From c7576a3408fdbefeb7bfa106dac61cdc2db4b975 Mon Sep 17 00:00:00 2001 From: randhirexpresstech Date: Mon, 10 Jun 2024 12:50:49 +0530 Subject: [PATCH 1/5] skip result page apply_filter data sanitization --- php/classes/class-qsm-results-pages.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/php/classes/class-qsm-results-pages.php b/php/classes/class-qsm-results-pages.php index c1f6279c5..9d58d71a1 100644 --- a/php/classes/class-qsm-results-pages.php +++ b/php/classes/class-qsm-results-pages.php @@ -177,12 +177,12 @@ public static function generate_pages( $response_data ) { // Decodes special characters, runs through our template // variables, and then outputs the text. - $page = htmlspecialchars_decode( $content, ENT_QUOTES); + $page = wp_kses_post( htmlspecialchars_decode( $content, ENT_QUOTES) ); //last chance to filter $page $page = apply_filters( 'qsm_template_variable_results_page', $page, $response_data ); - echo wp_kses_post( apply_filters( 'mlw_qmn_template_variable_results_page', $page, $response_data ) ); + echo apply_filters( 'mlw_qmn_template_variable_results_page', $page, $response_data ); do_action( 'qsm_after_results_page', $response_data, $page_index ); ?> Date: Wed, 12 Jun 2024 16:40:25 +0530 Subject: [PATCH 2/5] fixed contact form email allow domain validation --- php/classes/class-qsm-contact-manager.php | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/php/classes/class-qsm-contact-manager.php b/php/classes/class-qsm-contact-manager.php index 35cd74e38..d644d84b4 100644 --- a/php/classes/class-qsm-contact-manager.php +++ b/php/classes/class-qsm-contact-manager.php 
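Review bot: With `wp_kses_post()` moved up to the decode line, whatever the `qsm_template_variable_results_page` and `mlw_qmn_template_variable_results_page` callbacks return is now printed raw by `echo apply_filters( 'mlw_qmn_template_variable_results_page', $page, $response_data );`, so the two hooks have become unescaped HTML sinks. That is what the subject asks for, but any theme or add-on that interpolates `$response_data` (which presumably carries the quiz-taker's submitted answers — confirm against the caller) into its filter output can now emit markup and script that kses would previously have stripped. If callbacks are meant to be trusted, state that contract where the hook fires, e.g. `// Filter callbacks must return HTML that is already safe to print; nothing after this point is passed through kses.`; otherwise keep `wp_kses_post()` on the echo as well and only drop it from the decode line. generate_pages starts and ends outside this hunk, so where `$content` comes from is not visible here.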
@@ -353,6 +353,25 @@ public static function save_fields( $quiz_id, $fields ) { $fields[ $i ]['label'] = $label; $mlwQuizMasterNext->pluginHelper->qsm_register_language_support( $label, "quiz_contact_field_text-{$i}-{$quiz_id}" ); $mlwQuizMasterNext->pluginHelper->qsm_register_language_support( $placeholder, "quiz_contact_field_placeholder-{$i}-{$quiz_id}" ); + + // Validate allowed domains + if ( ! empty( $fields[ $i ]['allowdomains'] ) ) { + $allowdomains = explode( ',', $fields[ $i ]['allowdomains'] ); + // Trim domains + $allowdomains = array_map( 'trim', $allowdomains ); + // filter domain + $allowdomains = array_filter( $allowdomains, function( $allowdomain ) { + /** + * full domain name may not exceed a total length of 253 ASCII characters + * The domain name consists of valid labels (1-63 characters of letters, digits, + * or hyphens) followed by a dot. The domain ends with a valid TLD + * (2-63 characters of letters). + */ + return preg_match( '/^([a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}$/', $allowdomain ) && ( strlen( $allowdomain ) <= 253 ); + } ); + + $fields[ $i ]['allowdomains'] = implode( ',', $allowdomains ); + } if ( ! empty( $fields[ $i ]['options'] ) ) { $options = sanitize_text_field( wp_unslash( $fields[ $i ]['options'] ) ); $fields[ $i ]['options'] = $options; From 36fdbd122d8fc844934c91791ac773f0672fd582 Mon Sep 17 00:00:00 2001 From: randhirexpresstech Date: Thu, 13 Jun 2024 11:51:14 +0530 Subject: [PATCH 3/5] Fixed: wpApiSettings JS error --- mlw_quizmaster2.php | 3 ++- readme.txt | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/mlw_quizmaster2.php b/mlw_quizmaster2.php index 242550b1d..97e9fe400 100644 --- a/mlw_quizmaster2.php +++ b/mlw_quizmaster2.php 
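Review bot: The label pattern in the added `preg_match()` accepts hyphens at either end of a label (`-example.com`, `foo-.com`), which are not valid hostnames; tightening it to `'/^((?!-)[a-zA-Z0-9-]{1,63}(?<!-)\.)+[a-zA-Z]{2,63}$/'` keeps the same shape while rejecting those. The `array_filter()` also drops rejected entries silently, so a typo in one domain shrinks the allow-list without any feedback to the admin; if there is an existing notice mechanism in `save_fields`, it is worth reporting the dropped values. Since domains are case-insensitive, it would also be safer to store them normalised with `$allowdomains = array_map( 'strtolower', $allowdomains );` before the `implode()`, unless the comparison code (not visible here) already lower-cases both sides. save_fields starts before and ends after this hunk.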
@@ -473,7 +473,8 @@ public function qsm_admin_scripts_style( $hook ) { } } // load admin JS after all dependencies are loaded - wp_enqueue_script( 'qsm_admin_js', plugins_url( 'js/qsm-admin.js', __FILE__ ), array( 'jquery', 'backbone', 'underscore', 'wp-util', 'jquery-ui-sortable', 'jquery-touch-punch', 'qsm-jquery-multiselect-js' ), $this->version, true ); + /** Fixed wpApiSettings is not defined js error by using 'wp-api-request' core script to allow the use of localized version of wpApiSettings. **/ + wp_enqueue_script( 'qsm_admin_js', plugins_url( 'js/qsm-admin.js', __FILE__ ), array( 'jquery', 'backbone', 'underscore', 'wp-util', 'jquery-ui-sortable', 'jquery-touch-punch', 'qsm-jquery-multiselect-js', 'wp-api-request' ), $this->version, true ); wp_enqueue_style( 'jquer-multiselect-css', QSM_PLUGIN_CSS_URL . '/jquery.multiselect.min.css', array(), $this->version ); wp_enqueue_script( 'qsm-jquery-multiselect-js', QSM_PLUGIN_JS_URL . '/jquery.multiselect.min.js', array( 'jquery' ), $this->version, true ); wp_enqueue_script( 'micromodal_script', plugins_url( 'js/micromodal.min.js', __FILE__ ), array( 'jquery', 'qsm_admin_js' ), $this->version, true ); diff --git a/readme.txt b/readme.txt index d78e51d99..29fd3533b 100644 --- a/readme.txt +++ b/readme.txt @@ -163,6 +163,10 @@ This is usually a theme conflict. You can [checkout out our common conflict solu 18. Database == Changelog == += 9.0.5 ( Beta ) = +* Fixed: quiz contact form email allow domains validation +* Fixed: wpApiSettings JS error + = 9.0.4 ( June 10, 2024 ) = * Enhancement: Improved HTML code management on the result page From c87886a08d9ac026d5e61b2335db9a4264240bb5 Mon Sep 17 00:00:00 2001 From: randhirexpresstech Date: Thu, 13 Jun 2024 16:10:32 +0530 Subject: [PATCH 4/5] Fixed: Email subject converts & to & --- php/classes/class-qsm-emails.php | 4 ++++ readme.txt | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) 
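Review bot: The new comment is written as a `/** ... **/` docblock above a plain `wp_enqueue_script()` call and reads as a changelog entry rather than an explanation of the code; docblock delimiters on a non-declaration are misleading to doc tools, and the "Fixed ... error" wording will age badly. A short line comment stating the dependency is enough, e.g. `// qsm-admin.js reads wpApiSettings, which core localizes onto the 'wp-api-request' handle.`. Note that depending on 'wp-api-request' also embeds the REST nonce on every admin page where qsm_admin_js loads, which is expected for REST calls but worth knowing. qsm_admin_scripts_style starts before and ends after this hunk.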
diff --git a/php/classes/class-qsm-emails.php b/php/classes/class-qsm-emails.php index ffd3599ff..7565c5bf4 100644 --- a/php/classes/class-qsm-emails.php +++ b/php/classes/class-qsm-emails.php @@ -40,6 +40,10 @@ public static function send_emails( $transient_id ) { foreach ( $emails as $index => $email ) { $email_subject = $mlwQuizMasterNext->pluginHelper->qsm_language_support( $email['subject'], "quiz-email-subject-{$index}-{$response_data['quiz_id']}" ); + + // kses converts ampersands to & core.trac.wordpress.org/ticket/11311. + $email_subject = str_replace( '&', '&', $email_subject ); + $email_content = $mlwQuizMasterNext->pluginHelper->qsm_language_support( $email['content'], "quiz-email-content-{$index}-{$response_data['quiz_id']}" ); // Checks if any conditions are present. Else, send it always. if ( ! empty( $email['conditions'] ) ) { diff --git a/readme.txt b/readme.txt index 29fd3533b..9766b60ce 100644 --- a/readme.txt +++ b/readme.txt @@ -164,8 +164,9 @@ This is usually a theme conflict. You can [checkout out our common conflict solu == Changelog == = 9.0.5 ( Beta ) = -* Fixed: quiz contact form email allow domains validation +* Fixed: Quiz contact form email allow domains validation * Fixed: wpApiSettings JS error +* Fixed: Email subject converts & to & = 9.0.4 ( June 10, 2024 ) = * Enhancement: Improved HTML code management on the result page From 53747b95d23ca083af4d6ead83c1998db57c4afb Mon Sep 17 00:00:00 2001 From: PranavAwasthi Date: Thu, 13 Jun 2024 16:34:20 +0530 Subject: [PATCH 5/5] Fixed blank date field in contact form --- php/classes/class-qmn-plugin-helper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/php/classes/class-qmn-plugin-helper.php b/php/classes/class-qmn-plugin-helper.php index 88ece3223..d6c6ffaee 100644 --- a/php/classes/class-qmn-plugin-helper.php +++ b/php/classes/class-qmn-plugin-helper.php 
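Review bot: As rendered here the added line is `str_replace( '&', '&', $email_subject )`, which replaces a character with itself and changes nothing; the entity in the first argument appears to have been decoded by whatever produced this page, and the call the ticket reference implies is `$email_subject = str_replace( '&amp;', '&', $email_subject );`, so please verify the committed source has the entity. Even with that fixed, `&amp;` is only one of the entities kses produces: a subject containing `<`, `>` or quotes would presumably arrive as `&lt;`, `&gt;`, `&quot;`, so `wp_specialchars_decode( $email_subject, ENT_QUOTES )` covers the same cases in one call. The comment above the line has the same decoding problem and should name the entity it means. send_emails starts before and ends after this hunk.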
@@ -1097,7 +1097,7 @@ public function convert_contacts_to_preferred_date_format( $qsm_qna_array ) { $qsm_contact_array = $qsm_qna_array['contact']; foreach ( $qsm_contact_array as $qsm_contact_id => $qsm_contact ) { - if ( 'date' === $qsm_contact['type'] && null !== $GLOBALS['qsm_date_format'] ) { + if ( 'date' === $qsm_contact['type'] && '' !== $qsm_contact['value'] && null !== $GLOBALS['qsm_date_format'] ) { $qsm_qna_array['contact'][ $qsm_contact_id ]['value'] = date_i18n( $GLOBALS['qsm_date_format'], strtotime( ( $qsm_contact['value'] ) ) ); } }
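Review bot: The added `'' !== $qsm_contact['value']` guard only excludes the empty string; any other value that `strtotime()` cannot parse (a stored date already in the preferred format, free text) still yields `false`, which is then handed to `date_i18n()` and formatted as a bogus date instead of being left alone. Check the conversion result rather than the raw string: `$qsm_timestamp = ! empty( $qsm_contact['value'] ) ? strtotime( $qsm_contact['value'] ) : false;` then `if ( 'date' === $qsm_contact['type'] && false !== $qsm_timestamp && null !== $GLOBALS['qsm_date_format'] ) {` and pass `$qsm_timestamp` to `date_i18n()`. Using `! empty()` also avoids an undefined-index notice when a contact entry has no `value` key, which the strict comparison on the new line would trigger. convert_contacts_to_preferred_date_format continues past the end of this hunk.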