Changeset 1253322

Timestamp:

09/25/2015 11:56:07 AM (9 years ago)

Author:

dustin999

Message:

Security fixes

Location:

local-market-explorer/trunk

Files:

• admin.php (modified) (5 diffs)
• modules-page.php (modified) (3 diffs)
• modules/colleges.php (modified) (2 diffs)
• modules/market-stats.php (modified) (4 diffs)
• modules/walk-score-iframe.php (modified) (1 diff)
• modules/yelp.php (modified) (2 diffs)
• readme.txt (modified) (4 diffs)
• widgets/areas.php (modified) (1 diff)

local-market-explorer/trunk/admin.php

@@ -61 +61 @@
                 "name" => "Walk Score",
                 "description" => "see <a href=\"http://www.walkscore.com\">Walk Score</a>"),
-            "yelp" => array(
-                "name" => "Yelp reviews",
-                "description" => "from <a href=\"http://www.yelp.com\">Yelp</a>"),
             "dsidxpress" => array(
                 "name" => "Newest real estate",
@@ -159 +156 @@
                                         <input class="lme-api-key" type="text" id="local-market-explorer[api-keys][zillow]"
                                             name="local-market-explorer[api-keys][zillow]"
-                                            value="<?php echo $options["api-keys"]["zillow"] ?>" />
+                                            value="<?php if (isset($options["api-keys"]["zillow"])) { echo $options["api-keys"]["zillow"]; } ?>" />
                                     </td>
                                 </tr>
@@ -172 +169 @@
                                         <input class="lme-api-key" type="text" id="local-market-explorer[api-keys][walk-score]"
                                             name="local-market-explorer[api-keys][walk-score]"
-                                            value="<?php echo $options["api-keys"]["walk-score"] ?>" />
-                                    </td>
-                                </tr>
-                                <tr>
-                                    <th>
-                                        <label for="local-market-explorer[api-keys][yelp]">
-                                            Yelp API key:<br>
-                                            <span style="font-size: 10px;">(<a href="http://www.yelp.com/developers/getting_started/api_access" target="_blank">get one</a>)</span>
-                                        </label>
-                                    </th>
-                                    <td>
-                                        <input class="lme-api-key" type="text" id="local-market-explorer[api-keys][yelp]"
-                                            name="local-market-explorer[api-keys][yelp]"
-                                            value="<?php echo $options["api-keys"]["yelp"] ?>" />
+                                            value="<?php if (isset($options["api-keys"]["walk-score"])) { echo $options["api-keys"]["walk-score"]; } ?>" />
                                     </td>
                                 </tr>
@@ -194 +178 @@
                                 <li>
                                     <input type="text" name="local-market-explorer[zillow-username]"
-                                        id="local-market-explorer[zillow-username]" value="<?php echo $options["zillow-username"] ?>" />
+                                        id="local-market-explorer[zillow-username]" value="<?php if (isset($options["zillow-username"])) { echo $options["zillow-username"]; } ?>" />
                                     <label for="local-market-explorer[zillow-username]">
                                         Your username on Zillow.com (for your branding when clicking through on the links)</label>
@@ -426 +410 @@
     }
     static function proxyZillowApiRequest() {
-        $apiBase = "http://www.zillow.com/webservice/" . sanitize_text_field($_GET["api"]) . ".htm?";
+    $theApikey = preg_replace("/[^a-z0-9_\-]+/i", "", esc_js($_GET["api"]));
+    $apiBase = "http://www.zillow.com/webservice/" . urlencode($theApikey) . ".htm";
         $apiParams = $_GET["apiParams"];
-        
-        $finalApiUrl = $apiBase;
-        foreach ($apiParams as $k => $v)
-            $finalApiUrl .= $k . "=" . urlencode($v) . "&";
+                                             
+    $finalApiUrl = $apiBase;
+    $finalApiUrl = add_query_arg( $apiParams, $finalApiUrl );
         if (empty($apiParams["zws-id"])) {
             $options = get_option(LME_OPTION_NAME);
-            $finalApiUrl .= "zws-id=" . urlencode($options["api-keys"]["zillow"]) . "&";
+      $finalApiUrl = add_query_arg( array('zws-id' => urlencode($options["api-keys"]["zillow"])), $finalApiUrl );
         }
-        
+    $finalApiUrl = add_query_arg( array('output' => 'json'), $finalApiUrl );    
+
         $apiResponse = wp_remote_get($finalApiUrl);
         

local-market-explorer/trunk/modules-page.php

@@ -23 +23 @@
                 unset($wp_query->query["lme-action"]);
             } else {
-                $q->query_vars["caller_get_posts"] = true;
+                $q->query_vars["ignore_sticky_posts"] = true;
             }
         }
@@ -134 +134 @@
             if ($module == "schools")
                 $content .= LmeModuleSchools::getModuleHtml($moduleContent["schools"]);
-            if ($module == "yelp")
+            if ($module == "yelp_DISABLED")
                 $content .= LmeModuleYelp::getModuleHtml($moduleContent["yelp"]);
             if ($module == "walk-score")
@@ -181 +181 @@
     static function getNeighborhood() {
         global $wp_query;
-        return urldecode(str_replace(array("-", "_"), array(" ", "-"), $wp_query->query["lme-neighborhood"]));
+    if (isset($wp_query->query["lme-neighborhood"])) {
+          return urldecode(str_replace(array("-", "_"), array(" ", "-"), $wp_query->query["lme-neighborhood"]));
+    }
+    else {
+      return null;
+    }
     }
     static function getCity() {
         global $wp_query;
-        return urldecode(str_replace(array("-", "_"), array(" ", "-"), $wp_query->query["lme-city"]));
+    if (isset($wp_query->query["lme-city"])) {
+          return urldecode(str_replace(array("-", "_"), array(" ", "-"), $wp_query->query["lme-city"]));
+    }
+    else {
+      return null;
+    }
     }
     static function getState() {
         global $wp_query;
-        return $wp_query->query["lme-state"];
+    if (isset($wp_query->query["lme-state"])) {
+          return $wp_query->query["lme-state"];
+    }
+    else {
+      return null;
+    }
     }
     static function getZip() {

local-market-explorer/trunk/modules/colleges.php

@@ -33 +33 @@
         
         if (!empty($opt_zip)) {
-            $areaName = htmlspecialchars($zip);
+            $areaName = htmlspecialchars($opt_zip);
         } else {
             $areaName = htmlspecialchars(ucwords($opt_city) . ", " . strtoupper($opt_state));
@@ -113 +113 @@
 HTML;
         }
-
-        $content .= <<<HTML
+    if (isset($findMoreUrl)) {
+        $content .= <<<HTML
                     </div>
                 </div>
                 <div style="clear: both;"></div> <!-- IE 6 fix -->
                 <div class="lme-colleges-find-more">
-                    Find more <a href="{$findMoreUrl}" rel="nofollow" target="_blank">Colleges in {$state}</a>
+                     Find more <a href="{$findMoreUrl}" rel="nofollow" target="_blank">Colleges in {$state}</a>
                 </div>
                 <div style="clear: both;"></div> <!-- IE 6 fix -->
             </div>
 HTML;
+    }
+    else {
+        $content .= <<<HTML
+                    </div>
+                </div>
+                <div style="clear: both;"></div>
+            </div>
+HTML;
+    }
         return $content;
     }

local-market-explorer/trunk/modules/market-stats.php

@@ -71 +71 @@
         $ownersRentersChart = $demographics[0]->xpath("charts/chart[name='Owners vs. Renters']/url");
         $yearBuiltChart = $demographics[0]->xpath("charts/chart[name='Year Built']/url");
-        
+    
+    $noshowarr = ['PERCENT LISTING PRICE REDUCTION', 'MEDIAN LIST PRICE', 'HOMES FOR SALE','HOMES RECENTLY SOLD','MEDIAN VALUE PER SQ FT','HOMES FOR SALE BY OWNER','NEW CONSTRUCTION','FORECLOSURES'];
+    
         $content = <<<HTML
             <h2 class="lme-module-heading">Real Estate Market Stats</h2>
@@ -77 +79 @@
                 {$zhviHtml}
                 <div class="lme-market-charts-container">
-                    <img src="{$regionChart->url}{$zillowUrlSuffix}" class="lme-zhvi-chart" />
+                    <!--<img src="{$regionChart->url}{$zillowUrlSuffix}" class="lme-zhvi-chart" />
                     <div class="lme-market-charts">
-                        <div>
+            <div>
                             <h4>Zillow Home Value Index</h4>
                             <img src="{$zhviDistributionChart[0]}" />
@@ -88 +90 @@
                         </div>
                     </div>
+          //-->
                     <div class="lme-market-chart-supplemental" style="clear: both;">
                         <h4>Home Size in Square Feet</h4>
@@ -110 +113 @@
             
             $name = htmlentities($attribute->name);
+      if (in_array(trim(strtoupper($name)), $noshowarr)) {
+        continue;
+      }
             $value = (array)$attribute->values->{$localNodeName}->value;
             $nationalValue = (array)$attribute->values->nation->value;
             
-            if ($value["@attributes"]["type"] == "USD") {
+            if ( (isset($value["@attributes"]["type"])) && ($value["@attributes"]["type"] == "USD") ) {
                 $value = "$" . number_format(intval($value["0"]));
                 $nationalValue = "$" . number_format(intval($nationalValue["0"]));
-            } else if ($value["@attributes"]["type"] == "percent") {
+            } else if ( (isset($value["@attributes"]["type"])) && ($value["@attributes"]["type"] == "percent") ) {
                 $value = ($value["0"] * 100) . "%";
                 $nationalValue = ($nationalValue["0"] * 100) . "%";
             } else {
-                $value = number_format(intval($value["0"]));
-                $nationalValue = number_format(intval($nationalValue["0"]));
+        if (isset($value["0"])) {
+                  $value = number_format(intval($value["0"]));
+        }
+        else {
+          $value = number_format(intval(0));
+        }
+        if (isset($nationalValue["0"])) {
+                  $nationalValue = number_format(intval($nationalValue["0"]));
+        }
+        else {
+          $nationalValue = number_format(intval(0));
+        }
             }
-            
+?>
+<?php           
             $content .= <<<HTML
                     <tr>

local-market-explorer/trunk/modules/walk-score-iframe.php

@@ -58 +58 @@
     </div>
     <?php
-    $apiKey = preg_replace('/[^a-z0-9_-]/', '', esc_js($_GET['api-key']));
+    $apiKey = preg_replace('/[^a-z0-9_\-]/', '', esc_js($_GET['api-key']));
     $location = preg_replace('/[^a-z0-9_\-,\']/', '', esc_js(urldecode($_GET['location'])));
     $location = str_replace("'", "\\'", $location);

local-market-explorer/trunk/modules/yelp.php

@@ -36 +36 @@
         wp_enqueue_script("local-market-explorer");
         
-        if (version_compare($wp_version, '3.3', '<')) {
+    include ABSPATH . WPINC .'/version.php';
+    
+    if (version_compare($wp_version, '3.3', '<')) {
             $wp_scripts->in_footer[] = "gmaps3";
             $wp_scripts->in_footer[] = "local-market-explorer";
@@ -42 +44 @@
         
         foreach ($yelpResponse as $business) {
-            $jsonResults[] = (object)array(
-                "name"              => $business->name,
-                "address1"          => $business->address1,
-                "address2"          => $business->address2,
-                "address3"          => $business->address3,
-                "city"              => $business->city,
-                "state_code"        => $business->state_code,
-                "zip"               => $business->zip,
-                "phone"             => $business->phone,
-                "rating_img_url"    => $business->rating_img_url,
-                "review_count"      => $business->review_count,
-                "url"               => $business->url,
-                "latitude"          => $business->latitude,
-                "longitude"         => $business->longitude,
-                "photo_url"         => $business->photo_url
-            );
+      if ( isset($business->latitude) && isset($business->longitude) ) {
+        $jsonResults[] = (object)array(
+          "name"                => $business->name,
+          "address1"            => $business->address1,
+          "address2"            => $business->address2,
+          "address3"            => $business->address3,
+          "city"                => $business->city,
+          "state_code"      => $business->state_code,
+          "zip"             => $business->zip,
+          "phone"               => $business->phone,
+          "rating_img_url"  => $business->rating_img_url,
+          "review_count"        => $business->review_count,
+          "url"             => $business->url,
+          "latitude"            => $business->latitude,
+          "longitude"           => $business->longitude,
+          "photo_url"           => $business->photo_url
+        );
+      }
+      else {
+        $jsonResults[] = (object)array(
+          "name"                => $business->name,
+          "address1"            => $business->address1,
+          "address2"            => $business->address2,
+          "address3"            => $business->address3,
+          "city"                => $business->city,
+          "state_code"      => $business->state_code,
+          "zip"             => $business->zip,
+          "phone"               => $business->phone,
+          "rating_img_url"  => $business->rating_img_url,
+          "review_count"        => $business->review_count,
+          "url"             => $business->url,
+          "latitude"            => null,
+          "longitude"           => null,
+          "photo_url"           => $business->photo_url
+        );
+      }
         }
         

local-market-explorer/trunk/readme.txt

@@ -3 +3 @@
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=10178626
 Feedback page link: http://localmarketexplorer.uservoice.com/
-Tags: zillow, walk score, schools, education.com, real estate, local, city data, yelp, matchcollege, homethinking
+Tags: zillow, walk score, schools, education.com, real estate, local, city data, matchcollege, homethinking
 Requires at least: 2.8
-Tested up to: 3.3
-Stable tag: 3.2.6
+Tested up to: 4.3
+Stable tag: 4.0
 
 This plugin allows WordPress to load data from a number of neighborhood-related APIs to be presented on a single page or within
@@ -20 +20 @@
 * Schools (via [Education.com](http://www.education.com))
 * Walk Score (via [Walk Score](http://www.walkscore.com))
-* Yelp (via [Yelp](http://www.yelp.com))
 * IDX / MLS Real Estate Data (via [dsIDXpress](http://www.dsidxpress.com))
 * Colleges (via [MatchCollege](http://www.matchcollege.com))
@@ -91 +90 @@
 * Small styling fixes
 * Fixes for Zillow market activity and market stats modules
-* Fixed maps in Yelp and NileGuide modules
 
 = 3.1.2 =
@@ -198 +196 @@
 3. Schools module
 4. Walk Score module
-5. Yelp module
-6. Local Classes module
-7. Local Content from NileGuide module
+5. Local Classes module
+6. Local Content from NileGuide module
 7. Colleges module

local-market-explorer/trunk/widgets/areas.php

@@ -2 +2 @@
 class LmeAreasWidget extends WP_Widget {
     function LmeAreasWidget() {
-        $this->WP_Widget("LmeAreas", "Local Market Explorer Areas", array(
-            "classname" => "lme-areas",
-            "description" => "Lists of Local Market Explorer areas with descriptions"
-        ));
+        parent::__construct( 
+      "LmeAreas", 
+      "Local Market Explorer Areas", 
+      array(
+             "classname" => "lme-areas",
+             "description" => "Lists of Local Market Explorer areas with descriptions"
+          )
+    );
     }
     function widget($args, $instance) {