Merge pull request #2048 from rtCamp/develop

Version update v4.6.19

Author: pavanpatil1

README.md

@@ -138,7 +138,7 @@ https://www.youtube.com/watch?v=dJrykKQGDcs
 2.  BuddyPress Settings
 3.  Media Types Settings
 4.  Media Size Settings
-5.  Privacy Settings 
+5.  Privacy Settings
 6.  Other Setiings
 7.  Export/Import Settings
 8.  Media View
@@ -152,6 +152,11 @@ https://www.youtube.com/watch?v=dJrykKQGDcs
 
 ## Changelog ##
 
+### 4.6.19 [April 16, 2024] ###
+* Fixed
+	* Fixed shortcode security issue.
+
+
 ### 4.6.18 [January 16, 2024] ###
 
 * Fixed
@@ -182,9 +187,9 @@ https://www.youtube.com/watch?v=dJrykKQGDcs
 
 * Fixed
 
-	* Fixed PHP deprecation warnings. 
-    * Fixed BuddyPress Versioning issue 
-    * Fixed Security issue. 
+	* Fixed PHP deprecation warnings.
+    * Fixed BuddyPress Versioning issue
+    * Fixed Security issue.
     * Fixed Video player UI issues.
 
 ### 4.6.15 [September 4, 2023] ###
@@ -214,29 +219,29 @@ https://www.youtube.com/watch?v=dJrykKQGDcs
 ### 4.6.13 [December 12, 2022] ###
 
 * Enhancement
-   
+
     * Compatible with WordPress latest version 6.1.1
-    * Compatible with PHP 8.0.0 
+    * Compatible with PHP 8.0.0
     * Refactored code base.
 
 * Fixed
-    
+
     * Fixed save settings not working issue.
     * Fixed media tab not visible on groups page.
 
-  
+
 ### 4.6.12 [June 16, 2022] ###
 
 * Enhancement
 
-    * Compatible with BP-Rewrites latest version. 
+    * Compatible with BP-Rewrites latest version.
     * Compatible with with WordPress latest version 6.0.
 
 * Fixed
 
-    * UI/UX Issues. 
-    * Fixed album count issue for non-admin user and group albums. 
-    * Fixed Video thumbnail issue. 
+    * UI/UX Issues.
+    * Fixed album count issue for non-admin user and group albums.
+    * Fixed Video thumbnail issue.
 
 
 ### 4.6.11 [April 27, 2022] ###
@@ -257,12 +262,12 @@ https://www.youtube.com/watch?v=dJrykKQGDcs
 
 * Enhancement
 
-    * Compatible with latest of WordPress v5.9. 
-    * Compatible with latest version of BuddyPress v10.0.0. 
+    * Compatible with latest of WordPress v5.9.
+    * Compatible with latest version of BuddyPress v10.0.0.
 
 * New Feature
 
-	* Edit media option on activity stream with [BuddyPress Edit Activity](https://wordpress.org/support/plugin/buddypress-edit-activity/). 
+	* Edit media option on activity stream with [BuddyPress Edit Activity](https://wordpress.org/support/plugin/buddypress-edit-activity/).
 
 * Fixed
 
@@ -275,14 +280,14 @@ https://www.youtube.com/watch?v=dJrykKQGDcs
 
 * Enhancement
 
-	* Added album search functionality. 
+	* Added album search functionality.
 	* Added capability to group admin and mod to edit/delete the album.
 
 * FIXED
 
-	* UI/UX issues. 
-	* Able to upload media to comment if the activity steam option is disabled. 
-	* Fixed pagination issue. 
+	* UI/UX issues.
+	* Able to upload media to comment if the activity steam option is disabled.
+	* Fixed pagination issue.
 	* Fixed RTL issues.
 
 ### 4.6.8 [October 26, 2021] ###
@@ -406,8 +411,8 @@ https://www.youtube.com/watch?v=dJrykKQGDcs
 	* Add new class on activity page based on the uploaded media type
 
 * FIXED
-	* Post Update button issue with BuddyPress Nouveau template 
-	* Issue when user uploads the media with link in comment on buddypress activity 
+	* Post Update button issue with BuddyPress Nouveau template
+	* Issue when user uploads the media with link in comment on buddypress activity
 
 ### 4.5.8 [August 6, 2019] ###
 
@@ -432,8 +437,8 @@ https://www.youtube.com/watch?v=dJrykKQGDcs
     * Issue of entering text in text area when Direct Upload and Upload terms enabled together
     * UI of pagination button height and text field
     * Export/Import button issue in Firefox browser
-    * Issue of direct upload and media was not opening in lightbox with TwentySeventeen theme v2.1 
-    * Empty space issue for generated activity when media is uploaded without adding text 
+    * Issue of direct upload and media was not opening in lightbox with TwentySeventeen theme v2.1
+    * Empty space issue for generated activity when media is uploaded without adding text
     * Other Errors, Warnings and notices
     * Group Activity media are not shown in Group Media tab with BuddyPress Nouveau Template
     * User’s name autosuggestion
@@ -495,11 +500,11 @@ https://www.youtube.com/watch?v=dJrykKQGDcs
 * NEW
 
 	 * Added JavaScript hook to handle uploader slide event [Doc](https://rtmedia.io/docs/developers/hooks/rtmedia-js-hooks/#rtmediajsuploaderslideaftergalleryreload)
-	 
+
 * ENHANCEMENT
 
 	 * Added translation support for “Search Media” string
-	 
+
 * FIXED
 
 	 * PHP notices

app/helper/RTMediaModel.php

@@ -122,6 +122,20 @@ public function get( $columns, $offset = false, $per_page = false, $order_by = '
 		}
 		$qgroup_by = ' ';
 
+		$allowed_order_columns = array( 'media_id', 'date', 'name' ); // Define allowed columns.
+		list( $order_column, $order_direction ) = explode( ' ', $order_by . ' ' ); // Default to space if no direction provided.
+
+		if ( ! in_array( strtolower( $order_column ), $allowed_order_columns ) || ! in_array(
+			strtolower( $order_direction ),
+			array(
+				'asc',
+				'desc',
+				'',
+			)
+		) ) {
+			$order_by = 'media_id desc'; // Default order.
+		}
+
 		if ( $order_by ) {
 			$order_by  = esc_sql( $order_by );
 			$qorder_by = " ORDER BY {$this->table_name}.{$order_by}";

app/main/routers/query/RTMediaQuery.php

@@ -632,8 +632,8 @@ public function &query( $query ) {
 			$this->query['activity_id'] = array( 'value' );
 			global $wpdb;
 			// todo cache.
-			$sql_query                           = "select id from {$wpdb->prefix}bp_activity where item_id = 0  and type = 'rtmedia_update'";
-			$this->query['activity_id']['value'] = $wpdb->get_col( $sql_query ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+			$sql_query = $wpdb->prepare( "SELECT id FROM {$wpdb->prefix}bp_activity WHERE item_id = %d AND type = %s", 0, 'rtmedia_update' );
+			$this->query['activity_id']['value'] = $wpdb->get_col( $sql_query );
 		}
 
 		if ( isset( $this->query ) && isset( $this->query['global'] ) ) {

index.php

@@ -3,7 +3,7 @@
  * Plugin Name: rtMedia for WordPress, BuddyPress and bbPress
  * Plugin URI: https://rtmedia.io/?utm_source=dashboard&utm_medium=plugin&utm_campaign=buddypress-media
  * Description: This plugin adds missing media rich features like photos, videos and audio uploading to BuddyPress which are essential if you are building social network, seriously!
- * Version: 4.6.18
+ * Version: 4.6.19
  * Author: rtCamp
  * Text Domain: buddypress-media
  * Author URI: http://rtcamp.com/?utm_source=dashboard&utm_medium=plugin&utm_campaign=buddypress-media
@@ -19,7 +19,7 @@
 	/**
 	 * The version of the plugin
 	 */
-	define( 'RTMEDIA_VERSION', '4.6.18' );
+	define( 'RTMEDIA_VERSION', '4.6.1' );
 }
 
 if ( ! defined( 'RTMEDIA_PATH' ) ) {
@@ -144,4 +144,4 @@ function rtmedia_plugin_deactivate() {
 require_once 'app/main/RTMediaUploadTerms.php';
 
 // Require deactivation survey installer.
-require_once RTMEDIA_PATH . '/lib/deactivation-survey/deactivation-survey.php';
+require_once RTMEDIA_PATH . '/lib/deactivation-survey/deactivation-survey.php';

languages/buddypress-media.po

@@ -2,9 +2,9 @@
 # This file is distributed under the same license as the rtMedia for WordPress, BuddyPress and bbPress package.
 msgid ""
 msgstr ""
-"Project-Id-Version: rtMedia for WordPress, BuddyPress and bbPress 4.6.18\n"
+"Project-Id-Version: rtMedia for WordPress, BuddyPress and bbPress 4.6.19\n"
 "Report-Msgid-Bugs-To: https://rtmedia.io/support/\n"
-"POT-Creation-Date: 2024-01-16 04:41:16+00:00\n"
+"POT-Creation-Date: 2024-04-16 07:27:16+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"

readme.txt

@@ -5,7 +5,7 @@ License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 Requires at least: WordPress 4.1
 Tested up to: 6.4.2
-Stable tag: 4.6.18
+Stable tag: 4.6.19
 
 Add albums, photo, audio/video upload, privacy, sharing, front-end uploads & more. All this works on mobile/tablets devices.
 
@@ -119,7 +119,7 @@ http://www.youtube.com/watch?v=dJrykKQGDcs
 2.  BuddyPress Settings
 3.  Media Types Settings
 4.  Media Size Settings
-5.  Privacy Settings 
+5.  Privacy Settings
 6.  Other Setiings
 7.  Export/Import Settings
 8.  Media View
@@ -133,6 +133,12 @@ http://www.youtube.com/watch?v=dJrykKQGDcs
 
 == Changelog ==
 
+= 4.6.19 [April 16, 2024] =
+
+* Fixed
+
+	* Fixed shortcode security issue.
+
 = 4.6.18 [January 16, 2024] =
 
 * Fixed
@@ -195,13 +201,13 @@ http://www.youtube.com/watch?v=dJrykKQGDcs
 = 4.6.13 [December 12, 2022] =
 
 * Enhancement
-   
+
  * Compatible with WordPress latest version 6.1.1
- * Compatible with PHP 8.0.0 
+ * Compatible with PHP 8.0.0
  * Refactored code base.
 
 * Fixed
-    
+
  * Fixed save settings not working issue.
  * Fixed media tab not visible on groups page.
 
@@ -210,14 +216,14 @@ http://www.youtube.com/watch?v=dJrykKQGDcs
 
 * Enhancement
 
- * Compatible with BP-Rewrites latest version. 
+ * Compatible with BP-Rewrites latest version.
  * Compatible with with WordPress latest version 6.0.
 
 * Fixed
 
- * UI/UX Issues. 
- * Fixed album count issue for non-admin user and group albums. 
- * Fixed Video thumbnail issue. 
+ * UI/UX Issues.
+ * Fixed album count issue for non-admin user and group albums.
+ * Fixed Video thumbnail issue.
 
 = 4.6.11 [April 27, 2022] =
 
@@ -237,12 +243,12 @@ http://www.youtube.com/watch?v=dJrykKQGDcs
 
 * Enhancement
 
- * Compatible with WordPress latest version v5.9. 
- * Compatible with latest version of BuddyPress v10.0.0. 
+ * Compatible with WordPress latest version v5.9.
+ * Compatible with latest version of BuddyPress v10.0.0.
 
 * New Feature
 
- * Edit media option on activity stream with BuddyPress Edit Activity. 
+ * Edit media option on activity stream with BuddyPress Edit Activity.
 
 * Fixed
 
@@ -255,15 +261,15 @@ http://www.youtube.com/watch?v=dJrykKQGDcs
 
 * Enhancement
 
- * Added album search functionality. 
+ * Added album search functionality.
  * Added capability to group admin and mod to edit/delete the album.
 
 * FIXED
 
- * UI/UX issues. 
- * Able to upload media to comment if the activity steam option is disabled. 
- * Fixed pagination issue. 
- * Fixed RTL issues. 
+ * UI/UX issues.
+ * Able to upload media to comment if the activity steam option is disabled.
+ * Fixed pagination issue.
+ * Fixed RTL issues.
 
 
 = 4.6.8 [October 26, 2021] =
@@ -1884,6 +1890,9 @@ http://www.youtube.com/watch?v=dJrykKQGDcs
 
 == Upgrade Notice ==
 
+= 4.6.19 =
+rtMedia 4.6.19 with shortcode security fixes.
+
 = 4.6.18 =
 rtMedia 4.6.18 with fixes related to group media.