
Changeset 1911882


Timestamp:
07/19/2018 09:19:40 PM (7 years ago)
Author:
mindnl
Message:

fixed security issues

Location:
ad-buttons/tags/3.0
Files:
5 edited

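--- a/ad-buttons/tags/3.0/adbuttons.php
+++ b/ad-buttons/tags/3.0/adbuttons.php
@@ -36,11 +36,9 @@
     require_once(ABSPATH . 'wp-admin/includes/upgrade.php');
     dbDelta($structure);
-
-    $ab_plugindir = get_option('siteurl').'/'.PLUGINDIR.'/'.dirname(plugin_basename(__FILE__));
-
+       
     $wpdb->query("INSERT INTO $table
                             (id, ad_picture, ad_link, ad_text, ad_views, ad_clicks, ad_active)
-                 VALUES     (1, '".$ab_plugindir."/ab125.jpg', 'http://wordpress.org/plugins/ad-buttons/', 'ads powered by Ad Buttons', 0, 0, 0),
-                            (2, '".$ab_plugindir."/wordpress_logo.png', 'http://wordpress.org/', 'WordPress.org', 0, 0, 1)");
+                 VALUES     (1, '".plugins_url( 'ab125.jpg', __FILE__ )."', 'http://wordpress.org/plugins/ad-buttons/', 'ads powered by Ad Buttons', 0, 0, 0),
+                            (2, '".plugins_url( 'ab125.jpg', __FILE__ )."', 'http://wordpress.org/', 'WordPress.org', 0, 0, 1)");
 
     $table = "{$wpdb->prefix}ad_buttons_stats";
@@ -265,9 +263,8 @@
 
     if($widget_adbuttons_cfg['ab_yah']){
-        $ab_plugindir = get_option('siteurl').'/'.PLUGINDIR.'/'.dirname(plugin_basename(__FILE__));
         if($widget_adbuttons_cfg['ab_yaht'] == 'url'){
-            echo'<a href="'.$widget_adbuttons_cfg['ab_yahurl'].'" title="Advertise here"><img src="'.$ab_plugindir.'/your_ad_here.jpg" alt="Advertise here"></a>';
+            echo'<a href="'.$widget_adbuttons_cfg['ab_yahurl'].'" title="Advertise here"><img src="'.plugins_url( 'your_ad_here.jpg', __FILE__ ).'" alt="Advertise here"></a>';
         } else {
-            echo'<a href="'.$wp_root.'/?page_id='.$widget_adbuttons_cfg['ab_yourad'].'" title="Advertise here"><img src="'.$ab_plugindir.'/your_ad_here.jpg" alt="Advertise here"></a>';
+            echo'<a href="'.$wp_root.'/?page_id='.$widget_adbuttons_cfg['ab_yourad'].'" title="Advertise here"><img src="'.plugins_url( 'your_ad_here.jpg', __FILE__ ).'" alt="Advertise here"></a>';
         }
     }
@@ -407,3 +404,17 @@
 add_action("init", "adbuttons_getclick");
 
+add_filter('query_vars','plugin_add_trigger');
+function plugin_add_trigger($vars) {
+    $vars[] = 'ab_graph';
+    return $vars;
+}
+ 
+add_action('template_redirect', 'ab_gen_graph');
+function ab_gen_graph() {
+    if(intval(get_query_var('ab_graph')) == 1) {
+        // png image generation code
+        include('adbuttonsstatsimg.php');
+        exit;
+    }
+}
 ?>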
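Review bot: The new `ab_gen_graph()` handler in hunk 3 makes the stats image reachable by any visitor through `?ab_graph=1`, because neither the `template_redirect` hook nor the `include` checks a capability; unless adbuttonsstatsimg.php enforces one itself (outside this view), the condition should become `if(intval(get_query_var('ab_graph')) == 1 && current_user_can('manage_options')) {` so the graph stays an administrator-only resource. Separately, in hunk 1 the second seeded row now reads `plugins_url( 'ab125.jpg', __FILE__ )` where the removed line pointed at `wordpress_logo.png`, which looks like a copy-paste slip — presumably `plugins_url( 'wordpress_logo.png', __FILE__ )` was intended. In hunk 2 the `ab_yahurl` option is still concatenated into the `href` unescaped while the rest of this changeset adds escaping; wrapping it as `esc_url($widget_adbuttons_cfg['ab_yahurl'])` at output would close that gap. The functions containing hunks 1 and 2 start outside the hunks.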
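--- a/ad-buttons/tags/3.0/adbuttonsact.php
+++ b/ad-buttons/tags/3.0/adbuttonsact.php
@@ -2,5 +2,5 @@
 if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
 global $wpdb;
-$ab_plugindir = get_option('siteurl').'/'.PLUGINDIR.'/'.dirname(plugin_basename(__FILE__));
+
 $ol_flash   = '';
 $htp        = "http://";
@@ -80,9 +80,9 @@
             if (!empty($_POST['ab_link'])) {
                 if(substr($_POST['ab_link'], 0, 7) == $htp){
-                    $ab_link = $_POST['ab_link'];
+                    $ab_link = esc_url($_POST['ab_link']);
                 }elseif(substr($_POST['ab_link'], 0, 8) == $htps){
-                    $ab_link = $_POST['ab_link'];
+                    $ab_link = esc_url($_POST['ab_link']);
                 }else{
-                    $ab_link = $htp.$_POST['ab_link'];
+                    $ab_link = esc_url($htp.$_POST['ab_link']);
                 }
             }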
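Review bot: `esc_url()` on the three new lines of hunk 2 is an output-escaping function, not a sanitiser for storage: it HTML-encodes characters such as `&` into `&#038;`, so a URL saved from `$ab_link` will come back altered when it is later rendered or used in a redirect. If `$ab_link` is persisted (that happens outside the hunk, so it is inferred from context), the three branches should use `esc_url_raw($_POST['ab_link'])` and the value should be escaped again with `esc_url()` at the point of output. A comment on the first branch such as `// esc_url_raw: value is stored, escape again with esc_url() when rendering` would record that intent. The enclosing block starts and ends outside the hunk.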
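--- a/ad-buttons/tags/3.0/adbuttonsadmin.php
+++ b/ad-buttons/tags/3.0/adbuttonsadmin.php
@@ -54,5 +54,5 @@
             $widget_adbuttons_cfg['ab_adsense_pubid'] = sanitize_text_field($_POST['ab_adsense_pubid']);
             $widget_adbuttons_cfg['ab_adsense_channel'] = (int)$_POST['ab_adsense_channel'];
-            if (preg_match('/rc:\d{1,2}/', $_POST['ab_adsense_corners']) == 1) $widget_adbuttons_cfg['ab_adsense_corners'] = $_POST['ab_adsense_corners'];
+            if (preg_match('/rc:\d{1,2}/', $_POST['ab_adsense_corners']) == 1) $widget_adbuttons_cfg['ab_adsense_corners'] = sanitize_text_field($_POST['ab_adsense_corners']);
             $widget_adbuttons_cfg['ab_adsense_col_border'] = (int)hexdec(trim($_POST['ab_adsense_col_border'], "#"));
             $widget_adbuttons_cfg['ab_adsense_col_title'] = (int)hexdec(trim($_POST['ab_adsense_col_title'], "#"));
@@ -67,6 +67,6 @@
             $widget_adbuttons_cfg['ab_yah'] = (bool)$_POST['ab_yah'];
             $widget_adbuttons_cfg['ab_yourad'] = (bool)$_POST['ab_yourad'];
-            $widget_adbuttons_cfg['ab_yaht'] = $_POST['ab_yaht'];
-            $widget_adbuttons_cfg['ab_yahurl'] = $_POST['ab_yahurl'];   
+            $widget_adbuttons_cfg['ab_yaht'] = sanitize_text_field($_POST['ab_yaht']);
+            $widget_adbuttons_cfg['ab_yahurl'] = sanitize_text_field($_POST['ab_yahurl'])
             $widget_adbuttons_cfg['ab_fix'] = (bool)$_POST['ab_fix'];
             $widget_adbuttons_cfg['ab_count'] = (int)$_POST['ab_count'];                   
@@ -86,5 +86,5 @@
 <?php
 $widget_adbuttons_cfg = get_option('widget_adbuttons_cfg');
-$ab_plugindir = get_option('siteurl').'/'.PLUGINDIR.'/'.dirname(plugin_basename(__FILE__));
+$ab_plugindir = plugins_url( '', __FILE__ );
 
 echo'<script src="'.esc_html($ab_plugindir).'/color_functions.js"></script>'; ?>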
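Review bot: New line 70 in hunk 2, `$widget_adbuttons_cfg['ab_yahurl'] = sanitize_text_field($_POST['ab_yahurl'])`, has no terminating semicolon, which is a parse error that takes the whole admin file down; it should read `$widget_adbuttons_cfg['ab_yahurl'] = esc_url_raw($_POST['ab_yahurl']);`, since the value is a URL that later lands in an `href` and `esc_url_raw()` also rejects non-http(s) schemes, which `sanitize_text_field()` does not. `ab_yaht` is compared against the literal `'url'` in adbuttons.php, so an allowlist check would be tighter than `sanitize_text_field()` there; the other accepted value is not visible in this changeset, so confirm it first. In hunk 3, `esc_html()` is the wrong escaper for a `src` attribute URL; `esc_url($ab_plugindir.'/color_functions.js')` fits that context. The block enclosing hunks 1 and 2 starts and ends outside the hunks.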
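--- a/ad-buttons/tags/3.0/adbuttonsstats.php
+++ b/ad-buttons/tags/3.0/adbuttonsstats.php
@@ -3,5 +3,4 @@
 
 global $wpdb;
-$ab_plugindir = get_option('siteurl').'/'.PLUGINDIR.'/'.dirname(plugin_basename(__FILE__));
 
 if(isset($_GET['month'])){
@@ -47,5 +46,5 @@
     <a href="<?php echo esc_url( $nplink.'&month='.$prevdate ); ?>">previous month</a>
     <a href="<?php echo esc_url( $nplink.'&month='.$nextdate ); ?>">next month</a> <br/>
-    <img src="<?php echo $ab_plugindir; ?>/adbuttonsstatsimg.php?graphdate=<?php echo $graphdate;?>">
+    <img src="<?php echo site_url(); ?>/?ab_graph=1&graphdate=<?php echo $graphdate;?>">
     <br/>
     <p>Bars represent ad views. The scale is shown on the left side. (Each ad is counted individually, so if you are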
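Review bot: `$graphdate` is echoed unescaped into the `src` attribute on new line 48 of hunk 2, while the two links directly above wrap their URLs in `esc_url()`; the graph URL should get the same treatment, e.g. `<img src="<?php echo esc_url( site_url( '/?ab_graph=1&graphdate='.$graphdate ) ); ?>">`. `$graphdate` presumably derives from the `month` request parameter read in hunk 1, which would make this more than cosmetic, but that derivation is outside these hunks.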
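--- a/ad-buttons/tags/3.0/adbuttonsstatsimg.php
+++ b/ad-buttons/tags/3.0/adbuttonsstatsimg.php
@@ -1,7 +1,6 @@
 <?php
-
-require_once('../../../wp-blog-header.php');
-
-$ab_plugindir = get_option('siteurl').'/'.PLUGINDIR.'/'.dirname(plugin_basename(__FILE__));
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
+global $wpdb;
 
 if(isset($_GET['graphdate'])){
@@ -232,5 +231,5 @@
             $r_height = round($stat_values[$statdays[$count]]['views'] / $view_scale);
         }
-        $r_y = 239 - $r_height;
+        $r_y = 241 - $r_height;
         imagefilledrectangle($im, $r_x, $r_y, $r_x+$r_width, $r_y+$r_height, $lightblue);
     }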
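Review bot: The change from `239` to `241` in `$r_y = 241 - $r_height;` (hunk 2) is unexplained and not covered by the commit message, and the bare number gives the next reader nothing to check it against; a comment such as `// bar baseline in pixels — TODO(review): state how this relates to the image height` or a named variable would record the intent. In hunk 1 the file now runs inside `ab_gen_graph()` via `include`, so the added `global $wpdb;` is what makes `$wpdb` visible there; any other globals the rest of the file relies on (outside this view) need the same declaration, and the `$_GET['graphdate']` read on the following context line is still unchecked for the caller's capability. The blocks enclosing hunk 2 start and end outside the hunk.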