diff --git a/assets/js/admin.js b/assets/js/admin.js
index 501324798..af66623c8 100644
--- a/assets/js/admin.js
+++ b/assets/js/admin.js
@@ -1,11 +1,21 @@
jQuery(document).ready(function($) {
// Tooltips
- $( '.tips, .help_tip' ).tipTip({
- 'attribute' : 'data-tip',
- 'fadeIn' : 50,
- 'fadeOut' : 50,
- 'delay' : 200
- });
+ $( '.tips, .help_tip' ).each( function() {
+ var $self = $(this);
+ var tipText = $self.attr( 'data-tip' );
+
+ if ( tipText ) {
+ $(this).tipTip( {
+ 'content': '',
+ 'fadeIn': 50,
+ 'fadeOut': 50,
+ 'delay': 200,
+ 'enter': function () {
+ $(tiptip_content).text( tipText );
+ }
+ } );
+ }
+ } );
// Author
$( 'p.form-field-author' ).on( 'click', 'a.change-author', function() {
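Review bot: `tiptip_content` inside the new `enter` callback is a free variable that admin.js never declares, and the minified build in the admin.min.js hunk leaves it unresolved as well; unless the bundled tipTip plugin exposes it as a global, the first hover throws a ReferenceError and the tooltip renders with the empty `'content'`. tipTip inserts `content` as HTML, so the escaping can be done up front without touching plugin internals: `'content': $( '<div/>' ).text( tipText ).html(),` and the `enter` callback can be dropped. As a point of style, `$self` is created from `$(this)` and then `$(this)` is wrapped again on the `.tipTip(` line; `$self.tipTip( {` uses the variable that was introduced for exactly that. The enclosing ready callback begins on the hunk's first line and continues past its end.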
@@ -42,8 +52,11 @@ jQuery(document).ready(function($) {
searching: function() {
return job_manager_admin_params.user_selection_strings.searching;
},
- escapeMarkup: function( m ) {
- return m;
+ templateResult: function (result) {
+ return result.text;
+ },
+ templateSelection: function (selection) {
+ return selection.text;
},
width: '100%',
ajax: {
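Review bot: `templateResult` and `templateSelection` return a plain string, which Select2 4.x runs through its default `escapeMarkup` before rendering, while the server side of this same change (the `ajax_search_users` hunk in class-wp-job-manager-ajax.php) now also wraps `display_name` in `htmlentities()`; a name containing `&`, `<` or quotes is therefore encoded twice and shows in the dropdown as `&amp;`, `&lt;` and so on. Escaping once, on the client, is the safer layer because it covers every consumer of the option text, so the simplest fix is to keep these two templates and have the AJAX handler return the raw display name, provided nothing else consumes that JSON. Removing the identity `escapeMarkup` is the right call and should stay. The `init.user_search` handler that holds this options object starts and ends outside the hunk.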
diff --git a/assets/js/admin.min.js b/assets/js/admin.min.js
index 3132ff253..de0de363b 100644
--- a/assets/js/admin.min.js
+++ b/assets/js/admin.min.js
@@ -1 +1 @@
-jQuery(document).ready(function(t){t(".tips, .help_tip").tipTip({attribute:"data-tip",fadeIn:50,fadeOut:50,delay:200}),t("p.form-field-author").on("click","a.change-author",function(){t(this).closest("p").find(".current-author").hide();var e=t(this).closest("p").find(".change-author");return e.show(),e.find(":input.wpjm-user-search").trigger("init.user_search"),!1}),t("#wpbody").on("init.user_search",":input.wpjm-user-search",function(){var e={allowClear:!!t(this).data("allow_clear"),placeholder:t(this).data("placeholder"),minimumInputLength:t(this).data("minimum_input_length")?t(this).data("minimum_input_length"):"1",errorLoading:job_manager_admin_params.user_selection_strings.searching,inputTooShort:function(t){var e=t.minimum-t.input.length;return 1===e?job_manager_admin_params.user_selection_strings.input_too_short_1:job_manager_admin_params.user_selection_strings.input_too_short_n.replace("%qty%",e)},loadingMore:function(){return job_manager_admin_params.user_selection_strings.load_more},noResults:function(){return job_manager_admin_params.user_selection_strings.no_matches},searching:function(){return job_manager_admin_params.user_selection_strings.searching},escapeMarkup:function(t){return t},width:"100%",ajax:{url:job_manager_admin_params.ajax_url,dataType:"json",delay:1e3,data:function(t){return{term:t.term,action:"job_manager_search_users",security:job_manager_admin_params.search_users_nonce,page:t.page}},processResults:function(e){var a=[];return e&&e.results&&t.each(e.results,function(t,e){a.push({id:t,text:e})}),{results:a,pagination:{more:e.more}}},cache:!0}};t(this).select2(e)}),t(":input.wpjm-user-search:visible").trigger("init.user_search");var e,a,n;t(document.body).on("click",".wp_job_manager_add_another_file_button",function(e){e.preventDefault();var 
a=t(this).data("field_name"),n=t(this).data("field_placeholder"),i=t(this).data("uploader_button_text"),r=t(this).data("uploader_button"),o=t(this).data("view_button");t(this).before('")}),t(document.body).on("click",".wp_job_manager_view_file_button",function(e){e.preventDefault(),n=t(this).closest(".file_url");var i=(a=n.find("input")).val();i.indexOf("://")>-1?window.open(i,"_blank"):(a.addClass("file_no_url"),setTimeout(function(){a.removeClass("file_no_url")},1e3))}),t(document.body).on("click",".wp_job_manager_upload_file_button",function(i){i.preventDefault(),n=t(this).closest(".file_url"),a=n.find("input"),e?e.open():((e=wp.media.frames.file_frame=wp.media({title:t(this).data("uploader_title"),button:{text:t(this).data("uploader_button_text")},multiple:!1})).on("select",function(){var n=e.state().get("selection").first().toJSON();t(a).val(n.url)}),e.open())})}),jQuery(document).ready(function(t){var e="job_listing_type";t("#"+e+"checklist li :radio, #"+e+"checklist-pop :radio").live("click",function(){var a=t(this),n=a.is(":checked"),i=a.val();t("#"+e+"checklist li :radio, #"+e+"checklist-pop :radio").prop("checked",!1),t("#in-"+e+"-"+i+", #in-popular-"+e+"-"+i).prop("checked",n)})});
\ No newline at end of file
+jQuery(document).ready(function(t){t(".tips, .help_tip").each(function(){var e=t(this).attr("data-tip");e&&t(this).tipTip({content:"",fadeIn:50,fadeOut:50,delay:200,enter:function(){t(tiptip_content).text(e)}})}),t("p.form-field-author").on("click","a.change-author",function(){t(this).closest("p").find(".current-author").hide();var e=t(this).closest("p").find(".change-author");return e.show(),e.find(":input.wpjm-user-search").trigger("init.user_search"),!1}),t("#wpbody").on("init.user_search",":input.wpjm-user-search",function(){var e={allowClear:!!t(this).data("allow_clear"),placeholder:t(this).data("placeholder"),minimumInputLength:t(this).data("minimum_input_length")?t(this).data("minimum_input_length"):"1",errorLoading:job_manager_admin_params.user_selection_strings.searching,inputTooShort:function(t){var e=t.minimum-t.input.length;return 1===e?job_manager_admin_params.user_selection_strings.input_too_short_1:job_manager_admin_params.user_selection_strings.input_too_short_n.replace("%qty%",e)},loadingMore:function(){return job_manager_admin_params.user_selection_strings.load_more},noResults:function(){return job_manager_admin_params.user_selection_strings.no_matches},searching:function(){return job_manager_admin_params.user_selection_strings.searching},templateResult:function(t){return t.text},templateSelection:function(t){return t.text},width:"100%",ajax:{url:job_manager_admin_params.ajax_url,dataType:"json",delay:1e3,data:function(t){return{term:t.term,action:"job_manager_search_users",security:job_manager_admin_params.search_users_nonce,page:t.page}},processResults:function(e){var n=[];return e&&e.results&&t.each(e.results,function(t,e){n.push({id:t,text:e})}),{results:n,pagination:{more:e.more}}},cache:!0}};t(this).select2(e)}),t(":input.wpjm-user-search:visible").trigger("init.user_search");var e,n,a;t(document.body).on("click",".wp_job_manager_add_another_file_button",function(e){e.preventDefault();var 
n=t(this).data("field_name"),a=t(this).data("field_placeholder"),i=t(this).data("uploader_button_text"),r=t(this).data("uploader_button"),o=t(this).data("view_button");t(this).before('")}),t(document.body).on("click",".wp_job_manager_view_file_button",function(e){e.preventDefault(),a=t(this).closest(".file_url");var i=(n=a.find("input")).val();i.indexOf("://")>-1?window.open(i,"_blank"):(n.addClass("file_no_url"),setTimeout(function(){n.removeClass("file_no_url")},1e3))}),t(document.body).on("click",".wp_job_manager_upload_file_button",function(i){i.preventDefault(),a=t(this).closest(".file_url"),n=a.find("input"),e?e.open():((e=wp.media.frames.file_frame=wp.media({title:t(this).data("uploader_title"),button:{text:t(this).data("uploader_button_text")},multiple:!1})).on("select",function(){var a=e.state().get("selection").first().toJSON();t(n).val(a.url)}),e.open())})}),jQuery(document).ready(function(t){var e="job_listing_type";t("#"+e+"checklist li :radio, #"+e+"checklist-pop :radio").live("click",function(){var n=t(this),a=n.is(":checked"),i=n.val();t("#"+e+"checklist li :radio, #"+e+"checklist-pop :radio").prop("checked",!1),t("#in-"+e+"-"+i+", #in-popular-"+e+"-"+i).prop("checked",a)})});
\ No newline at end of file
diff --git a/changelog.txt b/changelog.txt
index b579b2234..c6a1e7736 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,3 +1,7 @@
+= 1.32.3 =
+* Fix: Escape tooltip text in WordPress admin. (Props hd7exploit)
+* Fix: Escape user display names on author selector while editing job listings. (Props hd7exploit)
+
= 1.32.2 =
* Fix: Issue saving job types for job listings in WordPress admin after WordPress 5.1 update.
* Fix: Add nonce checks on edit/submit forms for logged in users. Will require updates to `templates/job-preview.php` if overridden in theme. (Props to foobar7)
diff --git a/includes/admin/class-wp-job-manager-writepanels.php b/includes/admin/class-wp-job-manager-writepanels.php
index 5b71ede72..54bd1c0b9 100644
--- a/includes/admin/class-wp-job-manager-writepanels.php
+++ b/includes/admin/class-wp-job-manager-writepanels.php
@@ -517,8 +517,8 @@ public static function input_author( $key, $field ) {
if ( $posted_by ) {
$user_string = sprintf(
// translators: Used in user select. %1$s is the user's display name; #%2$s is the user ID; %3$s is the user email.
- esc_html__( '%1$s (#%2$s – %3$s)', 'wp-job-manager' ),
- $posted_by->display_name,
+ esc_html__( '%1$s (#%2$s – %3$s)', 'wp-job-manager' ),
+ htmlentities( $posted_by->display_name ),
absint( $posted_by->ID ),
$posted_by->user_email
);
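Review bot: `htmlentities( $posted_by->display_name )` depends on PHP's default flags and charset: with the defaults it leaves single quotes unencoded (ENT_COMPAT before PHP 8.1) and on PHP < 5.4 assumes ISO-8859-1, which mangles multibyte names; the identical call appears in the `ajax_search_users` hunk of class-wp-job-manager-ajax.php. The line directly above already uses the WordPress escaping API (`esc_html__`), so `esc_html( $posted_by->display_name ),` is the consistent choice, encodes with the blog charset and ENT_QUOTES, and does not double-encode entities that are already present. `$posted_by->user_email` is placed into the same string unescaped; if it is not guaranteed sanitized on save it should receive the same treatment. `input_author` continues outside the hunk, so how `$user_string` is ultimately output is not visible here.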
diff --git a/includes/class-wp-job-manager-ajax.php b/includes/class-wp-job-manager-ajax.php
index 30e58580c..640e3506c 100644
--- a/includes/class-wp-job-manager-ajax.php
+++ b/includes/class-wp-job-manager-ajax.php
@@ -401,8 +401,8 @@ public static function ajax_search_users() {
foreach ( $users as $user ) {
$found_users[ $user->ID ] = sprintf(
// translators: Used in user select. %1$s is the user's display name; #%2$s is the user ID; %3$s is the user email.
- esc_html__( '%1$s (#%2$s – %3$s)', 'wp-job-manager' ),
- $user->display_name,
+ esc_html__( '%1$s (#%2$s – %3$s)', 'wp-job-manager' ),
+ htmlentities( $user->display_name ),
absint( $user->ID ),
$user->user_email
);
diff --git a/languages/wp-job-manager.pot b/languages/wp-job-manager.pot
index 5f75f7e99..3e7371a57 100644
--- a/languages/wp-job-manager.pot
+++ b/languages/wp-job-manager.pot
@@ -2,9 +2,9 @@
# This file is distributed under the GPL2+.
msgid ""
msgstr ""
-"Project-Id-Version: WP Job Manager 1.32.2\n"
+"Project-Id-Version: WP Job Manager 1.32.3\n"
"Report-Msgid-Bugs-To: https://github.com/Automattic/WP-Job-Manager/issues\n"
-"POT-Creation-Date: 2019-02-25 14:23:26+00:00\n"
+"POT-Creation-Date: 2019-04-23 17:25:49+00:00\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
diff --git a/package.json b/package.json
index 689b01a3a..505d38857 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
{
"name": "wp-job-manager",
"title": "WP Job Manager",
- "version": "1.32.2",
+ "version": "1.32.3",
"homepage": "http://wordpress.org/plugins/wp-job-manager/",
"license": "GPL-2.0+",
"repository": "automattic/wp-job-manager",
diff --git a/readme.md b/readme.md
index d5bb0c6c0..1e09d75a5 100644
--- a/readme.md
+++ b/readme.md
@@ -3,7 +3,7 @@
**Tags:** job manager, job listing, job board, job management, job lists, job list, job, jobs, company, hiring, employment, employer, employees, candidate, freelance, internship, job listings, positions, board, application, hiring, listing, manager, recruiting, recruitment, talent
**Requires at least:** 4.7.0
**Tested up to:** 5.1
-**Stable tag:** 1.32.2
+**Stable tag:** 1.32.3
**License:** GPLv3
**License URI:** http://www.gnu.org/licenses/gpl-3.0.html
@@ -152,6 +152,10 @@ It then creates a database based on the parameters passed to it.
## Changelog ##
+### 1.32.3 ###
+* Fix: Escape tooltips in WordPress admin. (Props hd7exploit)
+* Fix: Escape user display names on author selector while editing job listings.
+
### 1.32.2 ###
* Fix: Issue saving job types for job listings in WordPress admin after WordPress 5.1 update.
* Fix: Add nonce checks on edit/submit forms for logged in users. Will require updates to `templates/job-preview.php` if overridden in theme. (Props to foobar7)
diff --git a/readme.txt b/readme.txt
index 6d71d2ed4..ab508ebdb 100644
--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: mikejolley, automattic, adamkheckler, alexsanford1, annezazu, cena
Tags: job manager, job listing, job board, job management, job lists, job list, job, jobs, company, hiring, employment, employer, employees, candidate, freelance, internship, job listings, positions, board, application, hiring, listing, manager, recruiting, recruitment, talent
Requires at least: 4.7.0
Tested up to: 5.1
-Stable tag: 1.32.2
+Stable tag: 1.32.3
License: GPLv3
License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -152,6 +152,10 @@ It then creates a database based on the parameters passed to it.
== Changelog ==
+= 1.32.3 =
+* Fix: Escape tooltip text in WordPress admin. (Props hd7exploit)
+* Fix: Escape user display names on author selector while editing job listings. (Props hd7exploit)
+
= 1.32.2 =
* Fix: Issue saving job types for job listings in WordPress admin after WordPress 5.1 update.
* Fix: Add nonce checks on edit/submit forms for logged in users. Will require updates to `templates/job-preview.php` if overridden in theme. (Props to foobar7)
diff --git a/wp-job-manager.php b/wp-job-manager.php
index f9ce6d4d9..18d9e2804 100644
--- a/wp-job-manager.php
+++ b/wp-job-manager.php
@@ -3,7 +3,7 @@
* Plugin Name: WP Job Manager
* Plugin URI: https://wpjobmanager.com/
* Description: Manage job listings from the WordPress admin panel, and allow users to post jobs directly to your site.
- * Version: 1.32.2
+ * Version: 1.32.3
* Author: Automattic
* Author URI: https://wpjobmanager.com/
* Requires at least: 4.7.0
@@ -63,7 +63,7 @@ public static function instance() {
*/
public function __construct() {
// Define constants.
- define( 'JOB_MANAGER_VERSION', '1.32.2' );
+ define( 'JOB_MANAGER_VERSION', '1.32.3' );
define( 'JOB_MANAGER_MINIMUM_WP_VERSION', '4.7.0' );
define( 'JOB_MANAGER_PLUGIN_DIR', untrailingslashit( plugin_dir_path( __FILE__ ) ) );
define( 'JOB_MANAGER_PLUGIN_URL', untrailingslashit( plugins_url( basename( plugin_dir_path( __FILE__ ) ), basename( __FILE__ ) ) ) );