Merge pull request #1690 from Automattic/release/1.32.2

Release 1.32.2

changelog.txt

@@ -1,3 +1,9 @@
+= 1.32.2 =
+* Fix: Issue saving job types for job listings in WordPress admin after WordPress 5.1 update.
+* Fix: Add nonce checks on edit/submit forms for logged in users. Will require updates to `templates/job-preview.php` if overridden in theme. (Props to foobar7)
+* Fix: Escape JSON encoded strings.
+* Fix: Add additional sanitization for file attachment fields.
+
 = 1.32.1 =
 * Fix: Adds compatibility with PHP 7.3
 * Fix: Restores original site search functionality.

includes/admin/class-wp-job-manager-admin.php

@@ -42,12 +42,8 @@ public function __construct() {
 
 		include_once dirname( __FILE__ ) . '/class-wp-job-manager-admin-notices.php';
 		include_once dirname( __FILE__ ) . '/class-wp-job-manager-cpt.php';
-		if ( version_compare( $wp_version, '4.7.0', '<' ) ) {
-			include_once dirname( __FILE__ ) . '/class-wp-job-manager-cpt-legacy.php';
-			WP_Job_Manager_CPT_Legacy::instance();
-		} else {
-			WP_Job_Manager_CPT::instance();
-		}
+		WP_Job_Manager_CPT::instance();
+
 		include_once dirname( __FILE__ ) . '/class-wp-job-manager-settings.php';
 		include_once dirname( __FILE__ ) . '/class-wp-job-manager-writepanels.php';
 		include_once dirname( __FILE__ ) . '/class-wp-job-manager-setup.php';

includes/admin/class-wp-job-manager-cpt.php

@@ -819,11 +819,11 @@ public function extend_submitdiv_post_status() {
 		<script type="text/javascript">
 			jQuery( document ).ready( function($) {
 				<?php if ( ! empty( $display ) ) : ?>
-					jQuery( '#post-status-display' ).html( <?php echo wp_json_encode( $display ); ?> );
+					jQuery( '#post-status-display' ).html( decodeURIComponent( '<?php echo rawurlencode( (string) wp_specialchars_decode( $display ) ); ?>' ) );
 				<?php endif; ?>
 
 				var select = jQuery( '#post-status-select' ).find( 'select' );
-				jQuery( select ).html( <?php echo wp_json_encode( $options ); ?> );
+				jQuery( select ).html( decodeURIComponent( '<?php echo rawurlencode( (string) wp_specialchars_decode( $options ) ); ?>' ) );
 			} );
 		</script>
 		<?php

includes/class-wp-job-manager-post-types.php

@@ -987,7 +987,7 @@ public function output_structured_data() {
 		$structured_data = wpjm_get_job_listing_structured_data();
 		if ( ! empty( $structured_data ) ) {
 			echo '<!-- WP Job Manager Structured Data -->' . "\r\n";
-			echo '<script type="application/ld+json">' . wp_json_encode( $structured_data ) . '</script>';
+			echo '<script type="application/ld+json">' . wpjm_esc_json( wp_json_encode( $structured_data ), true ) . '</script>';
 		}
 	}
 

includes/forms/class-wp-job-manager-form-edit-job.php

@@ -55,6 +55,8 @@ public static function instance() {
 	 */
 	public function __construct() {
 		add_action( 'wp', array( $this, 'submit_handler' ) );
+		add_action( 'submit_job_form_start', array( $this, 'output_submit_form_nonce_field' ) );
+
 		$this->job_id = ! empty( $_REQUEST['job_id'] ) ? absint( $_REQUEST['job_id'] ) : 0;
 
 		if ( ! job_manager_user_can_edit_job( $this->job_id ) ) {
@@ -158,6 +160,8 @@ public function submit_handler() {
 			return;
 		}
 
+		$this->check_submit_form_nonce_field();
+
 		try {
 
 			// Get posted values.

includes/forms/class-wp-job-manager-form-submit-job.php

@@ -57,6 +57,9 @@ public static function instance() {
 	 */
 	public function __construct() {
 		add_action( 'wp', array( $this, 'process' ) );
+		add_action( 'submit_job_form_start', array( $this, 'output_submit_form_nonce_field' ) );
+		add_action( 'preview_job_form_start', array( $this, 'output_preview_form_nonce_field' ) );
+
 		if ( $this->use_recaptcha_field() ) {
 			add_action( 'submit_job_form_end', array( $this, 'display_recaptcha_field' ) );
 			add_action( 'submit_job_form_validate_fields', array( $this, 'validate_recaptcha_field' ) );
@@ -455,7 +458,7 @@ private function job_types() {
 	public function submit() {
 		$this->init_fields();
 
-		// Load data if neccessary.
+		// Load data if necessary.
 		if ( $this->job_id ) {
 			$job = get_post( $this->job_id );
 			foreach ( $this->fields as $group_key => $group_fields ) {
@@ -538,6 +541,8 @@ public function submit_handler() {
 				return;
 			}
 
+			$this->check_submit_form_nonce_field();
+
 			// Validate required.
 			$validation_status = $this->validate_fields( $values );
 			if ( is_wp_error( $validation_status ) ) {
@@ -707,6 +712,15 @@ protected function create_attachment( $attachment_url ) {
 			return 0;
 		}
 
+		$attachment_url_parts = parse_url( $attachment_url );
+
+		// Relative paths aren't allowed.
+		if ( false !== strpos( $attachment_url_parts['path'], '../' ) ) {
+			return 0;
+		}
+
+		$attachment_url = sprintf( '%s://%s%s', $attachment_url_parts['scheme'], $attachment_url_parts['host'], $attachment_url_parts['path'] );
+
 		$attachment_url = str_replace( array( $upload_dir['baseurl'], WP_CONTENT_URL, site_url( '/' ) ), array( $upload_dir['basedir'], WP_CONTENT_DIR, ABSPATH ), $attachment_url );
 		if ( empty( $attachment_url ) || ! is_string( $attachment_url ) ) {
 			return 0;
@@ -850,6 +864,8 @@ public function preview_handler() {
 			return;
 		}
 
+		$this->check_preview_form_nonce_field();
+
 		// Edit = show submit form again.
 		if ( ! empty( $_POST['edit_job'] ) ) {
 			$this->step --;
@@ -878,6 +894,52 @@ public function preview_handler() {
 		}
 	}
 
+	/**
+	 * Output the nonce field on job submission form.
+	 */
+	public function output_submit_form_nonce_field() {
+		if ( ! is_user_logged_in() ) {
+			return;
+		}
+		wp_nonce_field( 'submit-job-' . $this->job_id, '_wpjm_nonce' );
+	}
+
+	/**
+	 * Check the nonce field on the submit form.
+	 */
+	public function check_submit_form_nonce_field() {
+		if ( ! is_user_logged_in() ) {
+			return;
+		}
+		if ( empty( $_REQUEST['_wpjm_nonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpjm_nonce'], 'submit-job-' . $this->job_id ) ) {
+			wp_nonce_ays( 'submit-job-' . $this->job_id );
+			die();
+		}
+	}
+
+	/**
+	 * Output the nonce field on job preview form.
+	 */
+	public function output_preview_form_nonce_field() {
+		if ( ! is_user_logged_in() ) {
+			return;
+		}
+		wp_nonce_field( 'preview-job-' . $this->job_id, '_wpjm_nonce' );
+	}
+
+	/**
+	 * Check the nonce field on the preview form.
+	 */
+	public function check_preview_form_nonce_field() {
+		if ( ! is_user_logged_in() ) {
+			return;
+		}
+		if ( empty( $_REQUEST['_wpjm_nonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpjm_nonce'], 'preview-job-' . $this->job_id ) ) {
+			wp_nonce_ays( 'preview-job-' . $this->job_id );
+			die();
+		}
+	}
+
 	/**
 	 * Displays the final screen after a job listing has been submitted.
 	 */