From a634991867c08d21e8d80e04cdcfd3f0d9831e2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Amieiro?= <1667814+amieiro@users.noreply.github.com> Date: Tue, 20 Feb 2024 00:12:08 +0100 Subject: [PATCH 1/2] Prevent the usage of event titles that can conflict with event URLs --- assets/js/translation-events.js | 8 +++++--- wporg-gp-translation-events.php | 11 ++++++++--- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/assets/js/translation-events.js b/assets/js/translation-events.js index 1dda3aba..4a9bd946 100644 --- a/assets/js/translation-events.js +++ b/assets/js/translation-events.js @@ -69,9 +69,11 @@ $gp.notices.success( response.data.message ); } }, - error: function ( error ) { - $gp.notices.error( response.data.message ); - } + error: function ( xhr, msg ) { + /* translators: %s: Error message. */ + msg = xhr.responseJSON.data ? wp.i18n.sprintf( wp.i18n.__( 'Error: %s', 'gp-translation-events' ), xhr.responseJSON.data ) : wp.i18n.__( 'Error saving the event!', 'gp-translation-events' ); + $gp.notices.error( msg ); + }, } ); } diff --git a/wporg-gp-translation-events.php b/wporg-gp-translation-events.php index bf611a56..16b5142e 100644 --- a/wporg-gp-translation-events.php +++ b/wporg-gp-translation-events.php @@ -160,7 +160,12 @@ function submit_event_ajax() { } } if ( ! $is_nonce_valid ) { - wp_send_json_error( 'Nonce verification failed' ); + wp_send_json_error( 'Nonce verification failed', 403 ); + } + // This is a list of slugs that are not allowed, as they conflict with the event URLs. + $invalid_slugs = array( 'new', 'edit', 'attend', 'my-events' ); + if ( isset( $_POST['event_title'] ) && in_array( sanitize_title( wp_unslash( $_POST['event_title'] ) ), $invalid_slugs, true ) ) { + wp_send_json_error( 'Invalid slug', 403 ); } $title = isset( $_POST['event_title'] ) ? sanitize_text_field( wp_unslash( $_POST['event_title'] ) ) : ''; 
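Review bot: The new error handler dereferences `xhr.responseJSON.data` unconditionally, so when the server answers with anything other than JSON (a PHP fatal rendered as HTML, a 5xx page, a dropped connection) `xhr.responseJSON` is undefined, the handler itself throws a TypeError, and the generic 'Error saving the event!' fallback is never shown. Guard the lookup first, e.g. `var data = xhr.responseJSON && xhr.responseJSON.data;` followed by `msg = data ? wp.i18n.sprintf( wp.i18n.__( 'Error: %s', 'gp-translation-events' ), data ) : wp.i18n.__( 'Error saving the event!', 'gp-translation-events' );`. Reassigning the second handler parameter (presumably jQuery's textStatus) as the output variable also discards that value silently; a distinct local such as `message` reads better. The enclosing AJAX call continues outside the hunk.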
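Review bot: The reserved-slug check added here lives only in `submit_event_ajax()`, while the slug is actually derived from the title in `generate_event_slug()` (the next hunk of this file), so any other path that creates or retitles an event post — wp-admin or REST, if those are reachable for this post type — could still end up with a `post_name` of `new`, `edit`, `attend` or `my-events`; applying the same denylist where `post_name` is generated would make the reservation hold regardless of entry point. The `'Invalid slug'` rejection also reuses status 403, which this hunk now assigns to nonce failures; a title that collides with a route is a client-input error, so `wp_send_json_error( 'Invalid slug', 400 );` keeps authorization failures distinguishable from validation failures in server logs and monitoring. Consider hoisting `$invalid_slugs` to a named constant next to the route registrations so the list cannot drift from the URLs it protects. The body of `submit_event_ajax()` continues outside the hunk.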
@@ -336,10 +341,10 @@ function gp_event_nav_menu_items( array $items, string $location ): array { * * Generate a slug based on the event title if it's not provided. * - * @param array $data An array of slashed post data. + * @param array $data An array of slashed post data. * @return array The modified post data. */ -function generate_event_slug( $data ) { +function generate_event_slug( array $data ): array { if ( 'event' === $data['post_type'] && 'draft' === $data['post_status'] ) { if ( empty( $data['post_name'] ) ) { $data['post_name'] = sanitize_title( $data['post_title'] ); From 7c13ed5c12ca3a74d1cf82e28d24a732e7384257 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20Amieiro?= <1667814+amieiro@users.noreply.github.com> Date: Tue, 20 Feb 2024 13:00:02 +0100 Subject: [PATCH 2/2] Reuse the title variable --- wporg-gp-translation-events.php | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/wporg-gp-translation-events.php b/wporg-gp-translation-events.php index 16b5142e..f5fde0fd 100644 --- a/wporg-gp-translation-events.php +++ b/wporg-gp-translation-events.php 
@@ -163,16 +163,15 @@ function submit_event_ajax() { wp_send_json_error( 'Nonce verification failed', 403 ); } // This is a list of slugs that are not allowed, as they conflict with the event URLs. - $invalid_slugs = array( 'new', 'edit', 'attend', 'my-events' ); - if ( isset( $_POST['event_title'] ) && in_array( sanitize_title( wp_unslash( $_POST['event_title'] ) ), $invalid_slugs, true ) ) { - wp_send_json_error( 'Invalid slug', 403 ); - } - + $invalid_slugs = array( 'new', 'edit', 'attend', 'my-events' ); $title = isset( $_POST['event_title'] ) ? sanitize_text_field( wp_unslash( $_POST['event_title'] ) ) : ''; $description = isset( $_POST['event_description'] ) ? sanitize_text_field( wp_unslash( $_POST['event_description'] ) ) : ''; $event_start = isset( $_POST['event_start'] ) ? sanitize_text_field( wp_unslash( $_POST['event_start'] ) ) : ''; $event_end = isset( $_POST['event_end'] ) ? sanitize_text_field( wp_unslash( $_POST['event_end'] ) ) : ''; $event_timezone = isset( $_POST['event_timezone'] ) ? sanitize_text_field( wp_unslash( $_POST['event_timezone'] ) ) : ''; + if ( isset( $title ) && in_array( sanitize_title( $title ), $invalid_slugs, true ) ) { + wp_send_json_error( 'Invalid slug', 403 ); + } $is_valid_event_date = false; try {