Merge pull request #890 from kprajapatii/master

Improve image validation during the cropping process - FIXED/SECURITY

Author: kprajapatii

includes/class-forms.php

@@ -103,25 +103,24 @@ public function handler() {
 		}
 
 		if ( $processed ) {
-
 			if ( is_wp_error( $errors ) ) {
-				echo aui()->alert(
-                    array( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
-					'type'    => 'error',
-					'class'   => 'text-center',
-					'content' => wp_kses_post( $errors->get_error_message() ),
-                    )
-                );
-			} elseif ( $redirect ) {
+				aui()->alert(
+					array(
+						'type'    => 'error',
+						'content' => wp_kses_post( $errors->get_error_message() )
+					),
+					true
+				);
+			} else if ( $redirect ) {
 					wp_safe_redirect( $redirect );
 					exit();
-				} else {
-				echo aui()->alert(
-				array( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
-				'type'    => 'success',
-				'class'   => 'text-center',
-				'content' => wp_kses_post( $message ),
-                    )
+			} else {
+				aui()->alert(
+					array(
+						'type'    => 'success',
+						'content' => wp_kses_post( $message )
+					),
+					true
 				);
 			}
 		}
@@ -197,6 +196,7 @@ public function process_upload_submit( $data = array(), $files = array(), $type
 	 */
 	public function process_image_crop( $data = array(), $type = 'avatar', $unlink_prev_img = false ) {
 		global $wpdb;
+
 		if ( ! is_user_logged_in() ) {
 			return false;
 		}
@@ -205,6 +205,27 @@ public function process_image_crop( $data = array(), $type = 'avatar', $unlink_p
 			return;
 		}
 
+		$image_url = ! empty( $data['uwp_crop'] ) ? esc_url( $data['uwp_crop'] ) : '';
+
+		if ( empty( $image_url ) ) {
+			return new WP_Error( 'empty_image', __( 'Upload valid image.', 'userswp' ) );
+		}
+
+		// Ensure we have a valid URL with an allowed meme type.
+		$image_url = $this->normalize_url( $image_url );
+
+		$content_url = str_replace( array( 'https://', 'http://' ) , '', untrailingslashit( WP_CONTENT_URL ) );
+		$_image_url = str_replace( array( 'https://', 'http://' ), '', $image_url );
+		if ( strpos( $_image_url, $content_url ) !== 0 ) {
+			return new WP_Error( 'invalid_image', __( 'Invalid image url.', 'userswp' ) );
+		}
+
+		$filetype = wp_check_filetype( $image_url );
+
+		if ( empty( $filetype['ext'] ) ) {
+			return new WP_Error( 'invalid_image', __( 'Invalid image type.', 'userswp' ) );
+		}
+
 		// If is current user's profile (profile.php)
 		if ( is_admin() && defined( 'IS_PROFILE_PAGE' ) && IS_PROFILE_PAGE ) {
 			$user_id = get_current_user_id();
@@ -216,19 +237,6 @@ public function process_image_crop( $data = array(), $type = 'avatar', $unlink_p
 			$user_id = get_current_user_id();
 		}
 
-		// Ensure we have a valid URL with an allowed meme type.
-		$image_url = $this->normalize_url( esc_url( $data['uwp_crop'] ) );
-		$filetype  = wp_check_filetype( $image_url );
-
-		$errors = new WP_Error();
-		if ( empty( $image_url ) || empty( $filetype['ext'] ) ) {
-			$errors->add( 'something_wrong', __( 'Something went wrong. Please contact site admin.', 'userswp' ) );
-		}
-
-		if ( $errors->has_errors() ) {
-			return $errors;
-		}
-
 		// Retrieve current thumbnail.
 		$current_field     = 'avatar' === $type ? 'avatar_thumb' : 'banner_thumb';
 		$current_thumbnail = $this->normalize_url( uwp_get_usermeta( $user_id, $current_field, '' ) );
@@ -253,11 +261,12 @@ public function process_image_crop( $data = array(), $type = 'avatar', $unlink_p
 			$name                 = sanitize_file_name( pathinfo( $image_path, PATHINFO_FILENAME ) ); //file name without extension
 			$thumb_image_name     = $name . $thumb_postfix . '.' . $ext;
 			$thumb_image_location = str_replace( $name . '.' . $ext, $thumb_image_name, $image_path );
+
 			//Get the new coordinates to crop the image.
-			$x = $data['x'];
-			$y = $data['y'];
-			$w = $data['w'];
-			$h = $data['h'];
+			$x = $data['uwpx'];
+			$y = $data['uwpy'];
+			$w = $data['uwpw'];
+			$h = $data['uwph'];
 			//Scale the image based on cropped width setting
 			$scale = $full_width / $w;
 			//$scale = 1; // no scaling

includes/class-userswp.php

@@ -571,7 +571,7 @@ public function load_forms_actions_and_filters( $instance ) {
 
 		// general
 		add_action( 'init', array( $instance, 'init_notices' ), 1 );
-		add_action( 'uwp_loaded', array( $instance, 'handler' ) );
+		add_action( 'init', array( $instance, 'handler' ), 11 );
 		add_action( 'init', array( $instance, 'privacy_submit_handler' ) );
 		add_action( 'uwp_template_display_notices', array( $instance, 'display_notices' ), 10, 1 );
 		add_action( 'wp_ajax_uwp_upload_file_remove', array( $instance, 'upload_file_remove' ) );

readme.txt

@@ -152,6 +152,9 @@ Yes, you can customize it with Elementor, but also with Gutenberg, Divi, Beaver
 
 == Changelog ==
 
+= 1.2.59 - 2026-03-TBD =
+* Improve image validation during the cropping process - FIXED/SECURITY
+
 = 1.2.58 - 2026-03-26 =
 * UsersWP import workflow CSV import security improvement - FIXED/SECURITY
 * Invalid activation link for usernames that contain spaces or special characters - FIXED

templates/bootstrap/modal-profile-image-crop.php

@@ -36,28 +36,28 @@
                 echo aui()->input(array( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	                'type'  =>  'hidden',
 	                'id'    =>  esc_html( $type.'-x' ),
-	                'name'  =>  'x',
+	                'name'  =>  'uwpx',
 	                'value' =>  '',
 	                'no_wrap' => true,
                 ));
                 echo aui()->input(array( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	                'type'  =>  'hidden',
 	                'id'    =>  esc_html( $type.'-y' ),
-	                'name'  =>  'y',
+	                'name'  =>  'uwpy',
 	                'value' =>  '',
 	                'no_wrap' => true,
                 ));
                 echo aui()->input(array( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	                'type'  =>  'hidden',
 	                'id'    =>  esc_html( $type.'-w' ),
-	                'name'  =>  'w',
+	                'name'  =>  'uwpw',
 	                'value' =>  '',
 	                'no_wrap' => true,
                 ));
                 echo aui()->input(array( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	                'type'  =>  'hidden',
 	                'id'    =>  esc_html( $type.'-h' ),
-	                'name'  =>  'h',
+	                'name'  =>  'uwph',
 	                'value' =>  '',
 	                'no_wrap' => true,
                 ));

templates/bootstrap/profile-header.php

@@ -23,7 +23,9 @@
 	return;
 }
 
-if ( ! $uwp_in_user_loop ){ ?>
+if ( ! $uwp_in_user_loop ) {
+do_action( 'uwp_template_display_notices', 'profile' );
+?>
 <div class="card shadow-0 border-0 mw-100"><?php }
 
 	if ( ! $hide_cover ) {

templates/modal-profile-image-crop.php

@@ -34,10 +34,10 @@
 				<div class="uwp-<?php echo esc_attr( $type ); ?>-crop-p-wrap">
 					<div id="<?php echo esc_attr( $type ); ?>-crop-actions">
 						<form class="uwp-crop-form" method="post">
-							<input type="hidden" name="x" value="" id="<?php echo esc_attr( $type ); ?>-x" />
-							<input type="hidden" name="y" value="" id="<?php echo esc_attr( $type ); ?>-y" />
-							<input type="hidden" name="w" value="" id="<?php echo esc_attr( $type ); ?>-w" />
-							<input type="hidden" name="h" value="" id="<?php echo esc_attr( $type ); ?>-h" />
+							<input type="hidden" name="uwpx" value="" id="<?php echo esc_attr( $type ); ?>-x" />
+							<input type="hidden" name="uwpy" value="" id="<?php echo esc_attr( $type ); ?>-y" />
+							<input type="hidden" name="uwpw" value="" id="<?php echo esc_attr( $type ); ?>-w" />
+							<input type="hidden" name="uwph" value="" id="<?php echo esc_attr( $type ); ?>-h" />
 							<input type="hidden" id="uwp-<?php echo esc_attr( $type ); ?>-crop-image" name="uwp_crop" value="<?php echo esc_attr( $image_url ); ?>" />
 							<input type="hidden" name="uwp_crop_nonce" value="<?php echo esc_attr( wp_create_nonce( 'uwp_crop_nonce_'.$type ) ); ?>" />
 							<input type="submit" name="uwp_<?php echo esc_attr( $type ); ?>_crop" value="<?php esc_attr_e('Apply', 'userswp'); ?>" class="button button-primary" id="save_uwp_<?php echo esc_attr( $type ); ?>" />