$post_id = isset( $post->ID ) ? $post->ID : (int) et_()->array_get( $_POST, 'current_page.id' ); // phpcs:ignore WordPress.Security.NonceVerification -- This function does not change any state, and is therefore not susceptible to CSRF.
$exclude_woo = wp_doing_ajax() || ! et_is_woocommerce_plugin_active() || 'latest' === ET_Builder_Module_Helper_Woocommerce_Modules::get_product_default();
$default_categories = array( get_term_by( 'name', 'Uncategorized', 'category' ) );
$categories = et_pb_get_post_categories( $post_id, $default_categories );
$block_id = et_()->array_get( $_GET, 'blockId', '' );
'url' => esc_url( $current_url ),
'permalink' => esc_url( remove_query_arg( 'et_fb', $current_url ) ),
'backendBuilderUrl' => esc_url( sprintf( admin_url( '/post.php?post=%d&action=edit' ), get_the_ID() ) ),
'id' => isset( $post->ID ) ? $post->ID : false,
'title' => esc_html( get_the_title() ),
'thumbnailUrl' => isset( $post->ID ) ? esc_url( get_the_post_thumbnail_url( $post->ID, $thumbnail_size ) ) : '',
'thumbnailId' => isset( $post->ID ) ? get_post_thumbnail_id( $post->ID ) : '',
'authorName' => esc_html( get_the_author() ),
'authorUrl' => isset( $authordata->ID ) && isset( $authordata->user_nicename ) ? esc_html( get_author_posts_url( $authordata->ID, $authordata->user_nicename ) ) : false,
// translators: post author name.
'authorUrlTitle' => sprintf( esc_html__( 'Posts by %s', 'et_builder' ), get_the_author() ),
'date' => intval( get_the_time( 'U' ) ),
'categories' => $categories,
'commentsPopup' => esc_html( $comment_count_text ),
'commentsCount' => esc_html( $comment_count ),
'comments_popup_tb' => esc_html__( '12 Comments', 'et_builder' ),
'paged' => is_front_page() ? $et_paged : $paged,
'post_modified' => isset( $post->ID ) ? esc_attr( $post->post_modified ) : '',
'blockId' => ET_GB_Block_Layout::is_layout_block_preview() ? sanitize_title( et_()->array_get( $_GET, 'blockId', '' ) ) : '', // phpcs:ignore WordPress.Security.NonceVerification -- This function does not change any state, and is therefore not susceptible to CSRF.
'langCode' => get_locale(),
'page_layout' => $post_id ? get_post_meta( $post_id, '_et_pb_page_layout', true ) : '',
'woocommerceComponents' => $exclude_woo ? array() : et_fb_current_page_woocommerce_components(),
'woocommerceTabs' => et_builder_tb_enabled() && et_is_woocommerce_plugin_active() ?
ET_Builder_Module_Helper_Woocommerce_Modules::get_default_tab_options() : et_fb_woocommerce_tabs(),
'inactive_module_notice' => esc_html__(
'WooCommerce must be active for this module to appear',
return apply_filters( 'et_fb_current_page_params', $current_page );
* Ajax Callback :: Process computed property.
function et_pb_process_computed_property() {
if ( ! isset( $_POST['et_pb_process_computed_property_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( $_POST['et_pb_process_computed_property_nonce'] ), 'et_pb_process_computed_property_nonce' ) ) {
if ( ! current_user_can( 'edit_posts' ) ) {
if ( ! isset( $_POST['depends_on'], $_POST['conditional_tags'], $_POST['current_page'] ) ) {
// Shouldn't even be a possibility, but...
// Since computing `__page` can exit here too, we need to json_encode the reponse.
// This is needed in case jQuery migrate is disabled (eg via plugin) otherwise the AJAX success callback
// won't be executed (because json is malformed).
die( wp_json_encode( null ) );
$utils = ET_Core_Data_Utils::instance();
// phpcs:disable ET.Sniffs.ValidatedSanitizedInput -- Sanitization of following arrays is done at the time of accessing an array values.
$depends_on = isset( $_POST['depends_on'] ) ? $_POST['depends_on'] : array();
$conditional_tags = isset( $_POST['conditional_tags'] ) ? $_POST['conditional_tags'] : array();
$current_page = isset( $_POST['current_page'] ) ? $_POST['current_page'] : array();
$conditional_tags = array_intersect_key( $conditional_tags, et_fb_conditional_tag_params() );
$current_page = array_intersect_key( $current_page, et_fb_current_page_params() );
$conditional_tags = $utils->sanitize_text_fields( $conditional_tags );
$current_page = $utils->sanitize_text_fields( $current_page );
if ( empty( $current_page['id'] ) || ! current_user_can( 'edit_post', $current_page['id'] ) ) {
// $_POST['depends_on'] is a single dimensional assoc array created by jQuery.ajax data param, sanitize each key and value, they will both be strings
foreach ( $depends_on as $key => $value ) {
if ( et_()->includes( $value, '%' ) ) {
// `sanitize_text_fields` removes octets `%[a-f0-9]{2}` and would zap icon values / `%date`
// so we prefix octets with `_` to protected them and remove the prefix after sanitization.
$prepared_value = preg_replace( '/%([a-f0-9]{2})/', '%_$1', $value );
$sanitized_value = preg_replace( '/%_([a-f0-9]{2})/', '%$1', sanitize_text_field( $prepared_value ) );
$sanitized_value = sanitize_text_field( $value );
$depends_on[ sanitize_text_field( $key ) ] = $sanitized_value;
$module_slug = isset( $_POST['module_type'] ) ? sanitize_text_field( $_POST['module_type'] ) : '';
$post_type = isset( $_POST['post_type'] ) ? sanitize_text_field( $_POST['post_type'] ) : '';
// Since VB performance, it is introduced single ajax request for several property
// in that case, computed_property posted data can be as an array
// hence we get the raw post data value, then sanitize it afterward either as array or string.
// @phpcs:ignore ET.Sniffs.ValidatedSanitizedInput.InputNotSanitized -- Will be sanitized conditionally as string or array afterward.
$computed_property = isset( $_POST['computed_property'] ) ? $_POST['computed_property'] : '';
$computed_property = is_array( $computed_property ) ? array_map( 'sanitize_text_field', $computed_property ) : sanitize_text_field( $computed_property );
// get all fields for module.
$fields = ET_Builder_Element::get_module_fields( $post_type, $module_slug );
// make sure only valid fields are being passed through.
$depends_on = array_intersect_key( $depends_on, $fields );
if ( is_array( $computed_property ) ) {
foreach ( $computed_property as $property ) {
if ( ! isset( $fields[ $property ], $fields[ $property ]['computed_callback'] ) ) {
$callback = $fields[ $property ]['computed_callback'];
if ( is_callable( $callback ) ) {
// @phpcs:ignore Generic.PHP.ForbiddenFunctions.Found -- The callback is hard-coded in module fields configuration.
$results[ $property ] = call_user_func( $callback, $depends_on, $conditional_tags, $current_page );
if ( empty( $results ) ) {
die( wp_json_encode( $results ) );
// computed property field.
$field = $fields[ $computed_property ];
$callback = $field['computed_callback'];
if ( is_callable( $callback ) ) {
// @phpcs:ignore Generic.PHP.ForbiddenFunctions.Found -- The callback is hard-coded in module fields configuration.
die( wp_json_encode( call_user_func( $callback, $depends_on, $conditional_tags, $current_page ) ) );
add_action( 'wp_ajax_et_pb_process_computed_property', 'et_pb_process_computed_property' );
* Process shortcode json.
* @param array $object Shortcodes object.
* @param array $options Options.
* @param string $library_item_type Library item type.
* @param bool $escape_content_slashes Whether escape content slashes.
function et_fb_process_to_shortcode( $object, $options = array(), $library_item_type = '', $escape_content_slashes = true ) {
$default_options = array(
'force_valid_slugs' => false,
'apply_global_presets' => false,
$options = wp_parse_args( $options, $default_options );
$global_presets_manager = ET_Builder_Global_Presets_Settings::instance();
// do not proceed if $object is empty.
if ( empty( $object ) ) {
$font_icon_fields = ! empty( $options['post_type'] ) ? ET_Builder_Element::get_font_icon_fields( $options['post_type'] ) : false;
$structure_types = ET_Builder_Element::get_structure_module_slugs();
if ( in_array( $library_item_type, array( 'module', 'row' ), true ) ) {
$excluded_elements = array();
switch ( $library_item_type ) {
$excluded_elements = array( 'et_pb_section', 'et_pb_row', 'et_pb_column' );
$excluded_elements = array( 'et_pb_section' );
foreach ( $object as $item ) {
// do not proceed if $item is empty.
while ( in_array( $item['type'], $excluded_elements, true ) ) {
$item = $item['content'][0];
if ( $options['force_valid_slugs'] ) {
// we need to supply a reasonable default post type to get a simple list of slugs,
// otherwise the function will return an array of arrays of slugs for every possible post_type.
$slug_post_type = ! empty( $options['post_type'] ) ? $options['post_type'] : 'page';
$valid_slugs = ET_Builder_Element::get_module_slugs_by_post_type( $slug_post_type );
foreach ( $_object as $item ) {
// do not proceed if $item is empty.
$type = sanitize_text_field( $item['type'] );
$type = esc_attr( $type );
// if option enabled, reject invalid slugs.
if ( $options['force_valid_slugs'] ) {
if ( ! in_array( $type, $valid_slugs, true ) ) {
if ( ! empty( $item['raw_child_content'] ) ) {
$content = stripslashes( $item['raw_child_content'] );
if ( $options['apply_global_presets'] ) {
$module_type = $global_presets_manager->maybe_convert_module_type( $type, $item['attrs'] );
$module_global_presets = $global_presets_manager->get_module_presets_settings( $module_type, $item['attrs'] );
$item['attrs'] = array_merge( $module_global_presets, $item['attrs'] );
foreach ( $item['attrs'] as $attribute => $value ) {
// ignore computed fields.
if ( '__' === substr( $attribute, 0, 2 ) ) {
$attribute = sanitize_text_field( $attribute );
// Sanitize input properly.
if ( isset( $font_icon_fields[ $item['type'] ][ $attribute ] ) ) {
$value = esc_attr( $value );
if ( in_array( $attribute, array( 'content', 'raw_content' ), true ) ) {
// do not override the content if item has raw_child_content.
if ( empty( $item['raw_child_content'] ) ) {
$content = trim( $content );
if ( ! empty( $content ) && 'content' === $attribute ) {
$content = "\n\n" . $content . "\n\n";
// Since WordPress version 5.1, any links in the content that
// has "target" attribute will be automatically added
// rel="noreferrer noopener" attribute. This attribute added
// after the shortcode processed in et_fb_process_to_shortcode
// function. This become an issue for the builder while parsing the shortcode attributes
// because the double quote that wrapping the "rel" attribute value is not encoded.
// So we need to manipulate "target" attribute here before storing the content by renaming
// is as "data-et-target-link". Later in "et_pb_fix_shortcodes" function
// we will turn it back as "target".
$value = str_replace( ' target=', ' data-et-target-link=', $value );
$is_include_attr = false;
&& et_pb_hover_options()->get_field_base_name( $attribute ) !== $attribute
&& et_pb_hover_options()->is_enabled( et_pb_hover_options()->get_field_base_name( $attribute ), $item['attrs'] ) ) {
&& et_pb_responsive_options()->get_field_base_name( $attribute ) !== $attribute
&& et_pb_responsive_options()->is_enabled( et_pb_responsive_options()->get_field_base_name( $attribute ), $item['attrs'] ) ) {
if ( $is_include_attr ) {
// TODO, should we check for and handle default here? probably done in FB alredy...
// Make sure double quotes are encoded, before adding values to shortcode.
$value = str_ireplace( '"', '%22', $value );
// Make sure single backslash is encoded, before adding values to Shortcode.
if ( 'breadcrumb_separator' === $attribute ) {
$value = str_ireplace( '\\', '%5c', $value );
// Encode backslash for custom CSS-related and json attributes.
$json_attributes = array( 'checkbox_options', 'radio_options', 'select_options' );
if ( 0 === strpos( $attribute, 'custom_css_' ) || in_array( $attribute, $json_attributes, true ) ) {
$value = str_ireplace( '\\', '%92', $value );
} elseif ( et_builder_parse_dynamic_content( $value )->is_dynamic() ) {
$value = str_replace( '\\', '%92', $value );
$attributes .= ' ' . esc_attr( $attribute ) . '="' . et_core_esc_previously( $value ) . '"';
$attributes = str_replace( array( '[', ']' ), array( '%91', '%93' ), $attributes );
// prefix sections with a fb_built attr flag.
if ( 'et_pb_section' === $type ) {
$attributes = ' fb_built="1"' . $attributes;
// start the opening tag.
$output .= '[' . $type . $attributes;
// close the opening tag, depending on self closing.
if ( empty( $content ) && ! isset( $item['content'] ) && ! in_array( $type, $structure_types, true ) ) {
// if applicable, add inner content and close tag.
if ( ! $open_tag_only ) {
if ( 'et_pb_section' === $type && isset( $item['attrs'] ) && isset( $item['attrs']['fullwidth'] ) && 'on' !== $item['attrs']['fullwidth'] && isset( $item['attrs']['specialty'] ) && 'on' !== $item['attrs']['specialty'] && ( ! isset( $item['content'] ) || ! is_array( $item['content'] ) ) ) {
// insert empty row if saving empty Regular section to make it work correctly in BB.
$output .= '[et_pb_row admin_label="Row"][/et_pb_row]';
} elseif ( isset( $item['content'] ) && is_array( $item['content'] ) ) {
$output .= et_fb_process_to_shortcode( $item['content'], $options, '', $escape_content_slashes );
if ( ! empty( $content ) ) {
if ( et_is_builder_plugin_active() && in_array( $type, ET_Builder_Element::get_has_content_modules(), true ) ) {
// Wrap content in autop to avoid tagless content on FE due to content is edited on html editor and only
// have one-line without newline wrap which prevent `the_content`'s wpautop filter to properly wrap it.
$content = wpautop( $content );
if ( isset( $item['content'] ) ) {
$_content = $item['content'];
if ( $escape_content_slashes ) {
$_content = str_replace( '\\', '\\\\', $_content );
if ( et_is_builder_plugin_active() && in_array( $type, ET_Builder_Element::get_has_content_modules(), true ) ) {
// Wrap content in autop to avoid tagless content on FE due to content is edited on html editor and only
// have one-line without newline wrap which prevent `the_content`'s wpautop filter to properly wrap it.
$_content = wpautop( $_content );
$output .= '[/' . $type . ']';
* Ajax Callback :: Render shortcode output.
function et_fb_ajax_render_shortcode() {
if ( ! isset( $_POST['et_pb_render_shortcode_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( $_POST['et_pb_render_shortcode_nonce'] ), 'et_pb_render_shortcode_nonce' ) ) {
if ( ! current_user_can( 'edit_posts' ) ) {
$utils = ET_Core_Data_Utils::instance();
global $et_pb_predefined_module_index;
$et_pb_predefined_module_index = isset( $_POST['et_fb_module_index'] ) && 'default' !== $_POST['et_fb_module_index'] ? sanitize_text_field( $_POST['et_fb_module_index'] ) : false;
$options = isset( $_POST['options'] ) ? $utils->sanitize_text_fields( $_POST['options'] ) : array(); // phpcs:ignore ET.Sniffs.ValidatedSanitizedInput -- sanitize_text_fields sanitize the options.
// enforce valid module slugs only
// shortcode slugs need to be allowlisted so as to prevent malicious shortcodes from being generated and run through do_shortcode().
$options['force_valid_slugs'] = true;
// phpcs:ignore ET.Sniffs.ValidatedSanitizedInput -- $_POST['object'] will not be stored in db.
$object = isset( $_POST['object'] ) ? $_POST['object'] : array();
// convert shortcode array to shortcode string.
$shortcode = et_fb_process_to_shortcode( $object, $options );
// take shortcode string and ensure it's properly sanitized for the purposes of this function.
$shortcode = et_pb_enforce_builder_shortcode( $shortcode );
$output = do_shortcode( $shortcode );
$styles = ET_Builder_Element::get_style();
if ( ! empty( $styles ) ) {
'<style type="text/css" class="et-builder-advanced-style">
wp_send_json_success( $output );
add_action( 'wp_ajax_et_fb_ajax_render_shortcode', 'et_fb_ajax_render_shortcode' );
* Determine current user can save the post.
* @param int $post_id Post id.
* @param string $status Post status.
function et_fb_current_user_can_save( $post_id, $status = '' ) {
if ( is_page( $post_id ) ) {
if ( ! current_user_can( 'edit_pages' ) ) {
if ( ! current_user_can( 'publish_pages' ) && 'publish' === $status ) {
if ( ! current_user_can( 'edit_published_pages' ) && 'publish' === get_post_status( $post_id ) ) {
if ( ! current_user_can( 'edit_others_pages' ) && ! current_user_can( 'edit_page', $post_id ) ) {
if ( ! current_user_can( 'edit_posts' ) ) {
if ( ! current_user_can( 'publish_posts' ) && 'publish' === $status ) {
if ( ! current_user_can( 'edit_published_posts' ) && 'publish' === get_post_status( $post_id ) ) {
if ( ! current_user_can( 'edit_others_posts' ) && ! current_user_can( 'edit_post', $post_id ) ) {
* Ajax Callback :: Drop backup/autosave depending on exit type.
function et_fb_ajax_drop_autosave() {
if ( ! isset( $_POST['et_fb_drop_autosave_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( $_POST['et_fb_drop_autosave_nonce'] ), 'et_fb_drop_autosave_nonce' ) ) {
$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
