Changeset 2681715

Timestamp:

02/19/2022 09:15:03 AM (4 years ago)

Author:

frier

Message:

20220219 update

Location:

books-papers

Files:

• tags/0.20210223 (added)
• tags/0.20210223/README.md (added)
• tags/0.20210223/books-n-papers.php (added)
• tags/0.20210223/classes (added)
• tags/0.20210223/classes/.gitkeep (added)
• tags/0.20210223/classes/article.php (added)
• tags/0.20210223/classes/author.php (added)
• tags/0.20210223/classes/book.php (added)
• tags/0.20210223/classes/bridge.php (added)
• tags/0.20210223/classes/conference.php (added)
• tags/0.20210223/classes/functions (added)
• tags/0.20210223/classes/functions/bridge-replace_pub_updated.php (added)
• tags/0.20210223/classes/functions/bridge-replace_publications.php (added)
• tags/0.20210223/classes/item.php (added)
• tags/0.20210223/js (added)
• tags/0.20210223/js/.gitkeep (added)
• tags/0.20210223/js/append.js (added)
• tags/0.20210223/js/appendPapers.js (added)
• tags/0.20210223/js/authorSelection.js (added)
• tags/0.20210223/js/authorSelectionPaper.js (added)
• tags/0.20210223/js/help.js (added)
• tags/0.20210223/js/readFile.js (added)
• tags/0.20210223/js/stickyScroll.js (added)
• tags/0.20210223/js/typeSelect.js (added)
• tags/0.20210223/pages (added)
• tags/0.20210223/pages/.gitkeep (added)
• tags/0.20210223/pages/add-author-page.php (added)
• tags/0.20210223/pages/add-paper-page.php (added)
• tags/0.20210223/pages/import-data-page.php (added)
• tags/0.20210223/pages/loadAnimation.php (added)
• tags/0.20210223/pages/manage-author-page.php (added)
• tags/0.20210223/pages/manage-papers-page.php (added)
• tags/0.20210223/pages/settings-page.php (added)
• tags/0.20210223/pages/style.css (added)
• tags/0.20210223/pages/title-page.php (added)
• tags/0.20210223/readme.txt (added)
• trunk/books-n-papers.php (modified) (39 diffs)
• trunk/readme.txt (modified) (3 diffs)

books-papers/trunk/books-n-papers.php

@@ -3 +3 @@
 Plugin Name: Books & Papers
 Plugin URI: 
-Version: 0.20210223
+Version: 0.20220219
 Author: Research in Theory of Magnetism Department of Taras Shevchenko National University of Kyiv
 Author_URI: http://ritm.knu.ua/
@@ -115 +115 @@
     {
         include(bnpp_plugin_dir . "./pages/add-author-page.php");
-        if(isset($_POST['firstName'])&&isset($_POST['lastName'])&& check_admin_referer('bnp_add_author') && current_user_can('publish_pages')) //checks vital inputs for author creation
+        if(isset($_POST['firstName'])&&isset($_POST['lastName'])&& check_admin_referer('bnp_add_author') && current_user_can('publish_pages') && !preg_match("/[\"'*?<>|]$/", $_POST["firstName"]) && !preg_match("/[\"'*?<>|]$/", $_POST["lastName"])) //checks vital inputs for author creation
         {
             $author = new BNPP_Author($this->dbAuthors); //creates author object and fills data fields
             $author->firstName = sanitize_text_field($_POST['firstName']);
             $author->lastName = sanitize_text_field($_POST['lastName']);
-            $author->email = sanitize_email($_POST['email']);
-            $author->personalUrl = sanitize_text_field($_POST['url']);
-            $author->slug = sanitize_text_field($_POST['slug']);
+            if(!preg_match("/[\"'*?<>|]$/", $_POST["email"])){
+                $author->email = sanitize_email($_POST['email']);
+            }
+            if(!preg_match("/[\"'*?<>|]$/", $_POST["url"])){
+                $author->personalUrl = sanitize_text_field($_POST['url']);
+            }
+            if(!preg_match("/[\"'*?<>|]$/", $_POST["slug"])){
+                $author->personalUrl = sanitize_text_field($_POST['slug']);
+            }
             $author->InsertAuthorInfo(); //calls author creation function
             $timeout = get_option('bnpp_timeout_step') * 100;
-            //echo "<script>window.onload = function () { document.getElementById('success').innerHTML = 'Author $author->firstName $author->lastName was added.';setTimeout(function() {window.location=document.location.href;},$timeout);  } </script>";
         }
     }
@@ -154 +159 @@
             } else if(sanitize_text_field($_POST["checkManage"])=="update") //checks if modification call was recieved
             {
-                $sql = $wpdb->prepare("UPDATE $this->dbAuthors SET first_name = %s, last_name = %s, email = %s, personal_url = %s, slug = %s WHERE (id = %d)", array(sanitize_text_field($_POST["firstName"]), sanitize_text_field($_POST["lastName"]), sanitize_email($_POST["email"]), sanitize_text_field($_POST["url"]), sanitize_text_field($_POST["slug"]), sanitize_text_field($_POST["authorID"]))); //updates author data in table
-                $wpdb->query($sql);
+                if(!preg_match("/[\"'*?<>|]$/", $_POST["firstName"]) && !preg_match("/[\"'*?<>|]$/", $_POST["lastName"])){
+                    $sql = $wpdb->prepare("UPDATE $this->dbAuthors SET first_name = %s, last_name = %s, email = %s, personal_url = %s, slug = %s WHERE (id = %d)", array(sanitize_text_field($_POST["firstName"]), sanitize_text_field($_POST["lastName"]), (!preg_match("/[\"'*?<>|]$/", $_POST["email"]) ? sanitize_email($_POST["email"]) : ""), (!preg_match("/[\"'*?<>|]$/", $_POST["url"]) ? sanitize_text_field($_POST["url"]) : ""), (!preg_match("/[\"'*?<>|]$/", $_POST["slug"]) ? sanitize_text_field($_POST["slug"]) : ""), sanitize_text_field($_POST["authorID"]))); //updates author data in table
+                    $wpdb->query($sql);
+                }
                 echo "<script>window.onload = function () { document.getElementById('success').innerHTML = 'Author " . sanitize_text_field($_POST['authorID']) . " has been updated.';setTimeout(function() {window.location=document.location.href;},$timeout); }</script>";
             }
@@ -179 +186 @@
             echo "<script>window.location=document.location.href;</script>";
         }
-        if(isset($_POST["promote"])&& check_admin_referer('bnp_promote_authors') && current_user_can('publish_pages'))
+        if(isset($_POST["promote"])&& check_admin_referer('bnp_promote_authors') && current_user_can('publish_pages') && !preg_match("/[\"'*?<>|]$/", $_POST["firstName"]) && !preg_match("/[\"'*?<>|]$/", $_POST["lastName"]))
         {
             $author = new BNPP_Author($this->dbAuthors); //creates author object and fills data fields
             $author->firstName = sanitize_text_field($_POST['firstName']);
             $author->lastName = sanitize_text_field($_POST['lastName']);
-            $author->email = sanitize_email($_POST['email']);
-            $author->personalUrl = sanitize_text_field($_POST['url']);
-            $author->slug = sanitize_text_field($_POST['slug']);
+            if(!preg_match("/[\"'*?<>|]$/", $_POST["email"])){
+                $author->email = sanitize_email($_POST['email']);
+            }
+            if(!preg_match("/[\"'*?<>|]$/", $_POST["url"])){
+                $author->personalUrl = sanitize_text_field($_POST['url']);
+            }
+            if(!preg_match("/[\"'*?<>|]$/", $_POST["slug"])){
+                $author->personalUrl = sanitize_text_field($_POST['slug']);
+            }
             $author->InsertAuthorInfo(); //calls author creation function
             $newAuthor = $wpdb->get_results("SELECT * FROM $this->dbAuthors ORDER BY id DESC LIMIT 1");
@@ -212 +225 @@
             echo "<script>window.onload = function () { document.getElementById('success').innerHTML = 'Author $author->firstName $author->lastName was added.';setTimeout(function() {window.location=document.location.href;},$timeout);  } </script>";
         }
+    }
+    
+    function clean_input($text_input){ //cleans input text data from prohibited symbols
+        if(preg_match("/[\"'*<>|]$/", $text_input)){
+            $to_replace = array("'", "\"", "*", "<", ">", "|", "\\");
+            $text_input = str_replace($to_replace, "", $text_input);
+        }
+        return $text_input;
     }
     
@@ -261 +282 @@
                 $fileName = "";
                 if(isset($_POST["file_m"]) && sanitize_text_field($_POST["file_m"])!="")
-                    $fileName = sanitize_text_field($_POST["file_m"]);
+                    $fileName = $this->clean_input(sanitize_text_field($_POST["file_m"]));
                 else
                     $fileName = sanitize_mime_type($_FILES['file']['name']);
-                $this->bridge->addArticle(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), sanitize_text_field($_POST["pages"]), sanitize_text_field($_POST["doi"]), sanitize_text_field($_POST["url"]), sanitize_text_field($_POST["issn"]), sanitize_text_field($_POST["supp"]), $fileName, sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), sanitize_text_field($_POST["arxiv"]), $this->bridge->checkJournal(sanitize_text_field($_POST["journal"])), sanitize_text_field($_POST["volume"]), sanitize_text_field($_POST["issue"]), $char1val, $char2val, $char3val, sanitize_text_field($_POST["preprint"])); //writes article data in table
+                $this->bridge->addArticle(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), $this->clean_input(sanitize_text_field($_POST["pages"])), $this->clean_input(sanitize_text_field($_POST["doi"])), $this->clean_input(sanitize_text_field($_POST["url"])), $this->clean_input(sanitize_text_field($_POST["issn"])), $this->clean_input(sanitize_text_field($_POST["supp"])), $fileName, sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), $this->clean_input(sanitize_text_field($_POST["arxiv"])), $this->bridge->checkJournal($this->clean_input(sanitize_text_field($_POST["journal"]))), sanitize_text_field($_POST["volume"]), sanitize_text_field($_POST["issue"]), $char1val, $char2val, $char3val, sanitize_text_field($_POST["preprint"])); //writes article data in table
                 $art_id;
                 $data = $wpdb->get_results("SELECT id FROM " . $this->dbArticles . " ORDER By id DESC LIMIT 1"); //gets id of previously created article
@@ -275 +296 @@
                     if(isset($_POST["author" . $k]))
                     { //relates every author with article
-                        $this->bridge->addArticleAuthor($this->bridge->checkAuthor(sanitize_text_field($_POST["author" . $k])), $art_id);
+                        $this->bridge->addArticleAuthor($this->bridge->checkAuthor($this->clean_input(sanitize_text_field($_POST["author" . $k]))), $art_id);
                     }
                 }
@@ -282 +303 @@
                     if(isset($_POST["tag" . $k]))
                     { //relates every tag with article
-                        $this->bridge->addArticleTag($this->bridge->checkTag(sanitize_text_field($_POST["tag" . $k])), $art_id);
+                        $this->bridge->addArticleTag($this->bridge->checkTag($this->clean_input(sanitize_text_field($_POST["tag" . $k]))), $art_id);
                     }
                 }
@@ -308 +329 @@
                 $fileName = "";
                 if(isset($_POST["file_m"]) && sanitize_text_field($_POST["file_m"])!="")
-                    $fileName = sanitize_text_field($_POST["file_m"]);
+                    $fileName = $this->clean_input(sanitize_text_field($_POST["file_m"]));
                 else
                     $fileName = sanitize_mime_type($_FILES['file']['name']);
-                $this->bridge->addConference(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), sanitize_text_field($_POST["pages"]), sanitize_text_field($_POST["doi"]), sanitize_text_field($_POST["url"]), sanitize_text_field($_POST["issn"]), sanitize_text_field($_POST["supp"]), $fileName, sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), sanitize_text_field($_POST["arxiv"]), sanitize_text_field($_POST["bookTitle"]), sanitize_text_field($_POST["confPages"]), $char1val, $char2val, $char3val); //writes conference data in table
+                $this->bridge->addConference(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), $this->clean_input(sanitize_text_field($_POST["pages"])), $this->clean_input(sanitize_text_field($_POST["doi"])), $this->clean_input(sanitize_text_field($_POST["url"])), $this->clean_input(sanitize_text_field($_POST["issn"])), $this->clean_input(sanitize_text_field($_POST["supp"])), $fileName, sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), $this->clean_input(sanitize_text_field($_POST["arxiv"])), sanitize_text_field($_POST["bookTitle"]), $this->clean_input(sanitize_text_field($_POST["confPages"])), $char1val, $char2val, $char3val); //writes conference data in table
                 $art_id;
                 $data = $wpdb->get_results("SELECT id FROM " . $this->dbConferences . " ORDER By id DESC LIMIT 1"); //gets id of previously created conference
@@ -322 +343 @@
                     if(isset($_POST["author" . $k]))
                     { //relates every author with conference
-                        $this->bridge->addConferenceAuthor($this->bridge->checkAuthor(sanitize_text_field($_POST["author" . $k])), $art_id);
+                        $this->bridge->addConferenceAuthor($this->bridge->checkAuthor($this->clean_input(sanitize_text_field($_POST["author" . $k]))), $art_id);
                     }
                 }
@@ -329 +350 @@
                     if(isset($_POST["tag" . $k]))
                     { //relates every tag with conference
-                        $this->bridge->addConferenceTag($this->bridge->checkTag(sanitize_text_field($_POST["tag" . $k])), $art_id);
+                        $this->bridge->addConferenceTag($this->bridge->checkTag($this->clean_input(sanitize_text_field($_POST["tag" . $k]))), $art_id);
                     }
                 }
@@ -355 +376 @@
                 $fileName = "";
                 if(isset($_POST["file_m"]) && sanitize_text_field($_POST["file_m"])!="")
-                    $fileName = sanitize_text_field($_POST["file_m"]);
+                    $fileName = $this->clean_input(sanitize_text_field($_POST["file_m"]));
                 else
                     $fileName = sanitize_mime_type($_FILES['file']['name']);
-                $this->bridge->addBook(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), sanitize_text_field($_POST["pages"]), sanitize_text_field($_POST["doi"]), sanitize_text_field($_POST["url"]), sanitize_text_field($_POST["issn"]), sanitize_text_field($_POST["supp"]), $fileName, sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), sanitize_text_field($_POST["arxiv"]), sanitize_text_field($_POST["publisher"]), sanitize_text_field($_POST["chapter"]), sanitize_text_field($_POST["isbn"]), $char1val, $char2val, $char3val); //writes book data in table
+                $this->bridge->addBook(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), $this->clean_input(sanitize_text_field($_POST["pages"])), $this->clean_input(sanitize_text_field($_POST["doi"])), $this->clean_input(sanitize_text_field($_POST["url"])), $this->clean_input(sanitize_text_field($_POST["issn"])), $this->clean_input(sanitize_text_field($_POST["supp"])), $fileName, sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), $this->clean_input(sanitize_text_field($_POST["arxiv"])), $this->clean_input(sanitize_text_field($_POST["publisher"])), $this->clean_input(sanitize_text_field($_POST["chapter"])), $this->clean_input(sanitize_text_field($_POST["isbn"])), $char1val, $char2val, $char3val); //writes book data in table
                 $art_id;
                 $data = $wpdb->get_results("SELECT id FROM " . $this->dbBooks . " ORDER By id DESC LIMIT 1"); //gets id of previously created book
@@ -369 +390 @@
                     if(isset($_POST["author" . $k]))
                     { //relates every author with book
-                        $this->bridge->addBookAuthor($this->bridge->checkAuthor(sanitize_text_field($_POST["author" . $k])), $art_id);
+                        $this->bridge->addBookAuthor($this->bridge->checkAuthor($this->clean_input(sanitize_text_field($_POST["author" . $k]))), $art_id);
                     }
                 }
@@ -376 +397 @@
                     if(isset($_POST["editor" . $k]))
                     { //relates every editor with book
-                        $this->bridge->addBookEditor($this->bridge->checkAuthor(sanitize_text_field($_POST["editor" . $k])), $art_id);
+                        $this->bridge->addBookEditor($this->bridge->checkAuthor($this->clean_input(sanitize_text_field($_POST["editor" . $k]))), $art_id);
                     }
                 }
@@ -383 +404 @@
                     if(isset($_POST["tag" . $k]))
                     { //relates every tag with book
-                        $this->bridge->addBookTag($this->bridge->checkTag(sanitize_text_field($_POST["tag" . $k])), $art_id);
+                        $this->bridge->addBookTag($this->bridge->checkTag($this->clean_input(sanitize_text_field($_POST["tag" . $k]))), $art_id);
                     }
                 }
@@ -451 +472 @@
                         if(isset($_POST["author" . $k]) && sanitize_text_field($_POST["author" . $k])!="")
                         { //creates new relations between article and authors
-                            $this->bridge->addArticleAuthor($this->bridge->checkAuthor(sanitize_text_field($_POST["author" . $k])), sanitize_text_field($_POST['articleID']));
+                            $this->bridge->addArticleAuthor($this->bridge->checkAuthor($this->clean_input(sanitize_text_field($_POST["author" . $k]))), sanitize_text_field($_POST['articleID']));
                         }
                     }
@@ -459 +480 @@
                         if(isset($_POST["tag" . $k]) && sanitize_text_field($_POST["tag" . $k])!="")
                         { //creates new relations between article and tags
-                            $this->bridge->addArticleTag($this->bridge->checkTag(sanitize_text_field($_POST["tag" . $k])), sanitize_text_field($_POST['articleID']));
+                            $this->bridge->addArticleTag($this->bridge->checkTag($this->clean_input(sanitize_text_field($_POST["tag" . $k]))), sanitize_text_field($_POST['articleID']));
                         }
                     }
@@ -479 +500 @@
                     $fileName = "";
                     if(isset($_POST["file_m"]) && sanitize_text_field($_POST["file_m"])!="")
-                        $fileName = sanitize_text_field($_POST["file_m"]);
+                        $fileName = $this->clean_input(sanitize_text_field($_POST["file_m"]));
                     else
                         $fileName = sanitize_mime_type($_FILES['file']['name']);
-                    $this->bridge->manageArticle(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), sanitize_text_field($_POST["pages"]), sanitize_text_field($_POST["doi"]), sanitize_text_field($_POST["url"]), sanitize_text_field($_POST["issn"]), sanitize_text_field($_POST["supp"]), $fileName, sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), sanitize_text_field($_POST["arxiv"]), $this->bridge->checkJournal(sanitize_text_field($_POST["journal"])), sanitize_text_field($_POST["volume"]), sanitize_text_field($_POST["issue"]), sanitize_text_field($_POST["articleID"]), $char1val, $char2val, $char3val, sanitize_text_field($_POST["preprint"]));
+                    $this->bridge->manageArticle(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), $this->clean_input(sanitize_text_field($_POST["pages"])), $this->clean_input(sanitize_text_field($_POST["doi"])), $this->clean_input(sanitize_text_field($_POST["url"])), $this->clean_input(sanitize_text_field($_POST["issn"])), $this->clean_input(sanitize_text_field($_POST["supp"])), $fileName, sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), $this->clean_input(sanitize_text_field($_POST["arxiv"])), $this->bridge->checkJournal($this->clean_input(sanitize_text_field($_POST["journal"]))), sanitize_text_field($_POST["volume"]), sanitize_text_field($_POST["issue"]), sanitize_text_field($_POST["articleID"]), $char1val, $char2val, $char3val, sanitize_text_field($_POST["preprint"]));
                     if(isset($_FILES['file']) && sanitize_mime_type($_FILES['file']['name']) != "")
                     {
@@ -521 +542 @@
                         if(isset($_POST["author" . $k]) && sanitize_text_field($_POST["author" . $k])!="")
                         {
-                            $this->bridge->addConferenceAuthor($this->bridge->checkAuthor(sanitize_text_field($_POST["author" . $k])), sanitize_text_field($_POST['articleID']));
+                            $this->bridge->addConferenceAuthor($this->bridge->checkAuthor($this->clean_input(sanitize_text_field($_POST["author" . $k]))), sanitize_text_field($_POST['articleID']));
                         }
                     }
@@ -529 +550 @@
                         if(isset($_POST["tag" . $k]) && sanitize_text_field($_POST["tag" . $k])!="")
                         { //creates new relations between conference and tags
-                            $this->bridge->addConferenceTag($this->bridge->checkTag(sanitize_text_field($_POST["tag" . $k])), sanitize_text_field($_POST['articleID']));
+                            $this->bridge->addConferenceTag($this->bridge->checkTag($this->clean_input(sanitize_text_field($_POST["tag" . $k]))), sanitize_text_field($_POST['articleID']));
                         }
                     }
@@ -549 +570 @@
                     $fileName = "";
                     if(isset($_POST["file_m"]) && sanitize_text_field($_POST["file_m"])!="")
-                        $fileName = sanitize_text_field($_POST["file_m"]);
+                        $fileName = $this->clean_input(sanitize_text_field($_POST["file_m"]));
                     else
                         $fileName = sanitize_mime_type($_FILES['file']['name']);
-                    $this->bridge->manageConference(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), sanitize_text_field($_POST["pages"]), sanitize_text_field($_POST["doi"]), sanitize_text_field($_POST["url"]), sanitize_text_field($_POST["issn"]), sanitize_text_field($_POST["supp"]), $fileName, sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), sanitize_text_field($_POST["arxiv"]), sanitize_text_field($_POST["bookTitle"]), sanitize_text_field($_POST["confPages"]), sanitize_text_field($_POST["articleID"]), $char1val, $char2val, $char3val);
+                    $this->bridge->manageConference(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), $this->clean_input(sanitize_text_field($_POST["pages"])), $this->clean_input(sanitize_text_field($_POST["doi"])), $this->clean_input(sanitize_text_field($_POST["url"])), $this->clean_input(sanitize_text_field($_POST["issn"])), $this->clean_input(sanitize_text_field($_POST["supp"])), $fileName, sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), $this->clean_input(sanitize_text_field($_POST["arxiv"])), sanitize_text_field($_POST["bookTitle"]), $this->clean_input(sanitize_text_field($_POST["confPages"])), sanitize_text_field($_POST["articleID"]), $char1val, $char2val, $char3val);
                     if(isset($_FILES['file']) && sanitize_mime_type($_FILES['file']['name']) != "")
                     {
@@ -591 +612 @@
                         if(isset($_POST["author" . $k]) && sanitize_text_field($_POST["author" . $k])!="")
                         {
-                            $this->bridge->addBookAuthor($this->bridge->checkAuthor(sanitize_text_field($_POST["author" . $k])), sanitize_text_field($_POST['articleID']));
+                            $this->bridge->addBookAuthor($this->bridge->checkAuthor($this->clean_input(sanitize_text_field($_POST["author" . $k]))), sanitize_text_field($_POST['articleID']));
                         }
                     }
@@ -599 +620 @@
                         if(isset($_POST["editor" . $k]) && sanitize_text_field($_POST["editor" . $k])!="")
                         {
-                            $this->bridge->addBookEditor($this->bridge->checkAuthor(sanitize_text_field($_POST["editor" . $k])), sanitize_text_field($_POST['articleID']));
+                            $this->bridge->addBookEditor($this->bridge->checkAuthor($this->clean_input(sanitize_text_field($_POST["editor" . $k]))), sanitize_text_field($_POST['articleID']));
                         }
                     }
@@ -607 +628 @@
                         if(isset($_POST["tag" . $k]) && sanitize_text_field($_POST["tag" . $k])!="")
                         { //creates new relations between book and tags
-                            $this->bridge->addBookTag($this->bridge->checkTag(sanitize_text_field($_POST["tag" . $k])), sanitize_text_field($_POST['articleID']));
+                            $this->bridge->addBookTag($this->bridge->checkTag($this->clean_input(sanitize_text_field($_POST["tag" . $k]))), sanitize_text_field($_POST['articleID']));
                         }
                     }
@@ -627 +648 @@
                     $fileName = "";
                     if(isset($_POST["file_m"]) && sanitize_text_field($_POST["file_m"])!="")
-                        $fileName = sanitize_text_field($_POST["file_m"]);
+                        $fileName = $this->clean_input(sanitize_text_field($_POST["file_m"]));
                     else
                         $fileName = sanitize_mime_type($_FILES['file']['name']);
-                    $this->bridge->manageBook(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), sanitize_text_field($_POST["pages"]), sanitize_text_field($_POST["doi"]), sanitize_text_field($_POST["url"]), sanitize_text_field($_POST["issn"]), sanitize_text_field($_POST["supp"]), $fileName, sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), sanitize_text_field($_POST["arxiv"]), sanitize_text_field($_POST["publisher"]), sanitize_text_field($_POST["chapter"]), sanitize_text_field($_POST["isbn"]), sanitize_text_field($_POST["articleID"]), $char1val, $char2val, $char3val);
+                    $this->bridge->manageBook(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), $this->clean_input(sanitize_text_field($_POST["pages"])), $this->clean_input(sanitize_text_field($_POST["doi"])), $this->clean_input(sanitize_text_field($_POST["url"])), $this->clean_input(sanitize_text_field($_POST["issn"])), $this->clean_input(sanitize_text_field($_POST["supp"])), $fileName, sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), $this->clean_input(sanitize_text_field($_POST["arxiv"])), $this->clean_input(sanitize_text_field($_POST["publisher"])), $this->clean_input(sanitize_text_field($_POST["chapter"])), $this->clean_input(sanitize_text_field($_POST["isbn"])), sanitize_text_field($_POST["articleID"]), $char1val, $char2val, $char3val);
                     if(isset($_FILES['file']) && sanitize_mime_type($_FILES['file']['name']) != "")
                     {
@@ -739 +760 @@
             if($_POST["paperType"]=="article") //inserts article paper info
             {
-                $this->bridge->addArticle(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), sanitize_text_field($_POST["pages"]), sanitize_text_field($_POST["doi"]), sanitize_text_field($_POST["url"]), sanitize_text_field($_POST["issn"]), sanitize_text_field($_POST["supp"]), sanitize_text_field($_POST["file"]), sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), sanitize_text_field($_POST["arxiv"]), $this->bridge->checkJournal(sanitize_text_field($_POST["journal"])), sanitize_text_field($_POST["volume"]), sanitize_text_field($_POST["issue"]), $char1val, $char2val, $char3val, sanitize_text_field($_POST["preprint"])); //writes article data in table
+                $this->bridge->addArticle(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), $this->clean_input(sanitize_text_field($_POST["pages"])), $this->clean_input(sanitize_text_field($_POST["doi"])), $this->clean_input(sanitize_text_field($_POST["url"])), $this->clean_input(sanitize_text_field($_POST["issn"])), $this->clean_input(sanitize_text_field($_POST["supp"])), $this->clean_input(sanitize_text_field($_POST["file"])), sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), $this->clean_input(sanitize_text_field($_POST["arxiv"])), $this->bridge->checkJournal($this->clean_input(sanitize_text_field($_POST["journal"]))), sanitize_text_field($_POST["volume"]), sanitize_text_field($_POST["issue"]), $char1val, $char2val, $char3val, sanitize_text_field($_POST["preprint"])); //writes article data in table
                 $art_id;
                 $data = $wpdb->get_results("SELECT id FROM " . $this->dbArticles . " ORDER By id DESC LIMIT 1"); //gets id of previously created article
@@ -750 +771 @@
                     if(isset($_POST["author" . $k]))
                     { //relates every author with article
-                        $this->bridge->addArticleAuthor($this->bridge->checkAuthor(sanitize_text_field($_POST["author" . $k])), $art_id);
+                        $this->bridge->addArticleAuthor($this->bridge->checkAuthor($this->clean_input(sanitize_text_field($_POST["author" . $k]))), $art_id);
                     }
                 }
                 if(isset($_POST["tag"]))
                 { //relates tags with article
-                    $this->bridge->addArticleTag($this->bridge->checkTag(sanitize_text_field($_POST["tag"])), $art_id);
+                    $this->bridge->addArticleTag($this->bridge->checkTag($this->clean_input(sanitize_text_field($_POST["tag"]))), $art_id);
                 }
                 for($k = 0; $k <= 20; $k++)
@@ -761 +782 @@
                     if(isset($_POST["tag" . $k]))
                     { //relates tags with article
-                        $this->bridge->addArticleTag($this->bridge->checkTag(sanitize_text_field($_POST["tag" . $k])), $art_id);
+                        $this->bridge->addArticleTag($this->bridge->checkTag($this->clean_input(sanitize_text_field($_POST["tag" . $k]))), $art_id);
                     }
                 }
             } else if(sanitize_text_field($_POST["paperType"])=="conference") //inserts conference info
             {
-                $this->bridge->addConference(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), sanitize_text_field($_POST["pages"]), sanitize_text_field($_POST["doi"]), sanitize_text_field($_POST["url"]), sanitize_text_field($_POST["issn"]), sanitize_text_field($_POST["supp"]), sanitize_text_field($_POST["file"]), sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), sanitize_text_field($_POST["arxiv"]), sanitize_text_field($_POST["bookTitle"]), sanitize_text_field($_POST["confPages"]), $char1val, $char2val, $char3val); //writes conference data in table
+                $this->bridge->addConference(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), $this->clean_input(sanitize_text_field($_POST["pages"])), $this->clean_input(sanitize_text_field($_POST["doi"])), $this->clean_input(sanitize_text_field($_POST["url"])), $this->clean_input(sanitize_text_field($_POST["issn"])), $this->clean_input(sanitize_text_field($_POST["supp"])), $this->clean_input(sanitize_text_field($_POST["file"])), sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), $this->clean_input(sanitize_text_field($_POST["arxiv"])), sanitize_text_field($_POST["bookTitle"]), $this->clean_input(sanitize_text_field($_POST["confPages"])), $char1val, $char2val, $char3val); //writes conference data in table
                 $art_id;
                 $data = $wpdb->get_results("SELECT id FROM " . $this->dbConferences . " ORDER By id DESC LIMIT 1"); //gets id of previously created conference
@@ -777 +798 @@
                     if(isset($_POST["author" . $k]))
                     { //relates every author with conference
-                        $this->bridge->addConferenceAuthor($this->bridge->checkAuthor(sanitize_text_field($_POST["author" . $k])), $art_id);
+                        $this->bridge->addConferenceAuthor($this->bridge->checkAuthor($this->clean_input(sanitize_text_field($_POST["author" . $k]))), $art_id);
                     }
                 }
                 if(isset($_POST["tag"]))
                 { //relates tags with article
-                    $this->bridge->addConferenceTag($this->bridge->checkTag(sanitize_text_field($_POST["tag"])), $art_id);
+                    $this->bridge->addConferenceTag($this->bridge->checkTag($this->clean_input(sanitize_text_field($_POST["tag"]))), $art_id);
                 }
                 for($k = 0; $k <= 20; $k++)
@@ -788 +809 @@
                     if(isset($_POST["tag" . $k]))
                     { //relates tags with article
-                        $this->bridge->addConferenceTag($this->bridge->checkTag(sanitize_text_field($_POST["tag" . $k])), $art_id);
+                        $this->bridge->addConferenceTag($this->bridge->checkTag($this->clean_input(sanitize_text_field($_POST["tag" . $k]))), $art_id);
                     }
                 }
             } else if(sanitize_text_field($_POST["paperType"])=="book") //inserts book info
             {
-                $this->bridge->addBook(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), sanitize_text_field($_POST["pages"]), sanitize_text_field($_POST["doi"]), sanitize_text_field($_POST["url"]), sanitize_text_field($_POST["issn"]), sanitize_text_field($_POST["supp"]), sanitize_text_field($_POST["file"]), sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), sanitize_text_field($_POST["arxiv"]), sanitize_text_field($_POST["publisher"]), sanitize_text_field($_POST["chapter"]), sanitize_text_field($_POST["isbn"]), $char1val, $char2val, $char3val); //writes book data in table
+                $this->bridge->addBook(sanitize_text_field($_POST["title"]), sanitize_text_field($_POST["year"]), $this->clean_input(sanitize_text_field($_POST["pages"])), $this->clean_input(sanitize_text_field($_POST["doi"])), $this->clean_input(sanitize_text_field($_POST["url"])), $this->clean_input(sanitize_text_field($_POST["issn"])), $this->clean_input(sanitize_text_field($_POST["supp"])), $this->clean_input(sanitize_text_field($_POST["file"])), sanitize_text_field($_POST["date"]), sanitize_text_field($_POST["public"]), $this->clean_input(sanitize_text_field($_POST["arxiv"])), $this->clean_input(sanitize_text_field($_POST["publisher"])), $this->clean_input(sanitize_text_field($_POST["chapter"])), $this->clean_input(sanitize_text_field($_POST["isbn"])), $char1val, $char2val, $char3val); //writes book data in table
                 $art_id;
                 $data = $wpdb->get_results("SELECT id FROM " . $this->dbBooks . " ORDER By id DESC LIMIT 1"); //gets id of previously created book
@@ -804 +825 @@
                     if(isset($_POST["author" . $k]))
                     { //relates every author with book
-                        $this->bridge->addBookAuthor($this->bridge->checkAuthor(sanitize_text_field($_POST["author" . $k])), $art_id);
+                        $this->bridge->addBookAuthor($this->bridge->checkAuthor($this->clean_input(sanitize_text_field($_POST["author" . $k]))), $art_id);
                     }
                 }
@@ -811 +832 @@
                     if(isset($_POST["editor" . $k]))
                     { //relates every editor with book
-                        $this->bridge->addBookEditor($this->bridge->checkAuthor(sanitize_text_field($_POST["editor" . $k])), $art_id);
+                        $this->bridge->addBookEditor($this->bridge->checkAuthor($this->clean_input(sanitize_text_field($_POST["editor" . $k]))), $art_id);
                     }
                 }
                 if(isset($_POST["tag"]))
                 { //relates tags with article
-                    $this->bridge->addBookTag($this->bridge->checkTag(sanitize_text_field($_POST["tag"])), $art_id);
+                    $this->bridge->addBookTag($this->bridge->checkTag($this->clean_input(sanitize_text_field($_POST["tag"]))), $art_id);
                 }
                 for($k = 0; $k <= 20; $k++)
@@ -822 +843 @@
                     if(isset($_POST["tag" . $k]))
                     { //relates tags with article
-                        $this->bridge->addBookTag($this->bridge->checkTag(sanitize_text_field($_POST["tag" . $k])), $art_id);
+                        $this->bridge->addBookTag($this->bridge->checkTag($this->clean_input(sanitize_text_field($_POST["tag" . $k]))), $art_id);
                     }
                 }
@@ -862 +883 @@
         if(isset($_POST["prefix"])&& check_admin_referer('bnp_prefix_setting') && current_user_can('publish_pages')) //checks if db prefix was set
         {
-            if(sanitize_text_field($_POST["prefix"]) != "") //if not empty, sets new prefix value
+            if(sanitize_text_field($_POST["prefix"]) != "" && preg_match("/^[a-zA-Z0-9_-]*$/", $_POST["prefix"])) //if not empty, sets new prefix value
             {
                 update_option('bnpp_tables_created', false);
                 update_option('bnpp_custom_db_prefix',sanitize_text_field($_POST["prefix"]));
                 echo "<script type='text/javascript'> window.location=document.location.href;</script>";
+            } else {
+                echo "<script type='text/javascript'> alert('The prefix cannot contain special characters. Please, use letters, numbers, dash and underscore only!'); window.location=document.location.href;</script>";
             }
         }
@@ -872 +895 @@
         if(isset($_POST["comp_rbracket"])&& check_admin_referer('bnp_compatibility_setting') && current_user_can('publish_pages'))
         {
-            update_option('bnpp_comp_rbracket',sanitize_text_field($_POST["comp_rbracket"]));
-            update_option('bnpp_comp_lbracket',sanitize_text_field($_POST["comp_lbracket"]));
+            if(preg_match("/^[a-zA-Z0-9_\[\](){}-]*$/", $_POST["comp_rbracket"])){
+                update_option('bnpp_comp_rbracket',sanitize_text_field($_POST["comp_rbracket"]));
+            } else {
+                echo "<script type='text/javascript'> alert('The brackets cannot contain special characters. Please, use letters, numbers, dash, brackets and underscore only!'); window.location=document.location.href;</script>";
+            }
+            if(preg_match("/^[a-zA-Z0-9_\[\](){}-]*$/", $_POST["comp_lbracket"])){
+                update_option('bnpp_comp_lbracket',sanitize_text_field($_POST["comp_lbracket"]));
+            } else {
+                echo "<script type='text/javascript'> alert('The brackets cannot contain special characters. Please, use letters, numbers, dash, brackets and underscore only!'); window.location=document.location.href;</script>";
+            }
             if(isset($_POST["comp_pub"]))
                 update_option('bnpp_comp_pub',true);
@@ -903 +934 @@
         if(isset($_POST["upload_abs_hidden"])&& check_admin_referer('bnp_upload_dir_setting') && current_user_can('publish_pages'))
         {
-            update_option('bnpp_upload_dir',sanitize_text_field($_POST["upload"]));
+            if(!preg_match("/[\"'*?<>|]$/", $_POST["upload"])){
+                update_option('bnpp_upload_dir',sanitize_text_field($_POST["upload"]));
+            } else {
+                echo "<script type='text/javascript'> alert('Cannot accept the upload folder path. Please, avoid using these symbols for the folder: \", \', *, ?, <, >, |'); window.location=document.location.href;</script>";
+            }
             if(isset($_POST["upload_abs"]))
                 update_option('bnpp_upload_dir_abs',true);
@@ -928 +963 @@
             }
             update_option('bnpp_list_division',sanitize_text_field($_POST["listDivision"]));
-            update_option('bnpp_list_division_style',sanitize_text_field($_POST["listDivisionStyle"]));
+            if(preg_match("/^[a-zA-Z0-9_.,:; #()%-]*$/", $_POST["listDivisionStyle"])){
+                update_option('bnpp_list_division_style',sanitize_text_field($_POST["listDivisionStyle"]));
+            } else {
+                echo "<script type='text/javascript'> alert('Style input contains disallowed symbols.'); window.location=document.location.href;</script>";
+            }
             update_option('bnpp_list_order',sanitize_text_field($_POST["listOrder"]));
             echo "<script type='text/javascript'> window.location=document.location.href;</script>";
@@ -934 +973 @@
         if(isset($_POST["lstylevalue"])&& check_admin_referer('bnp_lstyle_setting') && current_user_can('publish_pages'))
         {
-            update_option('bnpp_lstyle_value',sanitize_text_field($_POST["lstylevalue"]));
-            echo "<script type='text/javascript'> window.location=document.location.href;</script>";
+            if(preg_match("/^[a-zA-Z0-9_.,:; #()%-]*$/", $_POST["lstylevalue"])){
+                update_option('bnpp_lstyle_value',sanitize_text_field($_POST["lstylevalue"]));
+                echo "<script type='text/javascript'> window.location=document.location.href;</script>";
+            } else {
+                echo "<script type='text/javascript'> alert('Style input contains disallowed symbols.'); window.location=document.location.href;</script>";
+            }
         }
         //sets characteristics values
         if(isset($_POST["char1name"])&& check_admin_referer('bnp_char1_setting') && current_user_can('publish_pages'))
         {
-            update_option('bnpp_custom_char1_name',sanitize_text_field($_POST["char1name"]));
-            update_option('bnpp_custom_char1_value',sanitize_text_field($_POST["char1value"]));
+            if(preg_match("/^[a-zA-Z0-9_-]*$/", $_POST["char1name"])){
+                update_option('bnpp_custom_char1_name',sanitize_text_field($_POST["char1name"]));
+            } else {
+                echo "<script type='text/javascript'> alert('The characteristic name cannot contain special characters. Please, use letters, numbers, dash and underscore only!'); window.location=document.location.href;</script>";
+            }
+            if(preg_match("/^[a-zA-Z0-9_.,:; #()%-]*$/", $_POST["char1value"])){
+                update_option('bnpp_custom_char1_value',sanitize_text_field($_POST["char1value"]));
+            } else {
+                echo "<script type='text/javascript'> alert('Style input contains disallowed symbols.'); window.location=document.location.href;</script>";
+            }
             echo "<script type='text/javascript'> window.location=document.location.href;</script>";
         }
         if(isset($_POST["char2name"])&& check_admin_referer('bnp_char2_setting') && current_user_can('publish_pages'))
         {
-            update_option('bnpp_custom_char2_name',sanitize_text_field($_POST["char2name"]));
-            update_option('bnpp_custom_char2_value',sanitize_text_field($_POST["char2value"]));
+            if(preg_match("/^[a-zA-Z0-9_-]*$/", $_POST["char2name"])){
+                update_option('bnpp_custom_char2_name',sanitize_text_field($_POST["char2name"]));
+            } else {
+                echo "<script type='text/javascript'> alert('The characteristic name cannot contain special characters. Please, use letters, numbers, dash and underscore only!'); window.location=document.location.href;</script>";
+            }
+            if(preg_match("/^[a-zA-Z0-9_.,:; #()%-]*$/", $_POST["char2value"])){
+                update_option('bnpp_custom_char2_value',sanitize_text_field($_POST["char2value"]));
+            } else {
+                echo "<script type='text/javascript'> alert('Style input contains disallowed symbols.'); window.location=document.location.href;</script>";
+            }
             echo "<script type='text/javascript'> window.location=document.location.href;</script>";
         }
         if(isset($_POST["char3name"])&& check_admin_referer('bnp_char3_setting') && current_user_can('publish_pages'))
         {
-            update_option('bnpp_custom_char3_name',sanitize_text_field($_POST["char3name"]));
-            update_option('bnpp_custom_char3_value',sanitize_text_field($_POST["char3value"]));
+            if(preg_match("/^[a-zA-Z0-9_-]*$/", $_POST["char3name"])){
+                update_option('bnpp_custom_char3_name',sanitize_text_field($_POST["char3name"]));
+            } else {
+                echo "<script type='text/javascript'> alert('The characteristic name cannot contain special characters. Please, use letters, numbers, dash and underscore only!'); window.location=document.location.href;</script>";
+            }
+            if(preg_match("/^[a-zA-Z0-9_.,:; #()%-]*$/", $_POST["char3value"])){
+                update_option('bnpp_custom_char3_value',sanitize_text_field($_POST["char3value"]));
+            } else {
+                echo "<script type='text/javascript'> alert('Style input contains disallowed symbols.'); window.location=document.location.href;</script>";
+            }
             echo "<script type='text/javascript'> window.location=document.location.href;</script>";
         }
@@ -969 +1036 @@
             } else
             {
-                $this->bridge->dropTables(get_option('custom_db_prefix'));
+                $this->bridge->dropTables(get_option('bnpp_custom_db_prefix'));
                 update_option('bnpp_drop_db_tables',true);
                 update_option('bnpp_db_import_debug', 'No logs');

books-papers/trunk/readme.txt

@@ -4 +4 @@
 Tags: academic, publication, paper, article, conference, proceedings, bibliography, management, auto-fill, autofill
 Requires at least: 5.1.1
-Tested up to: 5.6
-Stable tag: 0.20210223
+Tested up to: 5.9
+Stable tag: 0.20220219
 Requires PHP: 5.6
 License: GPLv2 or later
@@ -113 +113 @@
 == Changelog ==
 
+= 0.20220219 =
+* Fixed input fields vulnerability.
+
 = 0.20210223 =
 * Fixed bug with incorrect representation of several authors with the same surnames.
@@ -202 +205 @@
 == Upgrade Notice ==
 
+= 0.20220219 =
+* Fixed input fields vulnerability.
+
 = 0.20210223 =
 * Fixed bug with incorrect representation of several authors with the same surnames.