Changeset 2973108

Timestamp:

09/29/2023 07:02:10 PM (2 years ago)

Author:

RobertPHeller

Message:

Sanitize and Escape everything.

Location:

weblibrarian/trunk

Files:

• WebLibrarian.php (modified) (8 diffs)
• includes/WEBLIB_Collection_Admin.php (modified) (35 diffs)
• includes/WEBLIB_PatronRecord_Admin.php (modified) (9 diffs)
• includes/WEBLIB_Statistics_Admin.php (modified) (2 diffs)
• includes/WEBLIB_Users_Admin.php (modified) (3 diffs)
• includes/admin_page_classes.php (modified) (5 diffs)
• readme.txt (modified) (1 diff)

weblibrarian/trunk/WebLibrarian.php

@@ -4 +4 @@
  * Plugin URI: http://www.deepsoft.com/WebLibrarian
  * Description: A plugin that implements a web-based library catalog and circulation System
- * Version: 3.5.8.3
+ * Version: 3.5.8.4
  * Author: Robert Heller
  * Author URI: http://www.deepsoft.com/
@@ -284 +284 @@
     // AJAX callbacks
     function UpdatePatronID() {
-      $userid = $_REQUEST['userid'];
-      $patronid = $_REQUEST['patronid'];
+      $userid = sanitize_text_field($_REQUEST['userid']);
+      $patronid = sanitize_text_field($_REQUEST['patronid']);
       $xml_response = '<?xml version="1.0" ?>';
 
@@ -313 +313 @@
         wp_die( __('You do not have sufficient permissions to access this page.','weblibrarian') );
       }
-      $searchname = $_REQUEST['searchname'];
+      $searchname = sanitize_text_field($_REQUEST['searchname']);
       $xml_response = '<?xml version="1.0" ?>';
 
@@ -341 +341 @@
     }
     function PlaceHoldOnItem() {
-      $barcode = $_REQUEST['barcode'];
+      $barcode = sanitize_text_field($_REQUEST['barcode']);
       $xml_response = '<?xml version="1.0" ?>';
 
       if (current_user_can('manage_circulation') && isset($_REQUEST['patronid'])) {
-        $patronid = $_REQUEST['patronid'];
+        $patronid = sanitize_text_field($_REQUEST['patronid']);
       } else {
         $patronid = get_user_meta(wp_get_current_user()->ID,'PatronID',true);
@@ -399 +399 @@
     }
     function RenewItem() {
-      $barcode = $_REQUEST['barcode'];
+      $barcode = sanitize_text_field($_REQUEST['barcode']);
       $xml_response = '<?xml version="1.0" ?>';
 
@@ -492 +492 @@
           if ( isset($content_func) && is_string($content_func) )
           do_action( "admin_head_{$content_func}" );
-          $tab = isset($_REQUEST['tab'])?$_REQUEST['tab']:'links';
+          $tab = isset($_REQUEST['tab'])?sanitize_text_field($_REQUEST['tab']):'links';
           
       ?></head>
@@ -552 +552 @@
         wp_die("Opps too late");
       }
-      $dataselection = $_REQUEST['dataselection'];
+      $dataselection = sanitize_text_field($_REQUEST['dataselection']);
       
       //file_put_contents("php://stderr","*** WebLibrarian::ExportLibraryData: dataselection = $dataselection\n");
@@ -608 +608 @@
       }
       
-      $year  = isset( $_REQUEST['year'] )  ? $_REQUEST['year']  : date('Y',time());
-      $month = isset( $_REQUEST['month'] ) ? $_REQUEST['month'] : date('m',time());
+      $year  = isset( $_REQUEST['year'] )  ? sanitize_text_field($_REQUEST['year'])  : date('Y',time());
+      $month = isset( $_REQUEST['month'] ) ? sanitize_text_field($_REQUEST['month']) : date('m',time());
       $MonthNames = 
       array('Month Totals','January','February','March','April','May','June',

weblibrarian/trunk/includes/WEBLIB_Collection_Admin.php

@@ -51 +51 @@
   }
   function search_box($text, $input_id) {
-    if ( empty( $_REQUEST['s'] ) && !$this->has_items() ) return;
+    if ( empty( sanitize_text_field($_REQUEST['s']) ) && !$this->has_items() ) return;
 
     $input_id = $input_id . '-search-input';
 
-    if ( ! empty( $_REQUEST['orderby'] ) )
-      echo '<input type="hidden" name="orderby" value="' . esc_attr( $_REQUEST['orderby'] ) . '" />';
-    if ( ! empty( $_REQUEST['order'] ) )
-      echo '<input type="hidden" name="order" value="' . esc_attr( $_REQUEST['order'] ) . '" />';
-    $field = isset ($_REQUEST['f']) ? $_REQUEST['f'] : 'title';
+    if ( ! empty( sanitize_text_field($_REQUEST['orderby']) ) )
+      echo '<input type="hidden" name="orderby" value="' . esc_attr( sanitize_text_field($_REQUEST['orderby']) ) . '" />';
+    if ( ! empty( sanitize_text_field($_REQUEST['order']) ) )
+      echo '<input type="hidden" name="order" value="' . esc_attr( sanitize_text_field($_REQUEST['order']) ) . '" />';
+    $field = isset ($_REQUEST['f']) ? sanitize_text_field($_REQUEST['f']) : 'title';
 ?>
 <p class="search-box">
@@ -70 +70 @@
              'ISBN'  => 'isbn',
              'Keyword' => 'keyword') as $l => $f) {
-        ?><option value="<?php echo $f; ?>"<?php
+        ?><option value="<?php echo esc_attr($f); ?>"<?php
           if ($f == $field) {echo ' selected="selected"';}
         ?>><?php echo $l; ?></option>
@@ -165 +165 @@
 
   function column_cb ($item) {
-    return '<input type="checkbox" name="checked[]" value="'.$item.'" />';
+    return '<input type="checkbox" name="checked[]" value="'.esc_attr($item).'" />';
   }
   function column_title ($item) {
@@ -181 +181 @@
                         admin_url('admin.php')).'">'.
         __('View','weblibrarian')."</a>",
-    'delete' => '<a href="'.add_query_arg(array('page' => $_REQUEST['page'],
+    'delete' => '<a href="'.add_query_arg(array('page' => sanitize_text_field($_REQUEST['page']),
                             'action' => 'delete',
                           'barcode' => $item),
@@ -208 +208 @@
   function current_action() {
     
-    if ( isset( $_REQUEST['action'] ) && -1 != $_REQUEST['action'] )
-      return $_REQUEST['action'];
-
-    if ( isset( $_REQUEST['action2'] ) && -1 != $_REQUEST['action2'] )
-      return $_REQUEST['action2'];
+    if ( isset( $_REQUEST['action'] ) && -1 != sanitize_text_field($_REQUEST['action']) )
+      return sanitize_text_field($_REQUEST['action']);
+
+    if ( isset( $_REQUEST['action2'] ) && -1 != sanitize_text_field($_REQUEST['action2']) )
+      return sanitize_text_field($_REQUEST['action2']);
   }
 
@@ -220 +220 @@
     switch ($action) {
       case 'delete':
-    if ( isset($_REQUEST['checked']) && !empty($_REQUEST['checked'])) {
-      foreach ( $_REQUEST['checked'] as $thebarcode ) {
+    if ( isset($_REQUEST['checked']) && !empty(sanitize_text_field($_REQUEST['checked']))) {
+      foreach ( sanitize_text_field($_REQUEST['checked']) as $thebarcode ) {
         WEBLIB_ItemInCollection::DeleteItemByBarCode($thebarcode);
         WEBLIB_ItemInCollection::DeleteKeywordsByBarCode($thebarcode);
       }
     } else if ( isset($_REQUEST['barcode']) ) {
-      WEBLIB_ItemInCollection::DeleteItemByBarCode($_REQUEST['barcode']);
-      WEBLIB_ItemInCollection::DeleteKeywordsByBarCode($_REQUEST['barcode']);
+      WEBLIB_ItemInCollection::DeleteItemByBarCode(sanitize_text_field($_REQUEST['barcode']));
+      WEBLIB_ItemInCollection::DeleteKeywordsByBarCode(sanitize_text_field($_REQUEST['barcode']));
     }     
     break;
@@ -255 +255 @@
     $this->process_bulk_action();
 
-    $search = isset( $_REQUEST['s'] ) ? $_REQUEST['s'] : '';
-    $field  = isset( $_REQUEST['f'] ) ? $_REQUEST['f'] : 'title';
-    $orderby = isset( $_REQUEST['orderby'] ) ? $_REQUEST['orderby'] : 'barcode';
+    $search = isset( $_REQUEST['s'] ) ? sanitize_text_field($_REQUEST['s']) : '';
+    $field  = isset( $_REQUEST['f'] ) ? sanitize_text_field($_REQUEST['f']) : 'title';
+    $orderby = isset( $_REQUEST['orderby'] ) ? sanitize_text_field($_REQUEST['orderby']) : 'barcode';
     if ( empty( $orderby ) ) $orderby = 'barcode';
-    $order = isset( $_REQUEST['order'] ) ? $_REQUEST['order'] : 'ASC';
+    $order = isset( $_REQUEST['order'] ) ? sanitize_text_field($_REQUEST['order']) : 'ASC';
     if ( empty( $order ) ) $order = 'ASC';
 
@@ -350 +350 @@
       $item    = $this->getitemfromform('');
       if ($message == '') {
-    $barcode = isset($_REQUEST['barcode']) ? $_REQUEST['barcode'] : '';
+    $barcode = isset($_REQUEST['barcode']) ? sanitize_text_field($_REQUEST['barcode']) : '';
     $newbarcode  = $item->store($barcode);
     $keywords = $this->getkeywordsfromform();
@@ -370 +370 @@
     } else if ( isset($_REQUEST['updateitem']) && 
         isset($_REQUEST['barcode']) ) {
-      $message = $this->checkiteminform($_REQUEST['barcode']);
-      $item    = $this->getitemfromform($_REQUEST['barcode']);
+      $message = $this->checkiteminform(sanitize_text_field($_REQUEST['barcode']));
+      $item    = $this->getitemfromform(sanitize_text_field($_REQUEST['barcode']));
       if ($message == '') {
     $item->store();
@@ -392 +392 @@
       $this->viewkeywords = $item->keywordsof();
     } else {
-      $this->viewmode = isset($_REQUEST['mode']) ? $_REQUEST['mode'] : 'add';
-      $this->viewbarcode = isset($_REQUEST['barcode']) ? $_REQUEST['barcode'] : '';
+      $this->viewmode = isset($_REQUEST['mode']) ? sanitize_text_field($_REQUEST['mode']) : 'add';
+      $this->viewbarcode = isset($_REQUEST['barcode']) ? sanitize_text_field($_REQUEST['barcode']) : '';
       switch ($this->viewmode) {
     case 'edit':
@@ -438 +438 @@
     if ( isset($_REQUEST['paged']) ) {
       $paged = sanitize_text_field($_REQUEST['paged']);
-      ?><input type="hidden" name="paged" value="<?php echo $paged; ?>" /><?php
+      ?><input type="hidden" name="paged" value="<?php echo esc_attr($paged); ?>" /><?php
     }
     if ( isset($_REQUEST['screen-options-apply']) ) {
       $screenopts = sanitize_text_field($_REQUEST['screen-options-apply']);
-      ?><input type="hidden" name="screen-options-apply" value="<?php echo $screenopts; ?>" /><?php
+      ?><input type="hidden" name="screen-options-apply" value="<?php echo esc_attr($screenopts); ?>" /><?php
     }
     if ( isset($_REQUEST['wp_screen_options']['option']) ) {
       $wpscreenoptsopt = sanitize_text_field($_REQUEST['wp_screen_options']['option']);
-      ?><input type="hidden" name="wp_screen_options[option]" value="<?php echo $wpscreenoptsopt; ?>" /><?php
+      ?><input type="hidden" name="wp_screen_options[option]" value="<?php echo esc_attr($wpscreenoptsopt); ?>" /><?php
     }
     if ( isset($_REQUEST['wp_screen_options']['value']) ) {
       $wpscreenoptsval = sanitize_text_field($_REQUEST['wp_screen_options']['value']);
-      ?><input type="hidden" name="wp_screen_options[value]" value="<?php echo $wpscreenoptsval; ?>" /><?php
+      ?><input type="hidden" name="wp_screen_options[value]" value="<?php echo esc_attr($wpscreenoptsval); ?>" /><?php
     }
     if ($this->viewmode == 'view') {
@@ -464 +464 @@
                    style="width:75%;"
                    maxlength="16"
-                   value="<?php echo stripslashes($this->viewbarcode); ?>"<?php
+                   value="<?php echo esc_attr(stripslashes($this->viewbarcode)); ?>"<?php
                    if ($this->viewmode != 'add') {
                      echo ' readonly="readonly"';
@@ -474 +474 @@
            style="width:75%;"
            maxlength="128"
-           value="<?php echo stripslashes($this->viewitem->title()); ?>"<?php echo $ro; ?> /></td></tr>
+           value="<?php echo esc_attr(stripslashes($this->viewitem->title())); ?>"<?php echo $ro; ?> /></td></tr>
       <tr valign="top">
     <th scope="row"><label for="itemauthor" style="width:20%;"><?php _e('Author:','weblibrarian'); ?></label></th>
@@ -481 +481 @@
            style="width:75%;"
            maxlength="64"
-           value="<?php echo stripslashes($this->viewitem->author()); ?>"<?php echo $ro; ?> /></td></tr>
+           value="<?php echo esc_attr(stripslashes($this->viewitem->author())); ?>"<?php echo $ro; ?> /></td></tr>
       <tr valign="top">
     <th scope="row"><label for="subject" style="width:20%;"><?php _e('Subject:','weblibrarian'); ?></label></th>
@@ -488 +488 @@
            style="width:75%;"
            maxlength="128"
-           value="<?php echo stripslashes($this->viewitem->subject()); ?>"<?php echo $ro; ?> /></td></tr>
+           value="<?php echo esc_attr(stripslashes($this->viewitem->subject())); ?>"<?php echo $ro; ?> /></td></tr>
       <tr valign="top">
     <th scope="row"><label for="description" style="width:20%;"><?php _e('Description:','weblibrarian'); ?></label></th>
@@ -495 +495 @@
               style="width:75%);"
               rows="5" cols="64"
-              <?php echo $ro; ?>><?php echo stripslashes($this->viewitem->description()); ?></textarea></td></tr>
+              <?php echo $ro; ?>><?php echo esc_attr(stripslashes($this->viewitem->description())); ?></textarea></td></tr>
       <tr valign="top">
     <th scope="row"><label for="itemcategory" style="width:20%;"><?php _e('Category:','weblibrarian'); ?></label></th>
@@ -502 +502 @@
            style="width:75%;"
            maxlength="36"
-           value="<?php echo stripslashes($this->viewitem->category()); ?>"<?php echo $ro; ?> /></td></tr>
+           value="<?php echo esc_attr(stripslashes($this->viewitem->category())); ?>"<?php echo $ro; ?> /></td></tr>
       <tr valign="top">
     <th scope="row"><label for="media" style="width:20%;"><?php _e('Media:','weblibrarian'); ?></label></th>
@@ -509 +509 @@
            style="width:75%;"
            maxlength="36"
-           value="<?php echo stripslashes($this->viewitem->media()); ?>"<?php echo $ro; ?> /></td></tr>
+           value="<?php echo esc_attr(stripslashes($this->viewitem->media())); ?>"<?php echo $ro; ?> /></td></tr>
       <tr valign="top">
     <th scope="row"><label for="publisher" style="width:20%;"><?php _e('Publisher:','weblibrarian'); ?></label></th>
@@ -523 +523 @@
            style="width:75%;"
            maxlength="36"
-           value="<?php echo stripslashes($this->viewitem->publocation()); ?>"<?php echo $ro; ?> /></td></tr>
+           value="<?php echo esc_attr(stripslashes($this->viewitem->publocation())); ?>"<?php echo $ro; ?> /></td></tr>
       <tr valign="top">
     <th scope="row"><label for="pubdate" style="width:20%;"><?php _e('Publish Date:','weblibrarian'); ?></label></th>
@@ -530 +530 @@
            style="width:75%;"
            maxlength="40"
-           value="<?php echo $this->viewitem->pubdate(); ?>"<?php echo $ro; ?> /></td></tr>
+           value="<?php echo esc_attr($this->viewitem->pubdate()); ?>"<?php echo $ro; ?> /></td></tr>
       <tr valign="top">
     <th scope="row"><label for="edition" style="width:20%;"><?php _e('Edition:','weblibrarian'); ?></label></th>
@@ -537 +537 @@
            style="width:75%;"
            maxlength="36"
-           value="<?php echo stripslashes($this->viewitem->edition()); ?>"<?php echo $ro; ?> /></td></tr>
+           value="<?php echo esc_attr(stripslashes($this->viewitem->edition())); ?>"<?php echo $ro; ?> /></td></tr>
       <tr valign="top">
     <th scope="row"><label for="isbn" style="width:20%;"><?php _e('ISBN:','weblibrarian'); ?></label></th>
@@ -544 +544 @@
            style="width:75%;"
            maxlength="20"
-           value="<?php echo stripslashes($this->viewitem->isbn()); ?>"<?php echo $ro; ?> /></td></tr>
+           value="<?php echo esc_attr(stripslashes($this->viewitem->isbn())); ?>"<?php echo $ro; ?> /></td></tr>
       <tr valign="top">
     <th scope="row"><label for="type" style="width:20%;"><?php _e('Type:','weblibrarian'); ?></label></th>
@@ -552 +552 @@
              name="type" 
              style="width:75%;" 
-             value="<?php echo stripslashes($this->viewitem->type()); ?>"
+             value="<?php echo esc_attr(stripslashes($this->viewitem->type())); ?>"
              readonly="readonly" /><?php
       } else {
@@ -560 +560 @@
         if ($existingtype == '') $existingtype = $alltypes[0];
         foreach ($alltypes as $atype) {
-          ?><option value="<?php echo $atype; ?>"<?php
+          ?><option value="<?php echo esc_attr($atype); ?>"<?php
         if ($atype == $existingtype) echo ' selected="selected"';
-          ?>><?php echo $atype; ?></option><?php
+          ?>><?php echo esc_html($atype); ?></option><?php
         }
         ?></select><?php
@@ -572 +572 @@
            style="width:75%;"
            maxlength="256"
-           value="<?php echo stripslashes($this->viewitem->thumburl()); ?>"<?php echo $ro; ?> /></td></tr>
+           value="<?php echo esc_attr(stripslashes($this->viewitem->thumburl())); ?>"<?php echo $ro; ?> /></td></tr>
               <tr valign="top">
     <th scope="row"><label for="callnumber" style="width:20%;"><?php _e('Call Number:','weblibrarian'); ?></label></th>
@@ -579 +579 @@
            style="width:75%;"
            maxlength="36"
-           value="<?php echo stripslashes($this->viewitem->callnumber()); ?>"<?php echo $ro; ?> /></td></tr>
+           value="<?php echo esc_attr(stripslashes($this->viewitem->callnumber())); ?>"<?php echo $ro; ?> /></td></tr>
       <tr valign="top">
     <td colspan="2" width="100%">
@@ -592 +592 @@
         ?><textarea id="itemedit-keyword-list" name="keywordlist" 
                 rows="3" cols="20" class="the-keywords"<?php echo $ro; ?> ><?php
-          echo implode(',',$this->viewkeywords); ?></textarea><?php
+          echo implode(',',esc_html($this->viewkeywords)); ?></textarea><?php
        if ($this->viewmode != 'view') {
       ?></div><div class="hide-if-no-js">
@@ -648 +648 @@
     $result = '';
     if ($this->viewmode == 'add') {
-      $newbarcode = $_REQUEST['barcode'];
+      $newbarcode = sanitize_text_field($_REQUEST['barcode']);
       if ($newbarcode != '') {
     if (!preg_match('/^[a-zA-Z0-9]+$/',$newbarcode) || strlen($barcode) > 16) {
@@ -655 +655 @@
       }
     }
-    if ($_REQUEST['title'] == '') {
+    if (sanitize_text_field( $_REQUEST['title'] ) == '') {
       $result .= '<br /><span id="error">'.__('Title is invalid','weblibrarian').'</span>';
     }
-    if ($_REQUEST['itemauthor'] == '') {
+    if (sanitize_text_field($_REQUEST['itemauthor']) == '') {
       $result .= '<br /><span id="error">'.__('Author is invalid','weblibrarian').'</span>';
     }
-    if ($_REQUEST['subject'] == '') {
+    if (sanitize_text_field($_REQUEST['subject']) == '') {
       $result .= '<br /><span id="error">'.__('Subject is invalid','weblibrarian').'</span>';
     }
-    WEBLIB_Patrons_Admin::ValidHumanDate($_REQUEST['pubdate'],$dummy,__('Publication Date','weblibrarian'),$result);
-    if ($_REQUEST['type'] == '') {
+    WEBLIB_Patrons_Admin::ValidHumanDate(sanitize_text_field($_REQUEST['pubdate']),$dummy,__('Publication Date','weblibrarian'),$result);
+    if (sanitize_text_field($_REQUEST['type']) == '') {
       $result .= '<br /><span id="error">'.__('Type is invalid','weblibrarian').'</span>';
     }
@@ -674 +674 @@
   {
     $item = new WEBLIB_ItemInCollection($barcode);
-    $item->set_title($_REQUEST['title']);
-    $item->set_author($_REQUEST['itemauthor']);
-    $item->set_subject($_REQUEST['subject']);
-    $item->set_description($_REQUEST['description']);
-    $item->set_category($_REQUEST['itemcategory']);
-    $item->set_media($_REQUEST['media']);
-    $item->set_publisher($_REQUEST['publisher']);
-    $item->set_publocation($_REQUEST['publocation']);
-    if (WEBLIB_Patrons_Admin::ValidHumanDate($_REQUEST['pubdate'],$thepubdate,'Publication Date',$error)) {
+    $item->set_title(sanitize_text_field($_REQUEST['title']));
+    $item->set_author(sanitize_text_field($_REQUEST['itemauthor']));
+    $item->set_subject(sanitize_text_field($_REQUEST['subject']));
+    $item->set_description(sanitize_text_field($_REQUEST['description']));
+    $item->set_category(sanitize_text_field($_REQUEST['itemcategory']));
+    $item->set_media(sanitize_text_field($_REQUEST['media']));
+    $item->set_publisher(sanitize_text_field($_REQUEST['publisher']));
+    $item->set_publocation(sanitize_text_field($_REQUEST['publocation']));
+    if (WEBLIB_Patrons_Admin::ValidHumanDate(sanitize_text_field($_REQUEST['pubdate']),$thepubdate,'Publication Date',$error)) {
       $item->set_pubdate($thepubdate);
     }
-    $item->set_edition($_REQUEST['edition']);
-    $item->set_isbn($_REQUEST['isbn']);
-    $item->set_type($_REQUEST['type']);
-    $item->set_thumburl($_REQUEST['thumburl']);
-    $item->set_callnumber($_REQUEST['callnumber']);
+    $item->set_edition(sanitize_text_field($_REQUEST['edition']));
+    $item->set_isbn(sanitize_text_field($_REQUEST['isbn']));
+    $item->set_type(sanitize_text_field($_REQUEST['type']));
+    $item->set_thumburl(sanitize_text_field($_REQUEST['thumburl']));
+    $item->set_callnumber(sanitize_text_field($_REQUEST['callnumber']));
     return $item;
   }
@@ -695 +695 @@
   function getkeywordsfromform()
   {
-    return explode(',',$_REQUEST['keywordlist']);
+    return explode(',',sanitize_text_field($_REQUEST['keywordlist']));
   }
 
@@ -717 +717 @@
     if (!isset($_REQUEST['doupload']) ) return '';
     $filename = $_FILES['file_name']['tmp_name'];
-    $use_csv_headers = $_REQUEST['use_csv_header'];
-    $field_sep = stripslashes($_REQUEST['field_sep']);
-    $enclose_char = stripslashes($_REQUEST['enclose_char']);
+    $use_csv_headers = sanitize_text_field($_REQUEST['use_csv_header']);
+    $field_sep = stripslashes(sanitize_text_field($_REQUEST['field_sep']));
+    $enclose_char = stripslashes(sanitize_text_field($_REQUEST['enclose_char']));
     /*$escape_char = stripslashes($_REQUEST['escape_char']);*/
     $result = WEBLIB_ItemInCollection::upload_csv($filename,$use_csv_headers,
@@ -728 +728 @@
   function display_bulk_upload_form($returnURL) {
     if ( isset($_REQUEST['paged']) ) {
-      ?><input type="hidden" name="paged" value="<?php echo $_REQUEST['paged'] ?>" /><?php
+      ?><input type="hidden" name="paged" value="<?php echo esc_attr(sanitize_text_field($_REQUEST['paged'])) ?>" /><?php
     }
     if ( isset($_REQUEST['screen-options-apply']) ) {
-      ?><input type="hidden" name="screen-options-apply" value="<?php echo $_REQUEST['screen-options-apply'] ?>" /><?php
+      ?><input type="hidden" name="screen-options-apply" value="<?php echo esc_attr(sanitize_text_field($_REQUEST['screen-options-apply'])) ?>" /><?php
     }
     if ( isset($_REQUEST['wp_screen_options']['option']) ) {
-      ?><input type="hidden" name="wp_screen_options[option]" value="<?php echo $_REQUEST['wp_screen_options']['option'] ?>" /><?php
+      ?><input type="hidden" name="wp_screen_options[option]" value="<?php echo esc_attr(sanitize_text_field($_REQUEST['wp_screen_options']['option'])) ?>" /><?php
     }
     if ( isset($_REQUEST['wp_screen_options']['value']) ) {
-      ?><input type="hidden" name="wp_screen_options[value]" value="<?php echo $_REQUEST['wp_screen_options']['value'] ?>" /><?php
+      ?><input type="hidden" name="wp_screen_options[value]" value="<?php echo esc_attr(sanitize_text_field($_REQUEST['wp_screen_options']['value'])) ?>" /><?php
     }
     ?><p><label for="file_name"><?php _e('CSV File:','weblibrarian'); ?></label>
      <input type="file" id="file_name" name="file_name" 
-        value="<?php echo $_REQUEST['file_name']; ?>" /></p>
+        value="<?php echo esc_attr(sanitize_text_field($_REQUEST['file_name'])); ?>" /></p>
       <p><label for="use_csv_header"><?php _e('Use CSV Header?','weblibrarian'); ?></label>
      <input type="checkbox" name="use_csv_header" id="use_csv_header" 
@@ -749 +749 @@
      <select id="field_sep" name="field_sep">
      <option value="," <?php if (!isset($_REQUEST['field_sep']) ||
-                     $_REQUEST['field_sep'] == ',') {
+                     sanitize_text_field($_REQUEST['field_sep']) == ',') {
                    echo 'selected="selected"'; 
                  } ?>>,</option>
      <option value="<?php echo "\t"; ?>" <?php 
         if (isset($_REQUEST['field_sep']) && 
-            $_REQUEST['field_sep'] == "\t") {
+            sanitize_text_field($_REQUEST['field_sep']) == "\t") {
           echo 'selected="selected"'; 
         } ?>><?php _e('TAB','weblibrarian'); ?></option>
@@ -762 +762 @@
      <option value='<?php echo '"'; ?>' <?php
         if (!isset($_REQUEST['enclose_char']) ||
-            $_REQUEST['enclose_char'] == '"') {
+            sanitize_text_field($_REQUEST['enclose_char']) == '"') {
           echo 'selected="selected"'; 
         } ?>>&quot;</option>
      <option value="'" <?php
         if (isset($_REQUEST['enclose_char']) &&
-            $_REQUEST['enclose_char'] == "'") {
+            sanitize_text_field($_REQUEST['enclose_char']) == "'") {
           echo 'selected="selected"';
         } ?>>'</option>

weblibrarian/trunk/includes/WEBLIB_PatronRecord_Admin.php

@@ -206 +206 @@
   }
   function current_action() {
-    if ( isset( $_REQUEST['action'] ) && -1 != $_REQUEST['action'] )
-      return $_REQUEST['action'];
-
-    if ( isset( $_REQUEST['action2'] ) && -1 != $_REQUEST['action2'] )
-      return $_REQUEST['action2'];
+    if ( isset( $_REQUEST['action'] ) && -1 != sanitize_text_field($_REQUEST['action']) )
+      return sanitize_text_field($_REQUEST['action']);
+
+    if ( isset( $_REQUEST['action2'] ) && -1 != sanitize_text_field($_REQUEST['action2']) )
+      return sanitize_text_field($_REQUEST['action2']);
   }
 
@@ -217 +217 @@
     switch ($action) {
       case 'removehold':
-    if ( isset($_REQUEST['checked']) && !empty($_REQUEST['checked'])) {
-      foreach ( $_REQUEST['checked'] as $theitem ) {
+    if ( isset($_REQUEST['checked']) && !empty(sanitize_text_field($_REQUEST['checked']))) {
+      foreach ( sanitize_text_field($_REQUEST['checked']) as $theitem ) {
         WEBLIB_HoldItem::DeleteHeldItemByBarcodeAndPatronId($theitem,
                             $this->patronid);
@@ -224 +224 @@
         } else if ( isset($_REQUEST['barcode']) ) {
       WEBLIB_HoldItem::DeleteHeldItemByBarcodeAndPatronId(
-            $_REQUEST['barcode'],$this->patronid);
+            sanitize_text_field($_REQUEST['barcode']),$this->patronid);
     }
     break;
@@ -233 +233 @@
     $message = '';
     $this->process_bulk_action();
-    $orderby = isset( $_REQUEST['orderby'] ) ? $_REQUEST['orderby'] : 'barcode';
+    $orderby = isset( $_REQUEST['orderby'] ) ? sanitize_text_field($_REQUEST['orderby']) : 'barcode';
     if ( empty( $orderby ) ) $orderby = 'barcode';
-    $order = isset( $_REQUEST['order'] ) ? $_REQUEST['order'] : 'ASC';
+    $order = isset( $_REQUEST['order'] ) ? sanitize_text_field($_REQUEST['order']) : 'ASC';
     if ( empty( $order ) ) $order = 'ASC';
     // Deal with columns
@@ -328 +328 @@
   }
   function current_action() {
-    if ( isset( $_REQUEST['action'] ) && -1 != $_REQUEST['action'] )
-      return $_REQUEST['action'];
-
-    if ( isset( $_REQUEST['action2'] ) && -1 != $_REQUEST['action2'] )
-      return $_REQUEST['action2'];
+    if ( isset( $_REQUEST['action'] ) && -1 != sanitize_text_field($_REQUEST['action']) )
+      return sanitize_text_field($_REQUEST['action']);
+
+    if ( isset( $_REQUEST['action2'] ) && -1 != sanitize_text_field($_REQUEST['action2']) )
+      return sanitize_text_field($_REQUEST['action2']);
   }
 
@@ -338 +338 @@
     $message = '';
     $action = $this->current_action();
-    if ( isset($_REQUEST['action']) && $_REQUEST['action'] != -1 ) {
-      $theaction = $_REQUEST['action'];
-    } else if ( isset($_REQUEST['action2']) && $_REQUEST['action2'] != -1 ) {
-      $theaction = $_REQUEST['action2'];
+    if ( isset($_REQUEST['action']) && sanitize_text_field($_REQUEST['action']) != -1 ) {
+      $theaction = sanitize_text_field($_REQUEST['action']);
+    } else if ( isset($_REQUEST['action2']) && sanitize_text_field($_REQUEST['action2']) != -1 ) {
+      $theaction = sanitize_text_field($_REQUEST['action2']);
     } else {
       $theaction = 'none';
@@ -349 +349 @@
     if ( isset($_REQUEST['barcode']) ) {
       $m = WEBLIB_OutItem::RenewByBarcodeAndPatronID(
-                $_REQUEST['barcode'],$this->patronid);
+                sanitize_text_field($_REQUEST['barcode']),$this->patronid);
       if (preg_match('/ Renewed\.$/',$m)) {
         $message .= '<p>'.$m.'</p>';
@@ -356 +356 @@
       }
     } else {
-      foreach ( $_REQUEST['checked'] as $barcode ) {
+      foreach ( sanitize_text_field($_REQUEST['checked']) as $barcode ) {
         $m = WEBLIB_OutItem::RenewByBarcodeAndPatronID(
                 $barcode,$this->patronid);
@@ -374 +374 @@
     $message = '';
     $message = $this->process_bulk_action();
-    $orderby = isset( $_REQUEST['orderby'] ) ? $_REQUEST['orderby'] : 'barcode';
+    $orderby = isset( $_REQUEST['orderby'] ) ? sanitize_text_field($_REQUEST['orderby']) : 'barcode';
     if ( empty( $orderby ) ) $orderby = 'barcode';
-    $order = isset( $_REQUEST['order'] ) ? $_REQUEST['order'] : 'ASC';
+    $order = isset( $_REQUEST['order'] ) ? sanitize_text_field($_REQUEST['order']) : 'ASC';
     if ( empty( $order ) ) $order = 'ASC';
 

weblibrarian/trunk/includes/WEBLIB_Statistics_Admin.php

@@ -126 +126 @@
   function extra_tablenav( $which ) {
     if ($which == 'top') {
-      ?><input type="hidden" name="year" value="<?php echo $this->year; ?>" />
-    <input type="hidden" name="month" value="<?php echo $this->month; ?>" /><?php
+      ?><input type="hidden" name="year" value="<?php echo esc_attr($this->year); ?>" />
+    <input type="hidden" name="month" value="<?php echo esc_attr($this->month); ?>" /><?php
     }
 
@@ -157 +157 @@
     $this->check_permissions();
     $message = '';
-    $this->year = isset($_REQUEST['year']) ? $_REQUEST['year'] : date('Y',time());
-    $this->month = isset($_REQUEST['month']) ? $_REQUEST['month'] : date('m',time());
+    $this->year = isset($_REQUEST['year']) ? sanitize_text_field($_REQUEST['year']) : date('Y',time());
+    $this->month = isset($_REQUEST['month']) ? sanitize_text_field($_REQUEST['month']) : date('m',time());
 
     if ( isset($_REQUEST['filter_top']) ) {
-      $this->year = isset($_REQUEST['year_top']) ? $_REQUEST['year_top'] : $this->year;
-      $this->month = isset($_REQUEST['month_top']) ? $_REQUEST['month_top'] : $this->month;
+      $this->year = isset($_REQUEST['year_top']) ? sanitize_text_field($_REQUEST['year_top']) : $this->year;
+      $this->month = isset($_REQUEST['month_top']) ? sanitize_text_field($_REQUEST['month_top']) : $this->month;
     } else if ( isset($_REQUEST['filter_bottom']) ) {
-      $this->year = isset($_REQUEST['year_bottom']) ? $_REQUEST['year_bottom'] : $this->year;
-      $this->month = isset($_REQUEST['month_bottom']) ? $_REQUEST['month_bottom'] : $this->month;
+      $this->year = isset($_REQUEST['year_bottom']) ? sanitize_text_field($_REQUEST['year_bottom']) : $this->year;
+      $this->month = isset($_REQUEST['month_bottom']) ? sanitize_text_field($_REQUEST['month_bottom']) : $this->month;
     }
     //file_put_contents("php://stderr","*** WEBLIB_Statistics_Admin::prepare_items: this->year = $this->year\n");

weblibrarian/trunk/includes/WEBLIB_Users_Admin.php

@@ -126 +126 @@
     $message = '';
     if ( isset( $_REQUEST['setid']) ) {
-      $patronid = $_REQUEST['patronid'];
-      $user_id  = $_REQUEST['user_id'];
+      $patronid = sanitize_text_field($_REQUEST['patronid']);
+      $user_id  = sanitize_text_field($_REQUEST['user_id']);
       $user = get_userdata($user_id);
       $patron = new WEBLIB_Patron($patronid);
@@ -141 +141 @@
     }
     global $usersearch;
-    $usersearch = isset( $_REQUEST['s'] ) ? stripslashes( trim( $_REQUEST['s'] ) ) : '';
+    $usersearch = isset( $_REQUEST['s'] ) ? stripslashes( trim( sanitize_text_field($_REQUEST['s']) ) ) : '';
     // Deal with columns
     $columns = $this->get_columns();    // All of our columns
@@ -188 +188 @@
       $patronid = 0;
       if (isset($_REQUEST['patronid']) ) {
-    $patronid = $_REQUEST['patronid'];
+    $patronid = sanitize_text_field($_REQUEST['patronid']);
     $patron = new WEBLIB_Patron($patronid);
     $error = '';

weblibrarian/trunk/includes/admin_page_classes.php

@@ -115 +115 @@
       } 
       if ( isset($_REQUEST['saveoptions']) ) {
-        $new_public_key = (isset($_REQUEST['aws_public_key']))?$_REQUEST['aws_public_key']:'';
-        $new_private_key = (isset($_REQUEST['aws_private_key']))?$_REQUEST['aws_private_key']:'';
-        $new_regiondom = (isset($_REQUEST['aws_regiondom']))?$_REQUEST['aws_regiondom']:'';
-        $new_associate_tag = (isset($_REQUEST['associate_tag']))?$_REQUEST['associate_tag']:'';
+        $new_public_key = (isset($_REQUEST['aws_public_key']))?sanitize_text_field($_REQUEST['aws_public_key']):'';
+        $new_private_key = (isset($_REQUEST['aws_private_key']))?sanitize_text_field($_REQUEST['aws_private_key']):'';
+        $new_regiondom = (isset($_REQUEST['aws_regiondom']))?sanitize_text_field($_REQUEST['aws_regiondom']):'';
+        $new_associate_tag = (isset($_REQUEST['associate_tag']))?sanitize_text_field($_REQUEST['associate_tag']):'';
     $message = ''; $valid = true;
         if ($new_public_key == '' && $new_private_key == '' && $new_associate_tag == '') {
@@ -142 +142 @@
     }
     if ($valid) {   
-      update_option('weblib_aws_public_key',$_REQUEST['aws_public_key']);
-      update_option('weblib_aws_private_key',$_REQUEST['aws_private_key']);
-      update_option('weblib_aws_regiondom',$_REQUEST['aws_regiondom']);
-      update_option('weblib_associate_tag',$_REQUEST['associate_tag']);
-      update_option('weblib_debugdb',$_REQUEST['debugdb']);
+      update_option('weblib_aws_public_key',sanitize_text_field($_REQUEST['aws_public_key']));
+      update_option('weblib_aws_private_key',sanitize_text_field($_REQUEST['aws_private_key']));
+      update_option('weblib_aws_regiondom',sanitize_text_field($_REQUEST['aws_regiondom']));
+      update_option('weblib_associate_tag',sanitize_text_field($_REQUEST['associate_tag']));
+      update_option('weblib_debugdb',sanitize_text_field($_REQUEST['debugdb']));
       $message = '<p>'.__('Options Saved','weblibrarian').'</p>';
     }
@@ -166 +166 @@
          <td><input type="text" id="aws_public_key" 
             name="aws_public_key" 
-            value="<?php echo $aws_public_key; ?>"
+            value="<?php echo esc_attr($aws_public_key); ?>"
              style="width:75%" /></td></tr>
       <tr valign="top">
@@ -173 +173 @@
          <td><input type="text" id="aws_private_key" 
             name="aws_private_key" 
-            value="<?php echo $aws_private_key; ?>"
+            value="<?php echo esc_attr($aws_private_key); ?>"
              style="width:75%" /></td></tr>
       <tr valign="top">
@@ -214 +214 @@
          <td><input type="text" id="associate_tag"
             name="associate_tag"
-            value="<?php echo $associate_tag; ?>"
+            value="<?php echo esc_attr($associate_tag); ?>"
             style="width:75%" /></td></tr>
       <tr valign="top">

weblibrarian/trunk/readme.txt

@@ -157 +157 @@
 == Changelog ==
 
+= 3.5.8.4 =
+
+Sanitize and Escape everything.
+
 = 3.5.8.3 =