Merge pull request #1125 from live-composer/release_1_5_39

release_1_5_39

ds-live-composer.php

@@ -4,7 +4,7 @@
  * Plugin URI: https://www.livecomposerplugin.com
  * Description: Page builder for WordPress with drag and drop header/footer editing.
  * Author: Live Composer Team
- * Version: 1.5.38
+ * Version: 1.5.39
  * Author URI: https://livecomposerplugin.com
  * License: GPL3
  * License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -41,7 +41,7 @@
 	 * Constants
 	 */
 
-	define( 'DS_LIVE_COMPOSER_VER', '1.5.38' );
+	define( 'DS_LIVE_COMPOSER_VER', '1.5.39' );
 
 	define( 'DS_LIVE_COMPOSER_SHORTNAME', __( 'Live Composer', 'live-composer-page-builder' ) );
 	define( 'DS_LIVE_COMPOSER_BASENAME', plugin_basename( __FILE__ ) );

includes/ajax.php

@@ -89,6 +89,10 @@ function dslc_ajax_add_module( $atts ) {
 			die();
 		}
 
+		if (isset($_POST['content']) && !empty($_POST['content']) && !current_user_can( 'manage_options' )) {
+			$_POST['content'] = dslc_sanitize_html($_POST['content']);
+		}
+
 		$post_id = intval( $_POST['dslc_post_id'] );
 
 		if ( isset( $_POST['dslc_preload_preset'] ) && 'enabled' === $_POST['dslc_preload_preset'] ) {

includes/functions.php

@@ -1024,3 +1024,17 @@ function dslc_sanitize_option_val ( $data_to_sanitize ) {
 	// return $value;
 }
 */
+
+
+/**
+ * Generic function
+ *
+ * Remove JavaScript code from HTML
+ *
+ * @since 1.0
+ */
+function dslc_sanitize_html($html) {
+	 $html = preg_replace('/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/', '', $html);
+	 // Return sanitized HTML
+	 return $html;
+}

includes/plugin-options-framework/inc/access-control.php

@@ -49,7 +49,7 @@ function dslc_access_control_init() {
 
 				'section' => 'dslc_plugin_options_access_control',
 				'label' => __( 'Front-End Editor', 'live-composer-page-builder' ),
-				'std' => 'publish_posts',
+				'std' => 'manage_options',
 				'type' => 'select',
 				'descr' => __( 'Who can use Live Composer in the front-end? This will also affect who can manage post templates.', 'live-composer-page-builder' ),
 				'choices' => $capability_opts
@@ -59,7 +59,7 @@ function dslc_access_control_init() {
 
 				'section' => 'dslc_plugin_options_access_control',
 				'label' => __( 'Projects Management', 'live-composer-page-builder' ),
-				'std' => 'publish_posts',
+				'std' => 'manage_options',
 				'type' => 'select',
 				'descr' => __( 'Who can manage projects ( add, edit, trash... )?', 'live-composer-page-builder' ),
 				'choices' => $capability_opts
@@ -69,7 +69,7 @@ function dslc_access_control_init() {
 
 				'section' => 'dslc_plugin_options_access_control',
 				'label' => __( 'Galleries Management', 'live-composer-page-builder' ),
-				'std' => 'publish_posts',
+				'std' => 'manage_options',
 				'type' => 'select',
 				'descr' => __( 'Who can manage galleries ( add, edit, trash... )?', 'live-composer-page-builder' ),
 				'choices' => $capability_opts
@@ -79,7 +79,7 @@ function dslc_access_control_init() {
 
 				'section' => 'dslc_plugin_options_access_control',
 				'label' => __( 'Staff Management', 'live-composer-page-builder' ),
-				'std' => 'publish_posts',
+				'std' => 'manage_options',
 				'type' => 'select',
 				'descr' => __( 'Who can manage staff ( add, edit, trash... )?', 'live-composer-page-builder' ),
 				'choices' => $capability_opts
@@ -89,7 +89,7 @@ function dslc_access_control_init() {
 
 				'section' => 'dslc_plugin_options_access_control',
 				'label' => __( 'Downloads Management', 'live-composer-page-builder' ),
-				'std' => 'publish_posts',
+				'std' => 'manage_options',
 				'type' => 'select',
 				'descr' => __( 'Who can manage downloads ( add, edit, trash... )?', 'live-composer-page-builder' ),
 				'choices' => $capability_opts
@@ -99,7 +99,7 @@ function dslc_access_control_init() {
 
 				'section' => 'dslc_plugin_options_access_control',
 				'label' => __( 'Testimonials Management', 'live-composer-page-builder' ),
-				'std' => 'publish_posts',
+				'std' => 'manage_options',
 				'type' => 'select',
 				'descr' => __( 'Who can manage testimonials ( add, edit, trash... )?', 'live-composer-page-builder' ),
 				'choices' => $capability_opts
@@ -109,7 +109,7 @@ function dslc_access_control_init() {
 
 				'section' => 'dslc_plugin_options_access_control',
 				'label' => __( 'Partners Management', 'live-composer-page-builder' ),
-				'std' => 'publish_posts',
+				'std' => 'manage_options',
 				'type' => 'select',
 				'descr' => __( 'Who can manage partners ( add, edit, trash... )?', 'live-composer-page-builder' ),
 				'choices' => $capability_opts

readme.txt

@@ -3,7 +3,7 @@ Contributors: LiveComposer
 Tags: page builder, landing page builder, frontend page builder, drag and drop page builder, website builder
 Requires at least: 4.7
 Tested up to: 6.4.3
-Stable tag: 1.5.38
+Stable tag: 1.5.39
 License: GPLv3
 
 Page builder for WordPress with drag and drop header/footer editing, responsive settings, and animations. Compatible with Gutenberg block editor.
@@ -58,6 +58,9 @@ In most of the cases, this is because the homepage is not a real WordPress page,
 * 🦊 [Check out our WooCommerce Page Builder Extension](https://livecomposerplugin.com/downloads/woocommerce-page-builder/?utm_source=wp-admin&utm_medium=changelog&utm_campaign=woo-integration)
 * 👀 [We keep updating and improving our extensions pack](https://livecomposerplugin.com/downloads/extensions/?utm_source=wp-admin&utm_medium=changelog&utm_campaign=add-ons) ACF + CPT + MegaMenu + 9 more add-ons.
 
+= 1.5.39 - Mar 22 2024 =
+* Fixes related to Cross Site Scripting (XSS)
+
 = 1.5.38 - Mar 15 2024 =
 * Fixes related to Cross Site Request Forgery (CSRF)