CVE-2021-4396: class-rucy-editor.php in rucy/trunk/inc – WordPress Plugin Repository

1<?php2/**3 * 4 * 5 * @author Nita6 */7require_once RC_PLUGIN_DIR . '/inc/class-rucy-component.php’;89class Class_Rucy_Editer {10 public $post_metas;11 public $post_meta_keys;12 public $support_post_types;13 public $current_post_content;1415 public function add_rucy_metabox() {16 $component = new Class_Rucy_Component();17 $support_post_types = $component->get_support_post_type();18 foreach ( $support_post_types as $post_type ) {19 add_meta_box( 'rucy_metabox’, 'Rucy - Reservation Update Content -', array( $this, ‘add_rucy_editor_box’ ), $post_type, 'normal’, ‘high’ );20 }21 }22 23 public function add_rucy_editor_box() {24 global $post;25 $component = new Class_Rucy_Component();26 $current_year = date_i18n( ‘Y’ );27 $support_post_types = $component->get_support_post_type();28 $this->support_post_types = $support_post_types;29 $this->post_meta_keys = $component->get_post_meta_keys();30 $this->post_metas = $component->get_post_rc_meta( $post->ID );31 $this->current_post_content = $post->post_content;32 $dismissed = explode( ',’, get_user_meta( get_current_user_id(), 'dismissed_wp_pointers’, true ) );33 $reserve_date = ( $this->post_metas->date == “” ) ? date_i18n( ‘Y-m-d H:i:s’ ) : $this->post_metas->date;34 $arr_reserve_date = getdate(strtotime( $reserve_date ) );35 $arr_date = array(36 ‘rc_year’ => date_i18n( 'Y’, $arr_reserve_date[0] ),37 ‘rc_month’ => date_i18n( 'm’, $arr_reserve_date[0] ),38 ‘rc_day’ => date_i18n( 'd’, $arr_reserve_date[0] ),39 ‘rc_hour’ => date_i18n( 'H’, $arr_reserve_date[0] ),40 ‘rc_minutes’ => date_i18n( 'i’, $arr_reserve_date[0] ),41 );42 $reserve_content = ( $this->post_metas->content == “” ) ? $this->current_post_content : $this->post_metas->content;43 // rollback settings44 $rollback_date = ( $this->post_metas->rollback_date == “” ) ? date_i18n( ‘Y-m-d H:i:s’ ) : $this->post_metas->rollback_date;45 $arr_rollback_date = getdate(strtotime( $rollback_date ) );46 $arr_rb_date = array(47 ‘rc_rb_year’ => date_i18n( 'Y’, $arr_rollback_date[0] ),48 ‘rc_rb_month’ => date_i18n( 'm’, $arr_rollback_date[0] ),49 ‘rc_rb_day’ => date_i18n( 'd’, $arr_rollback_date[0] ),50 ‘rc_rb_hour’ => date_i18n( 'H’, $arr_rollback_date[0] ),51 ‘rc_rb_minutes’ => date_i18n( 'i’, $arr_rollback_date[0] ),52 );53?>54<div id="rc-post-wrap" class="curtime">55 <input type="hidden" id="schroeder" name="schroeder" value="<?php echo wp_create_nonce(plugin_basename(__FILE__)); ?>" />56 <label for="<?php echo $this->post_meta_keys->accept; ?>" class="rc_accept"><input type="checkbox" id="<?php echo $this->post_meta_keys->accept; ?>" name="<?php echo $this->post_meta_keys->accept; ?>" value="1" <?php echo ( $this->post_metas->accept == “1” ) ? “checked” : “"; ?> /> <?php _e('Accept reserve update content.’,RC_TXT_DOMAIN) ?></label>57 <div class="rc-datetime” id="timestamp">58 <?php _e( 'UpdateTime’, RC_TXT_DOMAIN ); ?> : <strong><?php echo date_i18n( 'Y/m/d @ H:i’, strtotime( $reserve_date ) ); ?></strong>59 </div>60 <a href="#edit-reservdate" class="edit-timestamp rc-datetime-edit"><?php _e( ‘Edit’ ); ?></a>61 <div class="rc-datetime-wrap">62 <select name="rc_year" id="">63 <?php for( $y = $current_year; $y <= ( $current_year + 3); $y++ ): 64 $selected_y = ( $y == date_i18n( 'Y’, $arr_reserve_date[0] ) ) ? “selected” : “"; ?>65 <option value="<?php echo $y; ?>” <?php echo $selected_y; ?>><?php echo $y; ?></option>66 <?php endfor; ?>67 </select> / 68 <select name="rc_month" id="">69 <?php for( $i = 1; $i <= 12; $i++ ):70 $m = sprintf( “%02d", $i );71 $selected_m = ( $m == date_i18n( 'm’, $arr_reserve_date[0] ) ) ? “selected” : “";72 ?>73 <option value="<?php echo $m; ?>” <?php echo $selected_m; ?>><?php echo $m; ?></option>74 <?php endfor; ?>75 </select> / 76 <select name="rc_day” id="">77 <?php for( $d = 1; $d<=31; $d++ ):78 $d = sprintf( “%02d", $d );79 $selected_d = ( $d == date_i18n( 'd’, $arr_reserve_date[0] ) ) ? “selected” : “";80 ?>81 <option value="<?php echo $d; ?>” <?php echo $selected_d; ?>><?php echo $d; ?></option>82 <?php endfor; ?>83 </select>@84 <select name="rc_hour” id="">85 <?php for( $h = 0; $h <= 23; $h++ ): 86 $h = sprintf(“%02d",$h);87 $selected_h = ( $h == date_i18n( 'H’, $arr_reserve_date[0] ) ) ? “selected” : “";88 ?>89 <option value="<?php echo $h; ?>” <?php echo $selected_h; ?>><?php echo $h; ?></option>90 <?php endfor; ?>91 </select>:92 <select name="rc_minutes” id="">93 <?php for( $min = 0; $min <= 59; $min++ ): 94 $min = sprintf( “%02d", $min );95 $selected_min = ( $min == date_i18n( 'i’, $arr_reserve_date[0] ) ) ? “selected” : “";96 ?>97 <option value="<?php echo $min; ?>” <?php echo $selected_min; ?>><?php echo $min; ?></option>98 <?php endfor; ?>99 </select>100 <a href="#edit-reservdate” class="rc-datetime-update button"><?php _e('OK’,RC_TXT_DOMAIN) ?></a>101 <a href="#edit-reservdate" class="rc-datetime-cancel"><?php _e('Cancel’,RC_TXT_DOMAIN) ?></a>102 </div>103 <?php foreach ( $arr_date as $k => $v ): ?>104 <input type="hidden" name="<?php echo $k; ?>_cr" id="<?php echo $k; ?>_cr" value="<?php echo $v; ?>" />105 <?php endforeach; ?>106 <div id="rc-accept-update-update">107 <label for="rc-accept-update-postdate">108 <input type="checkbox" name="<?php echo $this->post_meta_keys->accept_update; ?>" value="1" id="rc-accept-update-postdate" class="rc-accept-update-postdate" <?php echo ( $this->post_metas->accept_update == “1” ) ? “checked” : “"; ?> /> <?php _e('Accept reserve update post date.’, RC_TXT_DOMAIN); ?>109 </label>110 </div>111<?php if( array_search( 'rc_update_postdate’, $dismissed ) === false ): 112 $pointer_content = ‘<h3>’ . __( 'Attention - reservation update UpdateTime’, RC_TXT_DOMAIN ) . '</h3>’;113 $pointer_content .= ‘<p>’ . __( “If update UpdateTime, this post\’s permalink is changed by permalink settings.", RC_TXT_DOMAIN ) . '</p>’;114 ?>115 <script type="text/javascript">116 jQuery(document).ready(function(){117 // show notice pointer update postdate.118 jQuery(‘#rc-accept-update-update’).pointer({119 content : '<?php echo $pointer_content; ?>’,120 buttons : function(e, t){121 return jQuery('<a class="close” href="#"><?php _e( ‘Do not show future’, RC_TXT_DOMAIN ) ?></a>’).bind(‘click.pointer’,function(e){122 e.preventDefault();123 t.element.pointer(‘close’);124 });125 },126 position : { edge : “top", align : “left"},127 close : function(){128 jQuery.post(“<?php echo admin_url( ‘admin-ajax.php’ ); ?>", {129 action : 'dismiss-wp-pointer’,130 pointer : 'rc_update_postdate’131 });132 }133 }).pointer(‘open’);134 });135 </script>136<?php endif; ?>137</div>138<?php 139 wp_editor( $reserve_content, $this->post_meta_keys->content );140 /*141 * support feature image reservation.142 */143 if( current_theme_supports(‘post-thumbnails’) ):144?>145<fieldset>146<h3><?php echo __( 'Featured Image for Reservation Update’, RC_TXT_DOMAIN ); ?></h3>147<label class="rc_feature_accept">148 <input type="checkbox” name="<?php echo $this->post_meta_keys->accept_feature_img; ?>” value="1” <?php echo ( $this->post_metas->accept_feature_img == “1”) ? “checked” : “"; ?>> <?php _e( 'Accept reserve update feature image.’, RC_TXT_DOMAIN ); ?>149</label>150<div class="rc_feature_image_uploader">151 <p><button id="rc_feature_image_upload” class="button rc-feature-uploader-button <?php echo ( $this->post_metas->feature_img != ‘’ ) ? ' has_image’ : '’; ?>"><?php _e( 'Set featured image for Reservation’, RC_TXT_DOMAIN ); ?></button></p>152<div class="rc-feature-image-uploader__ctrl">153 <div class="rc-feature-image-preview">154 <?php155 if ( ! empty( $this->post_metas->feature_img ) ) {156 echo $this->post_metas->feature_img;157 }158 ?> 159 </div>160</div>161<p><button class="button rc_remove_feature_image"><?php _e( 'Remove Featured image for Reservation’, RC_TXT_DOMAIN ); ?></button></p>162<input type="hidden” id="rc_feature_image" name="<?php echo $this->post_meta_keys->feature_img; ?>" value="<?php echo $this->post_metas->feature_img; ?>" />163</div>164</fieldset>165<fieldset id="rc-rollback-container" class="curtime">166 <h3><?php _e( 'Setting Rollback post content.’, RC_TXT_DOMAIN ); ?></h3>167 <label for="rc-accept-rollback-content">168 <input type="checkbox" name="<?php echo $this->post_meta_keys->accept_rollback ?>" value="1" id="rc-accept-rollback-content" class="rc-accept-rollback-content" <?php echo ( $this->post_metas->accept_rollback == “1” ) ? “checked” : “"; ?> > <?php _e( 'Accept rollback content.’, RC_TXT_DOMAIN ); ?>169 </label>170 <div class="rc-rollback-datetime” id="timestamp">171 <?php _e( 'Rollback DateTime’, RC_TXT_DOMAIN ); ?> : <strong><?php echo date_i18n(“Y/m/d @ H:i", strtotime( $rollback_date ) ); ?></strong>172 </div>173 <a href="#edit-rollback-datetime” class="edit-timestamp rc-rollback-datetime-edit"><?php _e(‘Edit’); ?></a>174 <div class="rc-rollback-datetime-wrap">175 <select name="rc_rb_year" id="">176 <?php for( $y = $current_year; $y <= ( $current_year + 3); $y++ ): 177 $selected_y = ( $y == date_i18n( 'Y’, $arr_rollback_date[0] ) ) ? “selected” : “"; ?>178 <option value="<?php echo $y; ?>” <?php echo $selected_y; ?>><?php echo $y; ?></option>179 <?php endfor; ?>180 </select> / 181 <select name="rc_rb_month" id="">182 <?php for( $i = 1; $i <= 12; $i++ ):183 $m = sprintf( “%02d", $i );184 $selected_m = ( $m == date_i18n( 'm’, $arr_rollback_date[0] ) ) ? “selected” : “";185 ?>186 <option value="<?php echo $m; ?>” <?php echo $selected_m; ?>><?php echo $m; ?></option>187 <?php endfor; ?>188 </select> / 189 <select name="rc_rb_day” id="">190 <?php for( $d = 1; $d<=31; $d++ ):191 $d = sprintf( “%02d", $d );192 $selected_d = ( $d == date_i18n( 'd’, $arr_rollback_date[0] ) ) ? “selected” : “";193 ?>194 <option value="<?php echo $d; ?>” <?php echo $selected_d; ?>><?php echo $d; ?></option>195 <?php endfor; ?>196 </select>@197 <select name="rc_rb_hour” id="">198 <?php for( $h = 0; $h <= 23; $h++ ): 199 $h = sprintf(“%02d",$h);200 $selected_h = ( $h == date_i18n( 'H’, $arr_rollback_date[0] ) ) ? “selected” : “";201 ?>202 <option value="<?php echo $h; ?>” <?php echo $selected_h; ?>><?php echo $h; ?></option>203 <?php endfor; ?>204 </select>:205 <select name="rc_rb_minutes” id="">206 <?php for( $min = 0; $min <= 59; $min++ ): 207 $min = sprintf( “%02d", $min );208 $selected_min = ( $min == date_i18n( 'i’, $arr_rollback_date[0] ) ) ? “selected” : “";209 ?>210 <option value="<?php echo $min; ?>” <?php echo $selected_min; ?>><?php echo $min; ?></option>211 <?php endfor; ?>212 </select>213 <a href="#edit-rollback-datetime” class="rc-rollback-datetime-update button"><?php _e('OK’,RC_TXT_DOMAIN) ?></a>214 <a href="#edit-rollback-datetime" class="rc-rollback-datetime-cancel"><?php _e('Cancel’,RC_TXT_DOMAIN) ?></a>215 </div>216 <?php foreach ( $arr_rb_date as $k => $v ): ?>217 <input type="hidden" name="<?php echo $k; ?>_cr" id="<?php echo $k; ?>_cr" value="<?php echo $v; ?>"/>218 <?php endforeach; ?>219 <div id="rc-accept-rollback-updatetime-wrap">220 <label for="rc-accept-rollback-updatetime">221 <input id="rc-accept-rollback-updatetime" type="checkbox" value="1" name="<?php echo $this->post_meta_keys->accept_rollback_update; ?>" <?php echo ( $this->post_metas->accept_rollback_update == “1” ) ? “checked” : “"; ?>> <?php _e( 'Accept Rollback post date.’, RC_TXT_DOMAIN ); ?>222 </label>223 </div>224 <?php if( current_theme_supports( ‘post-thumbnails’ ) ): ?>225 <div id="rc-accept-rollback-feature-image-wrap">226 <label for="rc-accept-rollback-feature-image">227 <input id="rc-accept-rollback-feature-image” type="checkbox" value="1" name="<?php echo $this->post_meta_keys->accept_rollback_feature_img; ?>" <?php echo ( $this->post_metas->accept_rollback_feature_img == “1” ) ? “checked” : ""; ?>> <?php _e( 'Accept Rollback feature image.’, RC_TXT_DOMAIN ); ?>228 </label>229 </div>230 <?php endif; ?>231</fieldset>232<?php 233 endif;234 }235 236// save post meta237 public function save_rc_post_meta( $post_id ) {238 $component = new Class_Rucy_Component();239 if( !isset( $_POST ) && !isset( $_POST[‘post_type’] ) ) {240 return;241 }242 if(isset( $_POST[‘schroeder’] ) && !wp_verify_nonce( $_POST[‘schroeder’], plugin_basename( __FILE__ ) ) ) {243 return;244 }245 if( defined( ‘DOING_AUTOSAVE’ ) && DOING_AUTOSAVE ) {246 return;247 }248 if ( !isset( $_POST[‘post_type’] ) ) {249 return;250 }251 $accept_post_types = $component->get_support_post_type();252 if ( !in_array( $_POST[‘post_type’], $accept_post_types ) ) {253 return;254 }255 if (256 !array_key_exists( 'rc_hour’, $_POST )257 && !array_key_exists( 'rc_minutes’, $_POST )258 && !array_key_exists( 'rc_month’, $_POST )259 && !array_key_exists( 'rc_day’, $_POST )260 && !array_key_exists( 'rc_year’, $_POST )261 && !array_key_exists( 'rc_rb_hour’, $_POST )262 && !array_key_exists( 'rc_rb_minutes’, $_POST )263 && !array_key_exists( 'rc_rb_month’, $_POST )264 && !array_key_exists( 'rc_rb_day’, $_POST )265 && !array_key_exists( 'rc_rb_year’, $_POST )266 ) {267 return;268 }269270 $post_meta_keys = $component->get_post_meta_keys();271 $date = mktime( $_POST[‘rc_hour’], $_POST[‘rc_minutes’], 00, $_POST[‘rc_month’], $_POST[‘rc_day’], $_POST[‘rc_year’] );272 if( $date ) {273 $_POST[$post_meta_keys->date] = date_i18n( 'Y-m-d H:i:s’, $date );274 } else {275 $_POST[$post_meta_keys->date] = "";276 }277 if( !isset( $_POST[$post_meta_keys->accept] ) || $_POST[$post_meta_keys->accept] != “1” ){278 $_POST[$post_meta_keys->accept] = "0";279 }280 // rollback setting281 $rdate = mktime( $_POST[‘rc_rb_hour’], $_POST[‘rc_rb_minutes’], 00, $_POST[‘rc_rb_month’], $_POST[‘rc_rb_day’], $_POST[‘rc_rb_year’] );282 if ( $rdate ) {283 $_POST[$post_meta_keys->rollback_date] = date_i18n( 'Y-m-d H:i:s’, $rdate );284 } else {285 $_POST[$post_meta_keys->rollback_date] = "";286 }287 if( !isset( $_POST[$post_meta_keys->accept_rollback] ) || $_POST[$post_meta_keys->accept_rollback] != “1” ){288 $_POST[$post_meta_keys->accept_rollback] = "0";289 }290 if( !isset( $_POST[$post_meta_keys->accept_rollback_update] ) || $_POST[$post_meta_keys->accept_rollback_update] != “1” ){291 $_POST[$post_meta_keys->accept_rollback_update] = "0";292 }293 if( !isset( $_POST[$post_meta_keys->accept_rollback_feature_img] ) || $_POST[$post_meta_keys->accept_rollback_feature_img] != “1” ){294 $_POST[$post_meta_keys->accept_rollback_feature_img] = “0";295 }296 // save post meta 297 foreach ( $post_meta_keys as $key => $value ) {298 $component->save_rc_post_meta_base( $post_id, $value, $_POST );299 }300 // regist reserve update content301 if ( $_POST[$post_meta_keys->accept] == “1” ) {302 $reserve_date = strtotime( get_gmt_from_date( $_POST[$post_meta_keys->date] ) . " GMT” );303 if ( in_array( $_POST[‘post_type’], $accept_post_types ) ) {304 wp_schedule_single_event( $reserve_date, RC_CRON_HOOK, array( $post_id ) );305 }306 } else if ( $_POST[$post_meta_keys->accept] == “0” || !isset ( $_POST[$post_meta_keys->accept] ) ) {307 // delete schedule308 wp_clear_scheduled_hook(RC_CRON_HOOK, array($post_id));309 }310 }311 312 // add update message313 public function add_reservation_message( $messages ) {314 global $post, $post_ID;315 $component = new Class_Rucy_Component();316 $accept_post_types = $component->get_support_post_type();317 $post_type = get_post_type( $post );318 319 if ( !in_array( $post_type, $accept_post_types ) ) {320 return $messages;321 }322 323 $post_metas = $component->get_post_rc_meta( $post_ID );324 if ( $post_metas->accept != “1” ) {325 return $messages;326 }327 328 $add_message_date = date_i18n( 'Y/m/d @ H:i’, strtotime( $post_metas->date ) );329 $base_str = __( 'registered reservation update content _RC_DATETIME_’, RC_TXT_DOMAIN );330 $add_message = ‘<br>’ . strtr( $base_str, array( ‘_RC_DATETIME_’ => $add_message_date ) );331 332 if( $post_metas->accept_rollback == “1” ) {333 $rollback_date = date_i18n( 'Y/m/d @ H:i’, strtotime( $post_metas->rollback_date ) );334 $rollback_base_str = __( 'registered rollback content _RC_ROLLBACK_DATETIME_ ', RC_TXT_DOMAIN );335 $add_message .= ‘<br>’ . strtr( $rollback_base_str , array( ‘_RC_ROLLBACK_DATETIME_’ => $rollback_date ) );336 }337 // published338 $messages[$post_type][1] .= $add_message;339 $messages[$post_type][4] .= $add_message;340 $messages[$post_type][6] .= $add_message;341 // saved342 $messages[$post_type][7] .= $add_message;343 // submited344 $messages[$post_type][8] .= $add_message;345 // scheduled346 $messages[$post_type][9] .= $add_message;347 348 return $messages;349 }350}