Merge pull request #2018 from rtCamp/develop

Release version 4.6.16

Gruntfile.js

@@ -32,7 +32,7 @@ module.exports = function ( grunt ) {
 			dist: {
 				options: {
 					style: 'expanded',
-					sourcemap: 'none'
+					sourceMap: false
 				},
 				files: {
 					'app/assets/admin/css/admin.css': 'app/assets/admin/css/sass/admin.scss',
@@ -43,7 +43,7 @@ module.exports = function ( grunt ) {
 			minify: {
 				options: {
 					style: 'compressed',
-					sourcemap: 'none'
+					sourceMap: false
 				},
 				files: {
 					'app/assets/admin/css/admin.min.css': 'app/assets/admin/css/sass/admin.scss',

README.md

@@ -152,6 +152,19 @@ https://www.youtube.com/watch?v=dJrykKQGDcs
 
 ## Changelog ##
 
+### 4.6.16 [November 16, 2023] ###
+
+* Enhancement
+
+	* Compatible with WordPress latest version 6.4
+
+* Fixed
+
+	* Fixed PHP deprecation warnings. 
+    * Fixed BuddyPress Versioning issue 
+    * Fixed Security issue. 
+    * Fixed Video player UI issues.
+
 ### 4.6.15 [September 4, 2023] ###
 
 * Fixed

SECURITY.md

@@ -0,0 +1,9 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security bugs found in this plugin's source code through the
+[Patchstack Vulnerability Disclosure
+Program](https://patchstack.com/database/vdp/buddypress-media). The Patchstack team will
+assist you with verification, and CVE assignment, and notify the
+developers of this plugin. 

app/admin/RTMediaAdmin.php

@@ -1434,10 +1434,8 @@ public function import_settings( $file_path ) {
 				wp_send_json( $response );
 			}
 
-			ob_start();
-			include $file_path;
-
-			$settings_data_json = ob_get_clean();
+			$settings_data_json_string = file_get_contents( $file_path );
+			$settings_data_json = json_decode( $settings_data_json_string, true );
 			wp_delete_file( $file_path );
 
 			if ( empty( $settings_data_json ) ) {

app/assets/css/rtmedia.css

@@ -3109,6 +3109,10 @@ a.rtmedia-upload-media-link {
   padding: 4px 8px;
   border: none;
   background: rgba(0, 0, 0, 0) url("../../../lib/media-element/mejs-controls.png") no-repeat;
+  width: 20px;
+}
+#buddypress .mejs-controls button:hover, #buddypress .mejs-controls button:focus, #buddypress .mejs-controls button:active {
+  background: rgba(0, 0, 0, 0.2) url("../../../lib/media-element/mejs-controls.png") no-repeat;
 }
 #buddypress .mejs-controls .mejs-play > button {
   background-position: 0 0;

app/assets/css/sass/_media-element.scss

@@ -11,6 +11,11 @@
 			padding: 4px 8px;
 			border: none;
 			background: rgba(0, 0, 0, 0) url('../../../lib/media-element/mejs-controls.png') no-repeat;
+			width: 20px;
+
+			&:hover, &:focus, &:active {
+				background: rgba(0, 0, 0, 0.2) url('../../../lib/media-element/mejs-controls.png') no-repeat;
+			}
 		}
 
 		.mejs-play > button {

app/assets/js/rtMedia.activity.js

@@ -0,0 +1,14 @@
+( function() {
+    if( bp && bp.Nouveau && bp.Nouveau.inject ) {
+        callback = bp.Nouveau.inject;
+
+        // Overwrite the inject function and apply mediaelement library player after adding activity.
+        bp.Nouveau.inject = function( selector, content, method ) {
+            callback( selector, content, method );
+
+            if ( 'function' === typeof rtmedia_on_activity_add ) {
+                rtmedia_on_activity_add();
+            }
+        };
+    }
+})();

app/assets/js/rtMedia.backbone.js

@@ -1751,20 +1751,8 @@ jQuery( document ).ready( function( $ ) {
 						objUploadView.uploader.refresh();
 						$( '#rtmedia-whts-new-upload-container > div' ).css( { 'top': '0', 'left': '0' } );
 						$( '#whats-new-form #rtMedia-update-queue-list' ).html( '' );
-						//$("#div-attache-rtmedia").hide();
+
 						apply_rtMagnificPopup( jQuery( '.rtmedia-list-media, .rtmedia-activity-container ul.rtmedia-list, #bp-media-list,.widget-item-listing,.bp-media-sc-list, li.media.album_updated ul,ul.bp-media-list-media, li.activity-item div.activity-content div.activity-inner div.bp_media_content' ) );
-						jQuery( 'ul.activity-list li.rtmedia_update:first-child .wp-audio-shortcode, ul.activity-list li.rtmedia_update:first-child .wp-video-shortcode' ).mediaelementplayer( {
-							// This is required to work with new MediaElement version.
-                                                        classPrefix: 'mejs-',
-                                                        // If the <video width> is not specified, this is the default
-							defaultVideoWidth: 480,
-							// If the <video height> is not specified, this is the default
-							defaultVideoHeight: 270
-							// If set, overrides <video width>
-							//videoWidth: 1,
-							// if set, overrides <video height>
-							//videoHeight: 1
-						} );
 
 						// For BuddyPress New Template hacks
 						jQuery( '.plupload_filelist_content.rtm-plupload-list' ).html('');
@@ -1776,7 +1764,7 @@ jQuery( document ).ready( function( $ ) {
 						rtmedia_add_media_button_post_update.removeAttr( 'disabled' );
 					}
 
-					rtmedia_on_activity_add();
+					// rtmedia_on_activity_add();
 
 					$( '#whats-new-post-in' ).removeAttr( 'disabled' );
 					if ( ! rtmedia_add_media_button_post_update ) {
@@ -2272,14 +2260,11 @@ function rtmedia_reset_video_and_audio(){
 
 
 function rtmedia_on_activity_add(){
-	setTimeout( function() {
-		rtmedia_activity_stream_comment_media();
-
-		rtmedia_reset_video_and_audio();
+	rtmedia_activity_stream_comment_media();
 
-		rtmedia_apply_popup_to_media();
+	rtmedia_reset_video_and_audio();
 
-	}, 1500 );
+	rtmedia_apply_popup_to_media();
 }
 
 

app/main/RTMedia.php

@@ -449,9 +449,7 @@ public function custom_style_for_activity_image_size() {
 			height: 100% !important;
 			}
 
-			.rtmedia-activity-container li.media-type-video div.rtmedia-item-thumbnail .mejs-video,
-			.rtmedia-activity-container li.media-type-video div.rtmedia-item-thumbnail .mejs-video video,
-			.rtmedia-activity-container li.media-type-video div.rtmedia-item-thumbnail .mejs-video .mejs-overlay-play{
+			.rtmedia-activity-container li.media-type-video div.rtmedia-item-thumbnail .mejs-video video {
 			width: 100% !important;
 			height: 100% !important;
 			}
@@ -1671,6 +1669,17 @@ public function enqueue_scripts_styles() {
 
 			wp_localize_script( 'rtmedia-backbone', 'rtMedia_update_plupload_config', $params );
 		}
+
+		wp_enqueue_script(
+			'rtmedia-activity',
+			RTMEDIA_URL . 'app/assets/js/rtMedia.activity.js',
+			array(
+				'bp-nouveau',
+				'rtmedia-backbone'
+			),
+			RTMEDIA_VERSION,
+			true
+		);
 	}
 
 	/**

app/main/controllers/api/RTMediaJsonApi.php

@@ -1085,8 +1085,8 @@ public function rtmedia_api_process_rtmedia_upload_media_request() {
 		$ec_no_file  = 140001;
 		$msg_no_file = esc_html__( 'no file', 'buddypress-media' );
 
-		$ec_invalid_file_string  = 140005;
-		$msg_invalid_file_string = esc_html__( 'invalid file string', 'buddypress-media' );
+		$ec_invalid_file_type  = 140007;
+		$msg_invalid_file_type = esc_html__( 'invalid file type. jpeg and png are allowed.', 'buddypress-media' );
 
 		$ec_image_type_missing  = 140006;
 		$msg_image_type_missing = esc_html__( 'image type missing', 'buddypress-media' );
@@ -1100,11 +1100,23 @@ public function rtmedia_api_process_rtmedia_upload_media_request() {
 		$ec_look_updated  = 140004;
 		$msg_look_updated = esc_html__( 'media updated', 'buddypress-media' );
 
-		$rtmedia_file = sanitize_text_field( filter_input( INPUT_POST, 'rtmedia_file', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) );
 		$image_type   = sanitize_text_field( filter_input( INPUT_POST, 'image_type', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) );
-		$title        = sanitize_text_field( filter_input( INPUT_POST, 'title', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) );
+		$mime_type    = "";
+
+		if ( in_array( $image_type, array( 'jpeg', 'jpg' ), true ) ) {
+			$mime_type = 'image/jpeg';
+		}
+		else if ( 'png' === $image_type ) {
+			$mime_type = 'image/png';
+		} else {
+			wp_send_json( $this->rtmedia_api_response_object( 'FALSE', $ec_invalid_file_type, $msg_invalid_file_type ) );
+		}
+
+		$title        = sanitize_title( filter_input( INPUT_POST, 'title', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) );
 		$description  = sanitize_text_field( filter_input( INPUT_POST, 'description', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) );
 
+		$rtmedia_file = sanitize_text_field( filter_input( INPUT_POST, 'rtmedia_file', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) );
+
 		$updated       = false;
 		$uploaded_look = false;
 
@@ -1118,6 +1130,8 @@ public function rtmedia_api_process_rtmedia_upload_media_request() {
 			}
 			if ( empty( $title ) ) {
 				wp_send_json( $this->rtmedia_api_response_object( 'FALSE', $ec_no_file_title, $msg_no_file_title ) );
+			} else {
+				$title .= wp_generate_password( 12, false );
 			}
 		}
 
@@ -1137,23 +1151,30 @@ public function rtmedia_api_process_rtmedia_upload_media_request() {
 
 			// Process rtmedia_file.
 			$img          = $rtmedia_file;
-			$str_replace  = 'data:image/' . $image_type . ';base64,';
+			$str_replace  = 'data:' . $mime_type . ';base64,';
 			$img          = str_replace( $str_replace, '', $img );
 			$rtmedia_file = base64_decode( $img ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
 
-			if ( ! $rtmedia_file ) {
-				wp_send_json( $this->rtmedia_api_response_object( 'FALSE', $ec_invalid_file_string, $msg_invalid_file_string ) );
+			// check if file is valid image.
+			$actual_file_info = getimagesizefromstring( $rtmedia_file );
+
+			if ( ! $actual_file_info || ! isset( $actual_file_info['mime'] ) || ! in_array( $actual_file_info['mime'], array( 'image/jpeg', 'image/png' ), true ) ) {
+				wp_send_json( $this->rtmedia_api_response_object( 'FALSE', $ec_invalid_image, $msg_invalid_image ) );
 			}
 
-			define( 'UPLOAD_DIR_LOOK', sys_get_temp_dir() . '/' );
+			define( 'UPLOAD_DIR_LOOK', sys_get_temp_dir() );
 
 			$tmp_name = UPLOAD_DIR_LOOK . $title;
 			$file     = $tmp_name . '.' . $image_type;
 			$success  = file_put_contents( $file, $rtmedia_file ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_file_put_contents
 
+			if ( ! $success ) {
+				wp_send_json( $this->rtmedia_api_response_object( 'FALSE', $ec_invalid_image, $msg_invalid_image ) );
+			}
+
 			add_filter( 'upload_dir', array( $this, 'api_new_media_upload_dir' ) );
 			$new_look         = wp_upload_bits( $title . '.' . $image_type, null, $rtmedia_file );
-			$new_look['type'] = 'image/' . $image_type;
+			$new_look['type'] = $mime_type;
 			remove_filter( 'upload_dir', array( $this, 'api_new_media_upload_dir' ) );
 
 			foreach ( $new_look as $key => $value ) {

app/main/controllers/media/RTMediaComment.php

@@ -199,8 +199,14 @@ public static function pre_comment_render( $attr ) {
 					$template = 'comment-media';
 				}
 
+				ob_start();
+
 				$view = new RTMediaUploadView( $attr );
-				echo wp_kses( $view->render( $template ), RTMedia::expanded_allowed_tags() );
+				$view->render( $template );
+
+				$buffer = ob_get_clean();
+
+				echo wp_kses( $buffer, RTMedia::expanded_allowed_tags() );
 
 			}
 		} else {

app/main/controllers/template/RTMediaNav.php

@@ -131,8 +131,6 @@ public function custom_media_nav_tab() {
 				$media_tab_position = apply_filters( 'rtmedia_group_media_tab_position', 99 );
 
 				// to solve an issue of Media Tab is not showing in version 10.0.0.
-				$bp->version = floatval( $bp->version );
-
 				if ( isset( $bp->version ) && version_compare( $bp->version, '2.5.3', 'gt' ) ) {
 
 					/**

app/main/controllers/template/rtmedia-filters.php

@@ -758,7 +758,13 @@ function rtmedia_search_fillter_where_query( $where, $table_name ) {
 
 	if ( function_exists( 'rtmedia_media_search_enabled' ) && rtmedia_media_search_enabled() ) {
 
-		$search                = sanitize_text_field( urldecode( wp_unslash( filter_input( INPUT_GET, 'search', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) ) ) );
+		$raw_search = wp_unslash( filter_input( INPUT_GET, 'search', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) );
+
+		if ( 'string' !== gettype( $raw_search ) ) {
+			$raw_search = "";
+		}
+
+		$search                = sanitize_text_field( urldecode( $raw_search ) );
 		$search_by             = sanitize_text_field( wp_unslash( filter_input( INPUT_GET, 'search_by', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) ) );
 		$media_type            = sanitize_text_field( wp_unslash( filter_input( INPUT_GET, 'media_type', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) ) );
 		$rtmedia_current_album = sanitize_text_field( wp_unslash( filter_input( INPUT_GET, 'rtmedia-current-album', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) ) );

app/main/controllers/template/rtmedia-functions.php

@@ -950,8 +950,7 @@ function rtmedia_duration( $id = false ) {
 
 	if ( ! empty( $rtmedia_backbone['backbone'] ) ) {
 		echo '<%= duration %>';
-
-		return;
+		return '';
 	}
 
 	if ( $id ) {
@@ -965,7 +964,7 @@ function rtmedia_duration( $id = false ) {
 		if ( isset( $media[0] ) ) {
 			$media_object = $media[0];
 		} else {
-			return false;
+			return '';
 		}
 	} else {
 		global $rtmedia_media;

index.php

@@ -3,7 +3,7 @@
  * Plugin Name: rtMedia for WordPress, BuddyPress and bbPress
  * Plugin URI: https://rtmedia.io/?utm_source=dashboard&utm_medium=plugin&utm_campaign=buddypress-media
  * Description: This plugin adds missing media rich features like photos, videos and audio uploading to BuddyPress which are essential if you are building social network, seriously!
- * Version: 4.6.15
+ * Version: 4.6.16
  * Author: rtCamp
  * Text Domain: buddypress-media
  * Author URI: http://rtcamp.com/?utm_source=dashboard&utm_medium=plugin&utm_campaign=buddypress-media
@@ -19,7 +19,7 @@
 	/**
 	 * The version of the plugin
 	 */
-	define( 'RTMEDIA_VERSION', '4.6.15' );
+	define( 'RTMEDIA_VERSION', '4.6.16' );
 }
 
 if ( ! defined( 'RTMEDIA_PATH' ) ) {