From c4b0d7637c25f558a2ed6b6d088c24aff47c78ba Mon Sep 17 00:00:00 2001 From: Jake Oehler Morrison Date: Tue, 23 Apr 2019 16:56:40 +0100 Subject: [PATCH 1/3] Escape tagline before sending it as a tooltip --- assets/js/admin.js | 22 ++++++++++++++++------ assets/js/admin.min.js | 2 +- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/assets/js/admin.js b/assets/js/admin.js index 501324798..41a4056f6 100644 --- a/assets/js/admin.js +++ b/assets/js/admin.js @@ -1,11 +1,21 @@ jQuery(document).ready(function($) { // Tooltips - $( '.tips, .help_tip' ).tipTip({ - 'attribute' : 'data-tip', - 'fadeIn' : 50, - 'fadeOut' : 50, - 'delay' : 200 - }); + $( '.tips, .help_tip' ).each( function() { + var $self = $(this); + var tipText = $self.attr( 'data-tip' ); + + if ( tipText ) { + $(this).tipTip( { + 'content': '', + 'fadeIn': 50, + 'fadeOut': 50, + 'delay': 200, + 'enter': function () { + $(tiptip_content).text( tipText ); + } + } ); + } + } ); // Author $( 'p.form-field-author' ).on( 'click', 'a.change-author', function() { diff --git a/assets/js/admin.min.js b/assets/js/admin.min.js index 3132ff253..cebe6ad7a 100644 --- a/assets/js/admin.min.js +++ b/assets/js/admin.min.js 
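Review bot: `tiptip_content` in the new `enter` callback is not declared anywhere in this file, so `$(tiptip_content)` only resolves because browsers expose the `<div id="tiptip_content">` the plugin appends as a window-named global; a strict-mode build or a plugin version that scopes that element differently would throw a ReferenceError and leave the tooltip empty. Selecting it explicitly, `$( '#tiptip_content' ).text( tipText );`, removes that dependency. The fix also depends on the bundled tipTip not overwriting the tooltip body after `enter` fires (the plugin is given `'content': ''` and no `attribute`), which is worth confirming against the plugin source since this callback is now the entire XSS mitigation; a comment such as `// Populate the tooltip via .text() so data-tip is never interpreted as HTML.` would record why `attribute: 'data-tip'` was dropped. Minor: `$self` is created but the next statement uses `$(this)` again. The enclosing ready() handler continues past the hunk.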
@@ -1 +1 @@ -jQuery(document).ready(function(t){t(".tips, .help_tip").tipTip({attribute:"data-tip",fadeIn:50,fadeOut:50,delay:200}),t("p.form-field-author").on("click","a.change-author",function(){t(this).closest("p").find(".current-author").hide();var e=t(this).closest("p").find(".change-author");return e.show(),e.find(":input.wpjm-user-search").trigger("init.user_search"),!1}),t("#wpbody").on("init.user_search",":input.wpjm-user-search",function(){var e={allowClear:!!t(this).data("allow_clear"),placeholder:t(this).data("placeholder"),minimumInputLength:t(this).data("minimum_input_length")?t(this).data("minimum_input_length"):"1",errorLoading:job_manager_admin_params.user_selection_strings.searching,inputTooShort:function(t){var e=t.minimum-t.input.length;return 1===e?job_manager_admin_params.user_selection_strings.input_too_short_1:job_manager_admin_params.user_selection_strings.input_too_short_n.replace("%qty%",e)},loadingMore:function(){return job_manager_admin_params.user_selection_strings.load_more},noResults:function(){return job_manager_admin_params.user_selection_strings.no_matches},searching:function(){return job_manager_admin_params.user_selection_strings.searching},escapeMarkup:function(t){return t},width:"100%",ajax:{url:job_manager_admin_params.ajax_url,dataType:"json",delay:1e3,data:function(t){return{term:t.term,action:"job_manager_search_users",security:job_manager_admin_params.search_users_nonce,page:t.page}},processResults:function(e){var a=[];return e&&e.results&&t.each(e.results,function(t,e){a.push({id:t,text:e})}),{results:a,pagination:{more:e.more}}},cache:!0}};t(this).select2(e)}),t(":input.wpjm-user-search:visible").trigger("init.user_search");var e,a,n;t(document.body).on("click",".wp_job_manager_add_another_file_button",function(e){e.preventDefault();var 
a=t(this).data("field_name"),n=t(this).data("field_placeholder"),i=t(this).data("uploader_button_text"),r=t(this).data("uploader_button"),o=t(this).data("view_button");t(this).before('")}),t(document.body).on("click",".wp_job_manager_view_file_button",function(e){e.preventDefault(),n=t(this).closest(".file_url");var i=(a=n.find("input")).val();i.indexOf("://")>-1?window.open(i,"_blank"):(a.addClass("file_no_url"),setTimeout(function(){a.removeClass("file_no_url")},1e3))}),t(document.body).on("click",".wp_job_manager_upload_file_button",function(i){i.preventDefault(),n=t(this).closest(".file_url"),a=n.find("input"),e?e.open():((e=wp.media.frames.file_frame=wp.media({title:t(this).data("uploader_title"),button:{text:t(this).data("uploader_button_text")},multiple:!1})).on("select",function(){var n=e.state().get("selection").first().toJSON();t(a).val(n.url)}),e.open())})}),jQuery(document).ready(function(t){var e="job_listing_type";t("#"+e+"checklist li :radio, #"+e+"checklist-pop :radio").live("click",function(){var a=t(this),n=a.is(":checked"),i=a.val();t("#"+e+"checklist li :radio, #"+e+"checklist-pop :radio").prop("checked",!1),t("#in-"+e+"-"+i+", #in-popular-"+e+"-"+i).prop("checked",n)})}); \ No newline at end of file +jQuery(document).ready(function(t){t(".tips, .help_tip").each(function(){var e=t(this).attr("data-tip");e&&t(this).tipTip({content:"",fadeIn:50,fadeOut:50,delay:200,enter:function(){t(tiptip_content).text(e)}})}),t("p.form-field-author").on("click","a.change-author",function(){t(this).closest("p").find(".current-author").hide();var e=t(this).closest("p").find(".change-author");return e.show(),e.find(":input.wpjm-user-search").trigger("init.user_search"),!1}),t("#wpbody").on("init.user_search",":input.wpjm-user-search",function(){var 
e={allowClear:!!t(this).data("allow_clear"),placeholder:t(this).data("placeholder"),minimumInputLength:t(this).data("minimum_input_length")?t(this).data("minimum_input_length"):"1",errorLoading:job_manager_admin_params.user_selection_strings.searching,inputTooShort:function(t){var e=t.minimum-t.input.length;return 1===e?job_manager_admin_params.user_selection_strings.input_too_short_1:job_manager_admin_params.user_selection_strings.input_too_short_n.replace("%qty%",e)},loadingMore:function(){return job_manager_admin_params.user_selection_strings.load_more},noResults:function(){return job_manager_admin_params.user_selection_strings.no_matches},searching:function(){return job_manager_admin_params.user_selection_strings.searching},escapeMarkup:function(t){return t},width:"100%",ajax:{url:job_manager_admin_params.ajax_url,dataType:"json",delay:1e3,data:function(t){return{term:t.term,action:"job_manager_search_users",security:job_manager_admin_params.search_users_nonce,page:t.page}},processResults:function(e){var n=[];return e&&e.results&&t.each(e.results,function(t,e){n.push({id:t,text:e})}),{results:n,pagination:{more:e.more}}},cache:!0}};t(this).select2(e)}),t(":input.wpjm-user-search:visible").trigger("init.user_search");var e,n,a;t(document.body).on("click",".wp_job_manager_add_another_file_button",function(e){e.preventDefault();var n=t(this).data("field_name"),a=t(this).data("field_placeholder"),i=t(this).data("uploader_button_text"),r=t(this).data("uploader_button"),o=t(this).data("view_button");t(this).before('")}),t(document.body).on("click",".wp_job_manager_view_file_button",function(e){e.preventDefault(),a=t(this).closest(".file_url");var 
i=(n=a.find("input")).val();i.indexOf("://")>-1?window.open(i,"_blank"):(n.addClass("file_no_url"),setTimeout(function(){n.removeClass("file_no_url")},1e3))}),t(document.body).on("click",".wp_job_manager_upload_file_button",function(i){i.preventDefault(),a=t(this).closest(".file_url"),n=a.find("input"),e?e.open():((e=wp.media.frames.file_frame=wp.media({title:t(this).data("uploader_title"),button:{text:t(this).data("uploader_button_text")},multiple:!1})).on("select",function(){var a=e.state().get("selection").first().toJSON();t(n).val(a.url)}),e.open())})}),jQuery(document).ready(function(t){var e="job_listing_type";t("#"+e+"checklist li :radio, #"+e+"checklist-pop :radio").live("click",function(){var n=t(this),a=n.is(":checked"),i=n.val();t("#"+e+"checklist li :radio, #"+e+"checklist-pop :radio").prop("checked",!1),t("#in-"+e+"-"+i+", #in-popular-"+e+"-"+i).prop("checked",a)})}); \ No newline at end of file From 16799dd6716e0d3a25065dd43d914ae8724dd82e Mon Sep 17 00:00:00 2001 From: Jake Oehler Morrison Date: Tue, 23 Apr 2019 18:25:31 +0100 Subject: [PATCH 2/3] Escape user display name on user selector --- assets/js/admin.js | 7 +++++-- assets/js/admin.min.js | 2 +- includes/admin/class-wp-job-manager-writepanels.php | 4 ++-- includes/class-wp-job-manager-ajax.php | 4 ++-- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/assets/js/admin.js b/assets/js/admin.js index 41a4056f6..af66623c8 100644 --- a/assets/js/admin.js +++ b/assets/js/admin.js @@ -52,8 +52,11 @@ jQuery(document).ready(function($) { searching: function() { return job_manager_admin_params.user_selection_strings.searching; }, - escapeMarkup: function( m ) { - return m; + templateResult: function (result) { + return result.text; + }, + templateSelection: function (selection) { + return selection.text; }, width: '100%', ajax: { diff --git a/assets/js/admin.min.js b/assets/js/admin.min.js index cebe6ad7a..de0de363b 100644 --- a/assets/js/admin.min.js +++ b/assets/js/admin.min.js 
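Review bot: If the bundled Select2 is 4.x, `templateResult` and `templateSelection` returning `.text` are already its defaults, so the effective change here is the removal of the identity `escapeMarkup`, which restores Select2's built-in HTML escaping of the `text` field; the two new callbacks could be dropped in favour of a comment such as `// Rely on Select2's default escapeMarkup so user display names are never rendered as HTML.`. Because the companion PHP change now also runs `htmlentities()` on the display name before it reaches this client, the name is escaped twice and entities like `&amp;` will appear literally in the dropdown; escaping should happen on exactly one side. Removing the identity `escapeMarkup` also means the `user_selection_strings` messages (`searching`, `no_matches`, …) are now escaped, which only matters if any localized string contains markup — worth checking. The Select2 options object and the enclosing ready() handler start and end outside the hunk.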
@@ -1 +1 @@ -jQuery(document).ready(function(t){t(".tips, .help_tip").each(function(){var e=t(this).attr("data-tip");e&&t(this).tipTip({content:"",fadeIn:50,fadeOut:50,delay:200,enter:function(){t(tiptip_content).text(e)}})}),t("p.form-field-author").on("click","a.change-author",function(){t(this).closest("p").find(".current-author").hide();var e=t(this).closest("p").find(".change-author");return e.show(),e.find(":input.wpjm-user-search").trigger("init.user_search"),!1}),t("#wpbody").on("init.user_search",":input.wpjm-user-search",function(){var e={allowClear:!!t(this).data("allow_clear"),placeholder:t(this).data("placeholder"),minimumInputLength:t(this).data("minimum_input_length")?t(this).data("minimum_input_length"):"1",errorLoading:job_manager_admin_params.user_selection_strings.searching,inputTooShort:function(t){var e=t.minimum-t.input.length;return 1===e?job_manager_admin_params.user_selection_strings.input_too_short_1:job_manager_admin_params.user_selection_strings.input_too_short_n.replace("%qty%",e)},loadingMore:function(){return job_manager_admin_params.user_selection_strings.load_more},noResults:function(){return job_manager_admin_params.user_selection_strings.no_matches},searching:function(){return job_manager_admin_params.user_selection_strings.searching},escapeMarkup:function(t){return t},width:"100%",ajax:{url:job_manager_admin_params.ajax_url,dataType:"json",delay:1e3,data:function(t){return{term:t.term,action:"job_manager_search_users",security:job_manager_admin_params.search_users_nonce,page:t.page}},processResults:function(e){var n=[];return e&&e.results&&t.each(e.results,function(t,e){n.push({id:t,text:e})}),{results:n,pagination:{more:e.more}}},cache:!0}};t(this).select2(e)}),t(":input.wpjm-user-search:visible").trigger("init.user_search");var e,n,a;t(document.body).on("click",".wp_job_manager_add_another_file_button",function(e){e.preventDefault();var 
n=t(this).data("field_name"),a=t(this).data("field_placeholder"),i=t(this).data("uploader_button_text"),r=t(this).data("uploader_button"),o=t(this).data("view_button");t(this).before('")}),t(document.body).on("click",".wp_job_manager_view_file_button",function(e){e.preventDefault(),a=t(this).closest(".file_url");var i=(n=a.find("input")).val();i.indexOf("://")>-1?window.open(i,"_blank"):(n.addClass("file_no_url"),setTimeout(function(){n.removeClass("file_no_url")},1e3))}),t(document.body).on("click",".wp_job_manager_upload_file_button",function(i){i.preventDefault(),a=t(this).closest(".file_url"),n=a.find("input"),e?e.open():((e=wp.media.frames.file_frame=wp.media({title:t(this).data("uploader_title"),button:{text:t(this).data("uploader_button_text")},multiple:!1})).on("select",function(){var a=e.state().get("selection").first().toJSON();t(n).val(a.url)}),e.open())})}),jQuery(document).ready(function(t){var e="job_listing_type";t("#"+e+"checklist li :radio, #"+e+"checklist-pop :radio").live("click",function(){var n=t(this),a=n.is(":checked"),i=n.val();t("#"+e+"checklist li :radio, #"+e+"checklist-pop :radio").prop("checked",!1),t("#in-"+e+"-"+i+", #in-popular-"+e+"-"+i).prop("checked",a)})}); \ No newline at end of file +jQuery(document).ready(function(t){t(".tips, .help_tip").each(function(){var e=t(this).attr("data-tip");e&&t(this).tipTip({content:"",fadeIn:50,fadeOut:50,delay:200,enter:function(){t(tiptip_content).text(e)}})}),t("p.form-field-author").on("click","a.change-author",function(){t(this).closest("p").find(".current-author").hide();var e=t(this).closest("p").find(".change-author");return e.show(),e.find(":input.wpjm-user-search").trigger("init.user_search"),!1}),t("#wpbody").on("init.user_search",":input.wpjm-user-search",function(){var 
e={allowClear:!!t(this).data("allow_clear"),placeholder:t(this).data("placeholder"),minimumInputLength:t(this).data("minimum_input_length")?t(this).data("minimum_input_length"):"1",errorLoading:job_manager_admin_params.user_selection_strings.searching,inputTooShort:function(t){var e=t.minimum-t.input.length;return 1===e?job_manager_admin_params.user_selection_strings.input_too_short_1:job_manager_admin_params.user_selection_strings.input_too_short_n.replace("%qty%",e)},loadingMore:function(){return job_manager_admin_params.user_selection_strings.load_more},noResults:function(){return job_manager_admin_params.user_selection_strings.no_matches},searching:function(){return job_manager_admin_params.user_selection_strings.searching},templateResult:function(t){return t.text},templateSelection:function(t){return t.text},width:"100%",ajax:{url:job_manager_admin_params.ajax_url,dataType:"json",delay:1e3,data:function(t){return{term:t.term,action:"job_manager_search_users",security:job_manager_admin_params.search_users_nonce,page:t.page}},processResults:function(e){var n=[];return e&&e.results&&t.each(e.results,function(t,e){n.push({id:t,text:e})}),{results:n,pagination:{more:e.more}}},cache:!0}};t(this).select2(e)}),t(":input.wpjm-user-search:visible").trigger("init.user_search");var e,n,a;t(document.body).on("click",".wp_job_manager_add_another_file_button",function(e){e.preventDefault();var n=t(this).data("field_name"),a=t(this).data("field_placeholder"),i=t(this).data("uploader_button_text"),r=t(this).data("uploader_button"),o=t(this).data("view_button");t(this).before('")}),t(document.body).on("click",".wp_job_manager_view_file_button",function(e){e.preventDefault(),a=t(this).closest(".file_url");var 
i=(n=a.find("input")).val();i.indexOf("://")>-1?window.open(i,"_blank"):(n.addClass("file_no_url"),setTimeout(function(){n.removeClass("file_no_url")},1e3))}),t(document.body).on("click",".wp_job_manager_upload_file_button",function(i){i.preventDefault(),a=t(this).closest(".file_url"),n=a.find("input"),e?e.open():((e=wp.media.frames.file_frame=wp.media({title:t(this).data("uploader_title"),button:{text:t(this).data("uploader_button_text")},multiple:!1})).on("select",function(){var a=e.state().get("selection").first().toJSON();t(n).val(a.url)}),e.open())})}),jQuery(document).ready(function(t){var e="job_listing_type";t("#"+e+"checklist li :radio, #"+e+"checklist-pop :radio").live("click",function(){var n=t(this),a=n.is(":checked"),i=n.val();t("#"+e+"checklist li :radio, #"+e+"checklist-pop :radio").prop("checked",!1),t("#in-"+e+"-"+i+", #in-popular-"+e+"-"+i).prop("checked",a)})}); \ No newline at end of file diff --git a/includes/admin/class-wp-job-manager-writepanels.php b/includes/admin/class-wp-job-manager-writepanels.php index 5b71ede72..54bd1c0b9 100644 --- a/includes/admin/class-wp-job-manager-writepanels.php +++ b/includes/admin/class-wp-job-manager-writepanels.php @@ -517,8 +517,8 @@ public static function input_author( $key, $field ) { if ( $posted_by ) { $user_string = sprintf( // translators: Used in user select. %1$s is the user's display name; #%2$s is the user ID; %3$s is the user email. - esc_html__( '%1$s (#%2$s – %3$s)', 'wp-job-manager' ), - $posted_by->display_name, + esc_html__( '%1$s (#%2$s – %3$s)', 'wp-job-manager' ), + htmlentities( $posted_by->display_name ), absint( $posted_by->ID ), $posted_by->user_email ); diff --git a/includes/class-wp-job-manager-ajax.php b/includes/class-wp-job-manager-ajax.php index 30e58580c..640e3506c 100644 --- a/includes/class-wp-job-manager-ajax.php +++ b/includes/class-wp-job-manager-ajax.php 
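Review bot: `htmlentities( $posted_by->display_name )` encodes every character that has a named entity (e.g. `é` becomes `&eacute;`) and, with PHP's pre-8.1 default flags, leaves single quotes unencoded, whereas the rest of the plugin escapes with WordPress's `esc_html()`; `$posted_by->user_email` on the following line is still passed through unescaped. Where `$user_string` is printed lies outside the hunk, so whether it is escaped again at output — which would display entities literally — cannot be confirmed from this diff. I would use `esc_html( $posted_by->display_name )` and `esc_html( $posted_by->user_email )` here and add a comment stating that `$user_string` is already HTML-safe so the consumer must not escape it a second time. input_author() continues on both sides of the hunk.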
@@ -401,8 +401,8 @@ public static function ajax_search_users() { foreach ( $users as $user ) { $found_users[ $user->ID ] = sprintf( // translators: Used in user select. %1$s is the user's display name; #%2$s is the user ID; %3$s is the user email. - esc_html__( '%1$s (#%2$s – %3$s)', 'wp-job-manager' ), - $user->display_name, + esc_html__( '%1$s (#%2$s – %3$s)', 'wp-job-manager' ), + htmlentities( $user->display_name ), absint( $user->ID ), $user->user_email ); From 1a43219d65ff1ba8fc6a9b380f0257bb4ab6bf19 Mon Sep 17 00:00:00 2001 From: Jake Oehler Morrison Date: Tue, 23 Apr 2019 19:26:12 +0200 Subject: [PATCH 3/3] Bump version to 1.32.3 --- changelog.txt | 4 ++++ languages/wp-job-manager.pot | 4 ++-- package.json | 2 +- readme.md | 6 +++++- readme.txt | 6 +++++- wp-job-manager.php | 4 ++-- 6 files changed, 19 insertions(+), 7 deletions(-) diff --git a/changelog.txt b/changelog.txt index b579b2234..c6a1e7736 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,3 +1,7 @@ += 1.32.3 = +* Fix: Escape tooltip text in WordPress admin. (Props hd7exploit) +* Fix: Escape user display names on author selector while editing job listings. (Props hd7exploit) + = 1.32.2 = * Fix: Issue saving job types for job listings in WordPress admin after WordPress 5.1 update. * Fix: Add nonce checks on edit/submit forms for logged in users. Will require updates to `templates/job-preview.php` if overridden in theme. (Props to foobar7) diff --git a/languages/wp-job-manager.pot b/languages/wp-job-manager.pot index 5f75f7e99..3e7371a57 100644 --- a/languages/wp-job-manager.pot +++ b/languages/wp-job-manager.pot 
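Review bot: `htmlentities( $user->display_name )` escapes a value that is returned as JSON and rendered by Select2 on the client, which — after the companion admin.js change drops the identity `escapeMarkup` — escapes the `text` field again, so a name such as `Smith & Sons` would render as `Smith &amp; Sons` in the author dropdown. Escaping belongs in exactly one layer: either return the raw display name from this endpoint and rely on the client's escaping, or keep server-side escaping and document that the client must not re-escape. If server-side escaping is kept, `esc_html( $user->display_name )` matches the plugin's conventions and `$user->user_email` on the next line should receive the same treatment, since it is interpolated into the same string. The `esc_html__` line appears to change only in whitespace. The foreach and ajax_search_users() extend beyond the hunk.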
@@ -2,9 +2,9 @@ # This file is distributed under the GPL2+. msgid "" msgstr "" -"Project-Id-Version: WP Job Manager 1.32.2\n" +"Project-Id-Version: WP Job Manager 1.32.3\n" "Report-Msgid-Bugs-To: https://github.com/Automattic/WP-Job-Manager/issues\n" -"POT-Creation-Date: 2019-02-25 14:23:26+00:00\n" +"POT-Creation-Date: 2019-04-23 17:25:49+00:00\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" diff --git a/package.json b/package.json index 689b01a3a..505d38857 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "wp-job-manager", "title": "WP Job Manager", - "version": "1.32.2", + "version": "1.32.3", "homepage": "http://wordpress.org/plugins/wp-job-manager/", "license": "GPL-2.0+", "repository": "automattic/wp-job-manager", diff --git a/readme.md b/readme.md index d5bb0c6c0..1e09d75a5 100644 --- a/readme.md +++ b/readme.md @@ -3,7 +3,7 @@ **Tags:** job manager, job listing, job board, job management, job lists, job list, job, jobs, company, hiring, employment, employer, employees, candidate, freelance, internship, job listings, positions, board, application, hiring, listing, manager, recruiting, recruitment, talent **Requires at least:** 4.7.0 **Tested up to:** 5.1 -**Stable tag:** 1.32.2 +**Stable tag:** 1.32.3 **License:** GPLv3 **License URI:** http://www.gnu.org/licenses/gpl-3.0.html @@ -152,6 +152,10 @@ It then creates a database based on the parameters passed to it. ## Changelog ## +### 1.32.3 ### +* Fix: Escape tooltips in WordPress admin. (Props hd7exploit) +* Fix: Escape user display names on author selector while editing job listings. + ### 1.32.2 ### * Fix: Issue saving job types for job listings in WordPress admin after WordPress 5.1 update. * Fix: Add nonce checks on edit/submit forms for logged in users. Will require updates to `templates/job-preview.php` if overridden in theme. (Props to foobar7) diff --git a/readme.txt b/readme.txt index 6d71d2ed4..ab508ebdb 100644 
--- a/readme.txt +++ b/readme.txt @@ -3,7 +3,7 @@ Contributors: mikejolley, automattic, adamkheckler, alexsanford1, annezazu, cena Tags: job manager, job listing, job board, job management, job lists, job list, job, jobs, company, hiring, employment, employer, employees, candidate, freelance, internship, job listings, positions, board, application, hiring, listing, manager, recruiting, recruitment, talent Requires at least: 4.7.0 Tested up to: 5.1 -Stable tag: 1.32.2 +Stable tag: 1.32.3 License: GPLv3 License URI: http://www.gnu.org/licenses/gpl-3.0.html @@ -152,6 +152,10 @@ It then creates a database based on the parameters passed to it. == Changelog == += 1.32.3 = +* Fix: Escape tooltip text in WordPress admin. (Props hd7exploit) +* Fix: Escape user display names on author selector while editing job listings. (Props hd7exploit) + = 1.32.2 = * Fix: Issue saving job types for job listings in WordPress admin after WordPress 5.1 update. * Fix: Add nonce checks on edit/submit forms for logged in users. Will require updates to `templates/job-preview.php` if overridden in theme. (Props to foobar7) diff --git a/wp-job-manager.php b/wp-job-manager.php index f9ce6d4d9..18d9e2804 100644 --- a/wp-job-manager.php +++ b/wp-job-manager.php @@ -3,7 +3,7 @@ * Plugin Name: WP Job Manager * Plugin URI: https://wpjobmanager.com/ * Description: Manage job listings from the WordPress admin panel, and allow users to post jobs directly to your site. - * Version: 1.32.2 + * Version: 1.32.3 * Author: Automattic * Author URI: https://wpjobmanager.com/ * Requires at least: 4.7.0 
@@ -63,7 +63,7 @@ public static function instance() { */ public function __construct() { // Define constants. - define( 'JOB_MANAGER_VERSION', '1.32.2' ); + define( 'JOB_MANAGER_VERSION', '1.32.3' ); define( 'JOB_MANAGER_MINIMUM_WP_VERSION', '4.7.0' ); define( 'JOB_MANAGER_PLUGIN_DIR', untrailingslashit( plugin_dir_path( __FILE__ ) ) ); define( 'JOB_MANAGER_PLUGIN_URL', untrailingslashit( plugins_url( basename( plugin_dir_path( __FILE__ ) ), basename( __FILE__ ) ) ) );