: str_replace(): Passing null to parameter #2 ($replace) of type array|string is deprecated in
// wpautop does its "thing"
$post_content = wpautop( $post_content );
$post_content = et_pb_unprep_code_module_for_wpautop( $post_content );
$global_shortcode['shortcode'] = et_core_intentionally_unescaped( $post_content, 'html' );
$excluded_global_options = get_post_meta( $post_id, '_et_pb_excluded_global_options' );
$selective_sync_status = empty( $excluded_global_options ) ? '' : 'updated';
$global_shortcode['sync_status'] = et_core_intentionally_unescaped( $selective_sync_status, 'fixed_string' );
// excluded_global_options is an array with single value which is json string, so just `sanitize_text_field`, because `esc_html` converts quotes and breaks the json string.
$global_shortcode['excluded_options'] = $utils->esc_array( $excluded_global_options, 'sanitize_text_field' );
if ( empty( $global_shortcode ) ) {
$global_shortcode['error'] = 'nothing';
$json_post_data = wp_json_encode( $global_shortcode );
die( et_core_esc_previously( $json_post_data ) );
add_action( 'wp_ajax_et_pb_get_global_module', 'et_pb_get_global_module' );
function et_pb_update_layout() {
if ( ! wp_verify_nonce( $_POST['et_admin_load_nonce'], 'et_admin_load_nonce' ) ) {
if ( ! current_user_can( 'edit_posts' ) ) {
$post_id = isset( $_POST['et_template_post_id'] ) ? absint( $_POST['et_template_post_id'] ) : '';
$new_content = isset( $_POST['et_layout_content'] ) ? $_POST['et_layout_content'] : '';
$layout_type = isset( $_POST['et_layout_type'] ) ? sanitize_text_field( $_POST['et_layout_type'] ) : '';
if ( empty( $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
'post_content' => $new_content,
$result = wp_update_post( $update );
if ( ! $result || is_wp_error( $result ) ) {
ET_Core_PageResource::remove_static_resources( 'all', 'all' );
if ( 'module' === $layout_type && isset( $_POST['et_unsynced_options'] ) ) {
$unsynced_options = sanitize_text_field( stripslashes( $_POST['et_unsynced_options'] ) );
update_post_meta( $post_id, '_et_pb_excluded_global_options', $unsynced_options );
add_action( 'wp_ajax_et_pb_update_layout', 'et_pb_update_layout' );
function et_pb_load_layout() {
if ( ! wp_verify_nonce( $_POST['et_admin_load_nonce'], 'et_admin_load_nonce' ) ) {
if ( ! current_user_can( 'edit_posts' ) ) {
$layout_id = ! empty( $_POST['et_layout_id'] ) ? (int) $_POST['et_layout_id'] : 0;
if ( empty( $layout_id ) || ! current_user_can( 'edit_post', $layout_id ) ) {
// sanitize via allowlisting
$replace_content = isset( $_POST['et_replace_content'] ) && 'on' === $_POST['et_replace_content'] ? 'on' : 'off';
set_theme_mod( 'et_pb_replace_content', $replace_content );
$layout = get_post( $layout_id );
echo et_core_esc_previously( $layout->post_content );
add_action( 'wp_ajax_et_pb_load_layout', 'et_pb_load_layout' );
function et_pb_delete_layout() {
if ( ! wp_verify_nonce( $_POST['et_admin_load_nonce'], 'et_admin_load_nonce' ) ) {
$layout_id = ! empty( $_POST['et_layout_id'] ) ? (int) $_POST['et_layout_id'] : '';
if ( empty( $layout_id ) ) {
if ( ! current_user_can( 'delete_post', $layout_id ) ) {
wp_delete_post( $layout_id );
add_action( 'wp_ajax_et_pb_delete_layout', 'et_pb_delete_layout' );
* Enables zlib compression if needed/supported.
function et_builder_enable_zlib_compression() {
// If compression is already enabled, do nothing
if ( 1 === intval( @ini_get( 'zlib.output_compression' ) ) ) {
// We need to be sure no content has been pushed yet before enabling compression
// to avoid decoding errors. To do so, we flush buffer and then check header_sent
while ( ob_get_level() ) {
// Something has been sent already, could be PHP notices or other plugin output
// We use ob_gzhandler because less prone to errors with WP
if ( function_exists( 'ob_gzhandler' ) ) {
// Faster compression, requires less cpu/memory
@ini_set( 'zlib.output_compression_level', 1 );
ob_start( 'ob_gzhandler' );
function et_pb_get_backbone_templates() {
if ( ! wp_verify_nonce( $_POST['et_admin_load_nonce'], 'et_admin_load_nonce' ) ) {
if ( ! current_user_can( 'edit_posts' ) ) {
$post_type = isset( $_POST['et_post_type'] ) ? sanitize_text_field( $_POST['et_post_type'] ) : '';
$start_from = isset( $_POST['et_templates_start_from'] ) ? sanitize_text_field( $_POST['et_templates_start_from'] ) : 0;
$amount = ET_BUILDER_AJAX_TEMPLATES_AMOUNT;
// Enable zlib compression
et_builder_enable_zlib_compression();
// get the portion of templates
$result = wp_json_encode( ET_Builder_Element::output_templates( $post_type, $start_from, $amount ) );
die( et_core_intentionally_unescaped( $result, 'html' ) );
add_action( 'wp_ajax_et_pb_get_backbone_templates', 'et_pb_get_backbone_templates' );
* Determine if a post is built by a certain builder.
* @param int $post_id The post_id to check.
* @param string $built_by_builder The builder to check if the post is built by. Allowed values: fb, bb.
function et_builder_is_builder_built( $post_id, $built_by_builder ) {
$_post = get_post( $post_id );
// a autosave could be passed as $post_id, and an autosave will not have post_meta and then et_pb_is_pagebuilder_used() will always return false.
$parent_post = wp_is_post_autosave( $post_id ) ? get_post( $_post->post_parent ) : $_post;
if ( ! $post_id || ! $_post || ! is_object( $_post ) || ! et_pb_is_pagebuilder_used( $parent_post->ID ) ) {
// ensure this is an allowed builder post_type
if ( ! in_array( $parent_post->post_type, et_builder_get_builder_post_types() ) ) {
// allowlist the builder slug
$built_by_builder = in_array( $built_by_builder, array( 'fb', 'bb' ) ) ? $built_by_builder : '';
// the built by slug prepended to the first section automatically, in this format: fb_built="1"
$pattern = '/^\[et_pb_section ' . $built_by_builder . '_built="1"/s';
return preg_match( $pattern, $_post->post_content );
function et_is_builder_available_cookie_set() {
static $builder_available = null;
if ( null !== $builder_available ) {
return $builder_available;
foreach( (array) $_COOKIE as $cookie => $value ) {
if ( 0 === strpos( $cookie, 'et-editor-available-post-' ) ) {
$builder_available = true;
return $builder_available;
$builder_available = false;
return $builder_available;
function et_builder_heartbeat_interval() {
return apply_filters( 'et_builder_heartbeat_interval', 30 );
function et_builder_ensure_heartbeat_interval( $response, $screen_id ) {
if ( ! current_user_can( 'edit_posts' ) ) {
if ( ! isset( $response['heartbeat_interval'] ) ) {
if ( et_builder_heartbeat_interval() === $response['heartbeat_interval'] ) {
if ( ! et_is_builder_available_cookie_set() ) {
$response['heartbeat_interval'] = et_builder_heartbeat_interval();
add_filter( 'heartbeat_send', 'et_builder_ensure_heartbeat_interval', 100, 2 );
function et_pb_heartbeat_post_modified( $response ) {
et_core_nonce_verified_previously();
if ( ! current_user_can( 'edit_posts' ) ) {
if ( empty( $_POST['data'] ) ) {
$heartbeat_data = $_POST['data'];
$has_focus = isset( $_POST['has_focus'] ) && 'true' === $_POST['has_focus'] ? true : false;
$heartbeat_data_et = !empty( $heartbeat_data['et'] ) ? $heartbeat_data['et'] : false;
if ( ! empty( $heartbeat_data_et ) ) {
$post_id = ! empty( $heartbeat_data_et['post_id'] ) ? absint( $heartbeat_data_et['post_id'] ) : '';
if ( empty( $heartbeat_data_et['post_id'] ) || ! current_user_can( 'edit_post', $post_id ) ) {
$last_post_modified = sanitize_text_field( $heartbeat_data_et['last_post_modified'] );
$built_by = sanitize_text_field( $heartbeat_data_et['built_by'] );
$force_check = isset( $heartbeat_data_et['force_check'] ) && 'true' === $heartbeat_data_et['force_check'] ? true : false;
$force_autosave = isset( $heartbeat_data_et['force_autosave'] ) && 'true' === $heartbeat_data_et['force_autosave'] ? true : false;
$current_user_id = get_current_user_id();
$_post = get_post( $post_id );
if ( ! $post_id || ! $_post || ! is_object( $_post ) ) {
// minimum sucessful response
'force_check' => $force_check,
'force_autosave' => $force_autosave,
// the editor in focus is not going to be receiving an update from the other editor
// so we can return early
if ( $has_focus && !$force_check ) {
$response['et']['action'] = 'No actions since this editor has focus'; // dev use
$response['et']['action'] = 'No actions since this is a force autosave request'; // dev use
// from here down we know that the following logic applies to the editor
// currently *not* in focus, i.e. the one eligable for a potential sync update
$builder_settings_autosave = get_post_meta( $post_id, "_et_builder_settings_autosave_{$current_user_id}", true );
if ( ! empty( $builder_settings_autosave ) ) {
$response['et']['builder_settings_autosave'] = $builder_settings_autosave;
$post_content = $_post->post_content;
$post_modified = $_post->post_modified;
$autosave = wp_get_post_autosave( $post_id, $current_user_id );
$post_post_modified = date( 'U', strtotime( $post_modified ) );
$response['et']['post_post_modified'] = $_post->post_modified;
if ( !empty( $autosave ) ) {
$response['et']['autosave_exists'] = true;
$autosave_post_modified = date( 'U', strtotime( $autosave->post_modified ) );
$response['et']['autosave_post_modified'] = $autosave->post_modified;
$response['et']['autosave_exists'] = false;
if ( !empty( $autosave ) && $autosave_post_modified > $post_post_modified ) {
$response['et']['used_autosave'] = true;
$post_id = $autosave->ID;
$post_content = $autosave->post_content;
$post_modified = $autosave->post_modified;
$response['et']['used_autosave'] = false;
$response['et']['post_id'] = $post_id;
$response['et']['last_post_modified'] = $last_post_modified;
$response['et']['post_modified'] = $post_modified;
// security short circuit
$_post = get_post( $post_id );
// $post_id could be an autosave
$parent_post = wp_is_post_autosave( $post_id ) ? get_post( $_post->post_parent ) : $_post;
if ( ! et_pb_is_pagebuilder_used( $parent_post->ID ) || ! in_array( $parent_post->post_type, et_builder_get_builder_post_types() ) ) {
// end security short circuit
if ( $last_post_modified !== $post_modified ) {
// check if the newly modified was made by opposite builder,
// and if so, send it back in the response
if ( 'bb' === $built_by ) {
// backend builder in use and in focus
$response['et']['is_built_by_fb'] = et_builder_is_builder_built( $post_id, 'fb' );
// check if latest post_content is built by fb
if ( et_builder_is_builder_built( $post_id, 'fb' ) ) {
if ( et_builder_bfb_enabled() ) {
$post_content_obj = et_fb_process_shortcode( $post_content );
$response['et']['post_content_obj'] = $post_content_obj;
$response['et']['post_content'] = $post_content;
$response['et']['action'] = 'current editor is bb, updated to content that was built by fb'; // dev use
$response['et']['action'] = 'current editor is bb, content wasnt updated by fb'; // dev use
// frontend builder in use and in focus
$response['et']['is_built_by_bb'] = et_builder_is_builder_built( $post_id, 'bb' );
// check if latest post_content is built by bb
if ( et_builder_is_builder_built( $post_id, et_builder_bfb_enabled() ? 'fb' : 'bb' ) ) {
$post_content_obj = et_fb_process_shortcode( $post_content );
$response['et']['post_content_obj'] = $post_content_obj;
$response['et']['action'] = 'current editor is fb, updated to content that was built by bb'; // dev use
$response['et']['action'] = 'current editor is fb, content wasnt updated by bb'; // dev use
$global_presets_manager = ET_Builder_Global_Presets_Settings::instance();
$response['et']['global_presets'] = $global_presets_manager->get_global_presets();
$response['et']['post_not_modified'] = true;
$response['et']['action'] = 'post content not modified externally'; // dev use
add_filter( 'heartbeat_send', 'et_pb_heartbeat_post_modified' );
* Save a post submitted via ETBuilder Heartbeat.
* @copyright 2016 by the WordPress contributors.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
* This program incorporates work covered by the following copyright and
* b2 is (c) 2001, 2002 Michel Valdrighi - m@tidakada.com - http://tidakada.com
* b2 is released under the GPL
* WordPress - Web publishing software
* Copyright 2003-2010 by the contributors
* WordPress is released under the GPL
* @param array $post_data Associative array of the submitted post data.
* @return mixed The value 0 or WP_Error on failure. The saved post ID on success.
* The ID can be the draft post_id or the autosave revision post_id.
function et_fb_autosave( $post_data ) {
if ( ! defined( 'DOING_AUTOSAVE' ) ) {
define( 'DOING_AUTOSAVE', true );
$post_id = (int) $post_data['post_id'];
$post_data['ID'] = $post_data['post_ID'] = $post_id;
if ( false === wp_verify_nonce( $post_data['et_fb_autosave_nonce'], 'et_fb_autosave_nonce' ) ) {
return new WP_Error( 'invalid_nonce', __( 'Error while saving.', 'et_builder' ) );
$_post = get_post( $post_id );
$current_user_id = get_current_user_id();
if ( ! et_fb_current_user_can_save( $post_id ) ) {
return new WP_Error( 'edit_posts', __( 'Sorry, you are not allowed to edit this item.', 'et_builder' ) );
// NOTE, no stripslashes() needed first as it's already been done on the POST'ed $post_data prior
$shortcode_data = json_decode( $post_data['content'], true );
'post_type' => sanitize_text_field( $post_data['post_type'] ),
$post_data['content'] = et_fb_process_to_shortcode( $shortcode_data, $options );
if ( 'auto-draft' === $_post->post_status ) {
$post_data['post_status'] = 'draft';
if ( ! wp_check_post_lock( $_post->ID ) && get_current_user_id() === $_post->post_author && ( 'auto-draft' === $_post->post_status || 'draft' === $_post->post_status ) ) {
// Drafts and auto-drafts are just overwritten by autosave for the same user if the post is not locked
return edit_post( wp_slash( $post_data ) );
// Non drafts or other users drafts are not overwritten. The autosave is stored in a special post revision for each user.
return wp_create_post_autosave( wp_slash( $post_data ) );
function et_pb_autosave_builder_settings( $post_id, $builder_settings ) {
$current_user_id = get_current_user_id();
// Builder settings autosave
if ( !empty( $builder_settings ) ) {
// Data is coming from `wp_ajax_heartbeat` which ran `wp_unslash` on it,
// `update_post_meta` will do the same, resulting in legit slashes being removed
// The solution is to add those slashes back before updating metas.
$builder_settings = wp_slash( $builder_settings );
// Pseudo activate AB Testing for VB draft/builder-sync interface
if ( isset( $builder_settings['et_pb_use_ab_testing'] ) ) {
// Save autosave/draft AB Testing status
'_et_pb_use_ab_testing_draft',
sanitize_text_field( $builder_settings['et_pb_use_ab_testing'] )
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
