Merge pull request #891 from kprajapatii/master

Improper Access Control fixes - FIXED/SECURITY

Author: kprajapatii

admin/settings/class-formbuilder.php

@@ -1818,7 +1818,7 @@ public static function validation_pattern( $output, $result_str, $cf, $field_inf
                 'label'      => __( 'Validation Pattern', 'userswp' ) . uwp_help_tip( __( 'Enter regex expression for HTML5 pattern validation.', 'userswp' ) ),
                 'type'       => 'text',
                 'wrap_class' => uwp_advanced_toggle_class(),
-                'value'      => addslashes_gpc( $value ), // Keep slashes
+                'value'      => wp_slash( $value ), // Keep slashes
             )
         );
 

assets/js/users-wp.js

@@ -106,8 +106,9 @@ jQuery(window).on('load',function () {
         $( '.uwp_upload_file_remove' ).on( 'click', function( event ) {
             event.preventDefault();
 
-            var htmlvar =  $( this ).data( 'htmlvar' );
-            var uid =  $( this ).data( 'uid' );
+            var $this = $(this);
+            var htmlvar =  $this.data( 'htmlvar' );
+            var uid =  $this.data( 'uid' );
 
             var data = {
                 'action': 'uwp_upload_file_remove',
@@ -116,17 +117,25 @@ jQuery(window).on('load',function () {
                 'security': uwp_localize_data.basicNonce
             };
 
+            if ($this.closest("form").find('.uwp-field-error').length) {
+                $this.closest("form").find('.uwp-field-error').remove();
+            }
+
             jQuery.ajax({
                 url: uwp_localize_data.ajaxurl,
                 type: 'POST',
                 data: data,
                 dataType: 'json'
             }).done(function(res, textStatus, jqXHR) {
-                if (typeof res == 'object' && res.success) {
-                    $("#"+htmlvar+"_row").find(".uwp_file_preview_wrap").remove();
-                    $("#"+htmlvar).closest("td").find(".uwp_file_preview_wrap").remove();
-                    if($('input[name='+htmlvar+']').data( 'is-required' )){
-                        $('input[name='+htmlvar+']').prop('required',true);
+                if (res && typeof res == 'object') {
+                    if (res.success) {
+                        $("#"+htmlvar+"_row").find(".uwp_file_preview_wrap").remove();
+                        $("#"+htmlvar).closest("td").find(".uwp_file_preview_wrap").remove();
+                        if($('input[name='+htmlvar+']').data( 'is-required' )){
+                            $('input[name='+htmlvar+']').prop('required',true);
+                        }
+                    } else if (res.data && typeof res.data == 'object' && res.data.message) {
+                        $this.parent(".uwp_file_preview_wrap").append('<div class="uwp-field-error">' + res.data.message + '</div>');
                     }
                 }
             });