From ede5e74e20fc3492c4d757d7b3bccfb2dfdf7c4f Mon Sep 17 00:00:00 2001
From: Nik Tsekouras
Date: Wed, 7 Jul 2021 01:43:59 +0300
Subject: [PATCH] Merge pull request from GHSA-43mp-gc69-2cjm

---
 lib/compat/wordpress-5.8/index.php | 58 ++++++++++++++-----
 packages/block-library/src/post-terms/edit.js | 2 +-
 .../block-library/src/post-terms/index.php | 4 ++
 .../src/post-terms/use-post-terms.js | 10 +++-
 4 files changed, 57 insertions(+), 17 deletions(-)

diff --git a/lib/compat/wordpress-5.8/index.php b/lib/compat/wordpress-5.8/index.php
index 6aeac5d21b827..9427ce463500a 100644
--- a/lib/compat/wordpress-5.8/index.php
+++ b/lib/compat/wordpress-5.8/index.php
@@ -35,8 +35,11 @@ function build_query_vars_from_query_block( $block, $page ) {
 );
 if ( isset( $block->context['query'] ) ) {
- if ( isset( $block->context['query']['postType'] ) ) {
- $query['post_type'] = $block->context['query']['postType'];
+ if ( ! empty( $block->context['query']['postType'] ) ) {
+ $post_type_param = $block->context['query']['postType'];
+ if ( is_post_type_viewable( $post_type_param ) ) {
+ $query['post_type'] = $post_type_param;
+ }
 }
 if ( isset( $block->context['query']['sticky'] ) && ! empty( $block->context['query']['sticky'] ) ) {
 $sticky = get_option( 'sticky_posts' );
@@ -46,29 +49,54 @@ function build_query_vars_from_query_block( $block, $page ) {
 $query['post__not_in'] = array_merge( $query['post__not_in'], $sticky );
 }
 }
- if ( isset( $block->context['query']['exclude'] ) ) {
- $query['post__not_in'] = array_merge( $query['post__not_in'], $block->context['query']['exclude'] );
+ if ( ! empty( $block->context['query']['exclude'] ) ) {
+ $excluded_post_ids = array_map( 'intval', $block->context['query']['exclude'] );
+ $excluded_post_ids = array_filter( $excluded_post_ids );
+ $query['post__not_in'] = array_merge( $query['post__not_in'], $excluded_post_ids );
 }
- if ( isset( $block->context['query']['perPage'] ) ) {
- $query['offset'] = ( $block->context['query']['perPage'] * ( $page - 1 ) ) + $block->context['query']['offset'];
- $query['posts_per_page'] = $block->context['query']['perPage'];
+ if (
+ isset( $block->context['query']['perPage'] ) &&
+ is_numeric( $block->context['query']['perPage'] )
+ ) {
+ $per_page = absint( $block->context['query']['perPage'] );
+ $offset = 0;
+
+ if (
+ isset( $block->context['query']['offset'] ) &&
+ is_numeric( $block->context['query']['offset'] )
+ ) {
+ $offset = absint( $block->context['query']['offset'] );
+ }
+
+ $query['offset'] = ( $per_page * ( $page - 1 ) ) + $offset;
+ $query['posts_per_page'] = $per_page;
 }
- if ( isset( $block->context['query']['categoryIds'] ) ) {
- $query['category__in'] = $block->context['query']['categoryIds'];
+ if ( ! empty( $block->context['query']['categoryIds'] ) ) {
+ $term_ids = array_map( 'intval', $block->context['query']['categoryIds'] );
+ $term_ids = array_filter( $term_ids );
+ $query['category__in'] = $term_ids;
 }
- if ( isset( $block->context['query']['tagIds'] ) ) {
- $query['tag__in'] = $block->context['query']['tagIds'];
+ if ( ! empty( $block->context['query']['tagIds'] ) ) {
+ $term_ids = array_map( 'intval', $block->context['query']['tagIds'] );
+ $term_ids = array_filter( $term_ids );
+ $query['tag__in'] = $term_ids;
 }
- if ( isset( $block->context['query']['order'] ) ) {
+ if (
+ isset( $block->context['query']['order'] ) &&
+ in_array( strtoupper( $block->context['query']['order'] ), array( 'ASC', 'DESC' ), true )
+ ) {
 $query['order'] = strtoupper( $block->context['query']['order'] );
 }
 if ( isset( $block->context['query']['orderBy'] ) ) {
 $query['orderby'] = $block->context['query']['orderBy'];
 }
- if ( isset( $block->context['query']['author'] ) ) {
- $query['author'] = $block->context['query']['author'];
+ if (
+ isset( $block->context['query']['author'] ) &&
+ (int) $block->context['query']['author'] > 0
+ ) {
+ $query['author'] = (int) $block->context['query']['author'];
 }
- if ( isset( $block->context['query']['search'] ) ) {
+ if ( ! empty( $block->context['query']['search'] ) ) {
 $query['s'] = $block->context['query']['search'];
 }
 }
diff --git a/packages/block-library/src/post-terms/edit.js b/packages/block-library/src/post-terms/edit.js
index da8b2004aa23e..15b981bf69af6 100644
--- a/packages/block-library/src/post-terms/edit.js
+++ b/packages/block-library/src/post-terms/edit.js
@@ -35,7 +35,7 @@ export default function PostTermsEdit( {
 if ( ! term ) return {};
 const { getTaxonomy } = select( coreStore );
 const taxonomy = getTaxonomy( term );
- return taxonomy?.visibility?.show_ui ? taxonomy : {};
+ return taxonomy?.visibility?.publicly_queryable ? taxonomy : {};
 },
 [ term ]
 );
diff --git a/packages/block-library/src/post-terms/index.php b/packages/block-library/src/post-terms/index.php
index 0af8742f869b9..436611d756704 100644
--- a/packages/block-library/src/post-terms/index.php
+++ b/packages/block-library/src/post-terms/index.php
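Review bot: `orderBy` is now the only key in this block that still reaches WP_Query unfiltered: the context lines `if ( isset( $block->context['query']['orderBy'] ) ) { $query['orderby'] = $block->context['query']['orderBy']; }` are untouched, while `order` directly above it gets an `in_array( ..., array( 'ASC', 'DESC' ), true )` allow-list. WP_Query's own orderby parsing ignores keys it does not recognise, so this is defence in depth rather than an open hole, but gating it with an allow-list of the orderby values the block actually exposes would make the hardening consistent. Separately, `$per_page = absint( $block->context['query']['perPage'] );` rejects `-1` but has no upper bound, so an arbitrarily large `perPage` still becomes an arbitrarily large query; a ceiling such as `$per_page = min( absint( $block->context['query']['perPage'] ), 100 );` (matching the REST API's per_page maximum) would bound it. The body of `build_query_vars_from_query_block` continues past this hunk.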
@@ -18,6 +18,10 @@ function render_block_core_post_terms( $attributes, $content, $block ) {
 return '';
 }
+ if ( ! is_taxonomy_viewable( $attributes['term'] ) ) {
+ return '';
+ }
+
 $post_terms = get_the_terms( $block->context['postId'], $attributes['term'] );
 if ( is_wp_error( $post_terms ) ) {
 return '';
diff --git a/packages/block-library/src/post-terms/use-post-terms.js b/packages/block-library/src/post-terms/use-post-terms.js
index facfffa21117f..4539ea1c8df22 100644
--- a/packages/block-library/src/post-terms/use-post-terms.js
+++ b/packages/block-library/src/post-terms/use-post-terms.js
@@ -9,6 +9,14 @@ export default function usePostTerms( { postId, postType, term } ) {
 const [ termIds ] = useEntityProp( 'postType', postType, restBase, postId );
 return useSelect(
 ( select ) => {
+ const visible = term?.visibility?.publicly_queryable;
+ if ( ! visible ) {
+ return {
+ postTerms: [],
+ _isLoading: false,
+ hasPostTerms: false,
+ };
+ }
 if ( ! termIds ) {
 // Waiting for post terms to be fetched.
 return { isLoading: true };
@@ -33,6 +41,6 @@ export default function usePostTerms( { postId, postType, term } ) {
 hasPostTerms: !! terms?.length,
 };
 },
- [ termIds ]
+ [ termIds, term?.visibility?.publicly_queryable ]
 );
 }
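Review bot: The new `if ( ! is_taxonomy_viewable( $attributes['term'] ) )` guard is the security-relevant line of this hunk but carries no comment saying why non-viewable taxonomies are refused, so a later refactor could fold it into the preceding guard and lose the intent. A one-line why-comment above it, `// Refuse to render terms of taxonomies that are not publicly queryable, so private taxonomy data never reaches front-end output.`, would preserve that. The body of `render_block_core_post_terms` starts above this hunk and continues below it.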
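Review bot: The new early return for a non-viewable taxonomy uses the key `_isLoading: false` while the very next return in the same selector uses `isLoading` (`return { isLoading: true };`), so a consumer reading `isLoading` gets `undefined` rather than `false` in this branch; unless the underscore is deliberate this looks like a typo and should read `isLoading: false,`. The selector's final return is outside the first hunk, so I cannot confirm which spelling it uses there. Adding `term?.visibility?.publicly_queryable` to the dependency array in the second hunk is the right complement to the new check, since the early return now depends on it.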