Merge pull request #223 from PRX/plugin-updates-august-2024

Update plugins 21 August, 2024.

wp-content/plugins/advanced-custom-fields-pro/acf.php

@@ -9,7 +9,7 @@
  * Plugin Name:       Advanced Custom Fields PRO
  * Plugin URI:        https://www.advancedcustomfields.com
  * Description:       Customize WordPress with powerful, professional and intuitive fields.
- * Version:           6.3.3
+ * Version:           6.3.5
  * Author:            WP Engine
  * Author URI:        https://wpengine.com/?utm_source=wordpress.org&utm_medium=referral&utm_campaign=plugin_directory&utm_content=advanced_custom_fields
  * Update URI:        https://www.advancedcustomfields.com/pro
@@ -36,7 +36,7 @@ class ACF {
 		 *
 		 * @var string
 		 */
-		public $version = '6.3.3';
+		public $version = '6.3.5';
 
 		/**
 		 * The plugin settings array.

wp-content/plugins/advanced-custom-fields-pro/includes/acf-input-functions.php

@@ -70,25 +70,28 @@ function acf_esc_attrs( $attrs ) {
  *
  * This function emulates `wp_kses_post()` with a context of "acf" for extensibility.
  *
- * @date    16/4/21
- * @since   5.9.6
+ * @since  5.9.6
  *
- * @param   string $string
- * @return  string
+ * @param  string $string The string to be escaped
+ * @return string|false
  */
 function acf_esc_html( $string = '' ) {
+
+	if ( ! is_scalar( $string ) ) {
+		return false;
+	}
+
 	return wp_kses( (string) $string, 'acf' );
 }
 
 /**
  * Private callback for the "wp_kses_allowed_html" filter used to return allowed HTML for "acf" context.
  *
- * @date    16/4/21
  * @since   5.9.6
  *
- * @param   array  $tags    An array of allowed tags.
- * @param   string $context The context name.
- * @return  array.
+ * @param  array  $tags    An array of allowed tags.
+ * @param  string $context The context name.
+ * @return array
  */
 function _acf_kses_allowed_html( $tags, $context ) {
 	global $allowedposttags;

wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-check-screen.php

@@ -23,11 +23,6 @@ class ACF_Ajax_Check_Screen extends ACF_Ajax {
 		 * @return array|WP_Error The response data or WP_Error.
 		 */
 		public function get_response( $request ) {
-			if ( ! current_user_can( 'edit_posts' ) ) {
-				return new WP_Error( 'acf_invalid_permissions', __( 'Sorry, you do not have permission to do that.', 'acf' ) );
-			}
-
-			// vars
 			$args = wp_parse_args(
 				$this->request,
 				array(
@@ -38,7 +33,10 @@ public function get_response( $request ) {
 				)
 			);
 
-			// vars
+			if ( ! acf_current_user_can_edit_post( (int) $args['post_id'] ) ) {
+				return new WP_Error( 'acf_invalid_permissions', __( 'Sorry, you do not have permission to do that.', 'acf' ) );
+			}
+
 			$response = array(
 				'results' => array(),
 				'style'   => '',

wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-local-json-diff.php

@@ -34,7 +34,7 @@ class ACF_Ajax_Local_JSON_Diff extends ACF_Ajax {
 		public function get_response( $request ) {
 			// Bail early if the current user can't access the ACF admin.
 			if ( ! acf_current_user_can_admin() ) {
-				return new WP_Error( 'acf_not_allowed', __( 'Sorry, you are not allowed to do that.', 'acf' ), array( 'status' => 403 ) );
+				return new WP_Error( 'acf_not_allowed', __( 'Sorry, you do not have permission to do that.', 'acf' ), array( 'status' => 403 ) );
 			}
 
 			$json = array();

wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-upgrade.php

@@ -21,7 +21,7 @@ class ACF_Ajax_Upgrade extends ACF_Ajax {
 		 */
 		public function get_response( $request ) {
 			if ( ! current_user_can( acf_get_setting( 'capability' ) ) ) {
-				return new WP_Error( 'upgrade_error', __( 'Sorry, you don\'t have permission to do that.', 'acf' ) );
+				return new WP_Error( 'upgrade_error', __( 'Sorry, you do not have permission to do that.', 'acf' ) );
 			}
 
 			// Switch blog.

wp-content/plugins/advanced-custom-fields-pro/includes/api/api-helpers.php

@@ -2715,6 +2715,31 @@ function acf_current_user_can_admin() {
 	return false;
 }
 
+/**
+ * Wrapper function for current_user_can( 'edit_post', $post_id ).
+ *
+ * @since 6.3.4
+ *
+ * @param integer $post_id The post ID to check.
+ * @return boolean
+ */
+function acf_current_user_can_edit_post( int $post_id ): bool {
+	/**
+	 * The `edit_post` capability is a meta capability, which
+	 * gets converted to the correct post type object `edit_post`
+	 * equivalent.
+	 *
+	 * If the post type does not have `map_meta_cap` enabled and the user is
+	 * not manually mapping the `edit_post` capability, this will fail
+	 * unless the role has the `edit_post` capability added to a user/role.
+	 *
+	 * However, more (core) stuff will likely break in this scenario.
+	 */
+	$user_can_edit = current_user_can( 'edit_post', $post_id );
+
+	return (bool) apply_filters( 'acf/current_user_can_edit_post', $user_can_edit, $post_id );
+}
+
 /**
  * acf_get_filesize
  *

wp-content/plugins/advanced-custom-fields-pro/includes/api/api-template.php

@@ -115,10 +115,14 @@ function the_field( $selector, $post_id = false, $format_value = true ) {
 		$unescaped_value = implode( ', ', $unescaped_value );
 	}
 
+	if ( ! is_scalar( $unescaped_value ) ) {
+		$unescaped_value = false;
+	}
+
 	$field_type = is_array( $field ) && isset( $field['type'] ) ? $field['type'] : 'text';
 	if ( apply_filters( 'acf/the_field/allow_unsafe_html', false, $selector, $post_id, $field_type, $field ) ) {
 		$value = $unescaped_value;
-	} elseif ( (string) $value !== (string) $unescaped_value ) {
+	} elseif ( $unescaped_value !== false && (string) $value !== (string) $unescaped_value ) {
 		do_action( 'acf/removed_unsafe_html', __FUNCTION__, $selector, $field, $post_id );
 	}
 
@@ -889,10 +893,14 @@ function the_sub_field( $field_name, $format_value = true ) {
 		$unescaped_value = implode( ', ', $unescaped_value );
 	}
 
+	if ( ! is_scalar( $unescaped_value ) ) {
+		$unescaped_value = false;
+	}
+
 	$field_type = is_array( $field ) && isset( $field['type'] ) ? $field['type'] : 'text';
 	if ( apply_filters( 'acf/the_field/allow_unsafe_html', false, $field_name, 'sub_field', $field_type, $field ) ) {
 		$value = $unescaped_value;
-	} elseif ( (string) $value !== (string) $unescaped_value ) {
+	} elseif ( $unescaped_value !== false && (string) $value !== (string) $unescaped_value ) {
 		do_action( 'acf/removed_unsafe_html', __FUNCTION__, $field_name, $field, false );
 	}
 
@@ -999,7 +1007,11 @@ function get_row_layout() {
 function acf_shortcode( $atts ) {
 	// Return if the ACF shortcode is disabled.
 	if ( ! acf_get_setting( 'enable_shortcode' ) ) {
-		return;
+		if ( is_preview() ) {
+			return apply_filters( 'acf/shortcode/disabled_message', __( '[The ACF shortcode is disabled on this site]', 'acf' ) );
+		} else {
+			return;
+		}
 	}
 
 	if ( function_exists( 'wp_is_block_theme' ) && wp_is_block_theme() ) {
@@ -1031,6 +1043,21 @@ function acf_shortcode( $atts ) {
 		'acf'
 	);
 
+	// Decode the post ID for filtering.
+	$post_id         = acf_get_valid_post_id( $atts['post_id'] );
+	$decoded_post_id = acf_decode_post_id( $post_id );
+
+	// If we've decoded to a post, ensure the post is publicly visible.
+	if ( $decoded_post_id['type'] === 'post' ) {
+		if ( $atts['post_id'] !== false && ( (int) $atts['post_id'] !== (int) acf_get_valid_post_id() ) && ( ! is_post_publicly_viewable( $decoded_post_id['id'] ) ) && apply_filters( 'acf/shortcode/prevent_access_to_fields_on_non_public_posts', true ) ) {
+			if ( is_preview() ) {
+				return apply_filters( 'acf/shortcode/post_not_public_message', __( '[The ACF shortcode cannot display fields from non-public posts]', 'acf' ) );
+			} else {
+				return;
+			}
+		}
+	}
+
 	$access_already_prevented = apply_filters( 'acf/prevent_access_to_unknown_fields', false );
 	$filter_applied           = false;
 
@@ -1039,10 +1066,6 @@ function acf_shortcode( $atts ) {
 		add_filter( 'acf/prevent_access_to_unknown_fields', '__return_true' );
 	}
 
-	// Decode the post ID for filtering.
-	$post_id         = acf_get_valid_post_id( $atts['post_id'] );
-	$decoded_post_id = acf_decode_post_id( $post_id );
-
 	// Try to get the field value, ensuring any non-safe HTML is stripped from wysiwyg fields via `acf_the_content`
 	$field = get_field_object( $atts['field'], $post_id, $atts['format_value'], true, true );
 	$value = $field ? $field['value'] : get_field( $atts['field'], $post_id, $atts['format_value'], true );
@@ -1060,10 +1083,6 @@ function acf_shortcode( $atts ) {
 	// Temporarily always get the unescaped version for action comparison.
 	$unescaped_value = get_field( $atts['field'], $post_id, $atts['format_value'], false );
 
-	if ( $filter_applied ) {
-		remove_filter( 'acf/prevent_access_to_unknown_fields', '__return_true' );
-	}
-
 	// Remove the filter preventing access to unknown filters now we've got all the values.
 	if ( $filter_applied ) {
 		remove_filter( 'acf/prevent_access_to_unknown_fields', '__return_true' );
@@ -1073,10 +1092,14 @@ function acf_shortcode( $atts ) {
 		$unescaped_value = implode( ', ', $unescaped_value );
 	}
 
+	if ( ! is_scalar( $unescaped_value ) ) {
+		$unescaped_value = false;
+	}
+
 	// Handle getting the unescaped version if we're allowed unsafe html.
 	if ( apply_filters( 'acf/shortcode/allow_unsafe_html', false, $atts, $field_type, $field ) ) {
 		$value = $unescaped_value;
-	} elseif ( (string) $value !== (string) $unescaped_value ) {
+	} elseif ( $unescaped_value !== false && (string) $value !== (string) $unescaped_value ) {
 		do_action( 'acf/removed_unsafe_html', __FUNCTION__, $atts['field'], $field, $post_id );
 	}
 

wp-content/plugins/advanced-custom-fields-pro/includes/fields/class-acf-field-icon_picker.php

@@ -437,13 +437,13 @@ public function get_dashicons() {
 				'dashicons-book'                      => esc_html__( 'Book Icon', 'acf' ),
 				'dashicons-book-alt'                  => esc_html__( 'Book (alt) Icon', 'acf' ),
 				'dashicons-buddicons-activity'        => esc_html__( 'Activity Icon', 'acf' ),
-				'dashicons-buddicons-bbpress-logo'    => esc_html__( 'BbPress Icon', 'acf' ),
+				'dashicons-buddicons-bbpress-logo'    => esc_html__( 'bbPress Icon', 'acf' ),
 				'dashicons-buddicons-buddypress-logo' => esc_html__( 'BuddyPress Icon', 'acf' ),
 				'dashicons-buddicons-community'       => esc_html__( 'Community Icon', 'acf' ),
 				'dashicons-buddicons-forums'          => esc_html__( 'Forums Icon', 'acf' ),
 				'dashicons-buddicons-friends'         => esc_html__( 'Friends Icon', 'acf' ),
 				'dashicons-buddicons-groups'          => esc_html__( 'Groups Icon', 'acf' ),
-				'dashicons-buddicons-pm'              => esc_html__( 'Pm Icon', 'acf' ),
+				'dashicons-buddicons-pm'              => esc_html__( 'PM Icon', 'acf' ),
 				'dashicons-buddicons-replies'         => esc_html__( 'Replies Icon', 'acf' ),
 				'dashicons-buddicons-topics'          => esc_html__( 'Topics Icon', 'acf' ),
 				'dashicons-buddicons-tracking'        => esc_html__( 'Tracking Icon', 'acf' ),
@@ -570,8 +570,8 @@ public function get_dashicons() {
 				'dashicons-hidden'                    => esc_html__( 'Hidden Icon', 'acf' ),
 				'dashicons-hourglass'                 => esc_html__( 'Hourglass Icon', 'acf' ),
 				'dashicons-html'                      => esc_html__( 'HTML Icon', 'acf' ),
-				'dashicons-id'                        => esc_html__( 'Id Icon', 'acf' ),
-				'dashicons-id-alt'                    => esc_html__( 'Id (alt) Icon', 'acf' ),
+				'dashicons-id'                        => esc_html__( 'ID Icon', 'acf' ),
+				'dashicons-id-alt'                    => esc_html__( 'ID (alt) Icon', 'acf' ),
 				'dashicons-image-crop'                => esc_html__( 'Crop Icon', 'acf' ),
 				'dashicons-image-filter'              => esc_html__( 'Filter Icon', 'acf' ),
 				'dashicons-image-flip-horizontal'     => esc_html__( 'Flip Horizontal Icon', 'acf' ),