Merge pull request #366 from alleyinteractive/html_updates

Hotfixes for urgent issues

admin/apple-actions/index/class-push.php

@@ -154,11 +154,8 @@ private function push( $user_id = null ) {
 		// Process errors
 		$this->process_errors( $errors );
 
-		// Validate the data before using since it's filterable.
-		// JSON should just be a string.
-		// Apple News format is complex and has too many options to validate otherwise.
-		// Let's just make sure it's not doing anything bad and is the right data type.
-		$json = sanitize_text_field( $json );
+		// Sanitize the data before using since it's filterable.
+		$json = $this->sanitize_json( $json );
 
 		// Bundles should be an array of URLs
 		if ( ! empty( $bundles ) && is_array( $bundles ) ) {
@@ -386,4 +383,23 @@ private function generate_article() {
 
 		return array( $this->exporter->get_json(), $this->exporter->get_bundles(), $this->exporter->get_errors() );
 	}
+
+	/**
+	 * Sanitize the JSON output based on whether HTML or markdown is used.
+	 *
+	 * @access private
+	 * @param string $json
+	 * @return string
+	 * @since 1.2.7
+	 */
+	private function sanitize_json( $json ) {
+		// Apple News format is complex and has too many options to validate otherwise.
+		// Let's just make sure the JSON is valid
+		$decoded = json_decode( $json );
+		if ( ! $decoded ) {
+			 throw new \Apple_Actions\Action_Exception( __( 'The Apple News JSON is invalid and cannot be published.', 'apple-news' ) );
+		} else {
+			 return wp_json_encode( $decoded );
+		}
+	}
 }

admin/class-admin-apple-themes.php

@@ -693,7 +693,7 @@ private function get_formatting_object( $name = null ) {
 	 */
 	private function validate_data( $data ) {
 		$settings = new \Apple_Exporter\Settings();
-		$valid_settings = array_keys( $settings->all() );
+		$default_settings = $settings->all();
 		$clean_settings = array();
 
 		// Check for the theme name
@@ -718,10 +718,17 @@ private function validate_data( $data ) {
 		// the appropriate validation and sanitization for each
 		foreach ( $valid_settings as $setting ) {
 			if ( ! isset( $data[ $setting ] ) ) {
-				return sprintf(
-					__( 'The theme was missing the required setting %s', 'apple-news' ),
-					$setting
-				);
+				// Get the default value instead.
+				// This ensures backwards compatiblity with theme files
+				// when new settings are added in future plugin versions.
+				if ( isset( $default_settings[ $setting ] ) ) {
+					$data[ $setting ] = $default_settings[ $setting ];
+				} else {
+					return sprintf(
+						__( 'The theme was missing the required setting %s and no default was found', 'apple-news' ),
+						$setting
+					);
+				}
 			}
 
 			// Find the appropriate sanitization method for each setting

apple-news.php

@@ -12,7 +12,7 @@
  * Plugin Name: Publish to Apple News
  * Plugin URI:  http://github.com/alleyinteractive/apple-news
  * Description: Export and sync posts to Apple format.
- * Version:     1.2.6
+ * Version:     1.2.7
  * Author:      Alley Interactive
  * Author URI:  https://www.alleyinteractive.com
  * Text Domain: apple-news

includes/apple-exporter/components/class-component.php

@@ -143,6 +143,38 @@ abstract class Component {
 	 */
 	public $specs;
 
+	/**
+	 * Allowed HTML tags for components that support it.
+	 *
+	 * @since 1.2.7
+	 * @var array
+	 * @access public
+	 */
+	public $allowed_html = array(
+		'p' => array(),
+		'strong' => array(),
+		'b' => array(),
+		'em' => array(),
+		'i' => array(),
+		'a' => array(
+			'href' => array(),
+		),
+		'ul' => array(),
+		'ol' => array(),
+		'li' => array(),
+		'br' => array(),
+		'sub' => array(),
+		'sup' => array(),
+		'del' => array(),
+		's' => array(),
+		'pre' => array(),
+		'code' => array(),
+		'samp' => array(),
+		'footer' => array(),
+		'aside' => array(),
+		'blockquote' => array(),
+	);
+
 	/**
 	 * Constructor.
 	 *
@@ -233,6 +265,11 @@ protected static function clean_html( $html ) {
 	 * @access public
 	 */
 	public function to_array() {
+		// If HTML support is enabled, provide an extra level of validation for supported tags.
+		if ( ! empty( $this->json['text'] ) && $this->html_enabled() ) {
+			$this->json['text'] = wp_kses( $this->json['text'], $this->allowed_html );
+		}
+
 		return apply_filters( 'apple_news_' . $this->get_component_name() . '_json', $this->json );
 	}
 

includes/class-apple-news.php

@@ -39,7 +39,7 @@ class Apple_News {
 	 * @var string
 	 * @access public
 	 */
-	public static $version = '1.2.6';
+	public static $version = '1.2.7';
 
 	/**
 	 * Link to support for the plugin on WordPress.org.

readme.txt

@@ -3,8 +3,8 @@ Contributors: potatomaster, kevinfodness, alleyinteractive, beezwaxbuzz, gosukiw
 Donate link: https://wordpress.org
 Tags: publish, apple, news, iOS
 Requires at least: 4.0
-Tested up to: 4.7.3
-Stable tag: 1.2.6
+Tested up to: 4.7.4
+Stable tag: 1.2.7
 License: GPLv3 or later
 License URI: https://www.gnu.org/licenses/gpl.html
 
@@ -45,6 +45,10 @@ Please visit our [wiki](https://github.com/alleyinteractive/apple-news/wiki) for
 
 == Changelog ==
 
+= 1.2.7 =
+* Fixed a bug where HTML tags were being stripped before being sent to the API.
+* Fixed a bug where older theme files couldn't be imported if new formatting settings were added.
+
 = 1.2.6 =
 * WP Standards: Ensured all instances of in_array use the strict parameter
 * WP Standards: Replaced all remaining instances of == with ===