diff --git a/includes/meta-box.php b/includes/meta-box.php new file mode 100644 index 0000000..caa3b61 --- /dev/null +++ b/includes/meta-box.php @@ -0,0 +1,37 @@ +

' . esc_html( __( 'Settings saved.', 'simple-embed-code' ) ) . "

\n"; @@ -52,17 +58,32 @@ // Fetch options into an array. $options = get_option( 'artiss_code_embed' ); + +// Display a message box if the custom meta box removal has been overridden. + +if ( '1' === $options['meta_box'] ) { + echo '

' . esc_html( __( 'Warning: You have custom post fields switched on for users who do not have the unfiltered HTML capability. This means that insecure code can be added. Please see the plugin README for more details.', 'simple-embed-code' ) ) . "

\n"; +} ?>
+ + + + + + +
/>
+/>

' . esc_html( ucwords( __( 'Identifier format', 'simple-embed-code' ) ) ) . '' . esc_html__( 'Specify the format that will be used to define the way the code is embedded in your post. The formats are case insensitive and characters < > [ ] are invalid.', 'simple-embed-code' ); ?> diff --git a/includes/shared.php b/includes/shared.php index 1e486a5..2cc9db9 100644 --- a/includes/shared.php +++ b/includes/shared.php @@ -7,6 +7,12 @@ * @package simple-embed-code */ +// Exit if accessed directly. + +if ( ! defined( 'ABSPATH' ) ) { + exit; +} + /** * Add meta to plugin details * @@ -62,33 +68,42 @@ function sec_action_links( $actions, $plugin_file ) { add_filter( 'plugin_action_links', 'sec_action_links', 10, 2 ); /** - * WordPress Fork Check + * WordPress Requirements Check * - * Deactivate the plugin if an unsupported fork of WordPress is detected. + * Deactivate the plugin if certain requirements are not met. * - * @version 1.0 + * @version 1.1 */ -function sec_fork_check() { +function sec_requirements_check() { + + $reason = ''; + + // Grab the plugin details. + + $plugins = get_plugins(); + $name = $plugins[ CODE_EMBED_PLUGIN_BASE ]['Name']; // Check for a fork. if ( function_exists( 'calmpress_version' ) || function_exists( 'classicpress_version' ) ) { - // Grab the plugin details. + /* translators: 1: The plugin name. */ + $reason .= '
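Review bot: `if ( '1' === $options['meta_box'] )` reads the new key directly out of the stored `artiss_code_embed` array; on a site upgraded from 2.3.x the saved option predates this key, so unless defaults are merged in somewhere not shown here (initialise.php is not in view) the settings page will emit an "Undefined array key" warning on PHP 8. Guard the read, `if ( isset( $options['meta_box'] ) && '1' === $options['meta_box'] ) {`, or normalise with `$meta_box = $options['meta_box'] ?? '0';` before the comparison. The notice text warns that "insecure code can be added", which is accurate only if the meta-box suppression is the sole control; it is worth a one-line comment above the `if` stating what the option actually switches off so the next maintainer does not read the notice as a claim that embeds are otherwise filtered.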
  • ' . sprintf( __( 'A fork of WordPress was detected. %1$s has not been tested on this fork and, as a consequence, the author will not provide any support.', 'simple-embed-code' ), $name ) . '
  • '; + + } - $plugins = get_plugins(); - $name = $plugins[ CODE_EMBED_PLUGIN_BASE ]['Name']; + // If a requirement is not met, output the message and stop the plugin. + + if ( '' !== $reason ) { // Deactivate this plugin. - deactivate_plugins( CODE_EMBED_PLUGIN_BASE ); + deactivate_plugins( PLUGIN_NAME_PLUGIN_BASE ); // Set up a message and output it via wp_die. /* translators: 1: The plugin name. */ - $message = '

    ' . sprintf( __( '%1$s has been deactivated', 'simple-embed-code' ), $name ) . '

    ' . __( 'Reason:', 'simple-embed-code' ) . '

    '; - /* translators: 1: The plugin name. */ - $message .= '

    ' . sprintf( __( 'The author of %1$s will not provide any support until the above are resolved.', 'simple-embed-code' ), $name ) . '

    '; + $message = '

    ' . sprintf( __( '%1$s has been deactivated', 'simple-embed-code' ), $name ) . '

    ' . __( 'Reason:', 'simple-embed-code' ) . '

    '; $allowed = array( 'p' => array(), @@ -101,4 +116,4 @@ function sec_fork_check() { } } -add_action( 'admin_init', 'sec_fork_check' ); +add_action( 'admin_init', 'sec_requirements_check' ); diff --git a/readme.txt b/readme.txt index 218f011..941e89b 100644 --- a/readme.txt +++ b/readme.txt @@ -3,9 +3,9 @@ Contributors: dartiss Donate link: https://artiss.blog/donate Tags: code, embed, html, css, javascript Requires at least: 4.6 -Tested up to: 6.5 +Tested up to: 6.6 Requires PHP: 7.4 -Stable tag: 2.3.9 +Stable tag: 2.4 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html 
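Review bot: `deactivate_plugins( PLUGIN_NAME_PLUGIN_BASE );` references a constant that nothing in this diff defines, while the same function reads the plugin slug from `CODE_EMBED_PLUGIN_BASE` two lines earlier and the removed line used that constant too, so this looks like an unreplaced placeholder from a template shared across plugins. On PHP 8 an undefined constant throws an `Error`, so when a fork is detected every admin request now fatals instead of deactivating the plugin, and on PHP 7.4 the bare name is treated as the string `'PLUGIN_NAME_PLUGIN_BASE'` and nothing is deactivated; restore `deactivate_plugins( CODE_EMBED_PLUGIN_BASE );`. Separately, `get_plugins()` and the `$name` lookup were moved out of the failure branch and now run on every `admin_init`, although only the message needs them; consider moving them back under `if ( '' !== $reason )`. The `$allowed` kses array continues past the hunk, so if it still lists only `p`, the new bullet markup built into `$reason` will be stripped from the wp_die output. sec_requirements_check's body ends outside the hunk.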
@@ -62,9 +62,11 @@ Check out the screenshots for how the custom fields should look. == I can't find the custom fields == -For block editor users, I'm assuming you've done the above. For classic editor users, the custom fields should be present by default. In all cases they should appear at the bottom of the editor screen. +For block editor users, I'm assuming you've done the above. For classic editor users, the custom fields should be present by default. In all cases they should appear at the bottom of the editor screen. + +From version 2.4, anyone without the "unfiltered HTML" capability won't be able to see custom fields, for added security. Please see the section "Custom Field Security", below, for more details. -If they're not present then you may have a theme or plugin that removes this or may have a problem with your WordPress installation - you will need to try the usual diagnostics to try and resolve this, including requesting help on [the WordPress support forum](https://wordpress.org/support/forum/how-to-and-troubleshooting/ "Fixing WordPress Forum"). +If none of the above applies then you may have a theme or plugin that removes this or may have a problem with your WordPress installation - you will need to try the usual diagnostics to try and resolve this, including requesting help on [the WordPress support forum](https://wordpress.org/support/forum/how-to-and-troubleshooting/ "Fixing WordPress Forum"). Please bear in mind that the custom fields functionality is part of WordPress so it would be greatly appreciated if you don't give me poor reviews in this situation as, I say, this component is not part of this plugin but, by using it, keeps this plugin simple to use and bloat-free :) 
@@ -142,7 +144,17 @@ If you don't wish the output to be full width you can specify a maximum width by == Embedding in excerpts == -By default embed code will not appear in excerpts. However, you can switch this ability on via the Code Embed options screen. If you do this then the standard rules of excerpts will still apply, but now once the code embed has applied - for example, excerpts are just text, a specific length, etc. +By default embed code will not appear in excerpts. However, you can switch this ability on via the Code Embed options screen. If you do this then the standard rules of excerpts will still apply, but now once the code embed has applied - for example, excerpts are just text, a specific length, etc. + +== Custom Field Security == + +By default, WordPress allows unfiltered HTML to be used by users in post custom fields, even if their role it set up otherwise. This opens up the possibility of leaving a site vulnerable, if any plugins that uses this data doesn't check it appropriately. + +"Out of the box", neither the contributor and author roles have unfiltered HTML capabilities but can access custom post fields. + +As this plugin requires the use unfiltered HTML, we need to ensure that the only users who use it, should be using it. From version 2.4, this plugin will now turn off custom fields for any users that don't have this capability. This will protect this plugin, but any others too. On the flip side, some users may now loose access to these fields who may still require it. + +For this reason, there is an option in the Code Embed settings screen to turn them back on for all users. Please use this ONLY if it really is needed. I would recommend looking at giving those users different, or modified roles, with the appropriate permissions instead of overridding it here. But the choice is yours. == Reviews & Mentions == 
@@ -152,8 +164,8 @@ By default embed code will not appear in excerpts. However, you can switch this [Embedding content](http://wsdblog.westbrook.k12.me.us/blog/2009/12/24/embedding-content/ "Embedding content") - WSD Blogging Server. -[Animating images with PhotoPeach](http://comohago.conectandonos.gov.ar/2009/08/05/animando-imagenes-con-photopeach/ "Animando imágenes con PhotoPeach") - Cómo hago. - +[Animating images with PhotoPeach](http://comohago.conectandonos.gov.ar/2009/08/05/animando-imagenes-con-photopeach/ "Animando imágenes con PhotoPeach") - Cómo hago. + == Installation == Code Embed can be found and installed via the Plugin menu within WordPress administration (Plugins -> Add New). Alternatively, it can be downloaded from WordPress.org and installed manually... 
@@ -195,8 +207,12 @@ It is, in that it doesn't save any data that could be odds with GDPR compliance I use semantic versioning, with the first release being 1.0. += 2.4 = +* Enhancement: A vulnerability was raised to me but is actually an issue with Core. I've implemented a fix that protects not just this plugin but any others you may have installed. Please read the section in the README titled "Custom Field Security" for more details +* Enhancement: Tweaked a few bits of code here. No visible changes, just quality improvements + = 2.3.9 = -* Enhancement: So, let me tell you a story. To make the output look neat, I was adding carriage returns to the embeds. Except, if you want to embed something part way through a line it can look... well... wrong. And all for it looking clean. Remember kids, cleanlyness isn't always next to Godlyness. Needless to say, those rogue carriage returns are gone +* Enhancement: So, let me tell you a story. To make the output look neat, I was adding carriage returns to the embeds. Except, if you want to embed something part way through a line it can look... well... wrong. And all for it looking clean. Remember kids, cleanliness isn't always next to Godliness. Needless to say, those rogue carriage returns are gone * Enhancement: Whilst I was at it, I updated some of the settings code to a brand-spanking new version, which I'm sharing across all my plugins * Enhancement: Tidied up some of the assets, including adding a blueprint for WordPress Playground @@ -332,5 +348,5 @@ versions of this plugin == Upgrade Notice == -= 2.3.9 = -* Minor improvement to output to eliminate unwanted carriage returns \ No newline at end of file += 2.4 = +* Important security update \ No newline at end of file diff --git a/simple-code-embed.php b/simple-code-embed.php index 1b41cef..2a10fee 100644 --- a/simple-code-embed.php +++ b/simple-code-embed.php 
@@ -9,7 +9,7 @@ * Plugin Name: Code Embed * Plugin URI: https://wordpress.org/plugins/simple-embed-code/ * Description: Code Embed provides a very easy and efficient way to embed code (JavaScript and HTML) in your posts and pages. - * Version: 2.3.9 + * Version: 2.4 * Requires at least: 4.6 * Requires PHP: 7.4 * Author: David Artiss @@ -26,7 +26,7 @@ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. */ -define( 'CODE_EMBED_VERSION', '2.3.9' ); +define( 'CODE_EMBED_VERSION', '2.4' ); // Define global to hold the plugin base file name. @@ -38,18 +38,14 @@ $functions_dir = plugin_dir_path( __FILE__ ) . 'includes/'; -require_once $functions_dir . 'initialise.php'; // Initialisation scripts. +require_once $functions_dir . 'initialise.php'; // Initialisation scripts. -if ( is_admin() ) { +require_once $functions_dir . 'add-scripts.php'; // Add scripts to the main theme. - require_once $functions_dir . 'shared.php'; // Functions shared across all my plugins. +require_once $functions_dir . 'add-embeds.php'; // Filter to apply code embeds. - require_once $functions_dir . 'screens.php'; // Add settings and tools screens. +require_once $functions_dir . 'shared.php'; // Functions shared across all my plugins. -} else { +require_once $functions_dir . 'screens.php'; // Add settings and tools screens. - require_once $functions_dir . 'add-scripts.php'; // Add scripts to the main theme. - - require_once $functions_dir . 'add-embeds.php'; // Filter to apply code embeds. - -} +require_once $functions_dir . 'meta-box.php'; // Suppress meta-boxes.
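Review bot: `require_once $functions_dir . 'meta-box.php'; // Suppress meta-boxes.` is the whole of the advertised security fix as far as this file shows, and removing the custom-fields meta box for users without `unfiltered_html` is a UI measure rather than an authorization control: WordPress's post save path still processes `meta[]` values submitted to post.php for any user who can edit the post, so a contributor can keep storing arbitrary embed code without the panel being rendered. meta-box.php's contents are not visible here, so treat this as something to confirm; if it only calls the meta-box removal hooks, the enforcement that actually protects the site belongs at save time (rejecting the plugin's custom-field keys for users lacking `unfiltered_html` via the post-meta update filters) or at render time in add-embeds.php (skipping embeds whose post author lacks the capability), and a comment on this line should say which of those, if any, is in place. This hunk also drops the `is_admin()` split, so `shared.php` and `screens.php` are now loaded on every front-end request; shared.php only hooks `admin_init` so that is mostly cost, but whether screens.php is safe to load outside wp-admin cannot be judged from here, and a brief comment explaining why the split was removed would help.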