Feature/1.16.0

ACF_City_Selector.php

@@ -3,7 +3,7 @@
     Plugin Name:    ACF City Selector
     Plugin URI:     https://acf-city-selector.com
     Description:    An extension for ACF which allows you to select a city based on country and province/state.
-    Version:        1.15.1
+    Version:        1.16.0
     Tested up to:   6.6.1
     Requires PHP:   7.0
     Author:         Beee
@@ -38,7 +38,7 @@ public function __construct() {
                 $this->settings = [
                     'db_version' => '1.0',
                     'url'        => plugin_dir_url( __FILE__ ),
-                    'version'    => '1.15.1',
+                    'version'    => '1.16.0',
                 ];
 
                 if ( ! class_exists( 'ACFCS_WEBSITE_URL' ) ) {

README.md

@@ -228,6 +228,9 @@ I got the idea for this plugin through [Fabrizio Sabato](https://github.com/fab0
 <a name="changelog"></a>
 ### Changelog
 
+1.16.0
+* add nonces for forms
+
 1.15.1
 * use wp_filesystem for csv files
 * sanitize/escape more

admin/acf-city-selector-v4.php

@@ -234,7 +234,7 @@ function input_admin_enqueue_scripts() {
                 $all_info                     = acfcs_get_field_settings();
                 $js_vars[ 'ajaxurl' ]         = admin_url( 'admin-ajax.php' );
                 $js_vars[ 'default_country' ] = ( isset( $all_info[ 'default_country' ] ) && false != $all_info[ 'default_country' ] ) ? $all_info[ 'default_country' ] : false;
-                $js_vars[ 'post_id' ]         = ( isset( $_GET[ 'post' ] ) ) ? (int) $_GET[ 'post' ] : false;
+                $js_vars[ 'post_id' ]         = 0 < get_the_ID() ? (int) get_the_ID() : false;
                 $js_vars[ 'show_labels' ]     = ( isset( $all_info[ 'show_labels' ] ) ) ? $all_info[ 'show_labels' ] : apply_filters( 'acfcs_show_labels', true );
                 $js_vars[ 'use_select2' ]     = ( isset( $all_info[ 'use_select2' ] ) ) ? $all_info[ 'use_select2' ] : false;
                 $js_vars[ 'which_fields' ]    = ( isset( $all_info[ 'which_fields' ] ) ) ? $all_info[ 'which_fields' ] : 'all';

admin/acf-city-selector-v5.php

@@ -201,15 +201,17 @@ function input_admin_enqueue_scripts() {
 
                 wp_register_script( 'acfcs-process', "{$plugin_url}assets/js/city-selector.js", array( 'jquery', 'acf-input' ), $plugin_version, false );
                 wp_enqueue_script( 'acfcs-process' );
-
-                $all_info                     = acfcs_get_field_settings();
-                $js_vars[ 'ajaxurl' ]         = admin_url( 'admin-ajax.php' );
-                $js_vars[ 'default_country' ] = ( isset( $all_info[ 'default_country' ] ) && false != $all_info[ 'default_country' ] ) ? $all_info[ 'default_country' ] : false;
-                $js_vars[ 'post_id' ]         = ( isset( $_GET[ 'post' ] ) ) ? (int) $_GET[ 'post' ] : false;
-                $js_vars[ 'show_labels' ]     = ( isset( $all_info[ 'show_labels' ] ) ) ? $all_info[ 'show_labels' ] : apply_filters( 'acfcs_show_labels', true );
-                $js_vars[ 'store_meta' ]      = ( isset( $all_info[ 'store_meta' ] ) ) ? $all_info[ 'store_meta' ] : false;
-                $js_vars[ 'use_select2' ]     = ( isset( $all_info[ 'use_select2' ] ) ) ? $all_info[ 'use_select2' ] : false;
-                $js_vars[ 'which_fields' ]    = ( isset( $all_info[ 'which_fields' ] ) ) ? $all_info[ 'which_fields' ] : 'all';
+
+                $all_info                       = acfcs_get_field_settings();
+                $js_vars[ 'ajaxurl' ]           = admin_url( 'admin-ajax.php' );
+                $js_vars[ 'default_country' ]   = ( isset( $all_info[ 'default_country' ] ) && false != $all_info[ 'default_country' ] ) ? $all_info[ 'default_country' ] : false;
+                $js_vars[ 'post_id' ]           = 0 < get_the_ID() ? (int) get_the_ID() : false;
+                $js_vars[ 'acfcs_state_nonce' ] = wp_create_nonce( 'acfcs-state-nonce' );
+                $js_vars[ 'acfcs_city_nonce' ]  = wp_create_nonce( 'acfcs-city-nonce' );
+                $js_vars[ 'show_labels' ]       = ( isset( $all_info[ 'show_labels' ] ) ) ? $all_info[ 'show_labels' ] : apply_filters( 'acfcs_show_labels', true );
+                $js_vars[ 'store_meta' ]        = ( isset( $all_info[ 'store_meta' ] ) ) ? $all_info[ 'store_meta' ] : false;
+                $js_vars[ 'use_select2' ]       = ( isset( $all_info[ 'use_select2' ] ) ) ? $all_info[ 'use_select2' ] : false;
+                $js_vars[ 'which_fields' ]      = ( isset( $all_info[ 'which_fields' ] ) ) ? $all_info[ 'which_fields' ] : 'all';
 
                 wp_localize_script( 'acfcs-process', 'city_selector_vars', $js_vars );
             }

admin/acfcs-dashboard.php

@@ -7,7 +7,16 @@ function acfcs_dashboard() {
         if ( ! current_user_can( apply_filters( 'acfcs_user_cap', 'manage_options' ) ) ) {
             wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'acf-city-selector' ) );
         }
-
+
+        $submitted_raw_data = false;
+        if ( isset( $_POST[ 'acfcs_import_raw_nonce' ] ) ) {
+            if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ 'acfcs_import_raw_nonce' ] ) ), 'acfcs-import-raw-nonce' ) ) {
+                ACF_City_Selector::acfcs_errors()->add( 'error_no_nonce_match', esc_html__( 'Something went wrong, please try again.', 'acf-city-selector' ) );
+            } else {
+                $submitted_raw_data = ( isset( $_POST[ 'raw_csv_import' ] ) ) ? sanitize_textarea_field( wp_unslash( $_POST[ 'raw_csv_import' ] ) ) : false;
+            }
+        }
+
         ACF_City_Selector::acfcs_show_admin_notices();
 
         $show_raw_import = true;
@@ -38,7 +47,6 @@ function acfcs_dashboard() {
 
                         <?php if ( true === $show_raw_import ) { ?>
                             <?php $placeholder = "Amsterdam;NH;Noord-Holland;NL;Netherlands\nRotterdam;ZH;Zuid-Holland;NL;Netherlands"; ?>
-                            <?php $submitted_raw_data = ( isset( $_POST[ 'raw_csv_import' ] ) ) ? sanitize_textarea_field( wp_unslash( $_POST[ 'raw_csv_import' ] ) ) : false; ?>
                             <div class="acfcs__section acfcs__section--raw-import">
                                 <?php echo sprintf( '<h2>%s</h2>', esc_html__( 'Import CSV data (from clipboard)', 'acf-city-selector' ) ); ?>
                                 <p>

admin/acfcs-preview-form.php

@@ -8,6 +8,7 @@
 
 <div class="acfcs__section acfcs__section--preview">
     <form name="select-preview-file" id="settings-form" action="" method="post">
+        <input type="hidden" name="acfcs_preview_nonce" value="<?php echo esc_attr( wp_create_nonce( 'acfcs-preview-nonce' ) ); ?>" />
         <div class="acfcs__process-file">
             <div class="acfcs__process-file-element">
                 <?php echo sprintf( '<label for="acfcs_file_name">%s</label>', esc_attr__( 'File', 'acf-city-selector' ) ); ?>

admin/acfcs-preview.php

@@ -7,7 +7,22 @@ function acfcs_preview_page() {
         if ( ! current_user_can( apply_filters( 'acfcs_user_cap', 'manage_options' ) ) ) {
             wp_die( esc_html__( 'Sorry, you do not have sufficient permissions to access this page.', 'acf-city-selector' ) );
         }
-
+
+        $file_name = false;
+        $limit     = 100;
+        $delimiter = ';';
+
+        if ( isset( $_POST[ 'acfcs_preview_nonce' ] ) ) {
+            if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ 'acfcs_preview_nonce' ] ) ), 'acfcs-preview-nonce' ) ) {
+                ACF_City_Selector::acfcs_errors()->add( 'error_nonce_no_match', esc_html__( 'Something went wrong, please try again.', 'acf-city-selector' ) );
+                return;
+            } else {
+                $file_name = ( isset( $_POST[ 'acfcs_file_name' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_file_name' ] ) ) : false;
+                $max_lines = ( isset( $_POST[ 'acfcs_max_lines' ] ) ) ? (int) $_POST[ 'acfcs_max_lines' ] : $limit;
+                $delimiter = ( isset( $_POST[ 'acfcs_delimiter' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_delimiter' ] ) ) : apply_filters( 'acfcs_delimiter', $delimiter );
+            }
+        }
+
         ACF_City_Selector::acfcs_show_admin_notices();
         ?>
 
@@ -16,12 +31,8 @@ function acfcs_preview_page() {
 
             <?php
                 do_action( 'acfcs_admin_menu' );
-
-                $file_index      = acfcs_check_if_files();
-                $file_name       = ( isset( $_POST[ 'acfcs_file_name' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_file_name' ] ) ) : false;
-                $max_lines       = ( isset( $_POST[ 'acfcs_max_lines' ] ) ) ? (int) $_POST[ 'acfcs_max_lines' ] : false;
-                $max_lines_value = ( false != $max_lines ) ? $max_lines : 100;
-                $delimiter       = ( isset( $_POST[ 'acfcs_delimiter' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_delimiter' ] ) ) : apply_filters( 'acfcs_delimiter', ';' );
+
+                $file_index = acfcs_check_if_files();
 
                 // Get imported data
                 if ( $file_name ) {

admin/acfcs-search.php

@@ -14,13 +14,28 @@ function acfcs_search() {
         $cities                  = array();
         $city_array              = array();
         $countries               = array();
-        $search_criteria_state   = ( isset( $_POST[ 'acfcs_state' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_state' ] ) ) : false;
-        $search_criteria_country = ( isset( $_POST[ 'acfcs_country' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_country' ] ) ) : false;
-        $searched_orderby        = ( ! empty( $_POST[ 'acfcs_orderby' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_orderby' ] ) ) : false;
-        $searched_term           = ( ! empty( $_POST[ 'acfcs_search' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_search' ] ) ) : false;
-        $selected_limit          = ( ! empty( $_POST[ 'acfcs_limit' ] ) ) ? (int) $_POST[ 'acfcs_limit' ] : 100;
+
+        $search_criteria_state   = false;
+        $search_criteria_country = false;
+        $searched_orderby        = false;
+        $searched_term           = false;
+        $selected_limit          = false;
+        $limit                   = 100;
         $states                  = acfcs_get_states_optgroup();
-
+
+        if ( isset( $_POST[ 'acfcs_search_form_nonce' ] ) ) {
+            if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ 'acfcs_search_form_nonce' ] ) ), 'acfcs-search-form-nonce' ) ) {
+                ACF_City_Selector::acfcs_errors()->add( 'error_no_nonce_match', esc_html__( 'Something went wrong, please try again.', 'acf-city-selector' ) );
+                return;
+            } else {
+                $search_criteria_state   = ( ! empty( $_POST[ 'acfcs_state' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_state' ] ) ) : false;
+                $search_criteria_country = ( ! empty( $_POST[ 'acfcs_country' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_country' ] ) ) : false;
+                $searched_orderby        = ( ! empty( $_POST[ 'acfcs_orderby' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_orderby' ] ) ) : false;
+                $searched_term           = ( ! empty( $_POST[ 'acfcs_search' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_search' ] ) ) : false;
+                $selected_limit          = ( ! empty( $_POST[ 'acfcs_limit' ] ) ) ? (int) $_POST[ 'acfcs_limit' ] : $limit;
+            }
+        }
+
         // if there is at least 1 country
         if ( ! empty( $all_countries ) ) {
             foreach ( $all_countries as $country_code => $country_name ) {
@@ -62,6 +77,7 @@ function acfcs_search() {
                         <?php } else { ?>
                             <form action="" method="POST">
                                 <input name="acfcs_search_form" type="hidden" value="1" />
+                                <input name="acfcs_search_form_nonce" type="hidden" value="<?php echo esc_attr( wp_create_nonce( 'acfcs-search-form-nonce' ) ); ?>" />
 
                                 <div class="acfcs__search-form">
                                     <?php // if there's only 1 country, no need to add country dropdown ?>

admin/process-file-form.php

@@ -2,6 +2,16 @@
     if ( ! defined( 'ABSPATH' ) ) {
         exit;
     }
+
+    $selected_file_name = false;
+    if ( isset( $_POST[ 'acfcs_select_file_nonce' ] ) ) {
+        if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ 'acfcs_select_file_nonce' ] ) ), 'acfcs-select-file-nonce' ) ) {
+            ACF_City_Selector::acfcs_errors()->add( 'error_nonce_no_match', esc_html__( 'Something went wrong, please try again.', 'acf-city-selector' ) );
+            return;
+        } else {
+            $selected_file_name = isset( $_POST[ 'acfcs_file_name' ] ) ? sanitize_text_field( wp_unslash( $_POST[ 'acfcs_file_name' ] ) ) : false;
+        }
+    }
 ?>
 <form method="post">
     <input name="acfcs_select_file_nonce" type="hidden" value="<?php echo esc_attr( wp_create_nonce( 'acfcs-select-file-nonce' ) ); ?>" />
@@ -14,7 +24,7 @@
                     <?php echo sprintf( '<option value="">%s</option>', esc_attr__( 'Select a file', 'acf-city-selector' ) ); ?>
                 <?php } ?>
                 <?php foreach ( $file_index as $file_name ) { ?>
-                    <?php $selected = ( isset( $_POST[ 'acfcs_file_name' ] ) && $_POST[ 'acfcs_file_name' ] == $file_name ) ? ' selected="selected"' : false; ?>
+                    <?php $selected = $selected_file_name == $file_name ? ' selected="selected"' : false; ?>
                     <?php echo sprintf( '<option value="%s"%s>%s</option>', esc_attr( $file_name ), esc_attr( $selected ), esc_attr( $file_name ) ); ?>
                 <?php } ?>
             </select>

assets/js/city-selector.js

@@ -45,7 +45,6 @@
                 countries.on('change', function () {
                     const response_cities = []
                     const response_states = []
-
                     var $this             = $(this);
                     var country_code      = $this.val();
                     var country_field_id  = $this.attr('id');
@@ -61,11 +60,17 @@
                         $show_labels = $(this).data('show-labels');
                         $which_fields = $(this).data('which-fields');
                     }
+                    var state_nonce = city_selector_vars[ 'acfcs_state_nonce' ];
+                    var city_nonce = city_selector_vars[ 'acfcs_city_nonce' ];
                     var show_labels = $show_labels;
                     var which_fields = $which_fields;
 
+                    if ( '' === country_code ) {
+                        changed_city.empty();
+                    }
+
                     if ( $.inArray(which_fields, [ 'country_state', 'all' ] ) !== -1 ) {
-                        const d = acfcs_get_states(country_code, show_labels, post_id);
+                        const d = acfcs_get_states(country_code, show_labels, post_id, state_nonce);
                         response_states.push(d);
 
                         Promise.all(response_states).then(function(jsonResults) {
@@ -85,7 +90,7 @@
                         });
 
                     } else if ( $.inArray(which_fields, [ 'country_city' ] ) !== -1 ) {
-                        const d = acfcs_get_cities(country_code, show_labels, post_id);
+                        const d = acfcs_get_cities(country_code, show_labels, post_id, city_nonce);
                         response_cities.push(d);
 
                         Promise.all(response_cities).then(function(jsonResults) {
@@ -122,6 +127,7 @@
                         $show_labels = $(this).data('show-labels');
                         $which_fields = $(this).data('which-fields');
                     }
+                    var city_nonce = city_selector_vars[ 'acfcs_city_nonce' ];
                     var show_labels = $show_labels;
                     var which_fields = $which_fields;
 
@@ -132,7 +138,7 @@
                         var state_field_id = $this.attr('id');
                         var city_field_id = state_field_id.replace('stateCode', 'cityName');
                         var changed_city = $('select[id="' + city_field_id + '"]');
-                        const d = acfcs_get_cities(state_code, show_labels, post_id);
+                        const d = acfcs_get_cities(state_code, show_labels, post_id, city_nonce);
                         response_cities.push(d);
 
                         Promise.all(response_cities).then(function(jsonResults) {
@@ -166,10 +172,12 @@
          * @param showLabels
          * @param postID
          * @param callback
+         * @param nonce
          * @returns {Promise<unknown>}
          */
-        function acfcs_get_states(countryCode, showLabels, postID, callback) {
+        function acfcs_get_states(countryCode, showLabels, postID, nonce, callback) {
             const state_data = {
+                acfcs_state_nonce: nonce,
                 action: 'get_states_call',
                 country_code: countryCode,
                 post_id: postID,
@@ -189,11 +197,13 @@
          * @param stateCode
          * @param showLabels
          * @param postID
+         * @param nonce
          * @param callback
          * @returns {Promise<unknown>}
          */
-        function acfcs_get_cities(stateCode, showLabels, postID, callback) {
+        function acfcs_get_cities(stateCode, showLabels, postID, nonce, callback) {
             const city_data = {
+                acfcs_city_nonce: nonce,
                 action: 'get_cities_call',
                 post_id: postID,
                 show_labels: showLabels,