v7.4.3

larangin · larangin · commit 57ce6051e806 · 2025-01-21T21:07:31.000-05:00
diff --git a/application/config/constants.php b/application/config/constants.php
@@ -1,7 +1,7 @@
 <?php  if ( ! defined( 'BASEPATH' ) ) {
 	exit( 'No direct script access allowed' );}
 
-define( 'UIFORM_VERSION', '7.3.9' );
+define( 'UIFORM_VERSION', '7.4.3' );
 define( 'ZIGAFORM_F_LITE', 1 );
 define( 'UIFORM_DEBUG', 0 );
 define( 'UIFORM_DEMO', 0 );
diff --git a/application/helpers/common_helper.php b/application/helpers/common_helper.php
@@ -191,6 +191,34 @@ public static function sanitizeInput_html($string)
 		return $string;
 	}
 
+	public static function sanitizeInput_front_html($string)
+    {
+        if (!is_string($string)) {
+            return $string;
+        }
+
+        // Decode existing entities to prevent double encoding
+        $string = html_entity_decode($string, ENT_QUOTES, 'UTF-8');
+
+        // Strip slashes added by magic quotes or manual escaping
+        $string = stripslashes($string);
+
+        // Strip potential dangerous tags and attributes
+        $string = strip_tags($string, '<a><b><i><strong><em><ul><li><ol>'); // Allow only safe tags
+
+        // Encode special characters to prevent HTML injection
+        $string = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
+
+        // Remove dangerous JavaScript attributes
+        $string = preg_replace('/(on\w*|style)=["\'].*?["\']/i', '', $string);
+
+        // Normalize whitespaces and trim
+        $string = preg_replace('/[\n\r\t]+/', ' ', $string);
+        $string = trim($string);
+
+        return $string;
+    }
+
 
 	public static function sanitizeInput_data_html($string)
 	{
@@ -285,6 +313,22 @@ public static function sanitizeRecursive_html($data)
 		}
 	}
 
+    /**
+     * Sanitize recursive
+     *
+     * @param string $data array
+     *
+     * @return array
+     */
+    public static function sanitizeRecursive_front_html($data)
+    {
+        if ( is_array($data)) {
+            return array_map(array( 'Uiform_Form_Helper', 'sanitizeRecursive_front_html' ), $data);
+        } else {
+            return self::sanitizeInput_front_html($data);
+        }
+    }
+
 
 	public static function data_encrypt($string, $key)
 	{
diff --git a/application/modules/formbuilder/controllers/frontend.php b/application/modules/formbuilder/controllers/frontend.php
@@ -1193,8 +1193,8 @@ public function process_form($isMultiStep = false)
             }
             $is_demo               = ( $_POST['zgfm_is_demo'] ) ? intval(Uiform_Form_Helper::sanitizeInput(trim($_POST['zgfm_is_demo']))) : 0;
             $this->current_form_id = $form_id;
-                $form_fields       = ( isset($_POST['uiform_fields']) && $_POST['uiform_fields'] ) ? array_map(array( 'Uiform_Form_Helper', 'sanitizeRecursive_html' ), $_POST['uiform_fields']) : array();
-                $form_avars        = ( isset($_POST['zgfm_avars']) && $_POST['zgfm_avars'] ) ? array_map(array( 'Uiform_Form_Helper', 'sanitizeRecursive_html' ), $_POST['zgfm_avars']) : array();
+                $form_fields       = ( isset($_POST['uiform_fields']) && $_POST['uiform_fields'] ) ? array_map(array( 'Uiform_Form_Helper', 'sanitizeRecursive_front_html' ), $_POST['uiform_fields']) : array();
+                $form_avars        = ( isset($_POST['zgfm_avars']) && $_POST['zgfm_avars'] ) ? array_map(array( 'Uiform_Form_Helper', 'sanitizeRecursive_front_html' ), $_POST['zgfm_avars']) : array();
                 $form_f_tmp        = array();
                 $form_f_rec_tmp    = array();
 
diff --git a/assets/backend/json/manifest.json b/assets/backend/json/manifest.json
diff --git a/change_log.txt b/change_log.txt
@@ -1,3 +1,6 @@
+version 7.4.3
+[update] - Implemented a critical security patch to address potential vulnerabilities and enhance system protection.
+-----------------------------------------------------------------------------------------------------------------
 version 7.3.9
 [fix] - minor issues
 -----------------------------------------------------------------------------------------------------------------
diff --git a/i18n/languages/backend/wprockf.pot b/i18n/languages/backend/wprockf.pot
@@ -1,12 +1,12 @@
-# Copyright (C) 2024 Zigaform WP Cost Estimation Form Builder 7.3.9
-# This file is distributed under the same license as the Zigaform WP Cost Estimation Form Builder 7.3.9 package.
+# Copyright (C) 2025 Zigaform WP Cost Estimation Form Builder 7.4.3
+# This file is distributed under the same license as the Zigaform WP Cost Estimation Form Builder 7.4.3 package.
 msgid ""
 msgstr ""
-"Project-Id-Version: Zigaform WP Cost Estimation Form Builder 7.3.9\n"
+"Project-Id-Version: Zigaform WP Cost Estimation Form Builder 7.4.3\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2024-11-15 01:58+0000\n"
+"POT-Creation-Date: 2025-01-22 02:01+0000\n"
 "X-Poedit-Basepath: ..\n"
 "X-Poedit-KeywordsList: __;_e;_ex:1,2c;_n:1,2;_n_noop:1,2;_nx:1,2,4c;_nx_noop:1,2,3c;_x:1,2c;esc_attr__;esc_attr_e;esc_attr_x:1,2c;esc_html__;esc_html_e;esc_html_x:1,2c\n"
 "X-Poedit-SearchPath-0: .\n"
diff --git a/i18n/languages/front/wprockf-de_DE.po b/i18n/languages/front/wprockf-de_DE.po
@@ -1,5 +1,5 @@
-# Copyright (C) 2024 Zigaform PHP Form Builder 7.3.9
-# This file is distributed under the same license as the Zigaform PHP Form Builder 7.3.9 package.
+# Copyright (C) 2025 Zigaform PHP Form Builder 7.4.3
+# This file is distributed under the same license as the Zigaform PHP Form Builder 7.4.3 package.
 msgid ""
 msgstr ""
 "Project-Id-Version: Rocket form\n"
diff --git a/i18n/languages/front/wprockf-en_US.po b/i18n/languages/front/wprockf-en_US.po
@@ -1,5 +1,5 @@
-# Copyright (C) 2024 Zigaform PHP Form Builder 7.3.9
-# This file is distributed under the same license as the Zigaform PHP Form Builder 7.3.9 package.
+# Copyright (C) 2025 Zigaform PHP Form Builder 7.4.3
+# This file is distributed under the same license as the Zigaform PHP Form Builder 7.4.3 package.
 msgid ""
 msgstr ""
 "Project-Id-Version: Rocket form\n"
diff --git a/i18n/languages/front/wprockf-es_ES.po b/i18n/languages/front/wprockf-es_ES.po
@@ -1,5 +1,5 @@
-# Copyright (C) 2024 Zigaform PHP Form Builder 7.3.9
-# This file is distributed under the same license as the Zigaform PHP Form Builder 7.3.9 package.
+# Copyright (C) 2025 Zigaform PHP Form Builder 7.4.3
+# This file is distributed under the same license as the Zigaform PHP Form Builder 7.4.3 package.
 msgid ""
 msgstr ""
 "Project-Id-Version: Rocket form\n"
diff --git a/i18n/languages/front/wprockf-fr_FR.po b/i18n/languages/front/wprockf-fr_FR.po
@@ -1,5 +1,5 @@
-# Copyright (C) 2024 Zigaform PHP Form Builder 7.3.9
-# This file is distributed under the same license as the Zigaform PHP Form Builder 7.3.9 package.
+# Copyright (C) 2025 Zigaform PHP Form Builder 7.4.3
+# This file is distributed under the same license as the Zigaform PHP Form Builder 7.4.3 package.
 msgid ""
 msgstr ""
 "Project-Id-Version: Rocket form\n"
diff --git a/i18n/languages/front/wprockf-it_IT.po b/i18n/languages/front/wprockf-it_IT.po
@@ -1,5 +1,5 @@
-# Copyright (C) 2024 Zigaform PHP Form Builder 7.3.9
-# This file is distributed under the same license as the Zigaform PHP Form Builder 7.3.9 package.
+# Copyright (C) 2025 Zigaform PHP Form Builder 7.4.3
+# This file is distributed under the same license as the Zigaform PHP Form Builder 7.4.3 package.
 msgid ""
 msgstr ""
 "Project-Id-Version: Rocket form\n"
diff --git a/i18n/languages/front/wprockf-pt_BR.po b/i18n/languages/front/wprockf-pt_BR.po
@@ -1,5 +1,5 @@
-# Copyright (C) 2024 Zigaform PHP Form Builder 7.3.9
-# This file is distributed under the same license as the Zigaform PHP Form Builder 7.3.9 package.
+# Copyright (C) 2025 Zigaform PHP Form Builder 7.4.3
+# This file is distributed under the same license as the Zigaform PHP Form Builder 7.4.3 package.
 msgid ""
 msgstr ""
 "Project-Id-Version: Rocket form\n"
diff --git a/i18n/languages/front/wprockf-ru_RU.po b/i18n/languages/front/wprockf-ru_RU.po
@@ -1,5 +1,5 @@
-# Copyright (C) 2024 Zigaform PHP Form Builder 7.3.9
-# This file is distributed under the same license as the Zigaform PHP Form Builder 7.3.9 package.
+# Copyright (C) 2025 Zigaform PHP Form Builder 7.4.3
+# This file is distributed under the same license as the Zigaform PHP Form Builder 7.4.3 package.
 msgid ""
 msgstr ""
 "Project-Id-Version: Rocket form\n"
diff --git a/i18n/languages/front/wprockf-zh_CN.po b/i18n/languages/front/wprockf-zh_CN.po
@@ -1,5 +1,5 @@
-# Copyright (C) 2024 Zigaform PHP Form Builder 7.3.9
-# This file is distributed under the same license as the Zigaform PHP Form Builder 7.3.9 package.
+# Copyright (C) 2025 Zigaform PHP Form Builder 7.4.3
+# This file is distributed under the same license as the Zigaform PHP Form Builder 7.4.3 package.
 msgid ""
 msgstr ""
 "Project-Id-Version: Rocket form\n"
diff --git a/i18n/languages/front/wprockf.pot b/i18n/languages/front/wprockf.pot
@@ -1,12 +1,12 @@
-# Copyright (C) 2024 Zigaform PHP Form Builder 7.3.9
-# This file is distributed under the same license as the Zigaform PHP Form Builder 7.3.9 package.
+# Copyright (C) 2025 Zigaform PHP Form Builder 7.4.3
+# This file is distributed under the same license as the Zigaform PHP Form Builder 7.4.3 package.
 msgid ""
 msgstr ""
-"Project-Id-Version: Zigaform PHP Form Builder 7.3.9\n"
+"Project-Id-Version: Zigaform PHP Form Builder 7.4.3\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2024-11-15 01:58+0000\n"
+"POT-Creation-Date: 2025-01-22 02:01+0000\n"
 "X-Poedit-Basepath: ..\n"
 "X-Poedit-KeywordsList: __;_e;_ex:1,2c;_n:1,2;_n_noop:1,2;_nx:1,2,4c;_nx_noop:1,2,3c;_x:1,2c;esc_attr__;esc_attr_e;esc_attr_x:1,2c;esc_html__;esc_html_e;esc_html_x:1,2c\n"
 "X-Poedit-SearchPath-0: .\n"
diff --git a/install/db/structure.sql b/install/db/structure.sql
@@ -178,7 +178,7 @@ CREATE TABLE `fbcf_uiform_settings` (
 -- ----------------------------
 -- Records of fbcf_uiform_settings
 -- ----------------------------
-INSERT INTO `fbcf_uiform_settings` VALUES ('7.3.9', '1', '', '0', '', '','', '/usr/sbin/sendmail', 'en', '1', 'Company name', 'user@testexample.com', '2016-02-09 00:38:01', '1980-01-01 00:00:01');
+INSERT INTO `fbcf_uiform_settings` VALUES ('7.4.3', '1', '', '0', '', '','', '/usr/sbin/sendmail', 'en', '1', 'Company name', 'user@testexample.com', '2016-02-09 00:38:01', '1980-01-01 00:00:01');
 
 -- ----------------------------
 -- Table structure for `fbcf_uiform_user`
diff --git a/install/db/structure_mysql8.sql b/install/db/structure_mysql8.sql
@@ -178,7 +178,7 @@ CREATE TABLE `fbcf_uiform_settings` (
 -- ----------------------------
 -- Records of fbcf_uiform_settings
 -- ----------------------------
-INSERT INTO `fbcf_uiform_settings` VALUES ('7.3.9', '1', '', '0', '', '','', '/usr/sbin/sendmail', 'en', '1', 'Company name', 'user@testexample.com', '2016-02-09 00:38:01', '1980-01-01 00:00:01');
+INSERT INTO `fbcf_uiform_settings` VALUES ('7.4.3', '1', '', '0', '', '','', '/usr/sbin/sendmail', 'en', '1', 'Company name', 'user@testexample.com', '2016-02-09 00:38:01', '1980-01-01 00:00:01');
 
 -- ----------------------------
 -- Table structure for `fbcf_uiform_user`
diff --git a/readme.txt b/readme.txt
@@ -7,7 +7,7 @@ Tags: form, forms, contact form, custom form, form builder, form creator, form m
 Requires at least: 5.0  
 Tested up to: 6.6.1  
 Requires PHP: 5.4  
-Stable tag: 7.3.9  
+Stable tag: 7.4.3  
 
 Create forms with total control using this powerful drag-and-drop form builder, allowing you to build contact forms or any custom forms in minutes.
 
diff --git a/vendor/autoload.php b/vendor/autoload.php
@@ -4,4 +4,4 @@
 
 require_once __DIR__ . '/composer/autoload_real.php';
 
-return ComposerAutoloaderInit8cd06888ad2f7157fd178791fe203518::getLoader();
+return ComposerAutoloaderInit6315adedaf3ba9b72be29d3fc130aedc::getLoader();
diff --git a/vendor/composer/autoload_real.php b/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@
 
 // autoload_real.php @generated by Composer
 
-class ComposerAutoloaderInit8cd06888ad2f7157fd178791fe203518
+class ComposerAutoloaderInit6315adedaf3ba9b72be29d3fc130aedc
 {
     private static $loader;
 
@@ -22,15 +22,15 @@ public static function getLoader()
             return self::$loader;
         }
 
-        spl_autoload_register(array('ComposerAutoloaderInit8cd06888ad2f7157fd178791fe203518', 'loadClassLoader'), true, true);
+        spl_autoload_register(array('ComposerAutoloaderInit6315adedaf3ba9b72be29d3fc130aedc', 'loadClassLoader'), true, true);
         self::$loader = $loader = new \Composer\Autoload\ClassLoader();
-        spl_autoload_unregister(array('ComposerAutoloaderInit8cd06888ad2f7157fd178791fe203518', 'loadClassLoader'));
+        spl_autoload_unregister(array('ComposerAutoloaderInit6315adedaf3ba9b72be29d3fc130aedc', 'loadClassLoader'));
 
         $useStaticLoader = PHP_VERSION_ID >= 50600 && !defined('HHVM_VERSION') && (!function_exists('zend_loader_file_encoded') || !zend_loader_file_encoded());
         if ($useStaticLoader) {
             require_once __DIR__ . '/autoload_static.php';
 
-            call_user_func(\Composer\Autoload\ComposerStaticInit8cd06888ad2f7157fd178791fe203518::getInitializer($loader));
+            call_user_func(\Composer\Autoload\ComposerStaticInit6315adedaf3ba9b72be29d3fc130aedc::getInitializer($loader));
         } else {
             $map = require __DIR__ . '/autoload_namespaces.php';
             foreach ($map as $namespace => $path) {
@@ -51,19 +51,19 @@ public static function getLoader()
         $loader->register(true);
 
         if ($useStaticLoader) {
-            $includeFiles = Composer\Autoload\ComposerStaticInit8cd06888ad2f7157fd178791fe203518::$files;
+            $includeFiles = Composer\Autoload\ComposerStaticInit6315adedaf3ba9b72be29d3fc130aedc::$files;
         } else {
             $includeFiles = require __DIR__ . '/autoload_files.php';
         }
         foreach ($includeFiles as $fileIdentifier => $file) {
-            composerRequire8cd06888ad2f7157fd178791fe203518($fileIdentifier, $file);
+            composerRequire6315adedaf3ba9b72be29d3fc130aedc($fileIdentifier, $file);
         }
 
         return $loader;
     }
 }
 
-function composerRequire8cd06888ad2f7157fd178791fe203518($fileIdentifier, $file)
+function composerRequire6315adedaf3ba9b72be29d3fc130aedc($fileIdentifier, $file)
 {
     if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
         require $file;
diff --git a/vendor/composer/autoload_static.php b/vendor/composer/autoload_static.php
@@ -4,7 +4,7 @@
 
 namespace Composer\Autoload;
 
-class ComposerStaticInit8cd06888ad2f7157fd178791fe203518
+class ComposerStaticInit6315adedaf3ba9b72be29d3fc130aedc
 {
     public static $files = array (
         '7f55c0c8faca7d96e425512293db1ad1' => __DIR__ . '/../..' . '/includes/wp/wp-includes/formatting.php',
@@ -32,9 +32,9 @@ class ComposerStaticInit8cd06888ad2f7157fd178791fe203518
     public static function getInitializer(ClassLoader $loader)
     {
         return \Closure::bind(function () use ($loader) {
-            $loader->prefixLengthsPsr4 = ComposerStaticInit8cd06888ad2f7157fd178791fe203518::$prefixLengthsPsr4;
-            $loader->prefixDirsPsr4 = ComposerStaticInit8cd06888ad2f7157fd178791fe203518::$prefixDirsPsr4;
-            $loader->classMap = ComposerStaticInit8cd06888ad2f7157fd178791fe203518::$classMap;
+            $loader->prefixLengthsPsr4 = ComposerStaticInit6315adedaf3ba9b72be29d3fc130aedc::$prefixLengthsPsr4;
+            $loader->prefixDirsPsr4 = ComposerStaticInit6315adedaf3ba9b72be29d3fc130aedc::$prefixDirsPsr4;
+            $loader->classMap = ComposerStaticInit6315adedaf3ba9b72be29d3fc130aedc::$classMap;
 
         }, null, ClassLoader::class);
     }
