: str_replace(): Passing null to parameter #2 ($replace) of type array|string is deprecated in
if ( ! class_exists( 'PPW_Shortcode' ) ) {
private $supported_roles;
private $supported_post_types;
* The main class name which using to add the index.
private $main_class_name;
* Register the short code ppwp_content_protector with WordPress
* and include the asserts for it.
public function __construct() {
$this->attributes = apply_filters(
PPW_Constants::HOOK_SHORT_CODE_ATTRS,
'headline' => PPW_Constants::DEFAULT_SHORTCODE_HEADLINE,
'description' => PPW_Constants::DEFAULT_SHORTCODE_DESCRIPTION,
'button' => PPW_Constants::DEFAULT_SHORTCODE_BUTTON,
'whitelisted_roles' => '',
'label' => PPW_Constants::DEFAULT_SHORTCODE_LABEL,
'error_msg' => PPW_Constants::DEFAULT_SHORTCODE_ERROR_MSG,
'loading' => PPW_Constants::DEFAULT_SHORTCODE_LOADING,
'show_password' => PPW_Constants::DEFAULT_SHORTCODE_SHOW_PASSWORD,
'show_password_text' => PPW_Constants::DEFAULT_SHORTCODE_SHOW_PASSWORD_TEXT,
'desc_above_btn' => PPW_Constants::DEFAULT_SHORTCODE_DESC_ABOVE_PWD_BTN,
'desc_below_form' => PPW_Constants::DEFAULT_SHORTCODE_DESC_BELOW_PWD_FORM,
// Defined by WordPress: https://wordpress.org/support/article/roles-and-capabilities/.
$this->supported_roles = apply_filters(
PPW_Constants::HOOK_SUPPORTED_WHITELIST_ROLES,
$this->supported_post_types = apply_filters(
PPW_Constants::HOOK_SUPPORTED_POST_TYPES,
add_shortcode( PPW_Constants::PPW_HOOK_SHORT_CODE_NAME, array( $this, 'render_shortcode' ) );
add_filter( 'ppw_content_shortcode_source', array( $this, 'render_block_content' ), 15 );
add_action( 'the_post', array( $this, 'maybe_remove_ppwp_shortcode' ), 10 );
add_action( 'the_post', array( $this, 'maybe_add_ppwp_shortcode' ), 99999 );
* Need to keep the old Pro version work, because the sidewide shortcode is using global var ppwContentGlobal.
if ( defined( 'PPW_PRO_VERSION' ) ) {
$pro_version = ppw_get_pro_version();
if ( version_compare( $pro_version, '1.2.2', '<' ) ) {
add_action( 'wp_enqueue_scripts', array( $this, 'add_scripts' ) );
$this->main_class_name = PPW_Constants::DEFAULT_SHORTCODE_CLASS_NAME;
* Maybe remove shortcode before WPBakery and WordPress do_shortcode in FrontEnd.
public function maybe_remove_ppwp_shortcode() {
if ( ! ppw_free_has_support_shortcode_page_builder() ) {
remove_shortcode( PPW_Constants::PPW_HOOK_SHORT_CODE_NAME );
* Maybe add shortcode back.
public function maybe_add_ppwp_shortcode() {
if ( ! ppw_free_has_support_shortcode_page_builder() ) {
add_filter( 'the_content', function ( $content ) {
add_shortcode( PPW_Constants::PPW_HOOK_SHORT_CODE_NAME, array( $this, 'render_shortcode' ) );
/* translators: Opening curly double quote. */
$opening_quote = _x( '“', 'opening curly double quote' );
/* translators: Closing curly double quote. */
$closing_quote = _x( '”', 'closing curly double quote' );
/* translators: Apostrophe, for example in 'cause or can't. */
$apos = _x( '’', 'apostrophe' );
/* translators: Prime, for example in 9' (nine feet). */
$prime = _x( '′', 'prime' );
/* translators: Double prime, for example in 9" (nine inches). */
$double_prime = _x( '″', 'double prime' );
/* translators: Opening curly single quote. */
$opening_single_quote = _x( '‘', 'opening curly single quote' );
/* translators: Closing curly single quote. */
$closing_single_quote = _x( '’', 'closing curly single quote' );
$matches = ppw_free_search_shortcode_content( $content );
if ( ! empty( $matches ) ) {
foreach ( $matches as $match ) {
// The shortcode argument list
$old_argument_shortcode = $match[3];
$argument_shortcode = $match[3];
$argument_shortcode = str_replace( $opening_quote, '"', $argument_shortcode );
$argument_shortcode = str_replace( $closing_quote, '"', $argument_shortcode );
$argument_shortcode = str_replace( $apos, '\'', $argument_shortcode );
$argument_shortcode = str_replace( $prime, '\'', $argument_shortcode );
$argument_shortcode = str_replace( $double_prime, '"', $argument_shortcode );
$argument_shortcode = str_replace( $opening_single_quote, '\'', $argument_shortcode );
$argument_shortcode = str_replace( $closing_single_quote, '\'', $argument_shortcode );
$content = str_replace( $old_argument_shortcode, $argument_shortcode, $content );
$content = do_shortcode( $content );
* Get short code instance
public static function get_instance() {
return new PPW_Shortcode();
* Render password form or restricted content
* 0. Check current post type is in whitelist types
* 1. Check is valid attributes
* 2. Check whitelist roles
* 3. Check password is correct compare to Cookie
* @param array $attrs list of attributes including password.
* @param string $content the content inside short code.
public function render_shortcode( $attrs, $content = null ) {
// In case the shortcode is outside in the loop, the page is 0.
$number = ! empty( $page ) ? $page : 1;
$this->attributes = apply_filters( 'ppw_pcp_attributes', $this->attributes, $number );
$message = $this->is_valid_shortcode( $attrs, $content );
$message = apply_filters( 'ppw_pcp_valid_shortcode', $message, $attrs );
if ( true !== $message ) {
return $this->get_invalid_shortcode_message( $message, $attrs );
'<div class="%s">%s</div>',
$this->get_main_class_name( $attrs ),
$whitelisted_roles = apply_filters( PPW_Constants::HOOK_SHORT_CODE_WHITELISTED_ROLES, $attrs['whitelisted_roles'] );
if ( $this->is_whitelisted_role( $whitelisted_roles ) ) {
// Remember to wrap the content between the parent div. If you want to replace the shortcode content.
return apply_filters( PPW_Constants::HOOK_SHORTCODE_RENDER_CONTENT, $content, $attrs );
// Unlock content by datetime.
$unlocked = apply_filters( 'ppw_shortcode_unlock_content', $this->is_unlock_content_by_time( $attrs ), $attrs );
return apply_filters( PPW_Constants::HOOK_SHORTCODE_RENDER_CONTENT, $content, $attrs );
do_action( PPW_Constants::HOOK_SHORT_CODE_BEFORE_CHECK_PASSWORD, $content );
// Passwords attribute format: passwords="123 345 898942".
$passwords = apply_filters( PPW_Constants::HOOK_SHORTCODE_PASSWORDS, array_filter( explode( ' ', trim( $attrs['passwords'] ) ), 'strlen' ), $attrs );
foreach ( $passwords as $password ) {
// When passwords attribute having special characters eg: <script>alert('hello')</script>. WP will encode the HTML tag. Need to decode to compare the value in Cookie.
$hashed_password = wp_hash_password( wp_specialchars_decode( $password ) );
if ( $this->is_valid_password( $hashed_password ) ) {
// Remember to wrap the content between the parent div. If you want to replace the shortcode content.
return apply_filters( PPW_Constants::HOOK_SHORTCODE_RENDER_CONTENT, $content, $attrs );
do_action( PPW_Constants::HOOK_SHORT_CODE_AFTER_CHECK_PASSWORD, $content );
// Show custom text instead of password form.
$custom_form = apply_filters( PPW_Constants::HOOK_SHORTCODE_BEFORE_RENDER_PASSWORD_FORM, false, $attrs );
if ( false !== $custom_form ) {
'<div class="%s">%s</div>',
$this->get_main_class_name( $attrs ),
$this->massage_attributes( $custom_form )
$password_form = $this->get_restricted_content_form( $attrs, $number );
return apply_filters( 'ppw_pcp_password_form', $password_form, $attrs );
* Show content if user set on_date or off_date attribute.
* $on_date: Date to unlock content
* $off_date: Date to protect content.
* @param array $attrs Attributes.
* @return false True is unlock content else false.
private function is_unlock_content_by_time( $attrs ) {
if ( '' !== $attrs['on'] ) {
$on_date = strtotime( $attrs['on'] );
if ( '' !== $attrs['off'] ) {
$off_date = strtotime( $attrs['off'] );
// Show password form if on_date and off_date are empty.
if ( ! $on_date && ! $off_date ) {
$now = current_time( 'timestamp' );
// Unlock content between on_date and off_date.
if ( $on_date && $off_date && $on_date <= $now && $off_date >= $now ) {
return apply_filters( 'ppw_shortcode_unlock_content_by_time', true, $attrs );
// Unlock content from on_date.
if ( $on_date && ! $off_date && $now >= $on_date ) {
return apply_filters( 'ppw_shortcode_unlock_content_by_time', true, $attrs );
* Require javascript bundle file for shortcode.
public function add_scripts() {
static $count_script = 0;
$assert_folder = '/public/js/dist';
$is_using_pcp_recaptcha = PPW_Recaptcha::get_instance()->using_pcp_recaptcha();
PPW_DIR_URL . "$assert_folder/ppw-rc-form.bundle.js",
'ajax_url' => admin_url( 'admin-ajax.php' ),
'restUrl' => get_rest_url(),
'ajax_nonce' => wp_create_nonce( 'ppw_pcp_nonce' ),
'nonce' => wp_create_nonce( 'wp_rest' ),
'cookieExpiration' => $this->get_cookie_expiration(),
'supportedClassNames' => apply_filters(
'ppw_shortcode_supported_class_name',
'defaultType' => PPW_Constants::DEFAULT_SHORTCODE_CLASS_NAME,
'LOADING' => _x( 'Loading...', PPW_Constants::CONTEXT_PCP_PASSWORD_FORM, PPW_Constants::DOMAIN ),
'isUsingPCPRecaptcha' => $is_using_pcp_recaptcha
// Avoid conflict with updating post on Gutenberg when updating post.
if ( ! defined( 'REST_REQUEST' ) || ! REST_REQUEST ) {
if ( $is_using_pcp_recaptcha && $count_script === 1 ) {
add_action( 'wp_footer', function () {
PPW_Recaptcha::get_instance()->add_recaptcha_to_head();
* Check whether short code is valid.
* @param array $attrs Shortcode attributes.
* @param string $content Short code content.
private function is_valid_shortcode( $attrs, $content ) {
if ( ! $this->is_supported_post_types( get_post_type() ) ) {
/* translators: %s: Short code name */
$message = sprintf( __( 'Our Free version [%s] shortcode doesn\'t support Custom Post Type', PPW_Constants::DOMAIN ), PPW_Constants::PPW_HOOK_SHORT_CODE_NAME );
return apply_filters( PPW_Constants::HOOK_SHORTCODE_NOT_SUPPORT_TYPE_ERROR_MESSAGE, $message );
/* translators: %s: Short code name */
$message = sprintf( __( '[%s] Empty content, invalid attributes or values', PPW_Constants::DOMAIN ), PPW_Constants::PPW_HOOK_SHORT_CODE_NAME );
$message = apply_filters( PPW_Constants::HOOK_SHORT_CODE_ERROR_MESSAGE, $message );
if ( $this->is_empty_content( $content, $attrs ) ) {
if ( ! $this->is_valid_attributes( $attrs ) ) {
private function is_valid_date( $attrs ) {
if ( '' !== $attrs['on'] && ! ppw_free_validate_date( $attrs['on'] ) ) {
if ( '' !== $attrs['off'] && ! ppw_free_validate_date( $attrs['off'] ) ) {
* Check if the password is valid, comparing with cookie.
* @param string $password Password.
private function is_valid_password( $password ) {
$is_valid = apply_filters( 'ppw_shortcode_is_valid_password_with_cookie', false, $password, $_COOKIE );
return apply_filters( 'ppw_shortcode_after_check_is_valid_password_with_cookie', $is_valid, $password, array() );
$cookie_name = 'ppw_rc-' . get_the_ID();
if ( ! isset( $_COOKIE[ $cookie_name ] ) ) {
$cookie_val = json_decode( wp_unslash( $_COOKIE[ $cookie_name ] ) ); // phpcs:ignore -- Here do not need to sanitize $_COOKIE data, because we use it for comparision.
if ( ! is_array( $cookie_val ) ) {
foreach ( $cookie_val as $val ) {
if ( get_the_ID() !== (int) $val->post_id ) {
foreach ( $val->passwords as $cookie_pass ) {
//if ( $wp_hasher->CheckPassword( $cookie_pass, $password ) ) {
if ( wp_check_password( $cookie_pass, $password ) ) {
* Get restricted content form.
* @param array $attrs Short-code attributes.
* @param int $number Short-code attributes.
private function get_restricted_content_form( $attrs, $number ) {
if ( wp_validate_boolean( $attrs['show_password'] ) ) {
$checkbox = '<label class="ppw-pcp-checkbox-label"><input class="ppw-pcp-checkbox" type="checkbox" /> ' . _x( $this->massage_attributes( $attrs['show_password_text'] ), PPW_Constants::CONTEXT_PCP_PASSWORD_FORM, PPW_Constants::DOMAIN ) . '</label>';
if ( wp_validate_boolean( $attrs['desc_above_btn'] ) ) {
$desc_above_btn = '<span class="ppw-pcp-pf-desc-above-btn">'._x( $this->massage_attributes( $attrs['desc_above_btn'] ), PPW_Constants::CONTEXT_PCP_PASSWORD_FORM, PPW_Constants::DOMAIN ).'</span>';
// Temp hide recaptcha on section protection.
if ( PPW_Recaptcha::get_instance()->using_pcp_recaptcha() && empty( $attrs['section'] ) ) {
$recaptcha_input = PPW_Recaptcha::get_instance()->get_recaptcha_input();
PPW_Constants::HOOK_SHORT_CODE_TEMPLATE,
PPW_DIR_PATH . 'includes/views/shortcode/view-ppw-restriced-content-form.php'
$form_template = ob_get_contents();
$className = '' === $attrs['class'] ? $this->get_main_class_name( $attrs ) : $this->get_main_class_name( $attrs ) . ' ' . $attrs['class'];
PPW_Constants::SHORT_CODE_FORM_HEADLINE => _x( $this->massage_attributes( $attrs['headline'] ), PPW_Constants::CONTEXT_PCP_PASSWORD_FORM, PPW_Constants::DOMAIN ),
PPW_Constants::SHORT_CODE_FORM_INSTRUCT => _x( $this->massage_attributes( $attrs['description'] ), PPW_Constants::CONTEXT_PCP_PASSWORD_FORM, PPW_Constants::DOMAIN ),
PPW_Constants::SHORT_CODE_FORM_PLACEHOLDER => _x( $this->massage_attributes( $attrs['placeholder'] ), PPW_Constants::CONTEXT_PCP_PASSWORD_FORM, PPW_Constants::DOMAIN ),
PPW_Constants::SHORT_CODE_FORM_AUTH => get_the_ID(),
PPW_Constants::SHORT_CODE_BUTTON => _x( wp_kses_post( $attrs['button'] ), PPW_Constants::CONTEXT_PCP_PASSWORD_FORM, PPW_Constants::DOMAIN ),
PPW_Constants::SHORT_CODE_FORM_CURRENT_URL => $this->get_the_permalink_without_cache( wp_rand( 0, 100 ) ),
PPW_Constants::SHORT_CODE_FORM_ID => esc_attr( '' === $attrs['id'] ? get_the_ID() . wp_rand( 0, 1000 ) : wp_kses_post( $attrs['id'] ) ),
PPW_Constants::SHORT_CODE_FORM_CLASS => esc_attr( $className ),
PPW_Constants::SHORT_CODE_PASSWORD_LABEL => _x( $this->massage_attributes( $attrs['label'] ), PPW_Constants::CONTEXT_PCP_PASSWORD_FORM, PPW_Constants::DOMAIN ),
PPW_Constants::SHORTCODE_ABOVE_PASSWORD_INPUT => apply_filters( 'ppw_pcp_above_password_field', '', $attrs ),
PPW_Constants::SHORTCODE_BELOW_PASSWORD_INPUT => apply_filters( 'ppw_pcp_below_password_field', '', $attrs ),
PPW_Constants::SHORT_CODE_FORM_ERROR_MESSAGE => '',
PPW_Constants::SHORTCODE_DESC_ABOVE_BTN => $desc_above_btn,
PPW_Constants::SHORTCODE_DESC_BELOW_FORM => _x( $this->massage_attributes( $attrs['desc_below_form'] ), PPW_Constants::CONTEXT_PCP_PASSWORD_FORM, PPW_Constants::DOMAIN ),
'[PPW_CHECKBOX]' => $checkbox,
'[PPW_BUTTON_LOADING]' => esc_attr_x( $attrs['loading'], PPW_Constants::CONTEXT_PCP_PASSWORD_FORM, PPW_Constants::DOMAIN ),
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
