Merge pull request #362 from Automattic/short-code-hardening
Hardening the use of a shortcode
commit
ee3574a8a3
5 changed files with 83 additions and 50 deletions
@ -1,5 +1,5 @@
|
||||||
# ActivityPub #
|
# ActivityPub #
|
||||||
**Contributors:** [pfefferle](https://profiles.wordpress.org/pfefferle/), [mediaformat](https://profiles.wordpress.org/mediaformat/), [akirk](https://profiles.wordpress.org/akirk/), [automattic](https://profiles.wordpress.org/automattic/)
|
**Contributors:** [automattic](https://profiles.wordpress.org/automattic/), [pfefferle](https://profiles.wordpress.org/pfefferle/), [mediaformat](https://profiles.wordpress.org/mediaformat/), [mattwiebe](https://profiles.wordpress.org/mattwiebe/), [akirk](https://profiles.wordpress.org/akirk/), [jeherve](https://profiles.wordpress.org/jeherve/), [nuriapena](https://profiles.wordpress.org/nuriapena/)
|
||||||
**Tags:** OStatus, fediverse, activitypub, activitystream
|
**Tags:** OStatus, fediverse, activitypub, activitystream
|
||||||
**Requires at least:** 4.7
|
**Requires at least:** 4.7
|
||||||
**Tested up to:** 6.2
|
**Tested up to:** 6.2
|
||||||
|
|
|
@ -6,6 +6,11 @@ class Shortcodes {
|
||||||
* Class constructor, registering WordPress then Shortcodes
|
* Class constructor, registering WordPress then Shortcodes
|
||||||
*/
|
*/
|
||||||
public static function init() {
|
public static function init() {
|
||||||
|
// do not load on admin pages
|
||||||
|
if ( is_admin() ) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
foreach ( get_class_methods( self::class ) as $shortcode ) {
|
foreach ( get_class_methods( self::class ) as $shortcode ) {
|
||||||
if ( 'init' !== $shortcode ) {
|
if ( 'init' !== $shortcode ) {
|
||||||
add_shortcode( 'ap_' . $shortcode, array( self::class, $shortcode ) );
|
add_shortcode( 'ap_' . $shortcode, array( self::class, $shortcode ) );
|
||||||
|
@ -23,13 +28,13 @@ class Shortcodes {
|
||||||
* @return string The post tags as hashtags.
|
* @return string The post tags as hashtags.
|
||||||
*/
|
*/
|
||||||
public static function hashtags( $atts, $content, $tag ) {
|
public static function hashtags( $atts, $content, $tag ) {
|
||||||
$post_id = get_the_ID();
|
$item = self::get_item();
|
||||||
|
|
||||||
if ( ! $post_id ) {
|
if ( ! $item ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
$tags = \get_the_tags( $post_id );
|
$tags = \get_the_tags( $item->ID );
|
||||||
|
|
||||||
if ( ! $tags ) {
|
if ( ! $tags ) {
|
||||||
return '';
|
return '';
|
||||||
|
@ -58,13 +63,13 @@ class Shortcodes {
|
||||||
* @return string The post title.
|
* @return string The post title.
|
||||||
*/
|
*/
|
||||||
public static function title( $atts, $content, $tag ) {
|
public static function title( $atts, $content, $tag ) {
|
||||||
$post_id = get_the_ID();
|
$item = self::get_item();
|
||||||
|
|
||||||
if ( ! $post_id ) {
|
if ( ! $item ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
return \wp_strip_all_tags( \get_the_title( $post_id ), true );
|
return \wp_strip_all_tags( \get_the_title( $item->ID ), true );
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -78,9 +83,9 @@ class Shortcodes {
|
||||||
* @return string The post excerpt.
|
* @return string The post excerpt.
|
||||||
*/
|
*/
|
||||||
public static function excerpt( $atts, $content, $tag ) {
|
public static function excerpt( $atts, $content, $tag ) {
|
||||||
$post = get_post();
|
$item = self::get_item();
|
||||||
|
|
||||||
if ( ! $post || \post_password_required( $post ) ) {
|
if ( ! $item ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -96,11 +101,11 @@ class Shortcodes {
|
||||||
$excerpt_length = ACTIVITYPUB_EXCERPT_LENGTH;
|
$excerpt_length = ACTIVITYPUB_EXCERPT_LENGTH;
|
||||||
}
|
}
|
||||||
|
|
||||||
$excerpt = \get_post_field( 'post_excerpt', $post );
|
$excerpt = \get_post_field( 'post_excerpt', $item );
|
||||||
|
|
||||||
if ( '' === $excerpt ) {
|
if ( '' === $excerpt ) {
|
||||||
|
|
||||||
$content = \get_post_field( 'post_content', $post );
|
$content = \get_post_field( 'post_content', $item );
|
||||||
|
|
||||||
// An empty string will make wp_trim_excerpt do stuff we do not want.
|
// An empty string will make wp_trim_excerpt do stuff we do not want.
|
||||||
if ( '' !== $content ) {
|
if ( '' !== $content ) {
|
||||||
|
@ -181,22 +186,22 @@ class Shortcodes {
|
||||||
* @return string The post content.
|
* @return string The post content.
|
||||||
*/
|
*/
|
||||||
public static function content( $atts, $content, $tag ) {
|
public static function content( $atts, $content, $tag ) {
|
||||||
// prevent inception
|
$item = self::get_item();
|
||||||
remove_shortcode( 'ap_content' );
|
|
||||||
|
|
||||||
$post = get_post();
|
if ( ! $item ) {
|
||||||
|
|
||||||
if ( ! $post || \post_password_required( $post ) ) {
|
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// prevent inception
|
||||||
|
remove_shortcode( 'ap_content' );
|
||||||
|
|
||||||
$atts = shortcode_atts(
|
$atts = shortcode_atts(
|
||||||
array( 'apply_filters' => 'yes' ),
|
array( 'apply_filters' => 'yes' ),
|
||||||
$atts,
|
$atts,
|
||||||
$tag
|
$tag
|
||||||
);
|
);
|
||||||
|
|
||||||
$content = \get_post_field( 'post_content', $post );
|
$content = \get_post_field( 'post_content', $item );
|
||||||
|
|
||||||
if ( 'yes' === $atts['apply_filters'] ) {
|
if ( 'yes' === $atts['apply_filters'] ) {
|
||||||
$content = \apply_filters( 'the_content', $content );
|
$content = \apply_filters( 'the_content', $content );
|
||||||
|
@ -226,9 +231,9 @@ class Shortcodes {
|
||||||
* @return string The post permalink.
|
* @return string The post permalink.
|
||||||
*/
|
*/
|
||||||
public static function permalink( $atts, $content, $tag ) {
|
public static function permalink( $atts, $content, $tag ) {
|
||||||
$post = get_post();
|
$item = self::get_item();
|
||||||
|
|
||||||
if ( ! $post ) {
|
if ( ! $item ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -241,12 +246,12 @@ class Shortcodes {
|
||||||
);
|
);
|
||||||
|
|
||||||
if ( 'url' === $atts['type'] ) {
|
if ( 'url' === $atts['type'] ) {
|
||||||
return \esc_url( \get_permalink( $post->ID ) );
|
return \esc_url( \get_permalink( $item->ID ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
return \sprintf(
|
return \sprintf(
|
||||||
'<a href="%1$s">%1$s</a>',
|
'<a href="%1$s">%1$s</a>',
|
||||||
\esc_url( \get_permalink( $post->ID ) )
|
\esc_url( \get_permalink( $item->ID ) )
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -260,9 +265,9 @@ class Shortcodes {
|
||||||
* @return string The post shortlink.
|
* @return string The post shortlink.
|
||||||
*/
|
*/
|
||||||
public static function shortlink( $atts, $content, $tag ) {
|
public static function shortlink( $atts, $content, $tag ) {
|
||||||
$post = get_post();
|
$item = self::get_item();
|
||||||
|
|
||||||
if ( ! $post ) {
|
if ( ! $item ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -275,12 +280,12 @@ class Shortcodes {
|
||||||
);
|
);
|
||||||
|
|
||||||
if ( 'url' === $atts['type'] ) {
|
if ( 'url' === $atts['type'] ) {
|
||||||
return \esc_url( \wp_get_shortlink( $post->ID ) );
|
return \esc_url( \wp_get_shortlink( $item->ID ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
return \sprintf(
|
return \sprintf(
|
||||||
'<a href="%1$s">%1$s</a>',
|
'<a href="%1$s">%1$s</a>',
|
||||||
\esc_url( \wp_get_shortlink( $post->ID ) )
|
\esc_url( \wp_get_shortlink( $item->ID ) )
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -294,9 +299,9 @@ class Shortcodes {
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
public static function image( $atts, $content, $tag ) {
|
public static function image( $atts, $content, $tag ) {
|
||||||
$post_id = get_the_ID();
|
$item = self::get_item();
|
||||||
|
|
||||||
if ( ! $post_id ) {
|
if ( ! $item ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -318,7 +323,7 @@ class Shortcodes {
|
||||||
$size = $atts['type'];
|
$size = $atts['type'];
|
||||||
}
|
}
|
||||||
|
|
||||||
$image = \get_the_post_thumbnail_url( $post_id, $size );
|
$image = \get_the_post_thumbnail_url( $item->ID, $size );
|
||||||
|
|
||||||
if ( ! $image ) {
|
if ( ! $image ) {
|
||||||
return '';
|
return '';
|
||||||
|
@ -337,13 +342,13 @@ class Shortcodes {
|
||||||
* @return string The post categories as hashtags.
|
* @return string The post categories as hashtags.
|
||||||
*/
|
*/
|
||||||
public static function hashcats( $atts, $content, $tag ) {
|
public static function hashcats( $atts, $content, $tag ) {
|
||||||
$post_id = get_the_ID();
|
$item = self::get_item();
|
||||||
|
|
||||||
if ( ! $post_id ) {
|
if ( ! $item ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
$categories = \get_the_category( $post_id );
|
$categories = \get_the_category( $item->ID );
|
||||||
|
|
||||||
if ( ! $categories ) {
|
if ( ! $categories ) {
|
||||||
return '';
|
return '';
|
||||||
|
@ -372,13 +377,13 @@ class Shortcodes {
|
||||||
* @return string The author name.
|
* @return string The author name.
|
||||||
*/
|
*/
|
||||||
public static function author( $atts, $content, $tag ) {
|
public static function author( $atts, $content, $tag ) {
|
||||||
$post = get_post();
|
$item = self::get_item();
|
||||||
|
|
||||||
if ( ! $post ) {
|
if ( ! $item ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
$name = \get_the_author_meta( 'display_name', $post->post_author );
|
$name = \get_the_author_meta( 'display_name', $item->post_author );
|
||||||
|
|
||||||
if ( ! $name ) {
|
if ( ! $name ) {
|
||||||
return '';
|
return '';
|
||||||
|
@ -397,13 +402,13 @@ class Shortcodes {
|
||||||
* @return string The author URL.
|
* @return string The author URL.
|
||||||
*/
|
*/
|
||||||
public static function authorurl( $atts, $content, $tag ) {
|
public static function authorurl( $atts, $content, $tag ) {
|
||||||
$post = get_post();
|
$item = self::get_item();
|
||||||
|
|
||||||
if ( ! $post ) {
|
if ( ! $item ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
$url = \get_the_author_meta( 'user_url', $post->post_author );
|
$url = \get_the_author_meta( 'user_url', $item->post_author );
|
||||||
|
|
||||||
if ( ! $url ) {
|
if ( ! $url ) {
|
||||||
return '';
|
return '';
|
||||||
|
@ -461,13 +466,13 @@ class Shortcodes {
|
||||||
* @return string The post date.
|
* @return string The post date.
|
||||||
*/
|
*/
|
||||||
public static function date( $atts, $content, $tag ) {
|
public static function date( $atts, $content, $tag ) {
|
||||||
$post = get_post();
|
$item = self::get_item();
|
||||||
|
|
||||||
if ( ! $post ) {
|
if ( ! $item ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
$datetime = \get_post_datetime( $post );
|
$datetime = \get_post_datetime( $item );
|
||||||
$dateformat = \get_option( 'date_format' );
|
$dateformat = \get_option( 'date_format' );
|
||||||
$timeformat = \get_option( 'time_format' );
|
$timeformat = \get_option( 'time_format' );
|
||||||
|
|
||||||
|
@ -490,13 +495,13 @@ class Shortcodes {
|
||||||
* @return string The post time.
|
* @return string The post time.
|
||||||
*/
|
*/
|
||||||
public static function time( $atts, $content, $tag ) {
|
public static function time( $atts, $content, $tag ) {
|
||||||
$post = get_post();
|
$item = self::get_item();
|
||||||
|
|
||||||
if ( ! $post ) {
|
if ( ! $item ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
$datetime = \get_post_datetime( $post );
|
$datetime = \get_post_datetime( $item );
|
||||||
$dateformat = \get_option( 'date_format' );
|
$dateformat = \get_option( 'date_format' );
|
||||||
$timeformat = \get_option( 'time_format' );
|
$timeformat = \get_option( 'time_format' );
|
||||||
|
|
||||||
|
@ -519,13 +524,13 @@ class Shortcodes {
|
||||||
* @return string The post date/time.
|
* @return string The post date/time.
|
||||||
*/
|
*/
|
||||||
public static function datetime( $atts, $content, $tag ) {
|
public static function datetime( $atts, $content, $tag ) {
|
||||||
$post = get_post();
|
$item = self::get_item();
|
||||||
|
|
||||||
if ( ! $post ) {
|
if ( ! $item ) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
$datetime = \get_post_datetime( $post );
|
$datetime = \get_post_datetime( $item );
|
||||||
$dateformat = \get_option( 'date_format' );
|
$dateformat = \get_option( 'date_format' );
|
||||||
$timeformat = \get_option( 'time_format' );
|
$timeformat = \get_option( 'time_format' );
|
||||||
|
|
||||||
|
@ -537,4 +542,34 @@ class Shortcodes {
|
||||||
|
|
||||||
return $date;
|
return $date;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get a WordPress item to federate.
|
||||||
|
*
|
||||||
|
* Checks if item (WP_Post) is "public", a supported post type
|
||||||
|
* and not password protected.
|
||||||
|
*
|
||||||
|
* @return null|WP_Post The WordPress item.
|
||||||
|
*/
|
||||||
|
protected static function get_item() {
|
||||||
|
$post = \get_post();
|
||||||
|
|
||||||
|
if ( ! $post ) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( 'publish' !== \get_post_status( $post ) ) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( \post_password_required( $post ) ) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ! \in_array( \get_post_type( $post ), \get_post_types_by_support( 'activitypub' ), true ) ) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
return $post;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
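Review bot: The registration loop in `init()` (first hunk of this file) will now also register the new `get_item()` helper as a shortcode, because `get_class_methods( self::class )` is called from inside the class and therefore returns protected and private methods as well as public ones; only `'init'` is filtered out. That would register `[ap_get_item]` with a protected callback, which `do_shortcode()` cannot invoke from global scope, and more generally any future non-public helper added to this class would be exposed as a shortcode tag the same way. Restricting the loop to public methods keeps the "register everything except init" convention working: `if ( 'init' !== $shortcode && ( new \ReflectionMethod( self::class, $shortcode ) )->isPublic() ) {`. The body of `init()` continues past the end of that hunk, so the closing of the loop is not visible here.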
@ -351,4 +351,3 @@ if ( ! function_exists( 'get_self_link' ) ) {
|
||||||
return esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
|
return esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
=== ActivityPub ===
|
=== ActivityPub ===
|
||||||
Contributors: pfefferle, mediaformat, akirk, automattic
|
Contributors: automattic, pfefferle, mediaformat, mattwiebe, akirk, jeherve, nuriapena
|
||||||
Tags: OStatus, fediverse, activitypub, activitystream
|
Tags: OStatus, fediverse, activitypub, activitystream
|
||||||
Requires at least: 4.7
|
Requires at least: 4.7
|
||||||
Tested up to: 6.2
|
Tested up to: 6.2
|
||||||
|
|
|
@ -39,13 +39,12 @@ class Test_Activitypub_Shortcodes extends WP_UnitTestCase {
|
||||||
$post->post_date_gmt = current_time( 'mysql', 1 );
|
$post->post_date_gmt = current_time( 'mysql', 1 );
|
||||||
$post->post_title = 'Some title or other';
|
$post->post_title = 'Some title or other';
|
||||||
$post->post_content = '<script>test</script>hallo<script type="javascript">{"asdf": "qwerty"}</script><style></style>';
|
$post->post_content = '<script>test</script>hallo<script type="javascript">{"asdf": "qwerty"}</script><style></style>';
|
||||||
$post->post_status = 'publish';
|
|
||||||
$post->comment_status = 'closed';
|
$post->comment_status = 'closed';
|
||||||
$post->ping_status = 'closed';
|
$post->ping_status = 'closed';
|
||||||
$post->post_name = 'fake-page-' . rand( 1, 99999 ); // append random number to avoid clash
|
$post->post_name = 'fake-page-' . rand( 1, 99999 ); // append random number to avoid clash
|
||||||
$post->post_type = 'page';
|
$post->post_type = 'page';
|
||||||
$post->post_password = 'abc';
|
|
||||||
$post->filter = 'raw'; // important!
|
$post->filter = 'raw'; // important!
|
||||||
|
$post->post_password = 'abc';
|
||||||
|
|
||||||
$content = '[ap_content]';
|
$content = '[ap_content]';
|
||||||
|
|
||||||
|
|
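Review bot: Dropping `$post->post_status = 'publish';` from the fixture means this test no longer isolates the password check: with no status set, `get_item()` presumably rejects the post on the `'publish' !== get_post_status()` branch before `post_password_required()` is ever consulted, so the test would keep passing even if the password guard were removed. If the assertion that follows the hunk expects empty output for a password-protected post, keep the status line and let the password be the only reason the item is refused: `$post->post_status = 'publish';` alongside `$post->post_password = 'abc';`. A separate fixture without the `publish` status would then cover the status check on its own. The enclosing test method starts before and ends after this hunk.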