From 89a536e75a9d4e1331da0ef81d5ccd06b70aabb4 Mon Sep 17 00:00:00 2001
From: Kevin Behrens <43488774+agapetry@users.noreply.github.com>
Date: Wed, 25 Sep 2024 12:53:06 -0400
Subject: [PATCH 1/2] Custom html tags stripped out of revision if user lacks unfiltered_html capability

Instead, prevent revision if post has custom html, displaying error message about unfiltered_html capability requirement.

Fixes #1346
---
 admin/admin-init_rvy.php | 13 ++++++++++++
 admin/admin-posts_rvy.php | 27 +++++++++++++++---------
 admin/revisions.php | 18 +++++++++++++++-
 rvy_init-functions.php | 44 ++++++++++++++++++++++++++++++++-------
 4 files changed, 84 insertions(+), 18 deletions(-)

diff --git a/admin/admin-init_rvy.php b/admin/admin-init_rvy.php
index fbaf586e..346611bc 100644
--- a/admin/admin-init_rvy.php
+++ b/admin/admin-init_rvy.php
@@ -397,6 +397,19 @@ function get_current_screen() {
 add_action( 'wp_loaded', 'rvy_revision_delete' );
 } elseif ( ! empty($_GET['action']) && ('revise' == $_GET['action']) ) {
+ if (!empty($_REQUEST['post'])) {
+ $post_id = intval($_REQUEST['post']);
+ $arr = rvy_post_revision_blocked($post_id);
+ }
+
+ if (!empty($arr) && is_array($arr) && !empty($arr['code'])) {
+ if (!empty($_REQUEST['referer'])) {
+ $url = add_query_arg('revision_action', $arr['code'], $_REQUEST['referer']);
+ wp_redirect($url);
+ exit;
+ }
+ }
+
 require_once( dirname(__FILE__).'/revision-action_rvy.php');
 add_action( 'wp_loaded', 'rvy_revision_create' );
diff --git a/admin/admin-posts_rvy.php b/admin/admin-posts_rvy.php
index 180fe77c..56832da4 100644
--- a/admin/admin-posts_rvy.php
+++ b/admin/admin-posts_rvy.php
@@ -52,17 +52,27 @@ function __construct() {
 function revision_action_notice() {
 if ( ! empty($_GET['restored_post'] ) ) { ?>
-
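Review bot: `wp_redirect($url)` is given a URL built from `$_REQUEST['referer']`, so any absolute URL placed in that parameter is redirected to as-is; the link generator in admin-posts_rvy.php only ever puts `esc_url_raw($_SERVER['REQUEST_URI'])` there, but this handler does not verify that. Use `wp_safe_redirect($url)` so the target is restricted to the site's allowed hosts, and unslash the raw value first: `$url = add_query_arg('revision_action', $arr['code'], wp_unslash($_REQUEST['referer']));`. `$post_id` and `$arr` are only assigned inside the `!empty($_REQUEST['post'])` branch; the `!empty($arr)` guard tolerates that, but a one-line comment noting that the redirect is skipped when no post id is supplied would help the reader. The enclosing `elseif` chain starts and ends outside the hunk.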
+
-
+
-
+
+
+ +
', '');?> +
+ +
post_status); - if (empty($actions['view'])) { - - } - if (!empty($status_obj->public) || !empty($status_obj->private) || rvy_get_option('pending_revision_unpublished')) { - if (rvy_get_option('pending_revisions') && current_user_can('copy_post', $post->ID) && rvy_post_revision_supported($post)) { + if (rvy_get_option('pending_revisions') && current_user_can('copy_post', $post->ID) && rvy_post_revision_supported($post, ['context' => 'admin_posts'])) { + $referer_arg = '&referer=' . esc_url_raw($_SERVER['REQUEST_URI']); + $redirect_arg = ( ! empty($_REQUEST['rvy_redirect']) ) ? "&rvy_redirect=" . esc_url_raw($_REQUEST['rvy_redirect']) : ''; - $url = rvy_admin_url("admin.php?page=rvy-revisions&post={$post->ID}&action=revise$redirect_arg"); + $url = rvy_admin_url("admin.php?page=rvy-revisions&post={$post->ID}&action=revise{$referer_arg}$redirect_arg"); $caption = (isset($actions['edit']) || !rvy_get_option('caption_copy_as_edit')) ? pp_revisions_status_label('draft-revision', 'submit') : esc_html__('Edit'); - $caption = str_replace(' ', ' ', $caption); $actions['create_revision'] = "" . $caption . ''; diff --git a/admin/revisions.php b/admin/revisions.php index a48d9a9f..86cad982 100644 --- a/admin/revisions.php +++ b/admin/revisions.php @@ -47,7 +47,23 @@ if ( empty($revision_id) && ! $left && ! $right ) { echo( '
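Review bot: The new `$referer_arg` embeds `esc_url_raw($_SERVER['REQUEST_URI'])` into a query string without URL-encoding it, so a list-table URL that itself carries parameters (for example `edit.php?post_type=page&paged=2`) is split at its first `&` when the revise handler reads `$_REQUEST['referer']`, and the redirect lands on a truncated URL. Encode it as a single parameter: `$referer_arg = '&referer=' . rawurlencode(esc_url_raw($_SERVER['REQUEST_URI']));` — the same concern applies to the pre-existing `$redirect_arg` line above it. The `['context' => 'admin_posts']` argument makes `rvy_post_revision_supported()` skip the unfiltered_html content check for list rows; a short comment stating why (presumably to avoid running kses on every row) would stop a reader from assuming the link is guaranteed to succeed. The enclosing method starts outside the hunk, and parts of this hunk are garbled in the page source (markup lost), so the surrounding lines could not be fully reviewed.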

' ); - esc_html_e( 'No revision specified.', 'revisionary'); + + if (!empty($_REQUEST['action']) && ('revise' == $_REQUEST['action'])) { + // Fallback error message, in case redirect is missed + if (!empty($_REQUEST['post'])) { + $post_id = intval($_REQUEST['post']); + $arr = rvy_post_revision_blocked($post_id); + } + + if (!empty($arr) && is_array($arr) && !empty($arr['description'])) { + echo $arr['description']; + } else { + esc_html_e( 'Revision of this post is not allowed.', 'revisionary'); + } + } else { + esc_html_e( 'No revision specified.', 'revisionary'); + } + echo( '
' );
 return;
 }
diff --git a/rvy_init-functions.php b/rvy_init-functions.php
index 36608a96..2d8c4689 100644
--- a/rvy_init-functions.php
+++ b/rvy_init-functions.php
@@ -718,18 +718,48 @@ function revisionary_refresh_postmeta($post_id, $args = []) {
 }
 }
-function rvy_post_revision_supported($post) {
+function rvy_post_revision_supported($post, $args = []) {
+ if ($post) {
+ if (rvy_post_revision_blocked($post, $args)) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+function rvy_post_revision_blocked($post, $args = []) {
+ static $unfiltered_html;
+
+ if (!isset($unfiltered_html)) {
+ $unfiltered_html = current_user_can('unfiltered_html');
+ }
+
 $post_id = (is_scalar($post)) ? $post : $post->ID;
- if ($post_id) {
- if (1 === intval(rvy_get_option('revision_limit_per_post'))) {
- if (rvy_get_post_meta($post_id, '_rvy_has_revisions')) {
- return false;
- }
+ if (1 === intval(rvy_get_option('revision_limit_per_post'))) {
+ if (rvy_get_post_meta($post_id, '_rvy_has_revisions')) {
+ return [
+ 'code' => 'blocked_revision_limit',
+ 'description' => __('The post already has a revision in process.', 'revisionary')
+ ];
 }
 }
- return true;
+ if (!$unfiltered_html && (empty($args['context']) || ('admin_posts' != $args['context']))) {
+ if (is_scalar($post)) {
+ $post = get_post($post);
+ }
+
+ if (!empty($post) && is_object($post) && !empty($post->post_content && (wp_filter_post_kses($post->post_content) != $post->post_content))) {
+ return [
+ 'code' => 'blocked_unfiltered',
+ 'description' => __('The unfiltered_html capability is required to create a revision of this post.', 'revisionary')
+ ];
+ }
+ }
+
+ return false;
 }
 if (!empty($_REQUEST['rvy_flush_flags'])) {
From e490ae3ea590f7821b56acaba8701a26ea43a2ec Mon Sep 17 00:00:00 2001
From: Kevin Behrens <43488774+agapetry@users.noreply.github.com>
Date: Wed, 25 Sep 2024 12:54:55 -0400
Subject: [PATCH 2/2] Update change log
---
 readme.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
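Review bot: `echo $arr['description'];` prints the message unescaped, while the two fallbacks beside it use `esc_html_e()`; the descriptions currently come from `__()` calls in `rvy_post_revision_blocked()`, but translated strings are loaded from files, so keep the output consistent with `echo esc_html($arr['description']);`. The `'revise' == $_REQUEST['action']` test follows the file's existing loose-comparison style; `===` would be the stricter form. The enclosing `if ( empty($revision_id) ...` block begins in the hunk header context, and the `echo( '...' );` wrappers around the message are garbled in the page source (markup lost), so they could not be reviewed.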
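Review bot: The unfiltered_html test in `rvy_post_revision_blocked()` compares `wp_filter_post_kses($post->post_content)` with the raw `post_content`, but `wp_filter_post_kses()` is the slashed-form filter: it strips slashes, runs `wp_kses()`, and then `addslashes()` the result, so any content containing a quote or backslash comes back different and the post is reported as `blocked_unfiltered` even when it holds no disallowed markup. Compare against the unslashed variant instead: `wp_kses_post($post->post_content) != $post->post_content`; `wp_kses()` also normalises entities, so some allowed content may still differ textually, and a comment recording that limitation next to the check would be worth keeping. The `!empty($post->post_content && (...))` expression wraps the whole conjunction inside `empty()`, which happens to evaluate the same as the intended test but reads as a typo; write it as `!empty($post->post_content) && (wp_kses_post($post->post_content) != $post->post_content)`. Both new functions are complete within the hunk; a docblock on `rvy_post_revision_blocked()` stating that it returns `false` or an array with `code` and `description` keys would help, since `admin-init_rvy.php` and `revisions.php` each re-check that shape by hand.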
diff --git a/readme.txt b/readme.txt
index 549d258b..5de6ef0a 100644
--- a/readme.txt
+++ b/readme.txt
@@ -239,7 +239,8 @@ Divi is one of the most popular page-builders in WordPress, and it does integrat
 == Changelog ==
-= 3.5.13 - 24 Sep 2024 =
+= 3.5.13 - 25 Sep 2024 =
+* Fixed : Revision creation by a user with default Revisor capabilities caused custom html tags to be stripped out of post content. Now prevent revision, requiring unfiltered_html capability.
 * Fixed : Classic Editor - Revisors editing a revision could not select a future date
 * Fixed : Revision approval in "Publish by Revision" mode caused page to be published without a URL
 * Fixed : Revision History - PHP Warning for preg_replace parameter