Changeset 2223036

Timestamp:

01/06/2020 06:43:33 PM (6 years ago)

Author:

indextwo

Message:

Security & guideline updates as per WP email

Location:

stylebidet

Files:

• tags/0.6.0/assets/vnm-admin.css (modified) (2 diffs)
• tags/0.6.0/stylebidet.php (modified) (7 diffs)
• trunk/assets/vnm-admin.css (modified) (2 diffs)
• trunk/stylebidet.php (modified) (7 diffs)

stylebidet/tags/0.6.0/assets/vnm-admin.css

@@ -6 +6 @@
 */
 
-@import url('https://fonts.googleapis.com/css?family=Ubuntu:400,400i,500,500i');
-
 /*
     ADMIN AREA
@@ -13 +11 @@
 
 .vnmadmin-wrapper {
-    font-family:                            "Ubuntu", sans-serif;
     color:                                  #2A3350;
 }

stylebidet/tags/0.6.0/stylebidet.php

@@ -11 +11 @@
 Copyright (C) 2010-2020 Lawrie Malen // Very New Media
 Created: 02-02-2010
-Updated: 03-01-2020
+Updated: 06-01-2020
 
 */
@@ -160 +160 @@
 function vnmStyleBidet_settingsPage() {
     
+    //  Let's get the options set in the db by default
+    
+    $optionsArray = vnmStyleBidet_getOptions();
+    
+    //  Let's check if any data has been posted
+    
+    $shouldUpdate = false;
     $updated = false;
-    
-    //  Let's get the options set in the db by default
-    
-    $optionsArray = vnmStyleBidet_getOptions();
+    $updateFailed = false;
+    
+    if (isset($_REQUEST['updateVNMStyleBidetSettings'])) {
+        
+        //  Does the current user have permission to complete this action?
+        
+        if (empty($_POST) || !check_admin_referer('vnm_stylebidet_nonce_action', 'stylebidet_admin_nonce') || !apply_filters('stylebidet_user_allowed', current_user_can('manage_options'))) {
+            $updateFailed = true;
+        }
+        
+        //  Does the nonce check pass?
+        
+        if (isset($_POST['nonce']) && sanitize_html_class($_POST['action']) === 'stylebidet_update_settings' && wp_verify_nonce(sanitize_html_class($_POST['nonce']), 'stylebidet_update_settings')) {
+            $shouldUpdate = true;
+        } else {
+            $updateFailed = true;
+        }
+    }
     
     foreach ($optionsArray as $option=>$value) {
@@ -170 +191 @@
         //  Save, if required
         
-        if (isset($_REQUEST['updateVNMStyleBidetSettings'])) {
+        if ($shouldUpdate) {
             if (array_key_exists($option, $_POST)) {
-                if ($_POST[$option]) {
-                    
-                    update_option('vnmStyleBidet_' . $option, 1);   // We can assume it's 'on'
+                if (isset($_POST[$option]) && sanitize_html_class($_POST[$option]) === 'on') {
+                    
+                    update_option('vnmStyleBidet_' . $option, 1);   // It's checked, so we switch the option on
                     
                 } else {
                     
-                    update_option('vnmStyleBidet_' . $option, 0);   // We can assume it's unchecked
+                    update_option('vnmStyleBidet_' . $option, 0);   // It's unchecked, so switch the option off
                     
                 }
@@ -258 +279 @@
         <?php endif; ?>
         
+        <?php if ($updateFailed) : ?>
+            <section class="wrapper updated">
+                <div class="padded-section">
+                    <span class="dashicons dashicons-warning notice-icon secondarycolor"></span>
+                    <?php _e('Uh oh, it looks like you can\'t do that.', 'styebidet'); ?>
+                </div>
+            </section>
+        <?php endif; ?>
+        
         <?php
             ///
@@ -277 +307 @@
             <div class="padded-section">
                 <form action="<?php echo $_SERVER['PHP_SELF']; ?>?page=vnmStyleBidetSettings" class="form" method="post">
-                        
+                    
+                    <input type="hidden" name="action" value="stylebidet_update_settings" />
+                    <input type="hidden" name="nonce" value="<?php echo wp_create_nonce('stylebidet_update_settings'); ?>" />
+                    <?php wp_nonce_field('vnm_stylebidet_nonce_action','stylebidet_admin_nonce' ); ?>
+                    
                     <table class="form-table">
                         
@@ -434 +468 @@
             <div class="vnm-rating-request box">
                 <?php
-                    /*printf(
+                    printf(
                         __('Is StyleBidet making your life a little easier? %sWhy not leave us a %s review?%s %s', 'stylebidet'),
-                        '<a href="thing" target="_blank">',
+                        '<a href="https://wordpress.org/plugins/stylebidet/" target="_blank">',
                         '<span class="dashicons dashicons-star-filled"></span><span class="dashicons dashicons-star-filled"></span><span class="dashicons dashicons-star-filled"></span><span class="dashicons dashicons-star-filled"></span><span class="dashicons dashicons-star-filled"></span>',
                         '</a>',
                         '<span class="dashicons dashicons-smiley"></span>'
-                    );*/
+                    );
                 ?>
             </div>
@@ -479 +513 @@
         //  Include htmLawed (this is pretty much only used for <font> & inline style tags
         
-        include_once('includes/htmlLawed.php');
+        if (!function_exists('htmLawed')) {
+            include_once('includes/htmlLawed.php');
+        }
         
         //  Adding a 'nonsense' value so that at lest there's something in the array

stylebidet/trunk/assets/vnm-admin.css

@@ -6 +6 @@
 */
 
-@import url('https://fonts.googleapis.com/css?family=Ubuntu:400,400i,500,500i');
-
 /*
     ADMIN AREA
@@ -13 +11 @@
 
 .vnmadmin-wrapper {
-    font-family:                            "Ubuntu", sans-serif;
     color:                                  #2A3350;
 }

stylebidet/trunk/stylebidet.php

@@ -11 +11 @@
 Copyright (C) 2010-2020 Lawrie Malen // Very New Media
 Created: 02-02-2010
-Updated: 03-01-2020
+Updated: 06-01-2020
 
 */
@@ -160 +160 @@
 function vnmStyleBidet_settingsPage() {
     
+    //  Let's get the options set in the db by default
+    
+    $optionsArray = vnmStyleBidet_getOptions();
+    
+    //  Let's check if any data has been posted
+    
+    $shouldUpdate = false;
     $updated = false;
-    
-    //  Let's get the options set in the db by default
-    
-    $optionsArray = vnmStyleBidet_getOptions();
+    $updateFailed = false;
+    
+    if (isset($_REQUEST['updateVNMStyleBidetSettings'])) {
+        
+        //  Does the current user have permission to complete this action?
+        
+        if (empty($_POST) || !check_admin_referer('vnm_stylebidet_nonce_action', 'stylebidet_admin_nonce') || !apply_filters('stylebidet_user_allowed', current_user_can('manage_options'))) {
+            $updateFailed = true;
+        }
+        
+        //  Does the nonce check pass?
+        
+        if (isset($_POST['nonce']) && sanitize_html_class($_POST['action']) === 'stylebidet_update_settings' && wp_verify_nonce(sanitize_html_class($_POST['nonce']), 'stylebidet_update_settings')) {
+            $shouldUpdate = true;
+        } else {
+            $updateFailed = true;
+        }
+    }
     
     foreach ($optionsArray as $option=>$value) {
@@ -170 +191 @@
         //  Save, if required
         
-        if (isset($_REQUEST['updateVNMStyleBidetSettings'])) {
+        if ($shouldUpdate) {
             if (array_key_exists($option, $_POST)) {
-                if ($_POST[$option]) {
-                    
-                    update_option('vnmStyleBidet_' . $option, 1);   // We can assume it's 'on'
+                if (isset($_POST[$option]) && sanitize_html_class($_POST[$option]) === 'on') {
+                    
+                    update_option('vnmStyleBidet_' . $option, 1);   // It's checked, so we switch the option on
                     
                 } else {
                     
-                    update_option('vnmStyleBidet_' . $option, 0);   // We can assume it's unchecked
+                    update_option('vnmStyleBidet_' . $option, 0);   // It's unchecked, so switch the option off
                     
                 }
@@ -258 +279 @@
         <?php endif; ?>
         
+        <?php if ($updateFailed) : ?>
+            <section class="wrapper updated">
+                <div class="padded-section">
+                    <span class="dashicons dashicons-warning notice-icon secondarycolor"></span>
+                    <?php _e('Uh oh, it looks like you can\'t do that.', 'styebidet'); ?>
+                </div>
+            </section>
+        <?php endif; ?>
+        
         <?php
             ///
@@ -277 +307 @@
             <div class="padded-section">
                 <form action="<?php echo $_SERVER['PHP_SELF']; ?>?page=vnmStyleBidetSettings" class="form" method="post">
-                        
+                    
+                    <input type="hidden" name="action" value="stylebidet_update_settings" />
+                    <input type="hidden" name="nonce" value="<?php echo wp_create_nonce('stylebidet_update_settings'); ?>" />
+                    <?php wp_nonce_field('vnm_stylebidet_nonce_action','stylebidet_admin_nonce' ); ?>
+                    
                     <table class="form-table">
                         
@@ -434 +468 @@
             <div class="vnm-rating-request box">
                 <?php
-                    /*printf(
+                    printf(
                         __('Is StyleBidet making your life a little easier? %sWhy not leave us a %s review?%s %s', 'stylebidet'),
-                        '<a href="thing" target="_blank">',
+                        '<a href="https://wordpress.org/plugins/stylebidet/" target="_blank">',
                         '<span class="dashicons dashicons-star-filled"></span><span class="dashicons dashicons-star-filled"></span><span class="dashicons dashicons-star-filled"></span><span class="dashicons dashicons-star-filled"></span><span class="dashicons dashicons-star-filled"></span>',
                         '</a>',
                         '<span class="dashicons dashicons-smiley"></span>'
-                    );*/
+                    );
                 ?>
             </div>
@@ -479 +513 @@
         //  Include htmLawed (this is pretty much only used for <font> & inline style tags
         
-        include_once('includes/htmlLawed.php');
+        if (!function_exists('htmLawed')) {
+            include_once('includes/htmlLawed.php');
+        }
         
         //  Adding a 'nonsense' value so that at lest there's something in the array