Changeset 2724522

Timestamp:

05/16/2022 11:33:17 AM (4 years ago)

Author:

pressmate

Message:

Security updates for plugin approval

Location:

makestories-helper/trunk

Files:

• api/media.php (modified) (1 diff)
• api/publish.php (modified) (9 diffs)
• api/widget.php (modified) (2 diffs)
• assets/images/default-poster.jpeg (added)
• basic-auth.php (modified) (1 diff)
• config.php (modified) (1 diff)
• helpers.php (modified) (1 diff)
• hooks.php (modified) (2 diffs)
• makestories.php (modified) (1 diff)
• pages/category-structure.php (modified) (4 diffs)
• pages/index.php (modified) (5 diffs)
• readme.txt (modified) (1 diff)
• shortcode.php (modified) (1 diff)
• taxonomy-ms_story_category.php (modified) (1 diff)
• templates/archive-stories.php (modified) (1 diff)
• templates/editor-footer.php (modified) (1 diff)
• templates/editor.php (modified) (1 diff)
• templates/listing-story-grid.php (modified) (3 diffs)
• templates/ms-single-post.php (modified) (3 diffs)
• templates/ms-single-widget.php (modified) (1 diff)
• templates/single-story.php (modified) (1 diff)

makestories-helper/trunk/api/media.php

@@ -10 +10 @@
         'post_status'    => 'inherit',
         'posts_per_page' => 30,
-        'paged' => isset($_REQUEST["page"]) ? $_REQUEST["page"] : 1,
+        'paged' => isset($_REQUEST["page"]) ? sanitize_text_field($_REQUEST["page"]) : 1,
     );
 
-    $toSearch = isset($_REQUEST["search"]) ? $_REQUEST["search"] : false;
+    $toSearch = isset($_REQUEST["search"]) ? sanitize_text_field($_REQUEST["search"]) : false;
 
     // Filter query clauses to include filenames.

makestories-helper/trunk/api/publish.php

@@ -10 +10 @@
     header("Content-Type: application/json");
     if((isset($_REQUEST["slug"]) || isset($_REQUEST["post_id"])) && isset($_REQUEST["story"])){
-        $storyId = $_REQUEST["story"];
-        $r = ms_get_story_HTML($_GET['story']);
+        $storyId = sanitize_text_field($_REQUEST["story"]);
+        $r = ms_get_story_HTML($storyId);
         $parsed = json_decode($r, true);
         $html = $parsed['html'];
@@ -17 +17 @@
 
         if(isset($_REQUEST['post_id'])) {
-            $post = get_post((int)$_REQUEST['post_id']);
+            $post = get_post((int)sanitize_text_field($_REQUEST['post_id']));
             if ($post && $post->post_status != 'trash') {
                 $post = $post->ID;
                 $toCreate = false;
 
-                $pages = $_REQUEST["slides"];
+                $pages = sanitize_text_field($_REQUEST["slides"]);
                 update_post_meta($post,"pages", $pages);
             } else {
@@ -28 +28 @@
             }
         }else{
-            $slug = $_REQUEST["slug"];
+            $slug = sanitize_text_field($_REQUEST["slug"]);
             $post = wp_insert_post([
                 "post_content" => $html,
@@ -38 +38 @@
 
             if ($post) {
-                $pages = $_REQUEST["slides"];
+                $pages = sanitize_text_field($_REQUEST["slides"]);
                 add_post_meta($post,"pages", $pages);
             }
@@ -116 +116 @@
             $category = ms_get_default_category();
             if(isset($_REQUEST['category']) && !empty($_REQUEST['category'])){
-                $category = $_REQUEST['category'];
+                $category = sanitize_text_field($_REQUEST['category']);
             }
             wp_set_post_terms($post, $category, MS_TAXONOMY);
         }
         $link = get_post_permalink($post);
-        $slug = $_REQUEST["slug"];
+        $slug = sanitize_text_field($_REQUEST["slug"]);
         wp_update_post([
             "post_content" => str_ireplace(MS_WORDPRESS_CANONICAL_SUBSTITUTION_PLACEHOLDER, $link, $html),
@@ -401 +401 @@
     ];
     if(isset($_REQUEST['story'])){
-        $storyId = $_REQUEST['story'];
-        $postType = $_REQUEST['post_type'];
-        $postKey = $_REQUEST['post_key'];
+        $storyId = sanitize_text_field($_REQUEST['story']);
+        $postType = sanitize_text_field($_REQUEST['post_type']);
+        $postKey = sanitize_text_field($_REQUEST['post_key']);
         $args = [
             "post_type" => $postType,
@@ -434 +434 @@
     ];
     if(isset($_REQUEST['story']) && isset($_REQUEST['post_id'])){
-        $storyId = $_REQUEST['story'];
-        $postId = $_REQUEST['post_id'];
+        $storyId = sanitize_text_field($_REQUEST['story']);
+        $postId = sanitize_text_field($_REQUEST['post_id']);
         $args = [
             "post_type" => MS_POST_TYPE,
@@ -465 +465 @@
     $media = [];
     if(isset($_REQUEST['post_id'])){
-        $postId = $_REQUEST['post_id'];
+        $postId = sanitize_text_field($_REQUEST['post_id']);
         $post = get_post($postId);
         $content = $post->post_content;
@@ -605 +605 @@
     if($_REQUEST['post'] && $_REQUEST['slug']){
         header("Content-Type: application/json");
-        $postId = $_REQUEST['post'];
-        $newTitle = $_REQUEST['slug'];
+        $postId = sanitize_text_field($_REQUEST['post']);
+        $newTitle = sanitize_text_field($_REQUEST['slug']);
         $post = get_post($postId);
         if($post){

makestories-helper/trunk/api/widget.php

@@ -10 +10 @@
     ms_protect_ajax_route();
     header("Content-Type: application/json");
-    if((isset($_REQUEST["widgetId"]) && isset($_REQUEST["widgetName"]) && isset($_REQUEST["container"])) && isset($_REQUEST["script"]) && isset($_REQUEST["type"]) && isset($_REQUEST['divId'])){
-        $widgetId = $_REQUEST["widgetId"];
-        $title = $_REQUEST["widgetName"];
-        $slug = $_REQUEST["slug"];
-        $container = $_REQUEST["container"];
-        $script = $_REQUEST["script"];
-        $jsBlock = $_REQUEST["scriptBlock"];
-        $type = $_REQUEST["type"];
-        $categories = $_REQUEST["tagsSelected"];
-        $design = $_REQUEST["designSelected"];
-        $divId = $_REQUEST['divId'];
+    if(
+        isset($_REQUEST["widgetId"]) &&
+        isset($_REQUEST["widgetName"]) &&
+        isset($_REQUEST["container"]) &&
+        isset($_REQUEST["script"]) &&
+        isset($_REQUEST["type"]) &&
+        isset($_REQUEST['divId'])
+    ){
+        $widgetId = sanitize_text_field($_REQUEST["widgetId"]);
+        $title = sanitize_text_field($_REQUEST["widgetName"]);
+        $slug = sanitize_text_field($_REQUEST["slug"]);
+        $container = sanitize_text_field($_REQUEST["container"]);
+        $script = sanitize_text_field($_REQUEST["script"]);
+        $jsBlock = sanitize_text_field($_REQUEST["scriptBlock"]);
+        $type = sanitize_text_field($_REQUEST["type"]);
+        $categories = sanitize_text_field($_REQUEST["tagsSelected"]);
+        $design = sanitize_text_field($_REQUEST["designSelected"]);
+        $divId = sanitize_text_field($_REQUEST['divId']);
 
         if(isset($_REQUEST['widgetPostId'])) {
-            $post_id = get_post((int)$_REQUEST['widgetPostId']);
+            $widgetPostId = (int)sanitize_text_field($_REQUEST['widgetPostId']);
+            $post_id = get_post($widgetPostId);
             if ($post_id && $post_id->post_status != 'trash') {
                 $post_id = $post_id->ID;
@@ -48 +56 @@
             }
         } else {
-            $slug = $_REQUEST["slug"];
+            $slug = sanitize_text_field($_REQUEST["slug"]);
             $post_id = wp_insert_post([
                 "post_content" => $container,

makestories-helper/trunk/basic-auth.php

@@ -11 +11 @@
         return $user;
     }
-    $username = $_SERVER['PHP_AUTH_USER'];
-    $password = $_SERVER['PHP_AUTH_PW'];
+    $username = sanitize_text_field($_SERVER['PHP_AUTH_USER']);
+    $password = sanitize_text_field($_SERVER['PHP_AUTH_PW']);
     /**
      * In multi-site, wp_authenticate_spam_check filter is run on authentication. This filter calls

makestories-helper/trunk/config.php

@@ -89 +89 @@
     "storyasset.link",
 ]);
+
+define("MS_PLUGIN_BASE_FILE_PATH", plugin_dir_path( __DIR__ ));

makestories-helper/trunk/helpers.php

@@ -75 +75 @@
     $options['categories_enabled'] = isset($_POST['categories_enabled']);
     if(isset($_POST['post_slug'])){
-        $options['post_slug'] = $_POST['post_slug'];
+        $options['post_slug'] = sanitize_text_field($_POST['post_slug']);
     }
     if(isset($_POST['default_category'])){
-        $options['default_category'] = $_POST['default_category'];
+        $options['default_category'] = sanitize_text_field($_POST['default_category']);
     }
     if(isset($_POST['roles']) && is_array($_POST['roles'])){
-        $options['roles'] = $_POST['roles'];
+        $options['roles'] = sanitize_text_field($_POST['roles']);
     }
     $options['to_rewrite'] = true;

makestories-helper/trunk/hooks.php

@@ -248 +248 @@
 // Load more stories using ajax
 function mscpt_more_post_ajax(){
-    $offset = $_POST["offset"];
-    $ppp = $_POST["ppp"];
+    $offset = sanitize_text_field($_POST["offset"]);
+    $ppp = sanitize_text_field($_POST["ppp"]);
 
     // header("Content-Type: text/html");
@@ -297 +297 @@
 //function to reinitialize story player class
 function mscpt_load_post_data_ajax() {
-    $offset = $_POST["offset"];
-    $ppp = $_POST["ppp"];
+    $offset = sanitize_text_field($_POST["offset"]);
+    $ppp = sanitize_text_field($_POST["ppp"]);
 
     header("Content-Type: text/html");

makestories-helper/trunk/makestories.php

@@ -4 +4 @@
 Plugin URI:     https://makestories.io/official-wordpress-webstories-plugin/
 Description:    The leading Google Web Stories Editor is now available to create Stories in WordPress. It is easy to use, allows for extensive customization, and is adaptive for future changes.
-Version:        2.6.4
+Version:        2.6.5
 Author:         MakeStories Team
 Author URI:     https://makestories.io

makestories-helper/trunk/pages/category-structure.php

@@ -8 +8 @@
     // Check if the form is submitted 
     if ( isset( $_POST['category'] ) ) {
-        $category = $_POST['category'];
+        $category = sanitize_text_field($_POST['category']);
         
         wp_insert_term(
@@ -34 +34 @@
                 <th scope="row"><label for="slug">Slug</label></th>
                 <td>
-                    <input id="slug" type="text" name="post_slug" value="<?php if($options['post_slug']){ echo $options['post_slug']; } ?>" class="regular-text">
+                    <input id="slug" type="text" name="post_slug" value="<?php if($options['post_slug']){ echo esc_html($options['post_slug']); } ?>" class="regular-text">
                 </td>
             </tr>
@@ -59 +59 @@
                         ]);
                         foreach($categories as $category) { ?>
-                            <option <?php if($selected === $category->name){ echo "selected"; } ?> value="<?php echo $category->name; ?>"><?php echo $category->name; ?></option>
+                            <option <?php if($selected === $category->name){ echo "selected"; } ?> value="<?php echo esc_attr($category->name); ?>"><?php echo esc_html($category->name); ?></option>
                             <?php
                         }
@@ -77 +77 @@
                         <?php
                         foreach($roleNames as $role => $roleName) { ?>
-                            <label for="role_input_<?php echo $role; ?>">
-                                <input name="roles[]" type="checkbox" id="role_input_<?php echo $role; ?>" value="<?php echo $role; ?>"  <?php if(in_array($role, $options['roles'])){ echo "checked"; } ?>>
-                                <?php echo $roleName; ?></label>
+                            <label for="role_input_<?php echo esc_html($role); ?>">
+                                <input name="roles[]" type="checkbox" id="role_input_<?php echo esc_html($role); ?>" value="<?php echo esc_html($role); ?>"  <?php if(in_array($role, $options['roles'])){ echo "checked"; } ?>>
+                                <?php echo esc_html($roleName); ?></label>
                             <br>
                             <?php

makestories-helper/trunk/pages/index.php

@@ -58 +58 @@
 function mscpt_amp_story_load_editor(){
     if(is_admin() && isset($_GET['page'])){
-        $pagenow = $_GET['page'];
+        $pagenow = sanitize_text_field($_GET['page']);
         if($pagenow === MS_ROUTING['EDITOR']['slug']){
-            $subpage = isset($_GET['mspage']) ? $_GET['mspage'] : "homepage";
+            $subpage = isset($_GET['mspage']) ? sanitize_text_field($_GET['mspage']) : "homepage";
             if($subpage === "preview" && isset($_GET['story'])){
-                $r = ms_get_story_HTML($_GET['story']);
+                $r = ms_get_story_HTML(sanitize_text_field($_GET['story']));
                 $parsed = json_decode($r, true);
                 if(is_array($parsed) && isset($parsed['html'])){
-                    echo $parsed['html'];
+                    echo esc_html($parsed['html']);
                     die();
                 }
@@ -74 +74 @@
 
 function ms_editor_contents() {
-    $subpage = isset($_GET['mspage']) ? $_GET['mspage'] : "homepage";
+    $subpage = isset($_GET['mspage']) ? sanitize_text_field($_GET['mspage']) : "homepage";
     require_once(MS_PLUGIN_BASE_PATH."/templates/editor.php");
 //    die();
@@ -84 +84 @@
 function ms_folded_menu($classes){
     if(is_admin() && isset($_GET['page'])){
-        $pagenow = $_GET['page'];
+        $pagenow = sanitize_text_field($_GET['page']);
         if($pagenow === MS_ROUTING['EDITOR']['slug']){
             return $classes." folded";
@@ -95 +95 @@
 function isMSEditorPage(){
     if(is_admin() && isset($_GET['page'])){
-        $pagenow = $_GET['page'];
+        $pagenow = sanitize_text_field($_GET['page']);
         return $pagenow === MS_ROUTING['EDITOR']['slug'];
     }
@@ -112 +112 @@
     if(isMSEditorPage()){
         require_once(MS_PLUGIN_BASE_PATH."/templates/editor-footer.php");
+        wp_enqueue_script("ms_manifest_script_url", MS_MANIFEST_SCRIPT_URL, [], false, true);
+        wp_enqueue_script("ms_vendor_script_url", MS_VENDOR_SCRIPT_URL, [], false, true);
+        wp_enqueue_script("ms_main_script_url", MS_MAIN_SCRIPT_URL, [], false, true);
     }
 }

makestories-helper/trunk/readme.txt

@@ -4 +4 @@
 Requires at least: 4.0
 Tested up to: 5.9.3
+Stable tag: 2.6.5
 Requires PHP: 5.6
 

makestories-helper/trunk/shortcode.php

@@ -14 +14 @@
     <section class="default-stories">
     <?php if ($postCount > 0) { ?>
-    <div id="ajax-posts" class="stories-group" data-posts="<?php echo $default_posts_per_page; ?>" data-ajax="<?php echo $getAjaxUrl; ?>" class="row">
+    <div id="ajax-posts" class="stories-group" data-posts="<?php echo esc_attr($default_posts_per_page); ?>" data-ajax="<?php echo esc_attr($getAjaxUrl); ?>" class="row">
         <?php
         $postsPerPage = $default_posts_per_page;

makestories-helper/trunk/taxonomy-ms_story_category.php

@@ -20 +20 @@
 ?>
 <section class="default-stories">
-    <h3><?php $term = get_term($int_cat,MS_TAXONOMY); echo $term->name; ?></h3>
+    <h3><?php $term = get_term($int_cat,MS_TAXONOMY); echo esc_html($term->name); ?></h3>
     <div class="stories-group">
         <?php

makestories-helper/trunk/templates/archive-stories.php

@@ -8 +8 @@
 <section class="default-stories">
     <?php if ($postCount > 0) { ?>
-    <div id="ajax-posts" class="stories-group" data-posts="<?php echo $default_posts_per_page; ?>" data-ajax="<?php echo $getAjaxUrl; ?>" class="row">
+    <div id="ajax-posts" class="stories-group" data-posts="<?php echo esc_attr($default_posts_per_page); ?>" data-ajax="<?php echo esc_attr($getAjaxUrl); ?>" class="row">
         <?php
         $postsPerPage = $default_posts_per_page;

makestories-helper/trunk/templates/editor-footer.php

@@ -28 +28 @@
     })();
 </script>
-<script src="<?php echo MS_MANIFEST_SCRIPT_URL ?>"></script>
-<script src="<?php echo MS_VENDOR_SCRIPT_URL ?>"></script>
-<script src="<?php echo MS_MAIN_SCRIPT_URL ?>"></script>

makestories-helper/trunk/templates/editor.php

@@ -11 +11 @@
     ?>
     const msWPConfig = {
-        wpBaseUrl: '<?php echo get_site_url(""); ?>',
-        currentPage: "<?php echo $subpage; ?>",
-        wpAdminBaseURL: '<?php echo MS_WP_ADMIN_BASE_URL; ?>',
+        wpBaseUrl: '<?php echo esc_html(get_site_url("")); ?>',
+        currentPage: "<?php echo esc_html($subpage); ?>",
+        wpAdminBaseURL: '<?php echo esc_html(MS_WP_ADMIN_BASE_URL); ?>',
         adminAjaxUrl: '<?php echo admin_url('admin-ajax.php') ?>',
-        cpt: "<?php echo MS_POST_TYPE; ?>",
-        wpStoriesBaseURL: '<?php echo $baseUrl; ?>',
+        cpt: "<?php echo esc_html(MS_POST_TYPE); ?>",
+        wpStoriesBaseURL: '<?php echo esc_html($baseUrl); ?>',
         wpNonce: '<?php echo wp_create_nonce(MS_NONCE_REFERRER) ?>',
-        wpUser: '<?php echo $user->ID; ?>',
-        wpEmail: '<?php echo $user->user_email; ?>',
-        wpUsername: '<?php echo $user->first_name." ".$user->last_name; ?>',
+        wpUser: '<?php echo esc_html($user->ID); ?>',
+        wpEmail: '<?php echo esc_html($user->user_email); ?>',
+        wpUsername: '<?php echo esc_html($user->first_name." ".$user->last_name); ?>',
         isCategoriesEnabled: <?php echo ms_is_categories_enabled() ? "true" : "false"; ?>,
         adminPublishPost: '<?php echo admin_url( 'edit.php?post_type=' . MS_POST_TYPE ); ?>',

makestories-helper/trunk/templates/listing-story-grid.php

@@ -15 +15 @@
     }
     ?>
-        <div class="story-thumb-card card <?php echo $getClassNames[$index]; ?>" data-story-url="<?php echo $permalink; ?>">
+        <div class="story-thumb-card card <?php echo esc_attr($getClassNames[$index]); ?>" data-story-url="<?php echo esc_attr($permalink); ?>">
             <div class="cardin">
                 <div class="cardimage">
                     <?php if ($index%8<=1) { ?>
                         <?php if ($posterLandscape) { ?>
-                            <img src="<?php echo $posterLandscape ?>" alt="Avatar"  class="story-img" />
+                            <img src="<?php echo esc_attr($posterLandscape) ?>" alt="Avatar"  class="story-img" />
                         <?php } else { ?>
-                            <img src="https://www.onl.st/dev-stamps/default.jpeg" alt="Avatar-def-one" class="story-img" />
+                            <img src="<?php echo MS_PLUGIN_BASE_FILE_PATH."assets/images/default-poster.jpeg" ?>" alt="Poster Image" class="story-img" />
                         <?php
                                 }
@@ -30 +30 @@
                     <?php if ($index%8 > 1 && $index%8 < 8) { ?>
                         <?php if ($posterLandscape) { ?>
-                            <img src="<?php echo $posterLandscape ?>" alt="Avatar"  class="story-img" />
+                            <img src="<?php echo esc_attr($posterLandscape) ?>" alt="Avatar"  class="story-img" />
                         <?php } else { ?>
-                            <img src="https://www.onl.st/dev-stamps/default.jpeg" alt="Avatar-def-one" class="story-img" />
+                            <img src="<?php echo MS_PLUGIN_BASE_FILE_PATH."assets/images/default-poster.jpeg" ?>" alt="Poster Image" class="story-img" />
                         <?php
                             }
@@ -39 +39 @@
                 </div>
                 <div class="container">
-                    <p><?php echo $publishDate; ?></p>
-                    <h2><?php echo $title; ?></h2>
+                    <p><?php echo esc_html($publishDate); ?></p>
+                    <h2><?php echo esc_html($title); ?></h2>
                 </div>
             </div>

makestories-helper/trunk/templates/ms-single-post.php

@@ -6 +6 @@
 </div> -->
 <?php $index = 0; ?>
-<div class="story-thumb-card card bigmiddleStory" data-story-url="<?php echo $permalink; ?>">
+<div class="story-thumb-card card bigmiddleStory" data-story-url="<?php echo esc_url($permalink); ?>">
             <div class="cardin">
                 <div class="cardimage">
                     <?php if ($index%8<=1) { ?>
                         <?php if ($posterLandscape) { ?>
-                            <img src="<?php echo $posterLandscape ?>" alt="Avatar"  class="story-img" />
+                            <img src="<?php echo esc_attr($posterLandscape) ?>" alt="Avatar"  class="story-img" />
                         <?php } else { ?>
-                            <img src="https://www.onl.st/dev-stamps/default.jpeg" alt="Avatar-def-one" class="story-img" />
+                            <img src="<?php echo MS_PLUGIN_BASE_FILE_PATH."assets/images/default-poster.jpeg" ?>" alt="Poster Image" class="story-img" />
                         <?php
                                 }
@@ -21 +21 @@
                     <?php if ($index%8 > 1 && $index%8 < 8) { ?>
                         <?php if ($posterLandscape) { ?>
-                            <img src="<?php echo $posterLandscape ?>" alt="Avatar"  class="story-img" />
+                            <img src="<?php echo esc_attr($posterLandscape) ?>" alt="Avatar"  class="story-img" />
                         <?php } else { ?>
-                            <img src="https://www.onl.st/dev-stamps/default.jpeg" alt="Avatar-def-one" class="story-img" />
+                            <img src="<?php echo MS_PLUGIN_BASE_FILE_PATH."assets/images/default-poster.jpeg" ?>" alt="Poster Image" class="story-img" />
                         <?php
                             }
@@ -30 +30 @@
                 </div>
                 <div class="container">
-                    <p><?php echo $publishDate; ?></p>
-                    <h2><?php echo $title; ?></h2>
+                    <p><?php echo esc_html($publishDate); ?></p>
+                    <h2><?php echo esc_html($title); ?></h2>
                 </div>
             </div>

makestories-helper/trunk/templates/ms-single-widget.php

@@ -24 +24 @@
 
         //print the player code
-        echo $scriptNew;
-        echo $div;
+        echo esc_js($scriptNew);
+        echo esc_html($div);
     ?>
 </div>

makestories-helper/trunk/templates/single-story.php

@@ -1 +1 @@
 <div class="story-thumb">
-    <a href="<?php echo $permalink; ?>" target="_blank">
+    <a href="<?php echo esc_url($permalink); ?>" target="_blank">
         <figure>
-            <img src="<?php echo $posterImage ?>" />
+            <img src="<?php echo esc_attr($posterImage) ?>" />
         </figure>
         <div class="bottom-text">
-            <h3><?php echo $title; ?></h3>
-            <p><?php echo $publishDate; ?></p>
+            <h3><?php echo esc_html($title); ?></h3>
+            <p><?php echo esc_html(publishDate); ?></p>
         </div>
     </a>