Merge branch 'main' into install-kit-event

assets/dev/js/frontend/utils/video-api/youtube-loader.js

@@ -6,7 +6,7 @@ export default class YoutubeLoader extends BaseLoader {
 	}
 
 	getURLRegex() {
-		return /^(?:https?:\/\/)?(?:www\.)?(?:m\.)?(?:youtu\.be\/|youtube\.com\/(?:(?:watch)?\?(?:.*&)?vi?=|(?:embed|v|vi|user)\/))([^?&"'>]+)/;
+		return /^(?:https?:\/\/)?(?:www\.)?(?:m\.)?(?:youtu\.be\/|youtube\.com\/(?:(?:watch)?\?(?:.*&)?vi?=|(?:embed|v|vi|user|shorts)\/))([^?&"'>]+)/;
 	}
 
 	isApiLoaded() {

assets/dev/scss/frontend/conditionals/e-swiper.scss

@@ -116,6 +116,14 @@
 			}
 		}
 
+		.elementor-swiper {
+			position: relative;
+		}
+
+		.elementor-main-swiper {
+			position: static;
+		}
+
 		&.elementor-arrows-position- {
 
 			&outside {

changelog.txt

@@ -1,5 +1,13 @@
 == Changelog ==
 
+= 3.25.11 - 2024-12-10 =
+
+* Tweak: Updated `eicons` library to v5.34.0
+* Security Fix: Improved code security enforcement in Image widget
+* Security Fix: Improved code security enforcement in Connect process
+* Security Fix: Improved code security enforcement in Progress bar widget
+* Fix: YouTube video in lightbox is not presented as expected in Video widget ([#29241](https://github.com/elementor/elementor/issues/29241))
+
 = 3.25.10 - 2024-11-24 =
 
 * Security Fix: Improved code security enforcement in Typography control

core/common/modules/connect/admin.php

@@ -29,6 +29,12 @@ public function register_admin_menu( Admin_Menu_Manager $admin_menu ) {
 	 * @access public
 	 */
 	public function on_load_page() {
+		if ( ! $this->user_has_enough_permissions() ) {
+			wp_die( 'You do not have sufficient permissions to access this page.', 'You do not have sufficient permissions to access this page.', [
+				'back_link' => true,
+			] );
+		}
+
 		if ( isset( $_GET['action'], $_GET['app'] ) ) {
 			$manager = Plugin::$instance->common->get_component( 'connect' );
 
@@ -59,6 +65,18 @@ public function on_load_page() {
 		}
 	}
 
+	private function user_has_enough_permissions() {
+		if ( current_user_can( 'manage_options' ) ) {
+			return true;
+		}
+
+		if ( 'library' === Utils::get_super_global_value( $_GET, 'app' ) ) {
+			return current_user_can( 'edit_posts' );
+		}
+
+		return false;
+	}
+
 	/**
 	 * @since 2.3.0
 	 * @access public

includes/embed.php

@@ -28,7 +28,7 @@ class Embed {
 	 * @var array Provider URL structure regex.
 	 */
 	private static $provider_match_masks = [
-		'youtube' => '/^.*(?:youtu\.be\/|youtube(?:-nocookie)?\.com\/(?:(?:watch)?\?(?:.*&)?vi?=|(?:embed|v|vi|user)\/))([^\?&\"\'>]+)/',
+		'youtube' => '/^.*(?:youtu\.be\/|youtube(?:-nocookie)?\.com\/(?:(?:watch)?\?(?:.*&)?vi?=|(?:embed|v|vi|user|shorts)\/))([^\?&\"\'>]+)/',
 		'vimeo' => '/^.*vimeo\.com\/(?:[a-z]*\/)*([‌​0-9]{6,11})[?]?.*/',
 		'dailymotion' => '/^.*dailymotion.com\/(?:video|hub)\/([^_]+)[^#]*(#video=([^_&]+))?/',
 		'videopress' => [

includes/managers/image.php

@@ -29,7 +29,7 @@ class Images_Manager {
 	 * @access public
 	 */
 	public function get_images_details() {
-		if ( ! current_user_can( Editor::EDITING_CAPABILITY ) ) {
+		if ( ! current_user_can( 'publish_posts' ) ) {
 			wp_send_json_error( 'Permission denied' );
 		}
 

includes/widgets/progress.php

@@ -423,13 +423,13 @@ protected function render() {
 
 		if ( ! Utils::is_empty( $settings['title'] ) ) { ?>
 			<<?php Utils::print_validated_html_tag( $settings['title_tag'] ); ?> <?php $this->print_render_attribute_string( 'title' ); ?>>
-				<?php $this->print_unescaped_setting( 'title' ); ?>
+				<?php echo wp_kses_post( $settings['title'] ); ?>
 			</<?php Utils::print_validated_html_tag( $settings['title_tag'] ); ?>>
 		<?php } ?>
 
 		<div <?php $this->print_render_attribute_string( 'wrapper' ); ?>>
 			<div <?php $this->print_render_attribute_string( 'progress-bar' ); ?>>
-				<span <?php $this->print_render_attribute_string( 'inner_text' ); ?>><?php $this->print_unescaped_setting( 'inner_text' ); ?></span>
+				<span <?php $this->print_render_attribute_string( 'inner_text' ); ?>><?php echo wp_kses_post( $settings['inner_text'] ); ?></span>
 				<?php if ( 'show' === $settings['display_percentage'] ) { ?>
 					<span class="elementor-progress-percentage"><?php echo $progress_percentage; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>%</span>
 				<?php } ?>
@@ -495,11 +495,11 @@ protected function content_template() {
 		view.addInlineEditingAttributes( 'inner_text' );
 		#>
 		<# if ( settings.title ) { #>
-			<{{ title_tag }} {{{ view.getRenderAttributeString( 'title' ) }}}>{{{ settings.title }}}</{{ title_tag }}>
+			<{{ title_tag }} {{{ view.getRenderAttributeString( 'title' ) }}}>{{ settings.title }}</{{ title_tag }}>
 		<# } #>
 		<div {{{ view.getRenderAttributeString( 'progressWrapper' ) }}}>
 			<div class="elementor-progress-bar" data-max="{{ progress_percentage }}">
-				<span {{{ view.getRenderAttributeString( 'inner_text' ) }}}>{{{ settings.inner_text }}}</span>
+				<span {{{ view.getRenderAttributeString( 'inner_text' ) }}}>{{ settings.inner_text }}</span>
 				<# if ( 'show' === settings.display_percentage ) { #>
 					<span class="elementor-progress-percentage">{{{ progress_percentage }}}%</span>
 				<# } #>

modules/ai/module.php

@@ -348,13 +348,6 @@ public function get_product_images_ajax() {
 			];
 		}
 
-		$supported_post_types = get_option( 'elementor_cpt_support', [] );
-		$new_post_type = 'product';
-		if ( ! in_array( $new_post_type, $supported_post_types, true ) ) {
-			$supported_post_types[] = $new_post_type;
-			update_option( 'elementor_cpt_support', $supported_post_types );
-		}
-
 		wp_send_json_success( [ 'product_images' => array_slice( $image_ids, 0, 10 ) ] );
 
 		wp_die();

modules/editor-events/module.php

@@ -53,6 +53,7 @@ private function register_experiment() {
 			'title' => esc_html__( 'Elementor Editor Events', 'elementor' ),
 			'description' => esc_html__( 'Editor events processing', 'elementor' ),
 			'hidden' => true,
+			'release_status' => Experiments_Manager::RELEASE_STATUS_ALPHA,
 			'default' => Experiments_Manager::STATE_INACTIVE,
 		] );
 	}

modules/home/module.php

@@ -92,6 +92,7 @@ private function register_layout_experiment(): void {
 			'title' => esc_html__( 'Elementor Home Screen', 'elementor' ),
 			'description' => esc_html__( 'Default Elementor menu page.', 'elementor' ),
 			'hidden' => true,
+			'release_status' => Experiments_Manager::RELEASE_STATUS_STABLE,
 			'default' => Experiments_Manager::STATE_ACTIVE,
 		] );
 	}

readme.txt

@@ -346,6 +346,14 @@ You can also add a new language via [translate.wordpress.org](https://go.element
 
 == Changelog ==
 
+= 3.25.11 - 2024-12-10 =
+
+* Tweak: Updated `eicons` library to v5.34.0
+* Security Fix: Improved code security enforcement in Image widget
+* Security Fix: Improved code security enforcement in Connect process
+* Security Fix: Improved code security enforcement in Progress bar widget
+* Fix: YouTube video in lightbox is not presented as expected in Video widget ([#29241](https://github.com/elementor/elementor/issues/29241))
+
 = 3.25.10 - 2024-11-24 =
 
 * Security Fix: Improved code security enforcement in Typography control

tests/phpunit/elementor/core/common/modules/connect/apps/test-common-app.php

@@ -529,4 +529,39 @@ private function get_connected_user() {
 
 		return $user;
 	}
+
+	public function test_get_remote_authorize_url_with_plg_data() {
+		// Arrange
+		$_GET['utm_source'] = 'test-source';
+		$_GET['utm_medium'] = 'test-medium';
+		$_GET['utm_campaign'] = 'test-campaign';
+		$_GET['utm_not_allowed_param'] = 'test-test';
+
+		$utm_campaign = [
+			'source' => 'transient-source',
+			'medium' => 'transient-medium',
+			'campaign' => 'transient-campaign',
+		];
+
+		set_transient( 'elementor_core_campaign', $utm_campaign );
+
+		// Act
+		$url = $this->app_stub->proxy_get_remote_authorize_url();
+
+		// Assert
+		$parsed_url = parse_url( $url );
+		$parsed_query_params = [];
+		parse_str( $parsed_url['query'], $parsed_query_params );
+
+		$this->assertEquals( 'my.elementor.com', $parsed_url['host'] );
+		$this->assertEquals( '/connect/v1/mock-app', $parsed_url['path'] );
+		$this->assertEquals( 'authorize', $parsed_query_params['action'] );
+		$this->assertEquals( 'transient-source', $parsed_query_params['utm_source'] );
+		$this->assertEquals( 'transient-medium', $parsed_query_params['utm_medium'] );
+		$this->assertEquals( 'transient-campaign', $parsed_query_params['utm_campaign'] );
+
+		$this->assertArrayNotHasKey( 'utm_not_allowed_param', $parsed_query_params );
+		$this->assertArrayNotHasKey( 'utm_term', $parsed_query_params );
+		$this->assertArrayNotHasKey( 'utm_content', $parsed_query_params );
+	}
 }

tests/playwright/sanity/context-menu.test.ts

@@ -3,7 +3,6 @@ import { parallelTest as test } from '../parallelTest';
 import WpAdminPage from '../pages/wp-admin-page';
 import EditorPage from '../pages/editor-page';
 import ContextMenu from '../pages/widgets/context-menu';
-import Style from '../pages/elementor-panel-tabs/style';
 
 test.describe( 'Context menu', () => {
 	test( 'Edit widget test', async ( { page, apiRequests }, testInfo ) => {
@@ -44,12 +43,12 @@ test.describe( 'Context menu', () => {
 		const editor = new EditorPage( page, testInfo );
 		const wpAdmin = new WpAdminPage( page, testInfo, apiRequests );
 		const contextMenu = new ContextMenu( page, testInfo );
-		const styleTab = new Style( page, testInfo );
 		const headingSelector = '.elementor-heading-title';
 
 		await wpAdmin.openNewPage();
 		await editor.addWidget( 'heading' );
-		await styleTab.setColorPicker( 'heading', '#E46E6E' );
+		await editor.openPanelTab( 'style' );
+		await editor.setColorControlValue( 'title_color', '#E46E6E' );
 		await expect( editor.getPreviewFrame().locator( headingSelector ) ).toHaveCSS( 'color', 'rgb(228, 110, 110)' );
 		await contextMenu.selectWidgetContextMenuItem( 'heading', 'Reset style' );
 		await expect( editor.getPreviewFrame().locator( headingSelector ) ).toHaveCSS( 'color', 'rgb(110, 193, 228)' );