Merge pull request #362 from Automattic/short-code-hardening

Hardening the use of a shortcode
This commit is contained in:
Matthias Pfefferle 2023-07-18 08:31:11 +02:00 committed by GitHub
commit ee3574a8a3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 83 additions and 50 deletions


@ -1,5 +1,5 @@
# ActivityPub # # ActivityPub #
**Contributors:** [pfefferle](https://profiles.wordpress.org/pfefferle/), [mediaformat](https://profiles.wordpress.org/mediaformat/), [akirk](https://profiles.wordpress.org/akirk/), [automattic](https://profiles.wordpress.org/automattic/) **Contributors:** [automattic](https://profiles.wordpress.org/automattic/), [pfefferle](https://profiles.wordpress.org/pfefferle/), [mediaformat](https://profiles.wordpress.org/mediaformat/), [mattwiebe](https://profiles.wordpress.org/mattwiebe/), [akirk](https://profiles.wordpress.org/akirk/), [jeherve](https://profiles.wordpress.org/jeherve/), [nuriapena](https://profiles.wordpress.org/nuriapena/)
**Tags:** OStatus, fediverse, activitypub, activitystream **Tags:** OStatus, fediverse, activitypub, activitystream
**Requires at least:** 4.7 **Requires at least:** 4.7
**Tested up to:** 6.2 **Tested up to:** 6.2


@ -6,6 +6,11 @@ class Shortcodes {
* Class constructor, registering WordPress then Shortcodes * Class constructor, registering WordPress then Shortcodes
*/ */
public static function init() { public static function init() {
// do not load on admin pages
if ( is_admin() ) {
return;
}
foreach ( get_class_methods( self::class ) as $shortcode ) { foreach ( get_class_methods( self::class ) as $shortcode ) {
if ( 'init' !== $shortcode ) { if ( 'init' !== $shortcode ) {
add_shortcode( 'ap_' . $shortcode, array( self::class, $shortcode ) ); add_shortcode( 'ap_' . $shortcode, array( self::class, $shortcode ) );
@ -23,13 +28,13 @@ class Shortcodes {
* @return string The post tags as hashtags. * @return string The post tags as hashtags.
*/ */
public static function hashtags( $atts, $content, $tag ) { public static function hashtags( $atts, $content, $tag ) {
$post_id = get_the_ID(); $item = self::get_item();
if ( ! $post_id ) { if ( ! $item ) {
return ''; return '';
} }
$tags = \get_the_tags( $post_id ); $tags = \get_the_tags( $item->ID );
if ( ! $tags ) { if ( ! $tags ) {
return ''; return '';
@ -58,13 +63,13 @@ class Shortcodes {
* @return string The post title. * @return string The post title.
*/ */
public static function title( $atts, $content, $tag ) { public static function title( $atts, $content, $tag ) {
$post_id = get_the_ID(); $item = self::get_item();
if ( ! $post_id ) { if ( ! $item ) {
return ''; return '';
} }
return \wp_strip_all_tags( \get_the_title( $post_id ), true ); return \wp_strip_all_tags( \get_the_title( $item->ID ), true );
} }
@ -78,9 +83,9 @@ class Shortcodes {
* @return string The post excerpt. * @return string The post excerpt.
*/ */
public static function excerpt( $atts, $content, $tag ) { public static function excerpt( $atts, $content, $tag ) {
$post = get_post(); $item = self::get_item();
if ( ! $post || \post_password_required( $post ) ) { if ( ! $item ) {
return ''; return '';
} }
@ -96,11 +101,11 @@ class Shortcodes {
$excerpt_length = ACTIVITYPUB_EXCERPT_LENGTH; $excerpt_length = ACTIVITYPUB_EXCERPT_LENGTH;
} }
$excerpt = \get_post_field( 'post_excerpt', $post ); $excerpt = \get_post_field( 'post_excerpt', $item );
if ( '' === $excerpt ) { if ( '' === $excerpt ) {
$content = \get_post_field( 'post_content', $post ); $content = \get_post_field( 'post_content', $item );
// An empty string will make wp_trim_excerpt do stuff we do not want. // An empty string will make wp_trim_excerpt do stuff we do not want.
if ( '' !== $content ) { if ( '' !== $content ) {
@ -181,22 +186,22 @@ class Shortcodes {
* @return string The post content. * @return string The post content.
*/ */
public static function content( $atts, $content, $tag ) { public static function content( $atts, $content, $tag ) {
// prevent inception $item = self::get_item();
remove_shortcode( 'ap_content' );
$post = get_post(); if ( ! $item ) {
if ( ! $post || \post_password_required( $post ) ) {
return ''; return '';
} }
// prevent inception
remove_shortcode( 'ap_content' );
$atts = shortcode_atts( $atts = shortcode_atts(
array( 'apply_filters' => 'yes' ), array( 'apply_filters' => 'yes' ),
$atts, $atts,
$tag $tag
); );
$content = \get_post_field( 'post_content', $post ); $content = \get_post_field( 'post_content', $item );
if ( 'yes' === $atts['apply_filters'] ) { if ( 'yes' === $atts['apply_filters'] ) {
$content = \apply_filters( 'the_content', $content ); $content = \apply_filters( 'the_content', $content );
@ -226,9 +231,9 @@ class Shortcodes {
* @return string The post permalink. * @return string The post permalink.
*/ */
public static function permalink( $atts, $content, $tag ) { public static function permalink( $atts, $content, $tag ) {
$post = get_post(); $item = self::get_item();
if ( ! $post ) { if ( ! $item ) {
return ''; return '';
} }
@ -241,12 +246,12 @@ class Shortcodes {
); );
if ( 'url' === $atts['type'] ) { if ( 'url' === $atts['type'] ) {
return \esc_url( \get_permalink( $post->ID ) ); return \esc_url( \get_permalink( $item->ID ) );
} }
return \sprintf( return \sprintf(
'<a href="%1$s">%1$s</a>', '<a href="%1$s">%1$s</a>',
\esc_url( \get_permalink( $post->ID ) ) \esc_url( \get_permalink( $item->ID ) )
); );
} }
@ -260,9 +265,9 @@ class Shortcodes {
* @return string The post shortlink. * @return string The post shortlink.
*/ */
public static function shortlink( $atts, $content, $tag ) { public static function shortlink( $atts, $content, $tag ) {
$post = get_post(); $item = self::get_item();
if ( ! $post ) { if ( ! $item ) {
return ''; return '';
} }
@ -275,12 +280,12 @@ class Shortcodes {
); );
if ( 'url' === $atts['type'] ) { if ( 'url' === $atts['type'] ) {
return \esc_url( \wp_get_shortlink( $post->ID ) ); return \esc_url( \wp_get_shortlink( $item->ID ) );
} }
return \sprintf( return \sprintf(
'<a href="%1$s">%1$s</a>', '<a href="%1$s">%1$s</a>',
\esc_url( \wp_get_shortlink( $post->ID ) ) \esc_url( \wp_get_shortlink( $item->ID ) )
); );
} }
@ -294,9 +299,9 @@ class Shortcodes {
* @return string * @return string
*/ */
public static function image( $atts, $content, $tag ) { public static function image( $atts, $content, $tag ) {
$post_id = get_the_ID(); $item = self::get_item();
if ( ! $post_id ) { if ( ! $item ) {
return ''; return '';
} }
@ -318,7 +323,7 @@ class Shortcodes {
$size = $atts['type']; $size = $atts['type'];
} }
$image = \get_the_post_thumbnail_url( $post_id, $size ); $image = \get_the_post_thumbnail_url( $item->ID, $size );
if ( ! $image ) { if ( ! $image ) {
return ''; return '';
@ -337,13 +342,13 @@ class Shortcodes {
* @return string The post categories as hashtags. * @return string The post categories as hashtags.
*/ */
public static function hashcats( $atts, $content, $tag ) { public static function hashcats( $atts, $content, $tag ) {
$post_id = get_the_ID(); $item = self::get_item();
if ( ! $post_id ) { if ( ! $item ) {
return ''; return '';
} }
$categories = \get_the_category( $post_id ); $categories = \get_the_category( $item->ID );
if ( ! $categories ) { if ( ! $categories ) {
return ''; return '';
@ -372,13 +377,13 @@ class Shortcodes {
* @return string The author name. * @return string The author name.
*/ */
public static function author( $atts, $content, $tag ) { public static function author( $atts, $content, $tag ) {
$post = get_post(); $item = self::get_item();
if ( ! $post ) { if ( ! $item ) {
return ''; return '';
} }
$name = \get_the_author_meta( 'display_name', $post->post_author ); $name = \get_the_author_meta( 'display_name', $item->post_author );
if ( ! $name ) { if ( ! $name ) {
return ''; return '';
@ -397,13 +402,13 @@ class Shortcodes {
* @return string The author URL. * @return string The author URL.
*/ */
public static function authorurl( $atts, $content, $tag ) { public static function authorurl( $atts, $content, $tag ) {
$post = get_post(); $item = self::get_item();
if ( ! $post ) { if ( ! $item ) {
return ''; return '';
} }
$url = \get_the_author_meta( 'user_url', $post->post_author ); $url = \get_the_author_meta( 'user_url', $item->post_author );
if ( ! $url ) { if ( ! $url ) {
return ''; return '';
@ -461,13 +466,13 @@ class Shortcodes {
* @return string The post date. * @return string The post date.
*/ */
public static function date( $atts, $content, $tag ) { public static function date( $atts, $content, $tag ) {
$post = get_post(); $item = self::get_item();
if ( ! $post ) { if ( ! $item ) {
return ''; return '';
} }
$datetime = \get_post_datetime( $post ); $datetime = \get_post_datetime( $item );
$dateformat = \get_option( 'date_format' ); $dateformat = \get_option( 'date_format' );
$timeformat = \get_option( 'time_format' ); $timeformat = \get_option( 'time_format' );
@ -490,13 +495,13 @@ class Shortcodes {
* @return string The post time. * @return string The post time.
*/ */
public static function time( $atts, $content, $tag ) { public static function time( $atts, $content, $tag ) {
$post = get_post(); $item = self::get_item();
if ( ! $post ) { if ( ! $item ) {
return ''; return '';
} }
$datetime = \get_post_datetime( $post ); $datetime = \get_post_datetime( $item );
$dateformat = \get_option( 'date_format' ); $dateformat = \get_option( 'date_format' );
$timeformat = \get_option( 'time_format' ); $timeformat = \get_option( 'time_format' );
@ -519,13 +524,13 @@ class Shortcodes {
* @return string The post date/time. * @return string The post date/time.
*/ */
public static function datetime( $atts, $content, $tag ) { public static function datetime( $atts, $content, $tag ) {
$post = get_post(); $item = self::get_item();
if ( ! $post ) { if ( ! $item ) {
return ''; return '';
} }
$datetime = \get_post_datetime( $post ); $datetime = \get_post_datetime( $item );
$dateformat = \get_option( 'date_format' ); $dateformat = \get_option( 'date_format' );
$timeformat = \get_option( 'time_format' ); $timeformat = \get_option( 'time_format' );
@ -537,4 +542,34 @@ class Shortcodes {
return $date; return $date;
} }
/**
* Get a WordPress item to federate.
*
* Checks if item (WP_Post) is "public", a supported post type
* and not password protected.
*
* @return null|WP_Post The WordPress item.
*/
protected static function get_item() {
$post = \get_post();
if ( ! $post ) {
return null;
}
if ( 'publish' !== \get_post_status( $post ) ) {
return null;
}
if ( \post_password_required( $post ) ) {
return null;
}
if ( ! \in_array( \get_post_type( $post ), \get_post_types_by_support( 'activitypub' ), true ) ) {
return null;
}
return $post;
}
} }
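Review bot: The new `get_item()` helper will itself be registered as a shortcode by `init()`, because `get_class_methods( self::class )` is evaluated inside the class and so returns protected methods as well, and the loop only excludes `'init'`; `add_shortcode()` does not check callability, so an `[ap_get_item]` tag in content would hand `do_shortcode()` a callback it cannot invoke from outside the class. Exclude it explicitly, e.g. `if ( ! \in_array( $shortcode, array( 'init', 'get_item' ), true ) ) {`, or register only public methods via `( new \ReflectionClass( self::class ) )->getMethods( \ReflectionMethod::IS_PUBLIC )`. The body of `init()` continues outside the first hunk. The `get_item()` docblock says the post must be "public"; stating that this means `publish` status specifically (as the body enforces) would stop a future caller from expecting private or draft items to be returned.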


@ -351,4 +351,3 @@ if ( ! function_exists( 'get_self_link' ) ) {
return esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ); return esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
} }
} }


@ -1,5 +1,5 @@
=== ActivityPub === === ActivityPub ===
Contributors: pfefferle, mediaformat, akirk, automattic Contributors: automattic, pfefferle, mediaformat, mattwiebe, akirk, jeherve, nuriapena
Tags: OStatus, fediverse, activitypub, activitystream Tags: OStatus, fediverse, activitypub, activitystream
Requires at least: 4.7 Requires at least: 4.7
Tested up to: 6.2 Tested up to: 6.2


@ -39,13 +39,12 @@ class Test_Activitypub_Shortcodes extends WP_UnitTestCase {
$post->post_date_gmt = current_time( 'mysql', 1 ); $post->post_date_gmt = current_time( 'mysql', 1 );
$post->post_title = 'Some title or other'; $post->post_title = 'Some title or other';
$post->post_content = '<script>test</script>hallo<script type="javascript">{"asdf": "qwerty"}</script><style></style>'; $post->post_content = '<script>test</script>hallo<script type="javascript">{"asdf": "qwerty"}</script><style></style>';
$post->post_status = 'publish';
$post->comment_status = 'closed'; $post->comment_status = 'closed';
$post->ping_status = 'closed'; $post->ping_status = 'closed';
$post->post_name = 'fake-page-' . rand( 1, 99999 ); // append random number to avoid clash $post->post_name = 'fake-page-' . rand( 1, 99999 ); // append random number to avoid clash
$post->post_type = 'page'; $post->post_type = 'page';
$post->post_password = 'abc';
$post->filter = 'raw'; // important! $post->filter = 'raw'; // important!
$post->post_password = 'abc';
$content = '[ap_content]'; $content = '[ap_content]';
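Review bot: With `post_status` now set to `publish` and `post_password` kept at `abc`, the assertion that presumably follows (outside this hunk) exercises the password branch of `Shortcodes::get_item()`, but the fixture's `post_type` is `page`, so the shortcode would also yield `''` if `page` lacks `activitypub` post-type support, and a regression in the password check would go unnoticed. Consider a companion case using the same fixture without `$post->post_password` that asserts non-empty output, so the test distinguishes "suppressed because protected" from "suppressed because unsupported". The enclosing test method starts before this hunk.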