diff --git a/changelog.txt b/changelog.txt index 5876d2e16..b579b2234 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,3 +1,9 @@ += 1.32.2 = +* Fix: Issue saving job types for job listings in WordPress admin after WordPress 5.1 update. +* Fix: Add nonce checks on edit/submit forms for logged in users. Will require updates to `templates/job-preview.php` if overridden in theme. (Props to foobar7) +* Fix: Escape JSON encoded strings. +* Fix: Add additional sanitization for file attachment fields. + = 1.32.1 = * Fix: Adds compatibility with PHP 7.3 * Fix: Restores original site search functionality. diff --git a/includes/admin/class-wp-job-manager-admin.php b/includes/admin/class-wp-job-manager-admin.php index 8dda96241..74b78c98b 100644 --- a/includes/admin/class-wp-job-manager-admin.php +++ b/includes/admin/class-wp-job-manager-admin.php @@ -42,12 +42,8 @@ public function __construct() { include_once dirname( __FILE__ ) . '/class-wp-job-manager-admin-notices.php'; include_once dirname( __FILE__ ) . '/class-wp-job-manager-cpt.php'; - if ( version_compare( $wp_version, '4.7.0', '<' ) ) { - include_once dirname( __FILE__ ) . '/class-wp-job-manager-cpt-legacy.php'; - WP_Job_Manager_CPT_Legacy::instance(); - } else { - WP_Job_Manager_CPT::instance(); - } + WP_Job_Manager_CPT::instance(); + include_once dirname( __FILE__ ) . '/class-wp-job-manager-settings.php'; include_once dirname( __FILE__ ) . '/class-wp-job-manager-writepanels.php'; include_once dirname( __FILE__ ) . '/class-wp-job-manager-setup.php'; diff --git a/includes/admin/class-wp-job-manager-cpt-legacy.php b/includes/admin/class-wp-job-manager-cpt-legacy.php deleted file mode 100644 index aa8dc49a0..000000000 --- a/includes/admin/class-wp-job-manager-cpt-legacy.php +++ /dev/null 
@@ -1,91 +0,0 @@ -get_bulk_actions() as $key => $bulk_action ) { - $bulk_actions[] = array( - 'key' => $key, - 'label' => sprintf( $bulk_action['label'], $wp_post_types['job_listing']->labels->name ), - ); - } - - if ( 'job_listing' === $post_type ) { - ?> - - current_action(); - $actions_handled = $this->get_bulk_actions(); - if ( isset( $actions_handled[ $action ] ) && isset( $actions_handled[ $action ]['handler'] ) ) { - check_admin_referer( 'bulk-posts' ); - $post_ids = array_map( 'absint', array_filter( (array) $_GET['post'] ) ); - if ( ! empty( $post_ids ) ) { - $this->do_bulk_actions( admin_url( 'edit.php?post_type=job_listing' ), $action, $post_ids ); - } - } - } -} diff --git a/includes/admin/class-wp-job-manager-cpt.php b/includes/admin/class-wp-job-manager-cpt.php index b12d8241a..7f9bf515b 100644 --- a/includes/admin/class-wp-job-manager-cpt.php +++ b/includes/admin/class-wp-job-manager-cpt.php @@ -819,11 +819,11 @@ public function extend_submitdiv_post_status() { ' . "\r\n"; - echo ''; + echo ''; } } diff --git a/includes/forms/class-wp-job-manager-form-edit-job.php b/includes/forms/class-wp-job-manager-form-edit-job.php index 6c1a32530..21ffd1151 100644 --- a/includes/forms/class-wp-job-manager-form-edit-job.php +++ b/includes/forms/class-wp-job-manager-form-edit-job.php @@ -55,6 +55,8 @@ public static function instance() { */ public function __construct() { add_action( 'wp', array( $this, 'submit_handler' ) ); + add_action( 'submit_job_form_start', array( $this, 'output_submit_form_nonce_field' ) ); + $this->job_id = ! empty( $_REQUEST['job_id'] ) ? absint( $_REQUEST['job_id'] ) : 0; if ( ! job_manager_user_can_edit_job( $this->job_id ) ) { @@ -158,6 +160,8 @@ public function submit_handler() { return; } + $this->check_submit_form_nonce_field(); + try { // Get posted values. diff --git a/includes/forms/class-wp-job-manager-form-submit-job.php b/includes/forms/class-wp-job-manager-form-submit-job.php index 76f891fde..f6bdba241 100644 
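Review bot: The nonce enforced in submit_handler is minted under the same action as the submission form's, `'submit-job-' . $this->job_id` — this file defines neither output_submit_form_nonce_field nor check_submit_form_nonce_field, so they are presumably inherited from WP_Job_Manager_Form_Submit_Job — which means a token issued for one form is accepted by the other for the same job id. Overriding the two helpers in this class with a distinct action, `wp_nonce_field( 'edit-job-' . $this->job_id, '_wpjm_nonce' );` and the matching `wp_verify_nonce( $nonce, 'edit-job-' . $this->job_id )`, ties each token to the form it was issued for at no extra cost. The constructor also registers the `submit_job_form_start` hook before `$this->job_id` is assigned from `$_REQUEST['job_id']`; that works only because the hook fires later, so a one-line comment such as `// Hooked before job_id is set; the callback runs at render time.` would pre-empt a reorder. submit_handler's body starts before and ends after this hunk, so whichever early returns precede the new check are not visible here.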
--- a/includes/forms/class-wp-job-manager-form-submit-job.php +++ b/includes/forms/class-wp-job-manager-form-submit-job.php @@ -57,6 +57,9 @@ public static function instance() { */ public function __construct() { add_action( 'wp', array( $this, 'process' ) ); + add_action( 'submit_job_form_start', array( $this, 'output_submit_form_nonce_field' ) ); + add_action( 'preview_job_form_start', array( $this, 'output_preview_form_nonce_field' ) ); + if ( $this->use_recaptcha_field() ) { add_action( 'submit_job_form_end', array( $this, 'display_recaptcha_field' ) ); add_action( 'submit_job_form_validate_fields', array( $this, 'validate_recaptcha_field' ) ); @@ -455,7 +458,7 @@ private function job_types() { public function submit() { $this->init_fields(); - // Load data if neccessary. + // Load data if necessary. if ( $this->job_id ) { $job = get_post( $this->job_id ); foreach ( $this->fields as $group_key => $group_fields ) { @@ -538,6 +541,8 @@ public function submit_handler() { return; } + $this->check_submit_form_nonce_field(); + // Validate required. $validation_status = $this->validate_fields( $values ); if ( is_wp_error( $validation_status ) ) { @@ -707,6 +712,15 @@ protected function create_attachment( $attachment_url ) { return 0; } + $attachment_url_parts = parse_url( $attachment_url ); + + // Relative paths aren't allowed. + if ( false !== strpos( $attachment_url_parts['path'], '../' ) ) { + return 0; + } + + $attachment_url = sprintf( '%s://%s%s', $attachment_url_parts['scheme'], $attachment_url_parts['host'], $attachment_url_parts['path'] ); + $attachment_url = str_replace( array( $upload_dir['baseurl'], WP_CONTENT_URL, site_url( '/' ) ), array( $upload_dir['basedir'], WP_CONTENT_DIR, ABSPATH ), $attachment_url ); if ( empty( $attachment_url ) || ! is_string( $attachment_url ) ) { return 0; 
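Review bot: The `'../'` substring test added to create_attachment only rejects `..` when it is followed by a single forward slash, so a path with `..//`, `..\`, or a trailing `..` (for example `/uploads/..//..//wp-config.php`) passes the check and is then mapped onto the filesystem by the str_replace that follows. parse_url() can also return false or omit `scheme`, `host` or `path` (a protocol-relative `//host/file` URL has no scheme), in which case the sprintf produces `://…` and emits undefined-index notices under strict error reporting. Requiring all three components up front and rejecting any `..` segment after splitting on `/` closes both gaps; whether the mapped path is additionally confined to `$upload_dir['basedir']` via realpath() depends on the code after the hunk, which I cannot see — the function starts before and ends after this hunk.
```php
$attachment_url_parts = parse_url( $attachment_url );
if ( ! is_array( $attachment_url_parts ) || empty( $attachment_url_parts['scheme'] ) || empty( $attachment_url_parts['host'] ) || empty( $attachment_url_parts['path'] ) ) {
	return 0;
}

// Reject any `..` segment however it is delimited (`../`, `..//`, `..\`, trailing `..`).
$path_segments = explode( '/', str_replace( '\\', '/', $attachment_url_parts['path'] ) );
if ( in_array( '..', $path_segments, true ) ) {
	return 0;
}

$attachment_url = sprintf( '%s://%s%s', $attachment_url_parts['scheme'], $attachment_url_parts['host'], $attachment_url_parts['path'] );
// … unchanged: str_replace() mapping of the URL onto the filesystem path …
```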
@@ -850,6 +864,8 @@ public function preview_handler() { return; } + $this->check_preview_form_nonce_field(); + // Edit = show submit form again. if ( ! empty( $_POST['edit_job'] ) ) { $this->step --; @@ -878,6 +894,52 @@ public function preview_handler() { } } + /** + * Output the nonce field on job submission form. + */ + public function output_submit_form_nonce_field() { + if ( ! is_user_logged_in() ) { + return; + } + wp_nonce_field( 'submit-job-' . $this->job_id, '_wpjm_nonce' ); + } + + /** + * Check the nonce field on the submit form. + */ + public function check_submit_form_nonce_field() { + if ( ! is_user_logged_in() ) { + return; + } + if ( empty( $_REQUEST['_wpjm_nonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpjm_nonce'], 'submit-job-' . $this->job_id ) ) { + wp_nonce_ays( 'submit-job-' . $this->job_id ); + die(); + } + } + + /** + * Output the nonce field on job preview form. + */ + public function output_preview_form_nonce_field() { + if ( ! is_user_logged_in() ) { + return; + } + wp_nonce_field( 'preview-job-' . $this->job_id, '_wpjm_nonce' ); + } + + /** + * Check the nonce field on the preview form. + */ + public function check_preview_form_nonce_field() { + if ( ! is_user_logged_in() ) { + return; + } + if ( empty( $_REQUEST['_wpjm_nonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpjm_nonce'], 'preview-job-' . $this->job_id ) ) { + wp_nonce_ays( 'preview-job-' . $this->job_id ); + die(); + } + } + /** * Displays the final screen after a job listing has been submitted. */ diff --git a/languages/wp-job-manager.pot b/languages/wp-job-manager.pot index a60cc54f3..5f75f7e99 100644 --- a/languages/wp-job-manager.pot +++ b/languages/wp-job-manager.pot 
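Review bot: check_submit_form_nonce_field and check_preview_form_nonce_field read the token from `$_REQUEST`, so a nonce arriving in the query string is accepted as readily as one in the POST body even though both forms post; reading `$_POST` and unslashing keeps the check to the actual form submission and satisfies the WPCS input sniffs: `$nonce = isset( $_POST['_wpjm_nonce'] ) ? sanitize_key( wp_unslash( $_POST['_wpjm_nonce'] ) ) : '';` followed by `if ( ! wp_verify_nonce( $nonce, 'submit-job-' . $this->job_id ) ) {`. The `die();` after `wp_nonce_ays()` is unreachable because wp_nonce_ays() itself ends in wp_die(); harmless, but either drop it or comment it as a belt-and-braces guard. All four methods return silently for logged-out visitors, so an anonymous submission relies entirely on whatever other guard applies (the reCAPTCHA hooks registered in the constructor, when enabled); that is the documented intent per the changelog, but a one-line comment on each early return, e.g. `// Anonymous submissions are not nonce-protected; reCAPTCHA (if enabled) is the only guard.`, would stop a future reader from treating it as an oversight. The four methods are complete within this hunk.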
@@ -2,9 +2,9 @@ # This file is distributed under the GPL2+. msgid "" msgstr "" -"Project-Id-Version: WP Job Manager 1.32.1\n" +"Project-Id-Version: WP Job Manager 1.32.2\n" "Report-Msgid-Bugs-To: https://github.com/Automattic/WP-Job-Manager/issues\n" -"POT-Creation-Date: 2019-01-28 10:55:14+00:00\n" +"POT-Creation-Date: 2019-02-25 14:23:26+00:00\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" @@ -31,7 +31,7 @@ msgid "\"%s\" check failed. Please try again." msgstr "" #: includes/admin/class-wp-job-manager-addons.php:124 -#: includes/admin/class-wp-job-manager-admin.php:175 +#: includes/admin/class-wp-job-manager-admin.php:171 #: includes/admin/views/html-admin-page-addons.php:2 msgid "WP Job Manager Add-ons" msgstr "" @@ -49,7 +49,7 @@ msgstr "" msgid "You don’t have permission to do this." msgstr "" -#: includes/admin/class-wp-job-manager-admin.php:90 +#: includes/admin/class-wp-job-manager-admin.php:86 #. translators: %s is the URL for the page where users can go to update #. WordPress. msgid "" @@ -57,17 +57,17 @@ msgid "" "WordPress. Please update WordPress to avoid issues." msgstr "" -#: includes/admin/class-wp-job-manager-admin.php:102 +#: includes/admin/class-wp-job-manager-admin.php:98 #. translators: Placeholder (%s) is the URL where users can go to update #. WordPress. msgid "WordPress Update Required" msgstr "" -#: includes/admin/class-wp-job-manager-admin.php:172 +#: includes/admin/class-wp-job-manager-admin.php:168 msgid "Settings" msgstr "" -#: includes/admin/class-wp-job-manager-admin.php:175 +#: includes/admin/class-wp-job-manager-admin.php:171 msgid "Add-ons" msgstr "" 
@@ -216,7 +216,7 @@ msgstr "" #: includes/admin/class-wp-job-manager-cpt.php:474 #: includes/admin/class-wp-job-manager-writepanels.php:57 #: includes/class-wp-job-manager-email-notifications.php:234 -#: includes/forms/class-wp-job-manager-form-submit-job.php:184 +#: includes/forms/class-wp-job-manager-form-submit-job.php:187 #: includes/widgets/class-wp-job-manager-widget-recent-jobs.php:40 #: templates/job-filters.php:35 templates/job-filters.php:36 msgid "Location" @@ -278,7 +278,7 @@ msgid "View" msgstr "" #: includes/admin/class-wp-job-manager-cpt.php:624 -#: includes/class-wp-job-manager-post-types.php:316 +#: includes/class-wp-job-manager-post-types.php:317 #: templates/job-dashboard.php:52 templates/job-dashboard.php:70 msgid "Edit" msgstr "" @@ -349,8 +349,8 @@ msgid "" msgstr "" #: includes/admin/class-wp-job-manager-settings.php:117 -#: includes/class-wp-job-manager-post-types.php:310 -#: includes/class-wp-job-manager-post-types.php:412 +#: includes/class-wp-job-manager-post-types.php:311 +#: includes/class-wp-job-manager-post-types.php:413 msgid "Job Listings" msgstr "" @@ -741,13 +741,13 @@ msgstr "" #: includes/admin/class-wp-job-manager-taxonomy-meta.php:78 #: includes/admin/class-wp-job-manager-taxonomy-meta.php:101 #: includes/admin/class-wp-job-manager-taxonomy-meta.php:120 -#: includes/class-wp-job-manager-post-types.php:270 +#: includes/class-wp-job-manager-post-types.php:271 #: includes/rest-api/class-wp-job-manager-models-job-types-custom-fields.php:36 msgid "Employment Type" msgstr "" #: includes/admin/class-wp-job-manager-writepanels.php:58 -#: includes/forms/class-wp-job-manager-form-submit-job.php:188 +#: includes/forms/class-wp-job-manager-form-submit-job.php:191 msgid "e.g. \"London\"" msgstr "" @@ -1111,7 +1111,7 @@ msgid "WP Job Manager" msgstr "" #: includes/class-wp-job-manager-data-exporter.php:52 -#: includes/class-wp-job-manager-post-types.php:333 +#: includes/class-wp-job-manager-post-types.php:334 msgid "Company Logo" msgstr "" 
@@ -1125,18 +1125,18 @@ msgstr "" #: includes/class-wp-job-manager-email-notifications.php:243 #: includes/class-wp-job-manager-post-types.php:205 -#: includes/forms/class-wp-job-manager-form-submit-job.php:192 +#: includes/forms/class-wp-job-manager-form-submit-job.php:195 msgid "Job type" msgstr "" #: includes/class-wp-job-manager-email-notifications.php:253 #: includes/class-wp-job-manager-post-types.php:141 -#: includes/forms/class-wp-job-manager-form-submit-job.php:201 +#: includes/forms/class-wp-job-manager-form-submit-job.php:204 msgid "Job category" msgstr "" #: includes/class-wp-job-manager-email-notifications.php:262 -#: includes/forms/class-wp-job-manager-form-submit-job.php:226 +#: includes/forms/class-wp-job-manager-form-submit-job.php:229 msgid "Company name" msgstr "" @@ -1191,7 +1191,7 @@ msgstr "" #: includes/class-wp-job-manager-post-types.php:170 #: includes/class-wp-job-manager-post-types.php:233 -#: includes/class-wp-job-manager-post-types.php:326 +#: includes/class-wp-job-manager-post-types.php:327 #. translators: Placeholder %s is the plural label of the job listing category #. taxonomy type. #. translators: Placeholder %s is the plural label of the job listing job type @@ -1203,7 +1203,7 @@ msgstr "" #: includes/class-wp-job-manager-post-types.php:172 #: includes/class-wp-job-manager-post-types.php:235 -#: includes/class-wp-job-manager-post-types.php:312 +#: includes/class-wp-job-manager-post-types.php:313 #. translators: Placeholder %s is the plural label of the job listing category #. taxonomy type. #. translators: Placeholder %s is the plural label of the job listing job type 
@@ -1215,7 +1215,7 @@ msgstr "" #: includes/class-wp-job-manager-post-types.php:174 #: includes/class-wp-job-manager-post-types.php:237 -#: includes/class-wp-job-manager-post-types.php:332 +#: includes/class-wp-job-manager-post-types.php:333 #. translators: Placeholder %s is the singular label of the job listing #. category taxonomy type. #. translators: Placeholder %s is the singular label of the job listing job @@ -1236,7 +1236,7 @@ msgstr "" #: includes/class-wp-job-manager-post-types.php:178 #: includes/class-wp-job-manager-post-types.php:241 -#: includes/class-wp-job-manager-post-types.php:318 +#: includes/class-wp-job-manager-post-types.php:319 #. translators: Placeholder %s is the singular label of the job listing #. category taxonomy type. #. translators: Placeholder %s is the singular label of the job listing job 
@@ -1277,75 +1277,75 @@ msgstr "" msgid "Job types" msgstr "" -#: includes/class-wp-job-manager-post-types.php:279 +#: includes/class-wp-job-manager-post-types.php:280 msgid "Job" msgstr "" -#: includes/class-wp-job-manager-post-types.php:280 +#: includes/class-wp-job-manager-post-types.php:281 msgid "Jobs" msgstr "" -#: includes/class-wp-job-manager-post-types.php:313 +#: includes/class-wp-job-manager-post-types.php:314 msgid "Add New" msgstr "" -#: includes/class-wp-job-manager-post-types.php:315 +#: includes/class-wp-job-manager-post-types.php:316 #. translators: Placeholder %s is the singular label of the job listing post #. type. msgid "Add %s" msgstr "" -#: includes/class-wp-job-manager-post-types.php:320 +#: includes/class-wp-job-manager-post-types.php:321 #. translators: Placeholder %s is the singular label of the job listing post #. type. msgid "New %s" msgstr "" -#: includes/class-wp-job-manager-post-types.php:322 -#: includes/class-wp-job-manager-post-types.php:324 +#: includes/class-wp-job-manager-post-types.php:323 +#: includes/class-wp-job-manager-post-types.php:325 #. translators: Placeholder %s is the singular label of the job listing post #. type. msgid "View %s" msgstr "" -#: includes/class-wp-job-manager-post-types.php:328 +#: includes/class-wp-job-manager-post-types.php:329 #. translators: Placeholder %s is the singular label of the job listing post #. type. msgid "No %s found" msgstr "" -#: includes/class-wp-job-manager-post-types.php:330 +#: includes/class-wp-job-manager-post-types.php:331 #. translators: Placeholder %s is the plural label of the job listing post #. type. 
msgid "No %s found in trash" msgstr "" -#: includes/class-wp-job-manager-post-types.php:334 +#: includes/class-wp-job-manager-post-types.php:335 msgid "Set company logo" msgstr "" -#: includes/class-wp-job-manager-post-types.php:335 +#: includes/class-wp-job-manager-post-types.php:336 msgid "Remove company logo" msgstr "" -#: includes/class-wp-job-manager-post-types.php:336 +#: includes/class-wp-job-manager-post-types.php:337 msgid "Use as company logo" msgstr "" -#: includes/class-wp-job-manager-post-types.php:339 +#: includes/class-wp-job-manager-post-types.php:340 #. translators: Placeholder %s is the plural label of the job listing post #. type. msgid "This is where you can create and manage %s." msgstr "" -#: includes/class-wp-job-manager-post-types.php:380 +#: includes/class-wp-job-manager-post-types.php:381 #. translators: Placeholder %s is the number of expired posts of this type. msgid "Expired (%s)" msgid_plural "Expired (%s)" msgstr[0] "" msgstr[1] "" -#: includes/class-wp-job-manager-post-types.php:392 +#: includes/class-wp-job-manager-post-types.php:393 #. translators: Placeholder %s is the number of posts in a preview state. msgid "Preview (%s)" msgid_plural "Preview (%s)" 
@@ -1487,141 +1487,141 @@ msgstr "" msgid "days" msgstr "" -#: includes/forms/class-wp-job-manager-form-edit-job.php:97 +#: includes/forms/class-wp-job-manager-form-edit-job.php:99 msgid "Invalid listing" msgstr "" -#: includes/forms/class-wp-job-manager-form-edit-job.php:129 +#: includes/forms/class-wp-job-manager-form-edit-job.php:131 msgid "Save changes" msgstr "" -#: includes/forms/class-wp-job-manager-form-edit-job.php:132 +#: includes/forms/class-wp-job-manager-form-edit-job.php:134 msgid "Submit changes for approval" msgstr "" -#: includes/forms/class-wp-job-manager-form-edit-job.php:183 +#: includes/forms/class-wp-job-manager-form-edit-job.php:187 msgid "Your changes have been saved." msgstr "" -#: includes/forms/class-wp-job-manager-form-edit-job.php:189 +#: includes/forms/class-wp-job-manager-form-edit-job.php:193 msgid "View →" msgstr "" -#: includes/forms/class-wp-job-manager-form-edit-job.php:191 +#: includes/forms/class-wp-job-manager-form-edit-job.php:195 msgid "" "Your changes have been submitted and your listing will be visible again " "once approved." 
msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:69 +#: includes/forms/class-wp-job-manager-form-submit-job.php:72 msgid "Submit Details" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:75 -#: includes/forms/class-wp-job-manager-form-submit-job.php:519 -#: templates/job-preview.php:22 +#: includes/forms/class-wp-job-manager-form-submit-job.php:78 +#: includes/forms/class-wp-job-manager-form-submit-job.php:522 +#: templates/job-preview.php:30 msgid "Preview" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:81 +#: includes/forms/class-wp-job-manager-form-submit-job.php:84 msgid "Done" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:151 +#: includes/forms/class-wp-job-manager-form-submit-job.php:154 msgid "Application email" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:152 +#: includes/forms/class-wp-job-manager-form-submit-job.php:155 #: wp-job-manager-template.php:719 msgid "you@yourdomain.com" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:156 +#: includes/forms/class-wp-job-manager-form-submit-job.php:159 msgid "Application URL" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:157 -#: includes/forms/class-wp-job-manager-form-submit-job.php:237 +#: includes/forms/class-wp-job-manager-form-submit-job.php:160 +#: includes/forms/class-wp-job-manager-form-submit-job.php:240 msgid "http://" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:161 +#: includes/forms/class-wp-job-manager-form-submit-job.php:164 msgid "Application email/URL" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:162 +#: includes/forms/class-wp-job-manager-form-submit-job.php:165 msgid "Enter an email address or website URL" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:177 +#: includes/forms/class-wp-job-manager-form-submit-job.php:180 msgid "Job Title" msgstr "" -#: 
includes/forms/class-wp-job-manager-form-submit-job.php:185 +#: includes/forms/class-wp-job-manager-form-submit-job.php:188 msgid "Leave this blank if the location is not important" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:195 +#: includes/forms/class-wp-job-manager-form-submit-job.php:198 msgid "Choose job type…" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:210 +#: includes/forms/class-wp-job-manager-form-submit-job.php:213 msgid "Description" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:229 +#: includes/forms/class-wp-job-manager-form-submit-job.php:232 msgid "Enter the name of the company" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:233 +#: includes/forms/class-wp-job-manager-form-submit-job.php:236 #: templates/content-single-job_listing-company.php:30 msgid "Website" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:241 +#: includes/forms/class-wp-job-manager-form-submit-job.php:244 msgid "Tagline" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:244 +#: includes/forms/class-wp-job-manager-form-submit-job.php:247 msgid "Briefly describe your company" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:249 +#: includes/forms/class-wp-job-manager-form-submit-job.php:252 msgid "Video" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:253 +#: includes/forms/class-wp-job-manager-form-submit-job.php:256 msgid "A link to a video about your company" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:257 +#: includes/forms/class-wp-job-manager-form-submit-job.php:260 msgid "Twitter username" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:260 +#: includes/forms/class-wp-job-manager-form-submit-job.php:263 msgid "@yourcompany" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:264 +#: 
includes/forms/class-wp-job-manager-form-submit-job.php:267 msgid "Logo" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:314 +#: includes/forms/class-wp-job-manager-form-submit-job.php:317 #. translators: Placeholder %s is the label for the required field. msgid "%s is a required field" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:325 +#: includes/forms/class-wp-job-manager-form-submit-job.php:328 #. translators: Placeholder %s is the field label that is did not validate. msgid "%s is invalid" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:342 +#: includes/forms/class-wp-job-manager-form-submit-job.php:345 msgid "Invalid attachment provided." msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:360 -#: wp-job-manager-functions.php:1277 +#: includes/forms/class-wp-job-manager-form-submit-job.php:363 +#: wp-job-manager-functions.php:1291 #. translators: Placeholder %1$s is field label; %2$s is the file mime type; #. %3$s is the allowed mime-types. #. translators: %1$s is the file field label; %2$s is the file type; %3$s is 
@@ -1629,44 +1629,44 @@ msgstr "" msgid "\"%1$s\" (filetype %2$s) needs to be one of the following file types: %3$s" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:375 +#: includes/forms/class-wp-job-manager-form-submit-job.php:378 msgid "Please enter a valid application email address" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:384 +#: includes/forms/class-wp-job-manager-form-submit-job.php:387 msgid "Please enter a valid application URL" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:394 +#: includes/forms/class-wp-job-manager-form-submit-job.php:397 msgid "Please enter a valid application email address or URL" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:554 +#: includes/forms/class-wp-job-manager-form-submit-job.php:559 msgid "Please enter a username." msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:558 +#: includes/forms/class-wp-job-manager-form-submit-job.php:563 msgid "Please enter a password." msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:562 +#: includes/forms/class-wp-job-manager-form-submit-job.php:567 msgid "Please enter your email address." msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:568 +#: includes/forms/class-wp-job-manager-form-submit-job.php:573 msgid "Passwords must match." msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:574 +#: includes/forms/class-wp-job-manager-form-submit-job.php:579 #. translators: Placeholder %s is the password hint. msgid "Invalid Password: %s" msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:576 +#: includes/forms/class-wp-job-manager-form-submit-job.php:581 msgid "Password is not valid." msgstr "" -#: includes/forms/class-wp-job-manager-form-submit-job.php:599 +#: includes/forms/class-wp-job-manager-form-submit-job.php:604 msgid "You must be signed in to post a new listing." msgstr "" 
@@ -1994,12 +1994,12 @@ msgid "Maximum file size: %s." msgstr "" #: templates/form-fields/multiselect-field.php:20 -#: wp-job-manager-functions.php:1060 +#: wp-job-manager-functions.php:1074 msgid "No results match" msgstr "" #: templates/form-fields/multiselect-field.php:20 -#: wp-job-manager-functions.php:1061 +#: wp-job-manager-functions.php:1075 msgid "Select Some Options" msgstr "" @@ -2076,11 +2076,11 @@ msgid "" "must be enabled in order to view listings." msgstr "" -#: templates/job-preview.php:20 +#: templates/job-preview.php:28 msgid "Submit Listing" msgstr "" -#: templates/job-preview.php:21 +#: templates/job-preview.php:29 msgid "Edit listing" msgstr "" 
@@ -2124,47 +2124,47 @@ msgstr "" msgid "This email is already registered, please choose another one." msgstr "" -#: wp-job-manager-functions.php:866 +#: wp-job-manager-functions.php:880 msgid "Full Time" msgstr "" -#: wp-job-manager-functions.php:867 +#: wp-job-manager-functions.php:881 msgid "Part Time" msgstr "" -#: wp-job-manager-functions.php:868 +#: wp-job-manager-functions.php:882 msgid "Contractor" msgstr "" -#: wp-job-manager-functions.php:869 +#: wp-job-manager-functions.php:883 msgid "Temporary" msgstr "" -#: wp-job-manager-functions.php:870 +#: wp-job-manager-functions.php:884 msgid "Intern" msgstr "" -#: wp-job-manager-functions.php:871 +#: wp-job-manager-functions.php:885 msgid "Volunteer" msgstr "" -#: wp-job-manager-functions.php:872 +#: wp-job-manager-functions.php:886 msgid "Per Diem" msgstr "" -#: wp-job-manager-functions.php:873 +#: wp-job-manager-functions.php:887 msgid "Other" msgstr "" -#: wp-job-manager-functions.php:940 +#: wp-job-manager-functions.php:954 msgid "Passwords must be at least 8 characters long." msgstr "" -#: wp-job-manager-functions.php:1059 +#: wp-job-manager-functions.php:1073 msgid "Choose a category…" msgstr "" -#: wp-job-manager-functions.php:1280 +#: wp-job-manager-functions.php:1294 #. translators: %s is the list of allowed file types. msgid "Uploaded files need to be one of the following file types: %s" msgstr "" 
@@ -2255,38 +2255,38 @@ msgstr "" msgid "Automattic" msgstr "" -#: includes/admin/class-wp-job-manager-admin.php:141 +#: includes/admin/class-wp-job-manager-admin.php:137 msgctxt "user selection" msgid "No matches found" msgstr "" -#: includes/admin/class-wp-job-manager-admin.php:142 +#: includes/admin/class-wp-job-manager-admin.php:138 msgctxt "user selection" msgid "Loading failed" msgstr "" -#: includes/admin/class-wp-job-manager-admin.php:143 +#: includes/admin/class-wp-job-manager-admin.php:139 msgctxt "user selection" msgid "Please enter 1 or more characters" msgstr "" -#: includes/admin/class-wp-job-manager-admin.php:144 +#: includes/admin/class-wp-job-manager-admin.php:140 msgctxt "user selection" msgid "Please enter %qty% or more characters" msgstr "" -#: includes/admin/class-wp-job-manager-admin.php:145 +#: includes/admin/class-wp-job-manager-admin.php:141 msgctxt "user selection" msgid "Loading more results…" msgstr "" -#: includes/admin/class-wp-job-manager-admin.php:146 +#: includes/admin/class-wp-job-manager-admin.php:142 msgctxt "user selection" msgid "Searching…" msgstr "" -#: includes/admin/class-wp-job-manager-admin.php:159 -#: includes/forms/class-wp-job-manager-form-submit-job.php:432 +#: includes/admin/class-wp-job-manager-admin.php:155 +#: includes/forms/class-wp-job-manager-form-submit-job.php:435 #. translators: jQuery date format, see #. http:api.jqueryui.com/datepicker/#utility-formatDate msgctxt "Date format for jQuery datepicker." 
@@ -2294,19 +2294,19 @@ msgid "yy-mm-dd" msgstr "" #: includes/admin/class-wp-job-manager-permalink-settings.php:104 -#: includes/class-wp-job-manager-post-types.php:823 +#: includes/class-wp-job-manager-post-types.php:838 msgctxt "Job permalink - resave permalinks after changing this" msgid "job" msgstr "" #: includes/admin/class-wp-job-manager-permalink-settings.php:113 -#: includes/class-wp-job-manager-post-types.php:824 +#: includes/class-wp-job-manager-post-types.php:839 msgctxt "Job category slug - resave permalinks after changing this" msgid "job-category" msgstr "" #: includes/admin/class-wp-job-manager-permalink-settings.php:122 -#: includes/class-wp-job-manager-post-types.php:825 +#: includes/class-wp-job-manager-post-types.php:840 msgctxt "Job type slug - resave permalinks after changing this" msgid "job-type" msgstr "" @@ -2326,13 +2326,13 @@ msgctxt "Default page title (wizard)" msgid "Jobs" msgstr "" -#: includes/class-wp-job-manager-post-types.php:373 +#: includes/class-wp-job-manager-post-types.php:374 #: wp-job-manager-functions.php:320 msgctxt "post status" msgid "Expired" msgstr "" -#: includes/class-wp-job-manager-post-types.php:386 +#: includes/class-wp-job-manager-post-types.php:387 #: wp-job-manager-functions.php:321 msgctxt "post status" msgid "Preview" @@ -2358,7 +2358,7 @@ msgctxt "post status" msgid "Active" msgstr "" -#: includes/class-wp-job-manager-post-types.php:807 +#: includes/class-wp-job-manager-post-types.php:822 msgctxt "Post type archive slug - resave permalinks after changing this" msgid "jobs" msgstr "" \ No newline at end of file diff --git a/package.json b/package.json index 5103639d9..689b01a3a 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "wp-job-manager", "title": "WP Job Manager", - "version": "1.32.1", + "version": "1.32.2", "homepage": "http://wordpress.org/plugins/wp-job-manager/", "license": "GPL-2.0+", "repository": "automattic/wp-job-manager", 
diff --git a/phpcs.xml.dist b/phpcs.xml.dist index 691198475..e1fc2e2fc 100644 --- a/phpcs.xml.dist +++ b/phpcs.xml.dist @@ -54,4 +54,11 @@ includes/**/abstract-*.php tests/* + + + + + + + diff --git a/readme.md b/readme.md index 24490477c..d5bb0c6c0 100644 --- a/readme.md +++ b/readme.md 
@@ -2,8 +2,8 @@ **Contributors:** [mikejolley](https://profiles.wordpress.org/mikejolley), [automattic](https://profiles.wordpress.org/automattic), [adamkheckler](https://profiles.wordpress.org/adamkheckler), [alexsanford1](https://profiles.wordpress.org/alexsanford1), [annezazu](https://profiles.wordpress.org/annezazu), [cena](https://profiles.wordpress.org/cena), [chaselivingston](https://profiles.wordpress.org/chaselivingston), [csonnek](https://profiles.wordpress.org/csonnek), [davor.altman](https://profiles.wordpress.org/davor.altman), [donnapep](https://profiles.wordpress.org/donnapep), [donncha](https://profiles.wordpress.org/donncha), [drawmyface](https://profiles.wordpress.org/drawmyface), [erania-pinnera](https://profiles.wordpress.org/erania-pinnera), [jacobshere](https://profiles.wordpress.org/jacobshere), [jakeom](https://profiles.wordpress.org/jakeom), [jeherve](https://profiles.wordpress.org/jeherve), [jenhooks](https://profiles.wordpress.org/jenhooks), [jgs](https://profiles.wordpress.org/jgs), [jonryan](https://profiles.wordpress.org/jonryan), [kraftbj](https://profiles.wordpress.org/kraftbj), [lamdayap](https://profiles.wordpress.org/lamdayap), [lschuyler](https://profiles.wordpress.org/lschuyler), [macmanx](https://profiles.wordpress.org/macmanx), [nancythanki](https://profiles.wordpress.org/nancythanki), [orangesareorange](https://profiles.wordpress.org/orangesareorange), [rachelsquirrel](https://profiles.wordpress.org/rachelsquirrel), [ryancowles](https://profiles.wordpress.org/ryancowles), [richardmtl](https://profiles.wordpress.org/richardmtl), [scarstocea](https://profiles.wordpress.org/scarstocea) **Tags:** job manager, job listing, job board, job management, job lists, job list, job, jobs, company, hiring, employment, employer, employees, candidate, freelance, internship, job listings, positions, board, application, hiring, listing, manager, recruiting, recruitment, talent **Requires at least:** 4.7.0 -**Tested up to:** 5.0 -**Stable 
tag:** 1.32.1 +**Tested up to:** 5.1 +**Stable tag:** 1.32.2 **License:** GPLv3 **License URI:** http://www.gnu.org/licenses/gpl-3.0.html @@ -152,6 +152,12 @@ It then creates a database based on the parameters passed to it. ## Changelog ## +### 1.32.2 ### +* Fix: Issue saving job types for job listings in WordPress admin after WordPress 5.1 update. +* Fix: Add nonce checks on edit/submit forms for logged in users. Will require updates to `templates/job-preview.php` if overridden in theme. (Props to foobar7) +* Fix: Escape JSON encoded strings. +* Fix: Add additional sanitization for file attachment fields. + ### 1.32.1 ### * Fix: Adds compatibility with PHP 7.3 * Fix: Restores original site search functionality. diff --git a/readme.txt b/readme.txt index 4ce61f8cf..6d71d2ed4 100644 --- a/readme.txt +++ b/readme.txt @@ -2,8 +2,8 @@ Contributors: mikejolley, automattic, adamkheckler, alexsanford1, annezazu, cena, chaselivingston, csonnek, davor.altman, donnapep, donncha, drawmyface, erania-pinnera, jacobshere, jakeom, jeherve, jenhooks, jgs, jonryan, kraftbj, lamdayap, lschuyler, macmanx, nancythanki, orangesareorange, rachelsquirrel, ryancowles, richardmtl, scarstocea Tags: job manager, job listing, job board, job management, job lists, job list, job, jobs, company, hiring, employment, employer, employees, candidate, freelance, internship, job listings, positions, board, application, hiring, listing, manager, recruiting, recruitment, talent Requires at least: 4.7.0 -Tested up to: 5.0 -Stable tag: 1.32.1 +Tested up to: 5.1 +Stable tag: 1.32.2 License: GPLv3 License URI: http://www.gnu.org/licenses/gpl-3.0.html 
@@ -152,6 +152,12 @@ It then creates a database based on the parameters passed to it. == Changelog == += 1.32.2 = +* Fix: Issue saving job types for job listings in WordPress admin after WordPress 5.1 update. +* Fix: Add nonce checks on edit/submit forms for logged in users. Will require updates to `templates/job-preview.php` if overridden in theme. (Props to foobar7) +* Fix: Escape JSON encoded strings. +* Fix: Add additional sanitization for file attachment fields. + = 1.32.1 = * Fix: Adds compatibility with PHP 7.3 * Fix: Restores original site search functionality. diff --git a/templates/job-preview.php b/templates/job-preview.php index f9d84a8c6..88e5aad10 100644 --- a/templates/job-preview.php +++ b/templates/job-preview.php @@ -8,7 +8,7 @@ * @author Automattic * @package WP Job Manager * @category Template - * @version 1.31.1 + * @version 1.32.2 */ if ( ! defined( 'ABSPATH' ) ) { @@ -16,6 +16,14 @@ } ?>
+
@@ -30,4 +38,12 @@
+
diff --git a/tests/php/tests/includes/test_class.wp-job-manager-post-types.php b/tests/php/tests/includes/test_class.wp-job-manager-post-types.php
index f91fe8d9b..322a6cffb 100644
--- a/tests/php/tests/includes/test_class.wp-job-manager-post-types.php
+++ b/tests/php/tests/includes/test_class.wp-job-manager-post-types.php
@@ -730,7 +730,7 @@ public function test_output_structured_data() {
 $jobs->the_post();
 $post = get_post();
 $structured_data = wpjm_get_job_listing_structured_data( $post );
- $json_data = wp_json_encode( $structured_data );
+ $json_data = wpjm_esc_json( wp_json_encode( $structured_data ), true );
 ob_start();
 $instance->output_structured_data();
 $result = ob_get_clean();
diff --git a/wp-job-manager-functions.php b/wp-job-manager-functions.php
index 0c9217541..c798b0f70 100644
--- a/wp-job-manager-functions.php
+++ b/wp-job-manager-functions.php
@@ -623,13 +623,27 @@ function wp_job_manager_create_account( $args, $deprecated = '' ) {
 do_action( 'wpjm_notify_new_user', $user_id, $args['password'], $new_user );
 // Login.
+ add_action( 'set_logged_in_cookie', '_wpjm_update_global_login_cookie' );
 wp_set_auth_cookie( $user_id, true, is_ssl() );
 wp_set_current_user( $user_id );
+ remove_action( 'set_logged_in_cookie', '_wpjm_update_global_login_cookie' );
 return true;
 }
 endif;
+/**
+ * Allows for immediate access to the logged in cookie after mid-request login.
+ *
+ * @since 1.32.2
+ * @access private
+ *
+ * @param string $logged_in_cookie Logged in cookie.
+ */
+function _wpjm_update_global_login_cookie( $logged_in_cookie ) {
+ $_COOKIE[ LOGGED_IN_COOKIE ] = $logged_in_cookie;
+}
+
 /**
 * Checks if the user can upload a file via the Ajax endpoint.
 *
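Review bot: `_wpjm_update_global_login_cookie()` overwrites `$_COOKIE[ LOGGED_IN_COOKIE ]` but its docblock does not say which consumer needs the freshly set cookie, which is what a future maintainer will want before touching the add_action/remove_action pair; as far as I can tell from core, `wp_create_nonce()` and `wp_verify_nonce()` resolve the session token via `wp_get_session_token()`, which reads that superglobal, so without this a nonce issued later in the same request would be bound to the anonymous session rather than the new account. A why-comment above the assignment would make that explicit, e.g. `// Nonces created later in this request derive their session token from $_COOKIE[ LOGGED_IN_COOKIE ]; mirror the cookie just set by wp_set_auth_cookie() so they validate.`. Scoping the hook to the `wp_set_auth_cookie()` call is the right shape, though it only narrows the window in which the hook is live: any code that reads `$_COOKIE` afterwards in this request still sees the overridden value, which is presumably intended and worth a sentence in the docblock. `wp_job_manager_create_account()` begins outside the hunk.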
@@ -1438,3 +1452,20 @@ function job_manager_duplicate_listing( $post_id ) {
 return $new_post_id;
 }
+/**
+ * Escape JSON for use on HTML or attribute text nodes.
+ *
+ * @since 1.32.2
+ *
+ * @param string $json JSON to escape.
+ * @param bool $html True if escaping for HTML text node, false for attributes. Determines how quotes are handled.
+ * @return string Escaped JSON.
+ */
+function wpjm_esc_json( $json, $html = false ) {
+ return _wp_specialchars(
+ $json,
+ $html ? ENT_NOQUOTES : ENT_QUOTES, // Escape quotes in attribute nodes only.
+ 'UTF-8', // json_encode() outputs UTF-8 (really just ASCII), not the blog's charset.
+ true // Double escape entities: `&` -> `&amp;`.
+ );
+}
diff --git a/wp-job-manager.php b/wp-job-manager.php
index 7d0ab57de..f9ce6d4d9 100644
--- a/wp-job-manager.php
+++ b/wp-job-manager.php
@@ -3,11 +3,11 @@
 * Plugin Name: WP Job Manager
 * Plugin URI: https://wpjobmanager.com/
 * Description: Manage job listings from the WordPress admin panel, and allow users to post jobs directly to your site.
- * Version: 1.32.1
+ * Version: 1.32.2
 * Author: Automattic
 * Author URI: https://wpjobmanager.com/
 * Requires at least: 4.7.0
- * Tested up to: 5.0
+ * Tested up to: 5.1
 * Text Domain: wp-job-manager
 * Domain Path: /languages/
 * License: GPL2+
@@ -63,7 +63,7 @@ public static function instance() {
 */
 public function __construct() {
 // Define constants.
- define( 'JOB_MANAGER_VERSION', '1.32.1' );
+ define( 'JOB_MANAGER_VERSION', '1.32.2' );
 define( 'JOB_MANAGER_MINIMUM_WP_VERSION', '4.7.0' );
 define( 'JOB_MANAGER_PLUGIN_DIR', untrailingslashit( plugin_dir_path( __FILE__ ) ) );
 define( 'JOB_MANAGER_PLUGIN_URL', untrailingslashit( plugins_url( basename( plugin_dir_path( __FILE__ ) ), basename( __FILE__ ) ) ) );
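Review bot: With `$html = true`, `wpjm_esc_json()` converts `<`, `>` and `&` to entities, which is correct for an element text node but not for a `<script>` body, where the HTML parser does not decode entities; the test hunk above (`test_output_structured_data`) pairs it with `wp_json_encode()`, and if `output_structured_data()` emits a `<script type="application/ld+json">` element (not visible here) the structured data would carry literal `&amp;` and `&lt;` inside URLs and titles. For script context the safer form is to keep the output as JSON and pass `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` to `wp_json_encode()`, which emits `\u003C`-style escapes that cannot terminate the element yet decode back to the original characters. Either way the docblock should name the intended contexts, e.g. `@param bool $html True for an HTML element text node (not a <script> body), false for an attribute value.`. If I recall core correctly `wp_json_encode()` returns false on failure and `_wp_specialchars()` casts that to `''`, so callers silently get an empty string; a `@return string Escaped JSON, or an empty string when $json is not a string.` line would document that.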