release: fixes

- Enhanced security
- Updated dependencies

Author: vytisbulkevicius

composer.lock

@@ -697,10 +697,14 @@ public function normalize_urls( $raw ) {
 		$feed_url = apply_filters( 'feedzy_get_feed_url', $feeds );
 		if ( is_array( $feed_url ) ) {
 			foreach ( $feed_url as $index => $url ) {
-				$feed_url[ $index ] = trim( $this->smart_convert( $url ) );
+				if ( wp_http_validate_url( $url ) ) {
+					$feed_url[ $index ] = trim( $this->smart_convert( esc_url_raw( $url ) ) );
+				}
 			}
+		} elseif ( wp_http_validate_url( $feed_url ) ) {
+			$feed_url = trim( $this->smart_convert( esc_url_raw( $feed_url ) ) );
 		} else {
-			$feed_url = trim( $this->smart_convert( $feed_url ) );
+			$feed_url = '';
 		}
 
 		return $feed_url;

includes/abstract/feedzy-rss-feeds-admin-abstract.php

@@ -284,8 +284,9 @@ public function feedzy_register_rest_route() {
 			array(
 				'methods'             => 'POST',
 				'callback'            => array( $this, 'feedzy_rest_route' ),
-				'permission_callback' => function () {
-					return is_user_logged_in();
+				'permission_callback' => function ( WP_REST_Request $request ) {
+					$post_id = absint( $request->get_param( 'postId' ) );
+					return current_user_can( 'edit_post', $post_id );
 				},
 				'args'                => array(
 					'url'      => array(
@@ -398,12 +399,14 @@ public function feedzy_rest_route( $data ) {
 	 */
 	public function feedzy_sanitize_feeds( $input ) {
 		if ( count( $input ) === 1 ) {
-			$feed = esc_url( $input[0] );
+			$feed = wp_http_validate_url( $input[0] );
 			return $feed;
 		} else {
 			$feeds = array();
 			foreach ( $input as $item ) {
-				$feeds[] = esc_url( $item );
+				if ( wp_http_validate_url( $item ) ) {
+					$feeds[] = esc_url_raw( $item );
+				}
 			}
 			return $feeds;
 		}

includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php

@@ -194,11 +194,12 @@ class Editor extends Component {
 				.filter((item) => item !== '');
 			url = queryString.stringify({ url }, { arrayFormat: 'bracket' });
 		}
+		const postId = wp.data.select('core/editor').getCurrentPostId();
 
 		apiFetch({
 			path: `/feedzy/v1/feed?${url}`,
 			method: 'POST',
-			data: this.props.attributes,
+			data: {...this.props.attributes, postId: postId},
 		})
 			.then((data) => {
 				if (this.unmounting) {
@@ -311,16 +312,20 @@ class Editor extends Component {
 
 	getImageURL(item, background) {
 		let url;
-		if (item.thumbnail && this.props.attributes.thumb === 'auto') {
-			url = item.thumbnail;
+		if (
+			item.thumbnail &&
+			this.props.attributes.thumb === 'auto' &&
+			item.thumbnail !== item.default_img
+		) {
+			url = item.thumbnail.replace(/http:/g, 'https:');
 		} else if (this.props.attributes.default) {
 			url = this.props.attributes.default.url;
+		} else if (item.default_img) {
+			url = item.default_img;
 		} else {
 			url = window.feedzyjs.imagepath + 'feedzy.svg';
 		}
 
-		url = url.replace(/http:/g, 'https:');
-
 		if (background) {
 			url = 'url("' + url + '")';
 		}

js/FeedzyBlock/Editor.js

@@ -124,4 +124,30 @@ test.describe('Feedzy Classic Block', () => {
 		const image = page.locator('.feedzy-rss .rss_image img');
 		await expect(image).toHaveAttribute('style', /aspect-ratio:\s*auto;/i);
 	});
+
+	test('embed youtube video', async ({ editor, page, admin }) => {
+		await admin.createNewPost();
+
+		await editor.insertBlock({
+			name: 'feedzy-rss-feeds/feedzy-block',
+			attributes: {
+				feeds: 'https://www.youtube.com/feeds/videos.xml?channel_id=UCSHmNs-_UuU1CfPhSbilTZQ',
+				max: 1,
+			},
+		});
+
+		const postId = await editor.publishPost();
+		await page.goto(`/?p=${postId}`);
+
+		const rssContainer = page.locator('.rss_item').first();
+		await expect(rssContainer).toBeVisible();
+
+		const youtubeLink = rssContainer
+			.locator('a[href*="youtube.com/"]')
+			.first();
+		await expect(youtubeLink).toBeVisible();
+
+		const image = rssContainer.locator('img').first();
+		await expect(image).toBeVisible();
+	});
 });

tests/e2e/specs/classic-block.spec.js

@@ -304,4 +304,31 @@ test.describe('Feed Import', () => {
 			page.locator('.attachment').count()
 		).resolves.toBeGreaterThan(0); // We should have some imported images.
 	});
+
+	test('close Feedzy Action modal when clicking outside', async ({
+		page,
+	}) => {
+		await page.goto('/wp-admin/post-new.php?post_type=feedzy_imports');
+		await tryCloseTourModal(page);
+
+		await page
+			.getByRole('button', { name: 'Step 3 Map content ' })
+			.click();
+
+		await expect(
+			page.getByText('Post Title item title Item')
+		).toBeVisible();
+
+		await page.getByTitle('item title').getByRole('link').click();
+
+		await expect(
+			page.getByRole('heading', { name: 'Add actions to this tag' })
+		).toBeVisible();
+
+		await page.locator('body').click({ position: { x: 0, y: 0 } });
+
+		await expect(
+			page.getByRole('heading', { name: 'Add actions to this tag' })
+		).not.toBeVisible();
+	});
 });