release: fixes

### Improvements - **SDK Updates** ### Bug Fixes - **Enhanced security** - **Fixed the broken starter site link**
Codeinwp · Dec 18, 2023 · 6bcf5df · 6bcf5df
2 parents 9eb1c90 + 7605ea5
commit 6bcf5df
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 7 deletions.
diff --git a/composer.lock b/composer.lock
diff --git a/obfx_modules/header-footer-scripts/init.php b/obfx_modules/header-footer-scripts/init.php
@@ -86,6 +86,56 @@ public function hooks() {
 
 		$this->loader->add_action( 'wp_head', $this, 'do_header_scripts' );
 		$this->loader->add_action( 'wp_footer', $this, 'do_footer_scripts' );
+
+		/**
+		 * Since we allow for the script meta to be unfiltered, we need to make sure that
+		 * the current user is allowed to add unfiltered html. If not we prevent the meta from being saved or listed.
+		 */
+		$this->loader->add_filter( 'add_post_metadata', $this, 'check_post_metadata', 10, 5 );
+		$this->loader->add_filter( 'update_post_metadata', $this, 'check_post_metadata', 10, 5 );
+		$this->loader->add_filter( 'is_protected_meta', $this, 'is_meta_protected', 10, 3 );
+	}
+
+	/**
+	 * Check if meta is protected.
+	 *
+	 * @param bool $protected Whether the key is considered protected.
+	 * @param string $meta_key Metadata key.
+	 * @param string $meta_type Type of object metadata is for. Accepts 'post', 'comment', 'term', 'user', or any other object type with an associated meta table.
+	 *
+	 * @return bool
+	 */
+	final public function is_meta_protected( $protected, $meta_key, $meta_type ) {
+		if ( ! in_array( $meta_key, array( 'obfx-header-scripts', 'obfx-footer-scripts' ), true ) ) {
+			return $protected;
+		}
+
+		if ( current_user_can( 'unfiltered_html' ) ) {
+			return $protected;
+		}
+
+		return true;
+	}
+
+	/**
+	 * @param null | bool $check Whether the meta key is allowed for update or add actions.
+	 * @param int $object_id Object ID.
+	 * @param string $meta_key Metadata key.
+	 * @param mixed $meta_value Metadata value.
+	 * @param mixed $prev_value Previous value of metadata.
+	 *
+	 * @return null | bool
+	 */
+	final public function check_post_metadata( $check, $object_id, $meta_key, $meta_value, $prev_value ) {
+		if ( ! in_array( $meta_key, array( 'obfx-header-scripts', 'obfx-footer-scripts' ), true ) ) {
+			return $check;
+		}
+
+		if ( current_user_can( 'unfiltered_html' ) ) {
+			return $check;
+		}
+
+		return false;
 	}
 
 	/**

diff --git a/obfx_modules/template-directory/init.php b/obfx_modules/template-directory/init.php
@@ -211,7 +211,7 @@ public function admin_enqueue() {
 					'cta'      => $this->get_state( 'tpc' ),
 					'activate' => $this->get_tcp_activation_link(),
 				),
-				'tpcAdminURL' => ( defined( 'NEVE_COMPATIBILITY_FEATURES' ) && isset( NEVE_COMPATIBILITY_FEATURES['theme_dedicated_menu'] ) ) ? admin_url( 'admin.php?page=tiob-starter-sites' ) : admin_url( 'themes.php?page=tiob-starter-sites' ),
+				'tpcAdminURL' => admin_url( 'admin.php?page=tiob-starter-sites' ),
 				'nonce'       => wp_create_nonce( 'wp_rest' ),
 				'strings'     => array(
 					'themeNotInstalled' => __( 'In order to import any starter sites, Neve theme & Templates Cloud plugin need to be installed and activated. Click the button below to install and activate Neve.', 'themeisle-companion' ),