Changeset 1655594

Timestamp:

05/12/2017 01:03:00 AM (9 years ago)

Author:

shen045

Message:

Sanitize values obtained from querystring immediately

Location:

crafty-social-buttons/trunk

Files:

• README.txt (modified) (2 diffs)
• class-SH-Crafty-Social-Buttons-Plugin.php (modified) (3 diffs)
• crafty-social-buttons.php (modified) (1 diff)
• js/admin.min.js (modified) (1 diff)
• js/public.min.js (modified) (1 diff)
• js/whatsapp-share.min.js (modified) (1 diff)
• views/admin.php (modified) (1 diff)

crafty-social-buttons/trunk/README.txt

@@ -102 +102 @@
 == Changelog ==
 
+= 1.5.8 =
+* Added additional defences against cross site scripting
+
 = 1.5.7 =
 * Fixed potential cross site scripting vulnerability in admin page
@@ -254 +257 @@
 == Upgrade Notice ==
 
+= 1.5.8 =
+* Added additional defences against cross site scripting
+
 = 1.5.7 =
 * Fixed potential cross site scripting vulnerability in admin page

crafty-social-buttons/trunk/class-SH-Crafty-Social-Buttons-Plugin.php

@@ -263 +263 @@
          }
          // get service
-         $service = isset($_GET['service']) ? $_GET['service'] : '';
+         $service = sanitize_text_field(isset($_GET['service']) ? $_GET['service'] : '');
          if (empty($service) || strpos($settings['share_services'], $service) === false) {
             $result->error = true;
@@ -271 +271 @@
 
          // get key
-         $key = isset($_GET['key']) ? $_GET['key'] : '';
+         $key = sanitize_key(isset($_GET['key']) ? $_GET['key'] : '');
          if (empty($key)) {
             $result->error = true;
@@ -280 +280 @@
          // get url
          if ($key == "page") {
-            $url = isset($_GET['url']) ? $_GET['url'] : '';
+            $url = sanitize_text_field(isset($_GET['url']) ? $_GET['url'] : '');
             if (empty($url)) {
                $result->error = true;

crafty-social-buttons/trunk/crafty-social-buttons.php

@@ -16 +16 @@
  * Plugin URI:  http://github.com/sarahhenderson/crafty-social-buttons
  * Description: Adds social sharing buttons and links to your site, including Ravelry, Etsy, Craftsy and Pinterest
- * Version:     1.5.7
+ * Version:     1.5.8
  * Author:      Sarah Henderson
  * Author URI:  http://sarahhenderson.nz

crafty-social-buttons/trunk/js/admin.min.js

@@ -1 +1 @@
 /*! crafty-social-buttons  (c) Sarah Henderson 2017
- * Version 1.5.7 (11-05-2017) */
+ * Version 1.5.8 (12-05-2017) */
 jQuery(document).ready(function(a){a("#csbsort1, #csbsort2").sortable({connectWith:".connectedSortable",update:function(){var b;b=a("#csbsort2 li").map(function(){return a(this).attr("id")}).get(),a(".csb-services").val(b)}}).disableSelection(),a(".csb-services").val(a("#csbsort2 li").map(function(){return a(this).attr("id")}).get()),a(".csb-image-set").change(function(){var b=a(this).val();a.each(a(".csb-services img"),function(c,d){var e=a(d).attr("data-url"),f=a(d).attr("data-alt-url"),g=a(d).attr("data-filename"),h=e+b+"/"+g,i=f+b+"/"+g;a(d).attr("src",h),a(d).attr("data-image-set",b),a.ajax(h,{method:"get",error:function(b,c,e){a(d).attr("src",i)}})})}),a("#share_image_size").bind("input",function(){var b=a(this).val();a.each(a(".csb-services img"),function(c,d){a(d).attr("width",b),a(d).attr("height",b)})}),a("#link_image_size").bind("input",function(){var b=a(this).val();a.each(a(".csb-services img"),function(c,d){a(d).attr("width",b),a(d).attr("height",b)})})});

crafty-social-buttons/trunk/js/public.min.js

@@ -1 +1 @@
 /*! crafty-social-buttons  (c) Sarah Henderson 2017
- * Version 1.5.7 (11-05-2017) */
+ * Version 1.5.8 (12-05-2017) */
 jQuery(document).ready(function(a){var b=[];for(var c in window)0===c.indexOf("crafty_social_buttons_data_")&&b.push(window[c]);for(var d=function(a){return a<1e3?a:a<1e4?(a/1e3).toFixed(1)+"k":Math.floor(a/1e3)+"k"},e=function(b,c,e,f){var g=e+"&service="+b+"&key="+f;"page"==f&&(g+="&url="+c);var h=b.toLowerCase();a.ajax(g,{cache:!1,type:"get",dataType:"json",contentType:"application/json",success:function(b){if(b&&b.count){var c=d(b.count);$count=a(".crafty-social-share-count-"+h+"-"+f),$count.html(c),$count.show()}},error:function(a,b,c){}})},f=0,g=b.length;f<g;f++)for(var h=b[f],i=h.url,j=h.callbackUrl,c=h.key,k=0,l=h.services.length;k<l;k++){var m=h.services[k];e(m,i,j,c)}var n=function(a){var b="height=400,width=640";return a.indexOf("ravelry.com")>-1&&(b="fullscreen=yes"),newwindow=window.open(a,"share",b+",resizable=yes"),window.focus&&newwindow.focus(),!1},o=a(".crafty-social-buttons a.popup");a.each(o,function(b,c){a(c).hasClass("csb-email")||a(c).hasClass("csb-pinterest")||(c.onclick=function(){return n(this.href)})})});

crafty-social-buttons/trunk/js/whatsapp-share.min.js

@@ -1 +1 @@
 /*! crafty-social-buttons  (c) Sarah Henderson 2017
- * Version 1.5.7 (11-05-2017) */
+ * Version 1.5.8 (12-05-2017) */
 jQuery(document).ready(function(a){/Android|webOS|iPhone|iPad|iPod|BlackBerry|BB10|IEMobile|Opera Mini/i.test(navigator.userAgent)&&a("div.crafty-social-share-buttons ul li a.crafty-social-button.csb-whatsapp").show()});

crafty-social-buttons/trunk/views/admin.php

@@ -3 +3 @@
     <h2><?php _e('Crafty Social Buttons', $this->plugin_slug); ?></h2>
 
-    <?php $active_tab = (isset($_GET['tab'])) ? $_GET['tab'] : 'share_options'; ?>
+    <?php $active_tab = sanitize_key(isset($_GET['tab'])) ? $_GET['tab'] : 'share_options'; ?>
 
     <h2 class="nav-tab-wrapper">