--- a/wp-user-frontend/Lib/Appsero/License.php
+++ b/wp-user-frontend/Lib/Appsero/License.php
@@ -272,7 +272,7 @@
<div class="appsero-license-details">
<p>
- <?php printf( wp_kses_post( $this->client->__trans( 'Activate <strong>%s</strong> by your license key to get professional support and automatic update from your WordPress dashboard.' ) ), $this->client->name ); ?>
+ <?php printf( wp_kses_post( $this->client->__trans( 'Activate <strong>%s</strong> by your license key to get professional support and automatic update from your WordPress dashboard.' ) ), esc_html( $this->client->name ) ); ?>
</p>
<form method="post" novalidate="novalidate" spellcheck="false">
<input type="hidden" name="_action" value="<?php echo esc_attr( $action ); ?>">
--- a/wp-user-frontend/Lib/Gateway/Bank.php
+++ b/wp-user-frontend/Lib/Gateway/Bank.php
@@ -141,6 +141,7 @@
$msg = sprintf(
// translators: %s is displayname
__( 'Hello %s,', 'wp-user-frontend' ), $user->display_name ) . "rn";
+ // translators: %s is the payment amount
$msg .= sprintf( __( 'We have received your payment amount of %s through bank . ', 'wp-user-frontend' ), $transaction['cost'] ) . "rnrn";
$msg .= __( 'Thanks for being with us.', 'wp-user-frontend' ) . "rn";
--- a/wp-user-frontend/Lib/Gateway/Paypal.php
+++ b/wp-user-frontend/Lib/Gateway/Paypal.php
@@ -129,7 +129,7 @@
type: 'POST',
data: {
action: 'wpuf_dismiss_paypal_notice',
- nonce: '<?php echo wp_create_nonce( 'wpuf_dismiss_paypal_notice' ); ?>'
+ nonce: '<?php echo esc_js( wp_create_nonce( 'wpuf_dismiss_paypal_notice' ) ); ?>'
},
success: function(response) {
// Handle success if needed
@@ -465,7 +465,7 @@
$acknowledged = true;
} catch ( Exception $e ) {
- throw new Exception( 'Webhook processing failed: ' . $e->getMessage() );
+ throw new Exception( 'Webhook processing failed: ' . esc_html( $e->getMessage() ) );
}
// Always acknowledge to PayPal
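Review bot: The `esc_html()` added to the rethrown message escapes at the wrong layer — an exception message is not HTML output, and the new-side code in the later hunk at "Error handling subscription activation" already shows the better pattern of chaining the original exception instead. Suggest `throw new Exception( 'Webhook processing failed: ' . $e->getMessage(), 0, $e );` here for consistency, and escaping where the message is actually rendered (e.g. the `wp_die( esc_html( ... ) )` site). Pre-escaping here will also double-encode `&`/`<` if a caller later escapes again. The enclosing try/catch begins outside this hunk.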
@@ -1538,7 +1538,7 @@
exit();
}
} catch ( Exception $e ) {
- wp_die( $e->getMessage() );
+ wp_die( esc_html( $e->getMessage() ) );
}
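Review bot: Passing the raw exception message to `wp_die()` still shows whatever the gateway code put into the message to the requester; the added `esc_html()` only prevents markup injection, not information disclosure. If these messages can carry PayPal API responses or internal details (I can't tell from the hunk), consider logging the detail and dying with a generic message, e.g. `wp_die( esc_html__( 'Payment could not be processed.', 'wp-user-frontend' ) );`. The enclosing function starts outside this hunk.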
}
@@ -2082,7 +2082,7 @@
}
}
} catch ( Exception $e ) {
- throw new Exception( 'Error handling subscription activation: ' . $e->getMessage() );
+ throw new Exception( 'Error handling subscription activation: ' . $e->getMessage(), 0, $e );
}
}
}
--- a/wp-user-frontend/Lib/invisible_recaptcha.php
+++ b/wp-user-frontend/Lib/invisible_recaptcha.php
@@ -24,7 +24,7 @@
if ( $secret_key == null || $secret_key == "" ) {
die("To use reCAPTCHA you must get an API key from <a href='"
- . self::$_signupUrl . "'>" . self::$_signupUrl . "</a>");
+ . esc_url( self::$_signupUrl ) . "'>" . esc_html( self::$_signupUrl ) . "</a>");
}
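Review bot: The condition guarding the escaped `die()` still uses loose comparison, `$secret_key == null || $secret_key == ""`, so values such as `0` or `"0"` also trigger it; `if ( empty( $secret_key ) )` is the equivalent intent written plainly, or `'' === trim( (string) $secret_key )` if you want a strict check. Separately, `die()` in a class constructor terminates the whole WordPress request for any visitor when the key is unset; a `wp_die()` with the escaped message or an exception the caller can catch would be more appropriate for plugin code. The enclosing method begins outside this hunk.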
$this->config = array(
'client-key' => $site_key,
--- a/wp-user-frontend/Lib/recaptchalib.php
+++ b/wp-user-frontend/Lib/recaptchalib.php
@@ -122,9 +122,10 @@
if ( $enable_no_captcha == true ) {
- $return_var = '<div class="g-recaptcha" data-sitekey="'.$pubkey.'"></div><script src="https://www.google.com/recaptcha/api.js"></script>';
+ wp_enqueue_script( 'wpuf-recaptcha', 'https://www.google.com/recaptcha/api.js', array(), null, true );
+ $return_var = '<div class="g-recaptcha" data-sitekey="'.esc_attr($pubkey).'"></div>';
} else {
- $return_var = '<script type="text/javascript" src="'. $server . '/challenge?k=' . $pubkey . $errorpart . '"></script>';
+ $return_var = '<script src="' . esc_url( $server . '/challenge?k=' . rawurlencode( $pubkey ) . $errorpart ) . '"></script>';
}
return $return_var.'
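Review bot: In the new `else` branch only `$pubkey` is `rawurlencode()`d — `$errorpart` is concatenated into the query string verbatim before `esc_url()`, and `esc_url()` does not neutralise a stray `&name=value` if `$errorpart` can carry a caller-supplied error string (where it comes from is outside the hunk). If it is built as `'&error=' . $error`, encode it at the point it is built, e.g. `'&error=' . rawurlencode( $error )`. Also note that `wp_enqueue_script()` from inside a function that returns markup only works if it runs before `wp_footer`; if this helper can be called late (AJAX-rendered forms, for example) the v2 branch would silently emit no script.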
--- a/wp-user-frontend/Lib/recaptchalib_noCaptcha.php
+++ b/wp-user-frontend/Lib/recaptchalib_noCaptcha.php
@@ -58,7 +58,7 @@
{
if ($secret == null || $secret == "") {
die("To use reCAPTCHA you must get an API key from <a href='"
- . self::$_signupUrl . "'>" . self::$_signupUrl . "</a>");
+ . esc_url( self::$_signupUrl ) . "'>" . esc_html( self::$_signupUrl ) . "</a>");
}
$this->_secret=$secret;
}
@@ -95,35 +95,27 @@
$req = $this->_encodeQS($data);
$url = $path . $req;
- // Use curl if possible because allow_url_fopen is off in many
- // environments, making file_get_contents fail.
- if (function_exists('curl_init')) {
- $response = $this->_curl($url);
- } else {
- $response = file_get_contents($url);
+ // Use WordPress HTTP API instead of cURL
+ $response = wp_remote_get($url, array(
+ 'timeout' => 3,
+ 'sslverify' => true
+ ));
+
+ if (is_wp_error($response)) {
+ return false;
}
- return $response;
+
+ $response_code = wp_remote_retrieve_response_code($response);
+ $response_body = wp_remote_retrieve_body($response);
+
+ // Return false for non-200 responses or empty bodies
+ if ($response_code !== 200 || empty($response_body)) {
+ return false;
+ }
+
+ return $response_body;
}
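Review bot: The switch to `wp_remote_get()` keeps sending the reCAPTCHA secret in the URL query string (`$url = $path . $req`), where it ends up in proxy and server access logs; the siteverify endpoint accepts (and documents) POST, so the request body is the right place for it. With `wp_remote_post()` the `_encodeQS()` step and `$req` become unnecessary — `$data` appears to be the parameter array built before this hunk, but its exact shape is outside my view, so confirm it is a flat key/value array. The response-code/body checks added below can stay as they are.
```php
// siteverify accepts POST; keeping the secret out of the URL keeps it out of access logs
$response = wp_remote_post( $path, array(
    'timeout'   => 3,
    'sslverify' => true,
    'body'      => $data,
) );
// … unchanged: is_wp_error / response-code / empty-body checks …
```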
- private function _curl($url)
- {
- // Initiate curl.
- $c = curl_init();
- // Set timeout.
- $timeout = 3;
- curl_setopt($c, CURLOPT_CONNECTTIMEOUT, $timeout);
- curl_setopt($c, CURLOPT_RETURNTRANSFER, TRUE);
- // Set url for call.
- curl_setopt($c, CURLOPT_URL, $url);
-
- // Execute curl call.
- $response = curl_exec($c);
-
- // Close curl.
- curl_close($c);
-
- return $response;
- }
/**
* Calls the reCAPTCHA siteverify API to verify whether the user passes
--- a/wp-user-frontend/admin/form-builder/views/form-builder-v4.1.php
+++ b/wp-user-frontend/admin/form-builder/views/form-builder-v4.1.php
@@ -5,7 +5,7 @@
<div class="wpuf-bg-white wpuf-p-8 wpuf-justify-between wpuf-items-center wpuf-pb-7">
<div class="wpuf-flex wpuf-justify-between">
<div class="wpuf-flex">
- <img src="<?php echo WPUF_ASSET_URI . '/images/wpuf-icon-circle.svg'; ?>" alt="WPUF Icon" class="wpuf-mr-2">
+ <img src="<?php echo esc_url( WPUF_ASSET_URI . '/images/wpuf-icon-circle.svg' ); ?>" alt="WPUF Icon" class="wpuf-mr-2">
<nav class="wpuf-flex wpuf-items-center" aria-label="Tabs">
<div class="wpuf-relative wpuf-flex">
<div class="wpuf-flex wpuf-items-center">
@@ -56,10 +56,15 @@
if ( count( $shortcodes ) > 1 && isset( $shortcodes[0]['type'] ) ) {
foreach ( $shortcodes as $shortcode ) {
?>
+ <?php
+ // translators: %s is the shortcode type (e.g., form, post, profile)
+ $title = sprintf( __( 'Click to copy %s shortcode', 'wp-user-frontend' ), esc_attr( $shortcode['type'] ) );
+ $clipboard = sprintf( '[%s type="%s" id="%s"]', $shortcode['name'], esc_attr( $shortcode['type'] ), esc_attr( $form_id ) );
+ ?>
<span
class="form-id wpuf-group wpuf-flex wpuf-items-center wpuf-px-[18px] wpuf-py-[10px] wpuf-rounded-md wpuf-border wpuf-border-gray-300 hover:wpuf-cursor-pointer wpuf-ml-6 wpuf-text-gray-700 wpuf-text-base wpuf-leading-none wpuf-shadow-sm"
- title="<?php printf( esc_attr( __( 'Click to copy %s shortcode', 'wp-user-frontend' ) ), $shortcode['type'] ); ?>"
- data-clipboard-text="<?php printf( esc_attr( '[' . $shortcode['name'] . ' type="' . esc_attr( $shortcode['type'] ) . '" id="' . esc_attr( $form_id ) . '"]' ) ); ?>"><?php echo esc_attr( ucwords( $shortcode['type'] ) ); ?>: #{{ post.ID }}
+ title="<?php echo esc_attr( $title ); ?>"
+ data-clipboard-text="<?php echo esc_attr( $clipboard ); ?>"><?php echo esc_attr( ucwords( $shortcode['type'] ) ); ?>: #{{ post.ID }}
<span id="default-icon" class="wpuf-ml-2">
<svg
class="group-hover:wpuf-rotate-6 group-hover:wpuf-stroke-gray-500 wpuf-stroke-gray-400"
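Review bot: The new `$title` and `$clipboard` strings are escaped twice — `esc_attr()` is applied to `$shortcode['type']` and `$form_id` when they are built, and then again to the whole string at output (`title="<?php echo esc_attr( $title ); ?>"`), so an `&` or a quote in a type name would render as `&amp;amp;`/`&amp;quot;`. Escape once, at output: `$title = sprintf( __( 'Click to copy %s shortcode', 'wp-user-frontend' ), $shortcode['type'] );` and `$clipboard = sprintf( '[%s type="%s" id="%s"]', $shortcode['name'], $shortcode['type'], $form_id );`. The enclosing `foreach` is closed outside this hunk.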
@@ -106,7 +111,7 @@
</div>
<div class="wpuf-flex wpuf-space-x-4">
<a
- :href="'<?php echo get_wpuf_preview_page(); ?>?wpuf_preview=1&form_id=' + post.ID"
+ :href="'<?php echo esc_url( get_wpuf_preview_page() ); ?>?wpuf_preview=1&form_id=' + post.ID"
target="_blank"
class="wpuf-inline-flex wpuf-items-center wpuf-gap-x-3 wpuf-rounded-md wpuf-px-[18px] wpuf-py-[10px] wpuf-text-base wpuf-text-gray-700 hover:wpuf-text-gray-700 hover:wpuf-bg-gray-50 wpuf-ring-1 wpuf-ring-inset wpuf-ring-gray-300 focus:wpuf-shadow-none focus:wpuf-border-none wpuf-leading-none wpuf-shadow-sm"><?php esc_html_e( 'Preview', 'wp-user-frontend' ); ?>
<svg width="20" height="14" viewBox="0 0 20 14" fill="none" xmlns="http://www.w3.org/2000/svg">
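Review bot: The preview URL is built by appending a literal `?wpuf_preview=1&form_id=` to `get_wpuf_preview_page()`; if that helper can return a URL that already carries a query string (plain permalinks, `?page_id=N`), the second `?` produces a malformed link — I can't see the helper, so treat this as something to confirm. `add_query_arg()` handles both cases: `:href="'<?php echo esc_url( add_query_arg( 'wpuf_preview', 1, get_wpuf_preview_page() ) ); ?>&form_id=' + post.ID"`. `esc_url()` is otherwise the right call for an `href` attribute.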
@@ -176,7 +181,7 @@
</div>
</section>
</div>
- </div>
+ </div>
</div>
<div
v-show="active_tab === 'form-settings'"
--- a/wp-user-frontend/admin/form-builder/views/post-form-settings.php
+++ b/wp-user-frontend/admin/form-builder/views/post-form-settings.php
@@ -26,11 +26,11 @@
:class="active_settings_tab === 'modules'? 'wpuf-bg-primary active_settings_tab wpuf-m-0 wpuf-text-white' : ''"
class="wpuf-group/sidebar-item hover:wpuf-bg-primary hover:wpuf-cursor-pointer hover:wpuf-text-white wpuf-rounded-lg wpuf-transition-all wpuf-duration-200 wpuf-ease-in-out wpuf-items-center wpuf-w-full wpuf-m-0 wpuf-py-2 wpuf-px-3 wpuf--ml-3 wpuf-flex wpuf-text-gray-600">
<?php
- echo $icon;
+ echo wp_kses( $icon, array('span' => array('class' => array()), 'i' => array('class' => array())) );
?>
<span class="wpuf-ml-2">
<?php
- echo $label;
+ echo esc_html( $label );
?>
</span>
</h2>
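Review bot: The `wp_kses()` allowed-tags array for `$icon` is written out inline here and repeated verbatim in the next two hunks (`$icon` again and `$sub_icon`); if the allowed set ever has to grow (an `svg`, an `aria-hidden` attribute), three copies will drift. Define it once near the top of the template, e.g. `$icon_allowed_html = array( 'span' => array( 'class' => array() ), 'i' => array( 'class' => array() ) );`, and call `wp_kses( $icon, $icon_allowed_html )` at each site. The surrounding `foreach` begins outside this hunk.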
@@ -39,11 +39,11 @@
<div class="wpuf-mb-4 wpuf-flex wpuf-justify-between wpuf-items-center">
<h2 class="wpuf-text-base wpuf-text-gray-600 wpuf-m-0 wpuf-flex wpuf-items-center">
<?php
- echo $icon;
+ echo wp_kses( $icon, array('span' => array('class' => array()), 'i' => array('class' => array())) );
?>
<span class="wpuf-ml-2">
<?php
- echo $label;
+ echo esc_html( $label );
?>
</span>
</h2>
@@ -61,26 +61,26 @@
$sub_label = ! empty( $sub_menu['label'] ) ? $sub_menu['label'] : '';
?>
<li
- @click="switch_settings_menu('<?php echo $key; ?>', '<?php echo $sub_key; ?>')"
- :class="active_settings_tab === '<?php echo $sub_key; ?>' ? 'wpuf-bg-primary active_settings_tab' : ''"
+ @click="switch_settings_menu('<?php echo esc_attr( $key ); ?>', '<?php echo esc_attr( $sub_key ); ?>')"
+ :class="active_settings_tab === '<?php echo esc_attr( $sub_key ); ?>' ? 'wpuf-bg-primary active_settings_tab' : ''"
class="wpuf-group/sidebar-item wpuf-mx-2 wpuf-py-2 wpuf-px-3 hover:wpuf-bg-primary hover:wpuf-cursor-pointer wpuf-rounded-lg wpuf-transition-all wpuf-duration-200 wpuf-ease-in-out wpuf-items-center wpuf-flex wpuf-justify-between"
- data-settings="<?php echo $sub_key; ?>">
+ data-settings="<?php echo esc_attr( $sub_key ); ?>">
<a
- :class="active_settings_tab === '<?php echo $sub_key; ?>' ? 'wpuf-text-white' : 'wpuf-text-gray-600'"
+ :class="active_settings_tab === '<?php echo esc_attr( $sub_key ); ?>' ? 'wpuf-text-white' : 'wpuf-text-gray-600'"
class="wpuf-ml-2 wpuf-text-sm group-hover/sidebar-item:wpuf-text-white wpuf-transition-all wpuf-duration-200 wpuf-ease-in-out focus:wpuf-shadow-none focus:wpuf-outline-none wpuf-flex wpuf-items-center">
<?php
- echo $sub_icon;
+ echo wp_kses( $sub_icon, array('span' => array('class' => array()), 'i' => array('class' => array())) );
?>
<span class="wpuf-ml-2">
<?php
- echo $sub_label;
+ echo esc_html( $sub_label );
?>
</span>
</a>
<?php
if ( in_array( $sub_key, $badge_menus, true ) && ! wpuf_is_pro_active() ) {
?>
- <span><img src="<?php echo wpuf_get_pro_icon() ?>" alt="pro icon"></span>
+ <span><img src="<?php echo esc_url( wpuf_get_pro_icon() ) ?>" alt="pro icon"></span>
<?php
}
?>
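Review bot: `esc_attr()` is the wrong escaper for `$key`/`$sub_key` inside `@click="switch_settings_menu('…', '…')"` and the `:class` expressions — those values sit in a JavaScript string literal, and the browser decodes `&#039;` back to `'` before Vue evaluates the expression, so a quote would still terminate the string. Use `esc_js()` there (`@click="switch_settings_menu('<?php echo esc_js( $key ); ?>', '<?php echo esc_js( $sub_key ); ?>')"`); `esc_attr()` remains correct for the plain `data-settings` attribute. These keys look like internal menu identifiers rather than user input, so this is mainly about using the context-appropriate escaper.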
@@ -125,11 +125,11 @@
}
?>
<div
- class="<?php echo $class_list; ?>"
- data-settings-body="<?php echo $settings_key; ?>"
+ class="<?php echo esc_attr( $class_list ); ?>"
+ data-settings-body="<?php echo esc_attr( $settings_key ); ?>"
>
- <p class="wpuf-text-lg wpuf-font-medium wpuf-mb-3 wpuf-mt-0 wpuf-leading-none"><?php echo $section['label']; ?></p>
- <p class="wpuf-text-gray-500 wpuf-text-[13px] wpuf-leading-5 !wpuf-mb-4 !wpuf-mt-0"><?php echo $section['desc']; ?></p>
+ <p class="wpuf-text-lg wpuf-font-medium wpuf-mb-3 wpuf-mt-0 wpuf-leading-none"><?php echo esc_html( $section['label'] ); ?></p>
+ <p class="wpuf-text-gray-500 wpuf-text-[13px] wpuf-leading-5 !wpuf-mb-4 !wpuf-mt-0"><?php echo esc_html( $section['desc'] ); ?></p>
<?php
if ( ! empty( $section['fields'] ) ) {
foreach ( $section['fields'] as $field_key => $field ) {
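Review bot: Wrapping `$section['desc']` in `esc_html()` will render any markup in a section description (a `<a>` to docs, `<code>`, `<br>`) as literal text; whether these descriptions are registered with HTML is outside this hunk, so please check the settings-section definitions. If they are, `wp_kses_post( $section['desc'] )` keeps the escaping benefit while preserving safe inline markup: `<p class="…"><?php echo wp_kses_post( $section['desc'] ); ?></p>`. `esc_html()` is fine for the label.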
@@ -166,7 +166,7 @@
?>
<div
class="wpuf-settings-body wpuf--mt-6"
- data-settings-body="<?php echo $settings_key; ?>"
+ data-settings-body="<?php echo esc_attr( $settings_key ); ?>"
>
<?php
foreach ( $settings_item as $field_key => $field ) {
@@ -346,24 +346,24 @@
<input
:class="[setting_class_names('checkbox'), '!wpuf-mr-2']"
type="checkbox"
- name="<?php echo $is_pro_preview ? '' : $name; ?>"
+ name="<?php echo $is_pro_preview ? '' : esc_attr( $name ); ?>"
<?php echo esc_attr( checked( $value, 'on', false ) ); ?>
<?php echo $is_pro_preview ? 'disabled' : ''; ?>
- id="<?php echo $field_key; ?>"/>
+ id="<?php echo esc_attr( $field_key ); ?>"/>
<?php } ?>
<?php
if ( 'color-picker' === $field['type'] || 'toggle' === $field['type'] ) {
echo '<div class="wpuf-flex wpuf-items-center">';
}
?>
- <label for="<?php echo $field_key; ?>" class="wpuf-text-sm wpuf-text-gray-700 wpuf-my-2">
- <?php echo $field['label']; ?>
+ <label for="<?php echo esc_attr( $field_key ); ?>" class="wpuf-text-sm wpuf-text-gray-700 wpuf-my-2">
+ <?php echo esc_html( $field['label'] ); ?>
</label>
<?php if ( ! empty( $field['help_text'] ) ) { ?>
- <help-text text="<?php echo $field['help_text']; ?>"></help-text>
+ <help-text text="<?php echo esc_attr( $field['help_text'] ); ?>"></help-text>
<?php } ?>
<?php if ( ! empty( $field['link'] ) ) { ?>
- <a href="<?php echo $field['link']; ?>" target="_blank" title="<?php esc_attr_e( 'Learn More', 'wp-user-frontend' ); ?>" class="focus:wpuf-shadow-none">
+ <a href="<?php echo esc_url( $field['link'] ); ?>" target="_blank" title="<?php esc_attr_e( 'Learn More', 'wp-user-frontend' ); ?>" class="focus:wpuf-shadow-none">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" class="wpuf-size-5 wpuf-ml-1 wpuf-stroke-gray-50 hover:wpuf-stroke-gray-200">
<path d="M12.232 4.232a2.5 2.5 0 0 1 3.536 3.536l-1.225 1.224a.75.75 0 0 0 1.061 1.06l1.224-1.224a4 4 0 0 0-5.656-5.656l-3 3a4 4 0 0 0 .225 5.865.75.75 0 0 0 .977-1.138 2.5 2.5 0 0 1-.142-3.667l3-3Z" />
<path d="M11.603 7.963a.75.75 0 0 0-.977 1.138 2.5 2.5 0 0 1 .142 3.667l-3 3a2.5 2.5 0 0 1-3.536-3.536l1.225-1.224a.75.75 0 0 0-1.061-1.06l-1.224 1.224a4 4 0 1 0 5.656 5.656l3-3a4 4 0 0 0-.225-5.865Z" />
@@ -390,12 +390,12 @@
}
?>
<label
- for="<?php echo $field_key; ?>"
+ for="<?php echo esc_attr( $field_key ); ?>"
class="wpuf-relative wpuf-inline-flex wpuf-items-center wpuf-cursor-pointer wpuf-ml-2">
<input
type="checkbox"
- id="<?php echo $field_key; ?>"
- name="<?php echo $is_pro_preview ? '' : $name; ?>"
+ id="<?php echo esc_attr( $field_key ); ?>"
+ name="<?php echo $is_pro_preview ? '' : esc_attr( $name ); ?>"
<?php echo esc_attr( checked( $toggle_value, 'on', false ) ); ?>
<?php echo $is_pro_preview ? 'disabled' : ''; ?>
class="wpuf-sr-only wpuf-peer">
@@ -408,13 +408,17 @@
@click="$event.target.querySelector('input').click()"
class="wpuf-flex wpuf-justify-center wpuf-items-center wpuf-space-x-1 wpuf-px-2 wpuf-py-1.5 wpuf-rounded-md wpuf-bg-white wpuf-border wpuf-cursor-pointer wpuf-relative">
<div class="wpuf-w-6 wpuf-h-6 wpuf-overflow-hidden wpuf-border wpuf-border-gray-200 wpuf-rounded-full wpuf-flex wpuf-justify-center wpuf-items-center">
+ <?php
+ $sanitized_default = sanitize_hex_color( $field['default'] ) ?: '';
+ $sanitized_value = sanitize_hex_color( $value ) ?: '';
+ ?>
<input
type="color"
class="wpuf-w-8 wpuf-h-12 !wpuf-border-gray-50 !wpuf--m-4 hover:!wpuf-cursor-pointer"
- name="<?php echo $name; ?>"
- id="<?php echo $field_key; ?>"
- style="background: <?php echo $field['default']; ?>"
- value="<?php echo $value; ?>">
+ name="<?php echo esc_attr( $name ); ?>"
+ id="<?php echo esc_attr( $field_key ); ?>"
+ style="background: <?php echo esc_attr( $sanitized_default ); ?>"
+ value="<?php echo esc_attr( $sanitized_value ); ?>">
</div>
<i
@click="$event.target.closest('div').querySelector('input').click()"
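Review bot: `sanitize_hex_color()` is defined in `wp-includes/class-wp-customize-manager.php` and is only loaded when the Customizer is bootstrapped, so calling it from the form-builder settings screen can raise an undefined-function fatal error on ordinary admin requests. Either guard it with `function_exists()` or use a local check that also satisfies `<input type="color">`, which only accepts the 7-character `#rrggbb` form: `$sanitized_value = preg_match( '/^#[0-9a-fA-F]{6}$/', (string) $value ) ? $value : '';` and the same for `$field['default']`. Note that `sanitize_hex_color()` also accepts 3-digit `#abc`, which the colour input would reject.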
@@ -428,13 +432,13 @@
$value_str = is_array( $value ) ? implode( ',', $value ) : $value;
?>
<select
- id="<?php echo $field_key; ?>"
- name="<?php echo $name; ?>"
- data-value="<?php echo $value_str; ?>"
+ id="<?php echo esc_attr( $field_key ); ?>"
+ name="<?php echo esc_attr( $name ); ?>"
+ data-value="<?php echo esc_attr( $value_str ); ?>"
:class="setting_class_names('dropdown')">
<?php
foreach ( $field['options'] as $index => $option ) {
- printf( '<option data-select-value="%s" data-select-index="%s" value="%s"%s>%s</option>', $value, $index, esc_attr( $index ), esc_attr( selected( $value, $index, false ) ), esc_html( $option ) );
+ printf( '<option data-select-value="%s" data-select-index="%s" value="%s"%s>%s</option>', esc_attr( $value_str ), esc_attr( $index ), esc_attr( $index ), esc_attr( selected( $value, $index, false ) ), esc_html( $option ) );
}
?>
</select>
@@ -444,9 +448,9 @@
$value_str = is_array( $value ) ? implode( ',', $value ) : $value;
?>
<select
- id="<?php echo $field_key; ?>"
- name="<?php echo $name; ?>[]"
- data-value="<?php echo $value_str; ?>"
+ id="<?php echo esc_attr( $field_key ); ?>"
+ name="<?php echo esc_attr( $name ); ?>[]"
+ data-value="<?php echo esc_attr( $value_str ); ?>"
:class="setting_class_names('dropdown')"
multiple
>
@@ -457,7 +461,7 @@
$selected = in_array( $index, $value ) ? 'selected' : '';
printf(
- '<option value="%s" %s>%s</option>', esc_attr( $index ), $selected, esc_html( $option )
+ '<option value="%s" %s>%s</option>', esc_attr( $index ), esc_attr( $selected ), esc_html( $option )
);
} else {
printf(
@@ -473,12 +477,12 @@
?>
<input
:class="setting_class_names('text')"
- type="<?php echo $field['type']; ?>"
- name="<?php echo $is_pro_preview ? '' : $name; ?>"
- <?php echo ! empty( $field['placeholder'] ) ? 'placeholder=' . $field['placeholder'] : ''; ?>
+ type="<?php echo esc_attr( $field['type'] ); ?>"
+ name="<?php echo $is_pro_preview ? '' : esc_attr( $name ); ?>"
+ <?php echo ! empty( $field['placeholder'] ) ? 'placeholder="' . esc_attr( $field['placeholder'] ) . '"' : ''; ?>
<?php echo $is_pro_preview ? 'disabled' : ''; ?>
- id="<?php echo $field_key; ?>"
- value="<?php echo $value; ?>"/>
+ id="<?php echo esc_attr( $field_key ); ?>"
+ value="<?php echo esc_attr( $value ); ?>"/>
<?php } ?>
<?php
if ( 'textarea' === $field['type'] ) {
@@ -487,15 +491,15 @@
<textarea
:class="setting_class_names('textarea')"
rows="6"
- name="<?php echo $is_pro_preview ? '' : $name; ?>"
+ name="<?php echo $is_pro_preview ? '' : esc_attr( $name ); ?>"
<?php echo $is_pro_preview ? 'disabled' : ''; ?>
- id="<?php echo $field_key; ?>"><?php echo $value; ?></textarea>
+ id="<?php echo esc_attr( $field_key ); ?>"><?php echo esc_textarea( $value ); ?></textarea>
<?php } ?>
<?php
if ( 'pic-radio' === $field['type'] ) {
?>
- <div class="wpuf-grid wpuf-grid-cols-4 wpuf-pic-radio" id="<?php echo $field_key; ?>">
+ <div class="wpuf-grid wpuf-grid-cols-4 wpuf-pic-radio" id="<?php echo esc_attr( $field_key ); ?>">
<?php
foreach ( $field['options'] as $key => $option ) {
?>
@@ -503,22 +507,22 @@
<label>
<input
type="radio"
- name="<?php echo $name; ?>"
- value="<?php echo $key; ?>"
+ name="<?php echo esc_attr( $name ); ?>"
+ value="<?php echo esc_attr( $key ); ?>"
<?php echo esc_attr( checked( $value, $key, false ) ); ?>
class="wpuf-absolute wpuf-opacity-0 wpuf-peer">
<img
class="wpuf-absolute wpuf-opacity-0 peer-checked:wpuf-opacity-100 wpuf-top-[7%] wpuf-right-[12%] wpuf-transition-all wpuf-duration-200 wpuf-ease-in-out"
src="<?php echo esc_attr( WPUF_ASSET_URI . '/images/checked-green.svg' ); ?>" alt="">
<img
- src="<?php echo $option['image']; ?>"
- alt="<?php echo $key; ?>"
+ src="<?php echo esc_url( $option['image'] ); ?>"
+ alt="<?php echo esc_attr( $key ); ?>"
class="hover:wpuf-cursor-pointer wpuf-border-transparent wpuf-border-2 wpuf-border-solid wpuf-rounded-lg hover:wpuf-border-primary peer-checked:wpuf-border-primary wpuf-transition-all wpuf-duration-200 wpuf-ease-in-out wpuf-mb-2 wpuf-w-full">
</label>
<label
- for="<?php echo $field_key; ?>"
+ for="<?php echo esc_attr( $field_key ); ?>"
class="wpuf-mr-2 wpuf-text-sm wpuf-text-gray-700">
- <?php echo $option['label']; ?>
+ <?php echo esc_html( $option['label'] ); ?>
</div>
<?php
}
@@ -533,14 +537,14 @@
?>
<div class="wpuf-relative">
<input
- :class="setting_class_names('<?php echo $field['trailing_type']; ?>')"
- type="<?php echo $field['trailing_type']; ?>"
- name="<?php echo $name; ?>"
- id="<?php echo $field_key; ?>"
- value="<?php echo $value; ?>"/>
+ :class="setting_class_names('<?php echo esc_attr( $field['trailing_type'] ); ?>')"
+ type="<?php echo esc_attr( $field['trailing_type'] ); ?>"
+ name="<?php echo esc_attr( $name ); ?>"
+ id="<?php echo esc_attr( $field_key ); ?>"
+ value="<?php echo esc_attr( $value ); ?>"/>
<span
class="wpuf-absolute wpuf-top-0 wpuf--right-px wpuf-h-full wpuf-bg-gray-50 wpuf-rounded-r-[6px] wpuf-text-gray-700 wpuf-border wpuf-border-gray-300 wpuf-text-base wpuf-py-[7px] wpuf-px-[15px]">
- <?php echo $field['trailing_text']; ?>
+ <?php echo esc_html( $field['trailing_text'] ); ?>
</span>
</div>
<?php
@@ -552,9 +556,9 @@
:class="setting_class_names('text')"
class="datepicker"
type="text"
- name="<?php echo $name; ?>"
- id="<?php echo $field_key; ?>"
- value="<?php echo $value; ?>"/>
+ name="<?php echo esc_attr( $name ); ?>"
+ id="<?php echo esc_attr( $field_key ); ?>"
+ value="<?php echo esc_attr( $value ); ?>"/>
<?php
}
@@ -575,7 +579,7 @@
if ( ! empty( $field['notice'] ) ) {
?>
<div class="wpuf-bg-yellow-50 wpuf-border-l-4 wpuf-border-yellow-500 wpuf-text-yellow-700 wpuf-p-4">
- <p class="wpuf-m-0"><?php echo $field['notice']['text']; ?></p>
+ <p class="wpuf-m-0"><?php echo esc_html( $field['notice']['text'] ); ?></p>
</div>
<?php
@@ -612,11 +616,11 @@
++$index_counter;
?>
<div
- class="<?php echo $classes; ?>">
+ class="<?php echo esc_attr( $classes ); ?>">
<label
- for="<?php echo $inner_field_key; ?>"
+ for="<?php echo esc_attr( $inner_field_key ); ?>"
class="wpuf-text-sm wpuf-text-gray-700 wpuf-my-2">
- <?php echo $inner_field['label']; ?>
+ <?php echo esc_html( $inner_field['label'] ); ?>
</label>
<?php
if ( 'text' === $inner_field['type'] || 'number' === $inner_field['type'] ) {
@@ -624,11 +628,11 @@
<input
:class="setting_class_names('text')"
class="!wpuf-mt-2"
- type="<?php echo $inner_field['type']; ?>"
- name="wpuf_settings[<?php echo $inner_field_key; ?>]"
- <?php echo ! empty( $inner_field['placeholder'] ) ? 'placeholder=' . $inner_field['placeholder'] : ''; ?>
- id="<?php echo $inner_field_key; ?>"
- value="<?php echo $value; ?>"/>
+ type="<?php echo esc_attr( $inner_field['type'] ); ?>"
+ name="wpuf_settings[<?php echo esc_attr( $inner_field_key ); ?>]"
+ <?php echo ! empty( $inner_field['placeholder'] ) ? 'placeholder="' . esc_attr( $inner_field['placeholder'] ) . '"' : ''; ?>
+ id="<?php echo esc_attr( $inner_field_key ); ?>"
+ value="<?php echo esc_attr( $value ); ?>"/>
<?php
}
@@ -638,9 +642,9 @@
:class="setting_class_names('text')"
class="datepicker !wpuf-mt-2"
type="text"
- name="wpuf_settings[<?php echo $inner_field_key; ?>]"
- id="<?php echo $inner_field_key; ?>"
- value="<?php echo $value; ?>"/>
+ name="wpuf_settings[<?php echo esc_attr( $inner_field_key ); ?>]"
+ id="<?php echo esc_attr( $inner_field_key ); ?>"
+ value="<?php echo esc_attr( $value ); ?>"/>
<?php
}
@@ -648,14 +652,14 @@
$value_str = is_array( $value ) ? implode( ',', $value ) : $value;
?>
<select
- id="<?php echo $inner_field_key; ?>"
- name="<?php echo $inner_field_key; ?>"
- data-value="<?php echo $value_str; ?>"
+ id="<?php echo esc_attr( $inner_field_key ); ?>"
+ name="wpuf_settings[<?php echo esc_attr( $inner_field_key ); ?>]"
+ data-value="<?php echo esc_attr( $value_str ); ?>"
class="!wpuf-mt-2"
:class="setting_class_names('dropdown')">
<?php
foreach ( $inner_field['options'] as $index => $option ) {
- printf( '<option data-select-value="%s" data-select-index="%s" value="%s"%s>%s</option>', $value, $index, esc_attr( $index ), esc_attr( selected( $value, $index, false ) ), esc_html( $option ) );
+ printf( '<option data-select-value="%s" data-select-index="%s" value="%s"%s>%s</option>', esc_attr( $value_str ), esc_attr( $index ), esc_attr( $index ), esc_attr( selected( $value, $index, false ) ), esc_html( $option ) );
}
?>
</select>
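Review bot: Besides escaping, this hunk changes the select's `name` from `$inner_field_key` to `wpuf_settings[<?php echo esc_attr( $inner_field_key ); ?>]`, which moves the value to a different POST key; that is consistent with the sibling text and date inputs, but it is a behavioural change that the commit does not call out. Confirm the settings save handler reads this field from `wpuf_settings[...]`, and add a short comment such as `// nested settings post under wpuf_settings[] like the other inner fields` so the next reader does not "fix" it back. The enclosing `foreach` closes outside this hunk.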
--- a/wp-user-frontend/assets/js-templates/form-components.php
+++ b/wp-user-frontend/assets/js-templates/form-components.php
@@ -93,7 +93,7 @@
<script type="text/x-template" id="tmpl-wpuf-builder-stage-v4-1">
<div id="form-preview-stage" class="wpuf-h-[70vh]">
<div v-if="!form_fields.length" class="wpuf-flex wpuf-flex-col wpuf-items-center wpuf-justify-center wpuf-h-[80vh]">
- <img src="<?php echo WPUF_ASSET_URI . '/images/form-blank-state.svg'; ?>" alt="">
+ <img src="<?php echo esc_url( WPUF_ASSET_URI . '/images/form-blank-state.svg' ); ?>" alt="">
<h2 class="wpuf-text-lg wpuf-text-gray-800 wpuf-mt-8 wpuf-mb-2"><?php esc_html_e( 'Add fields and build your desired form', 'wp-user-frontend' ); ?></h2>
<p class="wpuf-text-sm wpuf-text-gray-500"><?php esc_html_e( 'Add the necessary field and build your form.', 'wp-user-frontend' ); ?></p>
@@ -111,13 +111,13 @@
field.width ? 'field-size-' + field.width : '',
('custom_hidden_field' === field.template) ? 'hidden-field' : ''
]"
- class="wpuf-group wpuf-rounded-lg hover:!wpuf-bg-green-50 wpuf-transition wpuf-duration-150 wpuf-ease-out !wpuf-m-0 !wpuf-p-0">
+ class="wpuf-group wpuf-rounded-lg hover:!wpuf-bg-green-50 wpuf-transition wpuf-duration-150 wpuf-ease-out !wpuf-m-0 !wpuf-p-0 wpuf-overflow-hidden">
<div
v-if="field.input_type !== 'column_field' && field.input_type !== 'repeat'"
:class="parseInt(editing_form_id) === parseInt(field.id) ? 'wpuf-bg-green-50 wpuf-border-green-400' : 'wpuf-border-transparent'"
class="wpuf-flex wpuf-justify-between wpuf-p-6 wpuf-rounded-t-md wpuf-border-t wpuf-border-r wpuf-border-l wpuf-border-dashed group-hover:wpuf-border-green-400 group-hover:wpuf-cursor-pointer !wpuf-pb-3">
<div v-if="!(is_full_width(field.template) || is_pro_preview(field.template))" class="wpuf-w-1/4 wpuf-flex wpuf-items-center">
- <span v-if="field.show_icon === 'yes' && field.field_icon && field.icon_position === 'left_label'"
+ <span v-if="field.show_icon === 'yes' && field.field_icon && field.icon_position === 'left_label'"
class="wpuf-field-label-icon wpuf-inline-flex wpuf-items-center wpuf-mr-1">
<i :class="[field.field_icon, 'wpuf-field-icon']"></i>
</span>
@@ -128,7 +128,7 @@
{{ field.label }} <span v-if="field.required && 'yes' === field.required"
class="required">*</span>
</label>
- <span v-if="field.show_icon === 'yes' && field.field_icon && field.icon_position === 'right_label'"
+ <span v-if="field.show_icon === 'yes' && field.field_icon && field.icon_position === 'right_label'"
class="wpuf-field-label-icon wpuf-inline-flex wpuf-items-center wpuf-ml-2">
<i :class="[field.field_icon, 'wpuf-field-icon']"></i>
</span>
@@ -146,7 +146,7 @@
<label class="wpuf-pro-text-alert">
<a :href="pro_link" target="_blank"
class="wpuf-text-gray-700 wpuf-text-base"><strong>{{ get_field_name( field.template )
- }}</strong> <?php _e( 'is available in Pro Version', 'wp-user-frontend' ); ?></a>
+ }}</strong> <?php esc_html_e( 'is available in Pro Version', 'wp-user-frontend' ); ?></a>
</label>
</div>
</div>
@@ -208,7 +208,7 @@
:href="pro_link"
target="_blank"
class="wpuf-rounded-r-md hover:wpuf-bg-slate-500 hover:wpuf-cursor-pointer wpuf-transition wpuf-duration-150 wpuf-ease-out hover:wpuf-transition-all">
- <img src="<?php esc_attr_e( WPUF_ASSET_URI . '/images/pro-badge.svg' ); ?>" alt="">
+ <img src="<?php echo esc_url( WPUF_ASSET_URI . '/images/pro-badge.svg' ); ?>" alt="">
</a>
</span>
</div>
@@ -410,7 +410,10 @@
</div>
<div class="wpuf-mt-4">
- <span class="wpuf-text-[14px] wpuf-text-gray-700 wpuf-font-medium"><?php esc_attr_e( 'Label & Values', 'wp-user-frontend' ); ?></span>
+ <div class="wpuf-flex wpuf-items-center wpuf-justify-between wpuf-mb-2">
+ <span class="wpuf-text-[14px] wpuf-text-gray-700 wpuf-font-medium"><?php esc_attr_e( 'Label & Values', 'wp-user-frontend' ); ?></span>
+ <?php do_action( 'wpuf_field_option_data_actions' ); ?>
+ </div>
<table class="option-field-option-chooser">
<tbody>
<tr
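Review bot: The re-added `<span>…<?php esc_attr_e( 'Label & Values', 'wp-user-frontend' ); ?></span>` uses the attribute escaper for element text content; `esc_html_e()` is the context-appropriate function and is what the rest of this template uses for text. Suggest `<?php esc_html_e( 'Label & Values', 'wp-user-frontend' ); ?>`. The new `wpuf_field_option_data_actions` hook is fine, though a one-line doc comment saying what it is expected to output (markup inside a flex row) would help extension authors.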
@@ -492,6 +495,7 @@
@click.prevent="clear_selection">
<?php esc_attr_e( 'Clear Selection', 'wp-user-frontend' ); ?>
</a>
+ <?php do_action( 'wpuf_field_option_data_after' ); ?>
</div>
</script>
@@ -501,7 +505,7 @@
<label
class="wpuf-pro-text-alert wpuf-ml-2 wpuf-tooltip-top"
data-tip="<?php esc_attr_e( 'Available in PRO version', 'wp-user-frontend' ); ?>">
- <a :href="pro_link" target="_blank"><img src="<?php echo wpuf_get_pro_icon() ?>" alt="pro icon"></a>
+ <a :href="pro_link" target="_blank"><img src="<?php echo esc_url( wpuf_get_pro_icon() ) ?>" alt="pro icon"></a>
</label>
</div>
</script>
@@ -509,9 +513,7 @@
<script type="text/x-template" id="tmpl-wpuf-field-options">
<div class="wpuf-form-builder-field-options">
<div v-if="!parseInt(editing_field_id)" class="options-fileds-section text-center">
- <p>
- <span class="loader"></span>
- </p>
+ <p class="wpuf-text-gray-500 wpuf-text-lg wpuf-font-medium">{{ i18n.empty_field_options_msg }}</p>
</div>
<div v-else>
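Review bot: The placeholder now renders `{{ i18n.empty_field_options_msg }}`, which is empty unless that key is added to the localized `i18n` array on the PHP side; the `Admin_Form_Builder.php` section of this diff is cut off in my view, so I cannot confirm it was added. If it was not, the panel will show a blank paragraph rather than the old loader. A `// i18n.empty_field_options_msg is supplied by Admin_Form_Builder::i18n()` comment next to the template would make the coupling visible.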
@@ -583,7 +585,6 @@
class="wpuf-block text-sm/6 wpuf-font-medium wpuf-text-gray-900 !wpuf-mb-0">
<input
type="radio"
- :name="'radio_' + editing_form_field.id + '_' + option_field.name"
:value="key"
v-model="value"
:class="builder_class_names('radio')">
@@ -599,7 +600,6 @@
<label class="!wpuf-mb-0">
<input
type="radio"
- :name="'radio_' + editing_form_field.id + '_' + option_field.name"
:value="key"
v-model="value"
:class="builder_class_names('radio')">
@@ -1027,7 +1027,7 @@
:href="pro_link"
target="_blank"
class="wpuf-rounded-r-md hover:wpuf-bg-slate-500 hover:wpuf-cursor-pointer wpuf-transition wpuf-duration-150 wpuf-ease-out hover:wpuf-transition-all">
- <img src="<?php esc_attr_e( WPUF_ASSET_URI . '/images/pro-badge.svg' ); ?>" alt="">
+ <img src="<?php echo esc_attr( WPUF_ASSET_URI . '/images/pro-badge.svg' ); ?>" alt="">
</a>
</span>
</div>
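Review bot: This `src` is escaped with `esc_attr()` while the identical pro-badge `src` earlier in this file (around the `pro_link` anchor) was changed to `esc_url()` in the same commit, and the following hunk repeats the `esc_attr()` form. `esc_url()` is the right escaper for a URL attribute; use `<img src="<?php echo esc_url( WPUF_ASSET_URI . '/images/pro-badge.svg' ); ?>" alt="">` in both places so the three sites agree.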
@@ -1236,7 +1236,7 @@
</div>
<div
class="wpuf-absolute wpuf-top-4 wpuf-right-4 wpuf-opacity-0 group-hover/pro-field:wpuf-opacity-100 wpuf-transition-all">
- <img src="<?php esc_attr_e( WPUF_ASSET_URI . '/images/pro-badge.svg' ); ?>" alt="">
+ <img src="<?php echo esc_attr( WPUF_ASSET_URI . '/images/pro-badge.svg' ); ?>" alt="">
</div>
</div>
<div
--- a/wp-user-frontend/class/render-form.php
+++ b/wp-user-frontend/class/render-form.php
@@ -1761,7 +1761,7 @@
}
if ( $enable_invisible_recaptcha ) { ?>
- <script src="https://www.google.com/recaptcha/api.js?onload=wpufreCaptchaLoaded&render=explicit&hl=en" async defer></script>
+ <?php wp_enqueue_script( 'wpuf-recaptcha-invisible', 'https://www.google.com/recaptcha/api.js?onload=wpufreCaptchaLoaded&render=explicit&hl=en', array(), null, true ); ?>
<script>
jQuery(document).ready(function($) {
jQuery('[name="submit"]').removeClass('wpuf-submit-button').addClass('g-recaptcha').attr('data-sitekey', '<?php echo esc_html( wpuf_get_option( 'recaptcha_public', 'wpuf_general' ) ); ?>');
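Review bot: The removed tag carried `async defer`; `wp_enqueue_script()` with the positional `true` prints a plain `<script>` in the footer and drops both attributes, so the reCAPTCHA loader now blocks parsing there. On WordPress 6.3+ pass `array( 'in_footer' => true, 'strategy' => 'defer' )` as the last argument (older versions need a `script_loader_tag` filter). Separately, the site key on the next line is written into a single-quoted JS string with `esc_html()`; `esc_js()` is the correct escaper in that context: `.attr('data-sitekey', '<?php echo esc_js( wpuf_get_option( 'recaptcha_public', 'wpuf_general' ) ); ?>')`.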
--- a/wp-user-frontend/class/subscription.php
+++ b/wp-user-frontend/class/subscription.php
@@ -55,16 +55,10 @@
public static function subscriber_cancel( $user_id, $pack_id ) {
global $wpdb;
- $sql = $wpdb->prepare(
+ $result = $wpdb->get_row( $wpdb->prepare(
'SELECT transaction_id FROM ' . $wpdb->prefix . 'wpuf_transaction
WHERE user_id = %d AND pack_id = %d LIMIT 1', $user_id, $pack_id
- );
- $result = $wpdb->get_row(
- $wpdb->prepare(
- 'SELECT transaction_id FROM ' . $wpdb->prefix . 'wpuf_transaction
- WHERE user_id = %d AND pack_id = %d LIMIT 1', $user_id, $pack_id
- )
- );
+ ) );
$transaction_id = $result ? $result->transaction_id : 0;
@@ -752,19 +746,11 @@
global $wpdb;
//$post = get_post( $post_id );
- $sql = $wpdb->prepare(
+ return $wpdb->get_row( $wpdb->prepare(
"SELECT p.ID, p.post_status
FROM $wpdb->posts p, $wpdb->postmeta m
WHERE p.ID = m.post_id AND p.post_status <> 'publish' AND m.meta_key = '_wpuf_order_id' AND m.meta_value = %s", $order_id
- );
-
- return $wpdb->get_row(
- $wpdb->prepare(
- "SELECT p.ID, p.post_status
- FROM $wpdb->posts p, $wpdb->postmeta m
- WHERE p.ID = m.post_id AND p.post_status <> 'publish' AND m.meta_key = '_wpuf_order_id' AND m.meta_value = %s", $order_id
- )
- );
+ ) );
}
/**
@@ -898,9 +884,11 @@
$payment_gateway = $payment_gateway ? strtolower( $payment_gateway ) : '';
?>
- <?php echo wp_kses_post( __( '<p><i>You have a subscription pack activated. </i></p>', 'wp-user-frontend' ) ); ?>
- <?php /* translators: %s: pack title */ ?>
- <?php printf( wp_kses_post( __( '<p><i>Pack name: %s </i></p>', 'wp-user-frontend' ) ), esc_html( get_the_title( $current_pack['pack_id'] ) ) ); ?>
+ <p><i><?php esc_html_e( 'You have a subscription pack activated.', 'wp-user-frontend' ); ?></i></p>
+ <p><i><?php
+ // translators: %s: pack title
+ printf( esc_html__( 'Pack name: %s', 'wp-user-frontend' ), esc_html( get_the_title( $current_pack['pack_id'] ) ) );
+ ?></i></p>
<?php echo '<p><i>' . esc_html__( 'To cancel the pack, press the following cancel button', 'wp-user-frontend' ) . '</i></p>'; ?>
--- a/wp-user-frontend/includes/Admin/Forms/Admin_Form.php
+++ b/wp-user-frontend/includes/Admin/Forms/Admin_Form.php
@@ -394,19 +394,17 @@
public function i18n( $i18n ) {
return array_merge( $i18n, [
'any_of_three_needed' =>
- __(
- sprintf(
- '%sSome required fields are missing. Please include a %sTitle%s, %sBody%s, or %sExcerpt%s to continue.%s',
- '<p class="!wpuf-m-0 wpuf-text-xl wpuf-text-gray-500">',
- '<span class="wpuf-font-semibold">',
- '</span>',
- '<span class="wpuf-font-semibold">',
- '</span>',
- '<span class="wpuf-font-semibold">',
- '</span>',
- '</p>'
- ),
- 'wp-user-frontend'
+ sprintf(
+ // translators: %1$s, %2$s, %3$s, %4$s, %5$s, %6$s, %7$s, %8$s are HTML markup for styling
+ __( '%1$sSome required fields are missing. Please include a %2$sTitle%3$s, %4$sBody%5$s, or %6$sExcerpt%7$s to continue.%8$s', 'wp-user-frontend' ),
+ '<p class="!wpuf-m-0 wpuf-text-xl wpuf-text-gray-500">',
+ '<span class="wpuf-font-semibold">',
+ '</span>',
+ '<span class="wpuf-font-semibold">',
+ '</span>',
+ '<span class="wpuf-font-semibold">',
+ '</span>',
+ '</p>'
)
] );
}
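Review bot: The localized message built at L754-765 is handed to the admin JS as raw markup, and moving the markup into sprintf() arguments so the translatable string at L756 carries only placeholders is the right i18n shape; since a translation catalogue can still return arbitrary text into those positions, consider running the final string through `wp_kses( $msg, [ 'p' => [ 'class' => [] ], 'span' => [ 'class' => [] ] ] )` before returning it so only the intended tags reach the browser. How the JS side inserts the string (innerHTML or text) is not visible here, so treat this as hardening rather than a confirmed issue.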
--- a/wp-user-frontend/includes/Admin/Forms/Admin_Form_Builder.php
+++ b/wp-user-frontend/includes/Admin/Forms/Admin_Form_Builder.php
@@ -337,15 +337,16 @@
'column' => __( 'Column', 'wp-user-frontend' ),
'last_column_warn_msg' => __( 'This field must contain at least one column', 'wp-user-frontend' ),
'is_a_pro_feature' => __( 'is a pro feature', 'wp-user-frontend' ),
- 'pro_feature_msg' => __(
- '<p class="wpuf-text-gray-500 wpuf-font-medium wpuf-text-xl">Please upgrade to the Pro version to unlock all these awesome features</p>',
+ 'pro_feature_msg' => '<p class="wpuf-text-gray-500 wpuf-font-medium wpuf-text-xl">' . __(
+ 'Please upgrade to the Pro version to unlock all these awesome features',
'wp-user-frontend'
- ),
+ ) . '</p>',
'upgrade_to_pro' => __( 'Upgrade to PRO', 'wp-user-frontend' ),
'select' => __( 'Select', 'wp-user-frontend' ),
'saved_form_data' => __( 'Saved form data', 'wp-user-frontend' ),
'unsaved_changes' => __( 'You have unsaved changes.', 'wp-user-frontend' ),
'copy_shortcode' => __( 'Click to copy shortcode', 'wp-user-frontend' ),
+ 'empty_field_options_msg' => __( 'To view field options, please start adding fields in the builder', 'wp-user-frontend' ),
'pro_field_message' => $field_messages,
]
);
--- a/wp-user-frontend/includes/Admin/List_Table_Subscribers.php
+++ b/wp-user-frontend/includes/Admin/List_Table_Subscribers.php
@@ -15,6 +15,18 @@
class List_Table_Subscribers extends WP_List_Table {
protected $page_status;
+ /**
+ * Verify nonce for admin actions
+ *
+ * @return bool
+ */
+ private function verify_nonce() {
+ if ( ! isset( $_REQUEST['_wpnonce'] ) ) {
+ return false;
+ }
+ return wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ), 'wpuf_subscribers_list' );
+ }
+
public function __construct() {
parent::__construct(
[
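Review bot: `verify_nonce()` (L800-805) is only ever used for logging: every caller added in this change ignores the boolean and carries on, so the method protects nothing and reads as a sniff-appeasing placeholder. A nonce is a CSRF token for state-changing requests; for a read-only list table the meaningful guard is a capability check, and none is visible in this file section — either add `if ( ! current_user_can( 'manage_options' ) ) { wp_die( esc_html__( 'Unauthorized', 'wp-user-frontend' ) ); }` (or whatever capability the page already requires) in the caller, or document that the list is read-only and drop the no-op nonce calls. If a nonce is kept, the links that drive this table must carry it via `wp_nonce_url( $url, 'wpuf_subscribers_list' )`, which none of the visible code does.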
@@ -119,6 +131,13 @@
* @return string
*/
public function column_cb( $item ) {
+ // Verify nonce for security
+ if ( ! $this->verify_nonce() ) {
+ if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+ error_log( 'WPUF Subscribers: Nonce verification failed for column_cb function' );
+ }
+ }
+
$post_ID = isset( $_REQUEST['post_ID'] ) ? intval( wp_unslash( $_REQUEST['post_ID'] ) ) : 0;
return sprintf(
'<input type="checkbox" name="subscriber_id[]" value="%d" />', $post_ID
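Review bot: `column_cb()` runs once per row, so the failed-nonce `error_log()` at L815-819 fires for every subscriber in the table on any request that lacks the nonce — and the nonce is not added to any link in this change. Either drop the check here (the checkbox is pure output) or move it to `prepare_items()` so it logs once per request. Separately, the checkbox value on L823 is the `post_ID` request parameter rather than the row's own id, so every row submits the same `subscriber_id[]`; that predates this change but is worth fixing alongside it, e.g. `$item->id` if that is the subscribers table key.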
@@ -131,6 +150,13 @@
* @return array
*/
public function get_views() {
+ // Verify nonce for security
+ if ( ! $this->verify_nonce() ) {
+ if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+ error_log( 'WPUF Subscribers: Nonce verification failed for get_views function' );
+ }
+ }
+
$status_links = [];
$post_ID = isset( $_REQUEST['post_ID'] ) ? intval( wp_unslash( $_REQUEST['post_ID'] ) ) : 0;
$base_link = admin_url( 'admin.php?page=wpuf_subscribers&pack=' . $post_ID );
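Review bot: `get_views()` builds `$base_link` on L837 without `wp_nonce_url()`, so every view link it generates will itself fail the `verify_nonce()` call added on L829 and emit the WP_DEBUG log line on L831 — the check is guaranteed to fail for the table's own navigation. Either wrap the link as `wp_nonce_url( $base_link, 'wpuf_subscribers_list' )` when emitting the views, or remove the check from this read-only method. get_views() continues past the end of this hunk.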
@@ -156,6 +182,13 @@
public function prepare_items() {
global $wpdb;
+ // Verify nonce for security
+ if ( ! $this->verify_nonce() ) {
+ if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+ error_log( 'WPUF Subscribers: Nonce verification failed for prepare_items function' );
+ }
+ }
+
$columns = $this->get_columns();
$hidden = [];
$sortable = $this->get_sortable_columns();
@@ -177,33 +210,67 @@
$args['order'] = sanitize_text_field( wp_unslash( $_REQUEST['order'] ) );
}
- // start with a fresh query
- $sql = 'SELECT * FROM ' . $wpdb->prefix . 'wpuf_subscribers';
- $where_clauses = [];
+ // Build the query with proper placeholders
+ $base_sql = 'SELECT * FROM ' . $wpdb->prefix . 'wpuf_subscribers';
$prepare_values = [];
+ $where_clause = '';
// Add conditional WHERE clauses if params exist
- if ( ! empty( $_REQUEST['post_ID'] ) ) {
- $where_clauses[] = 'subscribtion_id = %d';
- $prepare_values[] = intval( sanitize_text_field( wp_unslash( $_REQUEST['post_ID'] ) ) );
+ $post_id = ! empty( $_REQUEST['post_ID'] ) ? intval( sanitize_text_field( wp_unslash( $_REQUEST['post_ID'] ) ) ) : '';
+ $status = ! empty( $_REQUEST['status'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['status'] ) ) : '';
+
+ if ( $post_id && $status ) {
+ $where_clause = ' WHERE subscribtion_id = %d AND subscribtion_status = %s';
+ $prepare_values = [ $post_id, $status ];
+ } elseif ( $post_id ) {
+ $where_clause = ' WHERE subscribtion_id = %d';
+ $prepare_values = [ $post_id ];
+ } elseif ( $status ) {
+ $where_clause = ' WHERE subscribtion_status = %s';
+ $prepare_values = [ $status ];
}
- if ( ! empty( $_REQUEST['status'] ) ) {
- $where_clauses[] = 'subscribtion_status = %d';
- $prepare_values[] = sanitize_key( wp_unslash( $_REQUEST['status'] ) );
+ // Get total count for pagination
+ $count_sql = 'SELECT COUNT(*) FROM ' . $wpdb->prefix . 'wpuf_subscribers' . $where_clause;
+
+ if ( ! empty( $prepare_values ) ) {
+ $total_items = (int) $wpdb->get_var( $wpdb->prepare( $count_sql, ...$prepare_values ) );
+ } else {
+ $total_items = (int) $wpdb->get_var( $count_sql );
}
- // Combine WHERE clauses if any exist
- if ( ! empty( $where_clauses ) ) {
- $sql .= ' WHERE ' . implode( ' AND ', $where_clauses );
+ // Build ORDER BY clause with whitelisted columns
+ $order_by = 'id';
+ $order = 'DESC';
+
+ if ( ! empty( $args['orderby'] ) ) {
+ $allowed_cols = [ 'id', 'user_id', 'subscribtion_id', 'subscribtion_status', 'starts_from', 'expire' ];
+ $candidate = sanitize_key( $args['orderby'] );
+
+ if ( in_array( $candidate, $allowed_cols, true ) ) {
+ $order_by = $candidate;
+ }
}
- // Prepare and execute the query safely
- $prepared_query = $wpdb->prepare( $sql, $prepare_values );
- $this->items = $wpdb->get_results( $prepared_query );
+ if ( ! empty( $args['order'] ) && in_array( strtoupper( $args['order'] ), [ 'ASC', 'DESC' ], true ) ) {
+ $order = strtoupper( $args['order'] );
+ }
+
+ // Build final query with ORDER BY, LIMIT, and OFFSET
+ $sql = $base_sql . $where_clause . " ORDER BY {$order_by} {$order} LIMIT %d OFFSET %d";
+ $prepare_values[] = (int) $per_page;
+ $prepare_values[] = (int) $offset;
+
+ // Execute the paginated query
+ if ( ! empty( $prepare_values ) ) {
+ $this->items = $wpdb->get_results( $wpdb->prepare( $sql, ...$prepare_values ) );
+ } else {
+ // This should not happen as we always have LIMIT and OFFSET
+ $this->items = [];
+ }
$this->set_pagination_args( [
- 'total_items' => count( $this->items ),
+ 'total_items' => $total_items,
'per_page' => $per_page,
] );
}
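Review bot: The `else` branch at L919-921 is unreachable: `$prepare_values` always receives LIMIT and OFFSET on L913-914, so the comment's own "should not happen" is a certainty and the branch should be deleted. The rest of the rewrite is an improvement — `subscribtion_status` is now bound with `%s` instead of the old `%d`, ORDER BY is whitelisted, and `total_items` comes from a COUNT rather than the page size. Two smaller items: `$status` is accepted as any string, so comparing it against the known subscription statuses before querying would keep arbitrary values out of the view; and the interpolated `{$order_by} {$order}` on L912 deserves a one-line comment such as `// $order_by and $order are restricted to the whitelists above` so a future reader does not mistake it for an injection point. `$per_page` and `$offset` are defined outside this hunk.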
--- a/wp-user-frontend/includes/Admin/Posting.php
+++ b/wp-user-frontend/includes/Admin/Posting.php
@@ -145,23 +145,23 @@
] );
// Enqueue field initialization script for admin metabox
-
+
// Enqueue Selectize for country fields
wp_enqueue_style( 'wpuf-selectize' );
wp_enqueue_script( 'wpuf-selectize' );
-
+
// Enqueue international telephone input for phone fields
wp_enqueue_style( 'wpuf-intlTelInput' );
wp_enqueue_script( 'wpuf-intlTelInput' );
-
+
// Try to load the field initialization script using the registered handle
wp_enqueue_script( 'wpuf-field-initialization' );
-
+
// Localize script with asset URI
wp_localize_script( 'wpuf-field-initialization', 'wpuf_field_initializer', [
'asset_uri' => defined( 'WPUF_PRO_ASSET_URI' ) ? WPUF_PRO_ASSET_URI : '',
] );
-
+
}
@@ -461,6 +461,7 @@
if ( typeof wpuf_map_items === 'undefined' ) {
wpuf_map_items = [];
}
+
</script>
<?php
@@ -560,14 +561,19 @@
var fieldName = $container.data('field-name');
var maxRepeats = parseInt($container.data('max-repeats')) || -1;
+
wpuf.updateRepeatButtons($container);
$container.on('click', '.wpuf-add-repeat', function() {
+ var $instance = $(this).closest('.wpuf-repeat-instance');
+ var instanceIndex = $instance.attr('data-instance');
wpuf.addRepeatInstance($container, fieldName, maxRepeats);
});
$container.on('click', '.wpuf-remove-repeat', function() {
- wpuf.removeRepeatInstance($(this).closest('.wpuf-repeat-instance'), $container);
+ var $instance = $(this).closest('.wpuf-repeat-instance');
+ var instanceIndex = $instance.attr('data-instance');
+ wpuf.removeRepeatInstance($instance, $container);
});
});
},
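Review bot: The `$instance` / `instanceIndex` locals added on L970-971 and L976-977 are never read (the add handler still calls `wpuf.addRepeatInstance($container, fieldName, maxRepeats)` and the remove handler only forwards `$instance`), so they look like leftover debugging; delete the two `instanceIndex` lines, and in the add handler the `$instance` line too. The same unused-variable pattern appears with `instanceIndex` in removeRepeatInstance and `oldIndex` in reindexInstances in later hunks of this file.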
@@ -576,6 +582,7 @@
var $instances = $container.find('.wpuf-repeat-instance');
var currentInstances = $instances.length;
+
if (maxRepeats !== -1 && currentInstances >= maxRepeats) {
return;
}
@@ -623,14 +630,27 @@
wpuf.reindexInstances($container, fieldName);
wpuf.updateRepeatButtons($container);
+ // Set up MutationObserver for new buttons
+ if (window.MutationObserver && typeof observer !== 'undefined') {
+ $newInstance.find('.wpuf-add-repeat, .wpuf-remove-repeat').each(function() {
+ observer.observe(this, { attributes: true, attributeFilter: ['style', 'class'] });
+ });
+ }
+
// Initialize fields in the new instance
if (typeof WPUF_Field_Initializer !== 'undefined') {
WPUF_Field_Initializer.init();
+
+ // Re-apply button visibility after field initializer runs on new instance
+ setTimeout(function() {
+ wpuf.updateRepeatButtons($container);
+ }, 100);
}
},
removeRepeatInstance: function($instance, $container) {
var fieldName = $container.data('field-name');
+ var instanceIndex = $instance.attr('data-instance');
$instance.remove();
wpuf.reindexInstances($container, fieldName);
wpuf.updateRepeatButtons($container);
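Review bot: The `observer` checked with `typeof observer !== 'undefined'` on L993 is not declared anywhere in the visible code, so the guard silently turns a missing binding into a no-op and the new buttons may never be observed; if this is a MutationObserver created elsewhere (presumably in updateRepeatButtons, outside this view) it should be reached explicitly, e.g. stored with `$container.data('repeatObserver', observer)` at creation and read back here, rather than through an implicit outer-scope name. The 100 ms `setTimeout` on L1004-1006 is a timing guess around `WPUF_Field_Initializer.init()`; if that initializer exposes a completion callback or returns a promise, hooking it is more reliable than a fixed delay. `instanceIndex` on L1011 is assigned and never used.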
@@ -639,6 +659,7 @@
reindexInstances: function($container, fieldName) {
$container.find('.wpuf-repeat-instance').each(function(index) {
var $instance = $(this);
+ var oldIndex = $instance.attr('data-instance');
$instance.attr('data-instance', index);
$instance.find('[name], [id], [for]').each(function() {
@@ -669,29 +690,109 @@
var $instances = $container.find('.wpuf-repeat-instance');
var count = $instances.length;
+
+ // Prevent rapid successive calls
+ if ($container.data('updating-buttons')) {
+ return;
+ }
+ $container.data('updating-buttons', true)