Changeset 2562230

Timestamp:

07/11/2021 11:44:30 AM (5 years ago)

Author:

RPG84

Message:

4.6.60

• Escaped all echo's of variables

Location:

tradetracker-store

Files:

• tags/4.6.59 (added)
• tags/4.6.59/Tradetracker-Store.php (added)
• tags/4.6.59/cache (added)
• tags/4.6.59/css (added)
• tags/4.6.59/css/base-jquery-ui.css (added)
• tags/4.6.59/css/black-tie-jquery-ui.css (added)
• tags/4.6.59/css/blitzer-jquery-ui.css (added)
• tags/4.6.59/css/cupertino-jquery-ui.css (added)
• tags/4.6.59/css/dark-hive-jquery-ui.css (added)
• tags/4.6.59/css/dot-luv-jquery-ui.css (added)
• tags/4.6.59/css/eggplant-jquery-ui.css (added)
• tags/4.6.59/css/excite-bike-jquery-ui.css (added)
• tags/4.6.59/css/flick-jquery-ui.css (added)
• tags/4.6.59/css/hot-sneaks-jquery-ui.css (added)
• tags/4.6.59/css/humanity-jquery-ui.css (added)
• tags/4.6.59/css/le-frog-jquery-ui.css (added)
• tags/4.6.59/css/mint-choc-jquery-ui.css (added)
• tags/4.6.59/css/overcast-jquery-ui.css (added)
• tags/4.6.59/css/pepper-grinder-jquery-ui.css (added)
• tags/4.6.59/css/redmond-jquery-ui.css (added)
• tags/4.6.59/css/smoothness-jquery-ui.css (added)
• tags/4.6.59/css/south-street-jquery-ui.css (added)
• tags/4.6.59/css/start-jquery-ui.css (added)
• tags/4.6.59/css/sunny-jquery-ui.css (added)
• tags/4.6.59/css/swanky-purse-jquery-ui.css (added)
• tags/4.6.59/css/trontastic-jquery-ui.css (added)
• tags/4.6.59/css/ui-darkness-jquery-ui.css (added)
• tags/4.6.59/css/ui-lightness-jquery-ui.css (added)
• tags/4.6.59/css/vader-jquery-ui.css (added)
• tags/4.6.59/debug.php (added)
• tags/4.6.59/front.php (added)
• tags/4.6.59/functions.php (added)
• tags/4.6.59/images (added)
• tags/4.6.59/images/No_image.png (added)
• tags/4.6.59/images/ajax-loader.gif (added)
• tags/4.6.59/images/more.png (added)
• tags/4.6.59/import (added)
• tags/4.6.59/import/database.php (added)
• tags/4.6.59/import/xml.php (added)
• tags/4.6.59/import/xmlsplit.php (added)
• tags/4.6.59/js (added)
• tags/4.6.59/js/expand.js (added)
• tags/4.6.59/menu (added)
• tags/4.6.59/menu/expand.js (added)
• tags/4.6.59/menu/faq.php (added)
• tags/4.6.59/menu/images (added)
• tags/4.6.59/menu/images/Premium-addons.png (added)
• tags/4.6.59/menu/images/add-edit-stores.png (added)
• tags/4.6.59/menu/images/debug.png (added)
• tags/4.6.59/menu/images/enhanced-distribution.png (added)
• tags/4.6.59/menu/images/item-selection.png (added)
• tags/4.6.59/menu/images/kruisje.png (added)
• tags/4.6.59/menu/images/layout-settings.png (added)
• tags/4.6.59/menu/images/more.png (added)
• tags/4.6.59/menu/images/overlay.png (added)
• tags/4.6.59/menu/images/product-page.png (added)
• tags/4.6.59/menu/images/screenshot-1.png (added)
• tags/4.6.59/menu/images/tb-close.png (added)
• tags/4.6.59/menu/images/vinkje.png (added)
• tags/4.6.59/menu/images/xml-feed-options.png (added)
• tags/4.6.59/menu/itemselect.php (added)
• tags/4.6.59/menu/layout.php (added)
• tags/4.6.59/menu/main.js (added)
• tags/4.6.59/menu/menu.css (added)
• tags/4.6.59/menu/menu.php (added)
• tags/4.6.59/menu/news.php (added)
• tags/4.6.59/menu/pluginsettings.php (added)
• tags/4.6.59/menu/premium.php (added)
• tags/4.6.59/menu/releaselog.php (added)
• tags/4.6.59/menu/search.php (added)
• tags/4.6.59/menu/showlayout.php (added)
• tags/4.6.59/menu/store.php (added)
• tags/4.6.59/menu/style.css (added)
• tags/4.6.59/menu/xmlfeed.php (added)
• tags/4.6.59/menu/xmloption.php (added)
• tags/4.6.59/readme.txt (added)
• tags/4.6.59/screenshot-1.png (added)
• tags/4.6.59/screenshot-2.png (added)
• tags/4.6.59/screenshot-3.png (added)
• tags/4.6.59/splits (added)
• tags/4.6.59/tinymce (added)
• tags/4.6.59/tinymce/cart.png (added)
• tags/4.6.59/tinymce/test.js (added)
• tags/4.6.59/tinymce/tinyTT.php (added)
• tags/4.6.59/tinymce/tinymce.php (added)
• tags/4.6.59/tinymce/ttmce.js (added)
• tags/4.6.59/translation (added)
• tags/4.6.59/translation/default.mo (added)
• tags/4.6.59/translation/default.po (added)
• tags/4.6.59/translation/tradetracker-store-nl_NL.mo (added)
• tags/4.6.59/translation/tradetracker-store-nl_NL.po (added)
• tags/4.6.59/translation/ttstore-nl_NL.mo (added)
• tags/4.6.59/translation/ttstore-nl_NL.po (added)
• tags/4.6.59/uninstall.php (added)
• tags/4.6.59/upgrading.php (added)
• tags/4.6.59/widget (added)
• tags/4.6.59/widget/widget.php (added)
• tags/4.6.60 (added)
• tags/4.6.60/Tradetracker-Store.php (added)
• tags/4.6.60/cache (added)
• tags/4.6.60/css (added)
• tags/4.6.60/css/base-jquery-ui.css (added)
• tags/4.6.60/css/black-tie-jquery-ui.css (added)
• tags/4.6.60/css/blitzer-jquery-ui.css (added)
• tags/4.6.60/css/cupertino-jquery-ui.css (added)
• tags/4.6.60/css/dark-hive-jquery-ui.css (added)
• tags/4.6.60/css/dot-luv-jquery-ui.css (added)
• tags/4.6.60/css/eggplant-jquery-ui.css (added)
• tags/4.6.60/css/excite-bike-jquery-ui.css (added)
• tags/4.6.60/css/flick-jquery-ui.css (added)
• tags/4.6.60/css/hot-sneaks-jquery-ui.css (added)
• tags/4.6.60/css/humanity-jquery-ui.css (added)
• tags/4.6.60/css/le-frog-jquery-ui.css (added)
• tags/4.6.60/css/mint-choc-jquery-ui.css (added)
• tags/4.6.60/css/overcast-jquery-ui.css (added)
• tags/4.6.60/css/pepper-grinder-jquery-ui.css (added)
• tags/4.6.60/css/redmond-jquery-ui.css (added)
• tags/4.6.60/css/smoothness-jquery-ui.css (added)
• tags/4.6.60/css/south-street-jquery-ui.css (added)
• tags/4.6.60/css/start-jquery-ui.css (added)
• tags/4.6.60/css/sunny-jquery-ui.css (added)
• tags/4.6.60/css/swanky-purse-jquery-ui.css (added)
• tags/4.6.60/css/trontastic-jquery-ui.css (added)
• tags/4.6.60/css/ui-darkness-jquery-ui.css (added)
• tags/4.6.60/css/ui-lightness-jquery-ui.css (added)
• tags/4.6.60/css/vader-jquery-ui.css (added)
• tags/4.6.60/debug.php (added)
• tags/4.6.60/front.php (added)
• tags/4.6.60/functions.php (added)
• tags/4.6.60/images (added)
• tags/4.6.60/images/No_image.png (added)
• tags/4.6.60/images/ajax-loader.gif (added)
• tags/4.6.60/images/more.png (added)
• tags/4.6.60/import (added)
• tags/4.6.60/import/database.php (added)
• tags/4.6.60/import/xml.php (added)
• tags/4.6.60/import/xmlsplit.php (added)
• tags/4.6.60/js (added)
• tags/4.6.60/js/expand.js (added)
• tags/4.6.60/menu (added)
• tags/4.6.60/menu/expand.js (added)
• tags/4.6.60/menu/faq.php (added)
• tags/4.6.60/menu/images (added)
• tags/4.6.60/menu/images/Premium-addons.png (added)
• tags/4.6.60/menu/images/add-edit-stores.png (added)
• tags/4.6.60/menu/images/debug.png (added)
• tags/4.6.60/menu/images/enhanced-distribution.png (added)
• tags/4.6.60/menu/images/item-selection.png (added)
• tags/4.6.60/menu/images/kruisje.png (added)
• tags/4.6.60/menu/images/layout-settings.png (added)
• tags/4.6.60/menu/images/more.png (added)
• tags/4.6.60/menu/images/overlay.png (added)
• tags/4.6.60/menu/images/product-page.png (added)
• tags/4.6.60/menu/images/screenshot-1.png (added)
• tags/4.6.60/menu/images/tb-close.png (added)
• tags/4.6.60/menu/images/vinkje.png (added)
• tags/4.6.60/menu/images/xml-feed-options.png (added)
• tags/4.6.60/menu/itemselect.php (added)
• tags/4.6.60/menu/layout.php (added)
• tags/4.6.60/menu/main.js (added)
• tags/4.6.60/menu/menu.css (added)
• tags/4.6.60/menu/menu.php (added)
• tags/4.6.60/menu/news.php (added)
• tags/4.6.60/menu/pluginsettings.php (added)
• tags/4.6.60/menu/premium.php (added)
• tags/4.6.60/menu/releaselog.php (added)
• tags/4.6.60/menu/search.php (added)
• tags/4.6.60/menu/showlayout.php (added)
• tags/4.6.60/menu/store.php (added)
• tags/4.6.60/menu/style.css (added)
• tags/4.6.60/menu/xmlfeed.php (added)
• tags/4.6.60/menu/xmloption.php (added)
• tags/4.6.60/readme.txt (added)
• tags/4.6.60/screenshot-1.png (added)
• tags/4.6.60/screenshot-2.png (added)
• tags/4.6.60/screenshot-3.png (added)
• tags/4.6.60/splits (added)
• tags/4.6.60/tinymce (added)
• tags/4.6.60/tinymce/cart.png (added)
• tags/4.6.60/tinymce/test.js (added)
• tags/4.6.60/tinymce/tinyTT.php (added)
• tags/4.6.60/tinymce/tinymce.php (added)
• tags/4.6.60/tinymce/ttmce.js (added)
• tags/4.6.60/translation (added)
• tags/4.6.60/translation/default.mo (added)
• tags/4.6.60/translation/default.po (added)
• tags/4.6.60/translation/tradetracker-store-nl_NL.mo (added)
• tags/4.6.60/translation/tradetracker-store-nl_NL.po (added)
• tags/4.6.60/translation/ttstore-nl_NL.mo (added)
• tags/4.6.60/translation/ttstore-nl_NL.po (added)
• tags/4.6.60/uninstall.php (added)
• tags/4.6.60/upgrading.php (added)
• tags/4.6.60/widget (added)
• tags/4.6.60/widget/widget.php (added)
• trunk/Tradetracker-Store.php (modified) (2 diffs)
• trunk/debug.php (modified) (16 diffs)
• trunk/front.php (modified) (16 diffs)
• trunk/functions.php (modified) (7 diffs)
• trunk/import/database.php (modified) (4 diffs)
• trunk/import/xmlsplit.php (modified) (2 diffs)
• trunk/js/expand.js (modified) (1 diff)
• trunk/menu/expand.js (modified) (1 diff)
• trunk/menu/faq.php (modified) (1 diff)
• trunk/menu/itemselect.php (modified) (17 diffs)
• trunk/menu/layout.php (modified) (17 diffs)
• trunk/menu/menu.css (modified) (1 diff)
• trunk/menu/menu.php (modified) (8 diffs)
• trunk/menu/news.php (modified) (1 diff)
• trunk/menu/pluginsettings.php (modified) (21 diffs)
• trunk/menu/premium.php (modified) (6 diffs)
• trunk/menu/releaselog.php (modified) (1 diff)
• trunk/menu/search.php (modified) (6 diffs)
• trunk/menu/showlayout.php (modified) (2 diffs)
• trunk/menu/store.php (modified) (29 diffs)
• trunk/menu/xmlfeed.php (modified) (12 diffs)
• trunk/menu/xmloption.php (modified) (11 diffs)
• trunk/readme.txt (modified) (2 diffs)
• trunk/tinymce/tinyTT.php (modified) (1 diff)
• trunk/upgrading.php (modified) (1 diff)
• trunk/widget/widget.php (modified) (1 diff)

tradetracker-store/trunk/Tradetracker-Store.php

@@ -3 +3 @@
 * Plugin Name: Tradetracker-Store
 * Plugin URI: https://wpaffiliatefeed.com
-* Version: 4.6.59
+* Version: 4.6.60
 * Description: A Plugin that will add a TradeTracker affiliate feed to your site with several options to choose from.
 * Author: Robert Braam
@@ -13 +13 @@
 global $wpdb;
 $TT_Storepro_table_prefix=$wpdb->prefix.'tradetracker_';
+define( 'TT_STORE_pluginurl', plugin_dir_url( __FILE__ ) );
 define( 'TT_STORE_pluginpath', plugin_dir_path( __FILE__ ) );
 define('TT_StorePRO_TABLE_PREFIX', $TT_Storepro_table_prefix);

tradetracker-store/trunk/debug.php

@@ -16 +16 @@
 
 <div  id="TB_overlay" class="TB_overlayBG"></div>
-<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo $adminwidth; ?>px;">
+<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo esc_attr($adminwidth); ?>px;">
     <div id="ttstorebox">
         <div id="TB_title">
@@ -26 +26 @@
             </div>
         </div>
-        <div id="ttstoreboxoptions" style="max-height:<?php echo $adminheight; ?>px;">
+        <div id="ttstoreboxoptions" style="max-height:<?php echo esc_attr($adminheight); ?>px;">
 <?php
     echo "<strong>";
@@ -87 +87 @@
         _e('Premium gives this error:', 'tradetracker-store'); 
         echo " ";
-        echo $response->get_error_message();;
+        echo esc_attr($response->get_error_message());
         echo "</font><br>";
     } else { 
@@ -119 +119 @@
         echo "</strong><br>";
         foreach ( $head_footer_errors as $error )
-        echo '<font color=red>' . esc_html( $error ) . '</font><br>';
+        echo '<font color=red>' . wp_kses_post($error ) . '</font><br>';
     } else {
         echo "<p><strong>";
@@ -142 +142 @@
     foreach ( $storetableoverview as $overview ) 
     {
-        echo "<tr><td>".$overview->Field."</td>";
-        echo "<td>".$overview->Type."</td></tr>";       
+        echo "<tr><td>".esc_attr($overview->Field)."</td>";
+        echo "<td>".esc_attr($overview->Type)."</td></tr>";     
     }   
     echo "</table>";
@@ -159 +159 @@
     foreach ( $multitableoverview as $overview ) 
     {
-        echo "<tr><td>".$overview->Field."</td>";
-        echo "<td>".$overview->Type."</td></tr>";       
+        echo "<tr><td>".esc_attr($overview->Field)."</td>";
+        echo "<td>".esc_attr($overview->Type)."</td></tr>";     
     }   
     echo "</table>";
@@ -176 +176 @@
     foreach ( $extratableoverview as $overview ) 
     {
-        echo "<tr><td>".$overview->Field."</td>";
-        echo "<td>".$overview->Type."</td></tr>";       
+        echo "<tr><td>".esc_attr($overview->Field)."</td>";
+        echo "<td>".esc_attr($overview->Type)."</td></tr>";     
     }   
     echo "</table>";
@@ -193 +193 @@
     foreach ( $layouttableoverview as $overview ) 
     {
-        echo "<tr><td>".$overview->Field."</td>";
-        echo "<td>".$overview->Type."</td></tr>";       
+        echo "<tr><td>".esc_attr($overview->Field)."</td>";
+        echo "<td>".esc_attr($overview->Type)."</td></tr>";     
     }   
     echo "</table>";
@@ -211 +211 @@
     foreach ( $itemtableoverview as $overview ) 
     {
-        echo "<tr><td>".$overview->Field."</td>";
-        echo "<td>".$overview->Type."</td></tr>";       
+        echo "<tr><td>".esc_attr($overview->Field)."</td>";
+        echo "<td>".esc_attr($overview->Type)."</td></tr>";     
     }   
     echo "</table>";
@@ -228 +228 @@
     foreach ( $xmltableoverview as $overview ) 
     {
-        echo "<tr><td>".$overview->Field."</td>";
-        echo "<td>".$overview->Type."</td></tr>";       
+        echo "<tr><td>".esc_attr($overview->Field)."</td>";
+        echo "<td>".esc_attr($overview->Type)."</td></tr>";     
     }   
     echo "</table>";
@@ -245 +245 @@
     foreach ( $cattableoverview as $overview ) 
     {
-        echo "<tr><td>".$overview->Field."</td>";
-        echo "<td>".$overview->Type."</td></tr>";       
+        echo "<tr><td>".esc_attr($overview->Field)."</td>";
+        echo "<td>".esc_attr($overview->Type)."</td></tr>";     
     }   
     echo "</table>";
@@ -255 +255 @@
     echo "</strong>";
     echo "<p>";
-    echo $ttmemoryusage;
+    echo wp_kses_post($ttmemoryusage);
     
 
@@ -269 +269 @@
 function ttstoreerrordetect($show) {
     global $head_footer_errors;
-    $foldersplits = plugin_dir_path( __FILE__ )."splits/";
-    $foldercache = plugin_dir_path( __FILE__ )."cache/";
+    $foldersplits = TT_STORE_plugipath."splits/";
+    $foldercache = TT_STORE_plugipath."cache/";
 
     $tterror = "no";
@@ -298 +298 @@
     if ($tterror == "yes"){
         $warning = __('Error detected in TradeTracker Store plugin, please see <a href=admin.php?page=tt-store&option=debug>debug page</a>','tradetracker-store');
-        add_action('admin_notices', create_function( '', "echo \"<div class='error'><p>$warning</p></div>\";" ) );
+        add_action('admin_notices', create_function( '', "echo \"<div class='error'><p>esc_attr($warning)</p></div>\";" ) );
         if($show=="yes"){
             return "yes";
@@ -362 +362 @@
     $updatebgtext = __('Run update in background','tradetracker-store');
     $resettext = __('Restart import','tradetracker-store');
-    echo "<div class=\"updated\"><p><strong>".$update." ".get_option("Tradetracker_xml_update")." | ".get_option("Tradetracker_feedsimported")." | <a href=\"admin.php?page=tt-store&update=yes\">".$updatetext."</a> | <a href=\"admin.php?page=tt-store&bgupdate=yes\">".$updatebgtext."</a> | <a href=\"admin.php?page=tt-store&reset=yes\">".$resettext."</a></strong></p></div>";
+    echo "<div class=\"updated\"><p><strong>".esc_attr($update)." ".get_option("Tradetracker_xml_update")." | ".get_option("Tradetracker_feedsimported")." | <a href=\"admin.php?page=tt-store&update=yes\">".esc_attr($updatetext)."</a> | <a href=\"admin.php?page=tt-store&bgupdate=yes\">".esc_attr($updatebgtext)."</a> | <a href=\"admin.php?page=tt-store&reset=yes\">".esc_attr($resettext)."</a></strong></p></div>";
     $errorfile = get_option("Tradetracker_importerror");
     if(!empty($errorfile)){
@@ -369 +369 @@
         $osmessage =  __('<strong>The following XML splits gave an error or were empty during the last import. So they are possibly not imported. More information about this can be found <a href="http://wpaffiliatefeed.com/624/frequently-asked-questions/my-import-gives-an-error/">here</a> </strong>','tradetracker-store');
         $osmessage .= str_replace($oldvalue,$newvalue,$errorfile);
-        echo "<div class='error'>".$osmessage." <a href=\"admin.php?page=tt-store&errordel=yes\">Close</a></div>";
+        echo "<div class='error'>".esc_attr($osmessage)." <a href=\"admin.php?page=tt-store&errordel=yes\">Close</a></div>";
     }
 }

tradetracker-store/trunk/front.php

@@ -4 +4 @@
 ..--==[ Function to add the stylesheet for the store ]==--.. 
 */
+add_filter( 'wp_kses_allowed_html', 'prefix_filter_allowed_html', 10, 2 );
+/**
+     * Add "onclick" to allowed KSES output.
+     *
+     * @param $allowed
+     * @param $context
+     * @return mixed
+     */
+function prefix_filter_allowed_html( $allowed, $context ) {
+    if ( 'post' === $context ) {
+        $allowed['a']['onclick'] = true;
+    }
+
+    return $allowed;
+}
 function TTstore_scripts() { 
         wp_enqueue_script( 'jquery' );
@@ -13 +28 @@
         wp_localize_script( 'ttstoreexpand-script', 'ttstoreexpand_object',
         array( 
-            'imgurl' => plugin_dir_url( __FILE__ ).'/images/more.png'
+            'imgurl' => TT_STORE_pluginurl.'/images/more.png'
 ));
     $ttsliderenable = get_option("Tradetracker_sliderenable");
@@ -58 +73 @@
     }
     if(get_option("Tradetracker_usecss") == "1"){
-        //echo "<link rel=\"stylesheet\" href=\"".get_option('Tradetracker_csslink')."\" type=\"text/css\" />";
+        //echo "<link rel=\"stylesheet\" href=\"".esc_url(get_option('Tradetracker_csslink'))."\" type=\"text/css\" />";
         //echo "<link href=\"http://ajax.googleapis.com/ajax/libs/jqueryui/1.10.1/themes/".$ttslidertheme."/jquery-ui.css\" rel=\"stylesheet\" type=\"text/css\"/>";
 
@@ -67 +82 @@
     global $ttstorelayouttable;
     global $ttstoremultitable;
-    $style .= "<style type=\"text/css\" media=\"screen\">";
+    echo "<style type=\"text/css\" media=\"screen\">";
     $multi=$wpdb->get_results("SELECT multiname, laywidth, layfont, layfontsize, laycolortitle, laycolorbuttonfont, laycolorbutton, laycolorborder, laycolorfooter, laycolorimagebg, laycolorfont FROM ".$ttstoremultitable.",".$ttstorelayouttable." where ".$ttstoremultitable.".multilayout=".$ttstorelayouttable.".id");
     foreach ($multi as $multi_val){
@@ -150 +165 @@
         
     }
-    $style .= "\n.cleared {border: medium none;clear: both;float: none;font-size: 1px;margin: 0;padding: 0;}";
-    $style .= "\n.ttstorelink a { font-size:0px; }";
-    $style .= "</style>";
-    echo $style;
+    $style .= "\n.ttstore_moreinfo{display:none;}";
+    echo  wp_filter_nohtml_kses($style);
+    echo "\n.cleared {border: medium none;clear: both;float: none;font-size: 1px;margin: 0;padding: 0;}";
+    echo "\n.ttstorelink a { font-size:0px; }";
+    echo  "</style>";
+
     }
 }
@@ -207 +224 @@
     if(isset($_GET['ipp'])){
         if(is_numeric($_GET['ipp']) && $_GET['ipp'] > "0"){
-            $itemsperpage = $_GET['ipp'];
+            $itemsperpage = ttstore_sanitize($_GET['ipp']);
         } else {
             $itemsperpage = $wpdb->get_var( "SELECT multipageamount FROM $ttstoremultitable where id='".$winkelvol."';"  );
@@ -226 +243 @@
     }
     if(isset($_GET['multisorting'])){
-        $userperpage .= "<input type=\"hidden\" value=\"".esc_attr($_GET['multisorting'])."\" name=\"multisorting\">";
+        $userperpage .= "<input type=\"hidden\" value=\"".ttstore_sanitize($_GET['multisorting'])."\" name=\"multisorting\">";
     }
     if(isset($_GET['multiorder'])){
-        $userperpage .= "<input type=\"hidden\" value=\"".esc_attr($_GET['multiorder'])."\" name=\"multiorder\">";
+        $userperpage .= "<input type=\"hidden\" value=\"".ttstore_sanitize($_GET['multiorder'])."\" name=\"multiorder\">";
     }
     $userperpage .= __('Items per page: ','tradetracker-store');
@@ -281 +298 @@
     if(isset($_GET['ipp'])){
         if(is_numeric($_GET['ipp']) && $_GET['ipp'] > "0" ){
-            $ipp = $_GET['ipp'];
+            $ipp = ttstore_sanitize($_GET['ipp']);
         } else {
             $ipp = $max_items;
@@ -290 +307 @@
     if(isset($_GET['pmin']) && isset($_GET['pmax'])){
         if(is_numeric($_GET['pmin']) && is_numeric($_GET['pmax'])){
-            $min_price = $_GET['pmin'];
-            $max_pricecur = $_GET['pmax'];
+            $min_price = ttstore_sanitize($_GET['pmin']);
+            $max_pricecur = ttstore_sanitize($_GET['pmax']);
         } else {
             $min_price = $min_price;
@@ -444 +461 @@
             }
             if(isset($_GET['ipp']) && is_numeric($_GET['ipp']) && $_GET['ipp']>"0"){
-                $itemsperpage = $_GET['ipp'];
+                $itemsperpage = ttstore_sanitize($_GET['ipp']);
             } else {
                 $itemsperpage = $multi_val->multipageamount;
@@ -450 +467 @@
             $pages = ceil($totalitems / $itemsperpage)-1;
             if(isset($_GET['tsp']) && is_numeric($_GET['tsp'])){
-                $currentpage = $_GET['tsp'];
+                $currentpage = ttstore_sanitize($_GET['tsp']);
                 $nextpage = $currentpage * $multi_val->multipageamount;
             } else {
@@ -618 +635 @@
             }
             if(isset($_GET['ipp']) && is_numeric($_GET['ipp']) && $_GET['ipp']>"0"){
-                $itemsperpage = $_GET['ipp'];
+                $itemsperpage = ttstore_sanitize($_GET['ipp']);
             } else {
                 $itemsperpage = $multi_val->multipageamount;
@@ -624 +641 @@
             $pages = ceil($totalitems / $itemsperpage)-1;
             if(isset($_GET['tsp']) && is_numeric($_GET['tsp'])){
-                $currentpage = $_GET['tsp'];
+                $currentpage = ttstore_sanitize($_GET['tsp']);
                 $nextpage = $currentpage * $multi_val->multipageamount;
                 if($totalitems <= $nextpage ){
@@ -722 +739 @@
             }
         }
-    $storeitems = "";
+    $storeitems = "<div class\"TTSTore_store\">";
     $i="1";
     foreach ($visits as $product){
@@ -741 +758 @@
                 $moretext = __('More info', 'tradetracker-store');
                 $more = "<div class=\"".$storename."store-more store-more\">
-                        <img src=\"".plugin_dir_url( __FILE__ )."/images/more.png\" style=\"border:0;\" border=\"0\" name=\"img".$i."\" width=\"11\" height=\"13\" border=\"0\" >
-                        <a href=\"#first\" onClick=\"shoh('".$i."');\" >".$moretext."</a> 
-                        <div style=\"display: none;\" id=\"".$i."\" > 
+                        <img src=\"".plugin_dir_url( __FILE__ )."/images/more.png\" style=\"border:0;\" border=\"0\" id=\"img".$storename."".$i."\" width=\"11\" height=\"13\" border=\"0\" >
+                        <a href=\"#first\" onClick=\"shoh('".$storename."".$i."');\" >".$moretext."</a> 
+                        <div style=\"display: none;\" id=\"".$storename."".$i."\" class=\"ttstore_moreinfo\"> 
                             <table style=\"width:".$widthmore."px;\" width=\"".$widthmore."\">".$extraname."</table>
                         </div>
@@ -870 +887 @@
     }
         $storeitems .= "<!-- These items are shown using the TradeTracker Store plugin - http://wpaffiliatefeed.com -->";
+        $storeitems .= "</div>";
     if ($usedhow == 1){
         return $storeitems;
     }
     if ($usedhow == 2){
-        echo $storeitems; 
+        echo wp_kses_post($storeitems); 
     }
     

tradetracker-store/trunk/functions.php

@@ -11 +11 @@
     }
 }
+function ttstore_sanitize($array_or_string) {
+    if( is_string($array_or_string) ){
+        $array_or_string = sanitize_text_field($array_or_string);
+    }elseif( is_array($array_or_string) ){
+        foreach ( $array_or_string as $key => &$value ) {
+            if ( is_array( $value ) ) {
+                $value = sanitize_text_or_array_field($value);
+            }
+            else {
+                $value = sanitize_text_field( $value );
+            }
+        }
+    }
+
+    return $array_or_string;
+}
 function tt_store_arrayDiffEmulation($arrayFrom, $arrayAgainst)
 {
@@ -53 +69 @@
         if($response['body'] != $updatetime){
             $url = 'https://wpaffiliatefeed.com/tradetracker-store/sites.xml';
-            $permfile = plugin_dir_path( __FILE__ )."cache/sites.xml";
+            $permfile = TT_STORE_plugipath."cache/sites.xml";
             $tmpfile = download_url( $url, $timeout = 300 );
             copy( $tmpfile, $permfile );
@@ -59 +75 @@
             
             $url = 'https://wpaffiliatefeed.com/tradetracker-store/faq.xml';
-            $permfile = plugin_dir_path( __FILE__ )."cache/faq.xml";
+            $permfile = TT_STORE_plugipath."cache/faq.xml";
             $tmpfile = download_url( $url, $timeout = 300 );
             copy( $tmpfile, $permfile );
@@ -65 +81 @@
             
             $url = 'https://wpaffiliatefeed.com/category/news/feed/';
-            $permfile = plugin_dir_path( __FILE__ )."cache/news.xml";
+            $permfile = TT_STORE_plugipath."cache/news.xml";
             $tmpfile = download_url( $url, $timeout = 300 );
             copy( $tmpfile, $permfile );
@@ -71 +87 @@
             
             $url = 'https://wpaffiliatefeed.com/category/news/feed/';
-            $permfile = plugin_dir_path( __FILE__ )."cache/releaselog.xml";
+            $permfile = TT_STORE_plugipath."cache/releaselog.xml";
             $tmpfile = download_url( $url, $timeout = 300 );
             copy( $tmpfile, $permfile );
@@ -117 +133 @@
 }
 function loadpremium(){
-    $foldercache = plugin_dir_path( __FILE__ )."cache/";
+    $foldercache = TT_STORE_pluginpath."cache/";
     if(is_writable($foldercache)){
         $providers = get_option('Tradetracker_premiumapi');
@@ -137 +153 @@
 function premium_updater(){
     global $wpdb;
-    $foldercache = plugin_dir_path( __FILE__ )."cache/";
+    $foldercache = TT_STORE_plugipath."cache/";
     $us = $_SERVER['HTTP_HOST'];
     delete_option('tt_premium_function');

tradetracker-store/trunk/import/database.php

@@ -132 +132 @@
     if ($xmlcronjob == "0"){
         $feednumercount = $xmlfeednumber;
-        echo "<br /><strong>Feeds Completed: </strong> ".$feednumercount."/".count($xmlfeed)."";
+        echo "<br /><strong>Feeds Completed: </strong> ".esc_attr($feednumercount)."/".count($xmlfeed)."";
         $feedsimported = sprintf(__('<strong>Feeds Completed: </strong> %1$s / %2$s','tradetracker-store'), $feednumercount, count($xmlfeed));
         update_option( "Tradetracker_feedsimported", $feedsimported );
@@ -141 +141 @@
         echo "<div style=\"width:".round($percent * $scale)."px;\"></div>";
         echo "</div>".round($percent,'2')."%"; 
-        echo "<br /><strong>Currently Importing: </strong>".$xmlfeed[$xmlfeednumber][0];
+        echo "<br /><strong>Currently Importing: </strong>".esc_attr($xmlfeed[$xmlfeednumber][0]);
         //echo "<br /><strong>File: </strong>".$files[$xmldatabasecount];
         tt_store_log_me("TT Database: ".$xmlfeed[$xmlfeednumber][0]);
@@ -246 +246 @@
                             foreach($product->additional->children() as $datachild){
                                 if($datachild['name']!=""){
-                                    echo " ik doe dit ";
                                     if($i == $totalextra){
                                         $queryextra .= "('".$productID."', '".$datachild['name']."', '".str_replace("'","''", $datachild)."')";
@@ -316 +315 @@
         echo convert(memory_get_peak_usage());
         echo "/".convert(str2bytes(ini_get('memory_limit')));
-        echo "<br /><strong>Items imported:</strong><br />".$item_count;
+        echo "<br /><strong>Items imported:</strong><br />".esc_attr($item_count);
     }
     $ttmemoryusage = get_option("Tradetracker_memoryusage");

tradetracker-store/trunk/import/xmlsplit.php

@@ -25 +25 @@
     $exportfile = fopen($folderhome."/$newfile","w");
         $url = $xmlfile;
-        $permfile = plugin_dir_path( __FILE__ ).".cache/cache.xml";
+        $permfile = TT_STORE_plugipath.".cache/cache.xml";
         $tmpfile = download_url( $url, $timeout = 300 );
         copy( $tmpfile, $permfile );
@@ -124 +124 @@
     //$needed   = array("product>", "<productID>", "</productID>");
         $url = $xmlfile;
-        $permfile = plugin_dir_path( __FILE__ ).".cache/cache.xml";
+        $permfile = TT_STORE_plugipath.".cache/cache.xml";
         $tmpfile = download_url( $url, $timeout = 300 );
         copy( $tmpfile, $permfile );

tradetracker-store/trunk/js/expand.js

@@ -53 +53 @@
     
     if (document.getElementById) { // DOM3 = IE5, NS6
-        if (document.getElementById(id).style.display == "none"){
-            document.getElementById(id).style.display = 'block';
-            filter(("img"+id),'imgin');         
+        if (document.getElementById(id).style.display == "block"){
+            document.getElementById(id).style.display = 'none';
+            filter(("img"+id),'imgout');            
         } else {
-            filter(("img"+id),'imgout');
-            document.getElementById(id).style.display = 'none';         
+            filter(("img"+id),'imgin');
+            document.getElementById(id).style.display = 'block';            
         }   
     } else { 
         if (document.layers) {  
-            if (document.id.display == "none"){
+            if (document.id.display == "block"){
+                document.id.display = 'none';
+                filter(("img"+id),'imgout');
+            } else {
+                filter(("img"+id),'imgin'); 
                 document.id.display = 'block';
-                filter(("img"+id),'imgin');
-            } else {
-                filter(("img"+id),'imgout');    
-                document.id.display = 'none';
             }
         } else {
-            if (document.all.id.style.visibility == "none"){
-                document.all.id.style.display = 'block';
+            if (document.all.id.style.visibility == "block"){
+                document.all.id.style.display = 'none';
             } else {
                 filter(("img"+id),'imgout');
-                document.all.id.style.display = 'none';
+                document.all.id.style.display = 'block';
             }
         }

tradetracker-store/trunk/menu/expand.js

@@ -53 +53 @@
     
     if (document.getElementById) { // DOM3 = IE5, NS6
-        if (document.getElementById(id).style.display == "none"){
-            document.getElementById(id).style.display = 'block';
-            filter(("img"+id),'imgin');         
+        if (document.getElementById(id).style.display == "block"){
+            document.getElementById(id).style.display = 'none';
+            filter(("img"+id),'imgout');            
         } else {
-            filter(("img"+id),'imgout');
-            document.getElementById(id).style.display = 'none';         
+            filter(("img"+id),'imgin');
+            document.getElementById(id).style.display = 'block';            
         }   
     } else { 
         if (document.layers) {  
-            if (document.id.display == "none"){
+            if (document.id.display == "block"){
+                document.id.display = 'none';
+                filter(("img"+id),'imgout');
+            } else {
+                filter(("img"+id),'imgin'); 
                 document.id.display = 'block';
-                filter(("img"+id),'imgin');
-            } else {
-                filter(("img"+id),'imgout');    
-                document.id.display = 'none';
             }
         } else {
-            if (document.all.id.style.visibility == "none"){
-                document.all.id.style.display = 'block';
+            if (document.all.id.style.visibility == "block"){
+                document.all.id.style.display = 'none';
             } else {
                 filter(("img"+id),'imgout');
-                document.all.id.style.display = 'none';
+                document.all.id.style.display = 'block';
             }
         }

tradetracker-store/trunk/menu/faq.php

@@ -17 +17 @@
         if(!isset($faqcategory)){
             $faqcategory = $faqs->faqcategory;
-            echo "<li><strong>$faqcategory</strong></li>";
-            echo "<li><a href=\"".$faqs->faqadres."\" target=\"_blank\">".$faqs->faqnaam."</a></li>";
+            echo "<li><strong>".esc_attr($faqcategory)."</strong></li>";
+            echo "<li><a href=\"".esc_url($faqs->faqadres)."\" target=\"_blank\">".esc_attr($faqs->faqnaam)."</a></li>";
         } else if($faqs->faqcategory != "".$faqcategory.""){
             $faqcategory = $faqs->faqcategory;
-            echo "<li><strong>$faqcategory</strong></li>";
-            echo "<li><a href=\"".$faqs->faqadres."\" target=\"_blank\">".$faqs->faqnaam."</a></li>";
+            echo "<li><strong>".esc_attr($faqcategory)."</strong></li>";
+            echo "<li><a href=\"".esc_url($faqs->faqadres)."\" target=\"_blank\">".esc_attr($faqs->faqnaam)."</a></li>";
         } else {
-            echo "<li><a href=\"".$faqs->faqadres."\" target=\"_blank\">".$faqs->faqnaam."</a></li>";
+            echo "<li><a href=\"".esc_url($faqs->faqadres)."\" target=\"_blank\">".esc_attr($faqs->faqnaam)."</a></li>";
         }   
     }

tradetracker-store/trunk/menu/itemselect.php

@@ -32 +32 @@
 
 <div  id="TB_overlay" class="TB_overlayBG"></div>
-<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo $adminwidth; ?>px;">
+<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo esc_attr($adminwidth); ?>px;">
     <div id="ttstorebox">
         <div id="TB_title">
@@ -42 +42 @@
             </div>
         </div>
-        <div id="ttstoreboxoptions" style="max-height:<?php echo $adminheight; ?>px;">
-    <table width="<?php echo $adminwidth-15; ?>">
+        <div id="ttstoreboxoptions" style="max-height:<?php echo esc_attr($adminheight); ?>px;">
+    <table width="<?php echo esc_attr($adminwidth-15); ?>">
         <tr>
             <td>
@@ -83 +83 @@
         <tr>
             <td>
-                <?php echo $layout_val->multiname; ?>
+                <?php echo esc_attr($layout_val->multiname); ?>
             </td>
             <td>
                 <?php if($layout_val->id > "1"){ ?>
-                    <a href="admin.php?page=tt-store&option=store&function=new&return=item&multiid=<?php echo $layout_val->id; ?>"><?php _e("Edit Store", "ttstore"); ?></a>
+                    <a href="admin.php?page=tt-store&option=store&function=new&return=item&multiid=<?php echo esc_attr($layout_val->id); ?>"><?php _e("Edit Store", "ttstore"); ?></a>
                 <?php } ?>
             </td>
             <td>
-                <a href="admin.php?page=tt-store&option=itemselect&function=select&multiid=<?php echo $layout_val->id; ?>"><?php _e("Select Items", "ttstore"); ?></a>
+                <a href="admin.php?page=tt-store&option=itemselect&function=select&multiid=<?php echo esc_attr($layout_val->id); ?>"><?php _e("Select Items", "ttstore"); ?></a>
             </td>
             <td>
                 <?php if(isset($productcount)){ ?>
-                    <a href="admin.php?page=tt-store&option=itemselect&function=delete&multiid=<?php echo $layout_val->id; ?>"><?php printf(__('All %d selected Item(s)', 'tradetracker-store'), $productcount); ?></a>
+                    <a href="admin.php?page=tt-store&option=itemselect&function=delete&multiid=<?php echo esc_attr($layout_val->id); ?>"><?php printf(__('All %d selected Item(s)', 'tradetracker-store'), $productcount); ?></a>
                 <?php } ?>
             </td>
             <td>
                 <?php if(isset($emptyproductcount) && $emptyproductcount > "0"){ ?>
-                    <a href="admin.php?page=tt-store&option=itemselect&function=deleteempty&multiid=<?php echo $layout_val->id; ?>"><?php echo $emptyproductcount; ?> <?php _e("items no longer in a feed", "ttstore"); ?></a>
+                    <a href="admin.php?page=tt-store&option=itemselect&function=deleteempty&multiid=<?php echo esc_attr($layout_val->id); ?>"><?php echo esc_attr($emptyproductcount); ?> <?php _e("items no longer in a feed", "ttstore"); ?></a>
                     <?php $emptyproductcount = ""; ?>
                 <?php } ?>
@@ -106 +106 @@
             <td>
                 <?php if(isset($multiid) && $layout_val->id == $multiid){
-                    echo $deleted;
+                    echo esc_html($deleted);
                 } ?>
             </td>
@@ -132 +132 @@
         $multiid = intval($_GET['multiid']);
     if( isset($_POST[ $ttstoresubmit ]) && $_POST[ $ttstoresubmit ] == 'Y' ) {
-        $Tradetracker_items = $_POST['item'];
-            if (is_array($Tradetracker_items)) {
-                        foreach ($Tradetracker_items as &$tag) {    
-                    $tag = esc_attr($tag);
-                        }
-                        unset($tag );
-                } else {
-                        $Tradetracker_items = esc_attr($Tradetracker_items);
-                 }
+        $Tradetracker_items = ttstore_sanitize($_POST['item']);
         if((isset($Tradetracker_items) && $Tradetracker_items != "") || $Tradetracker_items == ""){
             $query = "DELETE FROM `".$ttstoreitemtable."` WHERE `".$ttstoreitemtable."`.`storeID` = ".$multiid."";
@@ -389 +381 @@
 
 <div  id="TB_overlay" class="TB_overlayBG"></div>
-<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo $adminwidth; ?>px;">
+<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo esc_attr($adminwidth); ?>px;">
     <div id="ttstorebox">
         <div id="TB_title">
@@ -399 +391 @@
             </div>
         </div>
-        <div id="ttstoreboxoptions" style="max-height:<?php echo $adminheight; ?>px;">
+        <div id="ttstoreboxoptions" style="max-height:<?php echo esc_attr($adminheight); ?>px;">
         <form class="" action="admin.php" method="get">
         <input type="hidden" name="page" value="tt-store">
         <input type="hidden" name="option" value="itemselect">
         <input type="hidden" name="function" value="select">
-        <input type="hidden" name="multiid" value="<?php echo $multiid;?>">
-        <input type="hidden" name="limit" value="<?php echo $limit;?>">
-        <input type="hidden" name="order" value="<?php echo $order;?>">
-        <input class="s" type="text" name="search" value="<?php if(isset($keyword)) {  echo $keyword;} ?>">
+        <input type="hidden" name="multiid" value="<?php echo esc_attr($multiid);?>">
+        <input type="hidden" name="limit" value="<?php echo esc_attr($limit);?>">
+        <input type="hidden" name="order" value="<?php echo esc_attr($order);?>">
+        <input class="s" type="text" name="search" value="<?php if(isset($keyword)) {  echo esc_attr($keyword);} ?>">
         <?php if(!isset($_GET['title'])&&!isset($_GET['description'])){ ?>
             <input type="checkbox" name="title" checked="checked" value="yes">title
@@ -433 +425 @@
         <input class="searchsubmit" type="submit" title="search item" value="Search">
         </form>
-<table width="<?php echo $adminwidth-30; ?>" border="0">
+<table width="<?php echo esc_attr($adminwidth-30); ?>" border="0">
     <tr>
         <td width="50%" align="left">
-            <?php _e("Showing products", "ttstore"); ?> <b><? echo $first; ?></b> - <b><?php echo $last; ?></b> <?php _e("of", "ttstore"); ?> <b><?php echo $numrows; ?></b>
+            <?php _e("Showing products", "ttstore"); ?> <b><? echo esc_attr($first); ?></b> - <b><?php echo esc_attr($last); ?></b> <?php _e("of", "ttstore"); ?> <b><?php echo esc_attr($numrows); ?></b>
         </td>
         <td width="50%" align="right">
-            <?php if ($currentpage != 0) { $back_page = $currentpage - $limit; echo("<a href=\"admin.php?page=tt-store&option=itemselect&function=select".$searchlink."&multiid=".$multiid."&order=$order".$filterurl."&currentpage=$back_page&limit=$limit\"><</a>");} ?> <?php _e("Page", "ttstore"); ?> <b><?php echo $current; ?></b> <?php _e("of", "ttstore"); ?> <b><?php echo $total; ?></b> <?php if (!((($currentpage+$limit) / $limit) >= $pages) && $pages != 1) { $next_page = $currentpage + $limit; echo("<a href=\"admin.php?page=tt-store&option=itemselect&function=select".$searchlink."&multiid=".$multiid."&order=$order".$filterurl."&currentpage=$next_page&limit=$limit\">></a>");} ?>
+            <?php if ($currentpage != 0) { $back_page = $currentpage - $limit; echo("<a href=\"admin.php?page=tt-store&option=itemselect&function=select".esc_attr($searchlink)."&multiid=".esc_attr($multiid)."&order=$order".esc_attr($filterurl)."&currentpage=".esc_attr($back_page)."&limit=".esc_attr($limit)."\"><</a>");} ?> <?php _e("Page", "ttstore"); ?> <b><?php echo esc_attr($current); ?></b> <?php _e("of", "ttstore"); ?> <b><?php echo esc_attr($total); ?></b> <?php if (!((($currentpage+$limit) / $limit) >= $pages) && $pages != 1) { $next_page = $currentpage + $limit; echo("<a href=\"admin.php?page=tt-store&option=itemselect&function=select".esc_attr($searchlink)."&multiid=".esc_attr($multiid)."&order=$order".esc_attr($filterurl)."&currentpage=".esc_attr($next_page)."&limit=".esc_attr($limit)."\">></a>");} ?>
         </td>
     </tr>
     <tr>
         <td colspan="2" align="right">
-            <?php _e("Results per-page:", "ttstore"); ?> <a href="admin.php?page=tt-store&option=itemselect&function=select<?php echo $searchlink; ?>&multiid=<?php echo $multiid; ?>&order=<?php echo $order; ?><?php echo $filterurl; ?>&currentpage=<?php echo $currentpage; ?>&limit=100">100</a> | <a href="admin.php?page=tt-store&option=itemselect&function=select<?php echo $searchlink; ?>&multiid=<?php echo $multiid; ?>&order=<?php echo $order; ?><?php echo $filterurl;?>&currentpage=<?php echo $currentpage; ?>&limit=200">200</a> | <a href="admin.php?page=tt-store&option=itemselect&function=select<?php echo $searchlink; ?>&multiid=<?php echo $multiid; ?>&order=<?php echo $order; ?><?php echo $filterurl;?>&currentpage=<?php echo $currentpage; ?>&limit=500">500</a> | <a href="admin.php?page=tt-store&option=itemselect&function=select<?php echo $searchlink; ?>&multiid=<?php echo $multiid; ?>&order=<?php echo $order; ?><?php echo $filterurl; ?>&currentpage=<?php echo $currentpage; ?>&limit=1000">1000</a>
+            <?php _e("Results per-page:", "ttstore"); ?> <a href="admin.php?page=tt-store&option=itemselect&function=select<?php echo esc_attr($searchlink); ?>&multiid=<?php echo esc_attr($multiid); ?>&order=<?php echo esc_attr($order); ?><?php echo esc_attr($filterurl); ?>&currentpage=<?php echo esc_attr($currentpage); ?>&limit=100">100</a> | <a href="admin.php?page=tt-store&option=itemselect&function=select<?php echo esc_attr($searchlink); ?>&multiid=<?php echo esc_attr($multiid); ?>&order=<?php echo esc_attr($order); ?><?php echo esc_attr($filterurl);?>&currentpage=<?php echo esc_attr($currentpage); ?>&limit=200">200</a> | <a href="admin.php?page=tt-store&option=itemselect&function=select<?php echo esc_attr($searchlink); ?>&multiid=<?php echo esc_attr($multiid); ?>&order=<?php echo esc_attr($order); ?><?php echo esc_attr($filterurl);?>&currentpage=<?php echo esc_attr($currentpage); ?>&limit=500">500</a> | <a href="admin.php?page=tt-store&option=itemselect&function=select<?php echo esc_attr($searchlink); ?>&multiid=<?php echo esc_attr($multiid); ?>&order=<?php echo esc_attr($order); ?><?php echo esc_attr($filterurl); ?>&currentpage=<?php echo esc_attr($currentpage); ?>&limit=1000">1000</a>
         </td>
     </tr>
@@ -498 +490 @@
     }
 }
-    echo "<table width=\"<?php echo $adminwidth-15; ?>\" border=\"0\" style=\"border-width: 0px;padding:0px;border-spacing:0px;\">";
+    echo "<table width=\"".esc_attr($adminwidth-15)."\" border=\"0\" style=\"border-width: 0px;padding:0px;border-spacing:0px;\">";
         echo "<tr><td width=\"20\">";
             if(!isset($_GET['selected']) || $_GET['selected']==""){
-            echo "<b><a href=\"admin.php?page=tt-store&option=itemselect&limit=".$limit."&function=select".$searchlink."&multiid=".$multiid."&order=".$order."".$filterurl."&selected=yes\">"; _e('Selected', 'tradetracker-store'); echo "</a></b>";
-            } else {
-            echo "<b><a href=\"admin.php?page=tt-store&option=itemselect&limit=".$limit."&function=select".$searchlink."".$filterurl."&multiid=".$multiid."\">"; _e('Selected', 'tradetracker-store'); echo "</a></b>";
+            echo "<b><a href=\"admin.php?page=tt-store&option=itemselect&limit=".esc_attr($limit)."&function=select".esc_attr($searchlink)."&multiid=".esc_attr($multiid)."&order=".esc_attr($order)."".esc_attr($filterurl)."&selected=yes\">"; _e('Selected', 'tradetracker-store'); echo "</a></b>";
+            } else {
+            echo "<b><a href=\"admin.php?page=tt-store&option=itemselect&limit=".esc_attr($limit)."&function=select".esc_attr($searchlink)."".esc_attr($filterurl)."&multiid=".esc_attr($multiid)."\">"; _e('Selected', 'tradetracker-store'); echo "</a></b>";
             }
         echo "</td><td width=\"200\">";
-            echo "<b><a href=\"admin.php?page=tt-store&option=itemselect&limit=".$limit."&function=select".$searchlink."&multiid=".$multiid."&order=productID".$filterurl."\">"; _e('ProductID', 'tradetracker-store'); echo "</a></b>";
+            echo "<b><a href=\"admin.php?page=tt-store&option=itemselect&limit=".esc_attr($limit)."&function=select".esc_attr($searchlink)."&multiid=".esc_attr($multiid)."&order=productID".esc_attr($filterurl)."\">"; _e('ProductID', 'tradetracker-store'); echo "</a></b>";
         echo "</td><td width=\"435\">";
-            echo "<b><a href=\"admin.php?page=tt-store&option=itemselect&limit=".$limit."&function=select".$searchlink."&multiid=".$multiid."&order=name".$filterurl."\">"; _e('Product name', 'tradetracker-store'); echo "</a></b>";
+            echo "<b><a href=\"admin.php?page=tt-store&option=itemselect&limit=".esc_attr($limit)."&function=select".esc_attr($searchlink)."&multiid=".esc_attr($multiid)."&order=name".esc_attr($filterurl)."\">"; _e('Product name', 'tradetracker-store'); echo "</a></b>";
         echo "</td><td width=\"180\">";
-            echo "<b><a href=\"admin.php?page=tt-store&option=itemselect&limit=".$limit."&function=select".$searchlink."&multiid=".$multiid."&order=xmlfeed".$filterurl."\">"; _e('XMLFeed', 'tradetracker-store'); echo "</a></b>";
+            echo "<b><a href=\"admin.php?page=tt-store&option=itemselect&limit=".esc_attr($limit)."&function=select".esc_attr($searchlink)."&multiid=".esc_attr($multiid)."&order=xmlfeed".esc_attr($filterurl)."\">"; _e('XMLFeed', 'tradetracker-store'); echo "</a></b>";
         echo "</td><td width=\"50\">";
-            echo "<b><a href=\"admin.php?page=tt-store&option=itemselect&limit=".$limit."&function=select".$searchlink."&multiid=".$multiid."&order=price".$filterurl."\">"; _e('Price', 'tradetracker-store'); echo "</a></b>";
+            echo "<b><a href=\"admin.php?page=tt-store&option=itemselect&limit=".esc_attr($limit)."&function=select".esc_attr($searchlink)."&multiid=".esc_attr($multiid)."&order=price".esc_attr($filterurl)."\">"; _e('Price', 'tradetracker-store'); echo "</a></b>";
         echo "</td><td width=\"65\">";
             echo "<b>"; _e('Currency', 'tradetracker-store'); echo "</b>";
@@ -521 +513 @@
 
     echo "<form name=\"form2\" method=\"post\" action=\"\">";
-        echo $ttstorehidden;
+        echo esc_attr($ttstorehidden);
             $array2="";
             $colors = "1";
@@ -531 +523 @@
                 }
                 $array2 .= ",".$product->productID."";
-                echo "<tr style=\"".$tdbgcolor.";\"><td>";
+                echo "<tr style=\"".esc_attr($tdbgcolor).";\"><td>";
             if(isset($_GET['selected']) && $_GET['selected']=="yes"){
                 if(!empty($productID) && in_array($product->productID, $productID, true))
                 {
-                    echo "<input type=\"checkbox\" checked=\"yes\" name=\"item[]\" value=".$product->productID." /></td><td>";
+                    echo "<input type=\"checkbox\" checked=\"yes\" name=\"item[]\" value=".esc_attr($product->productID)." /></td><td>";
                     $xmlfeedname = get_option('Tradetracker_xmlname');
-                    echo $product->productID;
+                    echo esc_attr($product->productID);
                     echo "</td><td><span class=\"link1\"><a href=\"javascript: void(0)\">";
-                    echo $product->name;
-                    echo "<span><img src=\"".$imageURL."\" width=\"400px\"></span></a></span></td><td>";
+                    echo esc_attr($product->name);
+                    echo "<span><img src=\"".esc_url($imageURL)."\" width=\"400px\"></span></a></span></td><td>";
                     $xmlfeed=$wpdb->get_var("SELECT xmlname FROM ".$ttstorexmltable." where id=".$product->xmlfeed.""); 
-                    echo $xmlfeed;
+                    echo esc_attr($xmlfeed);
                     echo "</td><td>";
-                    echo $product->price;
+                    echo esc_attr($product->price);
                     echo "</td><td>";
-                    echo $product->currency;
+                    echo esc_attr($product->currency);
                     $extraname = "";
                     $extravar ="";
@@ -560 +552 @@
                     }
                     if($extraname != ""){
-                        echo "</td><td><span class=\"link\"><a href=\"javascript: void(0)\">"; _e("Yes", "ttstore"); echo "<span><table><tr>".$extraname."</tr><tr>".$extravar."</tr></table> </span></a></span></td></tr>";
+                        echo "</td><td><span class=\"link\"><a href=\"javascript: void(0)\">"; _e("Yes", "ttstore"); echo "<span><table><tr>".esc_attr($extraname)."</tr><tr>".esc_attr($extravar)."</tr></table> </span></a></span></td></tr>";
                     } else {
                         echo "</td><td>"; _e("No", "ttstore"); echo "</td></tr>";
@@ -574 +566 @@
                 if(!empty($productID) && in_array($product->productID, $productID, true))
                 {
-                    echo "<input type=\"checkbox\" checked=\"yes\" name=\"item[]\" value=".$product->productID." /></td><td>";
+                    echo "<input type=\"checkbox\" checked=\"yes\" name=\"item[]\" value=".esc_attr($product->productID)." /></td><td>";
                 } else {
-                    echo "<input type=\"checkbox\" name=\"item[]\" value=".$product->productID." /></td><td>";
+                    echo "<input type=\"checkbox\" name=\"item[]\" value=".esc_attr($product->productID)." /></td><td>";
                 }
                 if($product->imageURL==""){
@@ -584 +576 @@
                 }
                 $xmlfeedname = get_option('Tradetracker_xmlname');
-                echo $product->productID;
+                echo esc_attr($product->productID);
                 echo "</td><td><span class=\"link1\"><a href=\"javascript: void(0)\">";
-                echo $product->name;
-                echo "<span><img src=\"".$imageURL."\" width=\"400px\">$product->description</a></span></span></td><td>";
+                echo esc_attr($product->name);
+                echo "<span><img src=\"".esc_url($imageURL)."\" width=\"400px\">$product->description</a></span></span></td><td>";
                 $xmlfeed=$wpdb->get_var("SELECT xmlname FROM ".$ttstorexmltable." where id=".$product->xmlfeed.""); 
-                echo $xmlfeed;
+                echo esc_attr($xmlfeed);
                 echo "</td><td>";
-                echo $product->price;
+                echo esc_attr($product->price);
                 echo "</td><td>";
-                echo $product->currency;
+                echo esc_attr($product->currency);
                 $extraname = "";
                 $extravar ="";
@@ -607 +599 @@
                 }
                 if($extraname != ""){
-                    echo "</td><td><span class=\"link\"><a href=\"javascript: void(0)\">"; _e("Yes", "ttstore"); echo "<span><table><tr>".$extraname."</tr><tr>".$extravar."</tr></table> </span></a></span></td></tr>";
+                    echo "</td><td><span class=\"link\"><a href=\"javascript: void(0)\">"; _e("Yes", "ttstore"); echo "<span><table><tr>".esc_attr($extraname)."</tr><tr>".esc_attr($extravar)."</tr></table> </span></a></span></td></tr>";
                 } else {
                     echo "</td><td>"; _e("No", "ttstore"); echo "</td></tr>";
@@ -626 +618 @@
             if(isset($result)){
                 $result = implode(",", $result);
-                echo "<input type=\"hidden\" name=\"itemsother\" value=\"".$result."\" />";
+                echo "<input type=\"hidden\" name=\"itemsother\" value=\"".esc_attr($result)."\" />";
             }
         }
@@ -635 +627 @@
     if ($currentpage != 0) { // Don't show back link if current page is first page.
         $back_page = $currentpage - $limit;
-        echo("<a href=\"admin.php?page=tt-store&option=itemselect&function=select".$searchlink."&multiid=".$multiid."&order=$order".$filterurl."&currentpage=$back_page&limit=$limit\">back</a>    \n");
+        echo("<a href=\"admin.php?page=tt-store&option=itemselect&function=select".esc_attr($searchlink)."&multiid=".esc_attr($multiid)."&order=$order".esc_attr($filterurl)."&currentpage=".esc_attr($back_page)."&limit=".esc_attr($limit)."\">back</a>    \n");
     }
     for ($i=1; $i <= $pages; $i++){
         $ppage = $limit*($i - 1);
         if ($ppage == $currentpage){
-            echo("<b>$i</b> \n"); // If current page don't give link, just text.
+            echo("<b>".esc_attr($i)."</b> \n"); // If current page don't give link, just text.
         }else{
-            echo("<a href=\"admin.php?page=tt-store&option=itemselect&function=select".$searchlink."&multiid=".$multiid."&order=$order".$filterurl."&currentpage=$ppage&limit=$limit\">$i</a> \n");
+            echo("<a href=\"admin.php?page=tt-store&option=itemselect&function=select".esc_attr($searchlink)."&multiid=".esc_attr($multiid)."&order=$order".esc_attr($filterurl)."&currentpage=".esc_attr($ppage)."&limit=".esc_attr($limit)."\">".esc_attr($i)."</a> \n");
         }
     }
     if (!((($currentpage+$limit) / $limit) >= $pages) && $pages != 1) { // If last page don't give next link.
         $next_page = $currentpage + $limit;
-        echo("    <a href=\"admin.php?page=tt-store&option=itemselect&function=select".$searchlink."&multiid=".$multiid."&order=$order".$filterurl."&currentpage=$next_page&limit=$limit\">next</a>\n");
+        echo("    <a href=\"admin.php?page=tt-store&option=itemselect&function=select".esc_attr($searchlink)."&multiid=".esc_attr($multiid)."&order=$order".esc_attr($filterurl)."&currentpage=".esc_attr($next_page)."&limit=".esc_attr($limit)."\">next</a>\n");
     }
     echo "</td></tr></table>";

tradetracker-store/trunk/menu/layout.php

@@ -68 +68 @@
     //see if form has been submitted
     if( isset($_POST[ $ttstoresubmit ]) && $_POST[ $ttstoresubmit ] == 'Y' ) {
-        $Tradetracker_width_val = sanitize_text_field($_POST[ $Tradetracker_width_name ]);
-        $Tradetracker_layoutname_val = sanitize_text_field($_POST[ $Tradetracker_layoutname_name ]);
-            $Tradetracker_font_val = sanitize_text_field($_POST[ $Tradetracker_font_name ]);
-            $Tradetracker_fontsize_val = sanitize_text_field($_POST[ $Tradetracker_fontsize_name ]);
-        $Tradetracker_colortitle_val = sanitize_text_field($_POST[ $Tradetracker_colortitle_name ]);
-        $Tradetracker_colorfooter_val = sanitize_text_field($_POST[ $Tradetracker_colorfooter_name ]);
-        $Tradetracker_colorimagebg_val = sanitize_text_field($_POST[ $Tradetracker_colorimagebg_name ]);
-        $Tradetracker_colorfont_val = sanitize_text_field($_POST[ $Tradetracker_colorfont_name ]);
-        $Tradetracker_colorborder_val = sanitize_text_field($_POST[ $Tradetracker_colorborder_name ]);
-        $Tradetracker_colorbutton_val = sanitize_text_field($_POST[ $Tradetracker_colorbutton_name ]);
-        $Tradetracker_colorbuttonfont_val = sanitize_text_field($_POST[ $Tradetracker_colorbuttonfont_name ]);
+        $Tradetracker_width_val = ttstore_sanitize($_POST[ $Tradetracker_width_name ]);
+        $Tradetracker_layoutname_val = ttstore_sanitize($_POST[ $Tradetracker_layoutname_name ]);
+            $Tradetracker_font_val = ttstore_sanitize($_POST[ $Tradetracker_font_name ]);
+            $Tradetracker_fontsize_val = ttstore_sanitize($_POST[ $Tradetracker_fontsize_name ]);
+        $Tradetracker_colortitle_val = ttstore_sanitize($_POST[ $Tradetracker_colortitle_name ]);
+        $Tradetracker_colorfooter_val = ttstore_sanitize($_POST[ $Tradetracker_colorfooter_name ]);
+        $Tradetracker_colorimagebg_val = ttstore_sanitize($_POST[ $Tradetracker_colorimagebg_name ]);
+        $Tradetracker_colorfont_val = ttstore_sanitize($_POST[ $Tradetracker_colorfont_name ]);
+        $Tradetracker_colorborder_val = ttstore_sanitize($_POST[ $Tradetracker_colorborder_name ]);
+        $Tradetracker_colorbutton_val = ttstore_sanitize($_POST[ $Tradetracker_colorbutton_name ]);
+        $Tradetracker_colorbuttonfont_val = ttstore_sanitize($_POST[ $Tradetracker_colorbuttonfont_name ]);
 
         if($Tradetracker_width_val=="" || $Tradetracker_layoutname_val ==""){
@@ -188 +188 @@
 <?php $adminheight = get_option("Tradetracker_adminheight"); ?>
 <div  id="TB_overlay" class="TB_overlayBG"></div>
-<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo $adminwidth; ?>px;">
+<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo esc_attr($adminwidth); ?>px;">
     <div id="ttstorebox">
         <div id="TB_title">
@@ -199 +199 @@
         </div>
         
-        <div id="ttstoreboxoptions" style="max-height:<?php echo $adminheight; ?>px;">
-        <table width="<?php echo $adminwidth-15; ?>">
+        <div id="ttstoreboxoptions" style="max-height:<?php echo esc_attr($adminheight); ?>px;">
+        <table width="<?php echo esc_attr($adminwidth-15); ?>">
             <tr>
                 <td colspan="4">
@@ -251 +251 @@
             <tr>
                 <td>
-                    <?php echo $layout_val->layname; ?>
-                </td>
-                <td>
-                    <?php echo $layout_val->laywidth; ?>
-                </td>
-                <td>
-                    <?php echo $layout_val->layfont; ?>
-                </td>
-                <td>
-                    <?php echo $layout_val->layfontsize; ?>
-                </td>
-                <td>
-                    <?php echo $layout_val->laycolortitle; ?>
-                </td>
-                <td>
-                    <?php echo $layout_val->laycolorimagebg; ?>
-                </td>
-                <td>
-                    <?php echo $layout_val->laycolorfooter; ?>
-                </td>
-                <td>
-                    <?php echo $layout_val->laycolorfont; ?>
-                </td>
-                <td>
-                    <?php echo $layout_val->laycolorborder; ?>
-                </td>
-                <td>
-                    <?php echo $layout_val->laycolorbutton; ?>
-                </td>
-                <td>
-                    <?php echo $layout_val->laycolorbuttonfont; ?>
-                </td>
-                <td>
-                    <?php if($layout_val->id>"1"){ echo "<a href=\"admin.php?page=tt-store&option=layout&function=new&layoutid=".$layout_val->id."\">".__('Edit','tradetracker-store')."</a>"; } ?>
+                    <?php echo esc_attr($layout_val->layname); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($layout_val->laywidth); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($layout_val->layfont); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($layout_val->layfontsize); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($layout_val->laycolortitle); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($layout_val->laycolorimagebg); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($layout_val->laycolorfooter); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($layout_val->laycolorfont); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($layout_val->laycolorborder); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($layout_val->laycolorbutton); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($layout_val->laycolorbuttonfont); ?>
+                </td>
+                <td>
+                    <?php if($layout_val->id>"1"){ echo "<a href=\"admin.php?page=tt-store&option=layout&function=new&layoutid=".esc_attr($layout_val->id)."\">".__('Edit','tradetracker-store')."</a>"; } ?>
                 </td>
             </tr>
@@ -305 +305 @@
 <div  id="TB_overlay" class="TB_overlayBG"></div>
 
-<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo $adminwidth; ?>px;">
+<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo esc_attr($adminwidth); ?>px;">
     <div id="ttstorebox">
     <form name="form1" method="post" action="">
@@ -318 +318 @@
         </div>
         <?php $adminheight = get_option("Tradetracker_adminheight"); ?>
-        <div id="ttstoreboxoptions" style="max-height:<?php echo $adminheight; ?>px;">
+        <div id="ttstoreboxoptions" style="max-height:<?php echo esc_attr($adminheight); ?>px;">
     <div id="ttstoreboxlayout">
     </div>
-        <input type="hidden" name="layoutid" value="<?php if(isset($layoutid)){ echo $layoutid;} ?>">
-<table width="<?php echo $adminwidth-15; ?>">
+        <input type="hidden" name="layoutid" value="<?php if(isset($layoutid)){ echo esc_attr($layoutid);} ?>">
+<table width="<?php echo esc_attr($adminwidth-15); ?>">
     <tr>
         <td>
@@ -330 +330 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_layoutname_name; ?>" class="target" id="layoutname" value="<?php if(isset($Tradetracker_layoutname_val)){ echo $Tradetracker_layoutname_val; }?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
+            <input type="text" name="<?php echo $Tradetracker_layoutname_name; ?>" class="target" id="layoutname" value="<?php if(isset($Tradetracker_layoutname_val)){ echo esc_attr($Tradetracker_layoutname_val); }?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
             <?php if(isset($error)){ echo "<font color=\"red\">*</font>"; }?>
         </td>
@@ -341 +341 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_width_name; ?>" class="target" id="layoutwidth" value="<?php if(isset($Tradetracker_width_val)){ echo $Tradetracker_width_val;} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
+            <input type="text" name="<?php echo $Tradetracker_width_name; ?>" class="target" id="layoutwidth" value="<?php if(isset($Tradetracker_width_val)){ echo esc_attr($Tradetracker_width_val);} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
             <?php if(isset($error)){ echo "<font color=\"red\">*</font>"; }?>
         </td>
@@ -353 +353 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_font_name; ?>" class="target" id="layoutfont" value="<?php if(isset($Tradetracker_font_val)){ echo $Tradetracker_font_val;} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
+            <input type="text" name="<?php echo $Tradetracker_font_name; ?>" class="target" id="layoutfont" value="<?php if(isset($Tradetracker_font_val)){ echo esc_attr($Tradetracker_font_val);} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
             <a href="http://www.w3schools.com/cssref/css_websafe_fonts.asp" target="_blank">WebSafe Fonts</a>
         </td>
@@ -365 +365 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_fontsize_name; ?>" class="target" id="layoutfontsize" value="<?php if(isset($Tradetracker_fontsize_val)){ echo $Tradetracker_fontsize_val;} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
+            <input type="text" name="<?php echo $Tradetracker_fontsize_name; ?>" class="target" id="layoutfontsize" value="<?php if(isset($Tradetracker_fontsize_val)){ echo esc_attr($Tradetracker_fontsize_val);} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
         </td>
     </tr>
@@ -376 +376 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_colortitle_name; ?>" class="target" id="layoutcolortitle" value="<?php if(isset($Tradetracker_colortitle_val)){ echo $Tradetracker_colortitle_val;} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>> 
+            <input type="text" name="<?php echo $Tradetracker_colortitle_name; ?>" class="target" id="layoutcolortitle" value="<?php if(isset($Tradetracker_colortitle_val)){ echo esc_attr($Tradetracker_colortitle_val);} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>> 
             <a href="http://www.2createawebsite.com/build/hex-colors.html#colorgenerator" target="_blank">Color Picker</a> <?php _e("(use hex code including #. Like: #000000)", 'tradetracker-store' ); ?>
         </td>
@@ -388 +388 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_colorimagebg_name; ?>" class="target" id="layoutcolorimagebg" value="<?php if(isset($Tradetracker_colorimagebg_val)){ echo $Tradetracker_colorimagebg_val;} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
+            <input type="text" name="<?php echo $Tradetracker_colorimagebg_name; ?>" class="target" id="layoutcolorimagebg" value="<?php if(isset($Tradetracker_colorimagebg_val)){ echo esc_attr($Tradetracker_colorimagebg_val);} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
         </td>
     </tr>
@@ -399 +399 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_colorfooter_name; ?>" class="target" id="layoutcolorfooter" value="<?php if(isset($Tradetracker_colorfooter_val)){ echo $Tradetracker_colorfooter_val;} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
+            <input type="text" name="<?php echo $Tradetracker_colorfooter_name; ?>" class="target" id="layoutcolorfooter" value="<?php if(isset($Tradetracker_colorfooter_val)){ echo esc_attr($Tradetracker_colorfooter_val);} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
         </td>
     </tr>
@@ -409 +409 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_colorborder_name; ?>" class="target" id="layoutcolorborder" value="<?php if(isset($Tradetracker_colorborder_val)){  echo $Tradetracker_colorborder_val;} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
+            <input type="text" name="<?php echo $Tradetracker_colorborder_name; ?>" class="target" id="layoutcolorborder" value="<?php if(isset($Tradetracker_colorborder_val)){  echo esc_attr($Tradetracker_colorborder_val);} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
         </td>
     </tr>
@@ -419 +419 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_colorbutton_name; ?>" class="target" id="layoutcolorbutton" value="<?php if(isset($Tradetracker_colorbutton_val)){ echo $Tradetracker_colorbutton_val;} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
+            <input type="text" name="<?php echo $Tradetracker_colorbutton_name; ?>" class="target" id="layoutcolorbutton" value="<?php if(isset($Tradetracker_colorbutton_val)){ echo esc_attr($Tradetracker_colorbutton_val);} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
         </td>
     </tr>
@@ -429 +429 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_colorbuttonfont_name; ?>" class="target" id="layoutcolorbuttonfont" value="<?php if(isset($Tradetracker_colorbuttonfont_val)){ echo $Tradetracker_colorbuttonfont_val; } ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
+            <input type="text" name="<?php echo $Tradetracker_colorbuttonfont_name; ?>" class="target" id="layoutcolorbuttonfont" value="<?php if(isset($Tradetracker_colorbuttonfont_val)){ echo esc_attr($Tradetracker_colorbuttonfont_val); } ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
         </td>
     </tr>
@@ -439 +439 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_colorfont_name; ?>" class="target" id="layoutcolorfont" value="<?php if(isset($Tradetracker_colorfont_val)){ echo $Tradetracker_colorfont_val;} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
+            <input type="text" name="<?php echo $Tradetracker_colorfont_name; ?>" class="target" id="layoutcolorfont" value="<?php if(isset($Tradetracker_colorfont_val)){ echo esc_attr($Tradetracker_colorfont_val);} ?>" size="20" <?php if($readonlylock == "yes"){echo "readonly";} ?>>
         </td>
     </tr>

tradetracker-store/trunk/menu/menu.css

@@ -136 +136 @@
 
 .ttstore-moreinfo {
+    display: none;
     -moz-transition-duration: 0.4s;
     background: none repeat scroll 0 0 #FFFFFF;

tradetracker-store/trunk/menu/menu.php

@@ -20 +20 @@
 function ttstore_admin_css() {
     wp_enqueue_style( 'TTStore_Admin_menu', plugins_url( 'menu.css' , __FILE__ ), array(), '1.0' );
-    wp_enqueue_script('loadjsttadmin', plugins_url( 'expand.js' , __FILE__ ));
+    wp_enqueue_script('loadjsttadmin', TT_STORE_pluginurl. 'menu/expand.js');
         wp_localize_script( 'loadjsttadmin', 'ttstoreexpand_object',
         array( 
-            'imgurl' => plugin_dir_url( __DIR__ ).'/images/more.png'
+            'imgurl' => TT_STORE_pluginurl.'images/more.png'
         )
         );
@@ -42 +42 @@
 
 <style type="text/css" media="screen">
-#ttstorebox { width:<?php echo $adminwidth; ?>px; }
-#ttstoreboxtop {width: <?php echo $adminwidth-10; ?>px;}
-#ttstoreboxoptions {width:<?php echo $adminwidth-10; ?>px;}
-#ttstoreboxbottom {width: <?php echo $adminwidth-10; ?>px;}
+#ttstorebox { width:<?php echo esc_attr($adminwidth); ?>px; }
+#ttstoreboxtop {width: <?php echo esc_attr($adminwidth-10); ?>px;}
+#ttstoreboxoptions {width:<?php echo esc_attr($adminwidth-10); ?>px;}
+#ttstoreboxbottom {width: <?php echo esc_attr($adminwidth-10); ?>px;}
 </style>
 <?php
@@ -225 +225 @@
         ".$menuarray[$row]["Vink"]."
     </div>";
-$readmore .= "<img src=\"".plugins_url( 'images\more.png' , __FILE__ )."\" style=\"border:0;\" border=\"0\" name=\"img".$menuarray[$row]["Name"]."\" width=\"0\" height=\"0\">
+$readmore .= "<img src=\"".plugins_url( 'images\more.png' , __FILE__ )."\" style=\"border:0;\" border=\"0\" id=\"img".$menuarray[$row]["Name"]."\" width=\"0\" height=\"0\">
     <div style=\"display: none;\" id=\"".$menuarray[$row]["Name"]."\" class=\"ttstore-moreinfo\">
         ".$menuarray[$row]["Longdesc"]."
@@ -231 +231 @@
     $i++;
     if($i=="3"){
-        echo $readmore;
+        echo wp_kses_post($readmore);
         $i=0;
         $readmore="";
@@ -237 +237 @@
     
 }
-echo $readmore;
+echo wp_kses_post($readmore);
 echo "</div>";
 
@@ -259 +259 @@
     $site_dir = $foldercache.'sites.xml';
     if (!file_exists($site_dir)) {
-        $site_dir = 'https://wpaffiliatefeed.com/tradetracker-store/sites.xml'; 
-        $ch = curl_init($site_dir);
-        $fp = fopen($foldercache."sites.xml", "w");
-        curl_setopt($ch, CURLOPT_HEADER, 0);
-        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-        curl_setopt($ch, CURLOPT_FILE, $fp);
-        curl_exec($ch);
-        curl_close($ch);
-        fclose($fp);
+            $url = 'https://wpaffiliatefeed.com/tradetracker-store/sites.xml';
+            $permfile = TT_STORE_plugipath."cache/sites.xml";
+            $tmpfile = download_url( $url, $timeout = 300 );
+            copy( $tmpfile, $permfile );
+            unlink( $tmpfile ); 
         $site_dir = fopen($foldercache."sites.xml","r");
     } 
@@ -275 +271 @@
         foreach($sites as $site) // loop through our items
         {
-        echo "<li><a href=\"".$site->siteadres."\" target=\"_blank\">".$site->sitenaam."</a>";      
+        echo "<li><a href=\"".esc_url($site->siteadres)."\" target=\"_blank\">".esc_attr($site->sitenaam)."</a>";       
         }
     }
@@ -301 +297 @@
         foreach($news as $newsmsg) // loop through our items
         {
-            echo "<strong><a href=\"".$newsmsg->item->link."\">".$newsmsg->item->title."</a></strong><br><strong>Posted: ".date("d M Y",strtotime($newsmsg->item->pubDate))."</strong><br>".$newsmsg->item->description."";
+            echo "<strong><a href=\"".esc_url($newsmsg->item->link)."\">".esc_attr($newsmsg->item->title)."</a></strong><br><strong>Posted: ".date("d M Y",strtotime($newsmsg->item->pubDate))."</strong><br>".esc_attr($newsmsg->item->description)."";
         }
     }

tradetracker-store/trunk/menu/news.php

@@ -14 +14 @@
         foreach($news->channel->item as $newsmsg) // loop through our items
         {
-            echo "<li><strong><a href=\"".$newsmsg->link."\">".$newsmsg->title."</a></strong><br><strong>Posted: ".date("d M Y",strtotime($newsmsg->pubDate))."</strong><br>".$newsmsg->description."</li>";
+            echo "<li><strong><a href=\"".esc_url($newsmsg->link)."\">".esc_attr($newsmsg->title)."</a></strong><br><strong>Posted: ".date("d M Y",strtotime($newsmsg->pubDate))."</strong><br>".esc_attr($newsmsg->description)."</li>";
         }
     echo "</ul>";

tradetracker-store/trunk/menu/pluginsettings.php

@@ -49 +49 @@
     //see if form has been submitted
     if( isset($_POST[ $ttstoresubmit ]) && $_POST[ $ttstoresubmit ] == 'Y' ) {
-        $Tradetracker_fancylink_val = sanitize_text_field($_POST[ $Tradetracker_fancylink_name ]);
-        $Tradetracker_debugemail_val = sanitize_text_field($_POST[ $Tradetracker_debugemail_name ]);
-        $Tradetracker_importtool_val = sanitize_text_field($_POST[ $Tradetracker_importtool_name ]);
-        $Tradetracker_loadextra_val = sanitize_text_field($_POST[ $Tradetracker_loadextra_name ]);
-        $Tradetracker_removelayout_val = sanitize_text_field($_POST[ $Tradetracker_removelayout_name ]);
-        $Tradetracker_removestores_val = sanitize_text_field($_POST[ $Tradetracker_removestores_name ]);
-        $Tradetracker_removeproducts_val = sanitize_text_field($_POST[ $Tradetracker_removeproducts_name ]);
-        $Tradetracker_removexml_val = sanitize_text_field($_POST[ $Tradetracker_removexml_name ]);
-        $Tradetracker_removeother_val = sanitize_text_field($_POST[ $Tradetracker_removeother_name ]);
-        $Tradetracker_adminheight_val = sanitize_text_field($_POST[ $Tradetracker_adminheight_name ]);
-        $Tradetracker_adminwidth_val = sanitize_text_field($_POST[ $Tradetracker_adminwidth_name ]);
-        $Tradetracker_showurl_val = sanitize_text_field($_POST[ $Tradetracker_showurl_name ]);
-        $Tradetracker_usecss_val = sanitize_text_field($_POST[ $Tradetracker_usecss_name ]);
-        $Tradetracker_csslink_val = sanitize_text_field($_POST[ $Tradetracker_csslink_name ]);
-        $Tradetracker_TTnewcategory_val = sanitize_text_field($_POST[ $Tradetracker_TTnewcategory_name ]);
-        $Tradetracker_slidertheme_val = sanitize_text_field($_POST[ $Tradetracker_slidertheme_name ]);
-        $Tradetracker_sliderenable_val = sanitize_text_field($_POST[ $Tradetracker_sliderenable_name ]);
+        $Tradetracker_fancylink_val = ttstore_sanitize($_POST[ $Tradetracker_fancylink_name ]);
+        $Tradetracker_debugemail_val = ttstore_sanitize($_POST[ $Tradetracker_debugemail_name ]);
+        $Tradetracker_importtool_val = ttstore_sanitize($_POST[ $Tradetracker_importtool_name ]);
+        $Tradetracker_loadextra_val = ttstore_sanitize($_POST[ $Tradetracker_loadextra_name ]);
+        $Tradetracker_removelayout_val = ttstore_sanitize($_POST[ $Tradetracker_removelayout_name ]);
+        $Tradetracker_removestores_val = ttstore_sanitize($_POST[ $Tradetracker_removestores_name ]);
+        $Tradetracker_removeproducts_val = ttstore_sanitize($_POST[ $Tradetracker_removeproducts_name ]);
+        $Tradetracker_removexml_val = ttstore_sanitize($_POST[ $Tradetracker_removexml_name ]);
+        $Tradetracker_removeother_val = ttstore_sanitize($_POST[ $Tradetracker_removeother_name ]);
+        $Tradetracker_adminheight_val = ttstore_sanitize($_POST[ $Tradetracker_adminheight_name ]);
+        $Tradetracker_adminwidth_val = ttstore_sanitize($_POST[ $Tradetracker_adminwidth_name ]);
+        $Tradetracker_showurl_val = ttstore_sanitize($_POST[ $Tradetracker_showurl_name ]);
+        $Tradetracker_usecss_val = ttstore_sanitize($_POST[ $Tradetracker_usecss_name ]);
+        $Tradetracker_csslink_val = ttstore_sanitize($_POST[ $Tradetracker_csslink_name ]);
+        $Tradetracker_TTnewcategory_val = ttstore_sanitize($_POST[ $Tradetracker_TTnewcategory_name ]);
+        $Tradetracker_slidertheme_val = ttstore_sanitize($_POST[ $Tradetracker_slidertheme_name ]);
+        $Tradetracker_sliderenable_val = ttstore_sanitize($_POST[ $Tradetracker_sliderenable_name ]);
 
         if ( get_option("Tradetracker_fancylink")  != $Tradetracker_fancylink_val) {
@@ -128 +128 @@
 
 <div  id="TB_overlay" class="TB_overlayBG"></div>
-<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo $adminwidth; ?>px;">
+<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo esc_attr($adminwidth); ?>px;">
     <div id="ttstorebox">
     <form name="form1" method="post" action="">
@@ -140 +140 @@
             </div>
         </div>
-        <div id="ttstoreboxoptions" style="max-height:<?php echo $adminheight; ?>px;">
-            <table width="<?php echo $adminwidth-15; ?>">
+        <div id="ttstoreboxoptions" style="max-height:<?php echo esc_attr($adminheight); ?>px;">
+            <table width="<?php echo esc_attr($adminwidth)-15; ?>">
                 <tr>
                     <td width="400px">
@@ -151 +151 @@
                     </td>
                     <td>
-                        <input type="radio" name="<?php echo $Tradetracker_TTnewcategory_name; ?>" <?php if($Tradetracker_TTnewcategory_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store');?>
-                        <br>
-                        <input type="radio" name="<?php echo $Tradetracker_TTnewcategory_name; ?>" <?php if($Tradetracker_TTnewcategory_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store');?>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_TTnewcategory_name); ?>" <?php if($Tradetracker_TTnewcategory_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store');?>
+                        <br>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_TTnewcategory_name); ?>" <?php if($Tradetracker_TTnewcategory_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store');?>
                     </td>
                 </tr>
@@ -168 +168 @@
                     </td>
                     <td>
-                        <input type="radio" name="<?php echo $Tradetracker_sliderenable_name; ?>" <?php if($Tradetracker_sliderenable_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store');?>
-                        <br>
-                        <input type="radio" name="<?php echo $Tradetracker_sliderenable_name; ?>" <?php if($Tradetracker_sliderenable_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store');?>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_sliderenable_name); ?>" <?php if($Tradetracker_sliderenable_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store');?>
+                        <br>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_sliderenable_name); ?>" <?php if($Tradetracker_sliderenable_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store');?>
                     </td>
                 </tr>
@@ -182 +182 @@
                     </td>
                     <td>
-                        <select name="<?php echo $Tradetracker_slidertheme_name; ?>">
+                        <select name="<?php echo esc_attr($Tradetracker_slidertheme_name); ?>">
                             <option <?php if($Tradetracker_slidertheme_val == "base") { echo "selected=\"selected\""; } ?> value="base">Base</option>
                             <option <?php if($Tradetracker_slidertheme_val == "ui-lightness") { echo "selected=\"selected\""; } ?> value="ui-lightness">Ui Lightness</option>
@@ -226 +226 @@
                     </td>
                     <td>
-                        <input type="radio" name="<?php echo $Tradetracker_usecss_name; ?>" <?php if($Tradetracker_usecss_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store');?>
-                        <br>
-                        <input type="radio" name="<?php echo $Tradetracker_usecss_name; ?>" <?php if($Tradetracker_usecss_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store');?>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_usecss_name); ?>" <?php if($Tradetracker_usecss_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store');?>
+                        <br>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_usecss_name); ?>" <?php if($Tradetracker_usecss_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store');?>
                     </td>
                 </tr>
@@ -238 +238 @@
                     </td>
                     <td>
-                        <input type="text" name="<?php echo $Tradetracker_csslink_name; ?>" value="<?php echo $Tradetracker_csslink_val; ?>" size="70"> <br />
+                        <input type="text" name="<?php echo esc_attr($Tradetracker_csslink_name); ?>" value="<?php echo esc_attr($Tradetracker_csslink_val); ?>" size="70"> <br />
 <?php $exampleurl = plugins_url( 'style.css' , __FILE__ ); ?>
 <?php printf(__('Make sure this is not saved in the plugins folder. Cause that will be overwritten with an update. For an example go to <a href="%s" target="_blank">here</a>','tradetracker-store'),$exampleurl);?>
@@ -255 +255 @@
                     </td>
                     <td>
-                        <input type="radio" name="<?php echo $Tradetracker_debugemail_name; ?>" <?php if($Tradetracker_debugemail_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store');?>
-                        <br>
-                        <input type="radio" name="<?php echo $Tradetracker_debugemail_name; ?>" <?php if($Tradetracker_debugemail_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store');?>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_debugemail_name); ?>" <?php if($Tradetracker_debugemail_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store');?>
+                        <br>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_debugemail_name); ?>" <?php if($Tradetracker_debugemail_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store');?>
                     </td>
                 </tr>
@@ -267 +267 @@
                     </td>
                     <td>
-                        <input type="radio" name="<?php echo $Tradetracker_fancylink_name; ?>" <?php if($Tradetracker_fancylink_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store');?>
-                        <br>
-                        <input type="radio" name="<?php echo $Tradetracker_fancylink_name; ?>" <?php if($Tradetracker_fancylink_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store');?>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_fancylink_name); ?>" <?php if($Tradetracker_fancylink_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store');?>
+                        <br>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_fancylink_name); ?>" <?php if($Tradetracker_fancylink_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store');?>
                     </td>
                 </tr>
@@ -280 +280 @@
                     <td>
                         <?php if (ini_get('allow_url_fopen') == true) { ?>
-                            <input type="radio" name="<?php echo $Tradetracker_importtool_name; ?>" <?php if($Tradetracker_importtool_val==1) {echo "checked";} ?> value="1"> <?php _e('Fopen (most reliable)','tradetracker-store'); ?>
+                            <input type="radio" name="<?php echo esc_attr($Tradetracker_importtool_name); ?>" <?php if($Tradetracker_importtool_val==1) {echo "checked";} ?> value="1"> <?php _e('Fopen (most reliable)','tradetracker-store'); ?>
                         <?php } ?>
                         <?php if (function_exists('curl_init')) { ?>
                             <br>
-                            <input type="radio" name="<?php echo $Tradetracker_importtool_name; ?>" <?php if($Tradetracker_importtool_val==2){echo "checked";} ?> value="2"> <?php _e('Curl/Fwrite (can run out of memory)','tradetracker-store'); ?>
+                            <input type="radio" name="<?php echo esc_attr($Tradetracker_importtool_name); ?>" <?php if($Tradetracker_importtool_val==2){echo "checked";} ?> value="2"> <?php _e('Curl/Fwrite (can run out of memory)','tradetracker-store'); ?>
                             <br>
-                            <input type="radio" name="<?php echo $Tradetracker_importtool_name; ?>" <?php if($Tradetracker_importtool_val==3){echo "checked";} ?> value="3"> <?php _e('Curl (sometimes causes issues)','tradetracker-store'); ?>
+                            <input type="radio" name="<?php echo esc_attr($Tradetracker_importtool_name); ?>" <?php if($Tradetracker_importtool_val==3){echo "checked";} ?> value="3"> <?php _e('Curl (sometimes causes issues)','tradetracker-store'); ?>
                         <?php } ?>
                     </td>
@@ -297 +297 @@
                     </td>
                     <td>
-                        <input type="radio" name="<?php echo $Tradetracker_loadextra_name; ?>" <?php if($Tradetracker_loadextra_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
-                        <br>
-                        <input type="radio" name="<?php echo $Tradetracker_loadextra_name; ?>" <?php if($Tradetracker_loadextra_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?> <?php _e('(Can prevent timeouts, But then you cannot show extra fields)','tradetracker-store'); ?>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_loadextra_name); ?>" <?php if($Tradetracker_loadextra_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
+                        <br>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_loadextra_name); ?>" <?php if($Tradetracker_loadextra_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?> <?php _e('(Can prevent timeouts, But then you cannot show extra fields)','tradetracker-store'); ?>
                     </td>
                 </tr>
@@ -309 +309 @@
                     </td>
                     <td>
-                        <input type="text" name="<?php echo $Tradetracker_adminheight_name; ?>" value="<?php echo $Tradetracker_adminheight_val; ?>" size="20">
+                        <input type="text" name="<?php echo esc_attr($Tradetracker_adminheight_name); ?>" value="<?php echo esc_attr($Tradetracker_adminheight_val); ?>" size="20">
                     </td>
                 </tr>
@@ -319 +319 @@
                     </td>
                     <td>
-                        <input type="text" name="<?php echo $Tradetracker_adminwidth_name; ?>" value="<?php echo $Tradetracker_adminwidth_val; ?>" size="20">
+                        <input type="text" name="<?php echo esc_attr($Tradetracker_adminwidth_name); ?>" value="<?php echo esc_attr($Tradetracker_adminwidth_val); ?>" size="20">
                     </td>
                 </tr>
@@ -329 +329 @@
                     </td>
                     <td>
-                        <input type="radio" name="<?php echo $Tradetracker_showurl_name; ?>" <?php if($Tradetracker_showurl_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
-                        <br>
-                        <input type="radio" name="<?php echo $Tradetracker_showurl_name; ?>" <?php if($Tradetracker_showurl_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_showurl_name); ?>" <?php if($Tradetracker_showurl_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
+                        <br>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_showurl_name); ?>" <?php if($Tradetracker_showurl_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
                     </td>
                 </tr>
@@ -346 +346 @@
                     </td>
                     <td>
-                        <input type="radio" name="<?php echo $Tradetracker_removelayout_name; ?>" <?php if($Tradetracker_removelayout_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?> 
-                        <br>
-                        <input type="radio" name="<?php echo $Tradetracker_removelayout_name; ?>" <?php if($Tradetracker_removelayout_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_removelayout_name); ?>" <?php if($Tradetracker_removelayout_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?> 
+                        <br>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_removelayout_name); ?>" <?php if($Tradetracker_removelayout_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
                     </td>
                 </tr>
@@ -358 +358 @@
                     </td>
                     <td>
-                        <input type="radio" name="<?php echo $Tradetracker_removestores_name; ?>" <?php if($Tradetracker_removestores_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
-                        <br>
-                        <input type="radio" name="<?php echo $Tradetracker_removestores_name; ?>" <?php if($Tradetracker_removestores_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_removestores_name); ?>" <?php if($Tradetracker_removestores_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
+                        <br>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_removestores_name); ?>" <?php if($Tradetracker_removestores_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
                     </td>
                 </tr>
@@ -370 +370 @@
                     </td>
                     <td>
-                        <input type="radio" name="<?php echo $Tradetracker_removeproducts_name; ?>" <?php if($Tradetracker_removeproducts_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
-                        <br>
-                        <input type="radio" name="<?php echo $Tradetracker_removeproducts_name; ?>" <?php if($Tradetracker_removeproducts_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_removeproducts_name); ?>" <?php if($Tradetracker_removeproducts_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
+                        <br>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_removeproducts_name); ?>" <?php if($Tradetracker_removeproducts_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
                     </td>
                 </tr>
@@ -382 +382 @@
                     </td>
                     <td>
-                        <input type="radio" name="<?php echo $Tradetracker_removexml_name; ?>" <?php if($Tradetracker_removexml_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
-                        <br>
-                        <input type="radio" name="<?php echo $Tradetracker_removexml_name; ?>" <?php if($Tradetracker_removexml_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_removexml_name); ?>" <?php if($Tradetracker_removexml_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
+                        <br>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_removexml_name); ?>" <?php if($Tradetracker_removexml_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
                     </td>
                 </tr>
@@ -394 +394 @@
                     </td>
                     <td>
-                        <input type="radio" name="<?php echo $Tradetracker_removeother_name; ?>" <?php if($Tradetracker_removeother_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
-                        <br>
-                        <input type="radio" name="<?php echo $Tradetracker_removeother_name; ?>" <?php if($Tradetracker_removeother_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_removeother_name); ?>" <?php if($Tradetracker_removeother_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
+                        <br>
+                        <input type="radio" name="<?php echo esc_attr($Tradetracker_removeother_name); ?>" <?php if($Tradetracker_removeother_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
                     </td>
                 </tr>
@@ -404 +404 @@
             <?php
                 if(isset($saved)){
-                    echo $saved;
+                    echo wp_kses_post($saved);
                 }
             ?>

tradetracker-store/trunk/menu/premium.php

@@ -13 +13 @@
     //see if form has been submitted
     if( isset($_POST[ $ttstoresubmit ]) && $_POST[ $ttstoresubmit ] == 'Y' ) {
-            $premiumapi = $_POST['premiumapi'];
-            if (is_array($premiumapi)) {
-            foreach ($premiumapi as &$tag) {
-                $tag = esc_attr($tag);
-            }
-            unset($tag );
-        } else {
-            $premiumapi = esc_attr($premiumapi);
-        }
-            $premiumprov = $_POST['premiumprov'];
-            if (is_array($premiumprov)) {
-            foreach ($premiumprov as &$tag) {
-                $tag = esc_attr($tag);
-            }
-            unset($tag );
-        } else {
-            $premiumprov = esc_attr($premiumprov);
-        }
+            $premiumapi = ttstore_sanitize($_POST['premiumapi']);
+            $premiumprov = ttstore_sanitize($_POST['premiumprov']);
         $Tradetracker_premiumprov_val = $premiumprov;
-        $Tradetracker_premiumapi_val = str_replace(" ","", $_POST['premiumapi']);
+        $Tradetracker_premiumapi_val = str_replace(" ","", ttstore_sanitize($_POST['premiumapi']));
         $remove_null_number = true;
         $Tradetracker_premiumapi_val = array_combine($Tradetracker_premiumprov_val, $Tradetracker_premiumapi_val);
         if ( get_option("Tradetracker_premiumapi")  != $Tradetracker_premiumapi_val) {
-            echo "and this";
             update_option( $Tradetracker_premiumapi_name, $Tradetracker_premiumapi_val );
             update_option('Tradetracker_premiumupdate', "" );
@@ -49 +32 @@
 <?php $adminheight = get_option("Tradetracker_adminheight"); ?>
 <div  id="TB_overlay" class="TB_overlayBG"></div>
-<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo $adminwidth; ?>px;">
+<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo esc_attr($adminwidth); ?>px;">
     <div id="ttstorebox">
     <form name="form1" method="post" action="">
@@ -61 +44 @@
             </div>
         </div>
-        <div id="ttstoreboxoptions" style="max-height:<?php echo $adminheight; ?>px;">
-        <table width="<?php echo $adminwidth-15; ?>">
+        <div id="ttstoreboxoptions" style="max-height:<?php echo esc_attr($adminheight); ?>px;">
+        <table width="<?php echo esc_attr($adminwidth)-15; ?>">
         <tr><td colspan="2"><b><?php _e('Add extra productfeed providers','tradetracker-store'); ?></b></td></tr>
     <?php
@@ -80 +63 @@
             <tr>
                 <td>
-                    <label for="<?php echo $key; ?>" title="<?php printf(__('If you bought an API key to use %s please fill it in here.','tradetracker-store'),$key); ?>" class="info">
+                    <label for="<?php echo esc_attr($key); ?>" title="<?php printf(__('If you bought an API key to use %s please fill it in here.','tradetracker-store'),$key); ?>" class="info">
                         <?php printf(__('%s APIKey:', 'tradetracker-store'),$key); ?> 
                     </label> 
                 </td>
                 <td>
-                    <input type="hidden" name="premiumprov[<?php echo $i;?>]" value="<?php echo $key; ?>">
-                    <input type="text" name="premiumapi[<?php echo $i;?>]" value="<?php echo $Tradetracker_premiumapi_val[$key]; ?>" size="40"> <?php echo $accepted; ?>
+                    <input type="hidden" name="premiumprov[<?php echo esc_attr($i);?>]" value="<?php echo esc_attr($key); ?>">
+                    <input type="text" name="premiumapi[<?php echo esc_attr($i);?>]" value="<?php echo esc_attr($Tradetracker_premiumapi_val[$key]); ?>" size="40"> <?php echo esc_attr($accepted); ?>
                 </td>
             </tr>
@@ -110 +93 @@
             <tr>
                 <td>
-                    <label for="<?php echo $key; ?>" title="<?php printf(__('If you bought an API key to use %s please fill it in here.','tradetracker-store'),$key); ?>" class="info">
+                    <label for="<?php echo esc_attr($key); ?>" title="<?php printf(__('If you bought an API key to use %s please fill it in here.','tradetracker-store'),$key); ?>" class="info">
                         <?php printf(__('%s APIKey:', 'tradetracker-store'),$key); ?> 
                     </label> 
                 </td>
                 <td>
-                    <input type="hidden" name="premiumprov[<?php echo $i;?>]" value="<?php echo $key; ?>">
-                    <input type="text" name="premiumapi[<?php echo $i;?>]" value="<?php echo $Tradetracker_premiumapi_val[$key]; ?>" size="40"> <?php echo $accepted; ?>
+                    <input type="hidden" name="premiumprov[<?php echo esc_attr($i);?>]" value="<?php echo esc_attr($key); ?>">
+                    <input type="text" name="premiumapi[<?php echo esc_attr($i);?>]" value="<?php echo esc_attr($Tradetracker_premiumapi_val[$key]); ?>" size="40"> <?php echo esc_attr($accepted); ?>
                 </td>
             </tr>
@@ -128 +111 @@
             <?php
                 if(isset($saved)){
-                    echo $saved;
+                    echo wp_kses_post($saved);
                 }
             ?>

tradetracker-store/trunk/menu/releaselog.php

@@ -14 +14 @@
         foreach($rllog->channel->item as $newsmsg) // loop through our items
         {
-            echo "<li><strong><a href=\"".$newsmsg->link."\">".$newsmsg->title."</a></strong><br><strong>Posted: ".date("d M Y",strtotime($newsmsg->pubDate))."</strong><br>".$newsmsg->description."</li>";
+            echo "<li><strong><a href=\"".esc_url($newsmsg->link)."\">".esc_attr($newsmsg->title)."</a></strong><br><strong>Posted: ".date("d M Y",strtotime($newsmsg->pubDate))."</strong><br>".esc_attr($newsmsg->description)."</li>";
         }
     echo "</ul>";

tradetracker-store/trunk/menu/search.php

@@ -18 +18 @@
 
         //get posted data
-        $Tradetracker_searchlayout_val = sanitize_text_field($_POST[ $Tradetracker_searchlayout_name ]);
+        $Tradetracker_searchlayout_val = ttstore_sanitize($_POST[ $Tradetracker_searchlayout_name ]);
 
         //save the posted value in the database
@@ -33 +33 @@
 <?php $adminheight = get_option("Tradetracker_adminheight"); ?>
 <div  id="TB_overlay" class="TB_overlayBG"></div>
-<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo $adminwidth; ?>px;">
+<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo esc_attr($adminwidth); ?>px;">
     <div id="ttstorebox">
     <form name="form1" method="post" action="">
@@ -45 +45 @@
             </div>
         </div>
-        <div id="ttstoreboxoptions" style="max-height:<?php echo $adminheight; ?>px;">
-            <table width="<?php echo $adminwidth-15; ?>">
+        <div id="ttstoreboxoptions" style="max-height:<?php echo esc_attr($adminheight); ?>px;">
+            <table width="<?php echo esc_attr($adminwidth)-15; ?>">
     <tr>
         <td>
@@ -54 +54 @@
         </td>
         <td>
-            <select width="200" style="width: 200px" name="<?php echo $Tradetracker_searchlayout_name; ?>">
+            <select width="200" style="width: 200px" name="<?php echo esc_attr($Tradetracker_searchlayout_name); ?>">
 <?php
 
@@ -62 +62 @@
 
             if($layout_val->id == get_option("Tradetracker_searchlayout")) {
-                echo "<option selected=\"selected\" value=\"".$layout_val->id."\">$layout_val->multiname</option>";
+                echo "<option selected=\"selected\" value=\"".esc_attr($layout_val->id)."\">$layout_val->multiname</option>";
             } else {
-                echo "<option value=\"".$layout_val->id."\">$layout_val->multiname</option>";
+                echo "<option value=\"".esc_attr($layout_val->id)."\">$layout_val->multiname</option>";
             }
         }
@@ -82 +82 @@
             <?php
                 if(isset($saved)){
-                    echo $saved;
+                    echo wp_kses_post($saved);
                 }
             ?>

tradetracker-store/trunk/menu/showlayout.php

@@ -1 +1 @@
 <?php
-$name = esc_attr($_POST['layoutname']);
-$width = esc_attr($_POST['layoutwidth']);
+$name = ttstore_sanitize($_POST['layoutname']);
+$width = ttstore_sanitize($_POST['layoutwidth']);
 if($width == ""){
     $width="200";
 }
-$font = esc_attr($_POST['layoutfont']);
-$fontsize = esc_attr($_POST['layoutfontsize']);
-$colortitle = esc_attr($_POST['layoutcolortitle']);
-$colorimagebg = esc_attr($_POST['layoutcolorimagebg']);
-$colorfooter = esc_attr($_POST['layoutcolorfooter']);
-$colorborder = esc_attr($_POST['layoutcolorborder']);
-$colorbutton = esc_attr($_POST['layoutcolorbutton']);
-$colorbuttonfont = esc_attr($_POST['layoutcolorbuttonfont']);
-$colorfont = esc_attr($_POST['layoutcolorfont']);
+$font = ttstore_sanitize($_POST['layoutfont']);
+$fontsize = ttstore_sanitize($_POST['layoutfontsize']);
+$colortitle = ttstore_sanitize($_POST['layoutcolortitle']);
+$colorimagebg = ttstore_sanitize($_POST['layoutcolorimagebg']);
+$colorfooter = ttstore_sanitize($_POST['layoutcolorfooter']);
+$colorborder = ttstore_sanitize($_POST['layoutcolorborder']);
+$colorbutton = ttstore_sanitize($_POST['layoutcolorbutton']);
+$colorbuttonfont = ttstore_sanitize($_POST['layoutcolorbuttonfont']);
+$colorfont = ttstore_sanitize($_POST['layoutcolorfont']);
 
 
 $widthtitle = $width-6;
 echo "<style type=\"text/css\" media=\"screen\">";
-echo ".store-outerbox{width:".$width."px;color:".$colorfont.";font-family:".$font.";float:left;min-height:353px;border:solid 1px ".$colorborder.";position:relative;}";
-echo ".store-titel{width:".$widthtitle."px;background-color:".$colortitle.";color:".$colorfont.";float:left;position:relative;height:30px;line-height:15px;font-size:".$fontsize."px;padding:3px;font-weight:bold;text-align:center;}";
-echo ".store-image{width:".$width."px;height:180px;padding:0px;overflow:hidden;margin: auto;background-color:".$colorimagebg.";}";
+echo ".store-outerbox{width:".esc_attr($width)."px;color:".esc_attr($colorfont).";font-family:".esc_attr($font).";float:left;min-height:353px;border:solid 1px ".esc_attr($colorborder).";position:relative;}";
+echo ".store-titel{width:".esc_attr($widthtitle)."px;background-color:".esc_attr($colortitle).";color:".esc_attr($colorfont).";float:left;position:relative;height:30px;line-height:15px;font-size:".esc_attr($fontsize)."px;padding:3px;font-weight:bold;text-align:center;}";
+echo ".store-image{width:".esc_attr($width)."px;height:180px;padding:0px;overflow:hidden;margin: auto;background-color:".esc_attr($colorimagebg).";}";
 echo ".store-image img{display: block;border:0px;margin: auto;}";
-echo ".store-footer{width:".$width."px;background-color:".$colorfooter.";float:left;position:relative;min-height:137px;}";
-echo ".store-description{width:".$widthtitle."px;color:".$colorfont.";position:relative;top:5px;left:5px;height:90px;line-height:14px;font-size:".$fontsize."px;overflow:auto;}";
-echo ".store-more{min-height:20px; width:".$widthtitle."px;position: relative;float: left;margin-top:10px;margin-left:5px;margin-bottom: 5px;}";
+echo ".store-footer{width:".esc_attr($width)."px;background-color:".esc_attr($colorfooter).";float:left;position:relative;min-height:137px;}";
+echo ".store-description{width:".esc_attr($widthtitle)."px;color:".esc_attr($colorfont).";position:relative;top:5px;left:5px;height:90px;line-height:14px;font-size:".esc_attr($fontsize)."px;overflow:auto;}";
+echo ".store-more{min-height:20px; width:".esc_attr($widthtitle)."px;position: relative;float: left;margin-top:10px;margin-left:5px;margin-bottom: 5px;}";
 echo ".store-more img{margin:0px !important;}";
-echo ".store-price {border: 0 solid #65B9C1;color: #4E4E4E !important;float: right;font-size: ".$fontsize."px !important;font-weight: bold !important;height: 30px !important;position: relative;text-align: center !important;width: 80px !important;}";
-echo ".store-price table {background-color: ".$colorfooter." !important;border: 1px none !important;border-collapse: inherit !important;float: right;margin-left: 1px;margin-top: 1px;text-align: center !important;}";
+echo ".store-price {border: 0 solid #65B9C1;color: #4E4E4E !important;float: right;font-size: ".esc_attr($fontsize)."px !important;font-weight: bold !important;height: 30px !important;position: relative;text-align: center !important;width: 80px !important;}";
+echo ".store-price table {background-color: ".esc_attr($colorfooter)." !important;border: 1px none !important;border-collapse: inherit !important;float: right;margin-left: 1px;margin-top: 1px;text-align: center !important;}";
 echo ".store-price table tr {padding: 1px !important;}";
 echo ".store-price table tr td {padding: 1px !important;}";
 echo ".store-price table td, table th, table tr {border: 1px solid #CCCCCC;padding: 0 !important;}";
-echo ".store-price table td.euros {font-size: ".$fontsize."px !important;letter-spacing: -1px !important; }";
-echo ".store-price {background-color: ".$colorborder." !important;}";
-echo ".buttons a, .buttons button {height:18px;background-color: ".$colorbutton.";border: 1px solid ".$colorbutton.";bottom: 0;color: ".$colorbuttonfont.";cursor: pointer;display: block;float: left;font-size: ".$fontsize."px;font-weight: bold;margin-top: 0;padding: 5px 10px 5px 7px;position: relative;text-decoration: none;width: 100px;}";
+echo ".store-price table td.euros {font-size: ".esc_attr($fontsize)."px !important;letter-spacing: -1px !important; }";
+echo ".store-price {background-color: ".esc_attr($colorborder)." !important;}";
+echo ".buttons a, .buttons button {height:18px;background-color: ".esc_attr($colorbutton).";border: 1px solid ".esc_attr($colorbutton).";bottom: 0;color: ".esc_attr($colorbuttonfont).";cursor: pointer;display: block;float: left;font-size: ".esc_attr($fontsize)."px;font-weight: bold;margin-top: 0;padding: 5px 10px 5px 7px;position: relative;text-decoration: none;width: 100px;}";
 echo ".buttons button {overflow: visible;padding: 4px 10px 3px 7px;width: auto;}";
 echo ".buttons button[type] {line-height: 17px;padding: 5px 10px 5px 7px;}";
 echo ":first-child + html button[type] {padding: 4px 10px 3px 7px;}";
 echo ".buttons button img, .buttons a img {border: medium none;margin: 0 3px -3px 0 !important;padding: 0;}";
-echo ".button.regular, .buttons a.regular {color: ".$colorbuttonfont.";}";
-echo ".buttons a.regular:hover, button.regular:hover {background-color: #4E4E4E;border: 1px solid #4E4E4E;color: ".$colorbuttonfont.";}";
-echo ".buttons a.regular:active {background-color: #FFFFFF;border: 1px solid ".$colorbutton.";color: ".$colorbuttonfont.";}";
+echo ".button.regular, .buttons a.regular {color: ".esc_attr($colorbuttonfont).";}";
+echo ".buttons a.regular:hover, button.regular:hover {background-color: #4E4E4E;border: 1px solid #4E4E4E;color: ".esc_attr($colorbuttonfont).";}";
+echo ".buttons a.regular:active {background-color: #FFFFFF;border: 1px solid ".esc_attr($colorbutton).";color: ".esc_attr($colorbuttonfont).";}";
 echo "</style>";
 
@@ -46 +46 @@
         <div class="store-outerbox">
             <div class="store-titel">
-                <?php echo $name; ?>
+                <?php echo esc_attr($name); ?>
             </div>          
             <div class="store-image">
-                <img src="" style="max-width:<?php echo $width; ?>px;max-height:180px;">
+                <img src="" style="max-width:<?php echo esc_attr($width); ?>px;max-height:180px;">
             </div>
             <div class="store-footer">
                 <div class="store-description">
-                    The description for the item you can buy using the <?php echo $font; ?> font using font-size <?php echo $fontsize; ?>
+                    The description for the item you can buy using the <?php echo esc_attr($font); ?> font using font-size <?php echo esc_attr($fontsize); ?>
                 </div>
                 <div class="store-more"></div>

tradetracker-store/trunk/menu/store.php

@@ -35 +35 @@
     }
     if(isset($_GET['delete'])){
-        $delete = absint($_GET['delete']);
+        $delete = ttstore_sanitize($_GET['delete']);
         if($delete>"1"){
             $wpdb->query("DELETE FROM ".$ttstoremultitable." WHERE `id` = ".$delete."");
@@ -43 +43 @@
     if (isset($_GET['multiid']) || isset($_POST['multiid'])){
         if(isset($_GET['multiid'])){
-            $multiid = absint($_GET['multiid']);
+            $multiid = ttstore_sanitize($_GET['multiid']);
         } 
         if(isset($_POST['multiid'])){
-            $multiid = absint($_POST['multiid']);
+            $multiid = ttstore_sanitize($_POST['multiid']);
         } 
         $multi=$wpdb->get_results("SELECT buynow, multixmlfeed, multisorting, multiorder,multimaxprice,multiminprice, multicurrency, multiproductpage, multiname, multilayout, multiamount, multipageamount, multilightbox, categories FROM ".$ttstoremultitable." where id='".$multiid."'");
@@ -118 +118 @@
     if( isset($_POST[ $ttstoresubmit ]) && $_POST[ $ttstoresubmit ] == 'Y' ) {
         // Read their posted value
-            $Tradetracker_buynow_val = sanitize_text_field($_POST[ $Tradetracker_buynow_name ]);
-            $Tradetracker_multixmlfeed_val = sanitize_text_field($_POST[ $Tradetracker_multixmlfeed_name ]);
-            $Tradetracker_multiname_val = sanitize_text_field($_POST[ $Tradetracker_multiname_name ]);
-            $Tradetracker_multisorting_val = sanitize_text_field($_POST[ $Tradetracker_multisorting_name ]);
-            $Tradetracker_multiorder_val = sanitize_text_field($_POST[ $Tradetracker_multiorder_name ]);
-            $Tradetracker_multilayout_val = sanitize_text_field($_POST[ $Tradetracker_multilayout_name ]);
-        $Tradetracker_multiamount_val = sanitize_text_field($_POST[ $Tradetracker_multiamount_name ]);
-        $Tradetracker_multipageamount_val = sanitize_text_field($_POST[ $Tradetracker_multipageamount_name ]);
-        $Tradetracker_multilightbox_val = sanitize_text_field($_POST[ $Tradetracker_multilightbox_name ]);
-        $Tradetracker_multiproductpage_val = sanitize_text_field($_POST[ $Tradetracker_multiproductpage_name ]);
-        $Tradetracker_multimaxprice_val = sanitize_text_field($_POST[ $Tradetracker_multimaxprice_name ]);
-        $Tradetracker_multiminprice_val = sanitize_text_field($_POST[ $Tradetracker_multiminprice_name ]);
-        $Tradetracker_multicurrency_val = sanitize_text_field($_POST[ $Tradetracker_multicurrency_name ]);
+            $Tradetracker_buynow_val = ttstore_sanitize($_POST[ $Tradetracker_buynow_name ]);
+            $Tradetracker_multixmlfeed_val = ttstore_sanitize($_POST[ $Tradetracker_multixmlfeed_name ]);
+            $Tradetracker_multiname_val = ttstore_sanitize($_POST[ $Tradetracker_multiname_name ]);
+            $Tradetracker_multisorting_val = ttstore_sanitize($_POST[ $Tradetracker_multisorting_name ]);
+            $Tradetracker_multiorder_val = ttstore_sanitize($_POST[ $Tradetracker_multiorder_name ]);
+            $Tradetracker_multilayout_val = ttstore_sanitize($_POST[ $Tradetracker_multilayout_name ]);
+        $Tradetracker_multiamount_val = ttstore_sanitize($_POST[ $Tradetracker_multiamount_name ]);
+        $Tradetracker_multipageamount_val = ttstore_sanitize($_POST[ $Tradetracker_multipageamount_name ]);
+        $Tradetracker_multilightbox_val = ttstore_sanitize($_POST[ $Tradetracker_multilightbox_name ]);
+        $Tradetracker_multiproductpage_val = ttstore_sanitize($_POST[ $Tradetracker_multiproductpage_name ]);
+        $Tradetracker_multimaxprice_val = ttstore_sanitize($_POST[ $Tradetracker_multimaxprice_name ]);
+        $Tradetracker_multiminprice_val = ttstore_sanitize($_POST[ $Tradetracker_multiminprice_name ]);
+        $Tradetracker_multicurrency_val = ttstore_sanitize($_POST[ $Tradetracker_multicurrency_name ]);
         if(isset($_POST[ $Tradetracker_categories_name ])){
-            $Tradetracker_categories_val = serialize($_POST[ $Tradetracker_categories_name ]);
+            $Tradetracker_categories_val = serialize(ttstore_sanitize($_POST[ $Tradetracker_categories_name ]));
         } else {
             $Tradetracker_categories_val = "";
@@ -218 +218 @@
                 ?>
                 <script type="text/javascript">
-                    window.location.href='<?php echo $exitlink; ?>';
+                    window.location.href='<?php echo esc_url($exitlink); ?>';
                 </script>
                 <?php
@@ -233 +233 @@
 <?php $adminheight = get_option("Tradetracker_adminheight"); ?>
 <div  id="TB_overlay" class="TB_overlayBG"></div>
-<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo $adminwidth; ?>px;">
+<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo esc_attr($adminwidth); ?>px;">
     <div id="ttstorebox">
         <div id="TB_title">
@@ -243 +243 @@
             </div>
         </div>
-        <div id="ttstoreboxoptions" style="max-height:<?php echo $adminheight; ?>px;">
-        <table width="<?php echo $adminwidth-15; ?>">
+        <div id="ttstoreboxoptions" style="max-height:<?php echo esc_attr($adminheight); ?>px;">
+        <table width="<?php echo esc_attr($adminwidth)-15; ?>">
             <tr>
                 <td>
@@ -284 +284 @@
             </tr>
 <?php
-        $sort = $_GET['sort'];
+        $sort = sanitize_text_field($_GET['sort']);
         if(!isset($sort) || $sort == ""){
             $sort = 'id';
@@ -293 +293 @@
             <tr>
                 <td>
-                    <?php echo $store_val->id; ?>
-                </td>
-                <td>
-                    <?php echo $store_val->multiname; ?>
-                </td>
-                <td>
-                    <?php echo $store_val->multisorting; ?>
-                </td>
-                <td>
-                    <?php echo $store_val->multiorder; ?>
-                </td>
-                <td>
-                    <?php echo $store_val->layname; ?>
-                </td>
-                <td>
-                    <?php if ($store_val->multixmlfeed == "*"){_e('All Feeds','tradetracker-store');} else { $xmlfeed=$wpdb->get_var("SELECT xmlname FROM ".$ttstorexmltable." where id=".$store_val->multixmlfeed.""); echo $xmlfeed; }?>
-                </td>
-                <td>
-                    <?php echo $store_val->buynow; ?>
-                </td>
-                <td>
-                    <?php echo $store_val->multiamount; ?>
+                    <?php echo esc_attr($store_val->id); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($store_val->multiname); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($store_val->multisorting); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($store_val->multiorder); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($store_val->layname); ?>
+                </td>
+                <td>
+                    <?php if ($store_val->multixmlfeed == "*"){_e('All Feeds','tradetracker-store');} else { $xmlfeed=$wpdb->get_var("SELECT xmlname FROM ".$ttstorexmltable." where id=".$store_val->multixmlfeed.""); echo esc_attr($xmlfeed); }?>
+                </td>
+                <td>
+                    <?php echo esc_attr($store_val->buynow); ?>
+                </td>
+                <td>
+                    <?php echo esc_attr($store_val->multiamount); ?>
                 </td>
                 <td>
@@ -320 +320 @@
                 </td>
                 <td>
-                    <?php if($store_val->id>"1"){ echo "<a href=\"admin.php?page=tt-store&option=store&function=new&multiid=".$store_val->id."\">".__('Edit','tradetracker-store')."</a>"; } ?>
-                </td>
-                <td>
-                    <?php if($store_val->id>"1"){ echo "<a href=\"admin.php?page=tt-store&option=store&delete=".$store_val->id."\">".__('Delete','tradetracker-store')."</a>"; } ?>
-                </td>
-                <td>
-                    <?php if($store_val->id>"1"){ echo "<a href=\"admin.php?page=tt-store&option=store&function=new&copyid=".$store_val->id."\">".__('Copy','tradetracker-store')."</a>"; } ?>
+                    <?php if($store_val->id>"1"){ echo "<a href=\"admin.php?page=tt-store&option=store&function=new&multiid=".esc_attr($store_val->id)."\">".__('Edit','tradetracker-store')."</a>"; } ?>
+                </td>
+                <td>
+                    <?php if($store_val->id>"1"){ echo "<a href=\"admin.php?page=tt-store&option=store&delete=".esc_attr($store_val->id)."\">".__('Delete','tradetracker-store')."</a>"; } ?>
+                </td>
+                <td>
+                    <?php if($store_val->id>"1"){ echo "<a href=\"admin.php?page=tt-store&option=store&function=new&copyid=".esc_attr($store_val->id)."\">".__('Copy','tradetracker-store')."</a>"; } ?>
                 </td>
             </tr>
@@ -348 +348 @@
 <?php $adminheight = get_option("Tradetracker_adminheight"); ?>
 <div  id="TB_overlay" class="TB_overlayBG"></div>
-<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo $adminwidth; ?>px;">
+<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo esc_attr($adminwidth); ?>px;">
     <div id="ttstorebox">
     <form name="form1" method="post" action="">
@@ -360 +360 @@
             </div>
         </div>
-        <div id="ttstoreboxoptions" style="max-height:<?php echo $adminheight; ?>px;">
-
-        <input type="hidden" name="multiid" value="<?php if(isset($multiid)){ echo $multiid;} ?>">
+        <div id="ttstoreboxoptions" style="max-height:<?php echo esc_attr($adminheight); ?>px;">
+
+        <input type="hidden" name="multiid" value="<?php if(isset($multiid)){ echo esc_attr($multiid);} ?>">
         <?php if(isset($returnpage)){ echo "<input type=\"hidden\" name=\"return\" value=\"item\">"; }?>
-<table width="<?php echo $adminwidth-15; ?>">
+<table width="<?php echo esc_attr($adminwidth)-15; ?>">
     <tr>
         <td>
@@ -372 +372 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_multiname_name; ?>" value="<?php if(isset($Tradetracker_multiname_val)) {echo $Tradetracker_multiname_val;} ?>" size="30"> 
+            <input type="text" name="<?php echo esc_attr($Tradetracker_multiname_name); ?>" value="<?php if(isset($Tradetracker_multiname_val)) {echo esc_attr($Tradetracker_multiname_val);} ?>" size="30"> 
             <?php if(isset($error)){ echo "<font color=\"red\">*</font>"; }?>
             <?php _e('This cannot start with a number','tradetracker-store'); ?>
@@ -384 +384 @@
         </td>
         <td>
-            <select width="200" style="width: 200px" name="<?php echo $Tradetracker_multisorting_name; ?>">
+            <select width="200" style="width: 200px" name="<?php echo esc_attr($Tradetracker_multisorting_name); ?>">
 <?php
         $sorting=array('rand()','price', 'categorie', 'name');
         foreach ($sorting as $sorting_val){
             if(isset($Tradetracker_multisorting_val) && $sorting_val == $Tradetracker_multisorting_val) {
-                echo "<option selected=\"selected\" value=\"".$sorting_val."\">$sorting_val</option>";
+                echo "<option selected=\"selected\" value=\"".esc_attr($sorting_val)."\">$sorting_val</option>";
             } else {
-                echo "<option value=\"".$sorting_val."\">$sorting_val</option>";
+                echo "<option value=\"".esc_attr($sorting_val)."\">$sorting_val</option>";
             }
         }
@@ -406 +406 @@
         </td>
         <td>
-            <select width="200" style="width: 200px" name="<?php echo $Tradetracker_multiorder_name; ?>">
+            <select width="200" style="width: 200px" name="<?php echo esc_attr($Tradetracker_multiorder_name); ?>">
 <?php
         $ordering=array('desc','asc');
         foreach ($ordering as $ordering_val){
             if(isset($Tradetracker_multiorder_val) && $ordering_val == $Tradetracker_multiorder_val) {
-                echo "<option selected=\"selected\" value=\"".$ordering_val."\">$ordering_val</option>";
+                echo "<option selected=\"selected\" value=\"".esc_attr($ordering_val)."\">$ordering_val</option>";
             } else {
-                echo "<option value=\"".$ordering_val."\">$ordering_val</option>";
+                echo "<option value=\"".esc_attr($ordering_val)."\">$ordering_val</option>";
             }
         }
@@ -428 +428 @@
         </td>
         <td>
-            <select width="200" style="width: 200px" name="<?php echo $Tradetracker_multilayout_name; ?>">
+            <select width="200" style="width: 200px" name="<?php echo esc_attr($Tradetracker_multilayout_name); ?>">
 <?php
         $layout=$wpdb->get_results("SELECT id, layname FROM ".$ttstorelayouttable."");
         foreach ($layout as $layout_val){
             if(isset($Tradetracker_multilayout_val) && $layout_val->id == $Tradetracker_multilayout_val) {
-                echo "<option selected=\"selected\" value=\"".$layout_val->id."\">$layout_val->layname</option>";
+                echo "<option selected=\"selected\" value=\"".esc_attr($layout_val->id)."\">$layout_val->layname</option>";
             } else {
-                echo "<option value=\"".$layout_val->id."\">$layout_val->layname</option>";
+                echo "<option value=\"".esc_attr($layout_val->id)."\">$layout_val->layname</option>";
             }
         }
@@ -456 +456 @@
                 </td>
                 <td>
-                    <input type="radio" name="<?php echo $Tradetracker_multiproductpage_name; ?>" <?php if(isset($Tradetracker_multiproductpage_val) && $Tradetracker_multiproductpage_val=="1") {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?> 
+                    <input type="radio" name="<?php echo esc_attr($Tradetracker_multiproductpage_name); ?>" <?php if(isset($Tradetracker_multiproductpage_val) && $Tradetracker_multiproductpage_val=="1") {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?> 
                     <br>
-                    <input type="radio" name="<?php echo $Tradetracker_multiproductpage_name; ?>" <?php if((isset($Tradetracker_multiproductpage_val) && $Tradetracker_multiproductpage_val=="0") || !isset($Tradetracker_multiproductpage_val)){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
+                    <input type="radio" name="<?php echo esc_attr($Tradetracker_multiproductpage_name); ?>" <?php if((isset($Tradetracker_multiproductpage_val) && $Tradetracker_multiproductpage_val=="0") || !isset($Tradetracker_multiproductpage_val)){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
                 </td>
             </tr>
@@ -465 +465 @@
         }
         if (!isset($productpage)){
-                echo "<input type=\"hidden\" name=\"".$Tradetracker_multiproductpage_name."\" value=\"".$Tradetracker_multiproductpage_val."\">";
+                echo "<input type=\"hidden\" name=\"".esc_attr($Tradetracker_multiproductpage_name)."\" value=\"".esc_attr($Tradetracker_multiproductpage_val)."\">";
         }
     }
@@ -477 +477 @@
         </td>
         <td>
-            <select width="200" style="width: 200px" name="<?php echo $Tradetracker_multixmlfeed_name; ?>" onchange="toggleOther();">
+            <select width="200" style="width: 200px" name="<?php echo esc_attr($Tradetracker_multixmlfeed_name); ?>" onchange="toggleOther();">
 <?php
         if(!isset($$Tradetracker_multixmlfeed_val) || $Tradetracker_multixmlfeed_val == "*"){
@@ -488 +488 @@
         foreach ($xmlfeed as $xml) {
             if($Tradetracker_multixmlfeed_val != "*" && $Tradetracker_multixmlfeed_val == $xml->id) {
-                echo "<option selected=\"selected\" value=\"".$xml->id."\">".$xml->xmlname."</option>";
+                echo "<option selected=\"selected\" value=\"".esc_attr($xml->id)."\">".esc_attr($xml->xmlname)."</option>";
             } else {
-                echo "<option value=\"".$xml->id."\">".$xml->xmlname."</option>";
+                echo "<option value=\"".esc_attr($xml->id)."\">".esc_attr($xml->xmlname)."</option>";
             }
         }
@@ -533 +533 @@
                     if(is_serialized($Tradetracker_categories_val)){
                         if(in_array($categorieselect->categorieid, unserialize($Tradetracker_categories_val), true)) {
-                            echo "<input type=\"checkbox\" checked=\"yes\" name=\"".$Tradetracker_categories_name."[]\" value=\"".$categorieselect->categorieid."\" />".$xmlfeedname[$categorieselect->xmlfeed]->xmlname." - ".$categorieselect->categorie."<br />";
+                            echo "<input type=\"checkbox\" checked=\"yes\" name=\"".esc_attr($Tradetracker_categories_name)."[]\" value=\"".esc_attr($categorieselect->categorieid)."\" />".esc_attr($xmlfeedname[$categorieselect->xmlfeed]->xmlname)." - ".esc_attr($categorieselect->categorie)."<br />";
                         } else {
-                            echo "<input type=\"checkbox\" name=\"".$Tradetracker_categories_name."[]\" value=\"".$categorieselect->categorieid."\" />".$xmlfeedname[$categorieselect->xmlfeed]->xmlname." - ".$categorieselect->categorie."<br />";
+                            echo "<input type=\"checkbox\" name=\"".esc_attr($Tradetracker_categories_name)."[]\" value=\"".esc_attr($categorieselect->categorieid)."\" />".esc_attr($xmlfeedname[$categorieselect->xmlfeed]->xmlname)." - ".esc_attr($categorieselect->categorie)."<br />";
                         }
                     } else {
-                        echo "<input type=\"checkbox\" name=\"".$Tradetracker_categories_name."[]\" value=\"".$categorieselect->categorieid."\" />".$xmlfeedname[$categorieselect->xmlfeed]->xmlname." - ".$categorieselect->categorie."<br />";
+                        echo "<input type=\"checkbox\" name=\"".esc_attr($Tradetracker_categories_name)."[]\" value=\"".esc_attr($categorieselect->categorieid)."\" />".esc_attr($xmlfeedname[$categorieselect->xmlfeed]->xmlname)." - ".esc_attr($categorieselect->categorie)."<br />";
                     }
                     echo "</td></tr>";
@@ -562 +562 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_buynow_name; ?>" value="<?php if(isset($Tradetracker_buynow_val)) { echo $Tradetracker_buynow_val; }?>" size="30"> 
+            <input type="text" name="<?php echo esc_attr($Tradetracker_buynow_name); ?>" value="<?php if(isset($Tradetracker_buynow_val)) { echo esc_attr($Tradetracker_buynow_val); }?>" size="30"> 
         </td>
     </tr>
@@ -572 +572 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_multiamount_name; ?>" value="<?php if (!isset($Tradetracker_multiamount_val)) {echo "10"; } else {echo $Tradetracker_multiamount_val;} ?>" size="30">
+            <input type="text" name="<?php echo esc_attr($Tradetracker_multiamount_name); ?>" value="<?php if (!isset($Tradetracker_multiamount_val)) {echo "10"; } else {echo esc_attr($Tradetracker_multiamount_val);} ?>" size="30">
             <?php if(isset($error)){ echo "<font color=\"red\">*</font>"; }?> <?php _e('use 0 if you don\'t want a limit at all','tradetracker-store'); ?>
         </td>
@@ -583 +583 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_multipageamount_name; ?>" value="<?php if (!isset($Tradetracker_multipageamount_val)) {echo "10"; } else {echo $Tradetracker_multipageamount_val;} ?>" size="30">
+            <input type="text" name="<?php echo esc_attr($Tradetracker_multipageamount_name); ?>" value="<?php if (!isset($Tradetracker_multipageamount_val)) {echo "10"; } else {echo esc_attr($Tradetracker_multipageamount_val);} ?>" size="30">
             <?php if(isset($error)){ echo "<font color=\"red\">*</font>"; }?> <?php _e('Use 0 if you want to show all items on 1 page','tradetracker-store'); ?>
         </td>
@@ -597 +597 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_multiminprice_name; ?>" value="<?php if (!isset($Tradetracker_multiminprice_val)) {echo "0"; } else {echo $Tradetracker_multiminprice_val;} ?>" size="30">
+            <input type="text" name="<?php echo esc_attr($Tradetracker_multiminprice_name); ?>" value="<?php if (!isset($Tradetracker_multiminprice_val)) {echo "0"; } else {echo esc_attr($Tradetracker_multiminprice_val);} ?>" size="30">
             <?php if(isset($error)){ echo "<font color=\"red\">*</font>"; }?> <?php _e('use 0 if you don\'t want a pricelimit at all','tradetracker-store'); ?>
         </td>
@@ -608 +608 @@
         </td>
         <td>
-            <input type="text" name="<?php echo $Tradetracker_multimaxprice_name; ?>" value="<?php if (!isset($Tradetracker_multimaxprice_val)) {echo "0"; } else {echo $Tradetracker_multimaxprice_val;} ?>" size="30">
+            <input type="text" name="<?php echo esc_attr($Tradetracker_multimaxprice_name); ?>" value="<?php if (!isset($Tradetracker_multimaxprice_val)) {echo "0"; } else {echo esc_attr($Tradetracker_multimaxprice_val);} ?>" size="30">
             <?php if(isset($error)){ echo "<font color=\"red\">*</font>"; }?> <?php _e('use 0 if you don\'t want a pricelimit at all','tradetracker-store'); ?>
         </td>
     </tr>
 <?php } else {
-        echo "<input type=\"hidden\" name=\"".$Tradetracker_multimaxprice_name."\" value=\"".$Tradetracker_multimaxprice_val."\">";
-        echo "<input type=\"hidden\" name=\"".$Tradetracker_multiminprice_name."\" value=\"".$Tradetracker_multiminprice_val."\">";
+        echo "<input type=\"hidden\" name=\"".esc_attr($Tradetracker_multimaxprice_name)."\" value=\"".esc_attr($Tradetracker_multimaxprice_val)."\">";
+        echo "<input type=\"hidden\" name=\"".esc_attr($Tradetracker_multiminprice_name)."\" value=\"".esc_attr($Tradetracker_multiminprice_val)."\">";
 } ?>
     <tr>
@@ -623 +623 @@
         </td>
         <td>
-            <select width="200" style="width: 200px" name="<?php echo $Tradetracker_multicurrency_name; ?>">
+            <select width="200" style="width: 200px" name="<?php echo esc_attr($Tradetracker_multicurrency_name); ?>">
 <?php
         $currency=array('u20AC','u0024', 'u20a4', 'u007Au0142');
@@ -629 +629 @@
             $curdisplay = str_replace('u','&#x',$currency_val). ";";
             if(isset($Tradetracker_multicurrency_val) && $currency_val == $Tradetracker_multicurrency_val) {
-                echo "<option selected=\"selected\" value=\"".$currency_val."\">$curdisplay </option>";
+                echo "<option selected=\"selected\" value=\"".esc_attr($currency_val)."\">$curdisplay </option>";
             } else {
-                echo "<option value=\"".$currency_val."\">$curdisplay </option>";
+                echo "<option value=\"".esc_attr($currency_val)."\">$curdisplay </option>";
             }
         }
@@ -647 +647 @@
         </td>
         <td>
-            <input type="radio" name="<?php echo $Tradetracker_multilightbox_name; ?>" <?php if(isset($Tradetracker_multilightbox_val) && $Tradetracker_multilightbox_val=="1") {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?> (<a href="http://wordpress.org/extend/plugins/wp-jquery-lightbox/" target="_blank"><?php _e('You will need this plugin','tradetracker-store'); ?></a>)
-        </td>
-    </tr>
-    <tr>
-        <td>
-        </td>
-        <td>
-            <input type="radio" name="<?php echo $Tradetracker_multilightbox_name; ?>" <?php if((isset($Tradetracker_multilightbox_val) && $Tradetracker_multilightbox_val=="0") || !isset($Tradetracker_multilightbox_val)){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
+            <input type="radio" name="<?php echo esc_attr($Tradetracker_multilightbox_name); ?>" <?php if(isset($Tradetracker_multilightbox_val) && $Tradetracker_multilightbox_val=="1") {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?> (<a href="http://wordpress.org/extend/plugins/wp-jquery-lightbox/" target="_blank"><?php _e('You will need this plugin','tradetracker-store'); ?></a>)
+        </td>
+    </tr>
+    <tr>
+        <td>
+        </td>
+        <td>
+            <input type="radio" name="<?php echo esc_attr($Tradetracker_multilightbox_name); ?>" <?php if((isset($Tradetracker_multilightbox_val) && $Tradetracker_multilightbox_val=="0") || !isset($Tradetracker_multilightbox_val)){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
         </td>
     </tr>
@@ -662 +662 @@
             <?php
                 if(isset($saved)){
-                    echo $saved;
+                    echo wp_kses_post($saved);
                 }
                 if(isset($error)){
-                    echo $error;
+                    echo wp_kses_post($error);
                 }
             ?>

tradetracker-store/trunk/menu/xmlfeed.php

@@ -31 +31 @@
         $xmlfile = $xmlfeed->xmlfeed;
         $url = $xmlfile;
-        $permfile = plugin_dir_path( __FILE__ ).".cache/cache.xml";
+        $permfile = TT_STORE_plugipath.".cache/cache.xml";
         $tmpfile = download_url( $url, $timeout = 300 );
         copy( $tmpfile, $permfile );
@@ -48 +48 @@
                     $buffer = stream_get_line($handle, 10000);
                 echo "<br><a href=\"admin.php?page=tt-store&option=xmlfeed\">Back</a>";
-                echo "<br><strong>XMLlink:</strong> ".$xmlfile;
-                echo "<br><strong>XMLname:</strong> ".$xmlfeed->xmlname;
+                echo "<br><strong>XMLlink:</strong> ".esc_attr($xmlfile);
+                echo "<br><strong>XMLname:</strong> ".esc_attr($xmlfeed->xmlname);
                 if(isset($server)){
-                    echo "<br><strong>Server message:</strong> ".$server;
+                    echo "<br><strong>Server message:</strong> ".esc_attr($server);
                 }
                 if(isset($error)){
-                    echo "<br><strong>Possible error:</strong> ".$error;
+                    echo "<br><strong>Possible error:</strong> ".esc_attr($error);
                 }
                 echo "<pre>";               
@@ -77 +77 @@
     if( isset($_POST[ $ttstoresubmit ]) && $_POST[ $ttstoresubmit ] == 'Y' ) {
         if(isset($_POST['xmlfeedid']) && !empty($_POST['xmlfeedid'])){
-            $Tradetracker_xmlid_val = sanitize_text_field($_POST['xmlfeedid']);
-            $Tradetracker_xml_val = sanitize_text_field($_POST['xmlfeed']);
-            $Tradetracker_xmlconv_val = sanitize_text_field($_POST['xmlfeedconv']);
-            $Tradetracker_xmlname_val = sanitize_text_field($_POST['xmlname']); 
-            $Tradetracker_autoimport_val = sanitize_text_field($_POST['autoimport']);
+            $Tradetracker_xmlid_val = ttstore_sanitize($_POST['xmlfeedid']);
+            $Tradetracker_xml_val = ttstore_sanitize($_POST['xmlfeed']);
+            $Tradetracker_xmlconv_val = ttstore_sanitize($_POST['xmlfeedconv']);
+            $Tradetracker_xmlname_val = ttstore_sanitize($_POST['xmlname']);    
+            $Tradetracker_autoimport_val = ttstore_sanitize($_POST['autoimport']);
             if(!empty($Tradetracker_xml_val)){
                 $wpdb->update( 
@@ -111 +111 @@
         } else {
             //get posted data
-            $Tradetracker_xml_val = sanitize_text_field($_POST['xmlfeed']);
-            $Tradetracker_xmlconv_val = sanitize_text_field($_POST['xmlfeedconv']);
-            $Tradetracker_xmlname_val = sanitize_text_field($_POST['xmlname']);
-            $Tradetracker_autoimport_val = sanitize_text_field($_POST['autoimport']);
+            $Tradetracker_xml_val = ttstore_sanitize($_POST['xmlfeed']);
+            $Tradetracker_xmlconv_val = ttstore_sanitize($_POST['xmlfeedconv']);
+            $Tradetracker_xmlname_val = ttstore_sanitize($_POST['xmlname']);
+            $Tradetracker_autoimport_val = ttstore_sanitize($_POST['autoimport']);
             if(!empty($Tradetracker_xml_val)){
                     $currentpage["xmlfeed"]=$Tradetracker_xml_val;
@@ -140 +140 @@
 <?php $adminheight = get_option("Tradetracker_adminheight"); ?>
 <div  id="TB_overlay" class="TB_overlayBG"></div>
-<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo $adminwidth; ?>px;">
+<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo esc_attr($adminwidth); ?>px;">
     <div id="ttstorebox">
     <form name="form1" method="post" action="">
@@ -153 +153 @@
         </div>
         <div id="ttstoreboxoptions" style="max-height:<?php echo $adminheight; ?>px;">
-            <table width="<?php echo $adminwidth-15; ?>">
+            <table width="<?php echo esc_attr($adminwidth)-15; ?>">
             <?php
                 $xmlfeed=$wpdb->get_results("SELECT xmlfeed, xmlname, xmlprovider, autoimport, id FROM ".$ttstorexmltable." order by xmlname");
@@ -186 +186 @@
                     foreach ($xmlfeed as $xml) {
                         echo "<tr><td>";
-                        echo "<a href=\"".$xml->xmlfeed."\">Feed</a>";
-                        echo "</td><td>";
-                        echo $xml->xmlname;
-                        echo "</td><td>";
-                        echo $xml->xmlprovider; 
-                        echo "</td><td>";
-                        echo "<a href=\"admin.php?page=tt-store&option=xmlfeed&edit=".$xml->id."\">".__("Edit","ttstore")."</a>";
-                        echo "</td><td>";
-                        echo "<a href=\"admin.php?page=tt-store&option=xmlfeed&delete=".$xml->id."\">".__("Delete","ttstore")."</a>";
-                        echo "</td><td>";
-                        echo "<a href=\"admin.php?page=tt-store&option=xmlfeed&test=".$xml->id."\">".__("Test","ttstore")."</a>";
+                        echo "<a href=\"".esc_url($xml->xmlfeed)."\">Feed</a>";
+                        echo "</td><td>";
+                        echo esc_attr($xml->xmlname);
+                        echo "</td><td>";
+                        echo esc_attr($xml->xmlprovider);   
+                        echo "</td><td>";
+                        echo "<a href=\"admin.php?page=tt-store&option=xmlfeed&edit=".esc_attr($xml->id)."\">".__("Edit","ttstore")."</a>";
+                        echo "</td><td>";
+                        echo "<a href=\"admin.php?page=tt-store&option=xmlfeed&delete=".esc_attr($xml->id)."\">".__("Delete","ttstore")."</a>";
+                        echo "</td><td>";
+                        echo "<a href=\"admin.php?page=tt-store&option=xmlfeed&test=".esc_attr($xml->id)."\">".__("Test","ttstore")."</a>";
                         echo "</td><td>";
                         if($xml->autoimport == "1"){
@@ -209 +209 @@
                 }
                     ?>
-                <table width="<?php echo $adminwidth-15; ?>">
+                <table width="<?php echo esc_attr($adminwidth)-15; ?>">
                 <tr>
                     <td>
@@ -228 +228 @@
                     $oldfeed = $wpdb->get_row("SELECT xmlfeed, xmlname, xmlprovider, id, autoimport FROM ".$ttstorexmltable." where id='$TTedit'");
                     echo "<tr><td>";
-                    echo "<input type=\"text\" name=\"xmlfeed\" value=\"".$oldfeed->xmlfeed."\" size=\"50\">";
-                    echo "</td><td>";
-                    echo "<input type=\"text\" name=\"xmlname\" value=\"".$oldfeed->xmlname."\" size=\"20\">";
-                    echo "</td><td>";
-                    echo "<input type=\"hidden\" name=\"xmlfeedid\" value=\"".$oldfeed->id."\" size=\"40\">";
+                    echo "<input type=\"text\" name=\"xmlfeed\" value=\"".esc_attr($oldfeed->xmlfeed)."\" size=\"50\">";
+                    echo "</td><td>";
+                    echo "<input type=\"text\" name=\"xmlname\" value=\"".esc_attr($oldfeed->xmlname)."\" size=\"20\">";
+                    echo "</td><td>";
+                    echo "<input type=\"hidden\" name=\"xmlfeedid\" value=\"".esc_attr($oldfeed->id)."\" size=\"40\">";
 
                     if(get_option('tt_premium_provider')=="") {
@@ -241 +241 @@
                         foreach($provider as $providers) {
                             if($providers == $oldfeed->xmlprovider){
-                                echo "<option value=\"".$providers."\" selected=\"selected\">".$providers."</option>";
+                                echo "<option value=\"".esc_attr($providers)."\" selected=\"selected\">".esc_attr($providers)."</option>";
                             } else {
-                                echo "<option value=\"".$providers."\">".$providers."</option>";
+                                echo "<option value=\"".esc_attr($providers)."\">".esc_attr($providers)."</option>";
                             }
                         }
@@ -265 +265 @@
                         $provider = get_option('tt_premium_provider');
                         foreach($provider as $providers) {
-                            echo "<option value=\"".$providers."\">".$providers."</option>";
+                            echo "<option value=\"".esc_attr($providers)."\">".esc_attr($providers)."</option>";
                         }
                         echo "</select>";
@@ -285 +285 @@
             <?php
                 if(isset($saved)){
-                    echo $saved;
+                    echo wp_kses_post($saved);
                 }
             ?>

tradetracker-store/trunk/menu/xmloption.php

@@ -31 +31 @@
 
         //get posted data
-        $Tradetracker_xmlfeedsperupdate_val = sanitize_text_field($_POST[ $Tradetracker_xmlfeedsperupdate_name ]);
-        $Tradetracker_xmlupdate_val = sanitize_text_field($_POST[ $Tradetracker_xmlupdate_name ]);
-        $Tradetracker_currency_val = $_POST[ $Tradetracker_currency_name ];
-        if (is_array($Tradetracker_currency_val)) {
-                    foreach ($Tradetracker_currency_val as &$tag) {
-                        $tag = esc_attr($tag);
-                    }
-                    unset($tag );
-            } else {
-                    $Tradetracker_currency_val = esc_attr($Tradetracker_currency_val);
-            }
-        $Tradetracker_currencyloc_val = $_POST[ $Tradetracker_currencyloc_name ];
-        if (is_array($Tradetracker_currencyloc_val)) {
-                    foreach ($Tradetracker_currencyloc_val as &$tag) {
-                        $tag = esc_attr($tag);
-                    }
-                    unset($tag );
-            } else {
-                    $Tradetracker_currencyloc_val = esc_attr($Tradetracker_currencyloc_val);
-            }
+        $Tradetracker_xmlfeedsperupdate_val = ttstore_sanitize($_POST[ $Tradetracker_xmlfeedsperupdate_name ]);
+        $Tradetracker_xmlupdate_val = ttstore_sanitize($_POST[ $Tradetracker_xmlupdate_name ]);
+        $Tradetracker_currency_val = ttstore_sanitize($_POST[ $Tradetracker_currency_name ]);
+        $Tradetracker_currencyloc_val = ttstore_sanitize($_POST[ $Tradetracker_currencyloc_name ]);
         if(isset($_POST['extra'])){
-            $extraPost = $_POST['extra'];
-            if (is_array($extraPost)) {
-                        foreach ($extraPost as &$tag) { 
-                    $tag = esc_attr($tag);
-                        }
-                        unset($tag );
-                } else {
-                        $extraPost = esc_attr($extraPost);
-                 }
+            $extraPost = ttstore_sanitize($_POST['extra']);
             $Tradetracker_extra_val = $extraPost;
         } else {
@@ -67 +43 @@
         if(isset($_POST['oldcur'])){
             $Tradetracker_newcur_val = "";
-            $a1=$_POST['oldcur']; 
-            if (is_array($a1)) {
-                        foreach ($a1 as &$tag) {    
-                    $tag = esc_attr($tag);
-                        }
-                        unset($tag );
-                } else {
-                        $a1 = esc_attr($a1);
-                 }
-
-            $a2 = $_POST['newcur']; 
-            if (is_array($a2)) {
-                        foreach ($a2 as &$tag) {    
-                    $tag = esc_attr($tag);
-                        }
-                        unset($tag );
-                } else {
-                        $a2 = esc_attr($a2);
-                 }
+            $a1=ttstore_sanitize($_POST['oldcur']); 
+            $a2 = ttstore_sanitize($_POST['newcur']); 
             $Tradetracker_newcur_val = array_combine($a1,$a2);
         } else {
@@ -119 +78 @@
 <?php $adminheight = get_option("Tradetracker_adminheight"); ?>
 <div  id="TB_overlay" class="TB_overlayBG"></div>
-<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo $adminwidth; ?>px;">
+<div id="TB_window1" style="left: auto;margin-left: auto;margin-right: auto; margin-top: 0;right: auto;top: 48px;visibility: visible;z-index:100051;width: <?php echo esc_attr($adminwidth); ?>px;">
     <div id="ttstorebox">
     <form name="form1" method="post" action="">
@@ -131 +90 @@
             </div>
         </div>
-        <div id="ttstoreboxoptions" style="max-height:<?php echo $adminheight; ?>px;">
-            <table width="<?php echo $adminwidth-15; ?>">
+        <div id="ttstoreboxoptions" style="max-height:<?php echo esc_attr($adminheight); ?>px;">
+            <table width="<?php echo esc_attr($adminwidth)-15; ?>">
                 <tr>
                     <td>
@@ -156 +115 @@
                             if(!empty($Tradetracker_extra_val)){
                                 if(in_array($extraselect[extrafield], $Tradetracker_extra_val, true)) {
-                                    echo "<input type=\"checkbox\" checked=\"yes\" name=\"extra[]\" value=\"".$extraselect[extrafield]."\" />".$extraselect[extrafield]."<br />";
+                                    echo "<input type=\"checkbox\" checked=\"yes\" name=\"extra[]\" value=\"".esc_attr($extraselect[extrafield])."\" />".esc_attr($extraselect[extrafield])."<br />";
                                 } else {
-                                    echo "<input type=\"checkbox\" name=\"extra[]\" value=\"".$extraselect[extrafield]."\" />".$extraselect[extrafield]."<br />";
+                                    echo "<input type=\"checkbox\" name=\"extra[]\" value=\"".esc_attr($extraselect[extrafield])."\" />".esc_attr($extraselect[extrafield])."<br />";
                                 }
                             } else {
-                                    echo "<input type=\"checkbox\" name=\"extra[]\" value=\"".$extraselect[extrafield]."\" />".$extraselect[extrafield]."<br />";
+                                    echo "<input type=\"checkbox\" name=\"extra[]\" value=\"".esc_attr($extraselect[extrafield])."\" />".esc_attr($extraselect[extrafield])."<br />";
                             }
                             if($i=="1"){
@@ -183 +142 @@
                     </td>
                     <td>
-                        <input type="text" name="<?php echo $Tradetracker_xmlupdate_name; ?>" value="<?php if($Tradetracker_xmlupdate_val==""){ echo "00:00:00"; } else { echo $Tradetracker_xmlupdate_val;} ?>" size="20"> <?php _e('Time has to be in hh:mm:ss','tradetracker-store'); ?>
+                        <input type="text" name="<?php echo esc_attr($Tradetracker_xmlupdate_name); ?>" value="<?php if($Tradetracker_xmlupdate_val==""){ echo "00:00:00"; } else { echo esc_attr($Tradetracker_xmlupdate_val);} ?>" size="20"> <?php _e('Time has to be in hh:mm:ss','tradetracker-store'); ?>
                     </td>
                 </tr>
@@ -193 +152 @@
                     </td>
                     <td>
-                        <input type="text" name="<?php echo $Tradetracker_xmlfeedsperupdate_name; ?>" value="<?php if($Tradetracker_xmlfeedsperupdate_val==""){ echo "0"; } else { echo $Tradetracker_xmlfeedsperupdate_val;} ?>" size="20"> <?php _e('0 if you want it to go through all feeds, else it will import x amount of feeds every 10 minutes till all feeds are imported','tradetracker-store'); ?>
+                        <input type="text" name="<?php echo esc_attr($Tradetracker_xmlfeedsperupdate_name); ?>" value="<?php if($Tradetracker_xmlfeedsperupdate_val==""){ echo "0"; } else { echo esc_attr($Tradetracker_xmlfeedsperupdate_val);} ?>" size="20"> <?php _e('0 if you want it to go through all feeds, else it will import x amount of feeds every 10 minutes till all feeds are imported','tradetracker-store'); ?>
                     </td>
                 </tr>
@@ -203 +162 @@
             </td>
             <td>
-                <input type="radio" name="<?php echo $Tradetracker_currency_name; ?>" <?php if($Tradetracker_currency_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
+                <input type="radio" name="<?php echo esc_attr($Tradetracker_currency_name); ?>" <?php if($Tradetracker_currency_val==1) {echo "checked";} ?> value="1"> <?php _e('Yes','tradetracker-store'); ?>
                 <br>
-                <input type="radio" name="<?php echo $Tradetracker_currency_name; ?>" <?php if($Tradetracker_currency_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
+                <input type="radio" name="<?php echo esc_attr($Tradetracker_currency_name); ?>" <?php if($Tradetracker_currency_val==0){echo "checked";} ?> value="0"> <?php _e('No','tradetracker-store'); ?>
             </td>
         </tr>
@@ -215 +174 @@
             </td>
             <td>
-                <input type="radio" name="<?php echo $Tradetracker_currencyloc_name; ?>" <?php if($Tradetracker_currencyloc_val==1) {echo "checked";} ?> value="1"> <?php _e('After the price','tradetracker-store'); ?>
+                <input type="radio" name="<?php echo esc_attr($Tradetracker_currencyloc_name); ?>" <?php if($Tradetracker_currencyloc_val==1) {echo "checked";} ?> value="1"> <?php _e('After the price','tradetracker-store'); ?>
                 <br>
-                <input type="radio" name="<?php echo $Tradetracker_currencyloc_name; ?>" <?php if($Tradetracker_currencyloc_val==0){echo "checked";} ?> value="0"> <?php _e('Before the price','tradetracker-store'); ?>
+                <input type="radio" name="<?php echo esc_attr($Tradetracker_currencyloc_name); ?>" <?php if($Tradetracker_currencyloc_val==0){echo "checked";} ?> value="0"> <?php _e('Before the price','tradetracker-store'); ?>
             </td>
         </tr>
@@ -252 +211 @@
                 <tr>
                     <td>
-                        <input type="text" readonly="readonly" name="oldcur[<?php echo $i; ?>]" value="<?php echo $currency_val->currency; ?>">
-                    </td>
-                    <td>
-                        <input type="text" name="newcur[<?php echo $i; ?>]" value="<?php echo $array[$key]; ?>">                        
+                        <input type="text" readonly="readonly" name="oldcur[<?php echo esc_attr($i); ?>]" value="<?php echo esc_attr($currency_val->currency); ?>">
+                    </td>
+                    <td>
+                        <input type="text" name="newcur[<?php echo esc_attr($i); ?>]" value="<?php echo esc_attr($array[$key]); ?>">                        
                     </td>
                 </tr>
@@ -268 +227 @@
             <?php
                 if(isset($saved)){
-                    echo $saved;
+                    echo wp_kses_post($saved);
                 }
             ?>

tradetracker-store/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 4
 Tested up to: 5.7.2
-Stable tag: 4.6.59
+Stable tag: 4.6.60
 
 A plugin that lets you import an XML productfeed from TradeTracker. 
@@ -42 +42 @@
 
 == Changelog ==
+= 4.6.60 =
+- Escaped all echo's of variables
+
 = 4.6.59 =
 - Rewrote the importer to fully rely on the download function within Wordpress instead of Curl

tradetracker-store/trunk/tinymce/tinyTT.php

@@ -81 +81 @@
     $storeoverview=$wpdb->get_results("SELECT id, multiname FROM ".$ttstoremultitable."");
     foreach ($storeoverview as $store_val){
-        echo "<option value=\"".$store_val->id."\">".$store_val->multiname."</option>";
+        echo "<option value=\"".esc_attr($store_val->id)."\">".esc_attr($store_val->multiname)."</option>";
     }
 ?>

tradetracker-store/trunk/upgrading.php

@@ -352 +352 @@
         $file = $Tradetracker_xml_val;
         foreach($file as $key => $value) {
-            echo "<tr><td>";
             if($key !=""){
                 $wpdb->insert( 

tradetracker-store/trunk/widget/widget.php

@@ -61 +61 @@
                 foreach ($storeoverview as $store_val){
                     if($instance['TT_number']==$store_val->id){
-                        echo "<option value=\"".$store_val->id."\" selected=\"selected\">".$store_val->multiname."</option>";
+                        echo "<option value=\"".esc_attr($store_val->id)."\" selected=\"selected\">".esc_attr($store_val->multiname)."</option>";
                     } else {
-                        echo "<option value=\"".$store_val->id."\">".$store_val->multiname."</option>";
+                        echo "<option value=\"".esc_attr($store_val->id)."\">".esc_attr($store_val->multiname)."</option>";
                     }
                 }