Changeset 3366016
- Timestamp:
- 09/22/2025 07:17:03 PM (6 months ago)
- Location:
- integromat-connector
- Files:
-
- 39 added
- 6 edited
-
tags/1.6.3 (added)
-
tags/1.6.3/api (added)
-
tags/1.6.3/api/authentication.php (added)
-
tags/1.6.3/api/response.php (added)
-
tags/1.6.3/assets (added)
-
tags/1.6.3/assets/integromat-white.svg (added)
-
tags/1.6.3/assets/iwc.css (added)
-
tags/1.6.3/assets/iwc.js (added)
-
tags/1.6.3/class (added)
-
tags/1.6.3/class/class-api-permissions.php (added)
-
tags/1.6.3/class/class-api-token.php (added)
-
tags/1.6.3/class/class-file-validator.php (added)
-
tags/1.6.3/class/class-guard.php (added)
-
tags/1.6.3/class/class-logger.php (added)
-
tags/1.6.3/class/class-rate-limiter.php (added)
-
tags/1.6.3/class/class-rest-request.php (added)
-
tags/1.6.3/class/class-rest-response.php (added)
-
tags/1.6.3/class/class-user.php (added)
-
tags/1.6.3/index.php (added)
-
tags/1.6.3/licence.txt (added)
-
tags/1.6.3/readme.txt (added)
-
tags/1.6.3/settings (added)
-
tags/1.6.3/settings/class-controller.php (added)
-
tags/1.6.3/settings/class-meta-object.php (added)
-
tags/1.6.3/settings/events.php (added)
-
tags/1.6.3/settings/object-types (added)
-
tags/1.6.3/settings/object-types/class-comments-meta.php (added)
-
tags/1.6.3/settings/object-types/class-post-meta.php (added)
-
tags/1.6.3/settings/object-types/class-term-meta.php (added)
-
tags/1.6.3/settings/object-types/class-user-meta.php (added)
-
tags/1.6.3/settings/object-types/custom-taxonomy.php (added)
-
tags/1.6.3/settings/object-types/general.php (added)
-
tags/1.6.3/settings/object-types/security.php (added)
-
tags/1.6.3/settings/render.php (added)
-
tags/1.6.3/settings/template (added)
-
tags/1.6.3/settings/template/customFields.phtml (added)
-
tags/1.6.3/settings/template/custom_taxonomies.phtml (added)
-
tags/1.6.3/settings/template/general_menu.phtml (added)
-
tags/1.6.3/settings/template/security_settings.phtml (added)
-
trunk/class/class-guard.php (modified) (1 diff)
-
trunk/class/class-rest-request.php (modified) (2 diffs)
-
trunk/index.php (modified) (4 diffs)
-
trunk/readme.txt (modified) (2 diffs)
-
trunk/settings/object-types/security.php (modified) (6 diffs)
-
trunk/settings/template/security_settings.phtml (modified) (1 diff)
integromat-connector/trunk/class/class-guard.php
r3361722 r3366016 10 10 * @return bool 11 11 */ 12 public static function is_protected() { 12 public static function is_protected() { 13 13 // Only guard if IWC-API-KEY header is present 14 14 if ( ! isset( $_SERVER['HTTP_IWC_API_KEY'] ) || empty( $_SERVER['HTTP_IWC_API_KEY'] ) ) { -
integromat-connector/trunk/class/class-rest-request.php
r3364774 r3366016 126 126 return $sanitized; 127 127 } elseif ( is_string( $data ) ) { 128 // Get allowed post tags and add iframe support for embedded content 129 $allowed_tags = wp_kses_allowed_html( 'post' ); 130 $allowed_tags['iframe'] = array( 131 'src' => true, 132 'width' => true, 133 'height' => true, 134 'frameborder' => true, 135 'allowfullscreen' => true, 136 'loading' => true, 137 'title' => true, 138 'sandbox' => true, 139 'allow' => true, 140 'style' => true, 141 ); 142 return wp_kses( wp_unslash( $data ), $allowed_tags ); 128 // Check if content sanitization is enabled 129 $sanitize_content = get_option( 'iwc_sanitize_post_content', '0' ); 130 if ( $sanitize_content === '1' ) { 131 return wp_kses_post( wp_unslash( $data ) ); 132 } else { 133 // Only apply basic unslashing without HTML stripping when disabled 134 return wp_unslash( $data ); 135 } 143 136 } elseif ( is_numeric( $data ) ) { 144 137 return is_float( $data ) ? floatval( $data ) : intval( $data ); … … 264 257 if ( $movefile && ! isset( $movefile['error'] ) ) { 265 258 // Get additional metadata 266 // phpcs: ignore WordPress.Security.NonceVerification.Recommended -- REST API endpoint, authentication handled separately259 // phpcs:disable WordPress.Security.NonceVerification.Recommended -- REST API endpoint, authentication handled separately 267 260 $title = isset( $_REQUEST['title'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['title'] ) ) : ''; 268 // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- REST API endpoint, authentication handled separately269 261 $description = isset( $_REQUEST['description'] ) ? sanitize_textarea_field( wp_unslash( $_REQUEST['description'] ) ) : ''; 270 // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- REST API endpoint, authentication handled separately271 262 $caption = isset( $_REQUEST['caption'] ) ? 
sanitize_text_field( wp_unslash( $_REQUEST['caption'] ) ) : ''; 272 // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- REST API endpoint, authentication handled separately273 263 $alt_text = isset( $_REQUEST['alt_text'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['alt_text'] ) ) : ''; 274 // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- REST API endpoint, authentication handled separately275 264 $post_id = isset( $_REQUEST['post'] ) ? absint( $_REQUEST['post'] ) : 0; 276 265 $filename = basename( $movefile['file'] ); 266 // phpcs:enable WordPress.Security.NonceVerification.Recommended 277 267 // Prepare attachment data 278 268 $attachment = array( -
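Review bot: With `iwc_sanitize_post_content` defaulting to `'0'` (the `add_option` in index.php and the `register_setting` default in security.php), the new `else` branch returns the request string after `wp_unslash()` only, so the HTML filtering that the removed code always applied is now off until an administrator opts in, and an authenticated API client can persist arbitrary markup including script. The settings UI itself labels the option "(recommended)", so the safer default is `'1'` in all three places, e.g. `$sanitize_content = get_option( 'iwc_sanitize_post_content', '1' );` here and `add_option('iwc_sanitize_post_content', '1');` in index.php. If raw HTML must remain possible, gating the unsanitized path on the caller's `unfiltered_html` capability (`if ( $sanitize_content === '1' || ! current_user_can( 'unfiltered_html' ) )`) would mirror how core decides whether to apply kses; whether a WP user is resolved at this point is not visible in the hunk. Note also that the `wp_kses_post()` path drops the iframe allowance the removed code added, which looks like the 1.6.2 "content missing" fix being reverted. The enclosing method starts and ends outside the hunk.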
integromat-connector/trunk/index.php
r3364774 r3366016 3 3 /** 4 4 * @package Integromat_Connector 5 * @version 1.6. 25 * @version 1.6.3 6 6 */ 7 7 … … 11 11 Author: Celonis s.r.o. 12 12 Author URI: https://www.make.com/en?utm_source=wordpress&utm_medium=partner&utm_campaign=wordpress-partner-make 13 Version: 1.6. 213 Version: 1.6.3 14 14 License: GPL v2 or later 15 15 License URI: https://www.gnu.org/licenses/gpl-2.0.html … … 19 19 define('IWC_PLUGIN_NAME_SAFE', 'integromat-wordpress-connector'); 20 20 define('IWC_MENUITEM_IDENTIFIER', 'integromat_custom_fields'); 21 define('IWC_PLUGIN_VERSION', '1.6. 2');21 define('IWC_PLUGIN_VERSION', '1.6.3'); 22 22 23 23 require __DIR__ . '/class/class-user.php'; … … 236 236 add_option('iwc_allowed_file_extensions', 'jpg,jpeg,png,gif,webp,svg,bmp,ico,pdf,doc,docx,xls,xlsx,ppt,pptx,txt,rtf,odt,ods,zip,rar,7z,tar,gz,mp3,wav,mp4,avi,mov,wmv,flv,webm,json,xml,csv'); 237 237 add_option('iwc_log_security_events', '0'); 238 add_option('iwc_sanitize_post_content', '0'); 238 239 } 239 240 -
integromat-connector/trunk/readme.txt
r3364774 r3366016 5 5 Tested up to: 6.8 6 6 Requires PHP: 7.2 7 Stable tag: 1.6. 27 Stable tag: 1.6.3 8 8 License: GPLv2 or later 9 9 … … 45 45 46 46 == Changelog == 47 = 1.6.3 = 48 * New feature: Content sanitization control option 49 47 50 = 1.6.2 = 48 51 * Fixed reported issues on content missing when creating post -
integromat-connector/trunk/settings/object-types/security.php
r3361722 r3366016 8 8 // Register security settings 9 9 register_setting( 'integromat_security_options', 'iwc_rate_limit_enabled', array( 10 'sanitize_callback' => ' sanitize_text_field',10 'sanitize_callback' => 'Integromat\\iwc_sanitize_checkbox_value', 11 11 'default' => '0', 12 12 ) ); … … 18 18 19 19 register_setting( 'integromat_security_options', 'iwc_payload_limit_enabled', array( 20 'sanitize_callback' => ' sanitize_text_field',20 'sanitize_callback' => 'Integromat\\iwc_sanitize_checkbox_value', 21 21 'default' => '0', 22 22 ) ); … … 28 28 29 29 register_setting( 'integromat_security_options', 'iwc_strict_file_validation', array( 30 'sanitize_callback' => ' sanitize_text_field',30 'sanitize_callback' => 'Integromat\\iwc_sanitize_checkbox_value', 31 31 'default' => '0', 32 32 ) ); … … 38 38 39 39 register_setting( 'integromat_security_options', 'iwc_log_security_events', array( 40 'sanitize_callback' => 'sanitize_text_field', 40 'sanitize_callback' => 'Integromat\\iwc_sanitize_checkbox_value', 41 'default' => '0', 42 ) ); 43 44 register_setting( 'integromat_security_options', 'iwc_sanitize_post_content', array( 45 'sanitize_callback' => 'Integromat\\iwc_sanitize_checkbox_value', 41 46 'default' => '0', 42 47 ) ); … … 63 68 </label> 64 69 <p class="description">Log rate limiting violations and permission denials for security monitoring.</p> 70 </div> 71 <?php 72 }, 73 'integromat_security_options', 74 'integromat_security_section', 75 array() 76 ); 77 78 add_settings_field( 79 'sanitize_post_content_control', 80 'Content Sanitization', 81 function ( $args ) { 82 $sanitize_post_content = get_option( 'iwc_sanitize_post_content', '0' ); 83 ?> 84 <div class="iwc-sanitize-content-container"> 85 <label> 86 <input type="checkbox" name="iwc_sanitize_post_content" value="1" <?php checked( $sanitize_post_content, '1' ); ?> /> 87 Sanitize post content (recommended) 88 </label> 89 <p class="description">Strip potentially harmful HTML tags and attributes from incoming 
content.</p> 90 91 <div class="notice notice-warning" style="margin: 10px 0; padding: 10px; background: #fff3cd; border: 1px solid #ffeaa7; border-left: 4px solid #ffb900;"> 92 <p style="margin: 0 0 8px 0; font-size: 13px;"> 93 <strong>⚠️ Warning:</strong> Disabling this may allow dangerous HTML/scripts to be stored. Only disable if you trust your API clients completely. 94 </p> 95 <p style="margin: 0; font-size: 12px; color: #666;"> 96 <strong>Examples of tags that will be stripped when enabled:</strong> <script>, <iframe>, <object>, <embed>, <form>, <input>, <style>, <link>, <meta> 97 </p> 98 </div> 65 99 </div> 66 100 <?php … … 325 359 return get_option( 'iwc_allowed_file_extensions', 'jpg,jpeg,png,gif,webp,svg,bmp,ico,pdf,doc,docx,xls,xlsx,ppt,pptx,txt,rtf,odt,ods,zip,rar,7z,tar,gz,mp3,wav,mp4,avi,mov,wmv,flv,webm,json,xml,csv' ); 326 360 } 361 362 function iwc_sanitize_checkbox_value( $value ) { 363 // Ensure only '0' or '1' values are accepted for checkbox settings 364 return ( $value === '1' || $value === 1 || $value === true ) ? '1' : '0'; 365 } -
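Review bot: The "Examples of tags" description at the bottom of the new `sanitize_post_content_control` field writes `<script>`, `<iframe>`, `<form>`, `<input>`, `<style>`, `<link>`, `<meta>` directly into the HTML output after `?>`; unless the source actually holds `&lt;`/`&gt;` entities that the changeset viewer decoded, a browser parses them as elements (an empty script, a stray input control, a nested form inside the options form) and the tag names never appear to the admin. Emit them escaped, e.g. `<?php echo esc_html( '<script>, <iframe>, <object>, <embed>, <form>, <input>, <style>, <link>, <meta>' ); ?>`, or write the entities by hand. Separately, the new `iwc_sanitize_checkbox_value()` could declare its contract, `function iwc_sanitize_checkbox_value( $value ): string`, since the readme states PHP 7.2 as the minimum and the callback is expected to always return a string.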
integromat-connector/trunk/settings/template/security_settings.phtml
r3361722 r3366016 3 3 4 4 <!-- Security Settings Banner --> 5 <div class="notice notice-info" style="margin: 20px 0; padding: 15px; border-left: 4px solid #0073aa;">5 <div class="notice notice-info" style="margin: 20px 20px 20px 0; padding: 15px; border-left: 4px solid #0073aa;"> 6 6 <div style="display: flex; align-items: flex-start;"> 7 7 <span class="dashicons dashicons-info" style="color: #0073aa; margin-right: 10px; margin-top: 2px;"></span>