Pods 3.2.8.1
sc0ttkclark committed Nov 22, 2024
1 parent a780c71 commit 9f68b9f
Showing 18 changed files with 108 additions and 36 deletions.
15 changes: 10 additions & 5 deletions changelog.txt
Expand Up @@ -2,6 +2,11 @@ Found a bug? Have a great feature idea? Get on GitHub and tell us about it and w

Our GitHub has the full list of all prior releases of Pods: https://github.com/pods-framework/pods/releases

= 3.2.8.1 - November 18th, 2024 =

* Security: Resolve stored XSS issue with the File Upload field Add Button Text option. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this (their second report, they are doing good work!). (@sc0ttkclark)
* Security: Harden the use of values within id and class HTML attributes in Pods form elements. (@sc0ttkclark)

= 3.2.8 - November 17th, 2024 =

REMINDER: PHP support for Pod Templates and Pod Pages been turned off by default in Pods 3.2.7+ (`PODS_DISABLE_EVAL` constant set to `false` can be used to re-enable it). It will be completely removed in Pods 3.3 after being deprecated back in Pods 2.3. (@sc0ttkclark)
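Review bot: The new 3.2.8.1 heading is dated November 18th, 2024 while this commit is dated Nov 22, 2024; confirm the intended release date before tagging. The unchanged REMINDER context line still reads "Pod Pages been turned off", which should be "Pod Pages has been turned off" (the same sentence is repeated in readme.txt).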
Expand All @@ -10,8 +15,8 @@ REMINDER: PHP support for Pod Templates and Pod Pages been turned off by default
* Feature: Updated the design and user experience of the various guided screens inside of the Pods Admin to make it easier to read and click through on small screens. (@sc0ttkclark, @heybran)
* Enhanced: Pod Page template part handling for PHP template files now passes the `$pods` variable. (@sc0ttkclark)
* Enhanced: Added support for parsing magic tags in Pod Template files in the theme when you set the PHP header comment `Magic Tags: Enabled`. (@sc0ttkclark)
* Enhanced: Run wpautop on Pods Item List and Pods Related Item List blocks for the "not found" content if they are not already formatted. (@sc0ttkclark)
* Fixed: Only running wpautop for block the Pods Field block content if it does not contain div, ul, ol, heading, or p HTML tags. (@sc0ttkclark)
* Enhanced: Run wpautop on Pods Item List and Pods Related Item List blocks for the "not found" content if they are not already formatted. (@sc0ttkclark)
* Fixed: Only running wpautop for block the Pods Field block content if it does not contain div, ul, ol, heading, or p HTML tags. (@sc0ttkclark)
* Fixed: Resolve issue with empty strings showing when using magic tags before/after functionality. (@JoryHogeveen)
* Fixed: Ignore more internal WP post types and taxonomies plus others from other plugins.
* Fixed: Move load_plugin_textdomain usage into init and make it optional with the constant `PODS_LOAD_TEXTDOMAIN` set to `true`. It is no longer needed for WordPress.org plugins but may be needed in the future for testing. (@sc0ttkclark)
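Review bot: The removed and re-added lines (`* Enhanced: Run wpautop ...` and `* Fixed: Only running wpautop ...`) are textually identical, so this is a whitespace-only change; if it is not intentional it only adds noise to a security release diff and is worth dropping. While touching it, "Only running wpautop for block the Pods Field block content" reads like a leftover edit and could be "Only run wpautop on the Pods Field block content".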
Expand All @@ -36,7 +41,7 @@ REMINDER: PHP support for Pod Templates and Pod Pages been turned off by default
* Feature: New support for Query Monitor now shows Pods debug logs in a QM panel. (@sc0ttkclark)
* Tweak: Toggle add file button on single file field depending on whether a file is provided yet. #7315 (@heybran)
* Tweak: Added a `<p>` wrapper for the span-based pagination. (@sc0ttkclark)
* Removed: PHP support for Pod Templates and Pod Pages has been finally turned off by default (`PODS_DISABLE_EVAL` constant set to `false` can be used to re-enable it). It will be completely removed in Pods 3.3 after being deprecated in Pods 2.3. (@sc0ttkclark)
* Removed: PHP support for Pod Templates and Pod Pages has been finally turned off by default (`PODS_DISABLE_EVAL` constant set to `false` can be used to re-enable it). It will be completely removed in Pods 3.3 after being deprecated back in Pods 2.3. (@sc0ttkclark)
* Fixed: Improve REST authentication method to support other auth forms when registering fields. #7340 #7341 (@JoryHogeveen, @sc0ttkclark)
* Fixed: Fix invalid default value for REST API `write_all` option. #7339 (@JoryHogeveen)
* Fixed: Resolve issue with Taxonomy syncing for relationship fields. #7336 #7334 (@pdclark, @sc0ttkclark)
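Review bot: The only change in this hunk is inserting "back" into "deprecated back in Pods 2.3", a wording tweak unrelated to the security fix; it does bring changelog.txt in line with readme.txt, where the line already contains "back", so it is fine to keep.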
Expand Down Expand Up @@ -105,7 +110,7 @@ To be safe and sure that those who are using Pods do not mistake Pods 3.2.3 as a
* Feature: New support for WordPress `register_meta()` for all Pods fields on meta-based Pods. You can enable this feature in Pods Admin > Settings > "Register meta fields". (@sc0ttkclark)
* Feature: New support for specifying where your Custom Fields show in REST API responses for Pods that support that. You can choose from Object (response.field_name) or Meta (response.meta.field_name). (@sc0ttkclark)
* Feature: New support for Custom Fields in the new [WordPress 6.5 Block Bindings API](https://make.wordpress.org/core/2024/03/06/new-feature-the-block-bindings-api/) for the `core/post-meta` source. To use your custom fields there, you will need to enable "Register meta fields" in your Pods Admin > Settings and set your Pod to show it's REST API fields in the "Meta" location instead of Object. (@sc0ttkclark)
* Feature: New custom binding source support for the [WordPress 6.5 Block Bindings API](https://make.wordpress.org/core/2024/03/06/new-feature-the-block-bindings-api/). Specify your source as `pods/bindings-field` and then just pass the same arguments you would pass for a normal `[pods]` shortcode or block. This will bind that dynamic output to the block you are working with. (@sc0ttkclark)
* Feature: New custom binding source support for the [WordPress 6.5 Block Bindings API](https://make.wordpress.org/core/2024/03/06/new-feature-the-block-bindings-api/). Specify your source as `pods/bindings-field` and then just pass the same arguments you would pass for a normal `[pods]` shortcode or block. This will bind that dynamic output to the block you are working with. (@sc0ttkclark)
* Feature: Now you can specify whether to default values for a Pods field when the field is empty. This works great for when you add a new field to a Pod and you want to edit an existing item that did not have a field value set. The default value will be used in that circumstance. (@sc0ttkclark)
* Feature: Support for multiple default values when working with a multi-select field. Now you can just separate your values with a comma and they will be set as the default values. (@sc0ttkclark)
* Feature: Now you can specify whether to evaluate magic tags for default values like `{@user.ID}`. (@sc0ttkclark)
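Review bot: The `pods/bindings-field` line is removed and re-added with no visible difference, so this hunk is whitespace-only; the unchanged context line above it has "show it's REST API fields", which should be "its".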
Expand Down Expand Up @@ -262,7 +267,7 @@ New minimum required versions have been updated as follows which includes notice
**3.0 Changelog**

* Feature: [Conditional Logic for Fields](https://docs.pods.io/fields/conditional-logic-for-fields/) - You can now choose to show or hide a Pods field based on the value of another Pods field. More will be expanded into this functionality in the future. #609 (@zrothauser, @sc0ttkclark, @Shelob9)
* Feature: Support for the new Command Palettes feature added in WordPress 6.3. This will allow you to contextually go to the Edit Pod screen for the matching Pod configuration of that post type directly from the Edit Post screen. (@sc0ttkclark)
* Feature: Support for the new Command Palettes feature added in WordPress 6.3. This will allow you to contextually go to the Edit Pod screen for the matching Pod configuration of that post type directly from the Edit Post screen. (@sc0ttkclark)
* Added: Set up backward compatible updates to our prior `depends-on` and related logic for internal conditional logic prior to Pods 3.0 so they now properly translate over to the new format required. (@sc0ttkclark)
* Added: When importing and exporting Pods packages, they now include the list of active components. (@sc0ttkclark)
* Fixed: Media saving issue has been resolved when the Media Modal fields are disabled, it now saves fields as expected. #7158 (@sc0ttkclark, @pd-cm)
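Review bot: The Command Palettes line is removed and re-added with no visible difference, so this hunk is whitespace-only as well; consider running a trailing-whitespace cleanup as its own commit so the security release diff only shows the real changes.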
9 changes: 9 additions & 0 deletions classes/PodsAdmin.php
Expand Up @@ -757,6 +757,15 @@ public function admin_content_settings() {

$pod = pods_get_instance( $pod_name );

if ( empty( $pod->pod_data ) ) {
printf(
'<div class="wrap"><p>%s</p></div>',
esc_html__( 'This content type is not configured correctly. There could be an issue in your configuration storagae. Please contact support.', 'pods' )
);

return;
}

if ( 'custom' !== pods_v( 'ui_style', $pod->pod_data['options'], 'settings', true ) ) {
$actions_disabled = array(
'manage' => 'manage',
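Review bot: Typo in the user-facing string passed to `esc_html__()`: "storagae" should be "storage"; because the string is wrapped for translation it will be extracted into the .pot file as-is, so fix it before release. The early `return` itself is a sensible guard: without it the `$pod->pod_data['options']` access on the next context line would emit a PHP warning when a pod configuration is missing or corrupt.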
8 changes: 4 additions & 4 deletions classes/PodsField.php
Expand Up @@ -478,10 +478,10 @@ public function build_dfv_field_data( $args ) {
// Build DFV field data.
$data = [
'htmlAttr' => [
'id' => $attributes['id'],
'class' => $attributes['class'],
'name' => $attributes['name'],
'name_clean' => $attributes['data-name-clean'],
'id' => pods_enforce_safe_id( $attributes['id'] ),
'class' => pods_enforce_safe_class( $attributes['class'] ),
'name' => pods_enforce_safe_id( $attributes['name'] ),
'name_clean' => pods_enforce_safe_id( $attributes['data-name-clean'] ),
],
'fieldType' => $args->type,
'fieldItemData' => $this->build_dfv_field_item_data( $args ),
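Review bot: `pods_enforce_safe_id()` silently strips characters rather than rejecting the value, and here it is applied to `name` and `data-name-clean` as well as `id`; a stored field name containing anything outside `[A-Za-z0-9_\-\[\]]` would be rewritten, so its value would be submitted under a different key than the one the save handler expects. Confirm against the field-name validation rules that no legitimate name can contain other characters, and consider logging (the Query Monitor debug panel added in 3.2.8 would be a natural place) whenever the sanitized value differs from the input so any regression is visible. Keeping `[` and `]` in the `id` allow-list is right, since array-style names such as `field[]` depend on them.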
6 changes: 6 additions & 0 deletions classes/PodsForm.php
Expand Up @@ -490,6 +490,12 @@ public static function attributes( $attributes, $name = null, $type = null, $opt
continue;
}

if ( 'class' === $attribute ) {
$value = pods_enforce_safe_class( $value );
} elseif ( 'id' === $attribute ) {
$value = pods_enforce_safe_id( $value );
}

echo ' ' . esc_attr( (string) $attribute ) . '="' . esc_attr( (string) $value ) . '"';
}
}
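Review bot: The sanitization here covers only `class` and `id`, while `PodsField::build_dfv_field_data()` in this same commit also runs `name` through `pods_enforce_safe_id()`; pick one set of attributes to enforce and apply it in both places, otherwise PHP-rendered and DFV-rendered fields diverge. Since the value still goes through `esc_attr()` on the `echo` line, this is defense in depth (it rejects values that are well-formed for the attribute but unexpected, such as a class containing quotes or `<script>` text) rather than the primary XSS protection, and a one-line comment saying so would stop a future cleanup from removing either layer.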
47 changes: 47 additions & 0 deletions includes/data.php
Expand Up @@ -3100,3 +3100,50 @@ function pods_enforce_safe_url( string $url, ?string $fallback_url = null ) {

return wp_validate_redirect( $url, $fallback_url );
}

/**
* Enforce safety and standards on a value for the HTML attribute "class" context.
*
* @since 3.2.8.1
*
* @param string|null $value The value to enforce standards for.
*
* @return string|null The safe value.
*/
function pods_enforce_safe_class( ?string $value ): ?string {
return pods_enforce_safe_value_via_regex( $value, '/[^a-zA-Z0-9\s_\-]/' );
}

/**
* Enforce safety and standards on a value for the HTML attribute "id" context.
*
* @since 3.2.8.1
*
* @param string|null $value The value to enforce standards for.
*
* @return string|null The safe value.
*/
function pods_enforce_safe_id( ?string $value ): ?string {
return pods_enforce_safe_value_via_regex( $value, '/[^a-zA-Z0-9_\-\[\]]/' );
}

/**
* Enforce safety and standards on a value via a disallowed pattern.
*
* @since 3.2.8.1
*
* @param string|null $value The value to enforce standards for.
* @param string $disallowed_pattern The disallowed pattern to remove matching characters.
*
* @return string|null The safe value.
*/
function pods_enforce_safe_value_via_regex( ?string $value, string $disallowed_pattern ): ?string {
if ( null === $value ) {
return $value;
}

// Strip tags and the script tag contents.
$value = wp_strip_all_tags( $value );

return (string) preg_replace( $disallowed_pattern, '', $value );
}
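Review bot: `wp_strip_all_tags()` followed by the character-class regex is redundant for both callers: each pattern already removes `<`, `>` and `/`, so the tag stripping only matters if a future pattern admits those characters, and the comment should say that is the reason it stays. Two further points: the class pattern's `\s` admits tabs and newlines, which browsers tolerate in `class` but which differ from the single-space separator most class-list code expects, so `[^a-zA-Z0-9 _\-]` may be the intended set; and `preg_replace()` returns `null` on a PCRE error, which the `(string)` cast turns into an empty string rather than surfacing. A short unit test per function (empty string, `null`, a value containing markup, a value containing `[]`) would pin the contract down now that these helpers sit on the output boundary for every form element.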
4 changes: 2 additions & 2 deletions init.php
Expand Up @@ -10,7 +10,7 @@
* Plugin Name: Pods - Custom Content Types and Fields
* Plugin URI: https://pods.io/
* Description: Pods is a framework for creating, managing, and deploying customized content types and fields
* Version: 3.2.8
* Version: 3.2.8.1
* Author: Pods Framework Team
* Author URI: https://pods.io/about/
* Text Domain: pods
Expand Down Expand Up @@ -43,7 +43,7 @@
add_action( 'init', 'pods_deactivate_pods_ui' );
} else {
// Current version.
define( 'PODS_VERSION', '3.2.8' );
define( 'PODS_VERSION', '3.2.8.1' );

// Current database version, this is the last version the database changed.
define( 'PODS_DB_VERSION', '2.3.5' );
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "pods",
"version": "3.2.8",
"version": "3.2.8.1",
"description": "Pods is a development framework for creating, extending, managing, and deploying customized content types in WordPress.",
"author": "Pods Foundation, Inc",
"homepage": "https://pods.io/",
13 changes: 9 additions & 4 deletions readme.txt
Expand Up @@ -5,7 +5,7 @@ Tags: pods, custom post types, custom taxonomies, content types, custom fields
Requires at least: 6.0
Tested up to: 6.7
Requires PHP: 7.2
Stable tag: 3.2.8
Stable tag: 3.2.8.1
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Expand Down Expand Up @@ -182,6 +182,11 @@ Pods really wouldn't be where it is without all the contributions from our [dono

== Changelog ==

= 3.2.8.1 - November 18th, 2024 =

* Security: Resolve stored XSS issue with the File Upload field Add Button Text option. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this (their second report, they are doing good work!). (@sc0ttkclark)
* Security: Harden the use of values within id and class HTML attributes in Pods form elements. (@sc0ttkclark)

= 3.2.8 - November 17th, 2024 =

REMINDER: PHP support for Pod Templates and Pod Pages been turned off by default in Pods 3.2.7+ (`PODS_DISABLE_EVAL` constant set to `false` can be used to re-enable it). It will be completely removed in Pods 3.3 after being deprecated back in Pods 2.3. (@sc0ttkclark)
Expand All @@ -190,8 +195,8 @@ REMINDER: PHP support for Pod Templates and Pod Pages been turned off by default
* Feature: Updated the design and user experience of the various guided screens inside of the Pods Admin to make it easier to read and click through on small screens. (@sc0ttkclark, @heybran)
* Enhanced: Pod Page template part handling for PHP template files now passes the `$pods` variable. (@sc0ttkclark)
* Enhanced: Added support for parsing magic tags in Pod Template files in the theme when you set the PHP header comment `Magic Tags: Enabled`. (@sc0ttkclark)
* Enhanced: Run wpautop on Pods Item List and Pods Related Item List blocks for the "not found" content if they are not already formatted. (@sc0ttkclark)
* Fixed: Only running wpautop for block the Pods Field block content if it does not contain div, ul, ol, heading, or p HTML tags. (@sc0ttkclark)
* Enhanced: Run wpautop on Pods Item List and Pods Related Item List blocks for the "not found" content if they are not already formatted. (@sc0ttkclark)
* Fixed: Only running wpautop for block the Pods Field block content if it does not contain div, ul, ol, heading, or p HTML tags. (@sc0ttkclark)
* Fixed: Resolve issue with empty strings showing when using magic tags before/after functionality. (@JoryHogeveen)
* Fixed: Ignore more internal WP post types and taxonomies plus others from other plugins.
* Fixed: Move load_plugin_textdomain usage into init and make it optional with the constant `PODS_LOAD_TEXTDOMAIN` set to `true`. It is no longer needed for WordPress.org plugins but may be needed in the future for testing. (@sc0ttkclark)
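Review bot: As in changelog.txt, the removed and re-added `wpautop` lines here (and the `deprecated back in Pods 2.3` line in the next hunk) are identical, so these hunks are whitespace-only; readme.txt mirrors changelog.txt line for line, so whatever is decided for changelog.txt should be applied here too.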
Expand All @@ -216,7 +221,7 @@ REMINDER: PHP support for Pod Templates and Pod Pages been turned off by default
* Feature: New support for Query Monitor now shows Pods debug logs in a QM panel. (@sc0ttkclark)
* Tweak: Toggle add file button on single file field depending on whether a file is provided yet. #7315 (@heybran)
* Tweak: Added a `<p>` wrapper for the span-based pagination. (@sc0ttkclark)
* Removed: PHP support for Pod Templates and Pod Pages has been finally turned off by default (`PODS_DISABLE_EVAL` constant set to `false` can be used to re-enable it). It will be completely removed in Pods 3.3 after being deprecated back in Pods 2.3. (@sc0ttkclark)
* Removed: PHP support for Pod Templates and Pod Pages has been finally turned off by default (`PODS_DISABLE_EVAL` constant set to `false` can be used to re-enable it). It will be completely removed in Pods 3.3 after being deprecated back in Pods 2.3. (@sc0ttkclark)
* Fixed: Improve REST authentication method to support other auth forms when registering fields. #7340 #7341 (@JoryHogeveen, @sc0ttkclark)
* Fixed: Fix invalid default value for REST API `write_all` option. #7339 (@JoryHogeveen)
* Fixed: Resolve issue with Taxonomy syncing for relationship fields. #7336 #7334 (@pdclark, @sc0ttkclark)
2 changes: 1 addition & 1 deletion ui/fields/attachment.php
Expand Up @@ -124,7 +124,7 @@
<a class="button pods-file-add pods-media-add" href="<?php echo esc_url( admin_url( 'media-upload.php?inlineId=pods_media_attachment' . $the_post_id . '&tab=' . $tab . '&TB_iframe=1&width=640&height=1500&pods_pod=' . $pod->pod . '&pods_pod_id=' . $pod->pod . '&pods_field=' . $options['name'] . '&pods_field_id=' . $options['id'] . '&pods_uri_hash=' . $uri_hash . '&pods_field_nonce=' . $field_nonce ) ); ?>"><?php echo pods_v( $form_field_type . '_add_button', $options, __( 'Add File', 'pods' ) ); ?></a>
</div>

<script type="text/x-handlebars" id="<?php echo $css_id; ?>-handlebars">
<script type="text/x-handlebars" id="<?php echo pods_js_name( $css_id ); ?>-handlebars">
<?php echo $field_file->markup( $attributes, $file_limit, $title_editable ); ?>

</script>
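Review bot: On the `<script type="text/x-handlebars" id=...>` line, `pods_js_name()` normalizes the identifier but is not an escaping function, so the output still needs `esc_attr()` around it (oembed.php in this same commit wraps the equivalent call with `esc_js()`; `esc_attr()` is the right choice for an `id` attribute). Also, the unchanged context line at the top of this hunk echoes `pods_v( $form_field_type . '_add_button', $options, ... )` without escaping, and the changelog credits this release with fixing the stored XSS in the File Upload Add Button Text option; either that value is sanitized upstream in the file field class or this echo should be wrapped in `esc_html()`, and the diff alone does not show which, so a comment or the missing `esc_html()` would help the next reader.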
2 changes: 1 addition & 1 deletion ui/fields/checkbox.php
Expand Up @@ -87,7 +87,7 @@
<?php
if ( isset( $attributes['readonly'] ) && isset( $attributes['checked'] ) && 'CHECKED' === $attributes['checked'] ) {
?>
<input type="hidden" name="<?php echo esc_attr( $name ); ?>" value="<?php echo esc_attr( $attributes['value'] ); ?>" />
<input type="hidden" name="<?php echo esc_attr( pods_js_name( $name ) ); ?>" value="<?php echo esc_attr( $attributes['value'] ); ?>" />
<?php
}

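Review bot: Wrapping `$name` in `pods_js_name()` on the hidden input changes the submitted field name if `pods_js_name()` rewrites any characters (its other uses in this commit are in `id` attributes, not `name`, and `esc_attr()` was already applied here). For a readonly checked checkbox this hidden input is what carries the value on submit, so confirm it still posts under the same key the save routine reads, including `[]`-style array names.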
10 changes: 5 additions & 5 deletions ui/fields/link.php
Expand Up @@ -52,25 +52,25 @@

<div<?php PodsForm::attributes( $class_attributes, $name, $form_field_type, $options ); ?>>
<div class="pods-link-options">
<p class="howto"><?php _e( 'Enter the destination URL' ); ?></p>
<p class="howto"><?php esc_html( 'Enter the destination URL' ); ?></p>
<p>
<div class="alignleft">
<label><span><?php _e( 'URL' ); ?></span><input<?php PodsForm::attributes( $url_attributes, $url_name, $form_field_type, $options ); ?> /></label>
<label><span><?php esc_html( 'URL' ); ?></span><input<?php PodsForm::attributes( $url_attributes, $url_name, $form_field_type, $options ); ?> /></label>
</div>
<div class="alignleft">
<label><span><?php _e( 'Link Text' ); ?></span><input<?php PodsForm::attributes( $text_attributes, $text_name, $form_field_type, $options ); ?> /></label>
<label><span><?php esc_html( 'Link Text' ); ?></span><input<?php PodsForm::attributes( $text_attributes, $text_name, $form_field_type, $options ); ?> /></label>
</div>
<div class="link-target">
<label>
<div>&nbsp;</div>
<input<?php PodsForm::attributes( $target_attributes, $target_name, $form_field_type, $options ); ?> /> <?php _e( 'Open link in a new tab' ); ?>
<input<?php PodsForm::attributes( $target_attributes, $target_name, $form_field_type, $options ); ?> /> <?php esc_html_e( 'Open link in a new tab' ); ?>
</label>
</div>
</p> <br clear="both">

<?php if ( 1 == pods_v( 'link_select_existing', $options, 1 ) ) { ?>
<div class="howto link-existing-content" style="display: none;">
<a href="#" class="podsLinkPopup"><?php _e( 'Or link to existing content' ); ?></a>
<a href="#" class="podsLinkPopup"><?php esc_html_e( 'Or link to existing content' ); ?></a>
<textarea id="pods-link-editor-hidden" disabled="disabled" style="display: none;"></textarea>
</div>
<?php } ?>
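Review bot: The three replacements `esc_html( 'Enter the destination URL' )`, `esc_html( 'URL' )` and `esc_html( 'Link Text' )` are a regression: `esc_html()` returns the escaped string without echoing it, and unlike `_e()` it does not translate, so those labels will render empty. They should be `esc_html_e( ... )`, as the two later replacements in this hunk (`Open link in a new tab`, `Or link to existing content`) correctly use. Separately, none of these strings pass the `'pods'` text domain, so they were never translatable before either; adding the domain while touching the lines is cheap.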
2 changes: 1 addition & 1 deletion ui/fields/oembed.php
Expand Up @@ -26,7 +26,7 @@
$oembed_height = ( isset( $options['oembed_height'] ) ) ? (int) $options['oembed_height'] : 0;
?>
<p class="howto">
<?php _e( 'Preview', 'pods' ); ?>
<?php esc_html_e( 'Preview', 'pods' ); ?>
</p>
<input type="hidden" id="<?php echo esc_js( pods_js_name( $attributes['id'] ) ); ?>_preview_nonce" name="_nonce_pods_oembed" value="<?php echo wp_create_nonce( 'pods_field_oembed_preview' ); ?>" />
<div id="<?php echo esc_js( pods_js_name( $attributes['id'] ) ); ?>_preview" class="pods-oembed-preview">
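Review bot: `_e()` to `esc_html_e()` is the correct replacement here. For consistency with the rest of this commit, the `value="<?php echo wp_create_nonce( ... ); ?>"` on the hidden input in the context below could take `esc_attr()` as well; nonces are hex so it is harmless today, but an unescaped echo inside an attribute is exactly the pattern this commit is removing elsewhere.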
