 /**
  * Registering a shortcode UI whose labels and descriptions contain HTML must
  * strip the dangerous markup: <script> wrappers are dropped (their text is
  * kept), the <iframe> description is emptied, while an inline <strong> in the
  * attribute label survives.
  */
 public function test_register_shortcode_malicious_html()
 {
     $inner_content = array(
         'label'       => '<script>gotcha()</script>',
         'description' => '<iframe src="baddomain.com"></iframe>',
     );
     $attrs = array(
         array(
             'attr'        => 'bar',
             'label'       => '<strong>gotcha()</strong>',
             'description' => '<script>banana()</script>',
         ),
     );

     $ui = Shortcode_UI::get_instance();
     $ui->register_shortcode_ui('foo', array('inner_content' => $inner_content, 'attrs' => $attrs));

     $registered = $ui->get_shortcodes();
     $foo        = $registered['foo'];

     // Script/iframe markup is removed; the <strong> tag is retained in the attribute label.
     $this->assertEquals('gotcha()', $foo['inner_content']['label']);
     $this->assertEmpty($foo['inner_content']['description']);
     $this->assertEquals('<strong>gotcha()</strong>', $foo['attrs'][0]['label']);
     $this->assertEquals('banana()', $foo['attrs'][0]['description']);
 }
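 /**
  * Ajax handler for select2 post field queries.
  * Output JSON containing post data.
  * Requires that shortcode, attr and nonce are passed.
  * Requires that the field has been correctly registered and can be found in $this->post_fields
  * Supports passing page number and search query string.
  *
  * Request parameters (all read from $_GET):
  *   nonce     - must verify against the 'shortcode_ui_field_post_select' action.
  *   shortcode - tag of a registered shortcode.
  *   attr      - name of that shortcode's attribute carrying a 'query' array.
  *   page      - optional page number, cast to a non-negative integer.
  *   s         - optional search string.
  *   post__in  - optional array or comma-separated list of post IDs, cast to int.
  *
  * Only the query declared by the registered attribute is ever executed; the
  * request may choose an attribute but cannot supply query args of its own.
  * Every failure path sends a JSON error carrying an empty result set and stops.
  *
  * @return null
  */
 public function action_wp_ajax_shortcode_ui_post_field()
 {
     $nonce               = isset($_GET['nonce']) ? sanitize_text_field($_GET['nonce']) : null;
     $requested_shortcode = isset($_GET['shortcode']) ? sanitize_text_field($_GET['shortcode']) : null;
     $requested_attr      = isset($_GET['attr']) ? sanitize_text_field($_GET['attr']) : null;
     $response   = array('posts' => array(), 'found_posts' => 0, 'posts_per_page' => 0);
     $shortcodes = Shortcode_UI::get_instance()->get_shortcodes();

     // Missing or invalid nonce. wp_send_json_error() already terminates; the
     // explicit die keeps this branch consistent with the ones below.
     if (!wp_verify_nonce($nonce, 'shortcode_ui_field_post_select')) {
         wp_send_json_error($response);
         die;
     }
     // Shortcode not found.
     if (!isset($shortcodes[$requested_shortcode])) {
         wp_send_json_error($response);
         die;
     }
     $shortcode = $shortcodes[$requested_shortcode];

     // Look up the query registered for the requested attribute. Initialised
     // here so the emptiness check below never reads an undefined variable, and
     // attributes without an 'attr' key are skipped instead of raising a notice.
     $query_args = array();
     $attrs      = !empty($shortcode['attrs']) ? $shortcode['attrs'] : array();
     foreach ($attrs as $attr) {
         if (isset($attr['attr'], $attr['query']) && $attr['attr'] === $requested_attr) {
             $query_args = $attr['query'];
         }
     }
     // Query not found.
     if (empty($query_args)) {
         wp_send_json_error($response);
         die;
     }

     // Hardcoded query args: return IDs only and restrict results to posts the
     // current user may read, whatever the registered query asked for.
     $query_args['fields'] = 'ids';
     $query_args['perm']   = 'readable';
     if (isset($_GET['page'])) {
         // 'paged' is numeric; absint() turns anything else into 0 rather than
         // passing an arbitrary string through to WP_Query.
         $query_args['paged'] = absint($_GET['page']);
     }
     if (!empty($_GET['s'])) {
         $query_args['s'] = sanitize_text_field($_GET['s']);
     }
     if (!empty($_GET['post__in'])) {
         // Accept either an array or a comma-separated list; every entry is cast to int.
         $post__in = is_array($_GET['post__in']) ? $_GET['post__in'] : explode(',', $_GET['post__in']);
         $query_args['post__in'] = array_map('intval', $post__in);
         $query_args['orderby']  = 'post__in';
     }

     $query = new WP_Query($query_args);
     foreach ($query->posts as $post_id) {
         // Entities in the title are decoded for display in the select2 field.
         $response['posts'][] = array('id' => $post_id, 'text' => html_entity_decode(get_the_title($post_id)));
     }
     $response['found_posts']    = $query->found_posts;
     $response['posts_per_page'] = $query->query_vars['posts_per_page'];
     wp_send_json_success($response);
 }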
 /**
  * Whether or not the color attribute is present in registered shortcode UI
  *
  * Walks the 'attrs' list of every registered shortcode and reports whether
  * any attribute declares 'type' => 'color'. Shortcodes without attributes and
  * attributes without a type are skipped.
  *
  * @return bool
  */
 private function color_attribute_present()
 {
     $registered = Shortcode_UI::get_instance()->get_shortcodes();
     foreach ($registered as $definition) {
         $attributes = empty($definition['attrs']) ? array() : $definition['attrs'];
         foreach ($attributes as $attribute) {
             $type = empty($attribute['type']) ? null : $attribute['type'];
             if ($type === 'color') {
                 return true;
             }
         }
     }
     return false;
 }
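 /**
  * bbPress shortcodes are registered only while the bbPress plugin is active.
  *
  * Expects $this->shortcodes to hold the shortcode tags under test; each tag is
  * checked once with bbPress inactive and once after activating it.
  *
  * NOTE(review): the inactive case inspects a fresh Shortcode_UI instance rather
  * than the singleton used in the active case — confirm sandwich_bbp_shortcodes()
  * registers against that instance, otherwise the first loop passes trivially.
  */
 public function testUI()
 {
     // When plugin is inactive, do not display the shortcodes
     $shortcake = new Shortcode_UI();
     $shortcake->shortcodes = array();
     $o = new GambitPBSandwichShortcodeBBPress();
     $o->sandwich_bbp_shortcodes();
     foreach ($this->shortcodes as $tag) {
         $this->assertEmpty($shortcake->get_shortcode($tag), $tag . ' should not be included if parent plugin is deactivated');
     }

     // When plugin is active, display the shortcodes
     $shortcake = Shortcode_UI::get_instance();
     $shortcake->shortcodes = array();
     $result = activate_plugin('bbpress/bbpress.php');
     // activate_plugin() reports failure as a WP_Error; fail here so a broken
     // activation is not misreported as a shortcode registration bug below.
     $this->assertFalse(is_wp_error($result), 'bbpress/bbpress.php could not be activated');
     $o = new GambitPBSandwichShortcodeBBPress();
     $o->sandwich_bbp_shortcodes();
     foreach ($this->shortcodes as $tag) {
         $this->assertNotEmpty($shortcake->get_shortcode($tag), $tag . ' should be included if parent plugin is activated');
     }
 }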
/**
 * Queue the shortcode UI scripts & templates manually
 *
 * Thin wrapper that calls enqueue() on the shared Shortcode_UI instance.
 */
function shortcode_ui_enqueue_assets()
{
    $ui = Shortcode_UI::get_instance();
    $ui->enqueue();
}