Merge pull request #362 from Automattic/short-code-hardening
Hardening the use of a shortcode
ee3574a8a3
5 changed files with 83 additions and 50 deletions
@ -1,5 +1,5 @@
|
|||
# ActivityPub #
|
||||
**Contributors:** [pfefferle](https://profiles.wordpress.org/pfefferle/), [mediaformat](https://profiles.wordpress.org/mediaformat/), [akirk](https://profiles.wordpress.org/akirk/), [automattic](https://profiles.wordpress.org/automattic/)
|
||||
**Contributors:** [automattic](https://profiles.wordpress.org/automattic/), [pfefferle](https://profiles.wordpress.org/pfefferle/), [mediaformat](https://profiles.wordpress.org/mediaformat/), [mattwiebe](https://profiles.wordpress.org/mattwiebe/), [akirk](https://profiles.wordpress.org/akirk/), [jeherve](https://profiles.wordpress.org/jeherve/), [nuriapena](https://profiles.wordpress.org/nuriapena/)
|
||||
**Tags:** OStatus, fediverse, activitypub, activitystream
|
||||
**Requires at least:** 4.7
|
||||
**Tested up to:** 6.2
|
||||
|
|
|
@ -6,6 +6,11 @@ class Shortcodes {
|
|||
* Class constructor, registering WordPress then Shortcodes
|
||||
*/
|
||||
public static function init() {
|
||||
// do not load on admin pages
|
||||
if ( is_admin() ) {
|
||||
return;
|
||||
}
|
||||
|
||||
foreach ( get_class_methods( self::class ) as $shortcode ) {
|
||||
if ( 'init' !== $shortcode ) {
|
||||
add_shortcode( 'ap_' . $shortcode, array( self::class, $shortcode ) );
|
||||
|
@ -23,13 +28,13 @@ class Shortcodes {
|
|||
* @return string The post tags as hashtags.
|
||||
*/
|
||||
public static function hashtags( $atts, $content, $tag ) {
|
||||
$post_id = get_the_ID();
|
||||
$item = self::get_item();
|
||||
|
||||
if ( ! $post_id ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
$tags = \get_the_tags( $post_id );
|
||||
$tags = \get_the_tags( $item->ID );
|
||||
|
||||
if ( ! $tags ) {
|
||||
return '';
|
||||
|
@ -58,13 +63,13 @@ class Shortcodes {
|
|||
* @return string The post title.
|
||||
*/
|
||||
public static function title( $atts, $content, $tag ) {
|
||||
$post_id = get_the_ID();
|
||||
$item = self::get_item();
|
||||
|
||||
if ( ! $post_id ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
return \wp_strip_all_tags( \get_the_title( $post_id ), true );
|
||||
return \wp_strip_all_tags( \get_the_title( $item->ID ), true );
|
||||
|
||||
}
|
||||
|
||||
|
@ -78,9 +83,9 @@ class Shortcodes {
|
|||
* @return string The post excerpt.
|
||||
*/
|
||||
public static function excerpt( $atts, $content, $tag ) {
|
||||
$post = get_post();
|
||||
$item = self::get_item();
|
||||
|
||||
if ( ! $post || \post_password_required( $post ) ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
|
@ -96,11 +101,11 @@ class Shortcodes {
|
|||
$excerpt_length = ACTIVITYPUB_EXCERPT_LENGTH;
|
||||
}
|
||||
|
||||
$excerpt = \get_post_field( 'post_excerpt', $post );
|
||||
$excerpt = \get_post_field( 'post_excerpt', $item );
|
||||
|
||||
if ( '' === $excerpt ) {
|
||||
|
||||
$content = \get_post_field( 'post_content', $post );
|
||||
$content = \get_post_field( 'post_content', $item );
|
||||
|
||||
// An empty string will make wp_trim_excerpt do stuff we do not want.
|
||||
if ( '' !== $content ) {
|
||||
|
@ -181,22 +186,22 @@ class Shortcodes {
|
|||
* @return string The post content.
|
||||
*/
|
||||
public static function content( $atts, $content, $tag ) {
|
||||
// prevent inception
|
||||
remove_shortcode( 'ap_content' );
|
||||
$item = self::get_item();
|
||||
|
||||
$post = get_post();
|
||||
|
||||
if ( ! $post || \post_password_required( $post ) ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
// prevent inception
|
||||
remove_shortcode( 'ap_content' );
|
||||
|
||||
$atts = shortcode_atts(
|
||||
array( 'apply_filters' => 'yes' ),
|
||||
$atts,
|
||||
$tag
|
||||
);
|
||||
|
||||
$content = \get_post_field( 'post_content', $post );
|
||||
$content = \get_post_field( 'post_content', $item );
|
||||
|
||||
if ( 'yes' === $atts['apply_filters'] ) {
|
||||
$content = \apply_filters( 'the_content', $content );
|
||||
|
@ -226,9 +231,9 @@ class Shortcodes {
|
|||
* @return string The post permalink.
|
||||
*/
|
||||
public static function permalink( $atts, $content, $tag ) {
|
||||
$post = get_post();
|
||||
$item = self::get_item();
|
||||
|
||||
if ( ! $post ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
|
@ -241,12 +246,12 @@ class Shortcodes {
|
|||
);
|
||||
|
||||
if ( 'url' === $atts['type'] ) {
|
||||
return \esc_url( \get_permalink( $post->ID ) );
|
||||
return \esc_url( \get_permalink( $item->ID ) );
|
||||
}
|
||||
|
||||
return \sprintf(
|
||||
'<a href="%1$s">%1$s</a>',
|
||||
\esc_url( \get_permalink( $post->ID ) )
|
||||
\esc_url( \get_permalink( $item->ID ) )
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -260,9 +265,9 @@ class Shortcodes {
|
|||
* @return string The post shortlink.
|
||||
*/
|
||||
public static function shortlink( $atts, $content, $tag ) {
|
||||
$post = get_post();
|
||||
$item = self::get_item();
|
||||
|
||||
if ( ! $post ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
|
@ -275,12 +280,12 @@ class Shortcodes {
|
|||
);
|
||||
|
||||
if ( 'url' === $atts['type'] ) {
|
||||
return \esc_url( \wp_get_shortlink( $post->ID ) );
|
||||
return \esc_url( \wp_get_shortlink( $item->ID ) );
|
||||
}
|
||||
|
||||
return \sprintf(
|
||||
'<a href="%1$s">%1$s</a>',
|
||||
\esc_url( \wp_get_shortlink( $post->ID ) )
|
||||
\esc_url( \wp_get_shortlink( $item->ID ) )
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -294,9 +299,9 @@ class Shortcodes {
|
|||
* @return string
|
||||
*/
|
||||
public static function image( $atts, $content, $tag ) {
|
||||
$post_id = get_the_ID();
|
||||
$item = self::get_item();
|
||||
|
||||
if ( ! $post_id ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
|
@ -318,7 +323,7 @@ class Shortcodes {
|
|||
$size = $atts['type'];
|
||||
}
|
||||
|
||||
$image = \get_the_post_thumbnail_url( $post_id, $size );
|
||||
$image = \get_the_post_thumbnail_url( $item->ID, $size );
|
||||
|
||||
if ( ! $image ) {
|
||||
return '';
|
||||
|
@ -337,13 +342,13 @@ class Shortcodes {
|
|||
* @return string The post categories as hashtags.
|
||||
*/
|
||||
public static function hashcats( $atts, $content, $tag ) {
|
||||
$post_id = get_the_ID();
|
||||
$item = self::get_item();
|
||||
|
||||
if ( ! $post_id ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
$categories = \get_the_category( $post_id );
|
||||
$categories = \get_the_category( $item->ID );
|
||||
|
||||
if ( ! $categories ) {
|
||||
return '';
|
||||
|
@ -372,13 +377,13 @@ class Shortcodes {
|
|||
* @return string The author name.
|
||||
*/
|
||||
public static function author( $atts, $content, $tag ) {
|
||||
$post = get_post();
|
||||
$item = self::get_item();
|
||||
|
||||
if ( ! $post ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
$name = \get_the_author_meta( 'display_name', $post->post_author );
|
||||
$name = \get_the_author_meta( 'display_name', $item->post_author );
|
||||
|
||||
if ( ! $name ) {
|
||||
return '';
|
||||
|
@ -397,13 +402,13 @@ class Shortcodes {
|
|||
* @return string The author URL.
|
||||
*/
|
||||
public static function authorurl( $atts, $content, $tag ) {
|
||||
$post = get_post();
|
||||
$item = self::get_item();
|
||||
|
||||
if ( ! $post ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
$url = \get_the_author_meta( 'user_url', $post->post_author );
|
||||
$url = \get_the_author_meta( 'user_url', $item->post_author );
|
||||
|
||||
if ( ! $url ) {
|
||||
return '';
|
||||
|
@ -461,13 +466,13 @@ class Shortcodes {
|
|||
* @return string The post date.
|
||||
*/
|
||||
public static function date( $atts, $content, $tag ) {
|
||||
$post = get_post();
|
||||
$item = self::get_item();
|
||||
|
||||
if ( ! $post ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
$datetime = \get_post_datetime( $post );
|
||||
$datetime = \get_post_datetime( $item );
|
||||
$dateformat = \get_option( 'date_format' );
|
||||
$timeformat = \get_option( 'time_format' );
|
||||
|
||||
|
@ -490,13 +495,13 @@ class Shortcodes {
|
|||
* @return string The post time.
|
||||
*/
|
||||
public static function time( $atts, $content, $tag ) {
|
||||
$post = get_post();
|
||||
$item = self::get_item();
|
||||
|
||||
if ( ! $post ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
$datetime = \get_post_datetime( $post );
|
||||
$datetime = \get_post_datetime( $item );
|
||||
$dateformat = \get_option( 'date_format' );
|
||||
$timeformat = \get_option( 'time_format' );
|
||||
|
||||
|
@ -519,13 +524,13 @@ class Shortcodes {
|
|||
* @return string The post date/time.
|
||||
*/
|
||||
public static function datetime( $atts, $content, $tag ) {
|
||||
$post = get_post();
|
||||
$item = self::get_item();
|
||||
|
||||
if ( ! $post ) {
|
||||
if ( ! $item ) {
|
||||
return '';
|
||||
}
|
||||
|
||||
$datetime = \get_post_datetime( $post );
|
||||
$datetime = \get_post_datetime( $item );
|
||||
$dateformat = \get_option( 'date_format' );
|
||||
$timeformat = \get_option( 'time_format' );
|
||||
|
||||
|
@ -537,4 +542,34 @@ class Shortcodes {
|
|||
|
||||
return $date;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a WordPress item to federate.
|
||||
*
|
||||
* Checks if item (WP_Post) is "public", a supported post type
|
||||
* and not password protected.
|
||||
*
|
||||
* @return null|WP_Post The WordPress item.
|
||||
*/
|
||||
protected static function get_item() {
|
||||
$post = \get_post();
|
||||
|
||||
if ( ! $post ) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if ( 'publish' !== \get_post_status( $post ) ) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if ( \post_password_required( $post ) ) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if ( ! \in_array( \get_post_type( $post ), \get_post_types_by_support( 'activitypub' ), true ) ) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $post;
|
||||
}
|
||||
}
|
||||
|
|
|
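Review bot: `init()` still registers every name returned by `get_class_methods( self::class )` except `init`, and because that call is made from inside the class it also returns the new `protected static function get_item()`, so the loop would register an `ap_get_item` shortcode backed by a method that WordPress cannot invoke from outside the class (`call_user_func` on an inaccessible callback raises a TypeError on PHP 8). Any content containing `[ap_get_item]` would presumably fail at render time instead of producing empty output, which the hardening did not intend. Exclude non-public helpers explicitly, e.g. `if ( ! in_array( $shortcode, array( 'init', 'get_item' ), true ) ) {`, or filter the list with `( new \ReflectionMethod( self::class, $shortcode ) )->isPublic()`. The body of `init()` continues outside the hunk; separately, the `get_item()` docblock should say the post must have `publish` status rather than be "public", since `'publish' !== \get_post_status( $post )` is the check actually made.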
@ -351,4 +351,3 @@ if ( ! function_exists( 'get_self_link' ) ) {
|
|||
return esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) );
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
=== ActivityPub ===
|
||||
Contributors: pfefferle, mediaformat, akirk, automattic
|
||||
Contributors: automattic, pfefferle, mediaformat, mattwiebe, akirk, jeherve, nuriapena
|
||||
Tags: OStatus, fediverse, activitypub, activitystream
|
||||
Requires at least: 4.7
|
||||
Tested up to: 6.2
|
||||
|
|
|
@ -39,13 +39,12 @@ class Test_Activitypub_Shortcodes extends WP_UnitTestCase {
|
|||
$post->post_date_gmt = current_time( 'mysql', 1 );
|
||||
$post->post_title = 'Some title or other';
|
||||
$post->post_content = '<script>test</script>hallo<script type="javascript">{"asdf": "qwerty"}</script><style></style>';
|
||||
$post->post_status = 'publish';
|
||||
$post->comment_status = 'closed';
|
||||
$post->ping_status = 'closed';
|
||||
$post->post_name = 'fake-page-' . rand( 1, 99999 ); // append random number to avoid clash
|
||||
$post->post_type = 'page';
|
||||
$post->post_password = 'abc';
|
||||
$post->filter = 'raw'; // important!
|
||||
$post->post_password = 'abc';
|
||||
|
||||
$content = '[ap_content]';
|
||||
|
||||
|
|
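Review bot: The fixture keeps `$post->post_password = 'abc'` on the same post that renders `[ap_content]`, and with this commit `get_item()` returns null for a password-protected post, so the shortcode's expected output is presumably an empty string; the assertions that would confirm this are outside the hunk. A one-line comment would make that intent explicit for the next reader, e.g. `$post->post_password = 'abc'; // password-protected: get_item() must reject this post, so [ap_content] renders nothing`. The test method starts outside the hunk.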