Context Navigation

← Previous Changeset
Next Changeset →

Changeset 2721774

Timestamp:

05/11/2022 08:04:09 AM (4 years ago)

Author:

likebtn

Message:

Update

Location:

likebtn-like-button/tags/2.6.44

Files:

: 6 edited

includes/tab_votes.php (modified) (8 diffs)
likebtn_like_button.php (modified) (44 diffs)
templates/like-box.php (modified) (2 diffs)
templates/liked-by-user-widget.php (modified) (5 diffs)
templates/most-liked-widget.php (modified) (5 diffs)
templates/um-liked-content.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

likebtn-like-button/tags/2.6.44/includes/tab_votes.php

-                      r2721442
+                      r2721774
                             <option value="">-- <?php _e('Any', 'likebtn-like-button'); ?> --</option>
                             <?php foreach ($likebtn_entities as $entity_name_value => $entity_title): ?>
                                 <option value="<?php echo $entity_name_value; ?>" <?php selected($entity_name, $entity_name_value); ?> ><?php _e($entity_title, 'likebtn-like-button'); ?></option>
+                                <option value="<?php echo esc_attr($entity_name_value); ?>" <?php selected($entity_name, $entity_name_value); ?> ><?php echo esc_html(__($entity_title, 'likebtn-like-button')); ?></option>
                             <?php endforeach ?>
                         </select>
 …
                     <div class="likebtn-form-group">
                         <label><?php _e('Item ID', 'likebtn-like-button'); ?>:</label>
                         <input type="text" name="likebtn_post_id" value="<?php echo htmlspecialchars($post_id) ?>" size="10" />
+                        <input type="text" name="likebtn_post_id" value="<?php echo esc_attr($post_id) ?>" size="10" />
                     </div>
                     <br/>
                     <div class="likebtn-form-group">
                         <label><?php _e('User ID', 'likebtn-like-button'); ?>:</label>
                         <input type="text" name="likebtn_user_id" value="<?php echo htmlspecialchars($user_id) ?>" size="10" />
+                        <input type="text" name="likebtn_user_id" value="<?php echo esc_attr($user_id) ?>" size="10" />
                     </div>
                     <div class="likebtn-form-group">
                         <label><?php _e('IP'); ?>:</label>
                         <input type="text" name="likebtn_ip" value="<?php echo htmlspecialchars($ip) ?>" size="20"/>
+                        <input type="text" name="likebtn_ip" value="<?php echo esc_attr($ip) ?>" size="20"/>
                     </div>
 …
                 <select name="likebtn_blog_id" >
                     <?php foreach ($blogs as $blog_id_value => $blog_title): ?>
                         <option value="<?php echo $blog_id_value; ?>" <?php selected($votes_blog_id, $blog_id_value); ?> ><?php echo $blog_title; ?></option>
+                        <option value="<?php echo esc_attr($blog_id_value); ?>" <?php selected($votes_blog_id, $blog_id_value); ?> ><?php echo esc_html($blog_title); ?></option>
                     <?php endforeach ?>
                 </select>&nbsp;&nbsp;
 …
             <select name="likebtn_page_size" >
                 <?php foreach ($likebtn_page_sizes as $page_size_value): ?>
                     <option value="<?php echo $page_size_value; ?>" <?php selected($page_size, $page_size_value); ?> ><?php echo $page_size_value ?></option>
+                    <option value="<?php echo esc_attr($page_size_value); ?>" <?php selected($page_size, $page_size_value); ?> ><?php echo esc_html($page_size_value) ?></option>
                 <?php endforeach ?>
 …
                     <input class="button-primary" type="submit" name="show" value="<?php _e('View', 'likebtn-like-button'); ?>" />
                     &nbsp;
                     <?php _e('Votes Found', 'likebtn-like-button'); ?>: <strong><?php echo $total_found ?></strong>
+                    <?php _e('Votes Found', 'likebtn-like-button'); ?>: <strong><?php echo esc_html($total_found) ?></strong>
                 </nobr>
                 <?php if (count($votes) && $p->lastpage > 1): ?>
 …
+            }
             jQuery.getJSON('<?php echo admin_url('admin-ajax.php') ?>?action=likebtn_vgaph&nonce=<?php echo wp_create_nonce('likebtn_vgaph'); ?>&<?php echo $_SERVER['QUERY_STRING'] ?>', function(response) {
+            jQuery.getJSON('<?php echo admin_url('admin-ajax.php') ?>?action=likebtn_vgaph&nonce=<?php echo wp_create_nonce('likebtn_vgaph'); ?>&<?php echo esc_url($_SERVER['QUERY_STRING']) ?>', function(response) {
                 if (!response.data) {
 …
             // Load data from server
             jQuery.getJSON('<?php echo admin_url('admin-ajax.php') ?>?action=likebtn_vgaph&level='+level+'&timestamp='+timestamp+'&nonce=<?php echo wp_create_nonce('likebtn_vgaph'); ?>&<?php echo $_SERVER['QUERY_STRING'] ?>', function(response) {
+            jQuery.getJSON('<?php echo admin_url('admin-ajax.php') ?>?action=likebtn_vgaph&level='+level+'&timestamp='+timestamp+'&nonce=<?php echo wp_create_nonce('likebtn_vgaph'); ?>&<?php echo esc_url($_SERVER['QUERY_STRING']) ?>', function(response) {
                 if (response.error_message) {
 …
     <div id="likebtn_export" class="likebtn_export hidden">
         <form action="<?php echo admin_url('admin-ajax.php') ?>?action=likebtn_export_votes&<?php echo $_SERVER['QUERY_STRING'] ?>" method="post" target="_blank">
+        <form action="<?php echo admin_url('admin-ajax.php') ?>?action=likebtn_export_votes&<?php echo esc_url($_SERVER['QUERY_STRING']) ?>" method="post" target="_blank">
             <input type="hidden" name="export" value="1" />
             <input type="hidden" name="nonce" value="<?php echo wp_create_nonce( 'likebtn_export_votes' ); ?>" />

likebtn-like-button/tags/2.6.44/likebtn_like_button.php

-                      r2721442
+                      r2721774
             var likebtn_msg_f_submit2 = "<?php echo likebtn_esctr_msg(__('Submit and KEEP plugin active', 'likebtn-like-button')) ?>";
             var likebtn_msg_f_tmp = "<?php echo likebtn_esctr_msg(__('Deactivating for time being', 'likebtn-like-button')) ?>";
             var likebtn_msg_f_offer1 = "<?php echo likebtn_esctr_msg(strtr(__('Here is your personal <strong style="font-size:20px;">%discount%% OFF</strong> coupon. Enter the code on %a_start%Upgrade%a_end% page and click Apply!', 'likebtn-like-button'), array('%discount%'=>65, '%a_start%'=>'<a href="'.__("https://likebtn.com/en/customer.php/upgrade/", 'likebtn-like-button')."?site_id=".get_option('likebtn_site_id')."&engine=wordpress&add_website=".$_SERVER['SERVER_NAME'].'" target="_blank">', '%a_end%'=>'</a>'))) ?>";
+            var likebtn_msg_f_offer1 = "<?php echo likebtn_esctr_msg(strtr(__('Here is your personal <strong style="font-size:20px;">%discount%% OFF</strong> coupon. Enter the code on %a_start%Upgrade%a_end% page and click Apply!', 'likebtn-like-button'), array('%discount%'=>65, '%a_start%'=>'<a href="'.__("https://likebtn.com/en/customer.php/upgrade/", 'likebtn-like-button')."?site_id=".get_option('likebtn_site_id')."&engine=wordpress&add_website=".esc_attr($_SERVER['SERVER_NAME']).'" target="_blank">', '%a_end%'=>'</a>'))) ?>";
             var likebtn_msg_f_offer2 = "<?php echo __("Enjoy!", 'likebtn-like-button') ?>";
         </script>
 …
 function likebtn_admin_header() {
     $logo_url = _likebtn_get_public_url() . 'img/logo.png';
+    $header = <<<HEADER
+    <div class="wrap" id="likebtn">
+HEADER;
+    $header .= '
+    $header = '<div class="wrap" id="likebtn">
         <div id="poststuff">
             <div id="post-body" class="metabox-holder columns-2">
 …
                         <div class="postbox likebtn_logo">
                             <div class="inside likebtn_sidebar_inside">
                                 <a href="https://likebtn.com/en/wordpress-like-button-plugin" target="_blank" title="LikeBtn.com"><img alt="" src="'.$logo_url.'" /></a>
+                                <a href="https://likebtn.com/en/wordpress-like-button-plugin" target="_blank" title="LikeBtn.com"><img alt="" src="'.esc_url($logo_url).'" /></a>
                                 <input type="submit" id="likebtn_contact" value="' . __('Contact Us', 'likebtn-like-button') . '" class="button-primary" onclick="likebtnContactUs()">
                             </div>
 …
             <div id="likebtn_trial_info" class="likebtn_sidebar_section">
                 <a href="javascript:jQuery(\'#likebtn_trial_help\').toggle();void(0);">'.__('What is TRIAL?', 'likebtn-like-button').'</a>
                 <div id="likebtn_trial_help" style="display:none"><br/>'.strtr(__('During the TRIAL period you can enjoy ULTRA features for 7 days. After TRIAL expires your website is switched to the %a_begin%FREE%a_end% plan (all the votes will be kept!) and you can continue using FREE plan or go Premium.', 'likebtn-like-button'), array('%a_begin%'=>'<a href="javascript:likebtnPopup(\''.__('https://likebtn.com/en/customer.php/upgrade/', 'likebtn-like-button').'?site_id='.get_option('likebtn_site_id').'&engine=wordpress&add_website='.$_SERVER['SERVER_NAME'].'\');void(0);">', '%a_end%'=>'</a>')).'</div>
+                <div id="likebtn_trial_help" style="display:none"><br/>'.strtr(__('During the TRIAL period you can enjoy ULTRA features for 7 days. After TRIAL expires your website is switched to the %a_begin%FREE%a_end% plan (all the votes will be kept!) and you can continue using FREE plan or go Premium.', 'likebtn-like-button'), array('%a_begin%'=>'<a href="javascript:likebtnPopup(\''.__('https://likebtn.com/en/customer.php/upgrade/', 'likebtn-like-button').'?site_id='.get_option('likebtn_site_id').'&engine=wordpress&add_website='.esc_attr($_SERVER['SERVER_NAME']).'\');void(0);">', '%a_end%'=>'</a>')).'</div>
             </div>';
+    }
 …
     //if ($plan_synced && $likebtn_plan != LIKEBTN_PLAN_ULTRA) {
         $html .= '<input class="button-secondary likebtn_button_upgrade" type="button" value="'.__('Upgrade', 'likebtn-like-button').'" onclick="likebtnPopup(\''.__('https://likebtn.com/en/customer.php/upgrade/', 'likebtn-like-button').'?site_id='.get_option('likebtn_site_id').'&engine=wordpress&add_website='.$_SERVER['SERVER_NAME'].'\')" /> &nbsp;';
+        $html .= '<input class="button-secondary likebtn_button_upgrade" type="button" value="'.__('Upgrade', 'likebtn-like-button').'" onclick="likebtnPopup(\''.__('https://likebtn.com/en/customer.php/upgrade/', 'likebtn-like-button').'?site_id='.get_option('likebtn_site_id').'&engine=wordpress&add_website='.esc_attr($_SERVER['SERVER_NAME']).'\')" /> &nbsp;';
     //}
     if ($plan_synced && $likebtn_plan != LIKEBTN_PLAN_FREE && $likebtn_plan != LIKEBTN_PLAN_TRIAL) {
         $html .= '<small><a href="javascript:likebtnPopup(\''.__('https://likebtn.com/en/customer.php/upgrade/', 'likebtn-like-button').'?site_id='.get_option('likebtn_site_id').'&prolong=1&engine=wordpress&add_website='.$_SERVER['SERVER_NAME'].'\');void(0);">'.__('Renew Plan', 'likebtn-like-button').'</a></small>';
+        $html .= '<small><a href="javascript:likebtnPopup(\''.__('https://likebtn.com/en/customer.php/upgrade/', 'likebtn-like-button').'?site_id='.get_option('likebtn_site_id').'&prolong=1&engine=wordpress&add_website='.esc_attr($_SERVER['SERVER_NAME']).'\');void(0);">'.__('Renew Plan', 'likebtn-like-button').'</a></small>';
     } else {
         $html .= '<small><a href="javascript:likebtnPopup(\''.__('https://likebtn.com/en/customer.php/upgrade/', 'likebtn-like-button').'?site_id='.get_option('likebtn_site_id').'&engine=wordpress&add_website='.$_SERVER['SERVER_NAME'].'\');void(0);">'.__('Plans & Pricing', 'likebtn-like-button').'</a></small>';
+        $html .= '<small><a href="javascript:likebtnPopup(\''.__('https://likebtn.com/en/customer.php/upgrade/', 'likebtn-like-button').'?site_id='.get_option('likebtn_site_id').'&engine=wordpress&add_website='.esc_attr($_SERVER['SERVER_NAME']).'\');void(0);">'.__('Plans & Pricing', 'likebtn-like-button').'</a></small>';
+    }
     $html .= '</div>';
 …
+}
-// sidebar social
-function _likebtn_sidebar_social()
+{
-    $html =<<<HTML
-<div class="likebtn_social">
-    <iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.facebook.com%2FLikeBtn.LikeButton&amp;width&amp;layout=button_count&amp;action=like&amp;show_faces=false&amp;share=false&amp;height=21&amp;appId=192115980991078" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:21px; width:110px;" allowTransparency="true"></iframe>
-</div>
-<div class="likebtn_social">
-    <a href="https://twitter.com/likebtn" class="twitter-follow-button" data-show-count="true" data-show-screen-name="false" data-width="144px"></a>
-<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
-</div>
-HTML;
-    return $html;
+}
 // sidebar Referral Program
 function _likebtn_sidebar_rp()
+{
+    $public_url = _likebtn_get_public_url();
+    $title = __('Earn Money With LikeBtn!', 'likebtn-like-button');
+    $href = "javascript:likebtnPopup('".__('https://likebtn.com/en/', 'likebtn-like-button')."referral-program');void(0)";
+    $html =<<<HTML
+<center><a href="{$href}" class="likebtn_ttip" title="{$title}" style="display:block"><img src="{$public_url}img/rp.png" style="max-width:60%"/></a></center>
+HTML;
+    $html = '<center><a href="javascript:likebtnPopup(\''.__('https://likebtn.com/en/', 'likebtn-like-button').'referral-program\');void(0)" class="likebtn_ttip" title="'.__('Earn Money With LikeBtn!', 'likebtn-like-button').'" style="display:block"><img src="'._likebtn_get_public_url().'img/rp.png" style="max-width:60%"/></a></center>';
     return $html;
 …
     if (isset($likebtn_plans[$likebtn_plan]) && $plan_synced) {
         // <a href="javascript: likebtnPopup(\''.__('http://likebtn.com/en/', 'likebtn-like-button').'?add_website='.$_SERVER['SERVER_NAME'].'#plans_pricing\'); void(0)" class="likebtn_ttip" title="'.__('Plans & Pricing', 'likebtn-like-button').'"><strong>'.$likebtn_plans[$likebtn_plan].'</strong></a>
+        // <a href="javascript: likebtnPopup(\''.__('http://likebtn.com/en/', 'likebtn-like-button').'?add_website='.esc_attr($_SERVER['SERVER_NAME']).'#plans_pricing\'); void(0)" class="likebtn_ttip" title="'.__('Plans & Pricing', 'likebtn-like-button').'"><strong>'.$likebtn_plans[$likebtn_plan].'</strong></a>
         $plan_html = '<strong>'.$likebtn_plans[$likebtn_plan].'</strong>'.$refresh_html;
 …
     // Poll
     $script = basename($_SERVER['REQUEST_URI']);
+    $script = basename(sanitize_text_field($_SERVER['REQUEST_URI']));
     if (!$script) {
         $script = basename($_SERVER['SCRIPT_NAME']);
+        $script = basename(sanitize_text_field($_SERVER['SCRIPT_NAME']));
+    }
     if (!$script) {
         $script = basename($_SERVER['SCRIPT_FILENAME']);
+        $script = basename(sanitize_text_field($_SERVER['SCRIPT_FILENAME']));
+    }
     $script = preg_replace("/\?.*/", '', $script);
 …
             <select name="likebtn_entity_name" >
                 <?php foreach ($likebtn_entities as $entity_name_value => $entity_title): ?>
                     <option value="<?php echo esc_attr($entity_name_value); ?>" <?php selected($entity_name, $entity_name_value); ?> ><?php _e($entity_title, 'likebtn-like-button'); ?></option>
+                    <option value="<?php echo esc_attr($entity_name_value); ?>" <?php selected($entity_name, $entity_name_value); ?> ><?php echo esc_html(__($entity_title, 'likebtn-like-button')); ?></option>
                 <?php endforeach ?>
             </select></nobr>
 …
                 <div class="inside">
                     <label><?php _e('ID', 'likebtn-like-button'); ?>:</label>
                     <input type="text" name="likebtn_post_id" value="<?php echo htmlspecialchars($post_id) ?>" size="5" />
+                    <input type="text" name="likebtn_post_id" value="<?php echo esc_attr($post_id) ?>" size="5" />
                     &nbsp;&nbsp;
                     <label><?php _e('Title'); ?>:</label>
                     <input type="text" name="likebtn_post_title" value="<?php echo htmlspecialchars($post_title) ?>" size="25"/>
+                    <input type="text" name="likebtn_post_title" value="<?php echo esc_attr($post_title) ?>" size="25"/>
                     &nbsp;&nbsp;
                     <label><?php _e('Status', 'likebtn-like-button'); ?>:</label>
 …
                         <option value=""></option>
                         <?php foreach ($likebtn_post_statuses as $post_status_value => $post_status_title): ?>
                             <option value="<?php echo esc_attr($post_status_value); ?>" <?php selected($post_status, $post_status_value); ?> ><?php echo _e($post_status_title) ?></option>
+                            <option value="<?php echo esc_attr($post_status_value); ?>" <?php selected($post_status, $post_status_value); ?> ><?php echo esc_html(__($post_status_title)) ?></option>
                         <?php endforeach ?>
                     </select>
 …
+    }
+    $items = array();
+    foreach ($_POST['item'] as $item) {
+        $items[] = sanitize_text_field($item);
+    }
     switch ($_POST['bulk_action']) {
         case 'reset':
             // $_POST['item'] must be able to contain any symbols
             $reseted = _likebtn_reset($entity_name, sanitize_text_field($_POST['item']));
+            $reseted = _likebtn_reset($entity_name, $items);
             _likebtn_add_notice(array(
                 'msg' => __('Likes and dislikes for the following number of items have been successfully reseted:', 'likebtn-like-button').' '.$reseted,
 …
         case 'delete':
             // $_POST['item'] must be able to contain any symbols
             $reseted = _likebtn_delete($entity_name, sanitize_text_field($_POST['item']));
+            $reseted = _likebtn_delete($entity_name, $items);
             _likebtn_add_notice(array(
                 'msg' => __('The following number of items have been successfully deleted:', 'likebtn-like-button').' '.$reseted,
 …
+    }
     wp_redirect($_SERVER['REQUEST_URI']);
+    wp_redirect(sanitize_url($_SERVER['REQUEST_URI']));
     exit();
+}
 …
         $identifier = _likebtn_entity_to_identifier($entity_name, $entity_id);
+    }
     $data = ' data-identifier="' . $identifier . '" ';
+    $data = ' data-identifier="' . esc_attr($identifier) . '" ';
     // Site ID
     if (get_option('likebtn_site_id')) {
         $data .= ' data-site_id="' . get_option('likebtn_site_id') . '" ';
+        $data .= ' data-site_id="' . esc_attr(get_option('likebtn_site_id')) . '" ';
+    }
 …
     if (_likebtn_get_option($use_entity_name, 'likebtn_user_logged_in', $values) == LIKEBTN_USER_LOGGED_IN_MODAL && !is_user_logged_in()) {
         $values['voting_enabled'] = '0';
         $data .= ' data-clk_modal="' . htmlspecialchars(_likebtn_get_user_logged_in_alert($use_entity_name)) . '" ';
+        $data .= ' data-clk_modal="' . esc_attr(htmlspecialchars(_likebtn_get_user_logged_in_alert($use_entity_name))) . '" ';
+    }
 …
         $values['group_identifier'] = $entity_name;
+    }
     $likebtn_settings = _likebtn_get_all_settings();
 …
                 $option_value_prepared = likebtn_cur_lang();
+            }
             $data .= ' data-' . $option_name . '="' . $option_value_prepared . '" ';
+            $data .= ' data-' . $option_name . '="' . esc_attr($option_value_prepared) . '" ';
+        }
+    }
 …
     // Add item options
     if ($entity_url && !$prepared_settings['item_url']) {
         $data .= ' data-item_url="' . $entity_url . '" ';
+        $data .= ' data-item_url="' . esc_attr($entity_url) . '" ';
+    }
     if ($entity_title && !$prepared_settings['item_title']) {
 …
         $entity_title = htmlspecialchars($entity_title);
         $data .= ' data-item_title="' . $entity_title . '" ';
+        $data .= ' data-item_title="' . esc_attr($entity_title) . '" ';
+    }
     if ($entity_image && !$prepared_settings['item_image']) {
         $data .= ' data-item_image="' . $entity_image . '" ';
+        $data .= ' data-item_image="' . esc_attr($entity_image) . '" ';
+    }
     if ($entity_date && !$prepared_settings['item_date']) {
         $data .= ' data-item_date="' . $entity_date . '" ';
+        $data .= ' data-item_date="' . esc_attr($entity_date) . '" ';
+    }
 …
         $vt = _likebtn_get_vote_type($identifier, $prepared_settings['voting_frequency']);
         if ($vt) {
             $data .= ' data-vt="'.$vt.'" ';
+            $data .= ' data-vt="'.esc_attr($vt).'" ';
+        }
+    }
 …
     $plugin_v = LIKEBTN_VERSION;
     if ($plugin_v) {
         $data .= ' data-plugin_v="' . $plugin_v . '" ';
+        $data .= ' data-plugin_v="' . esc_attr($plugin_v) . '" ';
+    }
 …
+        }
         $data .= ' data-prx="' . $prx . '" ';
+        $data .= ' data-prx="' . esc_attr($prx) . '" ';
+    }
     // Event handler
 …
     $widget_url = LIKEBTN_WIDGET_URL;
     if ($include_script) {
+        $markup = <<<MARKUP
+<!-- LikeBtn.com BEGIN --><span class="likebtn-wrapper" {$data}></span><script>(function(d, e, s) {a = d.createElement(e);m = d.getElementsByTagName(e)[0];a.async = 1;a.src = s;m.parentNode.insertBefore(a, m)})(document, 'script', '//{$widget_url}'); if (typeof(LikeBtn) != "undefined") { LikeBtn.init(); }</script><!-- LikeBtn.com END -->
+MARKUP;
+        // $data is prepared and escaped above
+        $markup = '<!-- LikeBtn.com BEGIN --><span class="likebtn-wrapper" '.$data.'></span><script>(function(d, e, s) {a = d.createElement(e);m = d.getElementsByTagName(e)[0];a.async = 1;a.src = s;m.parentNode.insertBefore(a, m)})(document, \'script\', \'//'.esc_attr($widget_url).'\'); if (typeof(LikeBtn) != "undefined") { LikeBtn.init(); }</script><!-- LikeBtn.com END -->';
     } else {
+        $markup = <<<MARKUP
+<!-- LikeBtn.com BEGIN --><span class="likebtn-wrapper" {$data}></span><!-- LikeBtn.com END -->
+MARKUP;
+        // $data is prepared and escaped above
+        $markup = '<!-- LikeBtn.com BEGIN --><span class="likebtn-wrapper" '.$data.'></span><!-- LikeBtn.com END -->';
+    }
 …
+    }
     $html_before = apply_filters('likebtn_html_before', $html_before, $entity_name, $entity_id, $values);
     $markup = $html_before . $markup;
+    $markup = wp_kses($html_before, 'post') . $markup;
 …
     $html_after = apply_filters('likebtn_html_after', $html_after, $entity_name, $entity_id, $values);
     $markup = $markup . $html_after;
+    $markup = $markup . wp_kses($html_after, 'post');
     if (($wrap || !empty($values['wrap']) || !empty($values['alignment']) || !empty($values['newline'])) && !is_admin()) {
 …
             if ($alignment == LIKEBTN_ALIGNMENT_RIGHT) {
                 $style .= 'text-align:right;';
                 $markup = '<div class="likebtn_container" style="'.$style.'">' . $markup . '</div>';
+                $markup = '<div class="likebtn_container" style="'.esc_attr($style).'">' . $markup . '</div>';
             } elseif ($alignment == LIKEBTN_ALIGNMENT_CENTER) {
                 $style .= 'text-align:center;';
                 $markup = '<div class="likebtn_container" style="'.$style.'">' . $markup . '</div>';
+                $markup = '<div class="likebtn_container" style="'.esc_attr($style).'">' . $markup . '</div>';
             } else {
                 $markup = '<div class="likebtn_container" style="'.$style.'">' . $markup . '</div>';
+                $markup = '<div class="likebtn_container" style="'.esc_attr($style).'">' . $markup . '</div>';
+            }
+        }
 …
         );
+        // Options sanitizing is done in likebtn_send_vote_notification() function
         $result = likebtn_send_vote_notification($vars, stripslashes_deep($_POST['options']));
 …
         $client_identifier = $user_id;
     } else {
+        // $_SERVER do not need sanitizing here, we need them intact in md5 function();
         $client_identifier = md5($ip.$_SERVER['HTTP_USER_AGENT'].$_SERVER['HTTP_ACCEPT'].$_SERVER['HTTP_ACCEPT_LANGUAGE']);
+    }
 …
             // If suhosin.get.max_value_length is set
             $_GET = array();
             $params = explode('&', $_SERVER['QUERY_STRING']);
+            $params = explode('&', sanitize_text_field($_SERVER['QUERY_STRING']));
             foreach ($params as $pair) {
                 list($key, $value) = explode('=', $pair);
 …
                         try {
                             $http = new WP_Http();
+                            // S_SERVER vars do not need sanitizing here - we pass them as is to the external system
                             $headers = array(
                                 "User-Agent" => $_SERVER['HTTP_USER_AGENT'],
 …
     // global $likebtn_cf_ip_ranges_ipv6;
     $ip = $_SERVER['REMOTE_ADDR'];
+    $ip = sanitize_text_field($_SERVER['REMOTE_ADDR']);
     // Behind CloudFlare
 …
             foreach ($likebtn_cf_ip_ranges_ipv6 as $range) {
                 if (_likebtn_ip_in_range_ipv6($ip, $range)) {
                     return $_SERVER['HTTP_CF_CONNECTING_IP'];
+                    return sanitize_text_field($_SERVER['HTTP_CF_CONNECTING_IP']);
+                }
+            }
 …
             foreach ($likebtn_cf_ip_ranges as $range) {
                 if (_likebtn_ip_in_range($ip, $range)) {
                     return $_SERVER['HTTP_CF_CONNECTING_IP'];
+                    return sanitize_text_field($_SERVER['HTTP_CF_CONNECTING_IP']);
+                }
+            }
 …
     } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
         if (strpos($_SERVER['HTTP_X_FORWARDED_FOR'], ',') > 0) {
             $addr = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']);
+            $addr = explode(",", sanitize_text_field($_SERVER['HTTP_X_FORWARDED_FOR']));
             $x_ip = trim($addr[0]);
         } else {
             $x_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+            $x_ip = sanitize_text_field($_SERVER['HTTP_X_FORWARDED_FOR']);
+        }
         if ($x_ip != $_SERVER['SERVER_ADDR']) {
 …
+        }
     } else {
         $ip = $_SERVER['REMOTE_ADDR'];
+        $ip = sanitize_text_field($_SERVER['REMOTE_ADDR']);
+    }
 …
 function likebtn_build_sort_by($sort_by, $order)
+{
     parse_str($_SERVER['QUERY_STRING'], $args);
+    parse_str(sanitize_text_field($_SERVER['QUERY_STRING']), $args);
     $args['likebtn_sort_by'] = $sort_by;
     $args['likebtn_sort_by_order'] = $order;
 …
 function likebtn_get_script_name()
+{
     $script_name = $_SERVER['SCRIPT_NAME'];
+    $script_name = sanitize_text_field($_SERVER['SCRIPT_NAME']);
     if (!$script_name) {
         $script_name = $_SERVER['SCRIPT_URL'];
+        $script_name = sanitize_text_field($_SERVER['SCRIPT_URL']);
+    }
     if (!$script_name) {
         $script_name = $_SERVER['PHP_SELF'];
+        $script_name = sanitize_text_field($_SERVER['PHP_SELF']);
+    }
     return $script_name;
 …
 function likebtn_default_notify_text()
+{
     $text = <<<TEXT
+    $text = '
 New {vote_type} on {domain}
 …
 IP address: <a href="{vote_ip_url}">{vote_ip}</a>
 User: <a href="{user_url}">{user_login}</a> <small>(<a href="{user_votes_url}">view user votes</a>)</small>
 TEXT;
+';
     return $text;
+}
 …
         'error_message' => ''
     );
+    if (!is_array($options)) {
+        $options = array();
+    }
     if (!empty($options['likebtn_notify_to'])) {
 …
         return $return;
+    }
+    // Sanitize emails.
+    foreach ($to_emails as $i => $email) {
+        $to_emails[$i] = sanitize_email($email);
+    }
     if (!empty($options['likebtn_notify_from'])) {
         $from = $options['likebtn_notify_from'];
+        $from = sanitize_email($options['likebtn_notify_from']);
     } else {
         $from = get_option('likebtn_notify_from');
 …
     if (!empty($options['likebtn_notify_subject'])) {
         $subject = $options['likebtn_notify_subject'];
+        $subject = sanitize_text_field($options['likebtn_notify_subject']);
     } else {
         $subject = get_option('likebtn_notify_subject');
 …
     if (!empty($options['likebtn_notify_text'])) {
         $template = $options['likebtn_notify_text'];
+        $template = sanitize_textarea_field($options['likebtn_notify_text']);
     } else {
         $template = get_option('likebtn_notify_text');

likebtn-like-button/tags/2.6.44/templates/like-box.php

-                      r2719548
+                      r2721774
         <?php if ($text): ?>
             <div class="likebtn-likebox-txt">
                 <?php echo $text; ?>
+                <?php echo wp_kses($text, 'post'); ?>
             </div>
         <?php endif ?>
 …
         <?php foreach ($user_loop as $user): ?>
             <div class="likebtn-likebox-user" >
                 <a href="<?php echo $user['url']?>" title="<?php echo $user['name'] ?>" class="likebtn-likebox-lnk"><img width="32" height="32" alt="<?php echo $user['name'] ?>" class="avatar avatar-32 user-<?php echo $user['user_id']?>-avatar gravatar" src="<?php echo $user['avatar']?>"></a>
+                <a href="<?php echo esc_attr($user['url']) ?>" title="<?php echo esc_attr($user['name']) ?>" class="likebtn-likebox-lnk"><img width="32" height="32" alt="<?php echo esc_attr($user['name']) ?>" class="avatar avatar-32 user-<?php echo esc_attr($user['user_id']) ?>-avatar gravatar" src="<?php echo esc_attr($user['avatar']) ?>"></a>
             </div>
         <?php endforeach; ?>

likebtn-like-button/tags/2.6.44/templates/liked-by-user-widget.php

-                      r2719548
+                      r2721774
 <?php if (!empty($before_widget)): ?>
     <?php echo $before_widget; ?>
+    <?php echo wp_kses($before_widget, 'post'); ?>
 <?php endif ?>
 <?php if (!empty($title)): ?>
     <?php if (!empty($before_title)): ?>
         <?php echo $before_title; ?>
+        <?php echo wp_kses($before_title, 'post'); ?>
     <?php endif ?>
     <?php echo $title; ?>
+    <?php echo wp_kses($title, 'post'); ?>
     <?php if (!empty($after_title)): ?>
         <?php echo $after_title; ?>
+        <?php echo wp_kses($after_title, 'post'); ?>
     <?php endif ?>
 <?php endif ?>
 …
     <ul class="likebtn-mlw">
     <?php foreach ($post_loop as $post): ?>
         <li id="post-<?php echo $post['id'] ?>" class="likebtn-mlw-item" >
             <a href="<?php echo $post['link'] ?>" title="<?php echo $post['title'] ?>">
+        <li id="post-<?php echo esc_attr($post['id']) ?>" class="likebtn-mlw-item" >
+            <a href="<?php echo esc_attr($post['link']) ?>" title="<?php echo esc_attr($post['title']) ?>">
                 <?php if ($show_thumbnail): ?>
                     <?php if ('image/' == substr( $post['post_mime_type'], 0, 6 ) ): ?>
 …
                 <?php endif ?>
                 <div class="likebtn-mlw-title">
                     <?php echo $post['title'] ?><?php if ($show_likes || $show_dislikes): ?>&nbsp;<span class="likebtn-item-likes"><nobr>(
+                    <?php echo esc_html($post['title']) ?><?php if ($show_likes || $show_dislikes): ?>&nbsp;<span class="likebtn-item-likes"><nobr>(
                     <?php endif ?>
                     <?php echo $show_likes ? $post['likes'] : ''; ?>
+                    <?php echo $show_likes ? (int)$post['likes'] : ''; ?>
                     <?php if ($show_likes && $show_dislikes): ?>
+                        /
                     <?php endif ?>
                     <?php echo $show_dislikes ? $post['dislikes'] : ''; ?>
+                    <?php echo $show_dislikes ? (int)$post['dislikes'] : ''; ?>
                     <?php if ($show_likes || $show_dislikes): ?>
                         )</nobr></span>
 …
                     <small>/</small>
                 <?php endif ?>
                 <small class="likebtn-mlw-author"><i><?php echo $post['author_name'] ?></i></small>
+                <small class="likebtn-mlw-author"><i><?php echo esc_html($post['author_name']) ?></i></small>
             <?php endif ?>
             <?php if ($show_excerpt): ?>
                 <div class="likebtn-mlw-excerpt"><?php echo $post['excerpt'] ?></div>
+                <div class="likebtn-mlw-excerpt"><?php echo esc_html($post['excerpt']) ?></div>
             <?php endif ?>
             <?php if ($post['button_html']): ?>
                 <div class="likebtn-mlw-button"><?php echo $post['button_html']; ?></div>
+                <div class="likebtn-mlw-button"><?php echo wp_kses($post['button_html'], 'post'); ?></div>
             <?php endif ?>
             <?php if ($show_thumbnail || $show_excerpt): ?>
 …
 <?php if (!empty($after_widget)): ?>
     <?php echo $after_widget; ?>
+    <?php echo wp_kses($after_widget, 'post'); ?>
 <?php endif ?>

likebtn-like-button/tags/2.6.44/templates/most-liked-widget.php

-                      r2719548
+                      r2721774
 <?php if (!empty($before_widget)): ?>
     <?php echo $before_widget; ?>
+    <?php echo wp_kses($before_widget, 'post'); ?>
 <?php endif ?>
 <?php if (!empty($title)): ?>
     <?php if (!empty($before_title)): ?>
         <?php echo $before_title; ?>
+        <?php echo wp_kses($before_title, 'post'); ?>
     <?php endif ?>
     <?php echo $title; ?>
+    <?php echo wp_kses($title, 'post'); ?>
     <?php if (!empty($after_title)): ?>
         <?php echo $after_title; ?>
+        <?php echo wp_kses($after_title, 'post'); ?>
     <?php endif ?>
 <?php endif ?>
 …
     <ul class="likebtn-mlw">
     <?php foreach ($post_loop as $post): ?>
         <li id="post-<?php echo $post['id'] ?>" class="likebtn-mlw-item" >
             <a href="<?php echo $post['link'] ?>" title="<?php echo esc_attr($post['title']) ?>">
+        <li id="post-<?php echo esc_attr($post['id']) ?>" class="likebtn-mlw-item" >
+            <a href="<?php echo esc_attr($post['link']) ?>" title="<?php echo esc_attr($post['title']) ?>">
                 <?php if ($show_thumbnail): ?>
                     <?php if ('image/' == substr( $post['post_mime_type'], 0, 6 ) ): ?>
 …
                 <?php endif ?>
                 <div class="likebtn-mlw-title">
                     <?php echo $post['title'] ?><?php if ($show_likes || $show_dislikes): ?>&nbsp;<span class="likebtn-item-likes"><nobr>(
+                    <?php echo esc_html($post['title']) ?><?php if ($show_likes || $show_dislikes): ?>&nbsp;<span class="likebtn-item-likes"><nobr>(
                     <?php endif ?>
                     <?php echo $show_likes ? $post['likes'] : ''; ?>
+                    <?php echo $show_likes ? (int)$post['likes'] : ''; ?>
                     <?php if ($show_likes && $show_dislikes): ?>
+                        /
                     <?php endif ?>
                     <?php echo $show_dislikes ? $post['dislikes'] : ''; ?>
+                    <?php echo $show_dislikes ? (int)$post['dislikes'] : ''; ?>
                     <?php if ($show_likes || $show_dislikes): ?>
                         )</nobr></span>
 …
                     <small>/</small>
                 <?php endif ?>
                 <small class="likebtn-mlw-author"><i><?php echo $post['author_name'] ?></i></small>
+                <small class="likebtn-mlw-author"><i><?php echo esc_html($post['author_name']) ?></i></small>
             <?php endif ?>
             <?php if ($show_excerpt): ?>
                 <div class="likebtn-mlw-excerpt"><?php echo $post['excerpt'] ?></div>
+                <div class="likebtn-mlw-excerpt"><?php echo esc_html($post['excerpt']) ?></div>
             <?php endif ?>
             <?php if ($post['button_html']): ?>
                 <div class="likebtn-mlw-button"><?php echo $post['button_html']; ?></div>
+                <div class="likebtn-mlw-button"><?php echo wp_kses($post['button_html'], 'post'); ?></div>
             <?php endif ?>
             <?php if ($show_thumbnail || $show_excerpt): ?>
 …
 <?php if (!empty($after_widget)): ?>
     <?php echo $after_widget; ?>
+    <?php echo wp_kses($after_widget, 'post'); ?>
 <?php endif ?>

likebtn-like-button/tags/2.6.44/templates/um-liked-content.php

r2719548	r2721774
22	22	<i class="um-icon-ios-paper"></i>
23	23	<?php endif ?>
24		<a href="<?php echo ~~$post['link'] ?>"><?php echo $post['title']~~ ?></a>
	24	<a href="<?php echo esc_attr($post['link']) ?>"><?php echo esc_html($post['title']) ?></a>
25	25	</div>
26	26	<div class="um-item-meta">

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: