Pods 3.2.7.1

changelog.txt

@@ -2,6 +2,10 @@ Found a bug? Have a great feature idea? Get on GitHub and tell us about it and w
 
 Our GitHub has the full list of all prior releases of Pods: https://github.com/pods-framework/pods/releases
 
+= 3.2.7.1 - October 9th, 2024 =
+
+* Security: Lock down heading field to only specific allowed HTML tags and preventing it from being used to insert malicious scripts. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this. (@sc0ttkclark)
+
 = 3.2.7 - August 28th, 2024 =
 
 * Feature: New Pods Related Item List block that works like a Pods Item List block but uses the Pods Single Item block context where you specify a relationship field name to reference. (@sc0ttkclark)

classes/PodsAdmin.php

@@ -2026,7 +2026,7 @@ public function get_callouts() {
 
 		if ( ! $callouts ) {
 			$callouts = [
-				'friends_2023_docs' => 1,
+				'friends_2024_docs' => 1,
 				'access_rights'     => (
 					PodsInit::$version_last
 					&& version_compare( PodsInit::$version_last, '3.1.0-a-1', '<' )
@@ -2038,7 +2038,7 @@ public function get_callouts() {
 
 		// Handle callouts logic.
 		$callouts['access_rights'] = ! isset( $callouts['access_rights'] ) || $callouts['access_rights'] ? 1 : 0;
-		$callouts['friends_2023_docs'] = ! isset( $callouts['friends_2023_docs'] ) || $callouts['friends_2023_docs'] || $force_callouts ? 1 : 0;
+		$callouts['friends_2024_docs'] = ! isset( $callouts['friends_2024_docs'] ) || $callouts['friends_2024_docs'] || $force_callouts ? 1 : 0;
 
 		/**
 		 * Allow hooking into whether or not the specific callouts should show.
@@ -2108,7 +2108,7 @@ public function handle_callouts_updates() {
 
 		if ( $is_demo ) {
 			// Disable Friends of Pods callout on demos.
-			$callout_dismiss = 'friends_2023_docs';
+			$callout_dismiss = 'friends_2024_docs';
 		}
 
 		if ( $callout_dismiss ) {
@@ -2188,10 +2188,10 @@ public function admin_manage_callouts() {
 			$did_callout = true;
 
 			pods_view( PODS_DIR . 'ui/admin/callouts/access_rights.php', compact( array_keys( get_defined_vars() ) ) );
-		} elseif ( ! empty( $callouts['friends_2023_docs'] ) ) {
+		} elseif ( ! empty( $callouts['friends_2024_docs'] ) ) {
 			$did_callout = true;
 
-			pods_view( PODS_DIR . 'ui/admin/callouts/friends_2023_docs.php', compact( array_keys( get_defined_vars() ) ) );
+			pods_view( PODS_DIR . 'ui/admin/callouts/friends_2024_docs.php', compact( array_keys( get_defined_vars() ) ) );
 		}
 	}
 

classes/fields/heading.php

@@ -41,15 +41,25 @@ public function setup() {
 	public function options() {
 		return [
 			static::$type . '_tag' => [
-				'label'   => __( 'Heading HTML Tag', 'pods' ),
-				'type'        => 'text',
-				'default'     => '',
+				'label'       => __( 'Heading HTML Tag', 'pods' ),
+				'type'        => 'pick',
+				'data'        => [
+					'h1'  => 'h1',
+					'h2'  => 'h2',
+					'h3'  => 'h3',
+					'h4'  => 'h4',
+					'h5'  => 'h5',
+					'h6'  => 'h6',
+					'p'   => 'p',
+					'div' => 'div',
+				],
+				'default'     => 'h2',
 				'description' => __( 'Leave this empty to use the default heading tag for the form context the heading appears in.', 'pods' ),
 				'help'        => __( 'This is the heading HTML tag to use for the heading text. Example "h2" will output your heading as <code>&lt;h2&gt;Heading Text&lt;/h2&gt;</code>', 'pods' ),
 			],
-			'output_options' => [
-				'label' => __( 'Output Options', 'pods' ),
-				'type'  => 'boolean_group',
+			'output_options'       => [
+				'label'         => __( 'Output Options', 'pods' ),
+				'type'          => 'boolean_group',
 				'boolean_group' => [
 					static::$type . '_allow_html'      => [
 						'label'      => __( 'Allow HTML', 'pods' ),
@@ -101,11 +111,13 @@ public function schema( $options = null ) {
 	public function input( $name, $value = null, $options = null, $pod = null, $id = null ) {
 		$options = ( is_array( $options ) || is_object( $options ) ) ? $options : (array) $options;
 
+		$options[ static::$type . '_tag' ] = static::get_heading_tag( $options );
+
 		// Format content.
-		$options[ static::$type . '_content' ] = $this->display( $options[ static::$type . '_content' ], $name, $options, $pod, $id );
+		$options[ 'label' ] = $this->display( $options[ 'label' ], $name, $options, $pod, $id );
 
 		if ( isset( $options['_field_object'] ) && $options['_field_object'] instanceof Field ) {
-			$options['_field_object']->set_arg( static::$type . '_content', $options[ static::$type . '_content' ] );
+			$options['_field_object']->set_arg( 'label', $options[ 'label' ] );
 		}
 
 		$type = pods_v( 'type', $options, static::$type );
@@ -120,9 +132,9 @@ public function input( $name, $value = null, $options = null, $pod = null, $id =
 	 * {@inheritdoc}
 	 */
 	public function display( $value = null, $name = null, $options = null, $pod = null, $id = null ) {
-		// Support passing html_content into the options for custom HTML option layouts.
-		if ( empty( $value ) && ! empty( $options[ static::$type . '_content' ] ) ) {
-			$value = $options[ static::$type . '_content' ];
+		// Support passing label into the options for custom HTML option layouts.
+		if ( empty( $value ) && ! empty( $options[ 'label' ] ) ) {
+			$value = $options[ 'label' ];
 		}
 
 		$value = $this->strip_html( $value, $options );
@@ -150,4 +162,38 @@ public function ui( $id, $value, $name = null, $options = null, $fields = null,
 
 		return wp_trim_words( $value );
 	}
+
+	/**
+	 * Get the heading tag from the field options and ensure it's allowed.
+	 *
+	 * @since 3.2.7.1
+	 *
+	 * @param array|Field $options The field data.
+	 * @param null|string $default The default heading tag to use.
+	 *
+	 * @return string The heading tag.
+	 */
+	public static function get_heading_tag( $options, ?string $default = null ): string {
+		// Only allow specific HTML tags.
+		$allowed_html_tags = [
+			'h1' => 'h1',
+			'h2' => 'h2',
+			'h3' => 'h3',
+			'h4' => 'h4',
+			'h5' => 'h5',
+			'h6' => 'h6',
+			'p' => 'p',
+			'div' => 'div',
+		];
+
+		$heading_tag = 'h2';
+
+		if ( ! empty( $options[ static::$type . '_tag' ] ) && isset( $allowed_html_tags[ $options[ static::$type . '_tag' ] ] ) ) {
+			$heading_tag = $options[ static::$type . '_tag' ];
+		} elseif ( ! empty( $default ) && isset( $allowed_html_tags[ $default ] ) ) {
+			$heading_tag = $default;
+		}
+
+		return $heading_tag;
+	}
 }

init.php

@@ -10,7 +10,7 @@
  * Plugin Name:       Pods - Custom Content Types and Fields
  * Plugin URI:        https://pods.io/
  * Description:       Pods is a framework for creating, managing, and deploying customized content types and fields
- * Version:           3.2.7
+ * Version:           3.2.7.1
  * Author:            Pods Framework Team
  * Author URI:        https://pods.io/about/
  * Text Domain:       pods
@@ -43,7 +43,7 @@
 	add_action( 'init', 'pods_deactivate_pods_ui' );
 } else {
 	// Current version.
-	define( 'PODS_VERSION', '3.2.7' );
+	define( 'PODS_VERSION', '3.2.7.1' );
 
 	// Current database version, this is the last version the database changed.
 	define( 'PODS_DB_VERSION', '2.3.5' );

package.json

@@ -1,6 +1,6 @@
 {
   "name": "pods",
-  "version": "3.2.7",
+  "version": "3.2.7.1",
   "description": "Pods is a development framework for creating, extending, managing, and deploying customized content types in WordPress.",
   "author": "Pods Foundation, Inc",
   "homepage": "https://pods.io/",

readme.txt

@@ -5,7 +5,7 @@ Tags: pods, custom post types, custom taxonomies, content types, custom fields
 Requires at least: 6.0
 Tested up to: 6.6
 Requires PHP: 7.2
-Stable tag: 3.2.7
+Stable tag: 3.2.7.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -96,7 +96,7 @@ You can enable some of our included components to extend your WordPress site eve
 
 = Plugins that integrate with Pods =
 
-* [Advanced Views Lite](https://pods.io/advanced-views-lite/) - Lets you build templates (views) and queries (cards) so that you can manage your content rendering with less code.
+* [Advanced Views Lite](https://wplake.org/advanced-views-lite/?ref=5) - Lets you build templates (views) and queries (cards) so that you can manage your content rendering with less code. (Disclaimer: We have an affiliate link to them to help support our project)
 * [Bricks Builder](https://bricksbuilder.io/)
 * [Codepress Admin Columns](https://wordpress.org/plugins/codepress-admin-columns/) using premium [Admin Columns Pro](https://www.admincolumns.com/pods/) Pods integration
 * [Conductor](https://conductorplugin.com/)
@@ -114,7 +114,7 @@ You can enable some of our included components to extend your WordPress site eve
 = Extend Pods with Free Add-Ons =
 
 * [Pods Beaver Themer Add-On](https://wordpress.org/plugins/pods-beaver-builder-themer-add-on/) - Integrates Pods with [Beaver Themer](https://www.wpbeaverbuilder.com/beaver-themer/)
-* [Pods Gravity Forms Add-On](https://wordpress.org/plugins/pods-gravity-forms/) - Integrates Pods with [Gravity Forms](https://pods.io/gravityforms/)
+* [Pods Gravity Forms Add-On](https://wordpress.org/plugins/pods-gravity-forms/) - Integrates Pods with [Gravity Forms](https://www.gravityforms.com/)
 * [Pods Alternative Cache Add-On](https://wordpress.org/plugins/pods-alternative-cache/) - Speed up Pods on servers with limited object caching capabilities
 * [Pods SEO Add-On](https://wordpress.org/plugins/pods-seo/) - Integrates Pods Advanced Content Types with Yoast SEO
 * [Pods AJAX Views Add-On](https://wordpress.org/plugins/pods-ajax-views/) - Adds new functions you can use to output template parts that load via AJAX after other page elements
@@ -182,6 +182,10 @@ Pods really wouldn't be where it is without all the contributions from our [dono
 
 == Changelog ==
 
+= 3.2.7.1 - October 9th, 2024 =
+
+* Security: Lock down heading field to only specific allowed HTML tags and preventing it from being used to insert malicious scripts. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this. (@sc0ttkclark)
+
 = 3.2.7 - August 28th, 2024 =
 
 * Feature: New Pods Related Item List block that works like a Pods Item List block but uses the Pods Single Item block context where you specify a relationship field name to reference. (@sc0ttkclark)

ui/admin/callouts/friends_2023_docs.php → ui/admin/callouts/friends_2024_docs.php

@@ -9,9 +9,9 @@
  * @var bool $force_callouts Whether to force the callouts.
  */
 
-$callout = 'friends_2023_docs';
+$callout = 'friends_2024_docs';
 
-$donor_count    = 2768;
+$donor_count    = 2747;
 $donor_goal     = 7000;
 $progress_width = ( $donor_count / $donor_goal ) * 100;
 
@@ -60,7 +60,7 @@
 		<p class="pods-admin_friends-callout_text">
 			🎉&nbsp;
 			<?php
-				esc_html_e( 'Pods 3.2 is out and our goal is to spend 2024 focused on revamping our Documentation, Tutorials, and Video content', 'pods' );
+				esc_html_e( 'Our goal is to be able to focus on revamping our Documentation, Tutorials, and Video content', 'pods' );
 
 				/*printf(
 					'%1$s: %2$s',

ui/forms/div-row.php

@@ -17,7 +17,7 @@
 <div class="pods-field__container pods-field-option <?php echo esc_attr( $row_classes ); ?>"
 	style="<?php echo esc_attr( 'hidden' == $field['type'] ? 'display:none;' : '' ); ?>">
 	<?php if ( 'heading' === $field['type'] ) : ?>
-		<?php $heading_tag = pods_v( $field['type'] . '_tag', $field, isset( $heading_tag ) ? $heading_tag : 'h2', true ); ?>
+		<?php $heading_tag = PodsField_Heading::get_heading_tag( $field, 'h2' ); ?>
 		<<?php echo esc_html( sanitize_key( $heading_tag ) ); ?>
 			class="pods-form-ui-heading pods-form-ui-heading-<?php echo esc_attr( $field['name'] ); ?>"
 			id="heading-<?php echo esc_attr( $field['name'] ); ?>">

ui/forms/list-row.php

@@ -17,7 +17,7 @@
 <li class="pods-field__container pods-field-option <?php echo esc_attr( $row_classes ); ?>"
 	style="<?php echo esc_attr( 'hidden' == $field['type'] ? 'display:none;' : '' ); ?>">
 	<?php if ( 'heading' === $field['type'] ) : ?>
-		<?php $heading_tag = pods_v( $field['type'] . '_tag', $field, isset( $heading_tag ) ? $heading_tag : 'h2', true ); ?>
+		<?php $heading_tag = PodsField_Heading::get_heading_tag( $field, 'h2' ); ?>
 		<<?php echo esc_html( sanitize_key( $heading_tag ) ); ?>
 			class="pods-form-ui-heading pods-form-ui-heading-<?php echo esc_attr( $field['name'] ); ?>"
 			id="heading-<?php echo esc_attr( $field['name'] ); ?>">

ui/forms/p-row.php

@@ -16,7 +16,7 @@
 ?>
 <div class="pods-field__container pods-field-option" style="<?php echo esc_attr( 'hidden' == $field['type'] ? 'display:none;' : '' ); ?>">
 	<?php if ( 'heading' === $field['type'] ) : ?>
-		<?php $heading_tag = pods_v( $field['type'] . '_tag', $field, isset( $heading_tag ) ? $heading_tag : 'h2', true ); ?>
+		<?php $heading_tag = PodsField_Heading::get_heading_tag( $field, 'h2' ); ?>
 		<<?php echo esc_html( sanitize_key( $heading_tag ) ); ?>
 			class="pods-form-ui-heading pods-form-ui-heading-<?php echo esc_attr( $field['name'] ); ?>"
 			id="heading-<?php echo esc_attr( $field['name'] ); ?>">

ui/forms/table-row.php

@@ -18,7 +18,7 @@
 <tr valign="top" class="pods-field__container pods-field-option <?php echo esc_attr( $row_classes ); ?>"
 	style="<?php echo esc_attr( 'hidden' == $field['type'] ? 'display:none;' : '' ); ?>">
 	<?php if ( 'heading' === $field['type'] ) : ?>
-		<?php $heading_tag = pods_v( $field['type'] . '_tag', $field, isset( $heading_tag ) ? $heading_tag : 'h2', true ); ?>
+		<?php $heading_tag = PodsField_Heading::get_heading_tag( $field, 'h2' ); ?>
 		<td colspan="2">
 			<<?php echo esc_html( sanitize_key( $heading_tag ) ); ?>
 				class="pods-form-ui-heading pods-form-ui-heading-<?php echo esc_attr( $field['name'] ); ?>"

ui/js/dfv/pods-dfv.min.asset.json

@@ -1 +1 @@
-{"dependencies":["lodash","moment","react","react-dom","react-jsx-runtime","regenerator-runtime","wp-api-fetch","wp-autop","wp-components","wp-compose","wp-data","wp-element","wp-hooks","wp-i18n","wp-keycodes","wp-plugins","wp-primitives","wp-url"],"version":"6c3b89ffe8da2dcd1d1f"}
+{"dependencies":["lodash","moment","react","react-dom","react-jsx-runtime","regenerator-runtime","wp-api-fetch","wp-autop","wp-components","wp-compose","wp-data","wp-element","wp-hooks","wp-i18n","wp-keycodes","wp-plugins","wp-primitives","wp-url"],"version":"82c8aaf9e4ae1481502c"}

ui/js/dfv/src/fields/heading/heading-tag.js

@@ -11,18 +11,20 @@ const elements = {
   h4: 'h4',
   h5: 'h5',
   h6: 'h6',
+  p: 'p',
+  div: 'div',
 };
 
 function HeadingTag( { type, children, ...props } ) {
   return React.createElement(
-    elements[type] || elements.h3,
+    elements[type] || elements.h2,
     props,
     children
   );
 }
 
 HeadingTag.defaultProps = {
-  type: 'h3',
+  type: 'h2',
 };
 
 export default HeadingTag;

ui/js/dfv/src/fields/heading/index.js

@@ -9,7 +9,7 @@ import './heading.scss';
 const Heading = ( props ) => {
 	const {
 		fieldConfig: {
-			heading_tag: headingTag = 'h3',
+			heading_tag: headingTag = 'h2',
 			helpText,
 			label,
 			name,