From 2f09d9172ff573a424ab420eb781b2eb6604e933 Mon Sep 17 00:00:00 2001
From: varsha-blueastral
Date: Thu, 21 Mar 2024 13:52:29 +0530
Subject: [PATCH 1/2] release_1_5_39

---
 ds-live-composer.php | 4 ++--
 includes/ajax.php | 4 ++++
 includes/functions.php | 14 ++++++++++++++
 .../inc/access-control.php | 14 +++++++-------
 readme.txt | 5 ++++-
 5 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/ds-live-composer.php b/ds-live-composer.php
index 9dac6ce6..fba4a56b 100644
--- a/ds-live-composer.php
+++ b/ds-live-composer.php
@@ -4,7 +4,7 @@
  * Plugin URI: https://www.livecomposerplugin.com
  * Description: Page builder for WordPress with drag and drop header/footer editing.
  * Author: Live Composer Team
- * Version: 1.5.38
+ * Version: 1.5.39
  * Author URI: https://livecomposerplugin.com
  * License: GPL3
  * License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -41,7 +41,7 @@
  * Constants
  */
 
- define( 'DS_LIVE_COMPOSER_VER', '1.5.38' );
+ define( 'DS_LIVE_COMPOSER_VER', '1.5.39' );
  define( 'DS_LIVE_COMPOSER_SHORTNAME', __( 'Live Composer', 'live-composer-page-builder' ) );
  define( 'DS_LIVE_COMPOSER_BASENAME', plugin_basename( __FILE__ ) );
 
diff --git a/includes/ajax.php b/includes/ajax.php
index 0c7d46e2..1741164e 100644
--- a/includes/ajax.php
+++ b/includes/ajax.php
@@ -89,6 +89,10 @@ function dslc_ajax_add_module( $atts ) {
  die();
  }
 
+ if (isset($_POST['content']) && !empty($_POST['content']) && !current_user_can( 'manage_options' )) {
+ $_POST['content'] = dslc_sanitize_html($_POST['content']);
+ }
+
  $post_id = intval( $_POST['dslc_post_id'] );
 
  if ( isset( $_POST['dslc_preload_preset'] ) && 'enabled' === $_POST['dslc_preload_preset'] ) {
diff --git a/includes/functions.php b/includes/functions.php
index 7982070e..72a6f949 100644
--- a/includes/functions.php
+++ b/includes/functions.php
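Review bot: The new guard in dslc_ajax_add_module keys the sanitization on `manage_options`, but the WordPress capability that governs whether a user may submit raw markup is `unfiltered_html`, so the condition should read `if ( ! empty( $_POST['content'] ) && ! current_user_can( 'unfiltered_html' ) ) {` — `! empty()` already covers the `isset()` check. The helper it calls, dslc_sanitize_html (added in the includes/functions.php hunk), only removes `<script>` elements, so the sanitized branch still lets other script-bearing markup through; passing the value through core's `wp_kses_post()` instead would apply the same allow-list WordPress uses for post content. Both the guard and the `$post_id` line below it sit inside dslc_ajax_add_module, whose body begins and ends outside this hunk.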
@@ -1024,3 +1024,17 @@ function dslc_sanitize_option_val ( $data_to_sanitize ) {
  // return $value;
  }
  */
+
+
+/**
+ * Generic function
+ *
+ * Remove JavaScript code from HTML
+ *
+ * @since 1.0
+ */
+function dslc_sanitize_html($html) {
+ $html = preg_replace('/)<[^<]*)*<\/script>/', '', $html);
+ // Return sanitized HTML
+ return $html;
+}
diff --git a/includes/plugin-options-framework/inc/access-control.php b/includes/plugin-options-framework/inc/access-control.php
index 7e36b401..929eddd6 100644
--- a/includes/plugin-options-framework/inc/access-control.php
+++ b/includes/plugin-options-framework/inc/access-control.php
@@ -49,7 +49,7 @@ function dslc_access_control_init() {
  'section' => 'dslc_plugin_options_access_control',
  'label' => __( 'Front-End Editor', 'live-composer-page-builder' ),
- 'std' => 'publish_posts',
+ 'std' => 'manage_options',
  'type' => 'select',
  'descr' => __( 'Who can use Live Composer in the front-end? This will also affect who can manage post templates.', 'live-composer-page-builder' ),
  'choices' => $capability_opts
@@ -59,7 +59,7 @@ function dslc_access_control_init() {
  'section' => 'dslc_plugin_options_access_control',
  'label' => __( 'Projects Management', 'live-composer-page-builder' ),
- 'std' => 'publish_posts',
+ 'std' => 'manage_options',
  'type' => 'select',
  'descr' => __( 'Who can manage projects ( add, edit, trash... )?', 'live-composer-page-builder' ),
  'choices' => $capability_opts
@@ -69,7 +69,7 @@ function dslc_access_control_init() {
  'section' => 'dslc_plugin_options_access_control',
  'label' => __( 'Galleries Management', 'live-composer-page-builder' ),
- 'std' => 'publish_posts',
+ 'std' => 'manage_options',
  'type' => 'select',
  'descr' => __( 'Who can manage galleries ( add, edit, trash... )?', 'live-composer-page-builder' ),
  'choices' => $capability_opts
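Review bot: The pattern passed to preg_replace in dslc_sanitize_html, `'/)<[^<]*)*<\/script>/'`, contains closing parentheses with no opening one; if that is what was committed the regex does not compile, preg_replace returns `null`, and the function returns `null` to the ajax.php caller, which presumably discards the submitted module content rather than sanitizing it (if the page only lost part of the pattern in rendering, the committed line still deserves a check against `preg_last_error()`). Either way, deleting `<script>` elements with a regex is not an HTML sanitizer, so the body is better replaced with `return wp_kses_post( $html );`, which applies the allow-list WordPress core uses for post content. The docblock's `@since 1.0` is wrong for a function introduced by this release and should read `@since 1.5.39`, and the summary line `Generic function` says nothing — `Sanitize editor-submitted HTML before it is stored` would describe the contract.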
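Review bot: Changing the `'std'` value of the Front-End Editor option from `publish_posts` to `manage_options` only tightens the default; the hunk does not show how `std` is consumed, but if it is applied only when no option has been saved, sites that already stored the old value keep `publish_posts` after upgrading. Worth confirming against the options framework's loader and, if so, stating in the readme changelog that existing installs must revisit the Access Control settings to pick up the stricter default. The same change appears in the `-59`, `-69`, `-79`, `-89`, `-99` and `-109` hunks of this file.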
@@ -79,7 +79,7 @@ function dslc_access_control_init() {
  'section' => 'dslc_plugin_options_access_control',
  'label' => __( 'Staff Management', 'live-composer-page-builder' ),
- 'std' => 'publish_posts',
+ 'std' => 'manage_options',
  'type' => 'select',
  'descr' => __( 'Who can manage staff ( add, edit, trash... )?', 'live-composer-page-builder' ),
  'choices' => $capability_opts
@@ -89,7 +89,7 @@ function dslc_access_control_init() {
  'section' => 'dslc_plugin_options_access_control',
  'label' => __( 'Downloads Management', 'live-composer-page-builder' ),
- 'std' => 'publish_posts',
+ 'std' => 'manage_options',
  'type' => 'select',
  'descr' => __( 'Who can manage downloads ( add, edit, trash... )?', 'live-composer-page-builder' ),
  'choices' => $capability_opts
@@ -99,7 +99,7 @@ function dslc_access_control_init() {
  'section' => 'dslc_plugin_options_access_control',
  'label' => __( 'Testimonials Management', 'live-composer-page-builder' ),
- 'std' => 'publish_posts',
+ 'std' => 'manage_options',
  'type' => 'select',
  'descr' => __( 'Who can manage testimonials ( add, edit, trash... )?', 'live-composer-page-builder' ),
  'choices' => $capability_opts
@@ -109,7 +109,7 @@ function dslc_access_control_init() {
  'section' => 'dslc_plugin_options_access_control',
  'label' => __( 'Partners Management', 'live-composer-page-builder' ),
- 'std' => 'publish_posts',
+ 'std' => 'manage_options',
  'type' => 'select',
  'descr' => __( 'Who can manage partners ( add, edit, trash... )?', 'live-composer-page-builder' ),
  'choices' => $capability_opts
diff --git a/readme.txt b/readme.txt
index 10c4eaf8..374a5750 100644
--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: LiveComposer
 Tags: page builder, landing page builder, frontend page builder, drag and drop page builder, website builder
 Requires at least: 4.7
 Tested up to: 6.4.3
-Stable tag: 1.5.38
+Stable tag: 1.5.39
 License: GPLv3
 
 Page builder for WordPress with drag and drop header/footer editing, responsive settings, and animations. Compatible with Gutenberg block editor.
@@ -58,6 +58,9 @@ In most of the cases, this is because the homepage is not a real WordPress page,
 * 🦊 [Check out our WooCommerce Page Builder Extension](https://livecomposerplugin.com/downloads/woocommerce-page-builder/?utm_source=wp-admin&utm_medium=changelog&utm_campaign=woo-integration)
 * 👀 [We keep updating and improving our extensions pack](https://livecomposerplugin.com/downloads/extensions/?utm_source=wp-admin&utm_medium=changelog&utm_campaign=add-ons) ACF + CPT + MegaMenu + 9 more add-ons.
 
+= 1.5.39 - Mar 21 2024 =
+* Fixes related to Cross Site Request Forgery (CSRF)
+
 = 1.5.38 - Mar 15 2024 =
 * Fixes related to Cross Site Request Forgery (CSRF)
 

From 749ec9d5f6c10b47e5cb0a44c304110d945eae67 Mon Sep 17 00:00:00 2001
From: varsha-blueastral
Date: Thu, 21 Mar 2024 17:09:00 +0530
Subject: [PATCH 2/2] chang release date

---
 readme.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/readme.txt b/readme.txt
index 374a5750..b4b517e3 100644
--- a/readme.txt
+++ b/readme.txt
@@ -58,8 +58,8 @@ In most of the cases, this is because the homepage is not a real WordPress page,
 * 🦊 [Check out our WooCommerce Page Builder Extension](https://livecomposerplugin.com/downloads/woocommerce-page-builder/?utm_source=wp-admin&utm_medium=changelog&utm_campaign=woo-integration)
 * 👀 [We keep updating and improving our extensions pack](https://livecomposerplugin.com/downloads/extensions/?utm_source=wp-admin&utm_medium=changelog&utm_campaign=add-ons) ACF + CPT + MegaMenu + 9 more add-ons.
 
-= 1.5.39 - Mar 21 2024 =
-* Fixes related to Cross Site Request Forgery (CSRF)
+= 1.5.39 - Mar 22 2024 =
+* Fixes related to Cross Site Scripting (XSS)
 
 = 1.5.38 - Mar 15 2024 =
 * Fixes related to Cross Site Request Forgery (CSRF)