Merge pull request #46 from the-events-calendar/fix/switch-to-json-fr…

…om-serialize

Switch serialize/unserialize to JSON string handling

lib/tribe-filters.class.php

@@ -142,7 +142,7 @@ public function get_filters() {
 	 */
 	public function set_active( $active = null ) {
 		if ( ! empty( $active ) ) {
-			$this->active = $active;
+			$this->active = (array) $active;
 			$this->cache_last_query( $active );
 		}
 	}
@@ -330,7 +330,20 @@ public function init_active() {
 		if ( isset( $_GET['saved_filter'] ) && $_GET['saved_filter'] > 0 ) {
 
 			$filterset = get_post( $_GET['saved_filter'] );
-			$active = unserialize( $filterset->post_content );
+			if ( substr( $filterset->post_content, 0, 2 ) === 'a:' ) {
+				// If post_content is serialized, grab it and update it to json_encoded.
+				$active = unserialize( $filterset->post_content );
+
+				if ( $active ) {
+					wp_update_post( [
+						'ID'           => $filterset->ID,
+						'post_content' => json_encode( $active ),
+					] );
+				}
+			} else {
+				$active = json_decode( $filterset->post_content, true );
+			}
+
 			if ( $active ) {
 				$this->set_active( $active );
 				$this->saved_active = $filterset;
@@ -403,7 +416,7 @@ public function update_or_delete_saved_filters() {
 		// update the filter with currently active stuff
 		if ( isset( $_POST['tribe-update-saved-filter'] ) ) {
 			$filter = get_post( $_POST['tribe-saved-filter-active'] );
-			$filter->post_content = serialize( $this->active );
+			$filter->post_content = json_encode( $this->active );
 			wp_update_post( $filter );
 		}
 
@@ -445,7 +458,7 @@ protected function last_query() {
 	}
 
 	protected function cache_last_query( $query ) {
-		return update_user_meta( get_current_user_id(), 'last_used_filters_'.$this->filtered_post_type, $query );
+		return update_user_meta( get_current_user_id(), 'last_used_filters_'.$this->filtered_post_type, json_encode( $query ) );
 	}
 
 	protected function clear_last_query() {
@@ -500,7 +513,7 @@ protected function save_filter() {
 		}
 
 		$filter = array(
-			'post_content' => serialize( $this->active ),
+			'post_content' => json_encode( $this->active ),
 			'post_title' => $_POST['filter_name'],
 			'post_type' => self::FILTER_POST_TYPE,
 			'post_status' => 'publish',

package.json

@@ -1,6 +1,6 @@
 {
   "name": "advanced-post-manager",
-  "version": "4.5.1",
+  "version": "4.5.2",
   "repository": "[email protected]:the-events-calendar/advanced-post-manager.git",
   "_zipname": "advanced-post-manager",
   "_zipfoldername": "advanced-post-manager",

readme.txt

@@ -6,7 +6,7 @@ Tags: developer-tools, custom post, filter, column, metabox, taxonomy, wp-admin,
 Requires at least: 5.6
 Tested up to: 5.8.2
 License: GPL v2
-Stable tag: 4.5.1
+Stable tag: 4.5.2
 Requires PHP: 7.1
 
 Turbo charge your posts admin for any custom post type with sortable filters and columns, and auto-registration of metaboxes.
@@ -67,9 +67,13 @@ Our Premium Plugins and Services:
 
 == Changelog ==
 
+= [4.5.2] 2022-07-14 =
+
+* Security - Store filter data using JSON rather than serialized strings for safer and smaller strings.
+
 = [4.5.1] 2021-12-03 =
 
-* Fix - Use WP-provided jQuery UI datepicker to resolve JS error when interacting with filters. (props to @ethanclevenger91) 
+* Fix - Use WP-provided jQuery UI datepicker to resolve JS error when interacting with filters. (props to @ethanclevenger91)
 
 = [4.5] 2019-02-14 =
 

tribe-apm.php

@@ -2,7 +2,7 @@
 /*
  Plugin Name: Advanced Post Manager
  Description: Dialing custom post types to 11 with advanced filtering controls.
- Version: 4.5.1
+ Version: 4.5.2
  Author: Modern Tribe, Inc.
  Author URI: https://evnt.is/4n
  Text Domain: advanced-post-manager
@@ -45,7 +45,7 @@ class Tribe_APM {
 	/**
 	 * The current version of iCal Importer
 	 */
-	const VERSION = '4.5.1';
+	const VERSION = '4.5.2';
 
 	protected $textdomain = 'advanced-post-manager';
 	protected $args;