Merge pull request #362 from Automattic/short-code-hardening

Hardening the use of a shortcode

README.md

@@ -1,5 +1,5 @@
 # ActivityPub #
-**Contributors:** [pfefferle](https://profiles.wordpress.org/pfefferle/), [mediaformat](https://profiles.wordpress.org/mediaformat/), [akirk](https://profiles.wordpress.org/akirk/), [automattic](https://profiles.wordpress.org/automattic/)  
+**Contributors:** [automattic](https://profiles.wordpress.org/automattic/), [pfefferle](https://profiles.wordpress.org/pfefferle/), [mediaformat](https://profiles.wordpress.org/mediaformat/), [mattwiebe](https://profiles.wordpress.org/mattwiebe/), [akirk](https://profiles.wordpress.org/akirk/), [jeherve](https://profiles.wordpress.org/jeherve/), [nuriapena](https://profiles.wordpress.org/nuriapena/)  
 **Tags:** OStatus, fediverse, activitypub, activitystream  
 **Requires at least:** 4.7  
 **Tested up to:** 6.2  

includes/class-shortcodes.php

@@ -6,6 +6,11 @@ class Shortcodes {
 	 * Class constructor, registering WordPress then Shortcodes
 	 */
 	public static function init() {
+		// do not load on admin pages
+		if ( is_admin() ) {
+			return;
+		}
+
 		foreach ( get_class_methods( self::class ) as $shortcode ) {
 			if ( 'init' !== $shortcode ) {
 				add_shortcode( 'ap_' . $shortcode, array( self::class, $shortcode ) );
@@ -23,13 +28,13 @@ class Shortcodes {
 	 * @return string The post tags as hashtags.
 	 */
 	public static function hashtags( $atts, $content, $tag ) {
-		$post_id = get_the_ID();
+		$item = self::get_item();
 
-		if ( ! $post_id ) {
+		if ( ! $item ) {
 			return '';
 		}
 
-		$tags = \get_the_tags( $post_id );
+		$tags = \get_the_tags( $item->ID );
 
 		if ( ! $tags ) {
 			return '';
@@ -58,13 +63,13 @@ class Shortcodes {
 	 * @return string The post title.
 	 */
 	public static function title( $atts, $content, $tag ) {
-		$post_id = get_the_ID();
+		$item = self::get_item();
 
-		if ( ! $post_id ) {
+		if ( ! $item ) {
 			return '';
 		}
 
-		return \wp_strip_all_tags( \get_the_title( $post_id ), true );
+		return \wp_strip_all_tags( \get_the_title( $item->ID ), true );
 
 	}
 
@@ -78,9 +83,9 @@ class Shortcodes {
 	 * @return string The post excerpt.
 	 */
 	public static function excerpt( $atts, $content, $tag ) {
-		$post = get_post();
+		$item = self::get_item();
 
-		if ( ! $post || \post_password_required( $post ) ) {
+		if ( ! $item ) {
 			return '';
 		}
 
@@ -96,11 +101,11 @@ class Shortcodes {
 			$excerpt_length = ACTIVITYPUB_EXCERPT_LENGTH;
 		}
 
-		$excerpt = \get_post_field( 'post_excerpt', $post );
+		$excerpt = \get_post_field( 'post_excerpt', $item );
 
 		if ( '' === $excerpt ) {
 
-			$content = \get_post_field( 'post_content', $post );
+			$content = \get_post_field( 'post_content', $item );
 
 			// An empty string will make wp_trim_excerpt do stuff we do not want.
 			if ( '' !== $content ) {
@@ -181,22 +186,22 @@ class Shortcodes {
 	 * @return string The post content.
 	 */
 	public static function content( $atts, $content, $tag ) {
-		// prevent inception
+		$item = self::get_item();
-		remove_shortcode( 'ap_content' );
 
-		$post = get_post();
+		if ( ! $item ) {
-
-		if ( ! $post || \post_password_required( $post ) ) {
 			return '';
 		}
 
+		// prevent inception
+		remove_shortcode( 'ap_content' );
+
 		$atts = shortcode_atts(
 			array( 'apply_filters' => 'yes' ),
 			$atts,
 			$tag
 		);
 
-		$content = \get_post_field( 'post_content', $post );
+		$content = \get_post_field( 'post_content', $item );
 
 		if ( 'yes' === $atts['apply_filters'] ) {
 			$content = \apply_filters( 'the_content', $content );
@@ -226,9 +231,9 @@ class Shortcodes {
 	 * @return string The post permalink.
 	 */
 	public static function permalink( $atts, $content, $tag ) {
-		$post = get_post();
+		$item = self::get_item();
 
-		if ( ! $post ) {
+		if ( ! $item ) {
 			return '';
 		}
 
@@ -241,12 +246,12 @@ class Shortcodes {
 		);
 
 		if ( 'url' === $atts['type'] ) {
-			return \esc_url( \get_permalink( $post->ID ) );
+			return \esc_url( \get_permalink( $item->ID ) );
 		}
 
 		return \sprintf(
 			'<a href="%1$s">%1$s</a>',
-			\esc_url( \get_permalink( $post->ID ) )
+			\esc_url( \get_permalink( $item->ID ) )
 		);
 	}
 
@@ -260,9 +265,9 @@ class Shortcodes {
 	 * @return string The post shortlink.
 	 */
 	public static function shortlink( $atts, $content, $tag ) {
-		$post = get_post();
+		$item = self::get_item();
 
-		if ( ! $post ) {
+		if ( ! $item ) {
 			return '';
 		}
 
@@ -275,12 +280,12 @@ class Shortcodes {
 		);
 
 		if ( 'url' === $atts['type'] ) {
-			return \esc_url( \wp_get_shortlink( $post->ID ) );
+			return \esc_url( \wp_get_shortlink( $item->ID ) );
 		}
 
 		return \sprintf(
 			'<a href="%1$s">%1$s</a>',
-			\esc_url( \wp_get_shortlink( $post->ID ) )
+			\esc_url( \wp_get_shortlink( $item->ID ) )
 		);
 	}
 
@@ -294,9 +299,9 @@ class Shortcodes {
 	 * @return string
 	 */
 	public static function image( $atts, $content, $tag ) {
-		$post_id = get_the_ID();
+		$item = self::get_item();
 
-		if ( ! $post_id ) {
+		if ( ! $item ) {
 			return '';
 		}
 
@@ -318,7 +323,7 @@ class Shortcodes {
 			$size = $atts['type'];
 		}
 
-		$image = \get_the_post_thumbnail_url( $post_id, $size );
+		$image = \get_the_post_thumbnail_url( $item->ID, $size );
 
 		if ( ! $image ) {
 			return '';
@@ -337,13 +342,13 @@ class Shortcodes {
 	 * @return string The post categories as hashtags.
 	 */
 	public static function hashcats( $atts, $content, $tag ) {
-		$post_id = get_the_ID();
+		$item = self::get_item();
 
-		if ( ! $post_id ) {
+		if ( ! $item ) {
 			return '';
 		}
 
-		$categories = \get_the_category( $post_id );
+		$categories = \get_the_category( $item->ID );
 
 		if ( ! $categories ) {
 			return '';
@@ -372,13 +377,13 @@ class Shortcodes {
 	 * @return string The author name.
 	 */
 	public static function author( $atts, $content, $tag ) {
-		$post = get_post();
+		$item = self::get_item();
 
-		if ( ! $post ) {
+		if ( ! $item ) {
 			return '';
 		}
 
-		$name = \get_the_author_meta( 'display_name', $post->post_author );
+		$name = \get_the_author_meta( 'display_name', $item->post_author );
 
 		if ( ! $name ) {
 			return '';
@@ -397,13 +402,13 @@ class Shortcodes {
 	 * @return string The author URL.
 	 */
 	public static function authorurl( $atts, $content, $tag ) {
-		$post = get_post();
+		$item = self::get_item();
 
-		if ( ! $post ) {
+		if ( ! $item ) {
 			return '';
 		}
 
-		$url = \get_the_author_meta( 'user_url', $post->post_author );
+		$url = \get_the_author_meta( 'user_url', $item->post_author );
 
 		if ( ! $url ) {
 			return '';
@@ -461,13 +466,13 @@ class Shortcodes {
 	 * @return string The post date.
 	 */
 	public static function date( $atts, $content, $tag ) {
-		$post = get_post();
+		$item = self::get_item();
 
-		if ( ! $post ) {
+		if ( ! $item ) {
 			return '';
 		}
 
-		$datetime = \get_post_datetime( $post );
+		$datetime = \get_post_datetime( $item );
 		$dateformat = \get_option( 'date_format' );
 		$timeformat = \get_option( 'time_format' );
 
@@ -490,13 +495,13 @@ class Shortcodes {
 	 * @return string The post time.
 	 */
 	public static function time( $atts, $content, $tag ) {
-		$post = get_post();
+		$item = self::get_item();
 
-		if ( ! $post ) {
+		if ( ! $item ) {
 			return '';
 		}
 
-		$datetime = \get_post_datetime( $post );
+		$datetime = \get_post_datetime( $item );
 		$dateformat = \get_option( 'date_format' );
 		$timeformat = \get_option( 'time_format' );
 
@@ -519,13 +524,13 @@ class Shortcodes {
 	 * @return string The post date/time.
 	 */
 	public static function datetime( $atts, $content, $tag ) {
-		$post = get_post();
+		$item = self::get_item();
 
-		if ( ! $post ) {
+		if ( ! $item ) {
 			return '';
 		}
 
-		$datetime = \get_post_datetime( $post );
+		$datetime = \get_post_datetime( $item );
 		$dateformat = \get_option( 'date_format' );
 		$timeformat = \get_option( 'time_format' );
 
@@ -537,4 +542,34 @@ class Shortcodes {
 
 		return $date;
 	}
+
+	/**
+	 * Get a WordPress item to federate.
+	 *
+	 * Checks if item (WP_Post) is "public", a supported post type
+	 * and not password protected.
+	 *
+	 * @return null|WP_Post The WordPress item.
+	 */
+	protected static function get_item() {
+		$post = \get_post();
+
+		if ( ! $post ) {
+			return null;
+		}
+
+		if ( 'publish' !== \get_post_status( $post ) ) {
+			return null;
+		}
+
+		if ( \post_password_required( $post ) ) {
+			return null;
+		}
+
+		if ( ! \in_array( \get_post_type( $post ), \get_post_types_by_support( 'activitypub' ), true ) ) {
+			return null;
+		}
+
+		return $post;
+	}
 }

includes/functions.php

@@ -351,4 +351,3 @@ if ( ! function_exists( 'get_self_link' ) ) {
 		return esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
 	}
 }
-

readme.txt

@@ -1,5 +1,5 @@
 === ActivityPub ===
-Contributors: pfefferle, mediaformat, akirk, automattic
+Contributors: automattic, pfefferle, mediaformat, mattwiebe, akirk, jeherve, nuriapena
 Tags: OStatus, fediverse, activitypub, activitystream
 Requires at least: 4.7
 Tested up to: 6.2

tests/test-class-activitypub-shortcodes.php

@@ -39,13 +39,12 @@ class Test_Activitypub_Shortcodes extends WP_UnitTestCase {
 		$post->post_date_gmt = current_time( 'mysql', 1 );
 		$post->post_title = 'Some title or other';
 		$post->post_content = '<script>test</script>hallo<script type="javascript">{"asdf": "qwerty"}</script><style></style>';
-		$post->post_status = 'publish';
 		$post->comment_status = 'closed';
 		$post->ping_status = 'closed';
 		$post->post_name = 'fake-page-' . rand( 1, 99999 ); // append random number to avoid clash
 		$post->post_type = 'page';
-		$post->post_password = 'abc';
 		$post->filter = 'raw'; // important!
+		$post->post_password = 'abc';
 
 		$content = '[ap_content]';