Headline
CVE-2023-5110: category-dropdown.php in bsk-pdf-manager/trunk/classes/shortcodes/category – WordPress Plugin Repository
The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ‘bsk-pdfm-category-dropdown’ shortcode in versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
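<?php

/**
 * [bsk-pdfm-category-dropdown] shortcode: renders the PDFs of one or more
 * categories as <select> dropdowns, and serves the AJAX endpoint the
 * front-end filter bars use to re-render that dropdown.
 *
 * Every shortcode attribute and every POST field is user-controlled
 * (contributors can place shortcodes; the AJAX action is registered for
 * anonymous visitors too), so any value printed into an HTML attribute is
 * passed through esc_attr() and any value printed as element content through
 * esc_html(). Versions up to and including 3.4.1 printed
 * output_container_class unescaped in the container markup (CVE-2023-5110).
 */
class BSKPDFM_Shortcodes_Category_Dropdown extends BSKPDFM_Shortcodes_Category {

    /**
     * Registers the shortcode and the AJAX action (logged-in and anonymous).
     */
    public function __construct() {
        add_shortcode( 'bsk-pdfm-category-dropdown', array( $this, 'bsk_pdf_manager_list_pdfs_by_cat_as_dropdown' ) );

        // Re-render endpoint used by the extension/tags filter bars. The nopriv
        // registration makes it reachable without a session; the nonce check in
        // bsk_pdfm_ajax_get_category_dropdown() is the only gate.
        add_action( 'wp_ajax_pdfs_get_category_dropdown', array( $this, 'bsk_pdfm_ajax_get_category_dropdown' ) );
        add_action( 'wp_ajax_nopriv_pdfs_get_category_dropdown', array( $this, 'bsk_pdfm_ajax_get_category_dropdown' ) );
    }

    /**
     * Shortcode handler for [bsk-pdfm-category-dropdown].
     *
     * @param array|string $atts    Raw shortcode attributes as handed over by WordPress.
     * @param string|null  $content Enclosed content (unused).
     * @return string Container markup, or an error container when no valid category id is found.
     */
    public function bsk_pdf_manager_list_pdfs_by_cat_as_dropdown( $atts, $content ) {
        $all_shortcode_atts = array(
            'option_none'        => esc_html__( 'Select to open...', 'bskpdfmanager' ),
            'option_group_label' => 'CAT_TITLE',
        );
        $all_shortcode_atts = array_merge(
            $all_shortcode_atts,
            $this->_shortcode_category_atts,
            $this->_shortcode_pdfs_atts,
            $this->_shortcode_count_desc_atts,
            $this->_shortcode_extension_filter_atts,
            $this->_shortcode_tags_filter_atts,
            $this->_shortcode_output_container_atts
        );
        $all_shortcode_atts['target'] = '_blank';
        $shortcode_atts = shortcode_atts( $all_shortcode_atts, $atts );

        // NOTE(review): the original code computed the processed attributes here but
        // rendered from the raw $shortcode_atts; the call is kept (it may have side
        // effects in the parent class) and its unused result dropped.
        $this->process_shortcode_parameters( $shortcode_atts );

        $shortcode_atts['cat_id'] = $shortcode_atts['id'];

        // Resolve the category ids to query and the category objects to loop over.
        $categories_id_array = BSKPDFM_Common_Data_Source::bsk_pdfm_organise_categories_id( $shortcode_atts );
        if ( ! is_array( $categories_id_array ) || count( $categories_id_array ) < 1 ) {
            // output_container_class is attacker-controlled: escape it for the attribute context.
            return '<div class="bsk-pdfm-output-container ' . esc_attr( $shortcode_atts['output_container_class'] ) . '">' .
                '<p>' . esc_html__( 'No valid category id found', 'bskpdfmanager' ) . '</p>' .
                '</div>';
        }

        $default_enable_permalink = $this->_default_enable_permalink();
        $most_top                 = intval( $shortcode_atts['most_top'] );

        // The filter bars render their own markup and report the active default filter.
        $extension_filter_return = BSKPDFM_Common_Filter_Extension::show_extension_filter_bar( $shortcode_atts );
        $tags_filter_return      = BSKPDFM_Common_Filter_Tags::show_tags_filter_bar( $shortcode_atts, 'category', $categories_id_array['ids_array'] );

        $query_args = array(
            'cat_order_by' => $shortcode_atts['cat_order_by'],
            'cat_order'    => $shortcode_atts['cat_order'],
            'order_by'     => $shortcode_atts['order_by'],
            'order'        => $shortcode_atts['order'],
            'most_top'     => $most_top,
            'ids_array'    => $categories_id_array['ids_array'],
        );

        // Apply the extension filter default only when the bar is a real filter (not "only_filters").
        if ( is_array( $extension_filter_return )
            && isset( $extension_filter_return['only_filters'] ) && ! $extension_filter_return['only_filters']
            && ! empty( $extension_filter_return['filters'] ) ) {
            $query_args['extension'] = trim( $shortcode_atts['extension_filter_default'] );
        }

        if ( is_array( $tags_filter_return )
            && isset( $tags_filter_return['default'] ) && $tags_filter_return['default'] > 0 ) {
            $query_args['tags'] = $tags_filter_return['default'];
        }

        $cat_pdfs_query_results = BSKPDFM_Common_Data_Source::bsk_pdfm_get_pdfs_by_cat( $query_args );
        $total_pdfs             = 0;
        if ( $cat_pdfs_query_results && is_array( $cat_pdfs_query_results ) ) {
            $total_pdfs = $cat_pdfs_query_results['total'];
        }

        // Escaped here because the class name comes straight from the shortcode attribute (CVE-2023-5110).
        $output_container_class = $shortcode_atts['output_container_class']
            ? ' ' . esc_attr( $shortcode_atts['output_container_class'] )
            : '';
        $str_body = '<div class="bsk-pdfm-output-container shortcode-category layout-dropdown' . $output_container_class . '">';

        $target_str = '';
        if ( $cat_pdfs_query_results ) {
            if ( $extension_filter_return ) {
                $str_body .= $extension_filter_return['filters'];
            }
            if ( $tags_filter_return ) {
                $str_body .= $tags_filter_return['filters'];
            }

            // The count bar precedes the dropdown(s) in both layouts.
            $str_body .= BSKPDFM_Common_Count_Desc_Bar::show_count_desc_bar( $total_pdfs, $shortcode_atts, false, false );

            if ( $this->_uses_per_category_dropdowns( $shortcode_atts ) ) {
                // One dropdown per category.
                foreach ( $categories_id_array['categories_loop'] as $category_obj ) {
                    $str_body .= $this->show_pdfs_in_dropdown_by_category(
                        $category_obj,
                        $this->_pdfs_for_category( $cat_pdfs_query_results, $category_obj ),
                        $shortcode_atts,
                        1,
                        $default_enable_permalink
                    );
                }
            } else {
                // All categories in one dropdown, category titles as option-group labels.
                $target_str = $this->_target_attr( $shortcode_atts );
                $str_body  .= $this->_render_combined_dropdown(
                    $categories_id_array,
                    $cat_pdfs_query_results,
                    $shortcode_atts,
                    $default_enable_permalink,
                    $target_str
                );
            }
        }

        // Shortcode parameters and the AJAX nonce the filter bars post back.
        $str_body .= $this->get_shortcode_parameters_output( $shortcode_atts );
        $str_body .= '</div><!-- //bsk-pdfm-output-container -->';

        // Remember which pages host a new-tab dropdown so the plugin can act on them later.
        global $post;
        if ( ! empty( $post->ID ) && $target_str ) {
            $_dropdown_shortcodes_pages = get_option( BSKPDFManager::$_dropdown_shortcodes_pages_option, array() );
            if ( ! is_array( $_dropdown_shortcodes_pages ) ) {
                $_dropdown_shortcodes_pages = array();
            }
            $_dropdown_shortcodes_pages[ $post->ID ] = $post->ID;
            update_option( BSKPDFManager::$_dropdown_shortcodes_pages_option, $_dropdown_shortcodes_pages );
        }

        return $str_body;
    }

    /**
     * Renders one category as its own container with an optional title and a <select>.
     *
     * @param object       $category_obj             Category with ->id and ->title.
     * @param array|false  $pdfs_results_array       PDFs of this category, or false when none were queried.
     * @param array        $shortcode_atts           Resolved shortcode attributes.
     * @param int          $category_depth           Hierarchy depth, used for the CSS class and heading level.
     * @param bool         $default_enable_permalink Whether PDF links should use permalinks.
     * @return string HTML for the category container.
     */
    public function show_pdfs_in_dropdown_by_category(
        $category_obj,
        $pdfs_results_array,
        $shortcode_atts,
        $category_depth,
        $default_enable_permalink
    ) {
        $depth_class        = ' category-hierarchical-depth-' . $category_depth;
        $category_title_tag = 'h' . ( $category_depth + 1 );

        $output = '<div class="bsk-pdfm-category-output cat-' . esc_attr( $category_obj->id . $depth_class ) . ' pdfs-in-dropdown" data-cat-id="' . esc_attr( $category_obj->id ) . '">';

        $show_cat_title = BSKPDFM_Common_Display::process_shortcodes_bool_attrs( 'show_cat_title', $shortcode_atts );
        if ( $show_cat_title ) {
            // Title is element content, hence esc_html(); the filter receives the raw title too.
            $output .= apply_filters(
                'bsk_pdfm_filter_cat_title',
                '<' . $category_title_tag . ' class="bsk-pdfm-cat-titile">' . esc_html( $category_obj->title ) . '</' . $category_title_tag . '>',
                $category_obj->id,
                $category_obj->title
            );
        }

        $show_date         = BSKPDFM_Common_Display::process_shortcodes_bool_attrs( 'show_date', $shortcode_atts );
        $date_before_title = BSKPDFM_Common_Display::process_shortcodes_bool_attrs( 'date_before_title', $shortcode_atts );
        $date_format_str   = $this->_date_format( $shortcode_atts, $date_before_title );

        $output .= $this->_open_select( $shortcode_atts, $this->_target_attr( $shortcode_atts ) );
        $output .= BSKPDFM_Common_Display::show_pdfs_dropdown_option_for_category(
            $pdfs_results_array,
            $category_obj,
            $show_date,
            $date_format_str,
            $date_before_title,
            $category_depth,
            false,
            $default_enable_permalink
        );
        $output .= '</select>';
        $output .= '<!--//bsk-pdfm-category-output cat-' . esc_attr( $category_obj->id ) . '-->';
        $output .= '</div>';

        return $output;
    }

    /**
     * Builds the <option>/<optgroup> markup of one category for the combined dropdown
     * (option_group_label == 'CAT_TITLE' or 'HIDE').
     *
     * @param object      $category_obj
     * @param array|false $pdfs_results_array
     * @param array       $shortcode_atts
     * @param int         $depth
     * @param bool        $default_enable_permalink
     * @return array{password_form:string,options:string} password_form is always empty here.
     */
    public function get_password_form_and_dropdown_options_by_category(
        $category_obj,
        $pdfs_results_array,
        $shortcode_atts,
        $depth,
        $default_enable_permalink
    ) {
        $show_date         = BSKPDFM_Common_Display::process_shortcodes_bool_attrs( 'show_date', $shortcode_atts );
        $date_before_title = BSKPDFM_Common_Display::process_shortcodes_bool_attrs( 'date_before_title', $shortcode_atts );
        $date_format_str   = $this->_date_format( $shortcode_atts, $date_before_title );

        $category_options = '' . BSKPDFM_Common_Display::show_pdfs_dropdown_option_for_category(
            $pdfs_results_array,
            $category_obj,
            $show_date,
            $date_format_str,
            $date_before_title,
            $depth,
            $shortcode_atts['option_group_label'],
            $default_enable_permalink
        );

        return array( 'password_form' => '', 'options' => $category_options );
    }

    /**
     * AJAX handler (wp_ajax_pdfs_get_category_dropdown, also nopriv): re-renders the
     * dropdown from POSTed attributes and dies with a JSON payload
     * {category_out, pagination, results_desc[, error_message]}.
     *
     * @return void Always terminates via wp_die().
     */
    public function bsk_pdfm_ajax_get_category_dropdown() {
        if ( ! check_ajax_referer( 'category-ajax-get', 'nonce', false ) ) {
            $error_message = '<p class="bsk-pdfm-error-message">' . esc_html__( 'Security check, please refresh page and try again', 'bskpdfmanager' ) . '!</p>';

            wp_die( json_encode( array(
                'category_out'  => '',
                'pagination'    => '',
                'results_desc'  => esc_html__( 'No records found', 'bskpdfmanager' ),
                'error_message' => $error_message,
            ) ) );
        }

        $shortcode_atts = array(
            'option_none'        => 'Select to open...',
            'option_group_label' => 'CAT_TITLE',
            'extension'          => '',
            'tags_default'       => -1,
        );
        $shortcode_atts = array_merge(
            $shortcode_atts,
            $this->_shortcode_category_atts,
            $this->_shortcode_pdfs_atts,
            $this->_shortcode_count_desc_atts,
            $this->_shortcode_extension_filter_atts,
            $this->_shortcode_output_container_atts
        );

        // Only known attribute names are read from the request; anything else in $_POST is ignored.
        // Non-scalar values (e.g. key[]=...) are rejected rather than passed to sanitize_text_field().
        foreach ( $shortcode_atts as $key => $default_val ) {
            if ( isset( $_POST[ $key ] ) && is_scalar( $_POST[ $key ] ) ) {
                $shortcode_atts[ $key ] = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
            } else {
                $shortcode_atts[ $key ] = $default_val;
            }
        }
        $shortcode_atts = $this->process_shortcode_parameters( $shortcode_atts );

        $shortcode_atts['cat_id'] = $shortcode_atts['id'];

        $categories_id_array = BSKPDFM_Common_Data_Source::bsk_pdfm_organise_categories_id( $shortcode_atts );
        if ( ! is_array( $categories_id_array ) || count( $categories_id_array ) < 1 ) {
            // A plain "return" from an AJAX callback would make admin-ajax answer "0";
            // send the error as the same JSON shape the client already handles.
            $str = '<div class="bsk-pdfm-output-container ' . esc_attr( $shortcode_atts['output_container_class'] ) . '">' .
                '<p>' . esc_html__( 'No valid category id found', 'bskpdfmanager' ) . '</p>' .
                '</div>';

            wp_die( json_encode( array(
                'category_out'  => $str,
                'pagination'    => '',
                'results_desc'  => esc_html__( 'No records found', 'bskpdfmanager' ),
                'error_message' => '',
            ) ) );
        }

        $default_enable_permalink = $this->_default_enable_permalink();
        $most_top                 = intval( $shortcode_atts['most_top'] );

        $query_args = array(
            'cat_order_by' => $shortcode_atts['cat_order_by'],
            'cat_order'    => $shortcode_atts['cat_order'],
            'order_by'     => $shortcode_atts['order_by'],
            'order'        => $shortcode_atts['order'],
            'most_top'     => $most_top,
            'ids_array'    => $categories_id_array['ids_array'],
        );

        $extension = trim( $shortcode_atts['extension'] );
        if ( $extension ) {
            $query_args['extension'] = $extension;
        }
        if ( intval( $shortcode_atts['tags_default'] ) > 0 ) {
            $query_args['tags'] = intval( $shortcode_atts['tags_default'] );
        }

        $cat_pdfs_query_results = BSKPDFM_Common_Data_Source::bsk_pdfm_get_pdfs_by_cat( $query_args );
        $total_pdfs             = 0;
        if ( $cat_pdfs_query_results && is_array( $cat_pdfs_query_results ) ) {
            $total_pdfs = $cat_pdfs_query_results['total'];
        }

        $str_body   = '';
        $count_desc = ''; // Was undefined when the query returned nothing; the payload below always reads it.
        if ( $cat_pdfs_query_results ) {
            $count_desc = BSKPDFM_Common_Count_Desc_Bar::show_count_desc_bar( $total_pdfs, $shortcode_atts, false, false );

            if ( $this->_uses_per_category_dropdowns( $shortcode_atts ) ) {
                foreach ( $categories_id_array['categories_loop'] as $category_obj ) {
                    $str_body .= $this->show_pdfs_in_dropdown_by_category(
                        $category_obj,
                        $this->_pdfs_for_category( $cat_pdfs_query_results, $category_obj ),
                        $shortcode_atts,
                        1,
                        $default_enable_permalink
                    );
                }
            } else {
                $str_body .= $this->_render_combined_dropdown(
                    $categories_id_array,
                    $cat_pdfs_query_results,
                    $shortcode_atts,
                    $default_enable_permalink,
                    $this->_target_attr( $shortcode_atts )
                );
            }
        }

        wp_die( json_encode( array(
            'category_out' => $str_body,
            'pagination'   => '',
            'results_desc' => $count_desc,
        ) ) );
    }

    /**
     * Reads the plugin's enable_permalink setting; forced off when the site has
     * no rewrite structure (pretty permalinks disabled).
     *
     * @return bool|mixed The stored setting value, or false.
     */
    private function _default_enable_permalink() {
        $enable_permalink = false;

        $plugin_settings = get_option( BSKPDFManager::$_plugin_settings_option, '' );
        if ( is_array( $plugin_settings ) && isset( $plugin_settings['enable_permalink'] ) ) {
            $enable_permalink = $plugin_settings['enable_permalink'];
        }

        if ( ! get_option( 'permalink_structure' ) ) {
            $enable_permalink = false;
        }

        return $enable_permalink;
    }

    /**
     * True when each category gets its own dropdown; false for the combined
     * dropdown layouts ('CAT_TITLE' uses titles as optgroup labels, 'HIDE' omits them).
     *
     * @param array $shortcode_atts
     * @return bool
     */
    private function _uses_per_category_dropdowns( $shortcode_atts ) {
        $label = $shortcode_atts['option_group_label'];

        return $label !== 'CAT_TITLE' && $label !== 'HIDE';
    }

    /**
     * Returns the PDFs queried for one category, or false when the result set has none.
     *
     * @param mixed  $cat_pdfs_query_results Result of bsk_pdfm_get_pdfs_by_cat().
     * @param object $category_obj
     * @return array|false
     */
    private function _pdfs_for_category( $cat_pdfs_query_results, $category_obj ) {
        if ( isset( $cat_pdfs_query_results['pdfs'] ) && isset( $cat_pdfs_query_results['pdfs'][ $category_obj->id ] ) ) {
            return $cat_pdfs_query_results['pdfs'][ $category_obj->id ];
        }

        return false;
    }

    /**
     * The data-target attribute to add to a <select> when links should open in a new tab.
     *
     * @param array $shortcode_atts
     * @return string Either ' data-target="_blank"' or ''.
     */
    private function _target_attr( $shortcode_atts ) {
        $target = isset( $shortcode_atts['target'] ) ? trim( $shortcode_atts['target'] ) : '';

        return ( $target == '_blank' ) ? ' data-target="_blank"' : '';
    }

    /**
     * Resolves the date format printed next to PDF titles.
     *
     * @param array $shortcode_atts
     * @param bool  $date_before_title Whether the date precedes the title (decides the padding side).
     * @return string
     */
    private function _date_format( $shortcode_atts, $date_before_title ) {
        $date_format_str = $date_before_title ? 'd/m/Y ' : ' d/m/Y';

        if ( $shortcode_atts['date_format']
            && is_string( $shortcode_atts['date_format'] )
            && $shortcode_atts['date_format'] !== ' d/m/Y' ) {
            $date_format_str = $shortcode_atts['date_format'];
        }

        return $date_format_str;
    }

    /**
     * Opens a <select> and adds the optional "none" placeholder option.
     *
     * @param array  $shortcode_atts
     * @param string $target_str Attribute string from _target_attr().
     * @return string Markup up to (not including) the closing </select>.
     */
    private function _open_select( $shortcode_atts, $target_str ) {
        $html = '<select class="bsk-pdfm-pdfs-dropdown"' . $target_str . '>';

        $option_none_str = trim( $shortcode_atts['option_none'] );
        if ( $option_none_str ) {
            $html .= '<option value="">' . esc_attr( $option_none_str ) . '</option>';
        }

        return $html;
    }

    /**
     * Renders all categories as one dropdown inside a single container.
     * Shared by the shortcode and the AJAX handler.
     *
     * @param array  $categories_id_array      Must contain 'categories_loop'.
     * @param mixed  $cat_pdfs_query_results
     * @param array  $shortcode_atts
     * @param bool   $default_enable_permalink
     * @param string $target_str               Attribute string from _target_attr().
     * @return string
     */
    private function _render_combined_dropdown( $categories_id_array, $cat_pdfs_query_results, $shortcode_atts, $default_enable_permalink, $target_str ) {
        $dropdown_output       = $this->_open_select( $shortcode_atts, $target_str );
        $cat_ids_for_container = array();

        foreach ( $categories_id_array['categories_loop'] as $category_obj ) {
            $category_return = $this->get_password_form_and_dropdown_options_by_category(
                $category_obj,
                $this->_pdfs_for_category( $cat_pdfs_query_results, $category_obj ),
                $shortcode_atts,
                1,
                $default_enable_permalink
            );
            $dropdown_output .= $category_return['options'];
            // Only categories that produced options are listed in the container's id attribute.
            if ( $category_return['options'] ) {
                $cat_ids_for_container[] = $category_obj->id;
            }
        }
        $dropdown_output .= '</select>';

        // Escape the joined string, not the array (esc_attr() expects a string).
        $cat_ids_attr = esc_attr( implode( '-', $cat_ids_for_container ) );

        return '<div class="bsk-pdfm-category-output cat-' . $cat_ids_attr . ' category-hierarchical-depth-1 pdfs-in-dropdown" data-cat-id="' . $cat_ids_attr . '">'
            . $dropdown_output
            . '</div>';
    }
}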