Changeset 2384440

Timestamp:

09/18/2020 12:46:06 PM (5 years ago)

Author:

onwebchat_dev

Message:

security bug fix

Location:

onwebchat

Files:

• tags/3.2.0 (copied) (copied from onwebchat/trunk)
• tags/3.2.0/images/onwebchat-logo.png (copied) (copied from onwebchat/trunk/images/onwebchat-logo.png)
• tags/3.2.0/onwebchat.php (copied) (copied from onwebchat/trunk/onwebchat.php) (7 diffs)
• tags/3.2.0/readme.txt (copied) (copied from onwebchat/trunk/readme.txt) (2 diffs)
• trunk/onwebchat.php (modified) (7 diffs)
• trunk/readme.txt (modified) (2 diffs)

onwebchat/tags/3.2.0/onwebchat.php

@@ -5 +5 @@
 Description: onWebChat is a live chat system, that helps you communicate with your website's visitors.
 Author: onWebChat
-Version: 3.1.0
+Version: 3.2.0
 Author URI: https://www.onwebchat.com
 */
@@ -71 +71 @@
      *****************************************************************/
     if ( isset( $_POST["action"] ) && $_POST["action"] == "login" ) {
+
+
+        // the following lines are added to verify a correct security nonce(token) by using "wp_verify_nonce()"
+        if (! isset($_POST['_wpnonce'])
+         || ! wp_verify_nonce( $_POST['_wpnonce'], 'on_web_chat_nonce')){
+            print 'Sorry, your nonce did not verify.';
+            exit;
+         }
 
         $options = get_option('onwebchat_plugin_option');
@@ -226 +234 @@
             <?php
 
+            //create nonce(token)
+            wp_nonce_field('on_web_chat_nonce');
+
             // Login Page
             if($isConnected != true) {
@@ -274 +285 @@
                 // display user email
                 if($options!=''){
+                    //sanitize user-provided parameter
+                    $email = esc_html($options);
                     $html = '<br><h3 class="header-1-p2">Activated for onWebChat account: </h3>';
-                    $html .= "<strong class='account-id'>$options</strong> ";
+                    $html .= "<strong class='account-id'>$email</strong> ";
                 }
 
@@ -314 +327 @@
 
                 <div id="onwc_show_on_pages_div" style="display:none">
-                    <input id="showonpages" name="showonpages" class="showhidepages" type="text" value="<?php echo get_option( 'onwebchat_plugin_option_show_pages' ); ?>" /><a href="#" style="text-decoration: none;" onmouseover="document.getElementById('help').style.visibility = 'visible'"; ONMOUSEOUT="document.getElementById('help').style.visibility = 'hidden'"><strong><font size="4" face="Arial"> ? </font></strong></a>
+                    <input id="showonpages" name="showonpages" class="showhidepages" type="text" value="<?php echo esc_attr(get_option( 'onwebchat_plugin_option_show_pages' )); ?>" /><a href="#" style="text-decoration: none;" onmouseover="document.getElementById('help').style.visibility = 'visible'"; ONMOUSEOUT="document.getElementById('help').style.visibility = 'hidden'"><strong><font size="4" face="Arial"> ? </font></strong></a>
                 </div>
                 <div id="onwc_hide_on_pages_div" style="display:none">
-                    <input id="hideonpages" name="hideonpages" class="showhidepages" type="text" value="<?php echo get_option( 'onwebchat_plugin_option_hide_pages' ); ?>" /><a href="#" style="text-decoration: none;" onmouseover="document.getElementById('help').style.visibility = 'visible'"; ONMOUSEOUT="document.getElementById('help').style.visibility = 'hidden'"><strong><font size="4" face="Arial"> ? </font></strong></a>
+                    <input id="hideonpages" name="hideonpages" class="showhidepages" type="text" value="<?php echo esc_attr(get_option( 'onwebchat_plugin_option_hide_pages' )); ?>" /><a href="#" style="text-decoration: none;" onmouseover="document.getElementById('help').style.visibility = 'visible'"; ONMOUSEOUT="document.getElementById('help').style.visibility = 'hidden'"><strong><font size="4" face="Arial"> ? </font></strong></a>
                 </div>
 
@@ -328 +341 @@
                     <strong>onWebChat API:</strong>
                     <br>
-                    <textarea class="chatid-text-field" style="margin-left: 0px;" rows="10" name="onwebchat-api"><?php echo $onwebchatApi; ?></textarea>
+                    <!-- sanitize user-provided parameter  -->
+                    <textarea class="chatid-text-field" style="margin-left: 0px;" rows="10" name="onwebchat-api"><?php echo esc_html($onwebchatApi); ?></textarea>
                     <br>
                     <br>
@@ -338 +352 @@
 
                 <!-- hiden fields -->
-                <input class="chatid-text-field-hide" type="text" name="chatId" value="<?php echo $chatId; ?>"/>
-                <input class="chatid-text-field-hide" type="text" name="onWebChatUser" value="<?php echo get_option( 'onwebchat_plugin_option_user' ); ?>"/>
+                <input class="chatid-text-field-hide" type="text" name="chatId" value="<?php echo esc_attr($chatId); ?>"/>
+                <input class="chatid-text-field-hide" type="text" name="onWebChatUser" value="<?php echo esc_attr(get_option( 'onwebchat_plugin_option_user' )); ?>"/>
                 <input class="chatid-text-field-hide" type="text" name="isSecondPage" value="1"/>
 

onwebchat/tags/3.2.0/readme.txt

@@ -19 +19 @@
 
 Don't twice and start now! It takes less than a minute, to get started, just install onWebChat live chat plugin and [sign up for our service on www.onwebchat.com](https://www.onwebchat.com/signup.php "onWebChat sign up page")
+
+[youtube https://www.youtube.com/embed/YihmL6BpEvc?rel=0]
 
 
@@ -124 +126 @@
 == Changelog ==
 
+= onWebChat Live Chat (Chat version 3.2.0) =
+* Security bug fix
+
 = onWebChat Live Chat (Chat version 3.1.0) =
 * Javascript api commands support

onwebchat/trunk/onwebchat.php

@@ -5 +5 @@
 Description: onWebChat is a live chat system, that helps you communicate with your website's visitors.
 Author: onWebChat
-Version: 3.1.0
+Version: 3.2.0
 Author URI: https://www.onwebchat.com
 */
@@ -71 +71 @@
      *****************************************************************/
     if ( isset( $_POST["action"] ) && $_POST["action"] == "login" ) {
+
+
+        // the following lines are added to verify a correct security nonce(token) by using "wp_verify_nonce()"
+        if (! isset($_POST['_wpnonce'])
+         || ! wp_verify_nonce( $_POST['_wpnonce'], 'on_web_chat_nonce')){
+            print 'Sorry, your nonce did not verify.';
+            exit;
+         }
 
         $options = get_option('onwebchat_plugin_option');
@@ -226 +234 @@
             <?php
 
+            //create nonce(token)
+            wp_nonce_field('on_web_chat_nonce');
+
             // Login Page
             if($isConnected != true) {
@@ -274 +285 @@
                 // display user email
                 if($options!=''){
+                    //sanitize user-provided parameter
+                    $email = esc_html($options);
                     $html = '<br><h3 class="header-1-p2">Activated for onWebChat account: </h3>';
-                    $html .= "<strong class='account-id'>$options</strong> ";
+                    $html .= "<strong class='account-id'>$email</strong> ";
                 }
 
@@ -314 +327 @@
 
                 <div id="onwc_show_on_pages_div" style="display:none">
-                    <input id="showonpages" name="showonpages" class="showhidepages" type="text" value="<?php echo get_option( 'onwebchat_plugin_option_show_pages' ); ?>" /><a href="#" style="text-decoration: none;" onmouseover="document.getElementById('help').style.visibility = 'visible'"; ONMOUSEOUT="document.getElementById('help').style.visibility = 'hidden'"><strong><font size="4" face="Arial"> ? </font></strong></a>
+                    <input id="showonpages" name="showonpages" class="showhidepages" type="text" value="<?php echo esc_attr(get_option( 'onwebchat_plugin_option_show_pages' )); ?>" /><a href="#" style="text-decoration: none;" onmouseover="document.getElementById('help').style.visibility = 'visible'"; ONMOUSEOUT="document.getElementById('help').style.visibility = 'hidden'"><strong><font size="4" face="Arial"> ? </font></strong></a>
                 </div>
                 <div id="onwc_hide_on_pages_div" style="display:none">
-                    <input id="hideonpages" name="hideonpages" class="showhidepages" type="text" value="<?php echo get_option( 'onwebchat_plugin_option_hide_pages' ); ?>" /><a href="#" style="text-decoration: none;" onmouseover="document.getElementById('help').style.visibility = 'visible'"; ONMOUSEOUT="document.getElementById('help').style.visibility = 'hidden'"><strong><font size="4" face="Arial"> ? </font></strong></a>
+                    <input id="hideonpages" name="hideonpages" class="showhidepages" type="text" value="<?php echo esc_attr(get_option( 'onwebchat_plugin_option_hide_pages' )); ?>" /><a href="#" style="text-decoration: none;" onmouseover="document.getElementById('help').style.visibility = 'visible'"; ONMOUSEOUT="document.getElementById('help').style.visibility = 'hidden'"><strong><font size="4" face="Arial"> ? </font></strong></a>
                 </div>
 
@@ -328 +341 @@
                     <strong>onWebChat API:</strong>
                     <br>
-                    <textarea class="chatid-text-field" style="margin-left: 0px;" rows="10" name="onwebchat-api"><?php echo $onwebchatApi; ?></textarea>
+                    <!-- sanitize user-provided parameter  -->
+                    <textarea class="chatid-text-field" style="margin-left: 0px;" rows="10" name="onwebchat-api"><?php echo esc_html($onwebchatApi); ?></textarea>
                     <br>
                     <br>
@@ -338 +352 @@
 
                 <!-- hiden fields -->
-                <input class="chatid-text-field-hide" type="text" name="chatId" value="<?php echo $chatId; ?>"/>
-                <input class="chatid-text-field-hide" type="text" name="onWebChatUser" value="<?php echo get_option( 'onwebchat_plugin_option_user' ); ?>"/>
+                <input class="chatid-text-field-hide" type="text" name="chatId" value="<?php echo esc_attr($chatId); ?>"/>
+                <input class="chatid-text-field-hide" type="text" name="onWebChatUser" value="<?php echo esc_attr(get_option( 'onwebchat_plugin_option_user' )); ?>"/>
                 <input class="chatid-text-field-hide" type="text" name="isSecondPage" value="1"/>
 

onwebchat/trunk/readme.txt

@@ -19 +19 @@
 
 Don't twice and start now! It takes less than a minute, to get started, just install onWebChat live chat plugin and [sign up for our service on www.onwebchat.com](https://www.onwebchat.com/signup.php "onWebChat sign up page")
+
+[youtube https://www.youtube.com/embed/YihmL6BpEvc?rel=0]
 
 
@@ -124 +126 @@
 == Changelog ==
 
+= onWebChat Live Chat (Chat version 3.2.0) =
+* Security bug fix
+
 = onWebChat Live Chat (Chat version 3.1.0) =
 * Javascript api commands support