Changeset 2474203

Timestamp:

02/13/2021 11:06:05 AM (5 years ago)

Author:

nimeshrmr

Message:

Version 3.2 update

Location:

wp-private-content-plus

Files:

• tags/3.2/admin/templates/admin-menu-visibility.php (modified) (2 diffs)
• tags/3.2/admin/templates/global-page-restriction-settings.php (modified) (1 diff)
• tags/3.2/admin/templates/global-post-restriction-settings.php (modified) (1 diff)
• tags/3.2/admin/templates/menu-page-container.php (modified) (1 diff)
• tags/3.2/admin/templates/password-global-settings.php (modified) (1 diff)
• tags/3.2/admin/templates/restriction-permission-settings.php (modified) (1 diff)
• tags/3.2/admin/templates/search-general-settings.php (modified) (1 diff)
• tags/3.2/admin/templates/search-restrictions.php (modified) (1 diff)
• tags/3.2/admin/templates/upme-member-list.php (modified) (1 diff)
• tags/3.2/admin/templates/upme-member-profile.php (modified) (1 diff)
• tags/3.2/admin/templates/upme-search.php (modified) (1 diff)
• tags/3.2/classes/class-wppcp-admin-stats.php (modified) (9 diffs)
• tags/3.2/classes/class-wppcp-ip-restrictions.php (modified) (2 diffs)
• tags/3.2/classes/class-wppcp-posts.php (modified) (3 diffs)
• tags/3.2/classes/class-wppcp-private-content.php (modified) (2 diffs)
• tags/3.2/classes/class-wppcp-settings.php (modified) (45 diffs)
• tags/3.2/classes/class-wppcp-site-lockdown.php (modified) (3 diffs)
• tags/3.2/classes/class-wppcp-widgets.php (modified) (1 diff)
• tags/3.2/classes/class-wppcp-woocommerce-tab-manager.php (modified) (1 diff)
• tags/3.2/functions.php (modified) (3 diffs)
• tags/3.2/readme.txt (modified) (1 diff)
• tags/3.2/templates/global-password-form.php (modified) (1 diff)
• tags/3.2/templates/manage-file-attachments.php (modified) (6 diffs)
• tags/3.2/templates/plugin-help.php (modified) (1 diff)
• tags/3.2/templates/post-page-restriction-meta.php (modified) (5 diffs)
• tags/3.2/templates/private-user-page.php (modified) (1 diff)
• tags/3.2/templates/woo-tabs-restriction-meta.php (modified) (2 diffs)
• trunk/admin/templates/admin-menu-visibility.php (modified) (2 diffs)
• trunk/admin/templates/global-page-restriction-settings.php (modified) (1 diff)
• trunk/admin/templates/global-post-restriction-settings.php (modified) (1 diff)
• trunk/admin/templates/menu-page-container.php (modified) (1 diff)
• trunk/admin/templates/password-global-settings.php (modified) (1 diff)
• trunk/admin/templates/restriction-permission-settings.php (modified) (1 diff)
• trunk/admin/templates/search-general-settings.php (modified) (1 diff)
• trunk/admin/templates/search-restrictions.php (modified) (1 diff)
• trunk/admin/templates/upme-member-list.php (modified) (1 diff)
• trunk/admin/templates/upme-member-profile.php (modified) (1 diff)
• trunk/admin/templates/upme-search.php (modified) (1 diff)
• trunk/classes/class-wppcp-admin-stats.php (modified) (9 diffs)
• trunk/classes/class-wppcp-ip-restrictions.php (modified) (2 diffs)
• trunk/classes/class-wppcp-posts.php (modified) (3 diffs)
• trunk/classes/class-wppcp-private-content.php (modified) (2 diffs)
• trunk/classes/class-wppcp-settings.php (modified) (45 diffs)
• trunk/classes/class-wppcp-site-lockdown.php (modified) (3 diffs)
• trunk/classes/class-wppcp-widgets.php (modified) (1 diff)
• trunk/classes/class-wppcp-woocommerce-tab-manager.php (modified) (1 diff)
• trunk/functions.php (modified) (3 diffs)
• trunk/readme.txt (modified) (1 diff)
• trunk/templates/global-password-form.php (modified) (1 diff)
• trunk/templates/manage-file-attachments.php (modified) (6 diffs)
• trunk/templates/plugin-help.php (modified) (1 diff)
• trunk/templates/post-page-restriction-meta.php (modified) (5 diffs)
• trunk/templates/private-user-page.php (modified) (1 diff)
• trunk/templates/woo-tabs-restriction-meta.php (modified) (2 diffs)

wp-private-content-plus/tags/3.2/admin/templates/admin-menu-visibility.php

@@ -5 +5 @@
     $user_roles = $wppcp->roles_capability->wppcp_user_roles();
 
+    $admin_menu_visibility = esc_html($admin_menu_visibility);
 ?>
 <table class="form-table wppcp-settings-list">
@@ -26 +27 @@
               if($role_key != 'administrator'){
           ?>
-          <input type="checkbox" <?php echo $checked_val; ?> class="wppcp_admin_menu_item_roles" id="wppcp_admin_menu_item_roles" name="wppcp_admin_menu_item_roles[]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+          <input type="checkbox" <?php echo $checked_val; ?> class="wppcp_admin_menu_item_roles" id="wppcp_admin_menu_item_roles" name="wppcp_admin_menu_item_roles[]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
           <?php } ?>  
       <?php } ?>

wp-private-content-plus/tags/3.2/admin/templates/global-page-restriction-settings.php

@@ -59 +59 @@
                                 if($role_key != 'administrator'){
                             ?>
-                            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_global_page_restriction[all_page_user_roles][]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+                            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_global_page_restriction[all_page_user_roles][]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
                             <?php } ?>  
                         <?php } ?>

wp-private-content-plus/tags/3.2/admin/templates/global-post-restriction-settings.php

@@ -59 +59 @@
                                 if($role_key != 'administrator'){
                             ?>
-                            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_global_post_restriction[all_post_user_roles][]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+                            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_global_post_restriction[all_post_user_roles][]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
                             <?php } ?>  
                         <?php } ?>

wp-private-content-plus/tags/3.2/admin/templates/menu-page-container.php

@@ -5 +5 @@
 
 <div class="wrap">
-    <?php echo $tabs; ?>
-    <?php echo $tab_content; ?>
+    <?php echo ($tabs); ?>
+    <?php echo ($tab_content); ?>
 
 </div>

wp-private-content-plus/tags/3.2/admin/templates/password-global-settings.php

@@ -3 +3 @@
     extract($wppcp_password_settings_data);    
         
+    $global_password_protect = esc_html($global_password_protect);
 ?>
 

wp-private-content-plus/tags/3.2/admin/templates/restriction-permission-settings.php

@@ -22 +22 @@
                         if($role_key != 'administrator'){
                     ?>
-                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_feature_restrictions[wppcp_feature_permission_roles][]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_feature_restrictions[wppcp_feature_permission_roles][]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
                     <?php } ?>  
                 <?php } ?>

wp-private-content-plus/tags/3.2/admin/templates/search-general-settings.php

@@ -14 +14 @@
         $message .= ' <a target="_blank" href="https://www.wpexpertdeveloper.com/site-advanced-search-restrictions/?ref=pro-search-settings" >'.
                     __('View More','wppcp'). '</a>';
-        echo wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_search_restrictions');
+        echo wp_kses_post(wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_search_restrictions'));
     }
 ?>

wp-private-content-plus/tags/3.2/admin/templates/search-restrictions.php

@@ -18 +18 @@
         $message .= ' <a target="_blank" href="https://www.wpexpertdeveloper.com/site-advanced-search-restrictions/?ref=pro-search-res" >'.
                     __('View More','wppcp'). '</a>';
-        echo wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_search_restrictions');
+        echo wp_kses_post(wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_search_restrictions'));
     }
 ?>

wp-private-content-plus/tags/3.2/admin/templates/upme-member-list.php

@@ -46 +46 @@
                         if($role_key != 'administrator'){
                     ?>
-                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_upme_member_list[upme_member_list_user_roles][]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_upme_member_list[upme_member_list_user_roles][]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
                     <?php } ?>  
                 <?php } ?>

wp-private-content-plus/tags/3.2/admin/templates/upme-member-profile.php

@@ -46 +46 @@
                         if($role_key != 'administrator'){
                     ?>
-                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_upme_member_profile[upme_member_profile_user_roles][]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_upme_member_profile[upme_member_profile_user_roles][]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
                     <?php } ?>  
                 <?php } ?>

wp-private-content-plus/tags/3.2/admin/templates/upme-search.php

@@ -46 +46 @@
                         if($role_key != 'administrator'){
                     ?>
-                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_upme_search[upme_search_user_roles][]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_upme_search[upme_search_user_roles][]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
                     <?php } ?>  
                 <?php } ?>

wp-private-content-plus/tags/3.2/classes/class-wppcp-admin-stats.php

@@ -73 +73 @@
         $individual_protection = array();
         if($results['single_data']['post_count'] > 0){
-            $individual_protection[] = "<span>" . $results['single_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
+            $individual_protection[] = "<span>" . (int) $results['single_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
         }
         if($results['single_data']['page_count'] > 0){
-            $individual_protection[] = "<span>" .$results['single_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
+            $individual_protection[] = "<span>" . (int) $results['single_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
         }
         if($results['single_data']['cpt_count'] > 0){
-            $individual_protection[] = "<span>" .$results['single_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>" ;
+            $individual_protection[] = "<span>" . (int) $results['single_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>" ;
         }
 
@@ -90 +90 @@
         $global_protection = array();
         if($results['global_data']['restrict_all_posts_status'] == '1'){
-            $global_protection[] = "<span>" .$results['global_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
+            $global_protection[] = "<span>" . (int) $results['global_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
         }
         if($results['global_data']['restrict_all_pages_status'] == '1'){
-            $global_protection[] = "<span>" .$results['global_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
+            $global_protection[] = "<span>" . (int) $results['global_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
         }
         
@@ -103 +103 @@
         $password_protection = '';      
         if(isset($results['password_data']['status'])){
-            $password_protection = "<span>" .$results['password_data']['post_count'] . __(' Posts ','wppcp')."</span>"  . " - " .
-                                    "<span>" .$results['password_data']['page_count'] . __(' Pages ','wppcp')."</span>"  ." - " .
-                                    "<span>" .$results['password_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>"  ;
+            $password_protection = "<span>" . (int) $results['password_data']['post_count'] . __(' Posts ','wppcp')."</span>"  . " - " .
+                                    "<span>" . (int) $results['password_data']['page_count'] . __(' Pages ','wppcp')."</span>"  ." - " .
+                                    "<span>" . (int) $results['password_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>"  ;
             $password_protection .= __(' are protected','wppcp');
         
@@ -112 +112 @@
         $menu_protection = '';
         if($results['menu_data']['count'] > 0){
-            $menu_protection = "<span>" .$results['menu_data']['count'] . __(' Menu Items ','wppcp')."</span>"  ;
+            $menu_protection = "<span>" . (int) $results['menu_data']['count'] . __(' Menu Items ','wppcp')."</span>"  ;
             $menu_protection .= __(' are protected','wppcp');
         
@@ -119 +119 @@
         $widget_protection = '';
         if($results['widgets_data']['count'] > 0){
-            $widget_protection = "<span>" .$results['widgets_data']['count'] . __(' Widgets ','wppcp')."</span>"  ;
+            $widget_protection = "<span>" . (int) $results['widgets_data']['count'] . __(' Widgets ','wppcp')."</span>"  ;
             $widget_protection .= __(' are protected','wppcp');
         
@@ -126 +126 @@
         $shortcode_protection = '';
         if($results['shortcode_data']['count'] > 0){
-            $shortcode_protection = "<span>" .$results['shortcode_data']['count'] . __(' Post/Page Content Blocks ','wppcp') ."</span>" ;
+            $shortcode_protection = "<span>" . (int) $results['shortcode_data']['count'] . __(' Post/Page Content Blocks ','wppcp') ."</span>" ;
             $shortcode_protection .= __(' are protected','wppcp');
         
@@ -133 +133 @@
         $private_page_protection = '';
         if($results['private_page_data']['count'] > 0){
-            $private_page_protection = "<span>" .$results['private_page_data']['count'].__(' Users ','wppcp') . "</span>" . __('have private page with protected content. ','wppcp') ."</span>" ;
+            $private_page_protection = "<span>" . (int) $results['private_page_data']['count'].__(' Users ','wppcp') . "</span>" . __('have private page with protected content. ','wppcp') ."</span>" ;
     
         }
@@ -139 +139 @@
         $attachment_protection = array();
         if($results['attachment_data']['post_count'] > 0){
-            $attachment_protection[] = "<span>" .$results['attachment_data']['post_count'] . __(' Post ','wppcp')."</span>" ;
+            $attachment_protection[] = "<span>" . (int) $results['attachment_data']['post_count'] . __(' Post ','wppcp')."</span>" ;
         }
         if($results['attachment_data']['page_count'] > 0){
-            $attachment_protection[] = "<span>" .$results['attachment_data']['page_count'] . __(' Page ','wppcp')."</span>" ;
+            $attachment_protection[] = "<span>" . (int) $results['attachment_data']['page_count'] . __(' Page ','wppcp')."</span>" ;
         }
         if($results['attachment_data']['cpt_count'] > 0){
-            $attachment_protection[] = "<span>" .$results['attachment_data']['cpt_count'] . __(' Custom Post Type ','wppcp')."</span>" ;
+            $attachment_protection[] = "<span>" . (int) $results['attachment_data']['cpt_count'] . __(' Custom Post Type ','wppcp')."</span>" ;
         }
 
@@ -157 +157 @@
         $search_protection = array();
         if($results['search_data']['blocked_posts'] > 0){
-            $search_protection[] = "<span>" .$results['search_data']['blocked_posts'] . __(' Posts ','wppcp')."</span>" ;
+            $search_protection[] = "<span>" . (int) $results['search_data']['blocked_posts'] . __(' Posts ','wppcp')."</span>" ;
         }
         if($results['search_data']['blocked_pages'] > 0){
-            $search_protection[] = "<span>" .$results['search_data']['blocked_pages'] . __(' Pages ','wppcp')."</span>" ;
+            $search_protection[] = "<span>" . (int) $results['search_data']['blocked_pages'] . __(' Pages ','wppcp')."</span>" ;
         }
         $search_protection = implode("-", $search_protection);

wp-private-content-plus/tags/3.2/classes/class-wppcp-ip-restrictions.php

@@ -8 +8 @@
 
     public function validate_ip_restrictions(){
-        global $wppcp,$wp_query,$wppcp_cpt_id;;
+        global $wppcp,$wp_query,$wppcp_cpt_id;
         $private_content_settings  = get_option('wppcp_options');
         if(!isset($private_content_settings['general']['private_content_module_status'])){
@@ -36 +36 @@
                 if($url != ''){
                     $url = rtrim($url , '/');
-                    array_push($filtered_allowed_urls, $url);
+                    array_push($filtered_allowed_urls, esc_url($url));
                 }
             }

wp-private-content-plus/tags/3.2/classes/class-wppcp-posts.php

@@ -20 +20 @@
             $post_json_results = array();
 
-            $query = "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%".$search_text."%' && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='page' order by $wpdb->posts.post_date desc limit 20";
+            $query  = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%s'  && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='page' order by $wpdb->posts.post_date desc limit 20", '%'.$search_text.'%' );
+
+            // $query = "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%".$search_text."%' && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='page' order by $wpdb->posts.post_date desc limit 20";
             $result = $wpdb->get_results($query);
             if($result){
@@ -42 +44 @@
             $post_json_results = array();
 
-            $query = "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%".$search_text."%' && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='post' order by $wpdb->posts.post_date desc limit 20";
+            $query  = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%s'  && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='post' order by $wpdb->posts.post_date desc limit 20", '%'.$search_text.'%' );
             $result = $wpdb->get_results($query);
             if($result){
@@ -66 +68 @@
             $post_json_results = array();
 
-            $query = "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%".$search_text."%' && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='".$post_type."' order by $wpdb->posts.post_date desc limit 20";
+            
+
+            $query  = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%s'  && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='%s' order by $wpdb->posts.post_date desc limit 20", '%'.$search_text.'%', $post_type );
+
             $result = $wpdb->get_results($query);
             if($result){

wp-private-content-plus/tags/3.2/classes/class-wppcp-private-content.php

@@ -67 +67 @@
 
             if($result){
-                return stripslashes(do_shortcode($result[0]->content));
+                return (stripslashes(do_shortcode($result[0]->content)));
             }else{
                 return stripslashes(get_option('wppcp_parivate_page_starter_content'));
@@ -1112 +1112 @@
                 if($type != 'none'){
                     $users = isset($_POST['wppcp_bulk_private_page_upload_users']) ? (array) $_POST['wppcp_bulk_private_page_upload_users'] : array();
-
-                    $content = isset($_POST['wppcp_bulk_private_page_upload_content']) ? $_POST['wppcp_bulk_private_page_upload_content'] : '';
+                    
+                    $content = isset($_POST['wppcp_bulk_private_page_upload_content']) ? wp_kses_post($_POST['wppcp_bulk_private_page_upload_content']) : '';
 
                     foreach ($users as $key => $user_id) {

wp-private-content-plus/tags/3.2/classes/class-wppcp-settings.php

@@ -549 +549 @@
 
                         $user_id = isset($_POST['wppcp_user_id']) ? (int) $_POST['wppcp_user_id'] : 0; 
-                        $private_content = isset($_POST['wppcp_private_page_content']) ? ( $_POST['wppcp_private_page_content']) : '';
+                        
+                        $private_content = isset($_POST['wppcp_private_page_content']) ? wp_kses_post( $_POST['wppcp_private_page_content']) : '';
                         $updated_date = date("Y-m-d H:i:s");
                         
@@ -601 +602 @@
         global $wppcp;
 
+        $this->settings = array();
         if(isset($_POST['wppcp_general'])){
             foreach($_POST['wppcp_general'] as $k=>$v){
@@ -609 +611 @@
                     case 'author_post_page_restrictions_status':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
                     case 'post_page_redirect_url':
                         $v = esc_url_raw($v);
-                        break;
-
-                }
-                $this->settings[$k] = $v;
+                        $this->settings[$k] = $v;
+                        break;
+                }                
             }            
         }
@@ -630 +632 @@
     public function save_wppcp_section_information(){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_information'])){
             foreach($_POST['wppcp_information'] as $k=>$v){
@@ -639 +641 @@
                     case 'pro_info_private_page':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }   
 
@@ -670 +673 @@
         global $wppcp;
 
+        $this->settings = array();
         if(isset($_POST['wppcp_global_post_restriction'])){
             foreach($_POST['wppcp_global_post_restriction'] as $k=>$v){
                 switch ($k) {
                     case 'restrict_all_posts_status':
+                        $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
+                        break;
                     case 'all_post_visibility':
                         $v = sanitize_text_field($v);
+                        if(in_array($v, array('all','guest','member','role'))){
+                            $this->settings[$k] = $v;
+                        }
+                        break;
+                    case 'all_post_user_roles':
+                        if(is_array($v)){
+                            $roles_arr = array();
+                            foreach ($v as $user_role_v) {
+                                $roles_arr[] = sanitize_text_field($user_role_v);
+                            } 
+                            $this->settings[$k] =  $roles_arr;
+                        }
+                        
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -693 +713 @@
     public function save_wppcp_section_global_page(){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_global_page_restriction'])){
             foreach($_POST['wppcp_global_page_restriction'] as $k=>$v){
                 switch ($k) {
                     case 'restrict_all_pages_status':
+                        $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
+                        break;
                     case 'all_page_visibility':
                         $v = sanitize_text_field($v);
-                        break;
+                        if(in_array($v, array('all','guest','member','role'))){
+                            $this->settings[$k] = $v;
+                        }
+                        break;
+                    case 'all_page_user_roles':
+                        if(is_array($v)){
+                            $roles_arr = array();
+                            foreach ($v as $user_role_v) {
+                                $roles_arr[] = sanitize_text_field($user_role_v);
+                            } 
+                            $this->settings[$k] =  $roles_arr;
+                        }
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -738 +772 @@
 
     }
-    
-    /* Display private user page add content form */
-    // public function private_user_page(){
-    //     global $wppcp,$wppcp_private_page_params,$wpdb;
-        
-    //     $wppcp_private_page_params = array();
-        
-    //     $this->load_wppcp_select2_scripts_style();
-        
-    //     $private_page_user = 0;
-    //     if($_POST && isset($_POST['wppcp_private_page_user_load']) && ( current_user_can('manage_options') || current_user_can('wppcp_manage_options') ) ){
-    //         $private_page_user = isset($_POST['wppcp_private_page_user']) ? (int) ( $_POST['wppcp_private_page_user'] ) : 0;
-    //         $user = get_user_by( 'id', $private_page_user );
-    //         $wppcp_private_page_params['display_name'] = $user->data->display_name;
-    //         $wppcp_private_page_params['user_id'] = $private_page_user;
-    //     }
-        
-
-        
-    //     if($_POST && isset($_POST['wppcp_private_page_content_submit']) && ( current_user_can('manage_options') || current_user_can('wppcp_manage_options') ) ){
-
-    //         if (isset( $_POST['wppcp_private_page_nonce_field'] ) && wp_verify_nonce( $_POST['wppcp_private_page_nonce_field'], 'wppcp_private_page_nonce' ) ) {
-
-    //             $user_id = isset($_POST['wppcp_user_id']) ? (int) $_POST['wppcp_user_id'] : 0; 
-    //             $private_content = isset($_POST['wppcp_private_page_content']) ? ( $_POST['wppcp_private_page_content']) : '';
-    //             $updated_date = date("Y-m-d H:i:s");
-                
-    //             $sql  = $wpdb->prepare( "SELECT content FROM " . $wpdb->prefix . WPPCP_PRIVATE_CONTENT_TABLE . " WHERE user_id = %d ", $user_id );
-    //             $result = $wpdb->get_results($sql);
-    //             if($result){
-    //                 $sql  = $wpdb->prepare( "Update " . $wpdb->prefix . WPPCP_PRIVATE_CONTENT_TABLE ." set content=%s,updated_at=%s where user_id=%d ", $private_content,$updated_date, $user_id );
-    //             }else{
-    //                 $sql  = $wpdb->prepare( "Insert into " . $wpdb->prefix . WPPCP_PRIVATE_CONTENT_TABLE ."(user_id,content,type,updated_at) values(%d,%s,%s,%s)", $user_id, $private_content, 'ADMIN', $updated_date );
-    //             }
-                
-                
-    //             if($wpdb->query($sql) === FALSE){
-    //                 $wppcp_private_page_params['message'] = __('Private content update failed.','wppcp');
-    //                 $wppcp_private_page_params['message_status'] = FALSE;
-    //             }else{
-    //                 $wppcp_private_page_params['message'] = __('Private content updated successfully.','wppcp');
-    //                 $wppcp_private_page_params['message_status'] = TRUE;
-    //             }        
-    //         }
-    //     }
-        
-    //     $sql  = $wpdb->prepare( "SELECT content FROM " . $wpdb->prefix . WPPCP_PRIVATE_CONTENT_TABLE . " WHERE user_id = %d ", $private_page_user );
-    //     $result = $wpdb->get_results($sql);
-    //     if($result){
-    //         $wppcp_private_page_params['private_content'] = stripslashes($result[0]->content);
-    //     }else{
-    //         $wppcp_private_page_params['private_content'] = '';
-    //     }
-        
-        
-        
-        
-    //     ob_start();
-    //     $wppcp->template_loader->get_template_part('private-user-page');
-    //     $display = ob_get_clean();        
-    //     echo $display;
-    // }
+
     
     /* Load Select 2 library for settings section */
@@ -873 +846 @@
     public function save_wppcp_section_wppcp_permissions(){
         global $wppcp,$wp_roles;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_feature_restrictions'])){
 
@@ -883 +856 @@
                             $v[$key] = sanitize_text_field($value);
                         }
-                        
-                        break;
-
-
-                }
-                $this->settings[$k] = $v;
+                        $this->settings[$k] = $v;                        
+                        break;
+                }                
             }      
                
@@ -994 +964 @@
     public function save_wppcp_section_security_ip(){
         global $wppcp;
-
+        $this->settings = array(); 
         if(isset($_POST['wppcp_security_ip'])){
             foreach($_POST['wppcp_security_ip'] as $k=>$v){
@@ -1000 +970 @@
                     case 'restriction_status':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
                     case 'allowed_urls':
                     case 'whitelisted':
                         $v = sanitize_textarea_field($v);
+                        $this->settings[$k] = $v;
                         break;
                     case 'redirect_url':
                         $v = esc_url_raw($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -1024 +997 @@
     public function save_wppcp_section_search_general(){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_search_general'])){
             foreach($_POST['wppcp_search_general'] as $k=>$v){
@@ -1034 +1007 @@
                            $v[$key] = (int) ($post_id);
                         }
-                        
-                        break;                   
-
-                }
-
-                $this->settings[$k] = $v;
-            }      
-               
+                        $this->settings[$k] = $v;
+                        break;                
+
+                }                
+            }                
         }
         
@@ -1052 +1022 @@
     public function save_wppcp_section_search_restrictions(){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_search_restrictions'])){
             foreach($_POST['wppcp_search_restrictions'] as $k=>$v){
@@ -1062 +1032 @@
                            $v[$key] = sanitize_text_field($post_types);
                         }
-                        
+                        $this->settings[$k] = $v;
                         break;                   
 
                 }
-                $this->settings[$k] = $v;
+                
             } 
 
@@ -1105 +1075 @@
     public function save_wppcp_section_password_global(){
         global $wppcp;
+
+        $this->settings = array();
 
         if(isset($_POST['wppcp_password_global'])){
@@ -1114 +1086 @@
 
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                     case 'password_form_message':
                         $v = wp_kses_post($v);
+                        $this->settings[$k] = $v;
                         break;
 
                     case 'allowed_urls':
                         $v = sanitize_textarea_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -1251 +1226 @@
         global $wppcp;
 
+        $this->settings = array();
         if(isset($_POST['wppcp_upme_general'])){
             foreach($_POST['wppcp_upme_general'] as $k=>$v){
@@ -1257 +1233 @@
                     case 'redirect_to_upme_login':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -1274 +1251 @@
     public function save_wppcp_section_upme_search(){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_upme_search'])){
             foreach($_POST['wppcp_upme_search'] as $k=>$v){
@@ -1280 +1257 @@
                     case 'upme_search_visibility':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -1298 +1276 @@
         global $wppcp;
 
+        $this->settings = array();
         if(isset($_POST['wppcp_upme_member_list'])){
             foreach($_POST['wppcp_upme_member_list'] as $k=>$v){
@@ -1303 +1282 @@
                     case 'upme_member_list_visibility':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -1320 +1300 @@
     public function save_wppcp_section_upme_member_profile(){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_upme_member_profile'])){
             foreach($_POST['wppcp_upme_member_profile'] as $k=>$v){
@@ -1326 +1306 @@
                     case 'upme_member_profile_visibility':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -1360 +1341 @@
             $individual_protection = array();
             if($results['single_data']['post_count'] > 0){
-                $individual_protection[] = "<span>" . $results['single_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
+                $individual_protection[] = "<span>" . (int) $results['single_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
             }
             if($results['single_data']['page_count'] > 0){
-                $individual_protection[] = "<span>" .$results['single_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
+                $individual_protection[] = "<span>" . (int) $results['single_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
             }
             if($results['single_data']['cpt_count'] > 0){
-                $individual_protection[] = "<span>" .$results['single_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>" ;
+                $individual_protection[] = "<span>" .(int) $results['single_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>" ;
             }
 
@@ -1377 +1358 @@
             $global_protection = array();
             if($results['global_data']['restrict_all_posts_status'] == '1'){
-                $global_protection[] = "<span>" .$results['global_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
+                $global_protection[] = "<span>" .(int) $results['global_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
             }
             if($results['global_data']['restrict_all_pages_status'] == '1'){
-                $global_protection[] = "<span>" .$results['global_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
+                $global_protection[] = "<span>" .(int) $results['global_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
             }
             
@@ -1390 +1371 @@
             $password_protection = '';      
             if(isset($results['password_data']['status'])){
-                $password_protection = "<span>" .$results['password_data']['post_count'] . __(' Posts ','wppcp')."</span>"  . " - " .
-                                        "<span>" .$results['password_data']['page_count'] . __(' Pages ','wppcp')."</span>"  ." - " .
-                                        "<span>" .$results['password_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>"  ;
+                $password_protection = "<span>" .(int) $results['password_data']['post_count'] . __(' Posts ','wppcp')."</span>"  . " - " .
+                                        "<span>" .(int) $results['password_data']['page_count'] . __(' Pages ','wppcp')."</span>"  ." - " .
+                                        "<span>" .(int) $results['password_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>"  ;
                 $password_protection .= __(' are protected','wppcp');
             
@@ -1399 +1380 @@
             $menu_protection = '';
             if($results['menu_data']['count'] > 0){
-                $menu_protection = "<span>" .$results['menu_data']['count'] . __(' Menu Items ','wppcp')."</span>"  ;
+                $menu_protection = "<span>" .(int) $results['menu_data']['count'] . __(' Menu Items ','wppcp')."</span>"  ;
                 $menu_protection .= __(' are protected','wppcp');
             
@@ -1406 +1387 @@
             $widget_protection = '';
             if($results['widgets_data']['count'] > 0){
-                $widget_protection = "<span>" .$results['widgets_data']['count'] . __(' Widgets ','wppcp')."</span>"  ;
+                $widget_protection = "<span>" .(int) $results['widgets_data']['count'] . __(' Widgets ','wppcp')."</span>"  ;
                 $widget_protection .= __(' are protected','wppcp');
             
@@ -1413 +1394 @@
             $shortcode_protection = '';
             if($results['shortcode_data']['count'] > 0){
-                $shortcode_protection = "<span>" .$results['shortcode_data']['count'] . __(' Post/Page Content Blocks ','wppcp') ."</span>" ;
+                $shortcode_protection = "<span>" .(int) $results['shortcode_data']['count'] . __(' Post/Page Content Blocks ','wppcp') ."</span>" ;
                 $shortcode_protection .= __(' are protected','wppcp');
             
@@ -1420 +1401 @@
             $private_page_protection = '';
             if($results['private_page_data']['count'] > 0){
-                $private_page_protection = "<span>" .$results['private_page_data']['count'].__(' Users ','wppcp') . "</span>" . __('have private page with protected content. ','wppcp') ."</span>" ;
+                $private_page_protection = "<span>" .(int) $results['private_page_data']['count'].__(' Users ','wppcp') . "</span>" . __('have private page with protected content. ','wppcp') ."</span>" ;
         
             }
@@ -1426 +1407 @@
             $attachment_protection = array();
             if($results['attachment_data']['post_count'] > 0){
-                $attachment_protection[] = "<span>" .$results['attachment_data']['post_count'] . __(' Post ','wppcp')."</span>" ;
+                $attachment_protection[] = "<span>" .(int) $results['attachment_data']['post_count'] . __(' Post ','wppcp')."</span>" ;
             }
             if($results['attachment_data']['page_count'] > 0){
-                $attachment_protection[] = "<span>" .$results['attachment_data']['page_count'] . __(' Page ','wppcp')."</span>" ;
+                $attachment_protection[] = "<span>" .(int) $results['attachment_data']['page_count'] . __(' Page ','wppcp')."</span>" ;
             }
             if($results['attachment_data']['cpt_count'] > 0){
-                $attachment_protection[] = "<span>" .$results['attachment_data']['cpt_count'] . __(' Custom Post Type ','wppcp')."</span>" ;
+                $attachment_protection[] = "<span>" .(int) $results['attachment_data']['cpt_count'] . __(' Custom Post Type ','wppcp')."</span>" ;
             }
 
@@ -1444 +1425 @@
             $search_protection = array();
             if($results['search_data']['blocked_posts'] > 0){
-                $search_protection[] = "<span>" .$results['search_data']['blocked_posts'] . __(' Posts ','wppcp')."</span>" ;
+                $search_protection[] = "<span>" .(int) $results['search_data']['blocked_posts'] . __(' Posts ','wppcp')."</span>" ;
             }
             if($results['search_data']['blocked_pages'] > 0){
-                $search_protection[] = "<span>" .$results['search_data']['blocked_pages'] . __(' Pages ','wppcp')."</span>" ;
+                $search_protection[] = "<span>" .(int) $results['search_data']['blocked_pages'] . __(' Pages ','wppcp')."</span>" ;
             }
             $search_protection = implode("-", $search_protection);
@@ -1460 +1441 @@
             if($individual_protection != ''){
                 $table .= "<tr><th>". __('Individual Post/Page Protection','wppcp'). "</th>
-                                <td>".$individual_protection."</td>
+                                <td>".esc_html($individual_protection)."</td>
                             </tr>";
                 $protection_count++;
@@ -1467 +1448 @@
             if($global_protection != ''){ 
                 $table .= "<tr><th>". __('Global Post/Page Protection','wppcp'). "</th>
-                                        <td>".$global_protection. "</td>
+                                        <td>".esc_html($global_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1474 +1455 @@
             if($password_protection != ''){ 
                 $table .= "<tr><th>". __('Password Protection','wppcp'). "</th>
-                                        <td>".$password_protection. "</td>
+                                        <td>".esc_html($password_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1481 +1462 @@
             if($menu_protection != ''){ 
                 $table .= "<tr><th>". __('Menu Protection','wppcp'). "</th>
-                                        <td>".$menu_protection. "</td>
+                                        <td>".esc_html($menu_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1488 +1469 @@
             if($widget_protection != ''){ 
                 $table .= "<tr><th>". __('Widget Protection','wppcp'). "</th>
-                                        <td>".$widget_protection. "</td>
+                                        <td>".esc_html($widget_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1495 +1476 @@
             if($shortcode_protection != ''){ 
                 $table .= "<tr><th>". __('Shortcode Protection','wppcp'). "</th>
-                                        <td>".$shortcode_protection. "</td>
+                                        <td>".esc_html($shortcode_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1502 +1483 @@
             if($attachment_protection != ''){
                 $table .= "<tr><th>". __('Attachment Protection','wppcp'). "</th>
-                                        <td>".$attachment_protection. "</td>
+                                        <td>".esc_html($attachment_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1509 +1490 @@
             if($private_page_protection != ''){
                 $table .= "<tr><th>". __('Private Page','wppcp'). "</th>
-                                        <td>".$private_page_protection. "</td>
+                                        <td>".esc_html($private_page_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1516 +1497 @@
             if($search_protection != ''){ 
                 $table .= "<tr><th>". __('Search Protection','wppcp'). "</th>
-                                        <td>".$search_protection. "</td>
+                                        <td>".esc_html($search_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1582 +1563 @@
                       </div>
                       <footer> 
-                        <input id="wppcp_init_version" type="hidden" value="'.$wppcp_init_version.'" />
-                        <input id="wppcp_init_date" type="hidden" value="'.$wppcp_init_date.'" />
+                        <input id="wppcp_init_version" type="hidden" value="'.esc_html($wppcp_init_version).'" />
+                        <input id="wppcp_init_date" type="hidden" value="'.esc_html($wppcp_init_date).'" />
                         <input id="wppcp_init_admin_email" type="hidden" value="'.get_option('admin_email').'" />
                         <input id="wppcp-deactivate-reasons-submit" class="wppcp-modal-btn wppcp-modal-btn-small" type="button" value="'.__('Submit & Deactivate','wppcp').'" />

wp-private-content-plus/tags/3.2/classes/class-wppcp-site-lockdown.php

@@ -75 +75 @@
     public function save_settings($tab,$params){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_site_lockdown'])){
+            
             foreach($_POST['wppcp_site_lockdown'] as $k=>$v){
                 switch ($k) {
-                    case 'allowed_posts':
-                    case 'allowed_pages':
+                    case 'lockdown_allowed_pages':
+                    case 'lockdown_allowed_posts':
+                        if(is_array($v)){
+                            $post_arr = array();
+                            foreach ($v as $post_ids) {
+                                array_push($post_arr, (int) $post_ids);
+                            }
+                            $this->settings[$k] = $post_arr;
+                        }
                         break;
                     case 'lockdown_status':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
                     case 'allowed_urls':
                         $v = sanitize_textarea_field($v);
+                        $this->settings[$k] = $v;
                         break;
                     case 'redirect_url':
                         $v = esc_url_raw($v);
+                        $this->settings[$k] = $v;
                         break;
                 }
-                $this->settings[$k] = $v;
-            }              
+                
+            }     
+                     
         }
         
@@ -179 +191 @@
             if('wp-login' == $redirect_url){
                 $url = add_query_arg( 'redirect_to', $current_page_url, wp_login_url() );
-                wp_redirect($url);
+                wp_redirect(esc_url($url));
                 
             }else{
@@ -185 +197 @@
                 $url = add_query_arg( 'redirect_to', $current_page_url, ($redirect_url) );
                 // echo $url;exit;
-                wp_redirect($url);
+                wp_redirect(esc_url($url));
             }             
             exit;

wp-private-content-plus/tags/3.2/classes/class-wppcp-widgets.php

@@ -44 +44 @@
                     $checked = checked( true, in_array( $role, $visible_roles ) , false );
            
-                    $display .= '<input   type="checkbox" name="'.$widget->get_field_name('wppcp_visibility_roles').'[]" id="'.$widget->get_field_id('wppcp_visibility_roles').'" '.$checked.' value="'.$role.'" />
+                    $display .= '<input   type="checkbox" name="'. esc_html($widget->get_field_name('wppcp_visibility_roles')).'[]" id="'.esc_html($widget->get_field_id('wppcp_visibility_roles')).'" '.$checked.' value="'.esc_html($role).'" />
                                     <label for="">
-                                    '.$name .'
+                                    '.esc_html($name) .'
                                 </label><br/>';
     

wp-private-content-plus/tags/3.2/classes/class-wppcp-woocommerce-tab-manager.php

@@ -136 +136 @@
         $post_id = str_replace("wppcp_woo_", "", $key);
         $product_tab = get_post($post_id);
-        echo do_shortcode($product_tab->post_content);
+        echo wp_kses_post(do_shortcode($product_tab->post_content));
     }
 

wp-private-content-plus/tags/3.2/functions.php

@@ -10 +10 @@
     foreach ($query_comp as $param) {
         $params = explode('=', $param);
-        $key = isset($params[0]) ? $params[0] : '';
-        $value = isset($params[1]) ? $params[1] : '';
+        $key = isset($params[0]) ? sanitize_text_field($params[0]) : '';
+        $value = isset($params[1]) ? sanitize_text_field($params[1]) : '';
         $build_url = esc_url_raw(add_query_arg($key, $value, $build_url));
     }
@@ -114 +114 @@
     $wppcp->template_loader->get_template_part('addons','feed');
     $display = ob_get_clean();
-    echo $display;
+    echo wp_kses_post($display);
 }
 
@@ -154 +154 @@
 <?php 
     $display = ob_get_clean();
-    return $display;
+    return wp_kses_post($display);
 }
 

wp-private-content-plus/tags/3.2/readme.txt

@@ -184 +184 @@
 = 3.2 =
 * Fix security issue related to group creation
+* Improve security in all plugin files
 
 = 3.1 =

wp-private-content-plus/tags/3.2/templates/global-password-form.php

@@ -52 +52 @@
     <div class="wppcp_panel_title"><?php echo esc_html($protected_form_header); ?></div>
     <?php if($password_protect_error != ''){ ?>
-        <div class="wppcp_panel_error"><?php echo $password_protect_error; ?></div>
+        <div class="wppcp_panel_error"><?php echo wp_kses_post($password_protect_error); ?></div>
     <?php } ?>
 

wp-private-content-plus/tags/3.2/templates/manage-file-attachments.php

@@ -28 +28 @@
             $message .= ' <a target="_blank" href="https://www.wpexpertdeveloper.com/restrict-pro-post-attachments-and-downloads/?ref=pro-attachments" >'.
                         __('View More','wppcp'). '</a>';
-            echo wppcp_display_pro_info_box($message,'post_meta_boxes_large','wppcp_pro_info_post_attachments');
+            echo wp_kses_post(wppcp_display_pro_info_box($message,'post_meta_boxes_large','wppcp_pro_info_post_attachments'));
  
         }
@@ -48 +48 @@
                         $attached_name = isset($attach_data['name']) ? $attach_data['name'] : '';
                         $attached_desc = isset($attach_data['desc']) ? $attach_data['desc'] : '';
-                        $attached_visibility = isset($attach_data['visibility']) ? $attach_data['visibility'] : 'all';
-                        $attached_download_permission = isset($attach_data['download_permission']) ? $attach_data['download_permission'] : 'all';
+                        $attached_visibility = isset($attach_data['visibility']) ? esc_html($attach_data['visibility']) : 'all';
+                        $attached_download_permission = isset($attach_data['download_permission']) ? esc_html($attach_data['download_permission']) : 'all';
                         $attached_mime = isset($attach_data['mime']) ? $attach_data['mime'] : '';
 
@@ -63 +63 @@
                     <div class='wppcp-attachments-panel-file-single'>
                         <div class='wppcp-attachments-panel-file-left'>
-                            <img src="<?php echo esc_url($attach_image_url); ?>" data-attachment-id="<?php echo $attach_data['attach_id']; ?>" class='wppcp-attachment-preview' />
+                            <img src="<?php echo esc_url($attach_image_url); ?>" data-attachment-id="<?php echo (int) $attach_data['attach_id']; ?>" class='wppcp-attachment-preview' />
                             <div class='wppcp-slider-images-panel-gallery-icons'><?php echo $image_icons; ?></div> 
                         </div>
@@ -69 +69 @@
                             <div class='wppcp-attachments-panel-file-row'>
                                 <div class='wppcp-attachments-panel-file-label'><?php _e('File Name','wppcp'); ?></div>
-                                <div class='wppcp-attachments-panel-file-field'><input type='text' name='wppcp_attachments[<?php echo $attach_data['attach_id']; ?>][name]' value='<?php echo esc_html($attached_name); ?>' /></div>
+                                <div class='wppcp-attachments-panel-file-field'><input type='text' name='wppcp_attachments[<?php echo (int) $attach_data['attach_id']; ?>][name]' value='<?php echo esc_html($attached_name); ?>' /></div>
                             </div>
                             <div class='wppcp-attachments-panel-file-row'>
                                 <div class='wppcp-attachments-panel-file-label'><?php _e('File Description','wppcp'); ?></div>
-                                <div class='wppcp-attachments-panel-file-field'><textarea name='wppcp_attachments[<?php echo $attach_data['attach_id']; ?>][desc]' ><?php echo esc_html($attached_desc); ?></textarea></div>
+                                <div class='wppcp-attachments-panel-file-field'><textarea name='wppcp_attachments[<?php echo (int) $attach_data['attach_id']; ?>][desc]' ><?php echo esc_html($attached_desc); ?></textarea></div>
                             </div>
                             <div class='wppcp-attachments-panel-file-row'>
                                 <div class='wppcp-attachments-panel-file-label'><?php _e('File Visibility','wppcp'); ?></div>
                                 <div class='wppcp-attachments-panel-file-field'>
-                                    <select class='wppcp-attachments-panel-file-visibility' name='wppcp_attachments[<?php echo $attach_data['attach_id']; ?>][visibility]' >
+                                    <select class='wppcp-attachments-panel-file-visibility' name='wppcp_attachments[<?php echo (int) $attach_data['attach_id']; ?>][visibility]' >
                                         <option <?php echo selected($attached_visibility,'all'); ?> value="all"><?php _e('Everyone','wppcp'); ?></option>
                                         <option <?php echo selected($attached_visibility,'guest'); ?> value="guest"><?php _e('Guests','wppcp'); ?></option>
@@ -88 +88 @@
                                 <div class='wppcp-attachments-panel-file-label'><?php _e('Download Permission','wppcp'); ?></div>
                                 <div class='wppcp-attachments-panel-file-field'>
-                                    <select class='wppcp-attachments-panel-file-download-permission' name='wppcp_attachments[<?php echo $attach_data['attach_id']; ?>][download_permission]' >
+                                    <select class='wppcp-attachments-panel-file-download-permission' name='wppcp_attachments[<?php echo (int) $attach_data['attach_id']; ?>][download_permission]' >
                                         <option <?php echo selected($attached_download_permission,'all'); ?> value="all"><?php _e('Everyone','wppcp'); ?></option>
                                         <option <?php echo selected($attached_download_permission,'guest'); ?> value="guest"><?php _e('Guests','wppcp'); ?></option>
@@ -96 +96 @@
                             </div>
                         </div>
-                        <input type="hidden" value="<?php echo esc_html($attached_mime); ?>" name="wppcp_attachments[<?php echo $attach_data['attach_id']; ?>][mime]" />
+                        <input type="hidden" value="<?php echo esc_html($attached_mime); ?>" name="wppcp_attachments[<?php echo (int) $attach_data['attach_id']; ?>][mime]" />
                     </div>
                     

wp-private-content-plus/tags/3.2/templates/plugin-help.php

@@ -12 +12 @@
     <h1><?php echo esc_html($title); ?></h1>
     <div class="about-text">
-        <?php echo $desc; ?>
+        <?php echo wp_kses_post($desc); ?>
     </div>
 

wp-private-content-plus/tags/3.2/templates/post-page-restriction-meta.php

@@ -6 +6 @@
     $post_type = $post->post_type;
 
-    $visibility = get_post_meta( $post->ID, '_wppcp_post_page_visibility', true );
+    $visibility = esc_html(get_post_meta( $post->ID, '_wppcp_post_page_visibility', true ));
     $redirection_url = get_post_meta( $post->ID, '_wppcp_post_page_redirection_url', true );
 
@@ -46 +46 @@
         $message .= ' <a target="_blank" href="https://www.wpexpertdeveloper.com/global-custom-post-type-protection/?ref=pro-cpt" >'.
                     __('View More','wppcp'). '</a>';
-        echo wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_post_restrictions');
+
+        echo wp_kses_post(wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_post_restrictions'));
     } 
 
@@ -53 +54 @@
         $message .= sprintf(__('%sGo PRO%s and add users to user groups or membership levels. Protection rules can be applied on user groups or membership 
             levels instead of selecting users for each post/page','wppcp'), '<strong>','</strong>' );
-        echo wppcp_display_pro_info_box($message,'post_meta_boxes_large','wppcp_pro_info_post_restrictions');
+        echo wp_kses_post(wppcp_display_pro_info_box($message,'post_meta_boxes_large','wppcp_pro_info_post_restrictions'));
     }
 ?>
@@ -85 +86 @@
                 if($role_key != 'administrator'){
             ?>
-            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_post_page_roles[]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_post_page_roles[]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
             <?php } ?>  
         <?php } ?>      
@@ -101 +102 @@
                     $display_name = $user->data->display_name;
             ?>
-                <option value='<?php echo $user_id; ?>' selected ><?php echo $display_name; ?></option>
+                <option value='<?php echo $user_id; ?>' selected ><?php echo esc_html($display_name); ?></option>
             <?php } ?>
         </select>   

wp-private-content-plus/tags/3.2/templates/private-user-page.php

@@ -58 +58 @@
                 $message .= ' <a target="_blank" href="https://www.wpexpertdeveloper.com/private-page-dashboard-users/?ref=pro-private-page" >'.
                             __('View More','wppcp'). '</a>';
-                echo wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_private_page');
+                echo wp_kses_post(wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_private_page'));
             }
         ?>

wp-private-content-plus/tags/3.2/templates/woo-tabs-restriction-meta.php

@@ -6 +6 @@
     $post_type = $post->post_type;
 
-    $visibility = get_post_meta( $post->ID, '_wppcp_woo_tabs_visibility', true );
+    $visibility = esc_html(get_post_meta( $post->ID, '_wppcp_woo_tabs_visibility', true ));
     $redirection_url = get_post_meta( $post->ID, '_wppcp_woo_tabs_redirection_url', true );
 
@@ -49 +49 @@
                 if($role_key != 'administrator'){
             ?>
-            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_woo_tabs_roles[]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_woo_tabs_roles[]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
             <?php } ?>  
         <?php } ?>      

wp-private-content-plus/trunk/admin/templates/admin-menu-visibility.php

@@ -5 +5 @@
     $user_roles = $wppcp->roles_capability->wppcp_user_roles();
 
+    $admin_menu_visibility = esc_html($admin_menu_visibility);
 ?>
 <table class="form-table wppcp-settings-list">
@@ -26 +27 @@
               if($role_key != 'administrator'){
           ?>
-          <input type="checkbox" <?php echo $checked_val; ?> class="wppcp_admin_menu_item_roles" id="wppcp_admin_menu_item_roles" name="wppcp_admin_menu_item_roles[]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+          <input type="checkbox" <?php echo $checked_val; ?> class="wppcp_admin_menu_item_roles" id="wppcp_admin_menu_item_roles" name="wppcp_admin_menu_item_roles[]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
           <?php } ?>  
       <?php } ?>

wp-private-content-plus/trunk/admin/templates/global-page-restriction-settings.php

@@ -59 +59 @@
                                 if($role_key != 'administrator'){
                             ?>
-                            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_global_page_restriction[all_page_user_roles][]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+                            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_global_page_restriction[all_page_user_roles][]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
                             <?php } ?>  
                         <?php } ?>

wp-private-content-plus/trunk/admin/templates/global-post-restriction-settings.php

@@ -59 +59 @@
                                 if($role_key != 'administrator'){
                             ?>
-                            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_global_post_restriction[all_post_user_roles][]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+                            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_global_post_restriction[all_post_user_roles][]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
                             <?php } ?>  
                         <?php } ?>

wp-private-content-plus/trunk/admin/templates/menu-page-container.php

@@ -5 +5 @@
 
 <div class="wrap">
-    <?php echo $tabs; ?>
-    <?php echo $tab_content; ?>
+    <?php echo ($tabs); ?>
+    <?php echo ($tab_content); ?>
 
 </div>

wp-private-content-plus/trunk/admin/templates/password-global-settings.php

@@ -3 +3 @@
     extract($wppcp_password_settings_data);    
         
+    $global_password_protect = esc_html($global_password_protect);
 ?>
 

wp-private-content-plus/trunk/admin/templates/restriction-permission-settings.php

@@ -22 +22 @@
                         if($role_key != 'administrator'){
                     ?>
-                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_feature_restrictions[wppcp_feature_permission_roles][]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_feature_restrictions[wppcp_feature_permission_roles][]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
                     <?php } ?>  
                 <?php } ?>

wp-private-content-plus/trunk/admin/templates/search-general-settings.php

@@ -14 +14 @@
         $message .= ' <a target="_blank" href="https://www.wpexpertdeveloper.com/site-advanced-search-restrictions/?ref=pro-search-settings" >'.
                     __('View More','wppcp'). '</a>';
-        echo wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_search_restrictions');
+        echo wp_kses_post(wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_search_restrictions'));
     }
 ?>

wp-private-content-plus/trunk/admin/templates/search-restrictions.php

@@ -18 +18 @@
         $message .= ' <a target="_blank" href="https://www.wpexpertdeveloper.com/site-advanced-search-restrictions/?ref=pro-search-res" >'.
                     __('View More','wppcp'). '</a>';
-        echo wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_search_restrictions');
+        echo wp_kses_post(wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_search_restrictions'));
     }
 ?>

wp-private-content-plus/trunk/admin/templates/upme-member-list.php

@@ -46 +46 @@
                         if($role_key != 'administrator'){
                     ?>
-                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_upme_member_list[upme_member_list_user_roles][]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_upme_member_list[upme_member_list_user_roles][]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
                     <?php } ?>  
                 <?php } ?>

wp-private-content-plus/trunk/admin/templates/upme-member-profile.php

@@ -46 +46 @@
                         if($role_key != 'administrator'){
                     ?>
-                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_upme_member_profile[upme_member_profile_user_roles][]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_upme_member_profile[upme_member_profile_user_roles][]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
                     <?php } ?>  
                 <?php } ?>

wp-private-content-plus/trunk/admin/templates/upme-search.php

@@ -46 +46 @@
                         if($role_key != 'administrator'){
                     ?>
-                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_upme_search[upme_search_user_roles][]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+                    <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_upme_search[upme_search_user_roles][]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
                     <?php } ?>  
                 <?php } ?>

wp-private-content-plus/trunk/classes/class-wppcp-admin-stats.php

@@ -73 +73 @@
         $individual_protection = array();
         if($results['single_data']['post_count'] > 0){
-            $individual_protection[] = "<span>" . $results['single_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
+            $individual_protection[] = "<span>" . (int) $results['single_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
         }
         if($results['single_data']['page_count'] > 0){
-            $individual_protection[] = "<span>" .$results['single_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
+            $individual_protection[] = "<span>" . (int) $results['single_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
         }
         if($results['single_data']['cpt_count'] > 0){
-            $individual_protection[] = "<span>" .$results['single_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>" ;
+            $individual_protection[] = "<span>" . (int) $results['single_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>" ;
         }
 
@@ -90 +90 @@
         $global_protection = array();
         if($results['global_data']['restrict_all_posts_status'] == '1'){
-            $global_protection[] = "<span>" .$results['global_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
+            $global_protection[] = "<span>" . (int) $results['global_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
         }
         if($results['global_data']['restrict_all_pages_status'] == '1'){
-            $global_protection[] = "<span>" .$results['global_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
+            $global_protection[] = "<span>" . (int) $results['global_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
         }
         
@@ -103 +103 @@
         $password_protection = '';      
         if(isset($results['password_data']['status'])){
-            $password_protection = "<span>" .$results['password_data']['post_count'] . __(' Posts ','wppcp')."</span>"  . " - " .
-                                    "<span>" .$results['password_data']['page_count'] . __(' Pages ','wppcp')."</span>"  ." - " .
-                                    "<span>" .$results['password_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>"  ;
+            $password_protection = "<span>" . (int) $results['password_data']['post_count'] . __(' Posts ','wppcp')."</span>"  . " - " .
+                                    "<span>" . (int) $results['password_data']['page_count'] . __(' Pages ','wppcp')."</span>"  ." - " .
+                                    "<span>" . (int) $results['password_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>"  ;
             $password_protection .= __(' are protected','wppcp');
         
@@ -112 +112 @@
         $menu_protection = '';
         if($results['menu_data']['count'] > 0){
-            $menu_protection = "<span>" .$results['menu_data']['count'] . __(' Menu Items ','wppcp')."</span>"  ;
+            $menu_protection = "<span>" . (int) $results['menu_data']['count'] . __(' Menu Items ','wppcp')."</span>"  ;
             $menu_protection .= __(' are protected','wppcp');
         
@@ -119 +119 @@
         $widget_protection = '';
         if($results['widgets_data']['count'] > 0){
-            $widget_protection = "<span>" .$results['widgets_data']['count'] . __(' Widgets ','wppcp')."</span>"  ;
+            $widget_protection = "<span>" . (int) $results['widgets_data']['count'] . __(' Widgets ','wppcp')."</span>"  ;
             $widget_protection .= __(' are protected','wppcp');
         
@@ -126 +126 @@
         $shortcode_protection = '';
         if($results['shortcode_data']['count'] > 0){
-            $shortcode_protection = "<span>" .$results['shortcode_data']['count'] . __(' Post/Page Content Blocks ','wppcp') ."</span>" ;
+            $shortcode_protection = "<span>" . (int) $results['shortcode_data']['count'] . __(' Post/Page Content Blocks ','wppcp') ."</span>" ;
             $shortcode_protection .= __(' are protected','wppcp');
         
@@ -133 +133 @@
         $private_page_protection = '';
         if($results['private_page_data']['count'] > 0){
-            $private_page_protection = "<span>" .$results['private_page_data']['count'].__(' Users ','wppcp') . "</span>" . __('have private page with protected content. ','wppcp') ."</span>" ;
+            $private_page_protection = "<span>" . (int) $results['private_page_data']['count'].__(' Users ','wppcp') . "</span>" . __('have private page with protected content. ','wppcp') ."</span>" ;
     
         }
@@ -139 +139 @@
         $attachment_protection = array();
         if($results['attachment_data']['post_count'] > 0){
-            $attachment_protection[] = "<span>" .$results['attachment_data']['post_count'] . __(' Post ','wppcp')."</span>" ;
+            $attachment_protection[] = "<span>" . (int) $results['attachment_data']['post_count'] . __(' Post ','wppcp')."</span>" ;
         }
         if($results['attachment_data']['page_count'] > 0){
-            $attachment_protection[] = "<span>" .$results['attachment_data']['page_count'] . __(' Page ','wppcp')."</span>" ;
+            $attachment_protection[] = "<span>" . (int) $results['attachment_data']['page_count'] . __(' Page ','wppcp')."</span>" ;
         }
         if($results['attachment_data']['cpt_count'] > 0){
-            $attachment_protection[] = "<span>" .$results['attachment_data']['cpt_count'] . __(' Custom Post Type ','wppcp')."</span>" ;
+            $attachment_protection[] = "<span>" . (int) $results['attachment_data']['cpt_count'] . __(' Custom Post Type ','wppcp')."</span>" ;
         }
 
@@ -157 +157 @@
         $search_protection = array();
         if($results['search_data']['blocked_posts'] > 0){
-            $search_protection[] = "<span>" .$results['search_data']['blocked_posts'] . __(' Posts ','wppcp')."</span>" ;
+            $search_protection[] = "<span>" . (int) $results['search_data']['blocked_posts'] . __(' Posts ','wppcp')."</span>" ;
         }
         if($results['search_data']['blocked_pages'] > 0){
-            $search_protection[] = "<span>" .$results['search_data']['blocked_pages'] . __(' Pages ','wppcp')."</span>" ;
+            $search_protection[] = "<span>" . (int) $results['search_data']['blocked_pages'] . __(' Pages ','wppcp')."</span>" ;
         }
         $search_protection = implode("-", $search_protection);

wp-private-content-plus/trunk/classes/class-wppcp-ip-restrictions.php

@@ -8 +8 @@
 
     public function validate_ip_restrictions(){
-        global $wppcp,$wp_query,$wppcp_cpt_id;;
+        global $wppcp,$wp_query,$wppcp_cpt_id;
         $private_content_settings  = get_option('wppcp_options');
         if(!isset($private_content_settings['general']['private_content_module_status'])){
@@ -36 +36 @@
                 if($url != ''){
                     $url = rtrim($url , '/');
-                    array_push($filtered_allowed_urls, $url);
+                    array_push($filtered_allowed_urls, esc_url($url));
                 }
             }

wp-private-content-plus/trunk/classes/class-wppcp-posts.php

@@ -20 +20 @@
             $post_json_results = array();
 
-            $query = "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%".$search_text."%' && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='page' order by $wpdb->posts.post_date desc limit 20";
+            $query  = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%s'  && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='page' order by $wpdb->posts.post_date desc limit 20", '%'.$search_text.'%' );
+
+            // $query = "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%".$search_text."%' && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='page' order by $wpdb->posts.post_date desc limit 20";
             $result = $wpdb->get_results($query);
             if($result){
@@ -42 +44 @@
             $post_json_results = array();
 
-            $query = "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%".$search_text."%' && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='post' order by $wpdb->posts.post_date desc limit 20";
+            $query  = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%s'  && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='post' order by $wpdb->posts.post_date desc limit 20", '%'.$search_text.'%' );
             $result = $wpdb->get_results($query);
             if($result){
@@ -66 +68 @@
             $post_json_results = array();
 
-            $query = "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%".$search_text."%' && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='".$post_type."' order by $wpdb->posts.post_date desc limit 20";
+            
+
+            $query  = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE $wpdb->posts.post_title like '%s'  && $wpdb->posts.post_status='publish'  && $wpdb->posts.post_type='%s' order by $wpdb->posts.post_date desc limit 20", '%'.$search_text.'%', $post_type );
+
             $result = $wpdb->get_results($query);
             if($result){

wp-private-content-plus/trunk/classes/class-wppcp-private-content.php

@@ -67 +67 @@
 
             if($result){
-                return stripslashes(do_shortcode($result[0]->content));
+                return (stripslashes(do_shortcode($result[0]->content)));
             }else{
                 return stripslashes(get_option('wppcp_parivate_page_starter_content'));
@@ -1112 +1112 @@
                 if($type != 'none'){
                     $users = isset($_POST['wppcp_bulk_private_page_upload_users']) ? (array) $_POST['wppcp_bulk_private_page_upload_users'] : array();
-
-                    $content = isset($_POST['wppcp_bulk_private_page_upload_content']) ? $_POST['wppcp_bulk_private_page_upload_content'] : '';
+                    
+                    $content = isset($_POST['wppcp_bulk_private_page_upload_content']) ? wp_kses_post($_POST['wppcp_bulk_private_page_upload_content']) : '';
 
                     foreach ($users as $key => $user_id) {

wp-private-content-plus/trunk/classes/class-wppcp-settings.php

@@ -549 +549 @@
 
                         $user_id = isset($_POST['wppcp_user_id']) ? (int) $_POST['wppcp_user_id'] : 0; 
-                        $private_content = isset($_POST['wppcp_private_page_content']) ? ( $_POST['wppcp_private_page_content']) : '';
+                        
+                        $private_content = isset($_POST['wppcp_private_page_content']) ? wp_kses_post( $_POST['wppcp_private_page_content']) : '';
                         $updated_date = date("Y-m-d H:i:s");
                         
@@ -601 +602 @@
         global $wppcp;
 
+        $this->settings = array();
         if(isset($_POST['wppcp_general'])){
             foreach($_POST['wppcp_general'] as $k=>$v){
@@ -609 +611 @@
                     case 'author_post_page_restrictions_status':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
                     case 'post_page_redirect_url':
                         $v = esc_url_raw($v);
-                        break;
-
-                }
-                $this->settings[$k] = $v;
+                        $this->settings[$k] = $v;
+                        break;
+                }                
             }            
         }
@@ -630 +632 @@
     public function save_wppcp_section_information(){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_information'])){
             foreach($_POST['wppcp_information'] as $k=>$v){
@@ -639 +641 @@
                     case 'pro_info_private_page':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }   
 
@@ -670 +673 @@
         global $wppcp;
 
+        $this->settings = array();
         if(isset($_POST['wppcp_global_post_restriction'])){
             foreach($_POST['wppcp_global_post_restriction'] as $k=>$v){
                 switch ($k) {
                     case 'restrict_all_posts_status':
+                        $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
+                        break;
                     case 'all_post_visibility':
                         $v = sanitize_text_field($v);
+                        if(in_array($v, array('all','guest','member','role'))){
+                            $this->settings[$k] = $v;
+                        }
+                        break;
+                    case 'all_post_user_roles':
+                        if(is_array($v)){
+                            $roles_arr = array();
+                            foreach ($v as $user_role_v) {
+                                $roles_arr[] = sanitize_text_field($user_role_v);
+                            } 
+                            $this->settings[$k] =  $roles_arr;
+                        }
+                        
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -693 +713 @@
     public function save_wppcp_section_global_page(){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_global_page_restriction'])){
             foreach($_POST['wppcp_global_page_restriction'] as $k=>$v){
                 switch ($k) {
                     case 'restrict_all_pages_status':
+                        $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
+                        break;
                     case 'all_page_visibility':
                         $v = sanitize_text_field($v);
-                        break;
+                        if(in_array($v, array('all','guest','member','role'))){
+                            $this->settings[$k] = $v;
+                        }
+                        break;
+                    case 'all_page_user_roles':
+                        if(is_array($v)){
+                            $roles_arr = array();
+                            foreach ($v as $user_role_v) {
+                                $roles_arr[] = sanitize_text_field($user_role_v);
+                            } 
+                            $this->settings[$k] =  $roles_arr;
+                        }
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -738 +772 @@
 
     }
-    
-    /* Display private user page add content form */
-    // public function private_user_page(){
-    //     global $wppcp,$wppcp_private_page_params,$wpdb;
-        
-    //     $wppcp_private_page_params = array();
-        
-    //     $this->load_wppcp_select2_scripts_style();
-        
-    //     $private_page_user = 0;
-    //     if($_POST && isset($_POST['wppcp_private_page_user_load']) && ( current_user_can('manage_options') || current_user_can('wppcp_manage_options') ) ){
-    //         $private_page_user = isset($_POST['wppcp_private_page_user']) ? (int) ( $_POST['wppcp_private_page_user'] ) : 0;
-    //         $user = get_user_by( 'id', $private_page_user );
-    //         $wppcp_private_page_params['display_name'] = $user->data->display_name;
-    //         $wppcp_private_page_params['user_id'] = $private_page_user;
-    //     }
-        
-
-        
-    //     if($_POST && isset($_POST['wppcp_private_page_content_submit']) && ( current_user_can('manage_options') || current_user_can('wppcp_manage_options') ) ){
-
-    //         if (isset( $_POST['wppcp_private_page_nonce_field'] ) && wp_verify_nonce( $_POST['wppcp_private_page_nonce_field'], 'wppcp_private_page_nonce' ) ) {
-
-    //             $user_id = isset($_POST['wppcp_user_id']) ? (int) $_POST['wppcp_user_id'] : 0; 
-    //             $private_content = isset($_POST['wppcp_private_page_content']) ? ( $_POST['wppcp_private_page_content']) : '';
-    //             $updated_date = date("Y-m-d H:i:s");
-                
-    //             $sql  = $wpdb->prepare( "SELECT content FROM " . $wpdb->prefix . WPPCP_PRIVATE_CONTENT_TABLE . " WHERE user_id = %d ", $user_id );
-    //             $result = $wpdb->get_results($sql);
-    //             if($result){
-    //                 $sql  = $wpdb->prepare( "Update " . $wpdb->prefix . WPPCP_PRIVATE_CONTENT_TABLE ." set content=%s,updated_at=%s where user_id=%d ", $private_content,$updated_date, $user_id );
-    //             }else{
-    //                 $sql  = $wpdb->prepare( "Insert into " . $wpdb->prefix . WPPCP_PRIVATE_CONTENT_TABLE ."(user_id,content,type,updated_at) values(%d,%s,%s,%s)", $user_id, $private_content, 'ADMIN', $updated_date );
-    //             }
-                
-                
-    //             if($wpdb->query($sql) === FALSE){
-    //                 $wppcp_private_page_params['message'] = __('Private content update failed.','wppcp');
-    //                 $wppcp_private_page_params['message_status'] = FALSE;
-    //             }else{
-    //                 $wppcp_private_page_params['message'] = __('Private content updated successfully.','wppcp');
-    //                 $wppcp_private_page_params['message_status'] = TRUE;
-    //             }        
-    //         }
-    //     }
-        
-    //     $sql  = $wpdb->prepare( "SELECT content FROM " . $wpdb->prefix . WPPCP_PRIVATE_CONTENT_TABLE . " WHERE user_id = %d ", $private_page_user );
-    //     $result = $wpdb->get_results($sql);
-    //     if($result){
-    //         $wppcp_private_page_params['private_content'] = stripslashes($result[0]->content);
-    //     }else{
-    //         $wppcp_private_page_params['private_content'] = '';
-    //     }
-        
-        
-        
-        
-    //     ob_start();
-    //     $wppcp->template_loader->get_template_part('private-user-page');
-    //     $display = ob_get_clean();        
-    //     echo $display;
-    // }
+
     
     /* Load Select 2 library for settings section */
@@ -873 +846 @@
     public function save_wppcp_section_wppcp_permissions(){
         global $wppcp,$wp_roles;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_feature_restrictions'])){
 
@@ -883 +856 @@
                             $v[$key] = sanitize_text_field($value);
                         }
-                        
-                        break;
-
-
-                }
-                $this->settings[$k] = $v;
+                        $this->settings[$k] = $v;                        
+                        break;
+                }                
             }      
                
@@ -994 +964 @@
     public function save_wppcp_section_security_ip(){
         global $wppcp;
-
+        $this->settings = array(); 
         if(isset($_POST['wppcp_security_ip'])){
             foreach($_POST['wppcp_security_ip'] as $k=>$v){
@@ -1000 +970 @@
                     case 'restriction_status':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
                     case 'allowed_urls':
                     case 'whitelisted':
                         $v = sanitize_textarea_field($v);
+                        $this->settings[$k] = $v;
                         break;
                     case 'redirect_url':
                         $v = esc_url_raw($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -1024 +997 @@
     public function save_wppcp_section_search_general(){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_search_general'])){
             foreach($_POST['wppcp_search_general'] as $k=>$v){
@@ -1034 +1007 @@
                            $v[$key] = (int) ($post_id);
                         }
-                        
-                        break;                   
-
-                }
-
-                $this->settings[$k] = $v;
-            }      
-               
+                        $this->settings[$k] = $v;
+                        break;                
+
+                }                
+            }                
         }
         
@@ -1052 +1022 @@
     public function save_wppcp_section_search_restrictions(){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_search_restrictions'])){
             foreach($_POST['wppcp_search_restrictions'] as $k=>$v){
@@ -1062 +1032 @@
                            $v[$key] = sanitize_text_field($post_types);
                         }
-                        
+                        $this->settings[$k] = $v;
                         break;                   
 
                 }
-                $this->settings[$k] = $v;
+                
             } 
 
@@ -1105 +1075 @@
     public function save_wppcp_section_password_global(){
         global $wppcp;
+
+        $this->settings = array();
 
         if(isset($_POST['wppcp_password_global'])){
@@ -1114 +1086 @@
 
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                     case 'password_form_message':
                         $v = wp_kses_post($v);
+                        $this->settings[$k] = $v;
                         break;
 
                     case 'allowed_urls':
                         $v = sanitize_textarea_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -1251 +1226 @@
         global $wppcp;
 
+        $this->settings = array();
         if(isset($_POST['wppcp_upme_general'])){
             foreach($_POST['wppcp_upme_general'] as $k=>$v){
@@ -1257 +1233 @@
                     case 'redirect_to_upme_login':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -1274 +1251 @@
     public function save_wppcp_section_upme_search(){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_upme_search'])){
             foreach($_POST['wppcp_upme_search'] as $k=>$v){
@@ -1280 +1257 @@
                     case 'upme_search_visibility':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -1298 +1276 @@
         global $wppcp;
 
+        $this->settings = array();
         if(isset($_POST['wppcp_upme_member_list'])){
             foreach($_POST['wppcp_upme_member_list'] as $k=>$v){
@@ -1303 +1282 @@
                     case 'upme_member_list_visibility':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -1320 +1300 @@
     public function save_wppcp_section_upme_member_profile(){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_upme_member_profile'])){
             foreach($_POST['wppcp_upme_member_profile'] as $k=>$v){
@@ -1326 +1306 @@
                     case 'upme_member_profile_visibility':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
 
                 }
-                $this->settings[$k] = $v;
+                
             }      
                
@@ -1360 +1341 @@
             $individual_protection = array();
             if($results['single_data']['post_count'] > 0){
-                $individual_protection[] = "<span>" . $results['single_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
+                $individual_protection[] = "<span>" . (int) $results['single_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
             }
             if($results['single_data']['page_count'] > 0){
-                $individual_protection[] = "<span>" .$results['single_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
+                $individual_protection[] = "<span>" . (int) $results['single_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
             }
             if($results['single_data']['cpt_count'] > 0){
-                $individual_protection[] = "<span>" .$results['single_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>" ;
+                $individual_protection[] = "<span>" .(int) $results['single_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>" ;
             }
 
@@ -1377 +1358 @@
             $global_protection = array();
             if($results['global_data']['restrict_all_posts_status'] == '1'){
-                $global_protection[] = "<span>" .$results['global_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
+                $global_protection[] = "<span>" .(int) $results['global_data']['post_count'] . __(' Posts ','wppcp')."</span>" ;
             }
             if($results['global_data']['restrict_all_pages_status'] == '1'){
-                $global_protection[] = "<span>" .$results['global_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
+                $global_protection[] = "<span>" .(int) $results['global_data']['page_count'] . __(' Pages ','wppcp')."</span>" ;
             }
             
@@ -1390 +1371 @@
             $password_protection = '';      
             if(isset($results['password_data']['status'])){
-                $password_protection = "<span>" .$results['password_data']['post_count'] . __(' Posts ','wppcp')."</span>"  . " - " .
-                                        "<span>" .$results['password_data']['page_count'] . __(' Pages ','wppcp')."</span>"  ." - " .
-                                        "<span>" .$results['password_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>"  ;
+                $password_protection = "<span>" .(int) $results['password_data']['post_count'] . __(' Posts ','wppcp')."</span>"  . " - " .
+                                        "<span>" .(int) $results['password_data']['page_count'] . __(' Pages ','wppcp')."</span>"  ." - " .
+                                        "<span>" .(int) $results['password_data']['cpt_count'] . __(' Custom Post Types ','wppcp')."</span>"  ;
                 $password_protection .= __(' are protected','wppcp');
             
@@ -1399 +1380 @@
             $menu_protection = '';
             if($results['menu_data']['count'] > 0){
-                $menu_protection = "<span>" .$results['menu_data']['count'] . __(' Menu Items ','wppcp')."</span>"  ;
+                $menu_protection = "<span>" .(int) $results['menu_data']['count'] . __(' Menu Items ','wppcp')."</span>"  ;
                 $menu_protection .= __(' are protected','wppcp');
             
@@ -1406 +1387 @@
             $widget_protection = '';
             if($results['widgets_data']['count'] > 0){
-                $widget_protection = "<span>" .$results['widgets_data']['count'] . __(' Widgets ','wppcp')."</span>"  ;
+                $widget_protection = "<span>" .(int) $results['widgets_data']['count'] . __(' Widgets ','wppcp')."</span>"  ;
                 $widget_protection .= __(' are protected','wppcp');
             
@@ -1413 +1394 @@
             $shortcode_protection = '';
             if($results['shortcode_data']['count'] > 0){
-                $shortcode_protection = "<span>" .$results['shortcode_data']['count'] . __(' Post/Page Content Blocks ','wppcp') ."</span>" ;
+                $shortcode_protection = "<span>" .(int) $results['shortcode_data']['count'] . __(' Post/Page Content Blocks ','wppcp') ."</span>" ;
                 $shortcode_protection .= __(' are protected','wppcp');
             
@@ -1420 +1401 @@
             $private_page_protection = '';
             if($results['private_page_data']['count'] > 0){
-                $private_page_protection = "<span>" .$results['private_page_data']['count'].__(' Users ','wppcp') . "</span>" . __('have private page with protected content. ','wppcp') ."</span>" ;
+                $private_page_protection = "<span>" .(int) $results['private_page_data']['count'].__(' Users ','wppcp') . "</span>" . __('have private page with protected content. ','wppcp') ."</span>" ;
         
             }
@@ -1426 +1407 @@
             $attachment_protection = array();
             if($results['attachment_data']['post_count'] > 0){
-                $attachment_protection[] = "<span>" .$results['attachment_data']['post_count'] . __(' Post ','wppcp')."</span>" ;
+                $attachment_protection[] = "<span>" .(int) $results['attachment_data']['post_count'] . __(' Post ','wppcp')."</span>" ;
             }
             if($results['attachment_data']['page_count'] > 0){
-                $attachment_protection[] = "<span>" .$results['attachment_data']['page_count'] . __(' Page ','wppcp')."</span>" ;
+                $attachment_protection[] = "<span>" .(int) $results['attachment_data']['page_count'] . __(' Page ','wppcp')."</span>" ;
             }
             if($results['attachment_data']['cpt_count'] > 0){
-                $attachment_protection[] = "<span>" .$results['attachment_data']['cpt_count'] . __(' Custom Post Type ','wppcp')."</span>" ;
+                $attachment_protection[] = "<span>" .(int) $results['attachment_data']['cpt_count'] . __(' Custom Post Type ','wppcp')."</span>" ;
             }
 
@@ -1444 +1425 @@
             $search_protection = array();
             if($results['search_data']['blocked_posts'] > 0){
-                $search_protection[] = "<span>" .$results['search_data']['blocked_posts'] . __(' Posts ','wppcp')."</span>" ;
+                $search_protection[] = "<span>" .(int) $results['search_data']['blocked_posts'] . __(' Posts ','wppcp')."</span>" ;
             }
             if($results['search_data']['blocked_pages'] > 0){
-                $search_protection[] = "<span>" .$results['search_data']['blocked_pages'] . __(' Pages ','wppcp')."</span>" ;
+                $search_protection[] = "<span>" .(int) $results['search_data']['blocked_pages'] . __(' Pages ','wppcp')."</span>" ;
             }
             $search_protection = implode("-", $search_protection);
@@ -1460 +1441 @@
             if($individual_protection != ''){
                 $table .= "<tr><th>". __('Individual Post/Page Protection','wppcp'). "</th>
-                                <td>".$individual_protection."</td>
+                                <td>".esc_html($individual_protection)."</td>
                             </tr>";
                 $protection_count++;
@@ -1467 +1448 @@
             if($global_protection != ''){ 
                 $table .= "<tr><th>". __('Global Post/Page Protection','wppcp'). "</th>
-                                        <td>".$global_protection. "</td>
+                                        <td>".esc_html($global_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1474 +1455 @@
             if($password_protection != ''){ 
                 $table .= "<tr><th>". __('Password Protection','wppcp'). "</th>
-                                        <td>".$password_protection. "</td>
+                                        <td>".esc_html($password_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1481 +1462 @@
             if($menu_protection != ''){ 
                 $table .= "<tr><th>". __('Menu Protection','wppcp'). "</th>
-                                        <td>".$menu_protection. "</td>
+                                        <td>".esc_html($menu_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1488 +1469 @@
             if($widget_protection != ''){ 
                 $table .= "<tr><th>". __('Widget Protection','wppcp'). "</th>
-                                        <td>".$widget_protection. "</td>
+                                        <td>".esc_html($widget_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1495 +1476 @@
             if($shortcode_protection != ''){ 
                 $table .= "<tr><th>". __('Shortcode Protection','wppcp'). "</th>
-                                        <td>".$shortcode_protection. "</td>
+                                        <td>".esc_html($shortcode_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1502 +1483 @@
             if($attachment_protection != ''){
                 $table .= "<tr><th>". __('Attachment Protection','wppcp'). "</th>
-                                        <td>".$attachment_protection. "</td>
+                                        <td>".esc_html($attachment_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1509 +1490 @@
             if($private_page_protection != ''){
                 $table .= "<tr><th>". __('Private Page','wppcp'). "</th>
-                                        <td>".$private_page_protection. "</td>
+                                        <td>".esc_html($private_page_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1516 +1497 @@
             if($search_protection != ''){ 
                 $table .= "<tr><th>". __('Search Protection','wppcp'). "</th>
-                                        <td>".$search_protection. "</td>
+                                        <td>".esc_html($search_protection). "</td>
                                     </tr>";
                 $protection_count++;
@@ -1582 +1563 @@
                       </div>
                       <footer> 
-                        <input id="wppcp_init_version" type="hidden" value="'.$wppcp_init_version.'" />
-                        <input id="wppcp_init_date" type="hidden" value="'.$wppcp_init_date.'" />
+                        <input id="wppcp_init_version" type="hidden" value="'.esc_html($wppcp_init_version).'" />
+                        <input id="wppcp_init_date" type="hidden" value="'.esc_html($wppcp_init_date).'" />
                         <input id="wppcp_init_admin_email" type="hidden" value="'.get_option('admin_email').'" />
                         <input id="wppcp-deactivate-reasons-submit" class="wppcp-modal-btn wppcp-modal-btn-small" type="button" value="'.__('Submit & Deactivate','wppcp').'" />

wp-private-content-plus/trunk/classes/class-wppcp-site-lockdown.php

@@ -75 +75 @@
     public function save_settings($tab,$params){
         global $wppcp;
-
+        $this->settings = array();
         if(isset($_POST['wppcp_site_lockdown'])){
+            
             foreach($_POST['wppcp_site_lockdown'] as $k=>$v){
                 switch ($k) {
-                    case 'allowed_posts':
-                    case 'allowed_pages':
+                    case 'lockdown_allowed_pages':
+                    case 'lockdown_allowed_posts':
+                        if(is_array($v)){
+                            $post_arr = array();
+                            foreach ($v as $post_ids) {
+                                array_push($post_arr, (int) $post_ids);
+                            }
+                            $this->settings[$k] = $post_arr;
+                        }
                         break;
                     case 'lockdown_status':
                         $v = sanitize_text_field($v);
+                        $this->settings[$k] = $v;
                         break;
                     case 'allowed_urls':
                         $v = sanitize_textarea_field($v);
+                        $this->settings[$k] = $v;
                         break;
                     case 'redirect_url':
                         $v = esc_url_raw($v);
+                        $this->settings[$k] = $v;
                         break;
                 }
-                $this->settings[$k] = $v;
-            }              
+                
+            }     
+                     
         }
         
@@ -179 +191 @@
             if('wp-login' == $redirect_url){
                 $url = add_query_arg( 'redirect_to', $current_page_url, wp_login_url() );
-                wp_redirect($url);
+                wp_redirect(esc_url($url));
                 
             }else{
@@ -185 +197 @@
                 $url = add_query_arg( 'redirect_to', $current_page_url, ($redirect_url) );
                 // echo $url;exit;
-                wp_redirect($url);
+                wp_redirect(esc_url($url));
             }             
             exit;

wp-private-content-plus/trunk/classes/class-wppcp-widgets.php

@@ -44 +44 @@
                     $checked = checked( true, in_array( $role, $visible_roles ) , false );
            
-                    $display .= '<input   type="checkbox" name="'.$widget->get_field_name('wppcp_visibility_roles').'[]" id="'.$widget->get_field_id('wppcp_visibility_roles').'" '.$checked.' value="'.$role.'" />
+                    $display .= '<input   type="checkbox" name="'. esc_html($widget->get_field_name('wppcp_visibility_roles')).'[]" id="'.esc_html($widget->get_field_id('wppcp_visibility_roles')).'" '.$checked.' value="'.esc_html($role).'" />
                                     <label for="">
-                                    '.$name .'
+                                    '.esc_html($name) .'
                                 </label><br/>';
     

wp-private-content-plus/trunk/classes/class-wppcp-woocommerce-tab-manager.php

@@ -136 +136 @@
         $post_id = str_replace("wppcp_woo_", "", $key);
         $product_tab = get_post($post_id);
-        echo do_shortcode($product_tab->post_content);
+        echo wp_kses_post(do_shortcode($product_tab->post_content));
     }
 

wp-private-content-plus/trunk/functions.php

@@ -10 +10 @@
     foreach ($query_comp as $param) {
         $params = explode('=', $param);
-        $key = isset($params[0]) ? $params[0] : '';
-        $value = isset($params[1]) ? $params[1] : '';
+        $key = isset($params[0]) ? sanitize_text_field($params[0]) : '';
+        $value = isset($params[1]) ? sanitize_text_field($params[1]) : '';
         $build_url = esc_url_raw(add_query_arg($key, $value, $build_url));
     }
@@ -114 +114 @@
     $wppcp->template_loader->get_template_part('addons','feed');
     $display = ob_get_clean();
-    echo $display;
+    echo wp_kses_post($display);
 }
 
@@ -154 +154 @@
 <?php 
     $display = ob_get_clean();
-    return $display;
+    return wp_kses_post($display);
 }
 

wp-private-content-plus/trunk/readme.txt

@@ -184 +184 @@
 = 3.2 =
 * Fix security issue related to group creation
+* Improve security in all plugin files
 
 = 3.1 =

wp-private-content-plus/trunk/templates/global-password-form.php

@@ -52 +52 @@
     <div class="wppcp_panel_title"><?php echo esc_html($protected_form_header); ?></div>
     <?php if($password_protect_error != ''){ ?>
-        <div class="wppcp_panel_error"><?php echo $password_protect_error; ?></div>
+        <div class="wppcp_panel_error"><?php echo wp_kses_post($password_protect_error); ?></div>
     <?php } ?>
 

wp-private-content-plus/trunk/templates/manage-file-attachments.php

@@ -28 +28 @@
             $message .= ' <a target="_blank" href="https://www.wpexpertdeveloper.com/restrict-pro-post-attachments-and-downloads/?ref=pro-attachments" >'.
                         __('View More','wppcp'). '</a>';
-            echo wppcp_display_pro_info_box($message,'post_meta_boxes_large','wppcp_pro_info_post_attachments');
+            echo wp_kses_post(wppcp_display_pro_info_box($message,'post_meta_boxes_large','wppcp_pro_info_post_attachments'));
  
         }
@@ -48 +48 @@
                         $attached_name = isset($attach_data['name']) ? $attach_data['name'] : '';
                         $attached_desc = isset($attach_data['desc']) ? $attach_data['desc'] : '';
-                        $attached_visibility = isset($attach_data['visibility']) ? $attach_data['visibility'] : 'all';
-                        $attached_download_permission = isset($attach_data['download_permission']) ? $attach_data['download_permission'] : 'all';
+                        $attached_visibility = isset($attach_data['visibility']) ? esc_html($attach_data['visibility']) : 'all';
+                        $attached_download_permission = isset($attach_data['download_permission']) ? esc_html($attach_data['download_permission']) : 'all';
                         $attached_mime = isset($attach_data['mime']) ? $attach_data['mime'] : '';
 
@@ -63 +63 @@
                     <div class='wppcp-attachments-panel-file-single'>
                         <div class='wppcp-attachments-panel-file-left'>
-                            <img src="<?php echo esc_url($attach_image_url); ?>" data-attachment-id="<?php echo $attach_data['attach_id']; ?>" class='wppcp-attachment-preview' />
+                            <img src="<?php echo esc_url($attach_image_url); ?>" data-attachment-id="<?php echo (int) $attach_data['attach_id']; ?>" class='wppcp-attachment-preview' />
                             <div class='wppcp-slider-images-panel-gallery-icons'><?php echo $image_icons; ?></div> 
                         </div>
@@ -69 +69 @@
                             <div class='wppcp-attachments-panel-file-row'>
                                 <div class='wppcp-attachments-panel-file-label'><?php _e('File Name','wppcp'); ?></div>
-                                <div class='wppcp-attachments-panel-file-field'><input type='text' name='wppcp_attachments[<?php echo $attach_data['attach_id']; ?>][name]' value='<?php echo esc_html($attached_name); ?>' /></div>
+                                <div class='wppcp-attachments-panel-file-field'><input type='text' name='wppcp_attachments[<?php echo (int) $attach_data['attach_id']; ?>][name]' value='<?php echo esc_html($attached_name); ?>' /></div>
                             </div>
                             <div class='wppcp-attachments-panel-file-row'>
                                 <div class='wppcp-attachments-panel-file-label'><?php _e('File Description','wppcp'); ?></div>
-                                <div class='wppcp-attachments-panel-file-field'><textarea name='wppcp_attachments[<?php echo $attach_data['attach_id']; ?>][desc]' ><?php echo esc_html($attached_desc); ?></textarea></div>
+                                <div class='wppcp-attachments-panel-file-field'><textarea name='wppcp_attachments[<?php echo (int) $attach_data['attach_id']; ?>][desc]' ><?php echo esc_html($attached_desc); ?></textarea></div>
                             </div>
                             <div class='wppcp-attachments-panel-file-row'>
                                 <div class='wppcp-attachments-panel-file-label'><?php _e('File Visibility','wppcp'); ?></div>
                                 <div class='wppcp-attachments-panel-file-field'>
-                                    <select class='wppcp-attachments-panel-file-visibility' name='wppcp_attachments[<?php echo $attach_data['attach_id']; ?>][visibility]' >
+                                    <select class='wppcp-attachments-panel-file-visibility' name='wppcp_attachments[<?php echo (int) $attach_data['attach_id']; ?>][visibility]' >
                                         <option <?php echo selected($attached_visibility,'all'); ?> value="all"><?php _e('Everyone','wppcp'); ?></option>
                                         <option <?php echo selected($attached_visibility,'guest'); ?> value="guest"><?php _e('Guests','wppcp'); ?></option>
@@ -88 +88 @@
                                 <div class='wppcp-attachments-panel-file-label'><?php _e('Download Permission','wppcp'); ?></div>
                                 <div class='wppcp-attachments-panel-file-field'>
-                                    <select class='wppcp-attachments-panel-file-download-permission' name='wppcp_attachments[<?php echo $attach_data['attach_id']; ?>][download_permission]' >
+                                    <select class='wppcp-attachments-panel-file-download-permission' name='wppcp_attachments[<?php echo (int) $attach_data['attach_id']; ?>][download_permission]' >
                                         <option <?php echo selected($attached_download_permission,'all'); ?> value="all"><?php _e('Everyone','wppcp'); ?></option>
                                         <option <?php echo selected($attached_download_permission,'guest'); ?> value="guest"><?php _e('Guests','wppcp'); ?></option>
@@ -96 +96 @@
                             </div>
                         </div>
-                        <input type="hidden" value="<?php echo esc_html($attached_mime); ?>" name="wppcp_attachments[<?php echo $attach_data['attach_id']; ?>][mime]" />
+                        <input type="hidden" value="<?php echo esc_html($attached_mime); ?>" name="wppcp_attachments[<?php echo (int) $attach_data['attach_id']; ?>][mime]" />
                     </div>
                     

wp-private-content-plus/trunk/templates/plugin-help.php

@@ -12 +12 @@
     <h1><?php echo esc_html($title); ?></h1>
     <div class="about-text">
-        <?php echo $desc; ?>
+        <?php echo wp_kses_post($desc); ?>
     </div>
 

wp-private-content-plus/trunk/templates/post-page-restriction-meta.php

@@ -6 +6 @@
     $post_type = $post->post_type;
 
-    $visibility = get_post_meta( $post->ID, '_wppcp_post_page_visibility', true );
+    $visibility = esc_html(get_post_meta( $post->ID, '_wppcp_post_page_visibility', true ));
     $redirection_url = get_post_meta( $post->ID, '_wppcp_post_page_redirection_url', true );
 
@@ -46 +46 @@
         $message .= ' <a target="_blank" href="https://www.wpexpertdeveloper.com/global-custom-post-type-protection/?ref=pro-cpt" >'.
                     __('View More','wppcp'). '</a>';
-        echo wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_post_restrictions');
+
+        echo wp_kses_post(wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_post_restrictions'));
     } 
 
@@ -53 +54 @@
         $message .= sprintf(__('%sGo PRO%s and add users to user groups or membership levels. Protection rules can be applied on user groups or membership 
             levels instead of selecting users for each post/page','wppcp'), '<strong>','</strong>' );
-        echo wppcp_display_pro_info_box($message,'post_meta_boxes_large','wppcp_pro_info_post_restrictions');
+        echo wp_kses_post(wppcp_display_pro_info_box($message,'post_meta_boxes_large','wppcp_pro_info_post_restrictions'));
     }
 ?>
@@ -85 +86 @@
                 if($role_key != 'administrator'){
             ?>
-            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_post_page_roles[]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_post_page_roles[]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
             <?php } ?>  
         <?php } ?>      
@@ -101 +102 @@
                     $display_name = $user->data->display_name;
             ?>
-                <option value='<?php echo $user_id; ?>' selected ><?php echo $display_name; ?></option>
+                <option value='<?php echo $user_id; ?>' selected ><?php echo esc_html($display_name); ?></option>
             <?php } ?>
         </select>   

wp-private-content-plus/trunk/templates/private-user-page.php

@@ -58 +58 @@
                 $message .= ' <a target="_blank" href="https://www.wpexpertdeveloper.com/private-page-dashboard-users/?ref=pro-private-page" >'.
                             __('View More','wppcp'). '</a>';
-                echo wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_private_page');
+                echo wp_kses_post(wppcp_display_pro_info_box($message,'post_meta_boxes','wppcp_pro_info_private_page'));
             }
         ?>

wp-private-content-plus/trunk/templates/woo-tabs-restriction-meta.php

@@ -6 +6 @@
     $post_type = $post->post_type;
 
-    $visibility = get_post_meta( $post->ID, '_wppcp_woo_tabs_visibility', true );
+    $visibility = esc_html(get_post_meta( $post->ID, '_wppcp_woo_tabs_visibility', true ));
     $redirection_url = get_post_meta( $post->ID, '_wppcp_woo_tabs_redirection_url', true );
 
@@ -49 +49 @@
                 if($role_key != 'administrator'){
             ?>
-            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_woo_tabs_roles[]" value='<?php echo $role_key; ?>'><?php echo $role; ?><br/>
+            <input type="checkbox" <?php echo $checked_val; ?> name="wppcp_woo_tabs_roles[]" value='<?php echo $role_key; ?>'><?php echo esc_html($role); ?><br/>
             <?php } ?>  
         <?php } ?>