Merge branch 'dev'

css/pmpro-member-directory.css

@@ -1,6 +1,6 @@
 /* CSS Document */
 
-h3#pmpro_member_directory_subheading {clear: none; margin-top: 0; }
+h2#pmpro_member_directory_subheading {clear: none; margin-top: 0; }
 form.pmpro_member_directory_search {float: right; margin-bottom: 1rem; clear: both; }
 form.pmpro_member_directory_search input[type=text] { }
 form.pmpro_member_directory_search input[type=submit] {background: none; border: none; padding: 0; position: absolute; text-indent: -9999em; }
@@ -11,12 +11,12 @@ form.pmpro_member_directory_search input[type=submit] {background: none; border:
 .pmpro_pagination .pmpro_next {float: right; width: 250px; text-align: right;}
 
 /* div/column type layouts */
-div.pmpro_member_directory div h3 {clear: none; }
+div.pmpro_member_directory div h2 {clear: none; }
 div.pmpro_member_directory div p {margin: .5rem 0 0 0; } 
 div.pmpro_member_profile strong {display: block; }
 
 /* table type layouts */
-.pmpro_member_directory table h3.pmpro_member_directory_display-name {margin-top: 0; }
+.pmpro_member_directory table h2.pmpro_member_directory_display-name {margin-top: 0; }
 .pmpro_member_directory table tbody td {vertical-align: top; }
 .pmpro_member_directory table tbody td p {margin: 0 0 .5rem 0; }
 

pmpro-member-directory.php

@@ -3,14 +3,14 @@
 Plugin Name: Paid Memberships Pro - Member Directory Add On
 Plugin URI: https://www.paidmembershipspro.com/add-ons/member-directory/
 Description: Adds a customizable Member Directory and Member Profiles to your membership site.
-Version: 1.2.4
+Version: 1.2.5
 Author: Paid Memberships Pro
 Author URI: https://www.paidmembershipspro.com/
 Text Domain: pmpro-member-directory
 Domain Path: /languages
 */
 
-define( 'PMPRO_MEMBER_DIRECTORY_VERSION', '1.2.4' );
+define( 'PMPRO_MEMBER_DIRECTORY_VERSION', '1.2.5' );
 
 global $pmpromd_options;
 
@@ -69,7 +69,7 @@ function pmpromd_show_extra_profile_fields($user)
 
 	if ( empty( $pmpro_pages['member_profile_edit'] ) || ! is_page( $pmpro_pages['member_profile_edit'] ) ) {
 ?>
-	<h3><?php echo get_the_title($pmpro_pages['directory']); ?></h3>
+	<h2><?php echo get_the_title($pmpro_pages['directory']); ?></h2>
     <table class="form-table">
         <tbody>
         <tr class="user-hide-directory-wrap">
@@ -552,11 +552,11 @@ function pmpromd_build_profile_url( $pu, $profile_url = false, $separator = fals
  */
 function pmpromd_check_for_upgrade() {
 
-	if ( ! function_exists( 'pmpro_getOption' ) ) {
+	if ( ! function_exists( 'pmpro_init' ) ) {
 		return;
 	}
 
-	$pmpromd_db_version = pmpro_getOption("md_db_version");
+	$pmpromd_db_version = get_option("pmpro_md_db_version");
 
 	if( empty( $pmpromd_db_version ) || version_compare( $pmpromd_db_version, '1.2', '<' ) ) {
 
@@ -567,4 +567,78 @@ function pmpromd_check_for_upgrade() {
 	}
 
 }
-add_action( 'admin_init', 'pmpromd_check_for_upgrade' );
+add_action( 'admin_init', 'pmpromd_check_for_upgrade' );
+
+/**
+ * Strip the [pmpro_member_directory] or [pmpro_member_profile] shortcode and blocks from content if the current user can't edit users.
+ *
+ * @since TBD
+ *
+ * @return mixed The content with the shortcode removed. Will be the same type as the input.
+ */
+function pmpromd_maybe_strip_shortcodes( $content ) {
+	// If the user can edit users, we don't need to strip the shortcode.
+	if ( current_user_can( 'edit_users' ) ) {
+		return $content;
+	}
+
+	// If an array is passed in, filter all elements recursively.
+	if ( is_array( $content ) ) {
+		foreach ( $content as $key => $value ) {
+			$content[ $key ] = pmpromd_maybe_strip_shortcodes( $value );
+		}
+		return $content;
+	}
+
+	// If we're not looking at a string, just return it.
+	if ( ! is_string( $content ) ) {
+		return $content;
+	}
+
+	// Okay, we have a string, figure out the regex.
+	$shortcodeRegex = get_shortcode_regex( array( 'pmpro_member_directory', 'pmpro_member_profile' ) );	
+
+	// Remove various blocks.
+	$blockWrapperPatterns = array(
+		"<!-- wp:pmpro-member-directory/directory /-->",
+		"<!-- wp:pmpro-member-directory/profile /-->",
+		"/<!--\s*wp:pmpro-member-directory\/directory\s*{[^}]*}\s*\/-->/",
+		"/<!--\s*wp:pmpro-member-directory\/profile\s*{[^}]*}\s*\/-->/",
+		"/<!-- wp:shortcode -->\s*$shortcodeRegex\s*<!-- \/wp:shortcode -->/s",
+		"/$shortcodeRegex/"
+	);
+
+	$content = preg_replace( $blockWrapperPatterns, '', $content );
+
+	return $content;
+}
+add_filter( 'content_save_pre', 'pmpromd_maybe_strip_shortcodes' );
+add_filter( 'excerpt_save_pre', 'pmpromd_maybe_strip_shortcodes' );
+add_filter( 'widget_update_callback', 'pmpromd_maybe_strip_shortcodes' );
+
+/**
+ * Only allow those with the edit_users capability
+ * to use the Directory or Profile shortcodes in post_meta.
+ *
+ * @since TBD
+ * @param int    $meta_id     ID of the meta data entry.
+ * @param int    $object_id   ID of the object the meta is attached to.
+ * @param string $meta_key    Meta key.
+ * @param mixed  $_meta_value Meta value.
+ * @return void
+ */
+function pmpromd_maybe_strip_shortcodes_from_post_meta( $meta_id, $object_id, $meta_key, $_meta_value ) {
+	// Bail if the value is not a string or array.
+	if ( ! is_string( $_meta_value ) && ! is_array( $_meta_value ) ) {
+		return;
+	}
+
+	// Strip the shortcode from the meta value.
+	$stripped_value = pmpromd_maybe_strip_shortcodes( $_meta_value );
+
+	// If there was a change, save our stripped version.
+	if ( $stripped_value !== $_meta_value ) {
+		update_post_meta( $object_id, $meta_key, $stripped_value );
+	}
+}
+add_action( 'updated_post_meta', 'pmpromd_maybe_strip_shortcodes_from_post_meta', 10, 4 );

readme.txt

@@ -1,9 +1,9 @@
 === Paid Memberships Pro - Member Directory Add On ===
 Contributors: strangerstudios
 Tags: pmpro, paid memberships pro, members, directory
-Requires at least: 5.0
-Tested up to: 6.2
-Stable tag: 1.2.4
+Requires at least: 5.2
+Tested up to: 6.4
+Stable tag: 1.2.5
 
 Add a robust Member Directory and Profiles to Your Membership Site - with attributes to customize the display.
 
@@ -97,6 +97,12 @@ Please post it in the issues section of GitHub and we'll fix it as soon as we ca
 Please visit our premium support site at http://www.paidmembershipspro.com for more documentation and our support forums.
 
 == Changelog ==
+= 1.2.5 - 2024-02-14 =
+* SECURITY: Improved security around using the Directory and Profile shortcode or block to only be used by users that have are able to edit the relevant content and edit_users capability. (@andrewlimaza)
+* REFACTOR: Moved from pmpro_getOption to get_option for better compatibility. (@JarrydLong)
+* REFACTOR: Improved accessibility for screen readers by adjusting the HTML header sizes. (@kimwhite)
+* BUG FIX: Fixed an issue where fields that had default blank values would show up on the profile page (@ipokkel)
+
 = 1.2.4 - 2023-06-28 =
 * ENHANCEMENT: Improved pagination style to display page numbers instead of ... (@JarrydLong)
 * ENHANCEMENT: Improved output on custom fields label values for value => label type of fields. (@andrewlimaza)

templates/directory.php

@@ -173,7 +173,7 @@ function pmpromd_shortcode($atts, $content=null, $code="")
 	</form>
 	<?php } ?>
 
-	<h3 id="pmpro_member_directory_subheading">
+	<h2 id="pmpro_member_directory_subheading">
 		<?php if(!empty($s)) { ?>
 			<?php /* translators: placeholder is for search string entered */ ?>
 			<?php printf(__('Profiles Within <em>%s</em>.','pmpro-member-directory'), stripslashes( ucwords(esc_html($s)))); ?>
@@ -191,7 +191,7 @@ function pmpromd_shortcode($atts, $content=null, $code="")
 				?>)
 			</small>
 		<?php } ?>
-	</h3>
+	</h2>
 	<?php
 	if(!empty($theusers))
 	{
@@ -330,13 +330,13 @@ function pmpromd_shortcode($atts, $content=null, $code="")
 								</td>
 							<?php } ?>
 							<td>
-								<h3 class="pmpro_member_directory_display-name">
+								<h2 class="pmpro_member_directory_display-name">
 									<?php if(!empty($link) && !empty($profile_url)) { ?>
 										<a href="<?php echo esc_url( pmpromd_build_profile_url( $auser, $profile_url ), $profile_url, true ); ?>"><?php echo esc_html( pmpro_member_directory_get_member_display_name( $auser ) ); ?></a>
 									<?php } else { ?>
 										<?php echo esc_html( pmpro_member_directory_get_member_display_name( $auser ) ); ?>
 									<?php } ?>
-								</h3>
+								</h2>
 							</td>
 							<?php if(!empty($show_email)) { ?>
 								<td class="pmpro_member_directory_email">
@@ -480,13 +480,13 @@ function pmpromd_shortcode($atts, $content=null, $code="")
 								<?php } ?>
 							</div>
 						<?php } ?>
-						<h3 class="pmpro_member_directory_display-name">
+						<h2 class="pmpro_member_directory_display-name">
 							<?php if(!empty($link) && !empty($profile_url)) { ?>
 								<a href="<?php echo esc_url( pmpromd_build_profile_url( $auser ), $profile_url ); ?>"><?php echo esc_html( pmpro_member_directory_get_member_display_name( $auser ) ); ?></a>
 							<?php } else { ?>
 								<?php echo esc_html( pmpro_member_directory_get_member_display_name( $auser ) ); ?></a>
 							<?php } ?>
-						</h3>
+						</h2>
 						<?php if(!empty($show_email)) { ?>
 							<p class="pmpro_member_directory_email">
 								<strong><?php _e('Email Address', 'pmpromd'); ?></strong>

templates/profile.php

@@ -391,7 +391,7 @@ function pmpromd_profile_shortcode($atts, $content=null, $code="")
 							$meta_field = $pu->$field_val;
 
 							// If using PMPro 2.10, try use User Field function to display labels.
-							if ( function_exists( 'pmpro_get_label_for_user_field_value' ) && ! empty( $field_val ) ) {
+							if ( function_exists( 'pmpro_get_label_for_user_field_value' ) && ! empty( $field_val ) && ! empty( $meta_field ) ) {
 								$meta_field = pmpro_get_label_for_user_field_value( $field_val, $meta_field );
 							}
 
@@ -462,7 +462,7 @@ function pmpromd_profile_shortcode($atts, $content=null, $code="")
 
 					if ( ! empty( $pu ) && $pu->ID === $current_user->ID ) {
 						// User viewing their own profile. Show an edit profile link if 'Member Profile Edit Page' is set or dashboard access is allowed.
-						if ( ! empty( pmpro_getOption( 'member_profile_edit_page_id' ) ) ) {
+						if ( ! empty( get_option( 'pmpro_member_profile_edit_page_id' ) ) ) {
 							$edit_profile_url = pmpro_url( 'member_profile_edit' );
 						} elseif ( ! pmpro_block_dashboard() ) {
 							$edit_profile_url = admin_url( 'profile.php' );