Merge pull request from GHSA-43mp-gc69-2cjm

WordPress · Jul 15, 2021 · ede5e74 · ede5e74
1 parent c4ea2bd
commit ede5e74
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 17 deletions.
diff --git a/lib/compat/wordpress-5.8/index.php b/lib/compat/wordpress-5.8/index.php
@@ -35,8 +35,11 @@ function build_query_vars_from_query_block( $block, $page ) {
 		);
 
 		if ( isset( $block->context['query'] ) ) {
-			if ( isset( $block->context['query']['postType'] ) ) {
-				$query['post_type'] = $block->context['query']['postType'];
+			if ( ! empty( $block->context['query']['postType'] ) ) {
+				$post_type_param = $block->context['query']['postType'];
+				if ( is_post_type_viewable( $post_type_param ) ) {
+					$query['post_type'] = $post_type_param;
+				}
 			}
 			if ( isset( $block->context['query']['sticky'] ) && ! empty( $block->context['query']['sticky'] ) ) {
 				$sticky = get_option( 'sticky_posts' );
@@ -46,29 +49,54 @@ function build_query_vars_from_query_block( $block, $page ) {
 					$query['post__not_in'] = array_merge( $query['post__not_in'], $sticky );
 				}
 			}
-			if ( isset( $block->context['query']['exclude'] ) ) {
-				$query['post__not_in'] = array_merge( $query['post__not_in'], $block->context['query']['exclude'] );
+			if ( ! empty( $block->context['query']['exclude'] ) ) {
+				$excluded_post_ids     = array_map( 'intval', $block->context['query']['exclude'] );
+				$excluded_post_ids     = array_filter( $excluded_post_ids );
+				$query['post__not_in'] = array_merge( $query['post__not_in'], $excluded_post_ids );
 			}
-			if ( isset( $block->context['query']['perPage'] ) ) {
-				$query['offset']         = ( $block->context['query']['perPage'] * ( $page - 1 ) ) + $block->context['query']['offset'];
-				$query['posts_per_page'] = $block->context['query']['perPage'];
+			if (
+				isset( $block->context['query']['perPage'] ) &&
+				is_numeric( $block->context['query']['perPage'] )
+			) {
+				$per_page = absint( $block->context['query']['perPage'] );
+				$offset   = 0;
+
+				if (
+					isset( $block->context['query']['offset'] ) &&
+					is_numeric( $block->context['query']['offset'] )
+				) {
+					$offset = absint( $block->context['query']['offset'] );
+				}
+
+				$query['offset']         = ( $per_page * ( $page - 1 ) ) + $offset;
+				$query['posts_per_page'] = $per_page;
 			}
-			if ( isset( $block->context['query']['categoryIds'] ) ) {
-				$query['category__in'] = $block->context['query']['categoryIds'];
+			if ( ! empty( $block->context['query']['categoryIds'] ) ) {
+				$term_ids              = array_map( 'intval', $block->context['query']['categoryIds'] );
+				$term_ids              = array_filter( $term_ids );
+				$query['category__in'] = $term_ids;
 			}
-			if ( isset( $block->context['query']['tagIds'] ) ) {
-				$query['tag__in'] = $block->context['query']['tagIds'];
+			if ( ! empty( $block->context['query']['tagIds'] ) ) {
+				$term_ids         = array_map( 'intval', $block->context['query']['tagIds'] );
+				$term_ids         = array_filter( $term_ids );
+				$query['tag__in'] = $term_ids;
 			}
-			if ( isset( $block->context['query']['order'] ) ) {
+			if (
+				isset( $block->context['query']['order'] ) &&
+					in_array( strtoupper( $block->context['query']['order'] ), array( 'ASC', 'DESC' ), true )
+			) {
 				$query['order'] = strtoupper( $block->context['query']['order'] );
 			}
 			if ( isset( $block->context['query']['orderBy'] ) ) {
 				$query['orderby'] = $block->context['query']['orderBy'];
 			}
-			if ( isset( $block->context['query']['author'] ) ) {
-				$query['author'] = $block->context['query']['author'];
+			if (
+				isset( $block->context['query']['author'] ) &&
+				(int) $block->context['query']['author'] > 0
+			) {
+				$query['author'] = (int) $block->context['query']['author'];
 			}
-			if ( isset( $block->context['query']['search'] ) ) {
+			if ( ! empty( $block->context['query']['search'] ) ) {
 				$query['s'] = $block->context['query']['search'];
 			}
 		}

diff --git a/packages/block-library/src/post-terms/edit.js b/packages/block-library/src/post-terms/edit.js
@@ -35,7 +35,7 @@ export default function PostTermsEdit( {
 			if ( ! term ) return {};
 			const { getTaxonomy } = select( coreStore );
 			const taxonomy = getTaxonomy( term );
-			return taxonomy?.visibility?.show_ui ? taxonomy : {};
+			return taxonomy?.visibility?.publicly_queryable ? taxonomy : {};
 		},
 		[ term ]
 	);

diff --git a/packages/block-library/src/post-terms/index.php b/packages/block-library/src/post-terms/index.php
@@ -18,6 +18,10 @@ function render_block_core_post_terms( $attributes, $content, $block ) {
 		return '';
 	}
 
+	if ( ! is_taxonomy_viewable( $attributes['term'] ) ) {
+		return '';
+	}
+
 	$post_terms = get_the_terms( $block->context['postId'], $attributes['term'] );
 	if ( is_wp_error( $post_terms ) ) {
 		return '';

diff --git a/packages/block-library/src/post-terms/use-post-terms.js b/packages/block-library/src/post-terms/use-post-terms.js
@@ -9,6 +9,14 @@ export default function usePostTerms( { postId, postType, term } ) {
 	const [ termIds ] = useEntityProp( 'postType', postType, restBase, postId );
 	return useSelect(
 		( select ) => {
+			const visible = term?.visibility?.publicly_queryable;
+			if ( ! visible ) {
+				return {
+					postTerms: [],
+					_isLoading: false,
+					hasPostTerms: false,
+				};
+			}
 			if ( ! termIds ) {
 				// Waiting for post terms to be fetched.
 				return { isLoading: true };
@@ -33,6 +41,6 @@ export default function usePostTerms( { postId, postType, term } ) {
 				hasPostTerms: !! terms?.length,
 			};
 		},
-		[ termIds ]
+		[ termIds, term?.visibility?.publicly_queryable ]
 	);
 }