
Changeset 2664933


Timestamp:
01/25/2022 08:05:16 PM (3 years ago)
Author:
StatCounter
Message:

Added additional sanitation to prevent XSS attacks

Location:
official-statcounter-plugin-for-wordpress/trunk
Files:
2 edited

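--- a/official-statcounter-plugin-for-wordpress/trunk/StatCounter-Wordpress-Plugin.php
+++ b/official-statcounter-plugin-for-wordpress/trunk/StatCounter-Wordpress-Plugin.php
@@ -2,5 +2,5 @@
 /*
  * Plugin Name: Official StatCounter Plugin
- * Version: 2.0.6
+ * Version: 2.0.7
  * Plugin URI: http://statcounter.com/
  * Description: Adds the StatCounter tracking code to your blog. <br>To get setup: 1) Activate this plugin  2) Enter your StatCounter Project ID and Security Code in the <a href="options-general.php?page=StatCounter-Wordpress-Plugin.php"><strong>options page</strong></a>.
@@ -74,16 +74,34 @@
 
         // Update the Project ID
-        $sc_project = trim($_POST[key_sc_project]);
-        if ($sc_project == '') {
-            $sc_project = sc_project_default;
-        }
-        update_option(key_sc_project, $sc_project);
+        $sc_project = sanitize_text_field(trim($_POST[key_sc_project]));
+        if (ctype_digit($sc_project) == 0) {
+            echo "<script>alert('Project ID should be numbers only')</script>";
+        } else {
+            if ($sc_project == '') {
+                $sc_project = sc_project_default;
+            }
+            if (strlen($sc_project) > 16) {
+                echo "<script>alert('Project ID is invalid')</script>";
+            } else {
+                update_option(key_sc_project, $sc_project);
+            }
+        }
 
         // Update the Security ID
-        $sc_security = trim($_POST[key_sc_security]);
-        if ($sc_security =='') {
-            $sc_security = sc_security_default;
-        }
-        update_option(key_sc_security, $sc_security);
+        $sc_security = sanitize_text_field(trim($_POST[key_sc_security]));
+        $sc_security = str_replace('"', '', $sc_security);
+        $sc_security = stripslashes($sc_security);
+        if (ctype_alnum(trim($sc_security, '"')) == 0) {
+            echo "<script>alert('Security code should be numbers and letters only')</script>";
+        } else {
+            if ($sc_security =='') {
+                $sc_security = sc_security_default;
+            }
+            if (strlen($sc_security) > 16) {
+                echo "<script>alert('Security code is invalid')</script>";
+            } else {
+                update_option(key_sc_security, $sc_security);
+            }
+        }
 
         // Update the position
@@ -227,6 +245,6 @@
         <script>
             <!--
-            var sc_project=<?php echo $sc_project; ?>;
-            var sc_security="<?php echo $sc_security; ?>";
+            var sc_project=<?php echo esc_html($sc_project); ?>;
+            var sc_security="<?php echo esc_html($sc_security); ?>";
             <?php
             if($sc_invisible==1) {
@@ -259,5 +277,5 @@
             }
         }?>
-        <noscript><div class="statcounter"><a title="web analytics" href="<?php echo $protocol; ?>//statcounter.com/"><img class="statcounter" src="<?php echo $protocol; ?>//c.statcounter.com/<?php echo $sc_project; ?>/0/<?php echo $sc_security; ?>/<?php echo $sc_invisible; ?>/" alt="web analytics" /></a></div></noscript>
+        <noscript><div class="statcounter"><a title="web analytics" href="<?php echo $protocol; ?>//statcounter.com/"><img class="statcounter" src="<?php echo $protocol; ?>//c.statcounter.com/<?php echo esc_html($sc_project); ?>/0/<?php echo $sc_security; ?>/<?php echo $sc_invisible; ?>/" alt="web analytics" /></a></div></noscript>
         <!-- End of StatCounter Code -->
         <?php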
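Review bot: In the noscript fallback of the last hunk only `$sc_project` is wrapped in esc_html(); `$sc_security` and `$sc_invisible` are still echoed raw into the img src attribute, even though `$sc_security` was escaped two hunks earlier in the script block, and for an attribute context the matching helper is esc_attr(), e.g. `/0/<?php echo esc_attr($sc_security); ?>/<?php echo esc_attr($sc_invisible); ?>/`. In the script block, esc_html() only encodes HTML metacharacters, so an option value stored before this validation was added could still reach the JavaScript statement unchanged; `var sc_project=<?php echo absint($sc_project); ?>;` for the unquoted numeric literal and `var sc_security="<?php echo esc_js($sc_security); ?>";` for the quoted string match the contexts they are emitted in. In the validation hunk, ctype_digit('') and ctype_alnum('') both return false, so an empty submission is rejected with the "numbers only" alert and the `== ''` default branches underneath can never run; if the default is still intended, test for '' before the ctype check. Both `$_POST` reads also lack an isset() guard and raise an undefined-index notice when the field is absent. The function enclosing the validation hunk starts outside the shown lines.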
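--- a/official-statcounter-plugin-for-wordpress/trunk/readme.txt
+++ b/official-statcounter-plugin-for-wordpress/trunk/readme.txt
@@ -4,6 +4,6 @@
 Tags: web, statistics, stats, hit, counter, visitor, ip, tracker, analytics
 Requires at least: 2.0.2
-Tested up to: 5.7
-Stable tag: 2.0.6
+Tested up to: 5.8.3
+Stable tag: 2.0.7
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -70,4 +70,7 @@
 
 == Changelog ==
+= 2.0.7 =
+Added additional sanitation to prevent XSS attacks
+
 = 2.0.6 =
 Readme fix
@@ -142,4 +145,7 @@
 == Upgrade Notice ==
 
+= 2.0.7 =
+Added additional sanitation to prevent XSS attacks
+
 = 1.6.9 =
 Fixed small bug with form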