Fix for sanitized ALM ID.

ajaxloadmore · Mar 8, 2023 · 03a9510 · 03a9510
1 parent b33c8a8
commit 03a9510
Show file tree

Hide file tree

Showing 10 changed files with 1,303 additions and 365 deletions.
diff --git a/README.txt b/README.txt
@@ -5,7 +5,7 @@ Tags: infinite scroll, load more, ajax, lazy load, endless scroll, infinite scro
 Requires at least: 4.4
 Requires PHP: 5.6
 Tested up to: 6.1
-Stable tag: 5.6.0.3
+Stable tag: 5.6.0.4
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -263,6 +263,12 @@ How to install Ajax Load More.
 
 == Changelog ==
 
+= 5.6.0.4 - March 8, 2023 =
+* UPDATE: Resticting ALM ID to contain alphanumeric characters, dashes and underscores only.
+* FIX: Fixed issue with Filters target parameter and the security updates in ALM 5.6.0.3
+* FIX: Fix for `total_posts` value in new `getTotals()` method.
+
+
 = 5.6.0.3 - February 24, 2023 =
 * NEW: Add new `getTotalRemaining` public JS function that returns the total number of posts remaining to be loaded  by ALM instance ID. [See Docs](https://connekthq.com/plugins/ajax-load-more/docs/public-functions/#getTotalRemaining)
 * Update: Added support for disabling Images Loaded functionality in WooCommerce add-on.

diff --git a/admin/shortcode-builder/js/shortcode-builder.js b/admin/shortcode-builder/js/shortcode-builder.js
@@ -1413,6 +1413,34 @@ jQuery(document).ready(function ($) {
 		_alm.buildShortcode();
 	});
 
+	// Allow only alphanumeric and underscores only.
+	$('input.id-only').keydown(function (e) {
+		var keyCode = e.keyCode || e.which;
+		var shiftKey = e.shiftKey;
+		var keyCode = e.keyCode;
+
+		if (shiftKey && keyCode !== 189) {
+			// Bail if not shiftkey and underscore.
+			return false;
+		}
+
+		if (
+			keyCode === 8 ||
+			keyCode === 9 ||
+			keyCode === 46 ||
+			keyCode === 95 ||
+			keyCode === 189 ||
+			(keyCode > 47 && keyCode < 58) ||
+			(keyCode > 64 && keyCode < 91) ||
+			(keyCode > 96 && keyCode < 123)
+		) {
+			return true;
+		} else {
+			return false;
+		}
+	});
+
+	// Allow numbers only.
 	$('input.numbers-only').keydown(function (e) {
 		if (
 			$.inArray(e.keyCode, [188, 46, 8, 9, 27, 13, 110, 190]) !== -1 ||

diff --git a/admin/shortcode-builder/shortcode-builder.php b/admin/shortcode-builder/shortcode-builder.php
@@ -103,14 +103,17 @@
 						<section class="first">
 							<div class="shortcode-builder--label">
 								<h4><?php _e('ID', 'ajax-load-more'); ?> <a href="javascript:void(0)" class="fa fa-question-circle tooltip" title="<?php _e('Adding a unique ID will allow you target this specific Ajax Load More instance with the alm_query_args_id() filter','ajax-load-more'); ?>."></a></h4>
-								<p><?php _e('Set a unique ID for this Ajax Load More instance.', 'ajax-load-more'); ?></p>
+								<p>
+									<?php _e('Set a unique ID for this Ajax Load More instance.', 'ajax-load-more'); ?>
+									<small>e.g. my_alm_list etc...</small>
+								</p>
 								<p><a class="button-small" href="https://connekthq.com/plugins/ajax-load-more/docs/filter-hooks/#alm_query_args" target="_blank"><?php _e('Learn More', 'ajax-load-more'); ?></a></p>
 							</div>
 							<div class="shortcode-builder--fields">
 								<div class="inner">
-									<input type="text" class="alm_element" name="unique-id" id="unique-id">
+									<input type="text" class="alm_element id-only" name="unique-id" id="unique-id" style="text-transform: lowercase;" autocomplete="off">
 									<div class="clear"></div>
-									<p class="generate-id"><a href="javascript:void(0);" data-id="unique-id"><i class="fa fa-random"></i> <?php _e('Generate Unique ID', 'ajax-load-more'); ?></a></p>
+									<p class="generate-id"><a href="javascript:void(0);" data-id="unique-id"><i class="fa fa-random"></i> <?php _e('Generate ID', 'ajax-load-more'); ?></a></p>
 								</div>
 							</div>
 						</section>

diff --git a/ajax-load-more.php b/ajax-load-more.php
@@ -7,15 +7,15 @@
  * Author: Darren Cooney
  * Twitter: @KaptonKaos
  * Author URI: https://connekthq.com
- * Version: 5.6.0.3
+ * Version: 5.6.0.4
  * License: GPL
  * Copyright: Darren Cooney & Connekt Media
  *
  * @package AjaxLoadMore
  */
 
-define( 'ALM_VERSION', '5.6.0.3' );
-define( 'ALM_RELEASE', 'February 24, 2023' );
+define( 'ALM_VERSION', '5.6.0.4' );
+define( 'ALM_RELEASE', 'March 8, 2023' );
 define( 'ALM_STORE_URL', 'https://connekthq.com' );
 
 // Plugin installation helpers.
@@ -409,7 +409,7 @@ public static function alm_return_shortcode_atts() {
 		 * @since 2.0.0
 		 */
 		public function alm_query_posts() {
-			$params = filter_input_array( INPUT_GET, FILTER_SANITIZE_STRING );
+			$params = filter_input_array( INPUT_GET );
 
 			// WPML fix for category/tag/taxonomy archives.
 			if ( ( isset( $params['category'] ) && $params['category'] ) || ( isset( $params['taxonomy'] ) && $params['taxonomy'] ) || ( isset( $params['tag'] ) && $params['tag'] ) ) {

diff --git a/core/classes/class-alm-shortcode.php b/core/classes/class-alm-shortcode.php
@@ -1371,7 +1371,7 @@ public static function alm_render_shortcode( $atts ) {
 			 * Custom JavaScript.
 			 * ALM core setting parameter.
 			 */
-			$ajaxloadmore .= isset( $options['_alm_custom_js'] ) && ! empty( $options['_alm_custom_js'] ) ? '<script>' . esc_html( $options['_alm_custom_js'] ) . '</script>' : '';
+			$ajaxloadmore .= isset( $options['_alm_custom_js'] ) && ! empty( $options['_alm_custom_js'] ) ? '<script>' . $options['_alm_custom_js'] . '</script>' : ''; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 
 			/**
 			 * REST API Add-on

diff --git a/core/dist/js/ajax-load-more.js b/core/dist/js/ajax-load-more.js
@@ -4802,7 +4802,7 @@ function getTotals(type) {
 	var id = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : '';
 
 	// Get the ALM localized variable name.
-	var localize_var = id ? 'ajax_load_more_' + id + '_vars' : 'ajax_load_more_vars';
+	var localize_var = id ? 'ajax_load_more_' + id.replace(/-/g, '_') + '_vars' : 'ajax_load_more_vars';
 
 	// Get the localized value from the window object.
 	var localized = window[localize_var];
@@ -5745,6 +5745,8 @@ var _slicedToArray = function () {
 	};
 }();
 
+exports.default = almFilter;
+
 var _fadeIn = __webpack_require__(/*! ./fadeIn */ "./core/src/js/modules/fadeIn.js");
 
 var _fadeIn2 = _interopRequireDefault(_fadeIn);
@@ -5770,98 +5772,100 @@ function _toConsumableArray(arr) {
 }
 
 /**
- * Filter Ajax Load More
+ * Filter an Ajax Load More instance.
  *
- * @param {*} transition string;
- * @param {*} speed number;
- * @param {*} data obj;
- * @param {*} type string;
+ * @param {string} transition Transition type.
+ * @param {Number} speed      Transition speed.
+ * @param {Object} data       Data object.
+ * @param {string} type       Type of filter.
  * @since 2.6.1
  */
-
-var almFilter = function almFilter(transition, speed, data) {
+function almFilter(transition) {
+	var speed = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : 150;
+	var data = arguments[2];
 	var type = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : 'filter';
 
 	if (data.target) {
-		// if a target has been specified
-		var target = document.querySelectorAll('.ajax-load-more-wrap[data-id="' + data.target + '"]');
-		target.forEach(function (element) {
-			almFilterTransition(transition, speed, data, element, type);
-		});
+		// Target has been specified.
+		var alm = document.querySelectorAll('.ajax-load-more-wrap[data-id="' + data.target.toLowerCase() + '"]');
+		if (alm) {
+			alm.forEach(function (element) {
+				almFilterTransition(transition, speed, data, type, element);
+			});
+		}
 	} else {
-		// Target not specified
-		var alm = document.querySelectorAll('.ajax-load-more-wrap');
-		alm.forEach(function (element) {
-			almFilterTransition(transition, speed, data, element, type);
-		});
+		// Target not specified.
+		var _alm = document.querySelectorAll('.ajax-load-more-wrap');
+		if (_alm) {
+			_alm.forEach(function (element) {
+				almFilterTransition(transition, speed, data, type, element);
+			});
+		}
 	}
 
-	// Clear table of contents if required
-	(0, _tableofcontents.clearTOC)();
-};
-exports.default = almFilter;
+	(0, _tableofcontents.clearTOC)(); // Clear table of contents if required
+}
 
 /**
  * Transition Ajax Load More
  *
- * @param {*} transition string;
- * @param {*} speed number;
- * @param {*} data obj;
- * @param {*} el element;
- * @param {*} type string;
+ * @param {string}  transition Transition type.
+ * @param {Number}  speed      Transition speed.
+ * @param {Object}  data       Data object.
+ * @param {string}  type       Type of filter.
+ * @param {Element} element    Target element.
  * @since 2.13.1
  */
-
-var almFilterTransition = function almFilterTransition(transition, speed, data, el, type) {
+function almFilterTransition(transition, speed, data, type, element) {
 	if (transition === 'fade' || transition === 'masonry') {
 		// Fade, Masonry transition
 
 		switch (type) {
 			case 'filter':
-				el.classList.add('alm-is-filtering');
-				(0, _fadeOut2.default)(el, speed);
-
+				element.classList.add('alm-is-filtering');
+				(0, _fadeOut2.default)(element, speed);
 				break;
 
 			case 'tab':
-				el.classList.add('alm-loading');
-				var new_el = el.querySelector('.alm-listing');
-				el.style.height = new_el.offsetHeight + 'px';
-				(0, _fadeOut2.default)(new_el, speed);
-
+				element.classList.add('alm-loading');
+				var new_element = element.querySelector('.alm-listing');
+				element.style.height = new_element.offsetHeight + 'px';
+				(0, _fadeOut2.default)(new_element, speed);
 				break;
 		}
 
 		// Move to next function
 		setTimeout(function () {
-			almCompleteFilterTransition(speed, data, el, type);
+			almCompleteFilterTransition(speed, data, type, element);
 		}, speed);
 	} else {
 		// No transition
-		el.classList.add('alm-is-filtering');
-		almCompleteFilterTransition(speed, data, el, type);
+		element.classList.add('alm-is-filtering');
+		almCompleteFilterTransition(speed, data, type, element);
 	}
-};
+}
 
 /**
  * Complete the filter transition
  *
- * @param {*} speed number;
- * @param {*} data obj;
- * @param {*} el element;
- * @param {*} type string;
+ * @param {number}  speed    Transition speed.
+ * @param {object}  data     Data object.
+ * @param {string}  type     Type of filter.
+ * @param {Element} element  Target element.
  * @since 3.3
  */
-var almCompleteFilterTransition = function almCompleteFilterTransition(speed, data, el, type) {
-	// Get `.alm-btn-wrap` element
-	var btnWrap = el.querySelector('.alm-btn-wrap');
+function almCompleteFilterTransition(speed, data, type, element) {
+	var btnWrap = element.querySelector('.alm-btn-wrap'); // Get `.alm-btn-wrap` element
+	var listing = element.querySelectorAll('.alm-listing'); // Get `.alm-listing` element
 
-	// Get `.alm-listing` element
-	var listing = el.querySelectorAll('.alm-listing');
+	if (!listing || !btnWrap) {
+		// Bail early if elements doesn't exist.
+		return false;
+	}
 
-	// Loop over all .alm-listing divs
+	// Loop over all .alm-listing divs and clear HTML.
 	[].concat(_toConsumableArray(listing)).forEach(function (e) {
-		e.innerHTML = ''; // Clear listings
+		e.innerHTML = '';
 	});
 
 	// Get Load More button
@@ -5878,28 +5882,24 @@ var almCompleteFilterTransition = function almCompleteFilterTransition(speed, da
 
 	// Reset Preloaded Amount
 	data.preloadedAmount = 0;
+
 	// Dispatch Filters
-	almSetFilters(speed, data, el, type);
-};
+	almSetFilters(speed, data, type, element);
+}
 
 /**
  * Set filter parameters on .alm-listing element.
  *
- * @param {*} speed number;
- * @param {*} el element;
- * @param {*} data string;
- * @param {*} type string;
+ * @param {number}  speed   Transition speed.
+ * @param {object}  data    Data object.
+ * @param {string}  type    Type of filter.
+ * @param {Element} element Target element.
  * @updated 3.3
  * @since 2.6.1
  */
-var almSetFilters = function almSetFilters() {
-	var speed = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : 150;
-	var data = arguments[1];
-	var el = arguments[2];
-	var type = arguments[3];
-
-	// Get `alm-listing` container
-	var listing = el.querySelector('.alm-listing') || el.querySelector('.alm-comments');
+function almSetFilters(speed, data, type, element) {
+	// Get `alm-listing` container.
+	var listing = element.querySelector('.alm-listing') || element.querySelector('.alm-comments');
 	if (!listing) {
 		return false;
 	}
@@ -5940,7 +5940,7 @@ var almSetFilters = function almSetFilters() {
 				}
 			}
 
-			(0, _fadeIn2.default)(el, speed);
+			(0, _fadeIn2.default)(element, speed);
 			break;
 
 		case 'tab':
@@ -5952,7 +5952,7 @@ var almSetFilters = function almSetFilters() {
 			break;
 	}
 
-	// Re-initiate Ajax Load More
+	// Re-initiate Ajax Load More.
 	var target = '';
 	if (data.target) {
 		// Target has been specified
@@ -5985,7 +5985,7 @@ var almSetFilters = function almSetFilters() {
 			}
 			break;
 	}
-};
+}
 
 /***/ }),
 

diff --git a/core/dist/js/ajax-load-more.min.js b/core/dist/js/ajax-load-more.min.js
diff --git a/core/src/js/helpers/getTotals.js b/core/src/js/helpers/getTotals.js
@@ -10,7 +10,7 @@
  */
 export default function getTotals(type, id = '') {
 	// Get the ALM localized variable name.
-	const localize_var = id ? `ajax_load_more_${id}_vars` : 'ajax_load_more_vars';
+	const localize_var = id ? `ajax_load_more_${id.replace(/-/g, '_')}_vars` : 'ajax_load_more_vars';
 
 	// Get the localized value from the window object.
 	const localized = window[localize_var];