EM 5.12 upgrade

Author: shashachu

admin/em-options.php

@@ -9,7 +9,6 @@ function em_options_save(){
 	 */
 	if( current_user_can('manage_options') && !empty($_POST['em-submitted']) && check_admin_referer('events-manager-options','_wpnonce') ){
 		//Build the array of options here
-		$post = $_POST;
 		foreach ($_POST as $postKey => $postValue){
 			if( $postKey != 'dbem_data' && substr($postKey, 0, 5) == 'dbem_' ){
 				//TODO some more validation/reporting

classes/em-event.php

@@ -2363,7 +2363,7 @@ function output($format, $target="html") {
 				case '#_24HENDTIME_LOCAL':
 				case '#_24HTIMES_LOCAL':
 					$ts = ($result == '#_24HENDTIME_LOCAL') ? $this->end()->getTimestamp():$this->start()->getTimestamp();
-					$date_end = ($result == '#_24HTIMES_LOCAL' && $this->end()->getTimestamp() !== $ts) ? 'data-time-end="'. esc_attr($this->end()->getTimestamp()) .'" data-separator="'. esc_attr(get_option('dbem_times_separator')) . '"' : '';
+					$date_end = ($result == '#_24HTIMES_LOCAL' && $this->event_start_time !== $this->event_end_time) ? 'data-time-end="'. esc_attr($this->end()->getTimestamp()) .'" data-separator="'. esc_attr(get_option('dbem_times_separator')) . '"' : '';
 					$replace = '<span class="em-time-localjs" data-time-format="24"  data-time="'. esc_attr($ts) .'" '. $date_end .'>JavaScript Disabled</span>';
 					break;
 				case '#_12HSTARTTIME':
@@ -2418,9 +2418,13 @@ function output($format, $target="html") {
 							}
 							if( $result === '#_EVENTDATES_LOCAL' ){
 								$time_format = ( get_option('dbem_date_format') ) ? get_option('dbem_date_format'):get_option('date_format');
+								$start_time = $this->start()->getTimestamp();
+								$end_time = $this->event_start_date == $this->event_end_date ? $start_time : $this->end()->getTimestamp();
 								if( empty($separator) ) $separator = get_option('dbem_dates_separator');
 							}else{
 								$time_format = ( get_option('dbem_time_format') ) ? get_option('dbem_time_format'):get_option('time_format');
+								$start_time = $this->start()->getTimestamp();
+								$end_time = $this->event_start_time == $this->event_end_time ? $start_time : $this->end()->getTimestamp();
 								if( empty($separator) ) $separator = get_option('dbem_times_separator');
 							}
 							$time_format = strtr($time_format, $replacements);
@@ -2429,7 +2433,7 @@ function output($format, $target="html") {
 						// start output
 						ob_start();
 						?>
-						<span class="em-date-momentjs" data-date-format="<?php echo esc_attr($time_format); ?>" data-date-start="<?php echo $this->start()->getTimestamp() ?>" data-date-end="<?php echo $this->end()->getTimestamp() ?>" data-date-separator="<?php echo esc_attr($separator); ?>">JavaScript Disabled</span>
+						<span class="em-date-momentjs" data-date-format="<?php echo esc_attr($time_format); ?>" data-date-start="<?php echo $start_time ?>" data-date-end="<?php echo $end_time ?>" data-date-separator="<?php echo esc_attr($separator); ?>">JavaScript Disabled</span>
 						<?php
 						$replace = ob_get_clean();
 					}

classes/em-events.php

@@ -395,6 +395,7 @@ public static function output_grouped( $args = array() ){
 							}
 						}
 					}
+					$events_dates = apply_filters('em_events_output_grouped_events_dates', $events_dates, $args);
 					foreach ($events_dates as $year => $events){
 						$EM_DateTime = new EM_DateTime($year.'-01-01');
 						echo str_replace('#s', $EM_DateTime->i18n($format), $args['header_format']);
@@ -417,6 +418,7 @@ public static function output_grouped( $args = array() ){
 							}
 						}
 					}
+					$events_dates = apply_filters('em_events_output_grouped_events_dates', $events_dates, $args);
 					foreach ($events_dates as $month => $events){
 						$EM_DateTime = new EM_DateTime($month);
 						echo str_replace('#s', $EM_DateTime->i18n($format), $args['header_format']);
@@ -443,6 +445,7 @@ public static function output_grouped( $args = array() ){
 							}while( $EM_DateTime <= $EM_Event->end() );
 						}
 					}
+					$events_dates = apply_filters('em_events_output_grouped_events_dates', $events_dates, $args);
 					foreach ($events_dates as $date => $events){
 						$dates_formatted = $EM_DateTime->modify($date)->i18n($format). get_option('dbem_dates_separator') . $EM_DateTime->add('P6D')->i18n($format);
 						echo str_replace('#s', $dates_formatted, $args['header_format']);
@@ -465,6 +468,7 @@ public static function output_grouped( $args = array() ){
 							}while( $EM_DateTime <= $EM_Event->end() );
 						}
 					}
+					$events_dates = apply_filters('em_events_output_grouped_events_dates', $events_dates, $args);
 					foreach ($events_dates as $date => $events){
 						echo str_replace('#s', $EM_DateTime->modify($date)->i18n($format), $args['header_format']);
 						echo self::output($events, $atts);
@@ -478,7 +482,7 @@ public static function output_grouped( $args = array() ){
 		}elseif( $args['no_results_msg'] !== false ){
 			echo !empty($args['no_results_msg']) ? $args['no_results_msg'] : get_option('dbem_no_events_message');
 		}
-		return ob_get_clean();
+		return apply_filters('em_events_output_grouped', ob_get_clean(), $events, $args);
 	}
 
 	public static function get_pagination_links($args, $count, $search_action = 'search_events', $default_args = array()){

classes/em-taxonomy-frontend.php

@@ -83,6 +83,15 @@ public static function template($template = ''){
 			//sort out filters
 			add_filter('wp_head', 'EM_Taxonomy_Frontend::remove_em_the_content', 10000);
 			add_filter('the_content', array(self::$this_class,'the_content')); //come in slightly early and consider other plugins
+			// Meta Tag Manager Tweaks
+			if( defined('MTM_VERSION') ) {
+				add_filter('mtm_is_taxonomy_page', '__return_true');
+				add_filter('mtm_is_cpt_page', '__return_false');
+				add_filter('mtm_get_queried_object', function(){
+					global $em_the_query;
+					return $em_the_query->get_queried_object();
+				});
+			}
 			//Yoast WP SEO Tweals
 			if( defined('WPSEO_VERSION') ){
 				add_filter('wpseo_breadcrumb_links',array(self::$this_class,'wpseo_breadcrumb_links'));

classes/em-ticket.php

@@ -341,6 +341,7 @@ function validate(){
 	}
 
 	function is_available( $ignore_member_restrictions = false, $ignore_guest_restrictions = false ){
+		if( EM_Bookings::$disable_restrictions ) return true; // complete short-circuit
 		if( isset($this->is_available) && !$ignore_member_restrictions && !$ignore_guest_restrictions ) return apply_filters('em_ticket_is_available',  $this->is_available, $this); //save extra queries if doing a standard check
 		$is_available = false;
 		$EM_Event = $this->get_event();
@@ -350,7 +351,7 @@ function is_available( $ignore_member_restrictions = false, $ignore_guest_restri
 		$condition_3 = $EM_Event->rsvp_end()->getTimestamp() > time(); //either defined ending rsvp time, or start datetime is used here
 		$condition_4 = !$this->ticket_members || ($this->ticket_members && is_user_logged_in()) || $ignore_member_restrictions;
 		$condition_5 = true;
-		if( !$ignore_member_restrictions && !EM_Bookings::$disable_restrictions && $this->ticket_members && !empty($this->ticket_members_roles) ){
+		if( !$ignore_member_restrictions && $this->ticket_members && !empty($this->ticket_members_roles) ){
 			//check if user has the right role to use this ticket
 			$condition_5 = false;
 			if( is_user_logged_in() ){

classes/event-locations/em-event-location-url.php

@@ -21,11 +21,11 @@ public function get_post(){
 		if( !empty($_POST['event_location_url_text']) ){
 			$this->data['text'] = sanitize_text_field($_POST['event_location_url_text']);
 		}
-		return $return;
+		return apply_filters('em_event_location_url_get_post', $return, $this);
 	}
 
 	public function validate(){
-		$result = false;
+		$result = parent::validate();
 		if( empty($this->data['url']) ){
 			$this->event->add_error( __('Please enter a valid URL for this event location.', 'events-manager') );
 			$result = false;
@@ -34,7 +34,7 @@ public function validate(){
 			$this->event->add_error( __('Please provide some link text for this event location URL.', 'events-manager') );
 			$result = false;
 		}
-		return $result;
+		return apply_filters('em_event_location_url_validate', $result, $this);
 	}
 
 	public function get_link( $new_target = true ){
@@ -68,5 +68,9 @@ public function output( $what = null, $target = null ){
 			return parent::output($what);
 		}
 	}
+	
+	public function get_ical_location(){
+		return $this->url;
+	}
 }
 URL::init();

classes/event-locations/em-event-location.php

@@ -103,6 +103,7 @@ public function load_postdata( $event_meta = array(), $reload = false ){
 				$this->data[$key] = maybe_unserialize($this->data[$key]);
 			}
 		}
+		do_action('em_event_location_load_postdata', $this);
 	}
 
 	/**
@@ -111,14 +112,14 @@ public function load_postdata( $event_meta = array(), $reload = false ){
 	 */
 	public function get_post(){
 		$this->data = array();
-		return true;
+		return apply_filters('em_event_location_get_post', true, $this);
 	}
 
 	/**
 	 * @return boolean
 	 */
 	public function validate(){
-		return false;
+		return apply_filters('em_event_location_validate', false, $this);
 	}
 
 	public function save(){
@@ -133,13 +134,14 @@ public function save(){
 				}
 			}
 		}
-		return true;
+		return apply_filters('em_event_location_save', true, $this);
 	}
 
 	public function delete(){
 		$this->reset_data();
 		$this->data = array();
-		return true;
+		do_action('em_event_location_deleted', $this);
+		return apply_filters('em_event_location_delete', true, $this);
 	}
 
 	/**
@@ -199,6 +201,10 @@ public function output( $what = null, $target = null ){
 			return static::get_label();
 		}
 	}
+	
+	public function get_ical_location(){
+		return false;
+	}
 }
 
 //include default Event Locations

em-functions.php

@@ -615,20 +615,23 @@ function em_get_search_form_defaults($args = array()){
 	//merge defaults with supplied arguments 
 	$args = array_merge($search_args, $args);
 	//overwrite with $_REQUEST defaults in event of a submitted search
-	if( isset($_REQUEST['geo']) ) $args['geo'] = $_REQUEST['geo']; //if geo search string requested, use that for search form
-	if( isset($_REQUEST['near']) ) $args['near'] = wp_unslash($_REQUEST['near']); //if geo search string requested, use that for search form
-	if( isset($_REQUEST['em_search']) ) $args['search'] = wp_unslash($_REQUEST['em_search']); //if geo search string requested, use that for search form
-	if( isset($_REQUEST['category']) ) $args['category'] = $_REQUEST['category']; //if state requested, use that for searching
-	if( isset($_REQUEST['country']) ) $args['country'] = wp_unslash($_REQUEST['country']); //if country requested, use that for searching
-	if( isset($_REQUEST['region']) ) $args['region'] = wp_unslash($_REQUEST['region']); //if region requested, use that for searching
-	if( isset($_REQUEST['state']) ) $args['state'] = wp_unslash($_REQUEST['state']); //if state requested, use that for searching
-	if( isset($_REQUEST['town']) ) $args['town'] = wp_unslash($_REQUEST['town']); //if state requested, use that for searching
-	if( isset($_REQUEST['near_unit']) ) $args['near_unit'] = $_REQUEST['near_unit']; //if state requested, use that for searching
-	if( isset($_REQUEST['near_distance']) ) $args['near_distance'] = $_REQUEST['near_distance']; //if state requested, use that for searching
+	if( isset($_REQUEST['geo']) ) $args['geo'] = sanitize_text_field($_REQUEST['geo']); //if geo search string requested, use that for search form
+	if( isset($_REQUEST['near']) ) $args['near'] = sanitize_text_field(wp_unslash($_REQUEST['near'])); //if geo search string requested, use that for search form
+	if( isset($_REQUEST['em_search']) ) $args['search'] = sanitize_text_field(wp_unslash($_REQUEST['em_search'])); //if geo search string requested, use that for search form
+	if( isset($_REQUEST['category']) ) $args['category'] = sanitize_text_field($_REQUEST['category']); //if category requested, use that for searching
+	if( isset($_REQUEST['country']) ) $args['country'] = sanitize_text_field(wp_unslash($_REQUEST['country'])); //if country requested, use that for searching
+	if( isset($_REQUEST['region']) ) $args['region'] = sanitize_text_field(wp_unslash($_REQUEST['region'])); //if region requested, use that for searching
+	if( isset($_REQUEST['state']) ) $args['state'] = sanitize_text_field(wp_unslash($_REQUEST['state'])); //if state requested, use that for searching
+	if( isset($_REQUEST['town']) ) $args['town'] = sanitize_text_field(wp_unslash($_REQUEST['town'])); //if state requested, use that for searching
+	if( isset($_REQUEST['near_unit']) ) $args['near_unit'] = sanitize_text_field($_REQUEST['near_unit']); //if state requested, use that for searching
+	if( isset($_REQUEST['near_distance']) ) $args['near_distance'] = sanitize_text_field($_REQUEST['near_distance']); //if state requested, use that for searching
 	if( !empty($_REQUEST['scope']) && !is_array($_REQUEST['scope'])){ 
-		$args['scope'] = explode(',',$_REQUEST['scope']); //convert scope to an array in event of pagination 
+		$args['scope'] = explode(',',sanitize_text_field($_REQUEST['scope'])); //convert scope to an array in event of pagination
 	}elseif( !empty($_REQUEST['scope']) ){
-		$args['scope'] = $_REQUEST['scope'];
+		$args['scope'] = array(); // reset and populate sanitized
+		foreach( $_REQUEST['scope'] as $k => $v ){
+			$args['scope'][absint($k)] = sanitize_text_field($v);
+		}
 	}
 	return $args;
 }

events-manager.php

@@ -1,7 +1,7 @@
 <?php
 /*
 Plugin Name: GGG Events Manager
-Version: 5.11.1
+Version: 5.12.2
 Plugin URI: https://github.com/shashachu/ggg-events-manager/
 Description: Customized version of the Events Manager plugin by Marcus Sykes, tailored towards trooping signups for the Golden Gate Garrison.
 Author: Marcus Sykes, Sha Sha Chu
@@ -40,7 +40,7 @@
 $myUpdateChecker->getVcsApi()->enableReleaseAssets();
 
 // Setting constants
-define('EM_VERSION', 5.99911); //self expanatory, although version currently may not correspond directly with published version number. until 6.0 we're stuck updating 5.999.x
+define('EM_VERSION', 5.99912); //self expanatory, although version currently may not correspond directly with published version number. until 6.0 we're stuck updating 5.999.x
 define('EM_PRO_MIN_VERSION', 2.6712); //self expanatory
 define('EM_PRO_MIN_VERSION_CRITICAL', 2.377); //self expanatory
 define('EM_DIR', dirname( __FILE__ )); //an absolute path to this directory
@@ -337,6 +337,11 @@ public static function public_enqueue() {
 
 	public static function admin_enqueue( $hook_suffix = false ){
 		if( $hook_suffix == 'post.php' || (!empty($_GET['page']) && substr($_GET['page'],0,14) == 'events-manager') || (!empty($_GET['post_type']) && in_array($_GET['post_type'], array(EM_POST_TYPE_EVENT,EM_POST_TYPE_LOCATION,'event-recurring'))) ){
+			if( $hook_suffix == 'post.php' && empty($_GET['post_type']) && !empty($_GET['post']) ){
+				// don't load if the post being edited isn't an EM one
+				$post = get_post($_GET['post']);
+				if( !in_array($post->post_type, array(EM_POST_TYPE_EVENT,EM_POST_TYPE_LOCATION,'event-recurring')) ) return;
+			}
 			wp_enqueue_style( 'wp-color-picker' );
 			wp_enqueue_script('events-manager', plugins_url('includes/js/events-manager.js',__FILE__), array('jquery', 'jquery-ui-core','jquery-ui-widget','jquery-ui-position','jquery-ui-sortable','jquery-ui-datepicker','jquery-ui-autocomplete','jquery-ui-dialog','wp-color-picker'), EM_VERSION);
 		    do_action('em_enqueue_admin_scripts');

readme.txt

@@ -4,8 +4,8 @@ Donate link: http://wp-events-plugin.com
 Tags: bookings, calendar, tickets, events, buddypress, event management, google maps, maps, locations, registration, zoom
 Text Domain: events-manager
 Requires at least: 5.2
-Tested up to: 5.8
-Stable tag: 5.11.1
+Tested up to: 6.0
+Stable tag: 5.12.1
 Requires PHP: 5.3
 
 Fully featured event registration management including recurring events, locations management, calendar, Google map integration, booking management
@@ -119,6 +119,22 @@ See our [FAQ](http://wp-events-plugin.com/documentation/faq/) page, which is upd
 6. Manage attendees with various booking reports
 
 == Changelog ==
+= 5.12.2 =
+* 5.12.1 with GGG mods
+
+= 5.12.1 =
+* fixed issue with scope sanitization preventing search form searching by date range
+* added limitation to prevent JS loading on non-EM post type editors to potentially help prevent 3rd party conflicts
+* added support for event location displaying url or other custom info for the ical LOCATION property
+
+= 5.12 =
+* changed EM_Booking::$disable_restricions so that all ticket restrictions can ignored for admin manual bookings (pro feature) including spaces, roles and dates
+* added taxonomy filters for Meta Tag Manager compatibility on overriden taxonomy pages
+* added filters to Event_Locations\Event_Location and Event_Locations\URL
+* added filters to EM_Events::output_grouped()
+* fixed #_EVENTDATES_LOCAL and #_24HHTIMES_LOCAL showing time/date range even if time/dates are the same
+* fixed XSS security vulnerability reported by/via WP Plugins team
+
 = 5.11.1 =
 * 5.11 with GGG mods