From 58171cf8ca51bbf0194fe9f6b0f9071a1624e38e Mon Sep 17 00:00:00 2001
From: tbradsha <32492176+tbradsha@users.noreply.github.com>
Date: Mon, 4 May 2026 13:17:59 -0600
Subject: [PATCH 01/10] Escape CRM strings
---
 .../plugins/crm/admin/company/view.page.php | 7 ++---
 .../plugins/crm/admin/contact/view.page.php | 6 ++--
 .../plugins/crm/includes/ZeroBSCRM.Delete.php | 20 ++++++-------
 .../plugins/crm/includes/ZeroBSCRM.Edit.php | 28 +++++++++----------
 .../ZeroBSCRM.MetaBoxes3.Companies.php | 10 +++---
 .../ZeroBSCRM.MetaBoxes3.Invoices.php | 20 ++++++-------
 .../includes/ZeroBSCRM.MetaBoxes3.Quotes.php | 12 ++++----
 .../crm/includes/ZeroBSCRM.TagManager.php | 19 ++++++-------
 .../plugins/crm/js/ZeroBSCRM.admin.email.js | 1 -
 .../crm/js/ZeroBSCRM.admin.tags.metabox.js | 1 -
 10 files changed, 60 insertions(+), 64 deletions(-)
diff --git a/projects/plugins/crm/admin/company/view.page.php b/projects/plugins/crm/admin/company/view.page.php
index e42a9e378dd9..a50acea3ba95 100644
--- a/projects/plugins/crm/admin/company/view.page.php
+++ b/projects/plugins/crm/admin/company/view.page.php
@@ -939,14 +939,13 @@ function jpcrm_render_company_view_page( $id = -1 ) {
diff --git a/projects/plugins/crm/admin/contact/view.page.php b/projects/plugins/crm/admin/contact/view.page.php
index 16a1ea5069fc..e34ef67d6d53 100644
--- a/projects/plugins/crm/admin/contact/view.page.php
+++ b/projects/plugins/crm/admin/contact/view.page.php
@@ -1365,14 +1365,14 @@ function jpcrm_render_contact_view_page( $id = -1 ) { objID ); ?>, - objdbname: 'objType ); ?>', - nonce: 'objType ) ); ?>' + objid: objID; ?>, + objdbname: objType, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ?>, + nonce: objType ), JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ?> }; var zbsDrawEditViewBlocker = false; var zbsDrawEditAJAXBlocker = false; - var zbsObjectViewLinkPrefixCustomer = ''; - var zbsObjectEditLinkPrefixCustomer = ''; - var zbsObjectViewLinkPrefixCompany = ''; - var zbsListViewLink = 'listViewSlug ); ?>'; + var zbsObjectViewLinkPrefixCustomer = ; + var zbsObjectEditLinkPrefixCustomer = ; + var zbsObjectViewLinkPrefixCompany = ; + var zbsListViewLink = listViewSlug ), JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ?>; - var zbsClick2CallType = parseInt(''); + var zbsClick2CallType = ; var zbsEditViewLangLabels = { - 'today': '', - 'view': '', - 'contact': '', - 'company': '', + 'today': , + 'view': , + 'contact': , + 'company': , - + ', - 'unabletodelete': '' + 'error': , + 'unabletodelete': }; jQuery(function(){ @@ -767,9 +767,9 @@ public function html( $company, $metabox ) { // postbag! var data = { 'action': 'delFile', - 'zbsfType': 'objType ); ?>', + 'zbsfType': objType, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ?>, 'zbsDel': delUrl, // could be csv, never used though - 'zbsCID': , + 'zbsCID': , 'sec': window.zbscrmjs_secToken }; diff --git a/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Invoices.php b/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Invoices.php index 81fdb3608c5b..753f2541a78d 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Invoices.php +++ b/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Invoices.php 
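Review bot: The flag set `JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP` is repeated verbatim on every `wp_json_encode()` call in this hunk (`objdbname`, `nonce`, `zbsListViewLink`, `zbsfType`) and again in the Companies, Invoices, Quotes, TagManager and List.php hunks later in the series, which makes it easy for one call site to drift from the others. A single small wrapper, e.g. `function jpcrm_json_encode_for_js( $value ) { return wp_json_encode( $value, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); }` (name is only a suggestion), would keep the choice in one place and give its docblock somewhere to record the contract: the output is safe inside a `<script>` block because `JSON_HEX_TAG` prevents a closing-tag break-out, but `"` and `'` are not hex-escaped, so the same value must not be placed in an HTML attribute such as an inline event handler without further escaping. Most of the new-side PHP expressions are not legible in this rendering, so this is raised only for the lines where the flag set is visible; the enclosing `jpcrm_render_contact_view_page()` begins before the hunk.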
@@ -112,7 +112,7 @@ public function html( $invoice, $metabox ) { } ?> - + 0 ) { - echo 'var zbsJS_prefillobjtype = ' . esc_js( $prefill_obj ) . ';'; + echo 'var zbsJS_prefillobjtype = ' . (int) $prefill_obj . ';'; } if ( $prefill_id > 0 ) { - echo 'var zbsJS_prefillid = ' . esc_js( $prefill_id ) . ';'; + echo 'var zbsJS_prefillid = ' . (int) $prefill_id . ';'; } - echo 'var zbsJS_prefillemail = \'' . esc_js( $prefill_email ) . '\';'; - echo 'var zbsJS_prefillname = \'' . esc_js( $prefill_name ) . '\';'; + echo 'var zbsJS_prefillemail = ' . wp_json_encode( $prefill_email, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ) . ';'; + echo 'var zbsJS_prefillname = ' . wp_json_encode( $prefill_name, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ) . ';'; // only sendemail if have active template :) echo 'var zbsJS_invEmailActive = ' . ( zeroBSCRM_get_email_status( ZBSEMAIL_EMAILINVOICE ) == 1 ? '1' : '-1' ) . ';'; @@ -537,10 +537,10 @@ public function html( $invoice, $metabox ) { var zbsInvoicesCurrentlyDeleting = false; var zbsMetaboxFilesLang = { - 'err': '', - 'unabletodel' : '', - 'viewcontact' : '', - 'viewcompany' : '', + 'err': , + 'unabletodel' : , + 'viewcontact' : , + 'viewcompany' : , } jQuery(function(){ @@ -564,7 +564,7 @@ public function html( $invoice, $metabox ) { 'action': 'delFile', 'zbsfType': 'invoices', 'zbsDel': delUrl, // could be csv, never used though - 'zbsCID': , + 'zbsCID': , 'sec': window.zbscrmjs_secToken }; diff --git a/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Quotes.php b/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Quotes.php index 800bcddffa24..cc9e92545395 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Quotes.php +++ b/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Quotes.php @@ -122,7 +122,7 @@ public function html( $quote, $metabox ) { // Debug echo 'Quote:
'.print_r($quote,1).'
'; ?> - + ' + contactID + '"> '; + var navButton = ' ' + + ''; jQuery('#zbs-quote-learn-nav').append(navButton); // bind @@ -831,7 +831,7 @@ public function html( $quote, $metabox ) {
var zbscrmjs_secToken = \'' . esc_js( wp_create_nonce( 'zbscrmjs-ajax-nonce' ) ) . '\';'; + echo ''; ?> @@ -1047,8 +1047,8 @@ public function html( $quote, $metabox ) { var zbsQuotesCurrentlyDeleting = false; var zbsMetaboxFilesLang = { - 'err': '', - 'unabletodel' : '', + 'err': , + 'unabletodel' : , } @@ -1073,7 +1073,7 @@ public function html( $quote, $metabox ) { 'action': 'delFile', 'zbsfType': 'quotes', 'zbsDel': delUrl, // could be csv, never used though - 'zbsCID': , + 'zbsCID': , 'sec': window.zbscrmjs_secToken }; diff --git a/projects/plugins/crm/includes/ZeroBSCRM.TagManager.php b/projects/plugins/crm/includes/ZeroBSCRM.TagManager.php index eb3978d9f769..86594a9c30de 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.TagManager.php +++ b/projects/plugins/crm/includes/ZeroBSCRM.TagManager.php @@ -298,20 +298,19 @@ public function drawTagView() { // General options for listview var zbsEditSettings = { - objID; ?>,*/ ?> - objdbname: 'objType ); ?>' + objdbname: objType, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ?> }; var zbsDrawEditViewBlocker = false; var zbsDrawEditAJAXBlocker = false; - var zbsObjectViewLinkPrefixCustomer = ''; - var zbsObjectEditLinkPrefixCustomer = ''; - var zbsObjectViewLinkPrefixCompany = ''; - var zbsListViewLink = 'listViewSlug ); ?>'; - var zbsClick2CallType = parseInt(''); + var zbsObjectViewLinkPrefixCustomer = ; + var zbsObjectEditLinkPrefixCustomer = ; + var zbsObjectViewLinkPrefixCompany = ; + var zbsListViewLink = listViewSlug ), JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ?>; + var zbsClick2CallType = ; var zbsEditViewLangLabels = { - 'today': '', + 'today': , typeInt; ?>, emid: emailid, sec: window.zbs_root.zbsnonce, }; diff --git a/projects/plugins/crm/js/ZeroBSCRM.admin.tags.metabox.js b/projects/plugins/crm/js/ZeroBSCRM.admin.tags.metabox.js index 35e9e7a479c5..785b46b90ed6 100644 --- a/projects/plugins/crm/js/ZeroBSCRM.admin.tags.metabox.js 
+++ b/projects/plugins/crm/js/ZeroBSCRM.admin.tags.metabox.js @@ -344,7 +344,6 @@ function zeroBSCRMJS_tagManager_bindTagEditButtons() { const data = { action: 'zbs_delete_tag', - // don't need, is unique id 'objtype': typeInt; ?>, tagid: lTagID, sec: window.zbscrmjs_secToken, }; From 857540ade2009ee53d1517c9eac91b5a5aff8787 Mon Sep 17 00:00:00 2001 From: tbradsha <32492176+tbradsha@users.noreply.github.com> Date: Mon, 4 May 2026 13:21:12 -0600 Subject: [PATCH 02/10] Add changelog --- .../plugins/crm/changelog/fix-crm-escape_strings_properly | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 projects/plugins/crm/changelog/fix-crm-escape_strings_properly diff --git a/projects/plugins/crm/changelog/fix-crm-escape_strings_properly b/projects/plugins/crm/changelog/fix-crm-escape_strings_properly new file mode 100644 index 000000000000..d382f08121ec --- /dev/null +++ b/projects/plugins/crm/changelog/fix-crm-escape_strings_properly @@ -0,0 +1,4 @@ +Significance: patch +Type: fixed + +Use proper escaping functions on strings. From 0e81d8b4a1f4876c87553c81a4fbceeb108667c1 Mon Sep 17 00:00:00 2001 
From: tbradsha <32492176+tbradsha@users.noreply.github.com> Date: Mon, 4 May 2026 13:32:37 -0600 Subject: [PATCH 03/10] More esc_js replacements --- .../plugins/crm/includes/ZeroBSCRM.Core.Menus.Top.php | 2 +- projects/plugins/crm/includes/ZeroBSCRM.List.php | 2 +- .../crm/includes/ZeroBSCRM.MetaBoxes3.Contacts.php | 2 +- .../plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Forms.php | 2 +- .../plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Logs.php | 2 +- .../crm/includes/ZeroBSCRM.MetaBoxes3.QuoteTemplates.php | 2 +- .../crm/includes/ZeroBSCRM.MetaBoxes3.TagManager.php | 2 +- .../plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Tasks.php | 2 +- .../crm/includes/ZeroBSCRM.MetaBoxes3.Transactions.php | 2 +- .../crm/modules/mailpoet/admin/mailpoet-hub/main.page.php | 4 ++-- .../portal/endpoints/class-single-quote-endpoint.php | 8 ++++---- .../crm/modules/woo-sync/admin/woo-sync-hub/main.page.php | 4 ++-- 12 files changed, 17 insertions(+), 17 deletions(-) diff --git a/projects/plugins/crm/includes/ZeroBSCRM.Core.Menus.Top.php b/projects/plugins/crm/includes/ZeroBSCRM.Core.Menus.Top.php index 2a6c45fec3c0..1501bd73e832 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.Core.Menus.Top.php +++ b/projects/plugins/crm/includes/ZeroBSCRM.Core.Menus.Top.php @@ -158,7 +158,7 @@ function zeroBSCRM_admin_top_menu( $branding = 'zero-bs-crm', $page = 'dash' ) { // } AJAX nonce, rest is dealt with in the admin global js :) ?> - + extraJS ) && ! empty( $this->extraJS ) ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase diff --git a/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Contacts.php b/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Contacts.php index 50520704cd9b..9662dbefadbd 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Contacts.php +++ b/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Contacts.php @@ -203,7 +203,7 @@ public function html( $contact, $metabox ) { // phpcs:ignore VariableAnalysis.Co } ?> - + - + - +
diff --git a/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.QuoteTemplates.php b/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.QuoteTemplates.php index fe3c6246a169..4f2ef893617f 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.QuoteTemplates.php +++ b/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.QuoteTemplates.php @@ -82,7 +82,7 @@ public function html( $quote_template, $metabox ) { // phpcs:ignore VariableAnal $quote_template_content = $quote_template['content']; } ?> - + var zbsTagListLang = { diff --git a/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Tasks.php b/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Tasks.php index 3e974b0d95c1..fa4795404553 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Tasks.php +++ b/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.Tasks.php @@ -98,7 +98,7 @@ public function html( $task, $metabox ) { // PerfTest: zeroBSCRM_performanceTest_finishTimer('custmetabox-dataget'); // PerfTest: zeroBSCRM_performanceTest_startTimer('custmetabox-draw'); ?> - + - + @@ -158,7 +158,7 @@ function jpcrm_mailpoet_render_hub_page() {
diff --git a/projects/plugins/crm/modules/portal/endpoints/class-single-quote-endpoint.php b/projects/plugins/crm/modules/portal/endpoints/class-single-quote-endpoint.php index d1f558495398..e5e6dc814fe9 100644 --- a/projects/plugins/crm/modules/portal/endpoints/class-single-quote-endpoint.php +++ b/projects/plugins/crm/modules/portal/endpoints/class-single-quote-endpoint.php @@ -106,10 +106,10 @@ function single_quote_html_output( $quote_id = -1, $quote_hash = '' ) {
@@ -294,7 +294,7 @@ function jpcrm_woosync_render_hub_page() {
From 3f8b2d110b94e4bc175827e6129dd0373c0cee7e Mon Sep 17 00:00:00 2001 From: tbradsha <32492176+tbradsha@users.noreply.github.com> Date: Mon, 4 May 2026 14:30:58 -0600 Subject: [PATCH 04/10] Escape key as well --- projects/plugins/crm/includes/ZeroBSCRM.Delete.php | 2 +- projects/plugins/crm/includes/ZeroBSCRM.Edit.php | 2 +- projects/plugins/crm/includes/ZeroBSCRM.TagManager.php | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/projects/plugins/crm/includes/ZeroBSCRM.Delete.php b/projects/plugins/crm/includes/ZeroBSCRM.Delete.php index e31ed59e81c5..df23297e00f9 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.Delete.php +++ b/projects/plugins/crm/includes/ZeroBSCRM.Delete.php @@ -515,7 +515,7 @@ public function drawView() { echo ','; } - echo esc_html( $labelK ) . ':' . wp_json_encode( $labelV, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); + echo wp_json_encode( $labelK, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ) . ':' . wp_json_encode( $labelV, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ++$labelCount; diff --git a/projects/plugins/crm/includes/ZeroBSCRM.Edit.php b/projects/plugins/crm/includes/ZeroBSCRM.Edit.php index 52ea519ac8c7..a721fda0b869 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.Edit.php +++ b/projects/plugins/crm/includes/ZeroBSCRM.Edit.php @@ -427,7 +427,7 @@ public function drawEditViewHTML() { echo ','; } - echo esc_html( $labelK ) . ':' . wp_json_encode( $labelV, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); + echo wp_json_encode( $labelK, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ) . ':' . wp_json_encode( $labelV, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ++$labelCount; diff --git a/projects/plugins/crm/includes/ZeroBSCRM.TagManager.php b/projects/plugins/crm/includes/ZeroBSCRM.TagManager.php index 86594a9c30de..146956d17c12 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.TagManager.php 
+++ b/projects/plugins/crm/includes/ZeroBSCRM.TagManager.php @@ -321,7 +321,7 @@ public function drawTagView() { echo ','; } - echo esc_html( $labelK ) . ':' . wp_json_encode( $labelV, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); + echo wp_json_encode( $labelK, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ) . ':' . wp_json_encode( $labelV, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ++$labelCount; From 912406d6fa2db03dc04797c11b5dfb4ae4ae7e0b Mon Sep 17 00:00:00 2001 From: tbradsha <32492176+tbradsha@users.noreply.github.com> Date: Mon, 4 May 2026 14:59:24 -0600 Subject: [PATCH 05/10] Simplify output --- projects/plugins/crm/includes/ZeroBSCRM.Delete.php | 9 +++------ projects/plugins/crm/includes/ZeroBSCRM.Edit.php | 9 +++------ projects/plugins/crm/includes/ZeroBSCRM.List.php | 3 +-- .../crm/includes/ZeroBSCRM.MetaBoxes3.TagManager.php | 5 +---- projects/plugins/crm/includes/ZeroBSCRM.TagManager.php | 8 +++----- 5 files changed, 11 insertions(+), 23 deletions(-) diff --git a/projects/plugins/crm/includes/ZeroBSCRM.Delete.php b/projects/plugins/crm/includes/ZeroBSCRM.Delete.php index df23297e00f9..aa4bf8def4fc 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.Delete.php +++ b/projects/plugins/crm/includes/ZeroBSCRM.Delete.php @@ -524,11 +524,8 @@ public function drawView() { ?> }; - - - ; + + }; - - - ; + + }; + var zbscrmjs_secToken = ; extraJS ) && ! empty( $this->extraJS ) ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase diff --git a/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.TagManager.php b/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.TagManager.php index 9621c373e04f..d5a534526d31 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.TagManager.php +++ b/projects/plugins/crm/includes/ZeroBSCRM.MetaBoxes3.TagManager.php 
@@ -202,10 +202,7 @@ public function html( $contact, $metabox ) { ?> + + var zbscrmjs_secToken = ; + Date: Mon, 4 May 2026 17:32:10 -0600 Subject: [PATCH 06/10] Process arrays in PHP and escape with wp_json_encode() --- .../crm/admin/settings/custom-fields.page.php | 59 ++++++++-------- .../plugins/crm/admin/settings/tax.page.php | 15 +++-- .../plugins/crm/includes/ZeroBSCRM.Delete.php | 30 ++------- .../crm/includes/ZeroBSCRM.Edit.Segment.php | 48 ++++++------- .../plugins/crm/includes/ZeroBSCRM.Edit.php | 50 +++++--------- .../plugins/crm/includes/ZeroBSCRM.List.php | 67 ++++++++----------- .../ZeroBSCRM.MetaBoxes3.Companies.php | 11 +-- .../ZeroBSCRM.MetaBoxes3.Contacts.php | 15 ++--- .../ZeroBSCRM.MetaBoxes3.Invoices.php | 15 +++-- .../includes/ZeroBSCRM.MetaBoxes3.Quotes.php | 12 ++-- .../ZeroBSCRM.MetaBoxes3.TagManager.php | 29 ++++---- .../ZeroBSCRM.MetaBoxes3.Transactions.php | 32 ++++----- .../crm/includes/ZeroBSCRM.TagManager.php | 59 ++++++---------- .../endpoints/class-single-quote-endpoint.php | 15 +++-- 14 files changed, 201 insertions(+), 256 deletions(-) diff --git a/projects/plugins/crm/admin/settings/custom-fields.page.php b/projects/plugins/crm/admin/settings/custom-fields.page.php index 57453ba05012..827d97b9bca3 100644 --- a/projects/plugins/crm/admin/settings/custom-fields.page.php +++ b/projects/plugins/crm/admin/settings/custom-fields.page.php 
@@ -461,6 +461,32 @@ function ( $field_name ) use ( $sort_field_names, $custom_type ) { + __( 'Custom Field', 'zero-bs-crm' ), + 'remove' => __( 'Remove', 'zero-bs-crm' ), + 'tel' => __( 'Telephone', 'zero-bs-crm' ), + 'numbdec' => __( 'Numeric (Decimals)', 'zero-bs-crm' ), + 'numb' => __( 'Numeric', 'zero-bs-crm' ), + 'placeholder' => __( 'Placeholder', 'zero-bs-crm' ), + 'csvopt' => __( "CSV of Options (e.g. 'a,b,c')", 'zero-bs-crm' ), + 'fieldname' => __( 'Field Name', 'zero-bs-crm' ), + 'fieldplacehold' => __( 'Field Placeholder Text', 'zero-bs-crm' ), + 'fileboxname' => __( 'File Box Name', 'zero-bs-crm' ), + 'password' => __( 'Password', 'zero-bs-crm' ), + 'encryptedtext' => __( 'Encrypted Text', 'zero-bs-crm' ), + 'radiobuttons' => __( 'Radio Buttons', 'zero-bs-crm' ), + 'prefix' => __( 'Prefix', 'zero-bs-crm' ), + 'nextnumber' => __( 'Next Number', 'zero-bs-crm' ), + 'suffix' => __( 'Suffix', 'zero-bs-crm' ), + 'prefixe' => __( '(e.g. ABC-)', 'zero-bs-crm' ), + 'nextnumbere' => __( '(e.g. 1)', 'zero-bs-crm' ), + 'suffixe' => __( '(e.g. -FINI)', 'zero-bs-crm' ), + 'fieldtype' => __( 'Field Type:', 'zero-bs-crm' ), + 'autonumberformat' => __( 'Autonumber Format', 'zero-bs-crm' ), + 'autonumberguide' => __( 'Autonumber Guide', 'zero-bs-crm' ), + ); + ?> diff --git a/projects/plugins/crm/admin/settings/tax.page.php b/projects/plugins/crm/admin/settings/tax.page.php index 3b2de5082275..aad56d2f9e85 100644 --- a/projects/plugins/crm/admin/settings/tax.page.php +++ b/projects/plugins/crm/admin/settings/tax.page.php 
@@ -217,16 +217,17 @@ + __( 'Tax Rate Name', 'zero-bs-crm' ), + 'defaultTaxPerc' => __( 'Tax Rate %', 'zero-bs-crm' ), + 'percSymbol' => __( '%', 'zero-bs-crm' ), + ); + ?> + __( 'General Error', 'zero-bs-crm' ), + 'generalerror' => __( 'There was a general error.', 'zero-bs-crm' ), + 'currentlyInSegment' => __( 'Contacts currently match these conditions.', 'zero-bs-crm' ), + 'previewTitle' => __( 'Contacts Preview (randomised)', 'zero-bs-crm' ), + 'noName' => __( 'Unnamed Contact', 'zero-bs-crm' ), + 'noEmail' => __( 'No Email', 'zero-bs-crm' ), + 'notags' => __( 'No Tags Found', 'zero-bs-crm' ), + 'nostatuses' => __( 'No Statuses Found', 'zero-bs-crm' ), + 'noextsources' => __( 'No External Sources Found', 'zero-bs-crm' ), + 'no_mailpoet_statuses' => __( 'No MailPoet Statuses Found', 'zero-bs-crm' ), + 'nosegmentid' => __( 'No Segment ID Found.', 'zero-bs-crm' ), + 'to' => __( 'to', 'zero-bs-crm' ), + 'eg' => __( 'e.g.', 'zero-bs-crm' ), + 'saveSegment' => __( 'Save Segment', 'zero-bs-crm' ) . ' ', + 'savedSegment' => __( 'Segment Saved', 'zero-bs-crm' ) . ' ', + 'contactfields' => '=== ' . __( 'Contact Fields', 'zero-bs-crm' ) . 
' ===', + 'default_description' => __( 'Condition which selects contacts based on given value', 'zero-bs-crm' ), + ); + ?> postType ) { + case 'zerobs_customer': + $zbs_list_view_obj_name = __( 'Contact', 'zero-bs-crm' ); + break; + case 'zerobs_company': + $zbs_list_view_obj_name = jpcrm_label_company(); + break; + case 'zerobs_quote': + $zbs_list_view_obj_name = __( 'Quote', 'zero-bs-crm' ); + break; + case 'zerobs_invoice': + $zbs_list_view_obj_name = __( 'Invoice', 'zero-bs-crm' ); + break; + case 'zerobs_transaction': + $zbs_list_view_obj_name = __( 'Transaction', 'zero-bs-crm' ); + break; + case 'zerobs_form': + $zbs_list_view_obj_name = __( 'Form', 'zero-bs-crm' ); + break; + case 'zerobs_quotetemplate': + $zbs_list_view_obj_name = __( 'Quote Template', 'zero-bs-crm' ); + break; + default: + $zbs_list_view_obj_name = __( 'Item', 'zero-bs-crm' ); + break; + } + ?> // General options for listview 
@@ -568,46 +595,8 @@ public function drawListView() { var zbsListViewLink = 'postPage ) ); /* phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase */ ?>'; var zbsExportPostURL = 'slugs['export-tools'] ) ); ?>'; var zbsTagSkipLinkPrefix = zbsListViewLink + '&zbs_tag='; - var zbsListViewObjName = 'postType ) { - - case 'zerobs_customer': - zeroBSCRM_slashOut( __( 'Contact', 'zero-bs-crm' ) ); - break; - - case 'zerobs_company': - zeroBSCRM_slashOut( jpcrm_label_company() ); - break; - - case 'zerobs_quote': - zeroBSCRM_slashOut( __( 'Quote', 'zero-bs-crm' ) ); - break; - - case 'zerobs_invoice': - zeroBSCRM_slashOut( __( 'Invoice', 'zero-bs-crm' ) ); - break; - - case 'zerobs_transaction': - zeroBSCRM_slashOut( __( 'Transaction', 'zero-bs-crm' ) ); - break; - - case 'zerobs_form': - zeroBSCRM_slashOut( __( 'Form', 'zero-bs-crm' ) ); - break; - - case 'zerobs_quotetemplate': - zeroBSCRM_slashOut( __( 'Quote Template', 'zero-bs-crm' ) ); - break; - - default: - zeroBSCRM_slashOut( __( 'Item', 'zero-bs-crm' ) ); - break; - - } - - ?>'; var zbsClick2CallType = parseInt(''); + var zbsListViewObjName = ; __( 'Error', 'zero-bs-crm' ), + 'unabletodelete' => __( 'Unable to delete this file.', 'zero-bs-crm' ), + ); + ?>
+ __( 'No Invoices Found!', 'zero-bs-crm' ), + 'none' => __( 'None', 'zero-bs-crm' ), + 'view' => __( 'View', 'zero-bs-crm' ), + 'contact' => __( 'Contact', 'zero-bs-crm' ), + 'company' => jpcrm_label_company(), + 'selectinv' => __( 'Select Invoice', 'zero-bs-crm' ), + ); + $jpcrm_transactionedit_links = array( + 'editinvprefix' => jpcrm_esc_link( 'edit', -1, 'zerobs_invoice', true ), + 'editcontactprefix' => jpcrm_esc_link( 'edit', -1, 'zerobs_customer', true ), + 'editcompanyprefix' => jpcrm_esc_link( 'edit', -1, 'zerobs_company', true ), + ); + ?> DAL->getTagsForObjType( - array( - - 'objtypeid' => $zbs->DAL->objTypeID( $this->objType ), // ZBS_TYPE_CONTACT in place of 'contact'=>1, 'transaction'=> etc. - 'excludeEmpty' => false, - 'withCount' => false, - 'ignoreowner' => true, - - ) - ); - $tagsArr = array(); if ( is_array( $tags ) && count( $tags ) > 0 ) { + // make simpler + $tags = $zbs->DAL->getTagsForObjType( + array( + + 'objtypeid' => $zbs->DAL->objTypeID( $this->objType ), // ZBS_TYPE_CONTACT in place of 'contact'=>1, 'transaction'=> etc. + 'excludeEmpty' => false, + 'withCount' => false, + 'ignoreowner' => true, + + ) + ); + $tagsArr = array(); if ( is_array( $tags ) && count( $tags ) > 0 ) { foreach ( $tags as $t ) { $tagsArr[] = $t['name']; } - } - $tags = $tagsArr; + } + $tags = $tagsArr; - ?> + $jpcrm_edit_view_lang_labels = array_merge( + array( 'today' => __( 'Today', 'zero-bs-crm' ) ), + is_array( $this->langLabels ) ? $this->langLabels : array(), + ); + ?> // this forces firing of our custom init in admin.tags.metabox.js var zbsCustomTagInitFunc = 'zbsJS_bindTagManagerInit'; 
@@ -308,31 +312,10 @@ public function drawTagView() { var zbsObjectViewLinkPrefixCompany = ; var zbsListViewLink = listViewSlug ), JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ?>; var zbsClick2CallType = ; - var zbsEditViewLangLabels = { - - 'today': , - - langLabels ) && count( $this->langLabels ) > 0 ) { - foreach ( $this->langLabels as $labelK => $labelV ) { - - if ( $labelCount > 0 ) { - echo ','; - } - - echo wp_json_encode( $labelK, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ) . ':' . wp_json_encode( $labelV, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); - - ++$labelCount; - - } - } - ?> - - }; + var zbsEditViewLangLabels = ; var zbscrmjs_secToken = ; -
+ (int) $quote_id, + 'quote_hash' => $quote_hash, + 'proposal_nonce' => wp_create_nonce( 'zbscrmquo-nonce' ), + 'ajax_url' => admin_url( 'admin-ajax.php' ), + ); + ?> Date: Mon, 4 May 2026 17:35:07 -0600 Subject: [PATCH 07/10] More escaping --- .../plugins/crm/includes/ZeroBSCRM.List.php | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/projects/plugins/crm/includes/ZeroBSCRM.List.php b/projects/plugins/crm/includes/ZeroBSCRM.List.php index 659bc0e8b79e..24436766ede3 100644 --- a/projects/plugins/crm/includes/ZeroBSCRM.List.php +++ b/projects/plugins/crm/includes/ZeroBSCRM.List.php 
@@ -571,31 +571,31 @@ public function drawListView() { var zbsDrawListViewColUpdateBlocker = false; var zbsDrawListViewColUpdateAJAXBlocker = false; - var zbsObjectEmailLinkPrefix = ''; - var zbsObjectViewLinkPrefixCustomer = ''; - var zbsObjectViewLinkPrefixCompany = ''; - var zbsObjectViewLinkPrefixQuote = ''; - var zbsObjectViewLinkPrefixInvoice = ''; - var zbsObjectViewLinkPrefixTransaction = ''; - var zbsObjectViewLinkPrefixForm = ''; - var zbsObjectViewLinkPrefixSegment = ''; - var zbsObjectViewLinkPrefixTask = ''; - - var zbsObjectEditLinkPrefixCustomer = ''; - var zbsObjectEditLinkPrefixCompany = ''; - var zbsObjectEditLinkPrefixQuote = ''; - var zbsObjectEditLinkPrefixQuoteTemplate = ''; - var zbsObjectEditLinkPrefixInvoice = ''; - var zbsObjectEditLinkPrefixTransaction = ''; - var zbsObjectEditLinkPrefixForm = ''; - var zbsObjectEditLinkPrefixSegment = ''; - - var jpcrm_segment_export_url_prefix = 'slugs['export-tools'] . '&segment-id=' ); ?>'; - - var zbsListViewLink = 'postPage ) ); /* phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase */ ?>'; - var zbsExportPostURL = 'slugs['export-tools'] ) ); ?>'; - var zbsTagSkipLinkPrefix = zbsListViewLink + '&zbs_tag='; - var zbsClick2CallType = parseInt(''); + var zbsObjectEmailLinkPrefix = ; /* this assumes is contact for now, just sends to prefill - perhaps later add mailto: optional (wh wants lol) */ + var zbsObjectViewLinkPrefixCustomer = ; + var zbsObjectViewLinkPrefixCompany = ; + var zbsObjectViewLinkPrefixQuote = ; + var zbsObjectViewLinkPrefixInvoice = ; + var zbsObjectViewLinkPrefixTransaction = ; + var zbsObjectViewLinkPrefixForm = ; + var zbsObjectViewLinkPrefixSegment = ; + var zbsObjectViewLinkPrefixTask = ; + + var zbsObjectEditLinkPrefixCustomer = ; + var zbsObjectEditLinkPrefixCompany = ; + var zbsObjectEditLinkPrefixQuote = ; + var zbsObjectEditLinkPrefixQuoteTemplate = ; + var zbsObjectEditLinkPrefixInvoice = ; + var zbsObjectEditLinkPrefixTransaction = ; + var 
zbsObjectEditLinkPrefixForm = ; + var zbsObjectEditLinkPrefixSegment = ; + + var jpcrm_segment_export_url_prefix = slugs['export-tools'] . '&segment-id=' ), JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ?>; + + var zbsListViewLink = postPage ) ), JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); /* phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase */ ?>; + var zbsExportPostURL = slugs['export-tools'] ) ), JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ); ?>; + var zbsTagSkipLinkPrefix = zbsListViewLink + '&zbs_tag='; + var zbsClick2CallType = ; var zbsListViewObjName = ; Date: Mon, 4 May 2026 21:08:45 -0600 Subject: [PATCH 08/10] Fix broken JS vars Newlines added in #46809 broke these. Let's one-line them by moving most logic to separate PHP. --- .../plugins/crm/admin/email/main.page.php | 19 +-- .../crm/admin/settings/field-sorts.page.php | 11 +- .../plugins/crm/includes/ZeroBSCRM.List.php | 129 +++++------------- .../ZeroBSCRM.MetaBoxes3.Contacts.php | 62 +-------- .../includes/ZeroBSCRM.MetaBoxes3.Logs.php | 45 ++---- 5 files changed, 61 insertions(+), 205 deletions(-) diff --git a/projects/plugins/crm/admin/email/main.page.php b/projects/plugins/crm/admin/email/main.page.php index c8d98ad8ac2e..32ca3431a6c0 100644 --- a/projects/plugins/crm/admin/email/main.page.php +++ b/projects/plugins/crm/admin/email/main.page.php 
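Review bot: On the new `zbsListViewLink` and `zbsExportPostURL` lines the value handed to `wp_json_encode()` is wrapped by two further calls whose names are not legible here (`... postPage ) ), JSON_...`), whereas `jpcrm_segment_export_url_prefix` on the same hunk gets only one wrapper. If the extra wrapper is `esc_url()`, that is an HTML-context escaper which rewrites `&` to `&#038;`, so the JS string that later has `'&zbs_tag='` appended would carry HTML entities into a URL; `esc_url_raw()` is the matching function for a non-HTML sink, and `wp_json_encode()` with `JSON_HEX_AMP` already handles the JS-string side. If instead it is a leftover `esc_js()`, its backslash escapes will be JSON-encoded a second time and appear literally in the string. Please make the three URL lines consistent once the inner call is confirmed; the enclosing `drawListView()` begins before the hunk.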
@@ -349,25 +349,10 @@ function jpcrm_render_emailbox() { // ALTHOUGH THIS WORKS // (Loads a sent msg) // It's not currently used, because send message func doesn't return ID, so just loading sent for now - var zbsMailBoxShowSentID = 0 ) { - echo esc_html( $sentID ); - } else { - echo -1; - } - + $jpcrm_mailbox_sent_id = isset( $_GET['sentID'] ) ? (int) $_GET['sentID'] : -1; // phpcs:ignore WordPress.Security.NonceVerification.Recommended ?> - ; + var zbsMailBoxShowSentID = 0 ? (int) $jpcrm_mailbox_sent_id : -1; ?>; // WH put here to catch reload of page with 'sent' id // ... not sure where rest of your JS sits can't find diff --git a/projects/plugins/crm/admin/settings/field-sorts.page.php b/projects/plugins/crm/admin/settings/field-sorts.page.php index 2ddfd1d9a4e5..1eb224102956 100644 --- a/projects/plugins/crm/admin/settings/field-sorts.page.php +++ b/projects/plugins/crm/admin/settings/field-sorts.page.php @@ -323,16 +323,7 @@
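Review bot: The `(int)` cast on the new `var zbsMailBoxShowSentID = ...` line is redundant, since `$jpcrm_mailbox_sent_id` is already an int from the assignment a few lines up, and the `> 0 ? ... : -1` clamp belongs with that assignment rather than inside the template expression. Keeping `$jpcrm_mailbox_sent_id = isset( $_GET['sentID'] ) ? (int) $_GET['sentID'] : -1;` and adding `if ( $jpcrm_mailbox_sent_id <= 0 ) { $jpcrm_mailbox_sent_id = -1; }` leaves the output line as `var zbsMailBoxShowSentID = <?php echo (int) $jpcrm_mailbox_sent_id; ?>;`, a single cast at the output boundary, which is the pattern the rest of this series follows. The phpcs nonce-verification ignore looks reasonable given the surrounding comment says the value only selects which sent message to load, but that is inferred from the context lines; the enclosing `jpcrm_render_emailbox()` begins before the hunk.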