Changeset 3367712

lazy-blocks/tags/4.1.1/assets/admin/tools/tools.js

-                      r3304975
+                      r3367712
         const typeLabel = type.charAt(0).toUpperCase() + type.slice(1);
         let url = window.location.href;
+        // Add export nonce for CSRF protection
+        if (data.export_nonce) {
+            url += `&lazyblocks_export_nonce=${data.export_nonce}`;
+        }
         data[type].forEach((item) => {

lazy-blocks/tags/4.1.1/build/admin-tools.asset.php

r3304975	r3367712
1		<?php return array('dependencies' => array('wp-components', 'wp-element', 'wp-i18n'), 'version' => '~~ef9e249564ec49e19956~~');
	1	<?php return array('dependencies' => array('wp-components', 'wp-element', 'wp-i18n'), 'version' => '05bb6126d0a5b8d21d57');

lazy-blocks/tags/4.1.1/build/admin-tools.js

r3304975	r3367712
1		(()=>{"use strict";const e=window.wp.element,t=window.wp.i18n,n=window.wp.components;function l(e){var n=e.children;return wp.element.createElement("div",{className:"lazyblocks-component-copied"},n\|\|(0,t.__)("Copied!","lazy-blocks"))}function o(e){return o="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},o(e)}function a(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var l=Object.getOwnPropertySymbols(e);t&&(l=l.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,l)}return n}function r(e,t,n){return(t=function(e){var t=function(e){if("object"!=o(e)\|\|!e)return e;var t=e[Symbol.toPrimitive];if(void 0!==t){var n=t.call(e,"string");if("object"!=o(n))return n;throw new TypeError("@@toPrimitive must return a primitive value.")}return String(e)}(e);return"symbol"==o(t)?t:t+""}(t))in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function c(e,t){return function(e){if(Array.isArray(e))return e}(e)\|\|function(e,t){var n=null==e?null:"undefined"!=typeof Symbol&&e[Symbol.iterator]\|\|e["@@iterator"];if(null!=n){var l,o,a,r,c=[],i=!0,s=!1;try{if(a=(n=n.call(e)).next,0===t){if(Object(n)!==n)return;i=!1}else for(;!(i=(l=a.call(n)).done)&&(c.push(l.value),c.length!==t);i=!0);}catch(e){s=!0,o=e}finally{try{if(!i&&null!=n.return&&(r=n.return(),Object(r)!==r))return}finally{if(s)throw o}}return c}}(e,t)\|\|function(e,t){if(e){if("string"==typeof e)return i(e,t);var n={}.toString.call(e).slice(8,-1);return"Object"===n&&e.constructor&&(n=e.constructor.name),"Map"===n\|\|"Set"===n?Array.from(e):"Arguments"===n\|\|/^(?:Ui\|I)nt(?:8\|16\|32)(?:Clamped)?Array$/.test(n)?i(e,t):void 0}}(e,t)\|\|function(){throw new TypeError("Invalid attempt to destructure non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}()}function i(e,t){(null==t\|\|t>e.length)&&(t=e.length);for(var n=0,l=Array(t);n<t;n++)l[n]=e[n];return l}var s=window,m=s.navigator,p=s.lazyblocksToolsData;function u(){var o=c((0,e.useState)(!1),2),i=o[0],s=o[1],u=c((0,e.useState)(!1),2),d=u[0],b=u[1],w=c((0,e.useState)({}),2),y=w[0],h=w[1],f=c((0,e.useState)({}),2),v=f[0],E=f[1],k=c((0,e.useState)(!1),2),_=k[0],g=k[1],x=c((0,e.useState)(!1),2),N=x[0],S=x[1],z={showBlocksPHP:i,showTemplatesPHP:d},O={disabledBlocks:y,disabledTemplates:v},j={copiedBlocks:_,copiedTemplates:N},P=(0,e.useRef)({});function T(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",t=e.charAt(0).toUpperCase()+e.slice(1),n=window.location.href;return p[e].forEach((function(l){O["disabled".concat(t)][l.data.id]\|\|(n+="&lazyblocks_export_".concat(e,"[]=").concat(l.data.id))})),n}function B(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",t=e.charAt(0).toUpperCase()+e.slice(1),n="";return p[e].forEach((function(e){O["disabled".concat(t)][e.data.id]\|\|(n+=e.php_string_code)})),n&&(n="add_action( 'lzb/init', function() {\n".concat(n,"\n} );")),n}function C(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",o=e.charAt(0).toUpperCase()+e.slice(1),c=Object.keys(O["disabled".concat(o)]).length===p[e].length;return wp.element.createElement(wp.element.Fragment,null,wp.element.createElement("div",{className:"lzb-export-select-items"},wp.element.createElement(n.BaseControl,{__nextHasNoMarginBottom:!0},wp.element.createElement(n.ToggleControl,{label:(0,t.__)("Select all","lazy-blocks"),checked:0===Object.keys(O["disabled".concat(o)]).length,onChange:function(){var t={};0===Object.keys(O["disabled".concat(o)]).length&&p[e].forEach((function(e){t[e.data.id]=!0})),"Blocks"===o?h(t):"Templates"===o&&E(t)},__nextHasNoMarginBottom:!0}),p[e].map((function(t){var l=!O["disabled".concat(o)][t.data.id];return wp.element.createElement(n.ToggleControl,{key:t.data.id,label:wp.element.createElement(wp.element.Fragment,null,"blocks"===e?wp.element.createElement(wp.element.Fragment,null,t.data.icon&&/^dashicons/.test(t.data.icon)?wp.element.createElement("span",{className:t.data.icon}):"",t.data.icon&&!/^dashicons/.test(t.data.icon)?wp.element.createElement("span",{dangerouslySetInnerHTML:{__html:t.data.icon}}):""," "):"",t.data.title),checked:l,onChange:function(){var e=function(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?a(Object(n),!0).forEach((function(t){r(e,t,n[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):a(Object(n)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t))}))}return e}({},O["disabled".concat(o)]);l&&!e[t.data.id]?e[t.data.id]=!0:l\|\|void 0===e[t.data.id]\|\|delete e[t.data.id],"Blocks"===o?h(e):"Templates"===o&&E(e)},__nextHasNoMarginBottom:!0})})))),z["show".concat(o,"PHP")]?wp.element.createElement(wp.element.Fragment,null,wp.element.createElement("div",{className:"lzb-export-textarea"},wp.element.createElement(n.TextareaControl,{className:"lzb-export-code",readOnly:!0,value:B(e),__next40pxDefaultSize:!0,__nextHasNoMarginBottom:!0})),wp.element.createElement("div",{className:"lzb-export-buttons"},wp.element.createElement("button",{className:"button",onClick:function(){!function(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",t=e.charAt(0).toUpperCase()+e.slice(1);m.clipboard.writeText(B(e)).then((function(){"Blocks"===t?g(!0):"Templates"===t&&S(!0),clearTimeout(P.current[t]),P.current[t]=setTimeout((function(){"Blocks"===t?g(!1):"Templates"===t&&S(!1)}),350)}))}(e)}},(0,t.__)("Copy to Clipboard","lazy-blocks"),j["copied".concat(o)]?wp.element.createElement(l,null):""))):wp.element.createElement("div",{className:"lzb-export-buttons"},wp.element.createElement("a",{className:"button button-primary",disabled:c,href:T(e)},(0,t.__)("Export JSON","lazy-blocks")),wp.element.createElement("button",{className:"button",onClick:function(){"Blocks"===o?s(!0):"Templates"===o&&b(!0)},disabled:c},(0,t.__)("Generate PHP","lazy-blocks"))))}return wp.element.createElement("div",{className:"metabox-holder"},wp.element.createElement("div",{className:"postbox-container"},wp.element.createElement("div",{id:"normal-sortables"},wp.element.createElement("div",{className:"postbox-container"},wp.element.createElement("div",{className:"postbox"},wp.element.createElement("h2",{className:"hndle"},wp.element.createElement("span",null,(0,t.__)("Export Blocks","lazy-blocks"))),p.blocks&&p.blocks.length?wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("Select the blocks you would like to export and then select your export method. Use the download button to export to a .json file which you can then import to another Lazy Blocks installation. Use the generate button to export to PHP code which you can place in your theme.")),C("blocks")):wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("There are no blocks to export.")))),p.templates&&p.templates.length?wp.element.createElement("div",{className:"postbox"},wp.element.createElement("h2",{className:"hndle"},wp.element.createElement("span",null,(0,t.__)("Export Templates","lazy-blocks"))),wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("Select the templates you would like to export and then select your export method. Use the download button to export to a .json file which you can then import to another Lazy Blocks installation. Use the generate button to export to PHP code which you can place in your theme.")),C("templates"))):null),wp.element.createElement("div",{className:"postbox-container"},wp.element.createElement("div",{className:"postbox"},wp.element.createElement("h2",{className:"hndle"},wp.element.createElement("span",null,(0,t.__)("Import","lazy-blocks"))),wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("Select the Lazy Blocks JSON file you want to import. When you click the import button below, Lazy Blocks will import the blocks.")),wp.element.createElement("form",{method:"post",encType:"multipart/form-data"},wp.element.createElement("div",{className:"lzb-export-select-items"},wp.element.createElement("input",{type:"file",name:"lzb_tools_import_json"})),wp.element.createElement("input",{type:"hidden",name:"lzb_tools_import_nonce",value:p.nonce}),wp.element.createElement("div",{className:"lzb-export-buttons"},wp.element.createElement("button",{className:"button button-primary"},(0,t.__)("Import","lazy-blocks"))))))))))}window.addEventListener("load",(function(){(0,e.render)(wp.element.createElement(u,null),document.querySelector(".lazyblocks-tools-page"))}))})();
	1	(()=>{"use strict";const e=window.wp.element,t=window.wp.i18n,n=window.wp.components;function l(e){var n=e.children;return wp.element.createElement("div",{className:"lazyblocks-component-copied"},n\|\|(0,t.__)("Copied!","lazy-blocks"))}function o(e){return o="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},o(e)}function a(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var l=Object.getOwnPropertySymbols(e);t&&(l=l.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,l)}return n}function r(e,t,n){return(t=function(e){var t=function(e){if("object"!=o(e)\|\|!e)return e;var t=e[Symbol.toPrimitive];if(void 0!==t){var n=t.call(e,"string");if("object"!=o(n))return n;throw new TypeError("@@toPrimitive must return a primitive value.")}return String(e)}(e);return"symbol"==o(t)?t:t+""}(t))in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function c(e,t){return function(e){if(Array.isArray(e))return e}(e)\|\|function(e,t){var n=null==e?null:"undefined"!=typeof Symbol&&e[Symbol.iterator]\|\|e["@@iterator"];if(null!=n){var l,o,a,r,c=[],i=!0,s=!1;try{if(a=(n=n.call(e)).next,0===t){if(Object(n)!==n)return;i=!1}else for(;!(i=(l=a.call(n)).done)&&(c.push(l.value),c.length!==t);i=!0);}catch(e){s=!0,o=e}finally{try{if(!i&&null!=n.return&&(r=n.return(),Object(r)!==r))return}finally{if(s)throw o}}return c}}(e,t)\|\|function(e,t){if(e){if("string"==typeof e)return i(e,t);var n={}.toString.call(e).slice(8,-1);return"Object"===n&&e.constructor&&(n=e.constructor.name),"Map"===n\|\|"Set"===n?Array.from(e):"Arguments"===n\|\|/^(?:Ui\|I)nt(?:8\|16\|32)(?:Clamped)?Array$/.test(n)?i(e,t):void 0}}(e,t)\|\|function(){throw new TypeError("Invalid attempt to destructure non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}()}function i(e,t){(null==t\|\|t>e.length)&&(t=e.length);for(var n=0,l=Array(t);n<t;n++)l[n]=e[n];return l}var s=window,m=s.navigator,p=s.lazyblocksToolsData;function u(){var o=c((0,e.useState)(!1),2),i=o[0],s=o[1],u=c((0,e.useState)(!1),2),d=u[0],b=u[1],w=c((0,e.useState)({}),2),y=w[0],h=w[1],f=c((0,e.useState)({}),2),v=f[0],E=f[1],_=c((0,e.useState)(!1),2),k=_[0],g=_[1],x=c((0,e.useState)(!1),2),N=x[0],z=x[1],S={showBlocksPHP:i,showTemplatesPHP:d},O={disabledBlocks:y,disabledTemplates:v},j={copiedBlocks:k,copiedTemplates:N},P=(0,e.useRef)({});function T(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",t=e.charAt(0).toUpperCase()+e.slice(1),n=window.location.href;return p.export_nonce&&(n+="&lazyblocks_export_nonce=".concat(p.export_nonce)),p[e].forEach((function(l){O["disabled".concat(t)][l.data.id]\|\|(n+="&lazyblocks_export_".concat(e,"[]=").concat(l.data.id))})),n}function B(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",t=e.charAt(0).toUpperCase()+e.slice(1),n="";return p[e].forEach((function(e){O["disabled".concat(t)][e.data.id]\|\|(n+=e.php_string_code)})),n&&(n="add_action( 'lzb/init', function() {\n".concat(n,"\n} );")),n}function C(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",o=e.charAt(0).toUpperCase()+e.slice(1),c=Object.keys(O["disabled".concat(o)]).length===p[e].length;return wp.element.createElement(wp.element.Fragment,null,wp.element.createElement("div",{className:"lzb-export-select-items"},wp.element.createElement(n.BaseControl,{__nextHasNoMarginBottom:!0},wp.element.createElement(n.ToggleControl,{label:(0,t.__)("Select all","lazy-blocks"),checked:0===Object.keys(O["disabled".concat(o)]).length,onChange:function(){var t={};0===Object.keys(O["disabled".concat(o)]).length&&p[e].forEach((function(e){t[e.data.id]=!0})),"Blocks"===o?h(t):"Templates"===o&&E(t)},__nextHasNoMarginBottom:!0}),p[e].map((function(t){var l=!O["disabled".concat(o)][t.data.id];return wp.element.createElement(n.ToggleControl,{key:t.data.id,label:wp.element.createElement(wp.element.Fragment,null,"blocks"===e?wp.element.createElement(wp.element.Fragment,null,t.data.icon&&/^dashicons/.test(t.data.icon)?wp.element.createElement("span",{className:t.data.icon}):"",t.data.icon&&!/^dashicons/.test(t.data.icon)?wp.element.createElement("span",{dangerouslySetInnerHTML:{__html:t.data.icon}}):""," "):"",t.data.title),checked:l,onChange:function(){var e=function(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?a(Object(n),!0).forEach((function(t){r(e,t,n[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):a(Object(n)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t))}))}return e}({},O["disabled".concat(o)]);l&&!e[t.data.id]?e[t.data.id]=!0:l\|\|void 0===e[t.data.id]\|\|delete e[t.data.id],"Blocks"===o?h(e):"Templates"===o&&E(e)},__nextHasNoMarginBottom:!0})})))),S["show".concat(o,"PHP")]?wp.element.createElement(wp.element.Fragment,null,wp.element.createElement("div",{className:"lzb-export-textarea"},wp.element.createElement(n.TextareaControl,{className:"lzb-export-code",readOnly:!0,value:B(e),__next40pxDefaultSize:!0,__nextHasNoMarginBottom:!0})),wp.element.createElement("div",{className:"lzb-export-buttons"},wp.element.createElement("button",{className:"button",onClick:function(){!function(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",t=e.charAt(0).toUpperCase()+e.slice(1);m.clipboard.writeText(B(e)).then((function(){"Blocks"===t?g(!0):"Templates"===t&&z(!0),clearTimeout(P.current[t]),P.current[t]=setTimeout((function(){"Blocks"===t?g(!1):"Templates"===t&&z(!1)}),350)}))}(e)}},(0,t.__)("Copy to Clipboard","lazy-blocks"),j["copied".concat(o)]?wp.element.createElement(l,null):""))):wp.element.createElement("div",{className:"lzb-export-buttons"},wp.element.createElement("a",{className:"button button-primary",disabled:c,href:T(e)},(0,t.__)("Export JSON","lazy-blocks")),wp.element.createElement("button",{className:"button",onClick:function(){"Blocks"===o?s(!0):"Templates"===o&&b(!0)},disabled:c},(0,t.__)("Generate PHP","lazy-blocks"))))}return wp.element.createElement("div",{className:"metabox-holder"},wp.element.createElement("div",{className:"postbox-container"},wp.element.createElement("div",{id:"normal-sortables"},wp.element.createElement("div",{className:"postbox-container"},wp.element.createElement("div",{className:"postbox"},wp.element.createElement("h2",{className:"hndle"},wp.element.createElement("span",null,(0,t.__)("Export Blocks","lazy-blocks"))),p.blocks&&p.blocks.length?wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("Select the blocks you would like to export and then select your export method. Use the download button to export to a .json file which you can then import to another Lazy Blocks installation. Use the generate button to export to PHP code which you can place in your theme.")),C("blocks")):wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("There are no blocks to export.")))),p.templates&&p.templates.length?wp.element.createElement("div",{className:"postbox"},wp.element.createElement("h2",{className:"hndle"},wp.element.createElement("span",null,(0,t.__)("Export Templates","lazy-blocks"))),wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("Select the templates you would like to export and then select your export method. Use the download button to export to a .json file which you can then import to another Lazy Blocks installation. Use the generate button to export to PHP code which you can place in your theme.")),C("templates"))):null),wp.element.createElement("div",{className:"postbox-container"},wp.element.createElement("div",{className:"postbox"},wp.element.createElement("h2",{className:"hndle"},wp.element.createElement("span",null,(0,t.__)("Import","lazy-blocks"))),wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("Select the Lazy Blocks JSON file you want to import. When you click the import button below, Lazy Blocks will import the blocks.")),wp.element.createElement("form",{method:"post",encType:"multipart/form-data"},wp.element.createElement("div",{className:"lzb-export-select-items"},wp.element.createElement("input",{type:"file",name:"lzb_tools_import_json"})),wp.element.createElement("input",{type:"hidden",name:"lzb_tools_import_nonce",value:p.nonce}),wp.element.createElement("div",{className:"lzb-export-buttons"},wp.element.createElement("button",{className:"button button-primary"},(0,t.__)("Import","lazy-blocks"))))))))))}window.addEventListener("load",(function(){(0,e.render)(wp.element.createElement(u,null),document.querySelector(".lazyblocks-tools-page"))}))})();

lazy-blocks/tags/4.1.1/classes/class-blocks.php

-                      r3346570
+                      r3367712
                         array(
                             'lazyblocks_export_block' => intval( $post->ID ),
+                            'lazyblocks_export_nonce' => wp_create_nonce( 'lzb-export-blocks-nonce' ),
+                        )
                     ),
 …
      * @param string $code - user code string.
      * @param array  $attributes - block attributes.
+     * @param array  $context - block context.
+     *
      * @return string
 …
         // add filter for block output.
         $result = apply_filters( 'lzb/block_render/output', $result, $attributes, $render_location, $block, $context );
+        $result = apply_filters( 'lzb/block_render/output', $result, $attributes, $render_location, $block, $context, $content );
         // phpcs:ignore
         $result = apply_filters( $block['slug'] . '/' . $render_location . '_output', $result, $attributes, $block, $context );
+        $result = apply_filters( $block['slug'] . '/' . $render_location . '_output', $result, $attributes, $block, $context, $content );
         // phpcs:ignore
         $result = apply_filters( $block['slug'] . '/output', $result, $attributes, $render_location, $block, $context );
+        $result = apply_filters( $block['slug'] . '/output', $result, $attributes, $render_location, $block, $context, $content );
         return $result;

lazy-blocks/tags/4.1.1/classes/class-tools.php

-                      r3346570
+                      r3367712
         $templates = lazyblocks()->templates()->get_templates( true, true );
         $data      = array(
+            'blocks'    => array(),
+            'templates' => array(),
+            'nonce'     => wp_create_nonce( 'lzb-tools-import-nonce' ),
+            'blocks'       => array(),
+            'templates'    => array(),
+            'nonce'        => wp_create_nonce( 'lzb-tools-import-nonce' ),
+            'export_nonce' => wp_create_nonce( 'lzb-export-blocks-nonce' ),
         );
 …
      */
     public function maybe_export_json() {
+        // Check if any export parameters are present.
+        $has_export_params = isset( $_GET['lazyblocks_export_block'] ) ||
+                            isset( $_GET['lazyblocks_export_blocks'] ) ||
+                            isset( $_GET['lazyblocks_export_templates'] ) ||
+                            isset( $_GET['lazyblocks_export_nonce'] );
+        // Exit early if no export parameters - this is the normal case on every admin page.
+        if ( ! $has_export_params ) {
+            return;
+        }
+        // Verify nonce for CSRF protection - required for all export operations.
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+        $nonce = isset( $_GET['lazyblocks_export_nonce'] ) ? sanitize_key( $_GET['lazyblocks_export_nonce'] ) : false;
+        if ( ! $nonce || ! wp_verify_nonce( $nonce, 'lzb-export-blocks-nonce' ) ) {
+            wp_die( esc_html__( 'Export permission denied.', 'lazy-blocks' ) );
+        }
         $block_id  = filter_input( INPUT_GET, 'lazyblocks_export_block', FILTER_SANITIZE_NUMBER_INT );
         $block_ids = filter_input_array(
 …
         $template_ids = is_array( $template_ids ) && isset( $template_ids['lazyblocks_export_templates'] ) ? $template_ids['lazyblocks_export_templates'] : array();
+        if ( isset( $block_id ) && current_user_can( 'read_lazyblock', $block_id ) ) {
+        // Security: Only administrators with edit_lazyblocks capability can export.
+        // This prevents contributors from bypassing UI restrictions via direct URL access.
+        if ( isset( $block_id ) && current_user_can( 'edit_lazyblocks' ) ) {
             $this->export_json( array( $block_id ) );
         } elseif ( isset( $block_ids ) && ! empty( $block_ids ) && current_user_can( 'read_lazyblock', $block_ids[0] ) ) {
+        } elseif ( isset( $block_ids ) && ! empty( $block_ids ) && current_user_can( 'edit_lazyblocks' ) ) {
             $this->export_json( $block_ids );
         } elseif ( isset( $template_ids ) && ! empty( $template_ids ) && current_user_can( 'read_lazyblock', $template_ids[0] ) ) {
+        } elseif ( isset( $template_ids ) && ! empty( $template_ids ) && current_user_can( 'edit_lazyblocks' ) ) {
             $this->export_json( $template_ids, 'templates' );
+        }
 …
         // Duplicate block.
         if ( isset( $block_id ) && current_user_can( 'read_lazyblock', $block_id ) ) {
+        if ( isset( $block_id ) && current_user_can( 'edit_lazyblocks' ) ) {
             $this->duplicate_block( $block_id );
+        }

lazy-blocks/tags/4.1.1/languages/lazy-blocks.json

-                      r3304975
+                      r3367712
             ""
          ],
+         "https://www.lazyblocks.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=byline": [
+            ""
+         ],
          "Easily create custom blocks and custom meta fields for Gutenberg without hard coding.": [
             ""
          ],
          "Lazy Blocks Team": [
-            ""
-         ],
-         "https://www.lazyblocks.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=byline": [
             ""
          ],
 …
             "",
             "Imported %s templates"
+         ],
+         "Export permission denied.": [
+            ""
          ],
          "Template for these post types '%s' already exists.": [

lazy-blocks/tags/4.1.1/languages/lazy-blocks.pot

-                      r3346570
+                      r3367712
 msgid ""
 msgstr ""
 "Project-Id-Version: Lazy Blocks 4.1.0\n"
+"Project-Id-Version: Lazy Blocks 4.1.1\n"
 "Report-Msgid-Bugs-To: https://github.com/nk-crew/lazyblocks/issues\n"
 "Last-Translator: Lazy Blocks Team\n"
 …
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "POT-Creation-Date: 2025-08-18T17:07:40+00:00\n"
+"POT-Creation-Date: 2025-09-25T09:27:58+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.12.0\n"
 …
 #: classes/class-admin.php:252
 #: classes/class-blocks.php:187
 #: classes/class-blocks.php:1222
+#: classes/class-blocks.php:1223
 msgid "Lazy Blocks"
+msgstr ""
+#. Plugin URI of the plugin
+#. Author URI of the plugin
+#: lazy-blocks.php
+msgid "https://www.lazyblocks.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=byline"
 msgstr ""
 …
 #: lazy-blocks.php
 msgid "Lazy Blocks Team"
-msgstr ""
-#. Author URI of the plugin
-#: lazy-blocks.php
-msgid "https://www.lazyblocks.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=byline"
 msgstr ""
 …
 #. translators: %1$ - post title.
 #: classes/class-blocks.php:374
+#: classes/class-blocks.php:375
 #, php-format
 msgid "Export “%1$s”"
 msgstr ""
 #: classes/class-blocks.php:377
 #: classes/class-blocks.php:412
+#: classes/class-blocks.php:378
+#: classes/class-blocks.php:413
 msgid "Export"
 msgstr ""
 #. translators: %1$ - post title.
 #: classes/class-blocks.php:389
+#: classes/class-blocks.php:390
 #, php-format
 msgid "Deactivate “%1$s”"
 …
 #. translators: %1$ - post title.
 #: classes/class-blocks.php:389
+#: classes/class-blocks.php:390
 #, php-format
 msgid "Activate “%1$s”"
 msgstr ""
 #: classes/class-blocks.php:393
 #: classes/class-blocks.php:416
+#: classes/class-blocks.php:394
+#: classes/class-blocks.php:417
 msgid "Deactivate"
 msgstr ""
 #: classes/class-blocks.php:393
 #: classes/class-blocks.php:414
+#: classes/class-blocks.php:394
+#: classes/class-blocks.php:415
 msgid "Activate"
 msgstr ""
 #: classes/class-blocks.php:456
+#: classes/class-blocks.php:457
 #: assets/block-builder/boxes/general/index.js:179
 msgid "Icon"
 msgstr ""
 #: classes/class-blocks.php:458
+#: classes/class-blocks.php:459
 #: assets/block-builder/boxes/general/index.js:46
 msgid "Slug"
 msgstr ""
 #: classes/class-blocks.php:459
+#: classes/class-blocks.php:460
 #: assets/block-builder/boxes/general/index.js:94
 msgid "Category"
 msgstr ""
 #: classes/class-blocks.php:460
+#: classes/class-blocks.php:461
 #: assets/block-builder/boxes/general/index.js:213
 #: assets/block-builder/boxes/wizard/index.js:276
 …
 #. translators: %s - block title.
 #: classes/class-tools.php:330
+#: classes/class-tools.php:331
 #, php-format
 msgid "Block \"%s\" activated successfully."
 …
 #. translators: %s - block title.
 #: classes/class-tools.php:330
+#: classes/class-tools.php:331
 #, php-format
 msgid "Block \"%s\" deactivated successfully."
 …
 #. translators: %s - number of blocks.
 #: classes/class-tools.php:333
+#: classes/class-tools.php:334
 #, php-format
 msgid "Activated %s block"
 …
 #. translators: %s - number of blocks.
 #: classes/class-tools.php:333
+#: classes/class-tools.php:334
 #, php-format
 msgid "Deactivated %s block"
 …
 msgstr[1] ""
 #: classes/class-tools.php:372
+#: classes/class-tools.php:373
 msgid "No file selected"
 msgstr ""
 #: classes/class-tools.php:382
+#: classes/class-tools.php:383
 msgid "Error uploading file. Please try again"
 msgstr ""
 #: classes/class-tools.php:388
+#: classes/class-tools.php:389
 msgid "Incorrect file type"
 msgstr ""
 #: classes/class-tools.php:399
+#: classes/class-tools.php:400
 msgid "Import file empty"
 msgstr ""
 #. translators: %s - number of blocks.
 #: classes/class-tools.php:438
+#: classes/class-tools.php:439
 #, php-format
 msgid "Imported %s block"
 …
 #. translators: %s - number of templates.
 #: classes/class-tools.php:458
+#: classes/class-tools.php:459
 #, php-format
 msgid "Imported %s template"
 …
 msgstr[1] ""
+#: classes/class-tools.php:493
+msgid "Export permission denied."
+msgstr ""
 #. translators: %s - post type.
 #: classes/class-tools.php:634
+#: classes/class-tools.php:656
 #, php-format
 msgid "Template for these post types '%s' already exists."
 …
 #. translators: %s - post title.
 #: classes/class-tools.php:680
+#: classes/class-tools.php:702
 #, php-format
 msgid "Added new block '%s'."
 msgstr ""
 #: classes/class-tools.php:711
+#: classes/class-tools.php:733
 msgid "(Copy)"
 msgstr ""
 …
 msgstr ""
 #: assets/admin/tools/tools.js:117
+#: assets/admin/tools/tools.js:122
 msgid "Select all"
 msgstr ""
 #: assets/admin/tools/tools.js:245
+#: assets/admin/tools/tools.js:250
 msgid "Copy to Clipboard"
 msgstr ""
 #: assets/admin/tools/tools.js:261
+#: assets/admin/tools/tools.js:266
 msgid "Export JSON"
 msgstr ""
 #: assets/admin/tools/tools.js:275
+#: assets/admin/tools/tools.js:280
 msgid "Generate PHP"
 msgstr ""
 #: assets/admin/tools/tools.js:291
+#: assets/admin/tools/tools.js:296
 msgid "Export Blocks"
 msgstr ""
 #: assets/admin/tools/tools.js:316
+#: assets/admin/tools/tools.js:321
 msgid "Export Templates"
 msgstr ""
 #: assets/admin/tools/tools.js:334
 #: assets/admin/tools/tools.js:363
+#: assets/admin/tools/tools.js:339
+#: assets/admin/tools/tools.js:368
 msgid "Import"
 msgstr ""

lazy-blocks/tags/4.1.1/lazy-blocks.php

-                      r3357405
+                      r3367712
  * Plugin Name:  Lazy Blocks
  * Description:  Easily create custom blocks and custom meta fields for Gutenberg without hard coding.
  * Version:      4.1.0
+ * Version:      4.1.1
  * Plugin URI:   https://www.lazyblocks.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=byline
  * Author:       Lazy Blocks Team
 …
 if ( ! defined( 'LAZY_BLOCKS_VERSION' ) ) {
     define( 'LAZY_BLOCKS_VERSION', '4.1.0' );
+    define( 'LAZY_BLOCKS_VERSION', '4.1.1' );
+}

lazy-blocks/tags/4.1.1/readme.txt

-                      r3347329
+                      r3367712
 * Tested up to: 6.8
 * Requires PHP: 8.0
 * Stable tag: 4.1.0
+* Stable tag: 4.1.1
 * License: GPLv2 or later
 * License URI: <http://www.gnu.org/licenses/gpl-2.0.html>
 …
 ## Changelog
+= 4.1.1 - Sep 25, 2025 =
+* security fix: prevent unauthorized block export access
+* added `$content` attribute to `lzb/block_render/output` filters
+* **Pro:**
+* fixed rendering blocks in widgets screen when Rank Math is active
 = 4.1.0 - Aug 18, 2025 =

lazy-blocks/trunk/assets/admin/tools/tools.js

-                      r3304975
+                      r3367712
         const typeLabel = type.charAt(0).toUpperCase() + type.slice(1);
         let url = window.location.href;
+        // Add export nonce for CSRF protection
+        if (data.export_nonce) {
+            url += `&lazyblocks_export_nonce=${data.export_nonce}`;
+        }
         data[type].forEach((item) => {

lazy-blocks/trunk/build/admin-tools.asset.php

r3304975	r3367712
1		<?php return array('dependencies' => array('wp-components', 'wp-element', 'wp-i18n'), 'version' => '~~ef9e249564ec49e19956~~');
	1	<?php return array('dependencies' => array('wp-components', 'wp-element', 'wp-i18n'), 'version' => '05bb6126d0a5b8d21d57');

lazy-blocks/trunk/build/admin-tools.js

r3304975	r3367712
1		(()=>{"use strict";const e=window.wp.element,t=window.wp.i18n,n=window.wp.components;function l(e){var n=e.children;return wp.element.createElement("div",{className:"lazyblocks-component-copied"},n\|\|(0,t.__)("Copied!","lazy-blocks"))}function o(e){return o="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},o(e)}function a(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var l=Object.getOwnPropertySymbols(e);t&&(l=l.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,l)}return n}function r(e,t,n){return(t=function(e){var t=function(e){if("object"!=o(e)\|\|!e)return e;var t=e[Symbol.toPrimitive];if(void 0!==t){var n=t.call(e,"string");if("object"!=o(n))return n;throw new TypeError("@@toPrimitive must return a primitive value.")}return String(e)}(e);return"symbol"==o(t)?t:t+""}(t))in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function c(e,t){return function(e){if(Array.isArray(e))return e}(e)\|\|function(e,t){var n=null==e?null:"undefined"!=typeof Symbol&&e[Symbol.iterator]\|\|e["@@iterator"];if(null!=n){var l,o,a,r,c=[],i=!0,s=!1;try{if(a=(n=n.call(e)).next,0===t){if(Object(n)!==n)return;i=!1}else for(;!(i=(l=a.call(n)).done)&&(c.push(l.value),c.length!==t);i=!0);}catch(e){s=!0,o=e}finally{try{if(!i&&null!=n.return&&(r=n.return(),Object(r)!==r))return}finally{if(s)throw o}}return c}}(e,t)\|\|function(e,t){if(e){if("string"==typeof e)return i(e,t);var n={}.toString.call(e).slice(8,-1);return"Object"===n&&e.constructor&&(n=e.constructor.name),"Map"===n\|\|"Set"===n?Array.from(e):"Arguments"===n\|\|/^(?:Ui\|I)nt(?:8\|16\|32)(?:Clamped)?Array$/.test(n)?i(e,t):void 0}}(e,t)\|\|function(){throw new TypeError("Invalid attempt to destructure non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}()}function i(e,t){(null==t\|\|t>e.length)&&(t=e.length);for(var n=0,l=Array(t);n<t;n++)l[n]=e[n];return l}var s=window,m=s.navigator,p=s.lazyblocksToolsData;function u(){var o=c((0,e.useState)(!1),2),i=o[0],s=o[1],u=c((0,e.useState)(!1),2),d=u[0],b=u[1],w=c((0,e.useState)({}),2),y=w[0],h=w[1],f=c((0,e.useState)({}),2),v=f[0],E=f[1],k=c((0,e.useState)(!1),2),_=k[0],g=k[1],x=c((0,e.useState)(!1),2),N=x[0],S=x[1],z={showBlocksPHP:i,showTemplatesPHP:d},O={disabledBlocks:y,disabledTemplates:v},j={copiedBlocks:_,copiedTemplates:N},P=(0,e.useRef)({});function T(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",t=e.charAt(0).toUpperCase()+e.slice(1),n=window.location.href;return p[e].forEach((function(l){O["disabled".concat(t)][l.data.id]\|\|(n+="&lazyblocks_export_".concat(e,"[]=").concat(l.data.id))})),n}function B(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",t=e.charAt(0).toUpperCase()+e.slice(1),n="";return p[e].forEach((function(e){O["disabled".concat(t)][e.data.id]\|\|(n+=e.php_string_code)})),n&&(n="add_action( 'lzb/init', function() {\n".concat(n,"\n} );")),n}function C(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",o=e.charAt(0).toUpperCase()+e.slice(1),c=Object.keys(O["disabled".concat(o)]).length===p[e].length;return wp.element.createElement(wp.element.Fragment,null,wp.element.createElement("div",{className:"lzb-export-select-items"},wp.element.createElement(n.BaseControl,{__nextHasNoMarginBottom:!0},wp.element.createElement(n.ToggleControl,{label:(0,t.__)("Select all","lazy-blocks"),checked:0===Object.keys(O["disabled".concat(o)]).length,onChange:function(){var t={};0===Object.keys(O["disabled".concat(o)]).length&&p[e].forEach((function(e){t[e.data.id]=!0})),"Blocks"===o?h(t):"Templates"===o&&E(t)},__nextHasNoMarginBottom:!0}),p[e].map((function(t){var l=!O["disabled".concat(o)][t.data.id];return wp.element.createElement(n.ToggleControl,{key:t.data.id,label:wp.element.createElement(wp.element.Fragment,null,"blocks"===e?wp.element.createElement(wp.element.Fragment,null,t.data.icon&&/^dashicons/.test(t.data.icon)?wp.element.createElement("span",{className:t.data.icon}):"",t.data.icon&&!/^dashicons/.test(t.data.icon)?wp.element.createElement("span",{dangerouslySetInnerHTML:{__html:t.data.icon}}):""," "):"",t.data.title),checked:l,onChange:function(){var e=function(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?a(Object(n),!0).forEach((function(t){r(e,t,n[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):a(Object(n)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t))}))}return e}({},O["disabled".concat(o)]);l&&!e[t.data.id]?e[t.data.id]=!0:l\|\|void 0===e[t.data.id]\|\|delete e[t.data.id],"Blocks"===o?h(e):"Templates"===o&&E(e)},__nextHasNoMarginBottom:!0})})))),z["show".concat(o,"PHP")]?wp.element.createElement(wp.element.Fragment,null,wp.element.createElement("div",{className:"lzb-export-textarea"},wp.element.createElement(n.TextareaControl,{className:"lzb-export-code",readOnly:!0,value:B(e),__next40pxDefaultSize:!0,__nextHasNoMarginBottom:!0})),wp.element.createElement("div",{className:"lzb-export-buttons"},wp.element.createElement("button",{className:"button",onClick:function(){!function(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",t=e.charAt(0).toUpperCase()+e.slice(1);m.clipboard.writeText(B(e)).then((function(){"Blocks"===t?g(!0):"Templates"===t&&S(!0),clearTimeout(P.current[t]),P.current[t]=setTimeout((function(){"Blocks"===t?g(!1):"Templates"===t&&S(!1)}),350)}))}(e)}},(0,t.__)("Copy to Clipboard","lazy-blocks"),j["copied".concat(o)]?wp.element.createElement(l,null):""))):wp.element.createElement("div",{className:"lzb-export-buttons"},wp.element.createElement("a",{className:"button button-primary",disabled:c,href:T(e)},(0,t.__)("Export JSON","lazy-blocks")),wp.element.createElement("button",{className:"button",onClick:function(){"Blocks"===o?s(!0):"Templates"===o&&b(!0)},disabled:c},(0,t.__)("Generate PHP","lazy-blocks"))))}return wp.element.createElement("div",{className:"metabox-holder"},wp.element.createElement("div",{className:"postbox-container"},wp.element.createElement("div",{id:"normal-sortables"},wp.element.createElement("div",{className:"postbox-container"},wp.element.createElement("div",{className:"postbox"},wp.element.createElement("h2",{className:"hndle"},wp.element.createElement("span",null,(0,t.__)("Export Blocks","lazy-blocks"))),p.blocks&&p.blocks.length?wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("Select the blocks you would like to export and then select your export method. Use the download button to export to a .json file which you can then import to another Lazy Blocks installation. Use the generate button to export to PHP code which you can place in your theme.")),C("blocks")):wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("There are no blocks to export.")))),p.templates&&p.templates.length?wp.element.createElement("div",{className:"postbox"},wp.element.createElement("h2",{className:"hndle"},wp.element.createElement("span",null,(0,t.__)("Export Templates","lazy-blocks"))),wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("Select the templates you would like to export and then select your export method. Use the download button to export to a .json file which you can then import to another Lazy Blocks installation. Use the generate button to export to PHP code which you can place in your theme.")),C("templates"))):null),wp.element.createElement("div",{className:"postbox-container"},wp.element.createElement("div",{className:"postbox"},wp.element.createElement("h2",{className:"hndle"},wp.element.createElement("span",null,(0,t.__)("Import","lazy-blocks"))),wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("Select the Lazy Blocks JSON file you want to import. When you click the import button below, Lazy Blocks will import the blocks.")),wp.element.createElement("form",{method:"post",encType:"multipart/form-data"},wp.element.createElement("div",{className:"lzb-export-select-items"},wp.element.createElement("input",{type:"file",name:"lzb_tools_import_json"})),wp.element.createElement("input",{type:"hidden",name:"lzb_tools_import_nonce",value:p.nonce}),wp.element.createElement("div",{className:"lzb-export-buttons"},wp.element.createElement("button",{className:"button button-primary"},(0,t.__)("Import","lazy-blocks"))))))))))}window.addEventListener("load",(function(){(0,e.render)(wp.element.createElement(u,null),document.querySelector(".lazyblocks-tools-page"))}))})();
	1	(()=>{"use strict";const e=window.wp.element,t=window.wp.i18n,n=window.wp.components;function l(e){var n=e.children;return wp.element.createElement("div",{className:"lazyblocks-component-copied"},n\|\|(0,t.__)("Copied!","lazy-blocks"))}function o(e){return o="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},o(e)}function a(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var l=Object.getOwnPropertySymbols(e);t&&(l=l.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,l)}return n}function r(e,t,n){return(t=function(e){var t=function(e){if("object"!=o(e)\|\|!e)return e;var t=e[Symbol.toPrimitive];if(void 0!==t){var n=t.call(e,"string");if("object"!=o(n))return n;throw new TypeError("@@toPrimitive must return a primitive value.")}return String(e)}(e);return"symbol"==o(t)?t:t+""}(t))in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function c(e,t){return function(e){if(Array.isArray(e))return e}(e)\|\|function(e,t){var n=null==e?null:"undefined"!=typeof Symbol&&e[Symbol.iterator]\|\|e["@@iterator"];if(null!=n){var l,o,a,r,c=[],i=!0,s=!1;try{if(a=(n=n.call(e)).next,0===t){if(Object(n)!==n)return;i=!1}else for(;!(i=(l=a.call(n)).done)&&(c.push(l.value),c.length!==t);i=!0);}catch(e){s=!0,o=e}finally{try{if(!i&&null!=n.return&&(r=n.return(),Object(r)!==r))return}finally{if(s)throw o}}return c}}(e,t)\|\|function(e,t){if(e){if("string"==typeof e)return i(e,t);var n={}.toString.call(e).slice(8,-1);return"Object"===n&&e.constructor&&(n=e.constructor.name),"Map"===n\|\|"Set"===n?Array.from(e):"Arguments"===n\|\|/^(?:Ui\|I)nt(?:8\|16\|32)(?:Clamped)?Array$/.test(n)?i(e,t):void 0}}(e,t)\|\|function(){throw new TypeError("Invalid attempt to destructure non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}()}function i(e,t){(null==t\|\|t>e.length)&&(t=e.length);for(var n=0,l=Array(t);n<t;n++)l[n]=e[n];return l}var s=window,m=s.navigator,p=s.lazyblocksToolsData;function u(){var o=c((0,e.useState)(!1),2),i=o[0],s=o[1],u=c((0,e.useState)(!1),2),d=u[0],b=u[1],w=c((0,e.useState)({}),2),y=w[0],h=w[1],f=c((0,e.useState)({}),2),v=f[0],E=f[1],_=c((0,e.useState)(!1),2),k=_[0],g=_[1],x=c((0,e.useState)(!1),2),N=x[0],z=x[1],S={showBlocksPHP:i,showTemplatesPHP:d},O={disabledBlocks:y,disabledTemplates:v},j={copiedBlocks:k,copiedTemplates:N},P=(0,e.useRef)({});function T(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",t=e.charAt(0).toUpperCase()+e.slice(1),n=window.location.href;return p.export_nonce&&(n+="&lazyblocks_export_nonce=".concat(p.export_nonce)),p[e].forEach((function(l){O["disabled".concat(t)][l.data.id]\|\|(n+="&lazyblocks_export_".concat(e,"[]=").concat(l.data.id))})),n}function B(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",t=e.charAt(0).toUpperCase()+e.slice(1),n="";return p[e].forEach((function(e){O["disabled".concat(t)][e.data.id]\|\|(n+=e.php_string_code)})),n&&(n="add_action( 'lzb/init', function() {\n".concat(n,"\n} );")),n}function C(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",o=e.charAt(0).toUpperCase()+e.slice(1),c=Object.keys(O["disabled".concat(o)]).length===p[e].length;return wp.element.createElement(wp.element.Fragment,null,wp.element.createElement("div",{className:"lzb-export-select-items"},wp.element.createElement(n.BaseControl,{__nextHasNoMarginBottom:!0},wp.element.createElement(n.ToggleControl,{label:(0,t.__)("Select all","lazy-blocks"),checked:0===Object.keys(O["disabled".concat(o)]).length,onChange:function(){var t={};0===Object.keys(O["disabled".concat(o)]).length&&p[e].forEach((function(e){t[e.data.id]=!0})),"Blocks"===o?h(t):"Templates"===o&&E(t)},__nextHasNoMarginBottom:!0}),p[e].map((function(t){var l=!O["disabled".concat(o)][t.data.id];return wp.element.createElement(n.ToggleControl,{key:t.data.id,label:wp.element.createElement(wp.element.Fragment,null,"blocks"===e?wp.element.createElement(wp.element.Fragment,null,t.data.icon&&/^dashicons/.test(t.data.icon)?wp.element.createElement("span",{className:t.data.icon}):"",t.data.icon&&!/^dashicons/.test(t.data.icon)?wp.element.createElement("span",{dangerouslySetInnerHTML:{__html:t.data.icon}}):""," "):"",t.data.title),checked:l,onChange:function(){var e=function(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?a(Object(n),!0).forEach((function(t){r(e,t,n[t])})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):a(Object(n)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t))}))}return e}({},O["disabled".concat(o)]);l&&!e[t.data.id]?e[t.data.id]=!0:l\|\|void 0===e[t.data.id]\|\|delete e[t.data.id],"Blocks"===o?h(e):"Templates"===o&&E(e)},__nextHasNoMarginBottom:!0})})))),S["show".concat(o,"PHP")]?wp.element.createElement(wp.element.Fragment,null,wp.element.createElement("div",{className:"lzb-export-textarea"},wp.element.createElement(n.TextareaControl,{className:"lzb-export-code",readOnly:!0,value:B(e),__next40pxDefaultSize:!0,__nextHasNoMarginBottom:!0})),wp.element.createElement("div",{className:"lzb-export-buttons"},wp.element.createElement("button",{className:"button",onClick:function(){!function(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"blocks",t=e.charAt(0).toUpperCase()+e.slice(1);m.clipboard.writeText(B(e)).then((function(){"Blocks"===t?g(!0):"Templates"===t&&z(!0),clearTimeout(P.current[t]),P.current[t]=setTimeout((function(){"Blocks"===t?g(!1):"Templates"===t&&z(!1)}),350)}))}(e)}},(0,t.__)("Copy to Clipboard","lazy-blocks"),j["copied".concat(o)]?wp.element.createElement(l,null):""))):wp.element.createElement("div",{className:"lzb-export-buttons"},wp.element.createElement("a",{className:"button button-primary",disabled:c,href:T(e)},(0,t.__)("Export JSON","lazy-blocks")),wp.element.createElement("button",{className:"button",onClick:function(){"Blocks"===o?s(!0):"Templates"===o&&b(!0)},disabled:c},(0,t.__)("Generate PHP","lazy-blocks"))))}return wp.element.createElement("div",{className:"metabox-holder"},wp.element.createElement("div",{className:"postbox-container"},wp.element.createElement("div",{id:"normal-sortables"},wp.element.createElement("div",{className:"postbox-container"},wp.element.createElement("div",{className:"postbox"},wp.element.createElement("h2",{className:"hndle"},wp.element.createElement("span",null,(0,t.__)("Export Blocks","lazy-blocks"))),p.blocks&&p.blocks.length?wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("Select the blocks you would like to export and then select your export method. Use the download button to export to a .json file which you can then import to another Lazy Blocks installation. Use the generate button to export to PHP code which you can place in your theme.")),C("blocks")):wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("There are no blocks to export.")))),p.templates&&p.templates.length?wp.element.createElement("div",{className:"postbox"},wp.element.createElement("h2",{className:"hndle"},wp.element.createElement("span",null,(0,t.__)("Export Templates","lazy-blocks"))),wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("Select the templates you would like to export and then select your export method. Use the download button to export to a .json file which you can then import to another Lazy Blocks installation. Use the generate button to export to PHP code which you can place in your theme.")),C("templates"))):null),wp.element.createElement("div",{className:"postbox-container"},wp.element.createElement("div",{className:"postbox"},wp.element.createElement("h2",{className:"hndle"},wp.element.createElement("span",null,(0,t.__)("Import","lazy-blocks"))),wp.element.createElement("div",{className:"inside"},wp.element.createElement("p",null,(0,t.__)("Select the Lazy Blocks JSON file you want to import. When you click the import button below, Lazy Blocks will import the blocks.")),wp.element.createElement("form",{method:"post",encType:"multipart/form-data"},wp.element.createElement("div",{className:"lzb-export-select-items"},wp.element.createElement("input",{type:"file",name:"lzb_tools_import_json"})),wp.element.createElement("input",{type:"hidden",name:"lzb_tools_import_nonce",value:p.nonce}),wp.element.createElement("div",{className:"lzb-export-buttons"},wp.element.createElement("button",{className:"button button-primary"},(0,t.__)("Import","lazy-blocks"))))))))))}window.addEventListener("load",(function(){(0,e.render)(wp.element.createElement(u,null),document.querySelector(".lazyblocks-tools-page"))}))})();

lazy-blocks/trunk/classes/class-blocks.php

-                      r3346570
+                      r3367712
                         array(
                             'lazyblocks_export_block' => intval( $post->ID ),
+                            'lazyblocks_export_nonce' => wp_create_nonce( 'lzb-export-blocks-nonce' ),
+                        )
                     ),
 …
      * @param string $code - user code string.
      * @param array  $attributes - block attributes.
+     * @param array  $context - block context.
+     *
      * @return string
 …
         // add filter for block output.
         $result = apply_filters( 'lzb/block_render/output', $result, $attributes, $render_location, $block, $context );
+        $result = apply_filters( 'lzb/block_render/output', $result, $attributes, $render_location, $block, $context, $content );
         // phpcs:ignore
         $result = apply_filters( $block['slug'] . '/' . $render_location . '_output', $result, $attributes, $block, $context );
+        $result = apply_filters( $block['slug'] . '/' . $render_location . '_output', $result, $attributes, $block, $context, $content );
         // phpcs:ignore
         $result = apply_filters( $block['slug'] . '/output', $result, $attributes, $render_location, $block, $context );
+        $result = apply_filters( $block['slug'] . '/output', $result, $attributes, $render_location, $block, $context, $content );
         return $result;

lazy-blocks/trunk/classes/class-tools.php

-                      r3346570
+                      r3367712
         $templates = lazyblocks()->templates()->get_templates( true, true );
         $data      = array(
+            'blocks'    => array(),
+            'templates' => array(),
+            'nonce'     => wp_create_nonce( 'lzb-tools-import-nonce' ),
+            'blocks'       => array(),
+            'templates'    => array(),
+            'nonce'        => wp_create_nonce( 'lzb-tools-import-nonce' ),
+            'export_nonce' => wp_create_nonce( 'lzb-export-blocks-nonce' ),
         );
 …
      */
     public function maybe_export_json() {
+        // Check if any export parameters are present.
+        $has_export_params = isset( $_GET['lazyblocks_export_block'] ) ||
+                            isset( $_GET['lazyblocks_export_blocks'] ) ||
+                            isset( $_GET['lazyblocks_export_templates'] ) ||
+                            isset( $_GET['lazyblocks_export_nonce'] );
+        // Exit early if no export parameters - this is the normal case on every admin page.
+        if ( ! $has_export_params ) {
+            return;
+        }
+        // Verify nonce for CSRF protection - required for all export operations.
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+        $nonce = isset( $_GET['lazyblocks_export_nonce'] ) ? sanitize_key( $_GET['lazyblocks_export_nonce'] ) : false;
+        if ( ! $nonce || ! wp_verify_nonce( $nonce, 'lzb-export-blocks-nonce' ) ) {
+            wp_die( esc_html__( 'Export permission denied.', 'lazy-blocks' ) );
+        }
         $block_id  = filter_input( INPUT_GET, 'lazyblocks_export_block', FILTER_SANITIZE_NUMBER_INT );
         $block_ids = filter_input_array(
 …
         $template_ids = is_array( $template_ids ) && isset( $template_ids['lazyblocks_export_templates'] ) ? $template_ids['lazyblocks_export_templates'] : array();
+        if ( isset( $block_id ) && current_user_can( 'read_lazyblock', $block_id ) ) {
+        // Security: Only administrators with edit_lazyblocks capability can export.
+        // This prevents contributors from bypassing UI restrictions via direct URL access.
+        if ( isset( $block_id ) && current_user_can( 'edit_lazyblocks' ) ) {
             $this->export_json( array( $block_id ) );
         } elseif ( isset( $block_ids ) && ! empty( $block_ids ) && current_user_can( 'read_lazyblock', $block_ids[0] ) ) {
+        } elseif ( isset( $block_ids ) && ! empty( $block_ids ) && current_user_can( 'edit_lazyblocks' ) ) {
             $this->export_json( $block_ids );
         } elseif ( isset( $template_ids ) && ! empty( $template_ids ) && current_user_can( 'read_lazyblock', $template_ids[0] ) ) {
+        } elseif ( isset( $template_ids ) && ! empty( $template_ids ) && current_user_can( 'edit_lazyblocks' ) ) {
             $this->export_json( $template_ids, 'templates' );
+        }
 …
         // Duplicate block.
         if ( isset( $block_id ) && current_user_can( 'read_lazyblock', $block_id ) ) {
+        if ( isset( $block_id ) && current_user_can( 'edit_lazyblocks' ) ) {
             $this->duplicate_block( $block_id );
+        }

lazy-blocks/trunk/languages/lazy-blocks.json

-                      r3304975
+                      r3367712
             ""
          ],
+         "https://www.lazyblocks.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=byline": [
+            ""
+         ],
          "Easily create custom blocks and custom meta fields for Gutenberg without hard coding.": [
             ""
          ],
          "Lazy Blocks Team": [
-            ""
-         ],
-         "https://www.lazyblocks.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=byline": [
             ""
          ],
 …
             "",
             "Imported %s templates"
+         ],
+         "Export permission denied.": [
+            ""
          ],
          "Template for these post types '%s' already exists.": [

lazy-blocks/trunk/languages/lazy-blocks.pot

-                      r3346570
+                      r3367712
 msgid ""
 msgstr ""
 "Project-Id-Version: Lazy Blocks 4.1.0\n"
+"Project-Id-Version: Lazy Blocks 4.1.1\n"
 "Report-Msgid-Bugs-To: https://github.com/nk-crew/lazyblocks/issues\n"
 "Last-Translator: Lazy Blocks Team\n"
 …
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "POT-Creation-Date: 2025-08-18T17:07:40+00:00\n"
+"POT-Creation-Date: 2025-09-25T09:27:58+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.12.0\n"
 …
 #: classes/class-admin.php:252
 #: classes/class-blocks.php:187
 #: classes/class-blocks.php:1222
+#: classes/class-blocks.php:1223
 msgid "Lazy Blocks"
+msgstr ""
+#. Plugin URI of the plugin
+#. Author URI of the plugin
+#: lazy-blocks.php
+msgid "https://www.lazyblocks.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=byline"
 msgstr ""
 …
 #: lazy-blocks.php
 msgid "Lazy Blocks Team"
-msgstr ""
-#. Author URI of the plugin
-#: lazy-blocks.php
-msgid "https://www.lazyblocks.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=byline"
 msgstr ""
 …
 #. translators: %1$ - post title.
 #: classes/class-blocks.php:374
+#: classes/class-blocks.php:375
 #, php-format
 msgid "Export “%1$s”"
 msgstr ""
 #: classes/class-blocks.php:377
 #: classes/class-blocks.php:412
+#: classes/class-blocks.php:378
+#: classes/class-blocks.php:413
 msgid "Export"
 msgstr ""
 #. translators: %1$ - post title.
 #: classes/class-blocks.php:389
+#: classes/class-blocks.php:390
 #, php-format
 msgid "Deactivate “%1$s”"
 …
 #. translators: %1$ - post title.
 #: classes/class-blocks.php:389
+#: classes/class-blocks.php:390
 #, php-format
 msgid "Activate “%1$s”"
 msgstr ""
 #: classes/class-blocks.php:393
 #: classes/class-blocks.php:416
+#: classes/class-blocks.php:394
+#: classes/class-blocks.php:417
 msgid "Deactivate"
 msgstr ""
 #: classes/class-blocks.php:393
 #: classes/class-blocks.php:414
+#: classes/class-blocks.php:394
+#: classes/class-blocks.php:415
 msgid "Activate"
 msgstr ""
 #: classes/class-blocks.php:456
+#: classes/class-blocks.php:457
 #: assets/block-builder/boxes/general/index.js:179
 msgid "Icon"
 msgstr ""
 #: classes/class-blocks.php:458
+#: classes/class-blocks.php:459
 #: assets/block-builder/boxes/general/index.js:46
 msgid "Slug"
 msgstr ""
 #: classes/class-blocks.php:459
+#: classes/class-blocks.php:460
 #: assets/block-builder/boxes/general/index.js:94
 msgid "Category"
 msgstr ""
 #: classes/class-blocks.php:460
+#: classes/class-blocks.php:461
 #: assets/block-builder/boxes/general/index.js:213
 #: assets/block-builder/boxes/wizard/index.js:276
 …
 #. translators: %s - block title.
 #: classes/class-tools.php:330
+#: classes/class-tools.php:331
 #, php-format
 msgid "Block \"%s\" activated successfully."
 …
 #. translators: %s - block title.
 #: classes/class-tools.php:330
+#: classes/class-tools.php:331
 #, php-format
 msgid "Block \"%s\" deactivated successfully."
 …
 #. translators: %s - number of blocks.
 #: classes/class-tools.php:333
+#: classes/class-tools.php:334
 #, php-format
 msgid "Activated %s block"
 …
 #. translators: %s - number of blocks.
 #: classes/class-tools.php:333
+#: classes/class-tools.php:334
 #, php-format
 msgid "Deactivated %s block"
 …
 msgstr[1] ""
 #: classes/class-tools.php:372
+#: classes/class-tools.php:373
 msgid "No file selected"
 msgstr ""
 #: classes/class-tools.php:382
+#: classes/class-tools.php:383
 msgid "Error uploading file. Please try again"
 msgstr ""
 #: classes/class-tools.php:388
+#: classes/class-tools.php:389
 msgid "Incorrect file type"
 msgstr ""
 #: classes/class-tools.php:399
+#: classes/class-tools.php:400
 msgid "Import file empty"
 msgstr ""
 #. translators: %s - number of blocks.
 #: classes/class-tools.php:438
+#: classes/class-tools.php:439
 #, php-format
 msgid "Imported %s block"
 …
 #. translators: %s - number of templates.
 #: classes/class-tools.php:458
+#: classes/class-tools.php:459
 #, php-format
 msgid "Imported %s template"
 …
 msgstr[1] ""
+#: classes/class-tools.php:493
+msgid "Export permission denied."
+msgstr ""
 #. translators: %s - post type.
 #: classes/class-tools.php:634
+#: classes/class-tools.php:656
 #, php-format
 msgid "Template for these post types '%s' already exists."
 …
 #. translators: %s - post title.
 #: classes/class-tools.php:680
+#: classes/class-tools.php:702
 #, php-format
 msgid "Added new block '%s'."
 msgstr ""
 #: classes/class-tools.php:711
+#: classes/class-tools.php:733
 msgid "(Copy)"
 msgstr ""
 …
 msgstr ""
 #: assets/admin/tools/tools.js:117
+#: assets/admin/tools/tools.js:122
 msgid "Select all"
 msgstr ""
 #: assets/admin/tools/tools.js:245
+#: assets/admin/tools/tools.js:250
 msgid "Copy to Clipboard"
 msgstr ""
 #: assets/admin/tools/tools.js:261
+#: assets/admin/tools/tools.js:266
 msgid "Export JSON"
 msgstr ""
 #: assets/admin/tools/tools.js:275
+#: assets/admin/tools/tools.js:280
 msgid "Generate PHP"
 msgstr ""
 #: assets/admin/tools/tools.js:291
+#: assets/admin/tools/tools.js:296
 msgid "Export Blocks"
 msgstr ""
 #: assets/admin/tools/tools.js:316
+#: assets/admin/tools/tools.js:321
 msgid "Export Templates"
 msgstr ""
 #: assets/admin/tools/tools.js:334
 #: assets/admin/tools/tools.js:363
+#: assets/admin/tools/tools.js:339
+#: assets/admin/tools/tools.js:368
 msgid "Import"
 msgstr ""

lazy-blocks/trunk/lazy-blocks.php

-                      r3357405
+                      r3367712
  * Plugin Name:  Lazy Blocks
  * Description:  Easily create custom blocks and custom meta fields for Gutenberg without hard coding.
  * Version:      4.1.0
+ * Version:      4.1.1
  * Plugin URI:   https://www.lazyblocks.com/?utm_source=wordpress.org&utm_medium=readme&utm_campaign=byline
  * Author:       Lazy Blocks Team
 …
 if ( ! defined( 'LAZY_BLOCKS_VERSION' ) ) {
     define( 'LAZY_BLOCKS_VERSION', '4.1.0' );
+    define( 'LAZY_BLOCKS_VERSION', '4.1.1' );
+}

lazy-blocks/trunk/readme.txt

-                      r3347329
+                      r3367712
 * Tested up to: 6.8
 * Requires PHP: 8.0
 * Stable tag: 4.1.0
+* Stable tag: 4.1.1
 * License: GPLv2 or later
 * License URI: <http://www.gnu.org/licenses/gpl-2.0.html>
 …
 ## Changelog
+= 4.1.1 - Sep 25, 2025 =
+* security fix: prevent unauthorized block export access
+* added `$content` attribute to `lzb/block_render/output` filters
+* **Pro:**
+* fixed rendering blocks in widgets screen when Rank Math is active
 = 4.1.0 - Aug 18, 2025 =

Plugin Directory

Context Navigation

Legend:

lazy-blocks/tags/4.1.1/assets/admin/tools/tools.js

lazy-blocks/tags/4.1.1/build/admin-tools.asset.php

lazy-blocks/tags/4.1.1/build/admin-tools.js

lazy-blocks/tags/4.1.1/classes/class-blocks.php

lazy-blocks/tags/4.1.1/classes/class-tools.php

lazy-blocks/tags/4.1.1/languages/lazy-blocks.json

lazy-blocks/tags/4.1.1/languages/lazy-blocks.pot

lazy-blocks/tags/4.1.1/lazy-blocks.php

lazy-blocks/tags/4.1.1/readme.txt

lazy-blocks/trunk/assets/admin/tools/tools.js

lazy-blocks/trunk/build/admin-tools.asset.php

lazy-blocks/trunk/build/admin-tools.js

lazy-blocks/trunk/classes/class-blocks.php

lazy-blocks/trunk/classes/class-tools.php

lazy-blocks/trunk/languages/lazy-blocks.json

lazy-blocks/trunk/languages/lazy-blocks.pot

lazy-blocks/trunk/lazy-blocks.php

lazy-blocks/trunk/readme.txt

Download in other formats: