Merge pull request #1112 from live-composer/1.5.30

1.5.30

ds-live-composer.php

@@ -4,7 +4,7 @@
  * Plugin URI: https://www.livecomposerplugin.com
  * Description: Page builder for WordPress with drag and drop header/footer editing.
  * Author: Live Composer Team
- * Version: 1.5.29
+ * Version: 1.5.30
  * Author URI: https://livecomposerplugin.com
  * License: GPL3
  * License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -41,7 +41,7 @@
 	 * Constants
 	 */
 
-	define( 'DS_LIVE_COMPOSER_VER', '1.5.29' );
+	define( 'DS_LIVE_COMPOSER_VER', '1.5.30' );
 
 	define( 'DS_LIVE_COMPOSER_SHORTNAME', __( 'Live Composer', 'live-composer-page-builder' ) );
 	define( 'DS_LIVE_COMPOSER_BASENAME', plugin_basename( __FILE__ ) );

includes/ajax.php

@@ -23,8 +23,6 @@
 	header( 'HTTP/1.0 403 Forbidden' );
 	exit;
 }
-
-
 /**
  * Add/display a new module section
  *
@@ -473,7 +471,11 @@ function dslc_ajax_import_template( $atts ) {
 
 		// The code of the template.
 		$template_code = stripslashes( $_POST['dslc_template_code'] );
-		$template_code = maybe_serialize($template_code);
+
+		if (!dslc_is_json( $template_code ) ) {
+			return 0;
+			exit;
+		}
 
 		$response['output'] = dslc_render_content( $template_code, true );
 
@@ -526,7 +528,7 @@ function dslc_ajax_save_template( $atts ) {
 		$templates[ $template_id ] = array(
 			'title' => $template_title,
 			'id' => $template_id,
-			'code' => maybe_serialize($template_code),
+			'code' => $template_code,
 			'section' => 'user',
 		);
 
@@ -605,9 +607,10 @@ function dslc_ajax_import_modules_section( $atts ) {
 
 		// The code of the modules section.
 		$code_to_import = stripslashes( $_POST['dslc_modules_section_code'] );
-
-		$code_to_import = maybe_serialize($code_to_import);
-
+		if (!dslc_is_json($code_to_import) ) {
+			return 0;
+			exit;
+		}
 		$response['output'] = dslc_render_content( $code_to_import, true );
 		$response['output'] = do_shortcode( $response['output'] );
 

includes/display-functions.php

@@ -942,7 +942,13 @@ function dslc_editor_code() {
  * @return Bool           True if JSON, false otherwise.
  */
 function dslc_is_json( $string ) {
-	json_decode( $string );
+
+	try {
+		json_decode( $string );
+	} catch (\Throwable $th) {
+		return false;
+	}
+
 	return ( function_exists( 'json_last_error' ) && json_last_error() == JSON_ERROR_NONE );
 }
 
@@ -956,54 +962,61 @@ function dslc_is_json( $string ) {
 function dslc_json_decode( $raw_code, $ignore_migration = false ) {
 	$decoded = false;
 
-	// $raw_code = maybe_unserialize( stripslashes($raw_code) );
-	$raw_code = maybe_unserialize( $raw_code );
-
-	// Array already provided. Do nothing.
-	if ( is_array( $raw_code ) ) {
-		return $raw_code;
-	}
-
-	// Is it JSON?
-	if ( ! dslc_is_json( $raw_code ) ) {
-		// If it's not JSON then:
-		// 1. it's old code of the module settings serialized + base64.
-		// 2. it's old code containing both shortocodes + base64.
-		/**
-		 * Is it's valid base64?
-		 *
-		 * Function base64_decode returns FALSE if input contains
-		 * character from outside the base64 alphabet.
-		 */
-
-		$decoded_base64 = base64_decode( $raw_code );
-
-		// Base64 successfull?
-		if ( ! $decoded_base64 ) {
-			// 2. it's old code containing both shortocodes + base64
-			// We can do nothing with it, so return FALSE.
-			return false;
-		} else {
+	if (dslc_is_json( $raw_code ) ) {
+		$decoded = json_decode( $raw_code, true );
+	}
+	else{
+		// $raw_code = maybe_unserialize( stripslashes($raw_code) );
+		$raw_code = maybe_unserialize( $raw_code );
+
+		// Array already provided. Do nothing.
+		if ( is_array( $raw_code ) ) {
+			return $raw_code;
+		}
+
+		// Is it JSON?
+		if ( ! dslc_is_json( $raw_code ) ) {
+			// If it's not JSON then:
 			// 1. it's old code of the module settings serialized + base64.
-			// Get array out of it.
-			$decoded = maybe_unserialize( $decoded_base64 );
+			// 2. it's old code containing both shortocodes + base64.
+			/**
+			 * Is it's valid base64?
+			 *
+			 * Function base64_decode returns FALSE if input contains
+			 * character from outside the base64 alphabet.
+			 */
+
+			$decoded_base64 = base64_decode( $raw_code );
+
+			// Base64 successfull?
+			if ( ! $decoded_base64 ) {
+				// 2. it's old code containing both shortocodes + base64
+				// We can do nothing with it, so return FALSE.
+				return false;
+			} else {
+				// 1. it's old code of the module settings serialized + base64.
+				// Get array out of it.
+				$decoded = maybe_unserialize( $decoded_base64 );
+
+				// Add a marker indicating that this module
+				// was imported from shortcode format.
+				if ( is_array( $decoded ) ) {
+					$decoded['code_version'] = 1;
+				}
 
-			// Add a marker indicating that this module
-			// was imported from shortcode format.
-			if ( is_array( $decoded ) ) {
-				$decoded['code_version'] = 1;
+				// Preset is always being stored in base64 format,
+				// so we need to ignore code version parameter as it's not relevant.
+				if ( $ignore_migration ) {
+					unset( $decoded['code_version'] );
+				}
 			}
+		} else {
+			// Decode JSON.
+			$decoded = json_decode( $raw_code, true );
+		} // End if().
+
+	}
 
-			// Preset is always being stored in base64 format,
-			// so we need to ignore code version parameter as it's not relevant.
-			if ( $ignore_migration ) {
-				unset( $decoded['code_version'] );
-			}
-		}
-	} else {
-		// Decode JSON.
-		$decoded = json_decode( $raw_code, true );
-	} // End if().
 
 	return $decoded;
 }

readme.txt

@@ -3,7 +3,7 @@ Contributors: LiveComposer
 Tags: page builder, landing page builder, frontend page builder, drag and drop page builder, website builder
 Requires at least: 4.7
 Tested up to: 6.4.2
-Stable tag: 1.5.29
+Stable tag: 1.5.30
 License: GPLv3
 
 Page builder for WordPress with drag and drop header/footer editing, responsive settings, and animations. Compatible with Gutenberg block editor.
@@ -58,6 +58,9 @@ In most of the cases, this is because the homepage is not a real WordPress page,
 * 🦊 [Check out our WooCommerce Page Builder Extension](https://livecomposerplugin.com/downloads/woocommerce-page-builder/?utm_source=wp-admin&utm_medium=changelog&utm_campaign=woo-integration)
 * 👀 [We keep updating and improving our extensions pack](https://livecomposerplugin.com/downloads/extensions/?utm_source=wp-admin&utm_medium=changelog&utm_campaign=add-ons) ACF + CPT + MegaMenu + 9 more add-ons.
 
+= 1.5.30 - Jan 24 2024 =
+* Security improvements
+
 = 1.5.29 - Jan 17 2024 =
 * Security improvement