Changeset 3018504

Timestamp:

01/08/2024 01:35:53 AM (2 years ago)

Author:

ibenic

Message:

Pushing 3.5.1

Location:

wp-sponsors/trunk

Files:

• README.txt (modified) (2 diffs)
• admin/class-wp-sponsors-admin.php (modified) (3 diffs)
• admin/partials/meta-boxes/sponsor-info.php (modified) (3 diffs)
• includes/class-wp-sponsors-blocks.php (modified) (2 diffs)
• includes/class-wp-sponsors-shortcodes.php (modified) (2 diffs)
• includes/class-wp-sponsors-widget.php (modified) (6 diffs)
• includes/class-wp-sponsors.php (modified) (1 diff)
• public/class-wp-sponsors-public.php (modified) (6 diffs)
• wp-sponsors.php (modified) (1 diff)

wp-sponsors/trunk/README.txt

@@ -4 +4 @@
 Tags: post type, images, partners, sponsors
 Requires at least: 3.1.0
-Tested up to: 5.7.1
+Tested up to: 6.4.2
 Requires PHP: 7.0
-Stable tag: 3.5.0
+Stable tag: 3.5.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -110 +110 @@
 == Changelog ==
 
+= 3.5.1 - 2024-01-08 =
+* Security update
+
 = 3.5.0 - 2021-05-14 =
 * New: Shortcode attribute verticalcenter for slider to define if we need to center the images/content vertically. On by default.

wp-sponsors/trunk/admin/class-wp-sponsors-admin.php

@@ -99 +99 @@
         wp_enqueue_script( $this->wp_sponsors, WP_SPONSORS_URL . 'assets/dist/js/admin.js', array( 'jquery' ), $this->version, false );
         wp_localize_script($this->wp_sponsors, 'objectL10n', array(
-            'title' => __('Select a sponsor logo', 'wp-sponsors'),
+            'title'  => __('Select a sponsor logo', 'wp-sponsors'),
             'button' => __('Add image', 'wp-sponsors')
-            ));
+        ));
 
     }
@@ -131 +131 @@
         // Checks for input and sanitizes/saves if needed
         if ( isset( $_POST['_website'] ) ) {
-            update_post_meta( $post_id, '_website', sanitize_text_field( $_POST['_website'] ) );
+            update_post_meta( $post_id, '_website', sanitize_text_field( wp_unslash( $_POST['_website'] ) ) );
         }
 
         if ( isset( $_POST['_email'] ) ) {
-            update_post_meta( $post_id, '_email', sanitize_text_field( $_POST['_email'] ) );
+            update_post_meta( $post_id, '_email', sanitize_text_field( wp_unslash( $_POST['_email'] ) ) );
         }
 
         if ( isset( $_POST['wp_sponsors_desc'] ) ) {
-            update_post_meta( $post_id, 'wp_sponsors_desc', $_POST['wp_sponsors_desc'] );
+            update_post_meta( $post_id, 'wp_sponsors_desc', wp_kses_post( wp_unslash( $_POST['wp_sponsors_desc'] ) ) );
         }
 
@@ -222 +222 @@
         if(is_admin()) {
             if(get_option( 'sponsors_db_version') < 2 ) {
-                $update = new WP_Sponsors_upgrade( $this->version );
-                $update->run( 'upgrade200' );
+                wp_sponsors_update_200();
+                wp_sponsors_update_post_type_300();
             }
             return;

wp-sponsors/trunk/admin/partials/meta-boxes/sponsor-info.php

@@ -3 +3 @@
 // Display code/markup goes here. Don't forget to include nonces!
 // Noncename needed to verify where the data originated
-echo '<input type="hidden" name="wp_sponsors_nonce" id="wp_sponsors_nonce" value="' . wp_create_nonce( plugin_basename( __FILE__ ) ) . '" />';
+echo '<input type="hidden" name="wp_sponsors_nonce" id="wp_sponsors_nonce" value="' . esc_attr( wp_create_nonce( plugin_basename( __FILE__ ) ) ) . '" />';
 // Get the url data if its already been entered
 $meta_value = get_post_meta( get_the_ID(), '_website', true );
@@ -11 +11 @@
 // Checks and displays the retrieved value
 echo '<p class="post-attributes-label-wrapper"><label for="wp_sponsors_url" class="post-attributes-label">' . __( 'Link', 'wp-sponsors' ) . '</label></p>';
-echo '<input type="url" name="_website" value="' . $meta_value . '" class="widefat" />';
+echo '<input type="url" name="_website" value="' . esc_attr( $meta_value ) . '" class="widefat" />';
 
 
@@ -18 +18 @@
 // Checks and displays the retrieved value
 echo '<p class="post-attributes-label-wrapper"><label for="wp_sponosrs_email" class="post-attributes-label">' . __( 'Email', 'wp-sponsors' ) . '</label></p>';
-echo '<input type="email" id="wp_sponosrs_email" name="_email" value="' . $meta_value . '" class="widefat" />';
+echo '<input type="email" id="wp_sponosrs_email" name="_email" value="' . esc_attr( $meta_value ) . '" class="widefat" />';
 
 

wp-sponsors/trunk/includes/class-wp-sponsors-blocks.php

@@ -192 +192 @@
                 'wp-sponsors-block-js',
                 WP_SPONSORS_URL . '/assets/dist/js/gutenberg.js',
-                array( 'wp-blocks', 'wp-i18n', 'wp-element', 'wp-components', 'wp-editor', 'wp-compose' )
+                array( 'wp-blocks', 'wp-i18n', 'wp-element', 'wp-components', 'wp-editor', 'wp-compose' ),
+                filemtime( WP_SPONSORS_PATH . '/assets/dist/js/gutenberg.js', )
             );
         }
@@ -210 +211 @@
             'wp-sponsors-block-css',
             WP_SPONSORS_URL . '/assets/dist/css/gutenberg.css',
-            array( 'wp-edit-blocks' )
+            array( 'wp-edit-blocks' ),
+            filemtime( WP_SPONSORS_PATH . '/assets/dist/css/gutenberg.css', )
         );
     }

wp-sponsors/trunk/includes/class-wp-sponsors-shortcodes.php

@@ -265 +265 @@
                     ),
                 );*/
-                $style['containerPre'] = '<div id="wp-sponsors" class="clearfix slider wp-sponsors ' . $atts['slider_image'] . ' ' . ( 1 === absint( $atts['verticalcenter'] ) ? 'vertical-center' : '' ) . '" data-slick="' . esc_attr( wp_json_encode( $slickSettings ) ) . '">';
+                $style['containerPre'] = '<div id="wp-sponsors" class="clearfix slider wp-sponsors ' . esc_attr( $atts['slider_image'] ) . ' ' . ( 1 === absint( $atts['verticalcenter'] ) ? 'vertical-center' : '' ) . '" data-slick="' . esc_attr( wp_json_encode( $slickSettings ) ) . '">';
                 $style['containerPost'] = '</div>';
                 $style['wrapperClass'] = 'sponsor-item';
@@ -299 +299 @@
                     }
 
-                    echo '<' . $style['wrapperPre'] . ' class="' . $style['wrapperClass'] . ' ' . $class . '">';
+                    echo '<' . $style['wrapperPre'] . ' class="' . esc_attr( $style['wrapperClass'] ) . ' ' . esc_attr( $class ) . '">';
                     $sponsor_html = '';
 

wp-sponsors/trunk/includes/class-wp-sponsors-widget.php

@@ -64 +64 @@
             echo $args['before_title'] . $title . $args['after_title'];
         } ?>
-        <ul class="<?php echo $instance['display_option']; ?>">
+        <ul class="<?php echo esc_attr( $instance['display_option'] ); ?>">
             <?php while ( $query->have_posts() ) : $query->the_post(); ?>
                 <?php
@@ -94 +94 @@
                     if ( ! $image || $use_title ) {
                         ?>
-                        <div class="sponsor-title widget-title"><?php echo the_title(); ?></div>
+                        <div class="sponsor-title widget-title"><?php echo esc_html( the_title( '', '', false ) ); ?></div>
                         <?php
                     }
@@ -113 +113 @@
                         if ( $desc ) {
                             echo '<br/>';
-                            echo '<p class="sponsor-desc">' . $desc . '</p>';
+                            echo '<p class="sponsor-desc">' . wp_kses_post( $desc ) . '</p>';
                         }
                     }
@@ -180 +180 @@
         $cats = get_terms( 'sponsor_categories' ); ?>
         <p>
-            <label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e( 'Title', 'wp-sponsors' ); ?></label>
-            <input id="<?php echo $this->get_field_id( 'title' ); ?>"
-                   name="<?php echo $this->get_field_name( 'title' ); ?>" value="<?php echo $instance['title']; ?>"
+            <label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"><?php _e( 'Title', 'wp-sponsors' ); ?></label>
+            <input id="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"
+                   name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>" value="<?php echo esc_attr( $instance['title'] ); ?>"
                    style="width:100%;"/>
         </p>
         <?php if ( ! empty( $cats ) && ! is_wp_error( $cats ) ) { ?>
             <p>
-                <label for="<?php echo $this->get_field_id( 'category' ); ?>"> <?php echo __( 'Category', 'wp-sponsors' ) ?></label>
-                <select id="<?php echo $this->get_field_id( 'category' ); ?>"
-                        name="<?php echo $this->get_field_name( 'category' ); ?>" class="widefat" style="width:100%;">
-                    <option value="all"><?php echo _e( 'All', 'wp-sponsors' ); ?></option>
+                <label for="<?php echo esc_attr( $this->get_field_id( 'category' ) ); ?>"> <?php echo __( 'Category', 'wp-sponsors' ) ?></label>
+                <select id="<?php echo esc_attr( $this->get_field_id( 'category' ) ); ?>"
+                        name="<?php echo esc_attr( $this->get_field_name( 'category' ) ); ?>" class="widefat" style="width:100%;">
+                    <option value="all"><?php echo __( 'All', 'wp-sponsors' ); ?></option>
                     <?php foreach ( $cats as $cat ) { ?>
                         <option <?php selected( $instance['category'], $cat->slug, 'selected' ); ?>
-                                value="<?php echo $cat->slug; ?>"><?php echo $cat->name; ?></option>
+                                value="<?php echo esc_attr( $cat->slug ); ?>"><?php echo esc_html( $cat->name ); ?></option>
                     <?php } ?>
                 </select>
@@ -199 +199 @@
         <?php } ?>
         <p>
-            <label for="<?php echo $this->get_field_id( 'display_option' ); ?>"> <?php echo __( 'Display', 'wp-sponsors' ) ?></label>
-            <select id="<?php echo $this->get_field_id( 'display_option' ); ?>"
-                    name="<?php echo $this->get_field_name( 'display_option' ); ?>" class="widefat" style="width:100%;">
+            <label for="<?php echo esc_attr( $this->get_field_id( 'display_option' ) ); ?>"> <?php echo __( 'Display', 'wp-sponsors' ) ?></label>
+            <select id="<?php echo esc_attr( $this->get_field_id( 'display_option' ) ); ?>"
+                    name="<?php echo esc_attr( $this->get_field_name( 'display_option' ) ); ?>" class="widefat" style="width:100%;">
                 <option <?php selected( $instance['display_option'], 'vertical' ); ?>
-                        value="vertical"><?php echo _e( 'Vertical (best for sidebars)', 'wp-sponsors' ); ?></option>
+                        value="vertical"><?php echo __( 'Vertical (best for sidebars)', 'wp-sponsors' ); ?></option>
                 <option <?php selected( $instance['display_option'], 'horizontal' ); ?>
-                        value="horizontal"><?php echo _e( 'Horizontal (best for footers)', 'wp-sponsors' ); ?></option>
+                        value="horizontal"><?php echo __( 'Horizontal (best for footers)', 'wp-sponsors' ); ?></option>
             </select>
 
         </p>
         <p>
-            <label for="<?php echo $this->get_field_id( 'order_by' ); ?>"> <?php echo __( 'Order by', 'wp-sponsors' ) ?></label>
-            <select id="<?php echo $this->get_field_id( 'order_by' ); ?>"
-                    name="<?php echo $this->get_field_name( 'order_by' ); ?>" class="widefat" style="width:100%;">
+            <label for="<?php echo esc_attr( $this->get_field_id( 'order_by' ) ); ?>"> <?php echo __( 'Order by', 'wp-sponsors' ) ?></label>
+            <select id="<?php echo esc_attr( $this->get_field_id( 'order_by' ) ); ?>"
+                    name="<?php echo esc_attr( $this->get_field_name( 'order_by' ) ); ?>" class="widefat" style="width:100%;">
                 <option <?php selected( $instance['order_by'], 'menu_order' ); ?>
-                        value="menu_order"><?php echo _e( 'Weight', 'wp-sponsors' ); ?></option>
+                        value="menu_order"><?php echo __( 'Weight', 'wp-sponsors' ); ?></option>
                 <option <?php selected( $instance['order_by'], 'title' ); ?>
-                        value="title"><?php echo _e( 'Title', 'wp-sponsors' ); ?></option>
+                        value="title"><?php echo __( 'Title', 'wp-sponsors' ); ?></option>
                 <option <?php selected( $instance['order_by'], 'rand' ); ?>
-                        value="rand"><?php echo _e( 'Random', 'wp-sponsors' ); ?></option>
+                        value="rand"><?php echo __( 'Random', 'wp-sponsors' ); ?></option>
             </select>
         </p>
         <p>
-            <label for="<?php echo $this->get_field_id( 'max' ); ?>"><?php _e( 'Number of sponsors to show  (leave to show all)', 'wp-sponsors' ); ?></label>
-            <input id="<?php echo $this->get_field_id( 'max' ); ?>" name="<?php echo $this->get_field_name( 'max' ); ?>"
-                   value="<?php echo $instance['max']; ?>" style="width:100%;" type="number"/>
-        </p>
-        <p>
-            <input type="checkbox" id="<?php echo $this->get_field_id( 'show_title' ); ?>"
-                   name="<?php echo $this->get_field_name( 'show_title' ); ?>" <?php checked( $instance['show_title'], 'on' ); ?> />
-            <label for="<?php echo $this->get_field_id( 'show_title' ); ?>"><?php echo __( 'Show sponsor title', 'wp-sponsors' ) ?></label>
-        </p>
-        <p>
-            <input type="checkbox" id="<?php echo $this->get_field_id( 'check_images' ); ?>"
-                   name="<?php echo $this->get_field_name( 'check_images' ); ?>" <?php checked( $instance['check_images'], 'on' ); ?> />
-            <label for="<?php echo $this->get_field_id( 'check_images' ); ?>"><?php echo __( 'Show sponsor logo', 'wp-sponsors' ) ?></label>
-        </p>
-        <p>
-            <label for="<?php echo $this->get_field_id( 'image_size' ); ?>"> <?php echo __( 'Image Size', 'wp-sponsors' ) ?></label>
-            <select id="<?php echo $this->get_field_id( 'image_size' ); ?>"
-                    name="<?php echo $this->get_field_name( 'image_size' ); ?>" class="widefat" style="width:100%;">
+            <label for="<?php echo esc_attr( $this->get_field_id( 'max' ) ); ?>"><?php _e( 'Number of sponsors to show  (leave to show all)', 'wp-sponsors' ); ?></label>
+            <input id="<?php echo esc_attr( $this->get_field_id( 'max' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'max' ) ); ?>"
+                   value="<?php echo esc_attr( $instance['max'] ); ?>" style="width:100%;" type="number"/>
+        </p>
+        <p>
+            <input type="checkbox" id="<?php echo esc_attr( $this->get_field_id( 'show_title' ) ); ?>"
+                   name="<?php echo esc_attr( $this->get_field_name( 'show_title' ) ); ?>" <?php checked( $instance['show_title'], 'on' ); ?> />
+            <label for="<?php echo esc_attr( $this->get_field_id( 'show_title' ) ); ?>"><?php echo __( 'Show sponsor title', 'wp-sponsors' ) ?></label>
+        </p>
+        <p>
+            <input type="checkbox" id="<?php echo esc_attr( $this->get_field_id( 'check_images' ) ); ?>"
+                   name="<?php echo esc_attr( $this->get_field_name( 'check_images' ) ); ?>" <?php checked( $instance['check_images'], 'on' ); ?> />
+            <label for="<?php echo esc_attr( $this->get_field_id( 'check_images' ) ); ?>"><?php echo __( 'Show sponsor logo', 'wp-sponsors' ) ?></label>
+        </p>
+        <p>
+            <label for="<?php echo esc_attr( $this->get_field_id( 'image_size' ) ); ?>"> <?php echo __( 'Image Size', 'wp-sponsors' ) ?></label>
+            <select id="<?php echo esc_attr( $this->get_field_id( 'image_size' ) ); ?>"
+                    name="<?php echo esc_attr( $this->get_field_name( 'image_size' ) ); ?>" class="widefat" style="width:100%;">
                 <?php
                     foreach( $images_sizes as $size ) {
                         ?>
                         <option <?php selected( $instance['image_size'], $size ); ?>
-                                value="<?php echo esc_attr( $size ); ?>"><?php echo $size ?></option>
+                                value="<?php echo esc_attr( $size ); ?>"><?php echo esc_html( $size ); ?></option>
                         <?php
                     }
@@ -251 +251 @@
         </p>
         <p>
-            <input type="checkbox" id="<?php echo $this->get_field_id( 'show_description' ); ?>"
-                   name="<?php echo $this->get_field_name( 'show_description' ); ?>" <?php checked( $instance['show_description'], 'on' ); ?> />
-            <label for="<?php echo $this->get_field_id( 'show_description' ); ?>"><?php echo __( 'Show sponsor description', 'wp-sponsors' ) ?></label>
-        </p>
-        <p>
-            <input type="checkbox" id="<?php echo $this->get_field_id( 'target_blank' ); ?>"
-                   name="<?php echo $this->get_field_name( 'target_blank' ); ?>" <?php checked( $instance['target_blank'], 'on' ); ?> />
-            <label for="<?php echo $this->get_field_id( 'target_blank' ); ?>"><?php echo __( 'Open links in a new window', 'wp-sponsors' ) ?></label>
+            <input type="checkbox" id="<?php echo esc_attr( $this->get_field_id( 'show_description' ) ); ?>"
+                   name="<?php echo esc_attr( $this->get_field_name( 'show_description' ) ); ?>" <?php checked( $instance['show_description'], 'on' ); ?> />
+            <label for="<?php echo esc_attr( $this->get_field_id( 'show_description' ) ); ?>"><?php echo __( 'Show sponsor description', 'wp-sponsors' ) ?></label>
+        </p>
+        <p>
+            <input type="checkbox" id="<?php echo esc_attr( $this->get_field_id( 'target_blank' ) ); ?>"
+                   name="<?php echo esc_attr( $this->get_field_name( 'target_blank' ) ); ?>" <?php checked( $instance['target_blank'], 'on' ); ?> />
+            <label for="<?php echo esc_attr( $this->get_field_id( 'target_blank' ) ); ?>"><?php echo __( 'Open links in a new window', 'wp-sponsors' ) ?></label>
 
         </p>

wp-sponsors/trunk/includes/class-wp-sponsors.php

@@ -70 +70 @@
 
         $this->wp_sponsors = 'wp-sponsors';
-        $this->version     = '3.5.0';
+        $this->version     = '3.5.1';
 
         $this->define_constants();

wp-sponsors/trunk/public/class-wp-sponsors-public.php

@@ -122 +122 @@
         if ( $this->form_errors ) {
             foreach ( $this->form_errors as $error ) {
-                echo '<div class="wp-sponsors-form-notice wp-sponsors-form-error">' . $error . '</div>';
+                echo '<div class="wp-sponsors-form-notice wp-sponsors-form-error">' . wp_kses_post( $error ) . '</div>';
             }
         }
@@ -128 +128 @@
         if ( $this->form_notices ) {
             foreach ( $this->form_notices as $notice ) {
-                echo '<div class="wp-sponsors-form-notice">' . $notice . '</div>';
+                echo '<div class="wp-sponsors-form-notice">' . wp_kses_post( $notice ) . '</div>';
             }
         }
@@ -151 +151 @@
         }
 
-        $name = isset( $posted_data['name'] ) ? $posted_data['name'] : '';
+        $name = isset( $posted_data['name'] ) ? sanitize_text_field( $posted_data['name'] ) : '';
 
         if ( ! $name ) {
@@ -157 +157 @@
         }
 
-        $email = isset( $posted_data['email'] ) ? $posted_data['email'] : '';
+        $email = isset( $posted_data['email'] ) ? sanitize_text_field( $posted_data['email'] ) : '';
 
         if ( ! $email ) {
@@ -163 +163 @@
         }
 
-        $desc  = isset( $posted_data['desc'] ) ? $posted_data['desc'] : '';
-        $url   = isset( $posted_data['website'] ) ? $posted_data['website'] : '';
+        $desc  = isset( $posted_data['desc'] ) ? sanitize_textarea_field( $posted_data['desc'] ) : '';
+        $url   = isset( $posted_data['website'] ) ? sanitize_url( $posted_data['website'] ) : '';
 
         do_action( 'sponsors_acquisition_form_before_submit', $this, $posted_data );
@@ -197 +197 @@
         $sponsor = get_post( $sponsor_id );
 
-        $sponsor_link = admin_url( 'post.php?post=' . $sponsor_id . '&action=edit');
-        $subject = sprintf( __( 'New Sponsor Submitted: %s', 'wp-sponsors' ), $sponsor->post_title );
+        $sponsor_link = admin_url( 'post.php?post=' . absint( $sponsor_id ) . '&action=edit');
+        $subject = sprintf( __( 'New Sponsor Submitted: %s', 'wp-sponsors' ), esc_html( $sponsor->post_title ) );
         $message = __( 'Hi, there was a new sponsor submission on your site!', 'wp-sponsors' );
-        $message .= sprintf( __( 'You can check it out here: %s', 'wp-sponsors' ), '<a href="' . esc_url( $sponsor_link ) . '">' . $sponsor_link . '</a>' );
+        $message .= sprintf( __( 'You can check it out here: %s', 'wp-sponsors' ), '<a href="' . esc_url( $sponsor_link ) . '">' . esc_html( $sponsor_link ) . '</a>' );
         $to = get_option( 'admin_email' );
 

wp-sponsors/trunk/wp-sponsors.php

@@ -5 +5 @@
  * Plugin URI:        http://www.wpsimplesponsorships.com
  * Description:       Add links and logo's for your sponsors/partners/etc to your sidebars and posts with our widget and shortcode.
- * Version:           3.5.0
+ * Version:           3.5.1
  * Author:            Simple Sponsorships
  * Author URI:        http://www.wpsimplesponsorships.com