From 8f127f6466be27fcc93b22138d2c4156d7c67a72 Mon Sep 17 00:00:00 2001 From: Viorel Date: Mon, 19 Feb 2024 18:03:27 +0200 Subject: [PATCH] bagrinsergiu/blox-editor#25494 - sanitize json for users with no unfiltered_html capability --- admin/abstract-api.php | 2 ++ admin/blocks/api.php | 12 ++++++------ editor/api.php | 2 +- editor/editor/editor.php | 31 +------------------------------ editor/trait/sanitize.php | 18 ++++++++++++++++++ editor/zip/archiver.php | 3 ++- 6 files changed, 30 insertions(+), 38 deletions(-) create mode 100644 editor/trait/sanitize.php diff --git a/admin/abstract-api.php b/admin/abstract-api.php index 76499875ec..baf46fa4b7 100644 --- a/admin/abstract-api.php +++ b/admin/abstract-api.php @@ -5,6 +5,8 @@ */ abstract class Brizy_Admin_AbstractApi { + use Brizy_Editor_Trait_Sanitize; + abstract protected function initializeApiActions(); abstract protected function getRequestNonce(); diff --git a/admin/blocks/api.php b/admin/blocks/api.php index 0f76de8499..a300ec352f 100644 --- a/admin/blocks/api.php +++ b/admin/blocks/api.php @@ -230,7 +230,7 @@ public function actionCreateGlobalBlock() try { - $editorData = stripslashes($this->param('data')); + $editorData = $this->sanitizeJson(stripslashes($this->param('data'))); $position = stripslashes($this->param('position')); $status = stripslashes($this->param('status')); $rulesData = stripslashes($this->param('rules')); @@ -316,7 +316,7 @@ public function actionUpdateGlobalBlock() $block->setMeta(stripslashes($this->param('meta'))); } if ($this->param('data')) { - $data = stripslashes( $this->param( 'data' ) ); + $data = $this->sanitizeJson(stripslashes( $this->param( 'data' ) )); if ( json_decode( $data ) !== null && ! json_last_error() ) { $block->set_editor_data( $data ); } 
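Review bot: The filter is applied to the encoded JSON text on the `$editorData` line, but the body of `sanitizeJson` (editor/trait/sanitize.php) is not legible on this page, so it should be confirmed that it decodes the document and filters each string value rather than running `wp_kses` over the raw string. JSON-escaped forms such as `\u003cscript\u003e` or `<\/script>` are inert to a text-level HTML filter and only become markup once the editor decodes them, so a raw-string pass would not stop them; a decode, filter-each-string, re-encode implementation closes that and also guarantees the output remains valid JSON for the `json_decode` guards used elsewhere in this commit. `$position`, `$status` and `$rulesData` on the following lines stay unfiltered, which is acceptable only if they never reach HTML output. actionCreateGlobalBlock continues past the end of the hunk.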
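Review bot: If `sanitizeJson` returns text that no longer parses, the existing `json_decode( $data ) !== null && ! json_last_error()` guard on the next line silently skips `set_editor_data`, so a user without `unfiltered_html` whose content was rewritten by the filter gets a success response while the update was dropped; an `else` branch that throws or returns an error would make that visible, e.g. `else { throw new Exception('Editor data is not valid JSON after sanitization'); }`. Separately, `$block->setMeta(stripslashes($this->param('meta')))` a few lines above still stores the meta parameter unfiltered; whether meta can carry markup is not visible here, but it should be checked against the same capability rule. The enclosing actionUpdateGlobalBlock continues outside the hunk.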
@@ -422,10 +422,10 @@ public function actionUpdateGlobalBlocks() } if (isset($this->param('data')[$i]) && !empty($this->param('data')[$i])) { - $data = stripslashes( $this->param( 'data' )[ $i ] ); + $data = $this->sanitizeJson(stripslashes( $this->param( 'data' )[ $i ] )); if ( json_decode( $data ) !== null && ! json_last_error() ) { - $block->set_editor_data( stripslashes( $this->param( 'data' )[ $i ] ) ); + $block->set_editor_data( $data ); } } @@ -575,7 +575,7 @@ public function actionCreateSavedBlock() $block->setTags(stripslashes($this->param('tags'))); } - $block->set_editor_data(stripslashes($this->param('data'))); + $block->set_editor_data($this->sanitizeJson(stripslashes($this->param('data')))); $block->set_needs_compile(true); //$block->setCloudUpdateRequired( true ); $block->save(); @@ -613,7 +613,7 @@ public function actionUpdateSavedBlock() $block->setDataVersion($this->param('dataVersion')); if ($this->param('data')) { - $block->set_editor_data(stripslashes($this->param('data'))); + $block->set_editor_data($this->sanitizeJson(stripslashes($this->param('data')))); } diff --git a/editor/api.php b/editor/api.php index 4ee557044f..df3cfb48b4 100755 --- a/editor/api.php +++ b/editor/api.php @@ -431,7 +431,7 @@ public function update_item() try { $this->verifyNonce(self::nonce); - $data = stripslashes($this->param('data')); + $data = $this->sanitizeJson(stripslashes($this->param('data'))); $atemplate = $this->param('template'); $dataVersion = (int)stripslashes($this->param('dataVersion')); $status = stripslashes($this->param('status')); diff --git a/editor/editor/editor.php b/editor/editor/editor.php index 17f5116064..96d5d1b3ca 100755 --- a/editor/editor/editor.php +++ b/editor/editor/editor.php 
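Review bot: `$block->set_editor_data($this->sanitizeJson(stripslashes($this->param('data'))))` in actionCreateSavedBlock persists the filter's output with no validity check, whereas actionUpdateGlobalBlock in this same commit only stores `$data` after `json_decode( $data ) !== null && ! json_last_error()`; the actionUpdateSavedBlock hunk (@@ -613) has the same shape. If the filter ever mangles the text (an HTML filter over JSON can drop or rewrite quotes and backslashes), the saved block is persisted corrupt and `set_needs_compile(true)` hands that to the compiler. Apply the same check before storing, e.g. `$data = $this->sanitizeJson(stripslashes($this->param('data')));` then `if (json_decode($data) === null || json_last_error() !== JSON_ERROR_NONE) { /* reject with an error response */ }` and only then `$block->set_editor_data($data);`. Both methods continue outside their hunks, so the error-reporting idiom they use is not visible here.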
@@ -125,8 +125,7 @@ public function config($context = self::COMPILE_CONTEXT) $config = array( 'user' => array( 'role' => 'admin', - 'isAuthorized' => $this->project->getMetaValue('brizy-cloud-token') !== null, - 'allowScripts' => $this->isUserAllowedToAddScripts($context), + 'isAuthorized' => $this->project->getMetaValue('brizy-cloud-token') !== null ), 'project' => array( 'id' => $this->project->getId(), @@ -1877,34 +1876,6 @@ public function getCloudInfo() return $response; } - /** - * Do not use: $userId = get_post_meta( $this->post->getWpPostId(), '_edit_last', true ); - * This meta _edit_last is often deleted by plugins dealing with optimize database - * - * @param $context - * - * @return bool - */ - private function isUserAllowedToAddScripts($context) - { - - if ($context == self::COMPILE_CONTEXT) { - - $userId = $this->post->getLastUserEdited(); - - if ($userId === null) { - return true; - } - - } else { - $userId = get_current_user_id(); - } - - $userCan = user_can($userId, 'unfiltered_html'); - - return $userCan; - } - private function getImgSizes() { diff --git a/editor/trait/sanitize.php b/editor/trait/sanitize.php new file mode 100644 index 0000000000..e4a30fd119 --- /dev/null +++ b/editor/trait/sanitize.php @@ -0,0 +1,18 @@ +getManager($entityClass)->createEntity(md5(random_bytes(10)), 'publish'); $block->set_needs_compile(true); - $block->set_editor_data($data->data); + $block->set_editor_data($this->sanitizeJson($data->data)); $block->setMeta($data->meta); if (isset($data->title)) {
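Review bot: Deleting `isUserAllowedToAddScripts` also removes the only gate that ran in `COMPILE_CONTEXT`, where it looked up the last editor via `getLastUserEdited()` and checked `unfiltered_html` at render time; after this change filtering happens only at save time through `sanitizeJson`. Editor data stored before this commit by users without `unfiltered_html` is therefore never re-filtered, and anything already persisted in posts or global/saved blocks will compile with scripts intact. A one-off migration that runs the sanitiser over existing editor data, or a compile-time pass for entities whose recorded last editor lacks the capability, would close that window. The removed compile branch returned `true` when no last editor was recorded, so the old gate was itself permissive; the new model is tighter for new writes, but the gap for already-stored data is worth stating in the commit message or a follow-up issue.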