Merge branch 'develop'

Author: mecha

CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [4.20] - 2022-01-18
+### Added
+* New option to use feed item GUIDs instead of permalinks to detect duplicate items.
+
+### Changed
+* Small performance improvement when importing feed items.
+
+### Fixed
+* A warning about `get_headers()` only working with URLs.
+* A warning about iteration over a non-array value.
+* An AJAX XSS vulnerability on the Feed Sources page. Thanks WPScan!
+
 ## [4.19.3] - 2021-11-24
 ### Fixed
 * An error during cron schedule filtering.

includes/Aventura/Wprss/Core/Licensing/Settings.php

@@ -349,11 +349,13 @@ public function renderActivateLicenseButton( $args ) {
         );
 
         $license = $manager->getLicense($addonId);
+        $licenseValid = $license !== null && $license->isValid();
+        $licenseKey = $license !== null ? $license->getKey() : null;
 
-        if ($license !== null && !$license->isInvalid() && ($licenseKey = $license->getKey()) && !empty($licenseKey)) {
+        if ($licenseValid && !empty($licenseKey)) {
             if (!is_object($data)) {
                 printf(
-                    '<p><small>%</small></p>',
+                    '<p><small>%s</small></p>',
                     __(
                         'Failed to get license information. This is a temporary problem. Check your internet connection and try again later.',
                         'wprss'

includes/admin-display.php

@@ -483,27 +483,25 @@ function wprss_fetch_feeds_action_hook()
 {
     $response = wprss()->createAjaxResponse();
     $wprss = wprss();
-    $kFeedSourceId = 'feed_source_id';
-    try {
-        $kId = 'id';
-        if (!isset($_POST[$kId]) || empty($_POST[$kId])) {
-            throw new Exception($wprss->__('Could not schedule fetch: source ID must be specified'));
-        }
-        $id = $_POST['id'];
-        $response->setAjaxData($kFeedSourceId, $id);
+    $feedIdKey = 'feed_source_id';
 
+    try {
         if (!current_user_can('edit_feed_sources')) {
-            throw new Exception($wprss->__([
-                'Could not schedule fetch for source #%1$s: user must have sufficient privileges',
-                $id,
-            ]));
+            throw new Exception(__('Could not schedule fetch for feed source: user must have sufficient privileges.'));
         }
 
         // Verify admin referer
         if (!wprss_verify_nonce('wprss_feed_source_action', 'wprss_admin_ajax_nonce')) {
-            throw new Exception($wprss->__(['Could not schedule fetch for source #%1$s: nonce is expired', $id]));
+            throw new Exception(__('Could not schedule fetch for feed source: nonce is invalid.', 'wprss'));
         }
 
+        $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
+        if (!$id) {
+            throw new Exception($wprss->__('Could not schedule fetch: feed source ID is invalid or was not specified'));
+        }
+        $response->setAjaxData($feedIdKey, $id);
+
+
         update_post_meta($id, 'wprss_force_next_fetch', '1');
 
         // Prepare the schedule args
@@ -534,7 +532,7 @@ function wprss_fetch_feeds_action_hook()
     } catch (Exception $e) {
         $response = wprss()->createAjaxErrorResponse($e);
         if (isset($id)) {
-            $response->setAjaxData($kFeedSourceId, $id);
+            $response->setAjaxData($feedIdKey, $id);
         }
         echo $response->getBody();
         exit();

includes/admin-help-metaboxes.php

@@ -56,6 +56,13 @@
             'wprss'
         ),
 
+        'wprss_use_guids' => __(
+            'Enable this option to identify duplicate feed items by their GUIDs, rather than by their permalink.' .
+            "\n\n" .
+            'This can be useful when the feed items share the same permalink, and so not all feed items would get imported.',
+            'wprss'
+        ),
+
         'wprss_import_source' => __(
             'Tick this box to get the site name and URL from the RSS feed, for each item individually.' .
             "\n\n" .

includes/admin-metaboxes.php

@@ -122,6 +122,12 @@ function wprss_get_custom_fields()
         'type' => 'checkbox',
     ];
 
+    $wprss_meta_fields['use_guids'] = [
+        'label' => __('Use GUIDs', 'wprss'),
+        'id' => $prefix . 'use_guids',
+        'type' => 'checkbox',
+    ];
+
     // for extensibility, allows more meta fields to be added
     return apply_filters('wprss_fields', $wprss_meta_fields);
 }

includes/feed-importing-images.php

@@ -464,7 +464,10 @@ function wpra_get_item_enclosure_images($item)
             continue;
         }
 
-        foreach ($enclosure->get_thumbnails() as $thumbnail) {
+        $thumbnails = $enclosure->get_thumbnails();
+        $thumbnails = is_array($thumbnails) ? $thumbnails : [];
+
+        foreach ($thumbnails as $thumbnail) {
             if (empty($thumbnail)) {
                 continue;
             }
@@ -1036,7 +1039,8 @@ function wpra_image_feature_enabled($feature)
  */
 function wpra_is_url_an_image($url)
 {
-    $headers = get_headers($url, true);
+    $headers = @get_headers($url, true);
+    $headers = is_array($headers) ? $headers : [];
     $headers = array_change_key_case($headers, CASE_LOWER);
 
     if (empty($headers['content-type'])) {