
Changeset 1410114


Timestamp:
05/04/2016 07:14:27 AM (10 years ago)
Author:
HeroPlugins
Message:

Added user input sanitization

Location:
hero-maps-pro/trunk
Files:
4 edited

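--- a/hero-maps-pro/trunk/classes/backend.class.php
+++ b/hero-maps-pro/trunk/classes/backend.class.php
@@ -16,8 +16,8 @@
             $wpdb->query("
                 UPDATE `". $wpdb->prefix ."hmapspro_maps` SET
-                    `name` = '". $map_object['map_setup']['map_name'] ."',
+                    `name` = '". sanitize_text_field($map_object['map_setup']['map_name']) ."',
                     `responsive` = ". $map_object['map_setup']['responsive'] .",
-                    `width` = ". $map_object['map_setup']['map_width'] .",
-                    `height` = ". $map_object['map_setup']['map_height'] .",
+                    `width` = ". intval($map_object['map_setup']['map_width']) .",
+                    `height` = ". intval($map_object['map_setup']['map_height']) .",
                     `map_type` = '". $map_object['map_settings']['map_type'] ."',
                     `map_theme` = '". $map_object['map_settings']['map_theme'] ."',
@@ -39,13 +39,13 @@
                     `control_overview` = ". $map_object['map_controls']['overview'] .",
                     `control_overview_style` = ". $map_object['map_controls']['overview_style'] .",             
-                    `marker_drop_delay` = ". $map_object['map_advanced']['marker_drop_delay'] .",
+                    `marker_drop_delay` = ". intval($map_object['map_advanced']['marker_drop_delay']) .",
                     `marker_animation` = '". $map_object['map_advanced']['marker_animation'] ."',
-                    `marker_animation_timer` = ". $map_object['map_advanced']['marker_animation_timer'] .",
+                    `marker_animation_timer` = ". intval($map_object['map_advanced']['marker_animation_timer']) .",
                     `marker_tooltip` = ". $map_object['map_advanced']['marker_tooltip'] .",
                     `map_load_zoom` = ". $map_object['map_advanced']['map_load_zoom'] .",
                     `marker_click_zoom` = ". $map_object['map_advanced']['marker_click_zoom'] .",                   
                     `javascript_callback` = ". $map_object['map_developers']['javascript_callback'] .",
-                    `callback_method` = '". $map_object['map_developers']['callback_method'] ."',
-                    `css_class` = '". $map_object['map_developers']['css_class'] ."'
+                    `callback_method` = '". sanitize_text_field($map_object['map_developers']['callback_method']) ."',
+                    `css_class` = '". sanitize_text_field($map_object['map_developers']['css_class']) ."'
                 WHERE
                     `map_id` = ". $map_object['map_setup']['map_id'] .";
@@ -76,13 +76,13 @@
                                 ". intval($marker['marker_id']) .",
                                 '". $marker['latlng'] ."',
-                                '". $marker['title'] ."',
+                                '". sanitize_text_field($marker['title']) ."',
                                 ". $info_window_show .",
-                                '". $marker['info_window_content'] ."',
+                                '". sanitize_text_field($marker['info_window_content']) ."',
                                 ". $link_show .",
-                                '". $marker['link_title'] ."',
-                                '". $marker['link'] ."',
+                                '". sanitize_text_field($marker['link_title']) ."',
+                                '". sanitize_text_field($marker['link']) ."',
                                 '". $marker['link_colour'] ."',
                                 '". $marker['link_target'] ."',
-                                '". $marker['custom_param'] ."'
+                                '". sanitize_text_field($marker['custom_param']) ."'
                             );
                         ");
@@ -91,5 +91,5 @@
                             UPDATE `". $wpdb->prefix ."hmapspro_map_markers`
                             SET `deleted` = 1
-                            WHERE `map_marker_id` = ". $marker['map_marker_id'] .";
+                            WHERE `map_marker_id` = ". intval($marker['map_marker_id']) .";
                         ");
                     }elseif($marker['new'] == 'false' && $marker['deleted'] == 'false'){ //update existing marker
@@ -100,13 +100,13 @@
                                 `marker_id` = ". intval($marker['marker_id']) .",
                                 `latlng` = '". $marker['latlng'] ."',
-                                `title` = '". $marker['title'] ."',
+                                `title` = '". sanitize_text_field($marker['title']) ."',
                                 `info_window_show` = ". $info_window_show .",
-                                `info_window_content` = '". $marker['info_window_content'] ."',
+                                `info_window_content` = '". sanitize_text_field($marker['info_window_content']) ."',
                                 `link_show` = ". $link_show .",
-                                `link_title` = '". $marker['link_title'] ."',
-                                `link` = '". $marker['link'] ."',
+                                `link_title` = '". sanitize_text_field($marker['link_title']) ."',
+                                `link` = '". sanitize_text_field($marker['link']) ."',
                                 `link_colour` = '". $marker['link_colour'] ."',
                                 `link_target` = '". $marker['link_target'] ."',
-                                `custom_param` = '". $marker['custom_param'] ."'
+                                `custom_param` = '". sanitize_text_field($marker['custom_param']) ."'
                             WHERE
                                 `map_marker_id` = ". intval($marker['map_marker_id']) .";
@@ -275,5 +275,5 @@
             global $wpdb;
             //get map name
-            $map_name = $_POST['map_name'];
+            $map_name = sanitize_text_field($_POST['map_name']);
             //generate new map
             $wpdb->query("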
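Review bot: sanitize_text_field() on `name`, `title`, `link`, `custom_param` and the other quoted columns does not make these statements safe: it strips tags and some control characters but leaves single quotes in place, and the value is still concatenated into the SQL string, so the query is still built from unescaped input in every hunk of this file (the map UPDATE, the marker INSERT, the marker UPDATE and the `$map_name` read at line 277). The columns the commit does not touch sit in the same position — `latlng`, `link_colour`, `link_target`, `map_type`, `map_theme`, `marker_animation`, and the unquoted numeric fields such as `responsive`, `marker_tooltip`, `map_load_zoom` and `javascript_callback` — and the `WHERE `map_id` = …` at the end of the first hunk still interpolates the raw value where the marker WHERE clauses now use intval(). The robust fix is to build each statement with `$wpdb->prepare()`, `%s` for the quoted columns and `%d` for the unquoted numeric ones, and pass the values as arguments; sanitize_text_field()/intval() can stay as input normalisation but should not be the escaping layer. The enclosing methods start and end outside these hunks.
```php
// … the SET list is abbreviated here; every remaining column (control_*, marker_*, callback_method, css_class) gets the same %s/%d placeholder and a matching argument in order …
$wpdb->query($wpdb->prepare("
    UPDATE `{$wpdb->prefix}hmapspro_maps` SET
        `name` = %s,
        `responsive` = %d,
        `width` = %d,
        `height` = %d,
        `map_type` = %s,
        `map_theme` = %s
    WHERE
        `map_id` = %d",
    sanitize_text_field($map_object['map_setup']['map_name']),
    (int) $map_object['map_setup']['responsive'],
    (int) $map_object['map_setup']['map_width'],
    (int) $map_object['map_setup']['map_height'],
    $map_object['map_settings']['map_type'],
    $map_object['map_settings']['map_theme'],
    (int) $map_object['map_setup']['map_id']
));
// … unchanged: the marker INSERT, marker UPDATE and soft-delete queries, converted the same way …
```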
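--- a/hero-maps-pro/trunk/classes/core/auto_generate.class.php
+++ b/hero-maps-pro/trunk/classes/core/auto_generate.class.php
@@ -46,5 +46,5 @@
                         //place the core view (index.php)
                         $handle = fopen(realpath($dir) .'/index.php', 'w');
-                        fwrite($handle, '<script type="text/javascript" src="<?php echo $_GET[\'v\']; ?>js/view.core.js" data-cfasync="false"></script>' ."\n");
+                        fwrite($handle, '<script type="text/javascript" src="<?php echo htmlspecialchars($_GET[\'v\'], ENT_QUOTES, \'UTF-8\'); ?>js/view.core.js" data-cfasync="false"></script>' ."\n");
                         fwrite($handle, '<div class="hero_viewport">'. "\n" .'</div>');
                         fclose($handle);
@@ -63,5 +63,5 @@
                                     //place the view
                                     $handle = fopen(realpath($dir) .'/'. $sub['view'] .'.view.php', 'w');
-                                    fwrite($handle, '<script type="text/javascript" src="<?php echo $_GET[\'vp\']; ?>js/'. $sub['view'] .'.view.js" data-cfasync="false"></script>' ."\n");
+                                    fwrite($handle, '<script type="text/javascript" src="<?php echo htmlspecialchars($_GET[\'vp\'], ENT_QUOTES, \'UTF-8\'); ?>js/'. $sub['view'] .'.view.js" data-cfasync="false"></script>' ."\n");
                                     fclose($handle);
                                 }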
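Review bot: htmlspecialchars() keeps `$_GET['v']` from breaking out of the `src` attribute, but the query-string value still decides which base URL the generated page loads `js/view.core.js` from, so the script origin remains request-controlled; the same applies to `$_GET['vp']` in the second hunk at line 65. The generated view should not take the script base from a request parameter at all — write a fixed, server-side path into the file when it is generated, or at least validate the value against the expected base URL (a prefix check, falling back to the known URL on mismatch) before echoing it. Reading `$_GET['v']` without an isset() guard also raises a notice whenever the parameter is absent, which is worth a `?? ''`-style default or an explicit check. The enclosing method starts and ends outside these hunks.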
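--- a/hero-maps-pro/trunk/hmapspro.php
+++ b/hero-maps-pro/trunk/hmapspro.php
@@ -6,5 +6,5 @@
         Plugin URI: http://www.heroplugins.com
         Description: Easily create your own Google Maps with a simple drag and drop interface
-        Version: 2.2.0
+        Version: 2.1.2
         Author: Hero Plugins
         Author URI: http://www.heroplugins.com
@@ -59,8 +59,8 @@
         private $plugin_friendly_name = 'Hero Maps Pro';
         private $plugin_friendly_description = 'Easily create your own Google Maps with a simple drag and drop interface';
-        private $plugin_version = '2.2.0';
+        private $plugin_version = '2.1.2';
         private $plugin_prefix = 'hmapspro_';
         private $first_release = '2014-11-24';
-        private $last_update = '2016-05-02';
+        private $last_update = '2016-02-04';
         private $api_version = '2.0.1';
        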
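Review bot: the plugin header `Version:` at line 8 and `$plugin_version` at line 61 move backwards from 2.2.0 to 2.1.2, and `$last_update` at line 64 goes back from 2016-05-02 to 2016-02-04, while readme.txt in this same changeset advances `Stable Tag` to 2.2.1. The header Version is what WordPress compares against the directory's release to offer an update, so sites already running 2.2.0 would most likely not be offered this sanitization fix. The three lines should read `Version: 2.2.1`, `private $plugin_version = '2.2.1';` and `private $last_update = '2016-05-04';` (the changeset date) so that the header, the class property and the readme agree.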
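--- a/hero-maps-pro/trunk/readme.txt
+++ b/hero-maps-pro/trunk/readme.txt
@@ -4,5 +4,5 @@
 Requires at least: 4.0.0
 Tested up to: 4.5.1
-Stable Tag: 2.2.0
+Stable Tag: 2.2.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -69,4 +69,7 @@
 == Changelog ==
 
+= 2.2.1 =
+* Added user input sanitization
+
 = 2.2.0 =
 * Cross-site scripting vulnerability patch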