V4.21.0 (#444)

* Update ci.yml.

* Fix tests for running with WP 6.9.

* Fix weird cron bug in tests with WP 6.9.

* Update changelog from readme.txt

* Remove the test line from readme.txt.

* Update changelog from readme.txt

* Bump up the version to 4.21.0.

* [zip] Update create-zip.yml.

* [zip] Update create-zip.yml.

* Test with WC 10.4.

* Fix Fluent Forms after update.

* Update changelog from readme.txt

* Rework JS upon FluentForm Conversational update.

* Fix the inability to send FluentForms Conversational Form.

* Update changelog from readme.txt

* Add anti-spam entry check for FluentForms.
Refactoring to use non-global post data for entries.

* Grammar.

* Fix tests.

* Fix double rendering of the hCaptcha widget on the Elementor Form.

* Fix double rendering of the hCaptcha widget on the Elementor Form.

* Fix menu layout on Playground.

* Fix the racing condition which sometimes led to double rendering of the hCaptcha widget on any forms.

* Fix the racing condition which sometimes led to double rendering of the hCaptcha widget on any forms.

* Fix the racing condition which sometimes led to double rendering of the hCaptcha widget on any forms.

* Fix the racing condition which sometimes led to double rendering of the hCaptcha widget on any forms.

* Fix menu layout on Playground.

* Fix jests in hcaptcha.test.js.

* Fix jests in hcaptcha.test.js.

* Fix jests in app.test.js.

* Fix jests in hcaptcha-elementor-pro.test.js.

* Remove debug statement.

* Update changelog from readme.txt

* [zip] Bump up version to 4.21.0-RC2.

* Add anti-spam entry check for Forminator.

* Restore 100% coverage for Forminator.

* 4.21.0 part2.

* qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion #39

* qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion #39

* Update src/php/Admin/Notifications.php

Co-authored-by: e271828- <[email protected]>

* Update src/php/Admin/NotificationsBase.php

Co-authored-by: e271828- <[email protected]>

* Update src/php/Admin/WhatsNew.php

Co-authored-by: e271828- <[email protected]>

* Update src/php/Admin/WhatsNew.php

Co-authored-by: e271828- <[email protected]>

* Update tests/php/integration/Admin/NotificationsTest.php

Co-authored-by: e271828- <[email protected]>

* Fix phpcs.

* Code style.

* Update readme.txt.

* Fix tests.

* Update readme.txt

* Update readme.txt

---------

Co-authored-by: hCaptcha GHA <[email protected]>
Co-authored-by: e271828- <[email protected]>

Author: 3 people

assets/css/admin-nf.css

@@ -0,0 +1,8 @@
+.hcaptcha-notice-label {
+	font-weight: 600;
+	padding: 8px 0;
+}
+
+.hcaptcha-notice-description {
+	padding: 15px 0;
+}

assets/css/integrations.css

@@ -157,10 +157,15 @@
 
 .hcaptcha-integrations table tr td fieldset {
 	width: 100%;
+	overflow: hidden;
+	min-inline-size: unset;
 }
 
 .hcaptcha-integrations table tr td fieldset label {
 	width: 100%;
+	white-space: nowrap;
+	text-overflow: ellipsis;
+	overflow: hidden;
 }
 
 #hcaptcha-options label + .helper {
@@ -211,10 +216,12 @@
 
 #hcaptcha-options label + .helper i.antispam-honeypot {
 	background-image: url('../images/antispam-honeypot.svg');
+	background-color: #fff;
 }
 
 #hcaptcha-options label + .helper i.antispam-fst {
 	background-image: url('../images/antispam-fst.svg');
+	background-color: #fff;
 	width: 20px;
 	transform: translateY(1px);
 	margin-inline-start: 2px;

assets/css/whats-new.css

@@ -109,7 +109,23 @@
 }
 
 .hcaptcha-whats-new-block {
-	padding: 75px 13%;
+	display: flex;
+	padding: 25px 10%;
+	gap: 25px;
+	align-items: center;
+}
+
+.hcaptcha-whats-new-block.left {
+	flex-direction: row;
+}
+
+.hcaptcha-whats-new-block.right {
+	flex-direction: row-reverse;
+}
+
+.hcaptcha-whats-new-block.center {
+	flex-direction: column;
+	text-align: center;
 }
 
 .hcaptcha-whats-new-block:first-of-type {
@@ -120,8 +136,22 @@
 	background: #f0f2f5;
 }
 
-.hcaptcha-whats-new-block.center {
-	text-align: center;
+.hcaptcha-whats-new-text {
+	/*flex: 0 0 calc(70% - 20px); !* 20px — half of the gap *!*/
+	flex: 7;
+}
+
+.hcaptcha-whats-new-block.center .hcaptcha-whats-new-text {
+	flex: 0 0 100%;
+}
+
+.hcaptcha-whats-new-image {
+	/*flex: 0 0 calc(70% - 20px); !* 20px — half of the gap *!*/
+	flex: 3;
+}
+
+.hcaptcha-whats-new-block.center .hcaptcha-whats-new-image {
+	flex: 0 0 100%;
 }
 
 .hcaptcha-whats-new-badge {
@@ -156,12 +186,18 @@
 	margin: 15px 0;
 }
 
-.hcaptcha-whats-new-button {
-	margin-bottom: 50px;
+.hcaptcha-whats-new-message ul {
+	margin-top: -10px;
+}
+
+.hcaptcha-whats-new-message ul li {
+	list-style: inside;
 }
 
 .hcaptcha-whats-new-image img {
 	max-width: 100%;
+	height: auto;
+	display: block;
 }
 
 @media (max-width: 600px) {

assets/images/ai-abilities.png

@@ -23,16 +23,6 @@ const hcaptchaElementorPro = function() {
 			return window?.parent?.HCaptchaMainObject?.params ?? '';
 		}
 	);
-
-	elementorFrontend.hooks.addAction(
-		'frontend/element_ready/widget',
-		function( $scope ) {
-			if ( $scope[ 0 ].classList.contains( 'elementor-widget-form' ) ) {
-				// Elementor reinserts an element during editing, so we need to bind events again.
-				hCaptchaBindEvents();
-			}
-		}
-	);
 };
 
 window.hCaptchaElementorPro = hcaptchaElementorPro;

assets/js/hcaptcha-elementor-pro.js

@@ -21,6 +21,14 @@ const hCaptchaFluentForm = window.hCaptchaFluentForm || ( function( window, $ )
 		onHCaptchaLoaded() {
 			const formSelector = '.ffc_conv_form';
 
+			// We assume there should be only one conversational form on the page.
+			const form = document.querySelector( formSelector );
+			const hasCaptcha = () => form.querySelector( 'h-captcha' ) !== null;
+
+			if ( hasCaptcha() ) {
+				return;
+			}
+
 			const hasOwnCaptcha = () => {
 				return document.getElementById( 'hcaptcha-container' ) !== null;
 			};
@@ -29,15 +37,13 @@ const hCaptchaFluentForm = window.hCaptchaFluentForm || ( function( window, $ )
 			 * Process conversational form.
 			 */
 			const processForm = () => {
-				// We assume there should be only one conversational form on the page.
-				const form = document.querySelector( formSelector );
 				const submitBtnSelector = '.ff-btn';
 
-				const isSubmitVisible = ( qForm ) => {
-					return qForm.querySelector( submitBtnSelector ) !== null;
-				};
-
 				const addCaptcha = () => {
+					if ( hasCaptcha() ) {
+						return;
+					}
+
 					const hCaptchaHiddenClass = 'h-captcha-hidden';
 					const hCaptchaClass = 'h-captcha';
 					const hiddenCaptcha = document.getElementsByClassName( hCaptchaHiddenClass )[ 0 ];
@@ -63,17 +69,17 @@ const hCaptchaFluentForm = window.hCaptchaFluentForm || ( function( window, $ )
 				const mutationObserverCallback = ( mutationList ) => {
 					for ( const mutation of mutationList ) {
 						if (
-							! (
-								mutation.type === 'attributes' &&
-								mutation.attributeName === 'class' &&
-								mutation.oldValue && mutation.oldValue.includes( 'q-is-inactive' )
-							)
+							mutation.type === 'attributes' &&
+							mutation.attributeName === 'class'
 						) {
-							continue;
-						}
-
-						if ( isSubmitVisible( mutation.target ) ) {
-							addCaptcha();
+							const el = mutation.target;
+
+							if (
+								el.classList.contains( 'vff' ) &&
+								el.classList.contains( 'ffc_last_step' )
+							) {
+								addCaptcha();
+							}
 						}
 					}
 				};
@@ -82,18 +88,14 @@ const hCaptchaFluentForm = window.hCaptchaFluentForm || ( function( window, $ )
 					return;
 				}
 
-				const qFormSelector = '.q-form';
-				const qForms = form.querySelectorAll( qFormSelector );
 				const config = {
 					attributes: true,
-					attributeOldValue: true,
+					attributeFilter: [ 'class' ],
+					subtree: true,
 				};
 
-				[ ...qForms ].map( ( qForm ) => {
-					const observer = new MutationObserver( mutationObserverCallback );
-					observer.observe( qForm, config );
-					return qForm;
-				} );
+				const observer = new MutationObserver( mutationObserverCallback );
+				observer.observe( form, config );
 			};
 
 			function waitForElement( selector ) {

assets/js/hcaptcha-fluentform.js

@@ -88,7 +88,7 @@ export class helper {
 			this.params = new URLSearchParams();
 		}
 
-		return this.params.get( actionName );
+		return this.params.get( actionName ) ?? '';
 	}
 
 	/**

assets/js/hcaptcha-helper.js

@@ -1,11 +1,35 @@
 /* global jQuery, HCaptchaPlaygroundObject */
 
-const hCaptchaPlayground = window.hCaptchaPlayground || ( function( window, $ ) {
+const hCaptchaPlayground = window.hCaptchaPlayground || ( function( window, document, $ ) {
 	const app = {
 		init() {
+			app.fixMenu();
 			$( document ).on( 'ajaxSuccess', app.ajaxSuccessHandler );
 		},
 
+		// Fix admin menu.
+		fixMenu() {
+			const host = window.location.hostname ?? '';
+
+			let inIframe = false;
+
+			try {
+				inIframe = window.self !== window.top;
+			} catch ( e ) {
+				// If cross-origin blocks access to window.top, we are in an iframe.
+				inIframe = true;
+			}
+
+			// Apply only on playground.wordpress.net.
+			if ( inIframe && host === 'playground.wordpress.net' ) {
+				const adminBar = document.getElementById( 'wpadminbar' );
+
+				if ( adminBar ) {
+					adminBar.style.marginTop = '4px';
+				}
+			}
+		},
+
 		// jQuery ajaxSuccess handler.
 		ajaxSuccessHandler( event, xhr, settings ) {
 			const params = new URLSearchParams( settings.data );
@@ -40,7 +64,7 @@ const hCaptchaPlayground = window.hCaptchaPlayground || ( function( window, $ )
 	};
 
 	return app;
-}( window, jQuery ) );
+}( window, document, jQuery ) );
 
 window.hCaptchaPlayground = hCaptchaPlayground;
 

assets/js/playground.js

@@ -1,3 +1,16 @@
+= 4.21.0 =
+* Added AI-ready security actions via the WordPress Abilities API, enabling automated threat inspection and response.
+* Added compatibility with the latest version of the Ninja Forms plugin.
+* Fixed FluentForms integrations after the latest FluentForms update.
+* Fixed the inability to send FluentForms Conversational Form.
+* Fixed the racing condition which sometimes led to double rendering of the hCaptcha widget on any forms.
+* Fixed double rendering of the hCaptcha widget on the Elementor Form.
+* Fixed an error activating a free plugin when its premium version is not available.
+* Fixed highlighting of the suggested plugin when it is already activated.
+* Fixed an attempt for installation of an already installed plugin.
+* Fixed installing plugins declared as WordPress dependencies.
+* Fixed Jetpack test form appearance on the Playground.
+
 = 4.20.0 =
 * Added Divi 5 support.
 * Added onboarding wizard.

changelog.txt

@@ -10,7 +10,7 @@
  * Plugin Name:          hCaptcha for WP
  * Plugin URI:           https://www.hcaptcha.com/
  * Description:          hCaptcha keeps out bots and spam while putting privacy first. It is a drop-in replacement for reCAPTCHA.
- * Version:              4.20.0
+ * Version:              4.21.0
  * Requires at least:    5.3
  * Requires PHP:         7.2
  * Author:               hCaptcha
@@ -21,7 +21,7 @@
  * Domain Path:          /languages/
  *
  * WC requires at least: 3.0
- * WC tested up to:      10.3
+ * WC tested up to:      10.4
  */
 
 // phpcs:ignore Generic.Commenting.DocComment.MissingShort
@@ -39,7 +39,7 @@
 /**
  * Plugin version.
  */
-const HCAPTCHA_VERSION = '4.20.0';
+const HCAPTCHA_VERSION = '4.21.0';
 
 /**
  * Path to the plugin dir.