Changeset 3053854

Timestamp:

03/18/2024 07:13:29 PM (22 months ago)

Author:

poporon

Message:

2.5.3

• WordPress 6.4.3 での動作確認。 Compatible with WordPress 6.4.3.
• 「SSRF（サーバーサイドリクエストフォージェリ）」に対する脆弱性があったため、対策を行いました。 Fixed: SSRF vulnerability was discovered and countermeasures were taken.
• 「XSS（クロスサイトスクリプティング）」に対する脆弱性があったため、対策を行いました。 Fixed: XSS vulnerability was discovered and countermeasures were taken.
• 「Reflected-XSS（反射型クロスサイトスクリプティング）」に対する脆弱性があったため、対策を行いました。 Fixed: Reflected-XSS vulnerability was discovered and countermeasures were taken.
• ソーシャルカウントの取得方法を修正しました。 Fixed: Modified "How to access the External Links" to be even more secure.
• URLの安全性チェックを追加しました。 Fixed: Modified "URL Checks" to be even more secure.

Location:

pz-linkcard/trunk

Files:

• css/admin.css (modified) (1 diff)
• js/admin-settings.js (modified) (2 diffs)
• lib/pz-linkcard-cacheman-edit.php (added)
• lib/pz-linkcard-cacheman-list.php (added)
• lib/pz-linkcard-cacheman.php (added)
• lib/pz-linkcard-settings.php (modified) (8 diffs)
• lib/pz-linkcard-style.php (modified) (3 diffs)
• pz-linkcard.php (modified) (18 diffs)
• readme.txt (modified) (1 diff)

pz-linkcard/trunk/css/admin.css

@@ -619 +619 @@
 }
 .pz-lkc-develop-message {
-    margin: 0 0 0 -16px;
-    padding: 8px;
+    position: sticky;
+    z-index: 3;
+    top: 32px;
+    margin: 0 0 0 -20px;
+    padding: 16px 0 0 0;
+    height: 32px;
     background-color: #00aa88 !important;
     color: #ffffff !important;

pz-linkcard/trunk/js/admin-settings.js

@@ -21 +21 @@
         }
 
+        // submitをクリックしたら
+        $('form' ).submit( function() {
+            $('.pz-lkc-dashboard' ).hide();
+            $('.pz-lkc-develop-message' ).hide();
+        } );
+
         // イベント：ReadOnlyになったチェックボックスを動作させなくする
         $('input:checkbox' ).on('click', checkbox_readonly );
@@ -54 +60 @@
 
         $('.pz-lkc-dashboard' ).show();
-
     } );
 

pz-linkcard/trunk/lib/pz-linkcard-settings.php

@@ -1 +1 @@
 <?php defined('ABSPATH' ) || wp_die; ?>
+<?php /* 開発者モード */ if (!$this->options['develop-mode'] ) { echo '<div class="pz-lkc-develop-message">'.__('Currently working in a development environment.', $this->text_domain ).'</div>'; } ?>
 <div class="pz-lkc-dashboard wrap">
-
-    <?php
-    echo    '<h1 class="pz-lkc-header-settings">';
-    /* 開発者モード */
-    if  (!$this->options['develop-mode'] ) {
-        echo '<div class="pz-lkc-develop-message">'.__('Currently working in a development environment.', $this->text_domain ).'</div>';
-    }
-
-    echo    '<span class="pz-lkc-header-settings-icon">';
-    echo    __('&#x2699;&#xfe0f;', $this->text_domain );
-    echo    '</span>';
-    echo    '&nbsp;';
-    echo    __('LinkCard Settings', $this->text_domain );
-    echo    '&ensp;';
-    echo    '<a href="'.$this->options['author-url'].'/pz-linkcard-manager" rel="external noopener help" target="_blank"><img src="'.$this->plugin_dir_url.'img/help.png" width="16" height="16" title="'.__('Help', $this->text_domain ).'" alt="help">';
-    echo    '</a>';
-    echo    '</h1>';
-?>
-
-
-    <div class="pz-lkc-clear-both">&nbsp;</div>
+    <h1 class="pz-lkc-header-settings">
+        <span class="pz-lkc-header-settings-icon"><?php _e('&#x2699;&#xfe0f;', $this->text_domain ); ?></span>
+        &nbsp;
+        <?php _e('LinkCard Settings', $this->text_domain ); ?>
+        &ensp;
+        <a href="<?php echo $this->options['author-url']; ?>/pz-linkcard-manager" rel="external noopener help" target="_blank"><img src="<?php echo $this->plugin_dir_url; ?>img/help.png" width="16" height="16" title="<?php _e('Help', $this->text_domain ); ?>" alt="help"></a>
+        <div class="pz-lkc-header-goto"><a href="<?php echo $this->cacheman_url; ?>"><span class="pz-lkc-header-goto-icon"><?php echo __('&#x1f5c3;&#xfe0f;', $this->text_domain ); ?></span><span class="pz-lkc-header-goto-text"><?php echo __('Cache Manager', $this->text_domain ); ?></span></a><span class="pz-lkc-clear-both"></span></div>
+    </h1>
+
 <?php
-/*  <div class="pz-lkc-header-goto"><a href="<?php echo $this->cacheman_url; ?>"><span class="pz-lkc-header-goto-icon"><?php echo __('&#x1f5c3;&#xfe0f;', $this->text_domain ); ?></span><span class="pz-lkc-header-goto-text"><?php echo __('Cache Manager', $this->text_domain ); ?></span></a></div> */
-
     // 変数の設定
-    $action                 =   isset($_POST['action'])          ? $_POST['action']         : null ;
-    $properties             =   isset($_POST['properties'])      ? $_POST['properties']     : null ;
-    $tab_now                =   isset($_POST['pz-lkc-tab-now'] ) ? $_POST['pz-lkc-tab-now'] : null ;
-
-    if  ($properties ) {
+    $action     =   isset($_REQUEST['action'] )         ? esc_attr($_REQUEST['action'] )            : null;
+    $tab_now    =   isset($_REQUEST['pz-lkc-tab-now'] ) ? esc_attr($_REQUEST['pz-lkc-tab-now'] )    : null;
+
+    if  (isset($_REQUEST['properties'] ) ) {
         check_admin_referer('pz-lkc-settings' );
-        switch  ($action) {
+
+        $properties =   $_REQUEST['properties'];
+        switch  ($action ) {
         case    'init-settings':
             $result         =   $this->pz_InitializeOption();   // オプションの初期化
@@ -53 +41 @@
         default:
             // 「変更を保存」もしくは「プラグインの再起動」をクリックしたとき
+            foreach($properties as $key => $value ) {
+                $properties[$key]       =   stripslashes($value );
+            }
             foreach($this->defaults as $key => $value ) {           // 無いキーを生成
                 if  (!array_key_exists($key, $properties ) ) {
@@ -58 +49 @@
                 }
             }
+
             $this->options  =   $properties;
 
@@ -138 +130 @@
 
             <?php wp_nonce_field('pz-lkc-settings' ); ?>
-            <input type="text" class="pz-lkc-tab-now pz-lkc-hide" name="pz-lkc-tab-now"    value="<?php echo $tab_now; ?>" />
-            <input type="text" class="pz-lkc-display pz-lkc-hide" name="pz-lkc-error"      value="<?php echo $this->options['error-mode']; ?>" />
-            <input type="text" class="pz-lkc-display pz-lkc-hide" name="pz-lkc-debug"      value="<?php echo $this->options['debug-mode']; ?>" />
-            <input type="text" class="pz-lkc-display pz-lkc-hide" name="pz-lkc-admin"      value="<?php echo $this->options['admin-mode']; ?>" />
-            <input type="text" class="pz-lkc-display pz-lkc-hide" name="pz-lkc-develop"    value="<?php echo $this->options['develop-mode']; ?>" />
-            <input type="text" class="pz-lkc-display pz-lkc-hide" name="pz-lkc-multisite"  value="<?php echo $is_multisite; ?>" />
-            <input type="text" class="pz-lkc-display pz-lkc-hide" name="pz-lkc-initialize" value="<?php echo $this->options['flg-initialize']; ?>" />
+            <input type="text" class="pz-lkc-tab-now pz-lkc-hide" name="pz-lkc-tab-now"    value="<?php echo esc_attr($tab_now ); ?>" />
+            <input type="text" class="pz-lkc-display pz-lkc-hide" name="pz-lkc-error"      value="<?php echo esc_attr($this->options['error-mode'] ); ?>" />
+            <input type="text" class="pz-lkc-display pz-lkc-hide" name="pz-lkc-debug"      value="<?php echo esc_attr($this->options['debug-mode'] ); ?>" />
+            <input type="text" class="pz-lkc-display pz-lkc-hide" name="pz-lkc-admin"      value="<?php echo esc_attr($this->options['admin-mode'] ); ?>" />
+            <input type="text" class="pz-lkc-display pz-lkc-hide" name="pz-lkc-develop"    value="<?php echo esc_attr($this->options['develop-mode'] ); ?>" />
+            <input type="text" class="pz-lkc-display pz-lkc-hide" name="pz-lkc-multisite"  value="<?php echo esc_attr($is_multisite ); ?>" />
+            <input type="text" class="pz-lkc-display pz-lkc-hide" name="pz-lkc-initialize" value="<?php echo esc_attr($this->options['flg-initialize'] ); ?>" />
 
             <div class="pz-lkc-tabs">
@@ -193 +185 @@
                         <th scope="row"><?php _e('Occurrence Time', $this->text_domain ); ?></th>
                         <td>
-                            <span class="pz-lkc-admin-only"><input name="properties[error-time]" type="text" value="<?php echo $this->options['error-time']; ?>" readonly="readonly" /></span>
+                            <span class="pz-lkc-admin-only"><input name="properties[error-time]" type="text" value="<?php echo esc_attr($this->options['error-time'] ); ?>" readonly="readonly" /></span>
                             <?php echo ($this->options['error-time'] ) ? date($this->datetime_format, $this->options['error-time'] ) : null ; ?>
                         </td>
@@ -262 +254 @@
                         <th scope="row"><?php echo  __('How to', $this->text_domain ).' '.__('(', $this->text_domain ).__('Japanese Only', $this->text_domain ).__(')', $this->text_domain ); ?></th>
                         <td>
-                            <p><?php echo   esc_attr($this->options['plugin-name']).' Ver.'.esc_attr($this->options['plugin-version'] ); ?></p>
+                            <p><?php echo   esc_attr($this->options['plugin-name'] ).' Ver.'.esc_attr($this->options['plugin-version'] ); ?></p>
                             <p><a href="<?php echo  esc_attr($plugin_url ); ?>" rel="external noopener" target="_blank"><?php echo  esc_attr($plugin_url ); ?></a></p>
                         </td>
@@ -1103 +1095 @@
                     <tr>
                         <th scope="row"><?php _e('Class ID to be Added (for PC)', $this->text_domain ); ?></th>
-                        <td><input name="properties[class-pc]"          type="text" size="40" value="<?php echo (isset($this->options['class-pc']) ? esc_attr($this->options['class-pc']) : '' ); ?>" /></td>
+                        <td><input name="properties[class-pc]"          type="text" size="40" value="<?php echo (isset($this->options['class-pc'] ) ? esc_attr($this->options['class-pc'] ) : '' ); ?>" /></td>
                     </tr>
                     <tr>
                         <th scope="row"><?php _e('Class ID to be Added (for Mobile)', $this->text_domain ); ?></th>
-                        <td><input name="properties[class-mobile]"      type="text" size="40" value="<?php echo (isset($this->options['class-mobile']) ? esc_attr($this->options['class-mobile']) : '' ); ?>" /><br>
+                        <td><input name="properties[class-mobile]"      type="text" size="40" value="<?php echo (isset($this->options['class-mobile'] ) ? esc_attr($this->options['class-mobile'] ) : '' ); ?>" /><br>
                     </tr>
 
@@ -1145 +1137 @@
                     <tr class="pz-lkc-debug-only">
                         <th scope="row"><span class="pz-lkc-admin-text"><?php _e('Administrator Mode', $this->text_domain ); ?></span></th>
-                        <td><label class="pz-lkc-admin-text"><input name="properties[admin-mode]" type="checkbox" value="1" class="pz-lkc-tab-show" <?php checked($this->options['admin-mode'] ); if (!$this->options['admin-mode']) {echo 'readonly="readonly"'; }; if (!$this->options['admin-mode'] ) { echo 'ondblclick="this.readOnly=false;"'; } ?> /><?php _e('Display information that is not normally needed or open special settings.', $this->text_domain ); _e('(Deprecated)', $this->text_domain ); ?></label></td>
+                        <td><label class="pz-lkc-admin-text"><input name="properties[admin-mode]" type="checkbox" value="1" class="pz-lkc-tab-show" <?php checked($this->options['admin-mode'] ); if (!$this->options['admin-mode'] ) {echo 'readonly="readonly"'; }; if (!$this->options['admin-mode'] ) { echo 'ondblclick="this.readOnly=false;"'; } ?> /><?php _e('Display information that is not normally needed or open special settings.', $this->text_domain ); _e('(Deprecated)', $this->text_domain ); ?></label></td>
                     </tr>
 

pz-linkcard/trunk/lib/pz-linkcard-style.php

@@ -368 +368 @@
                 $file_text = str_replace('/*EX-BGCOLOR*/',      'background-color: '.$this->options['ex-bgcolor'].';', $file_text );
             }
-            if ($this->options['ex-image']) {
-                if (preg_match('/https?(:\/\/[-_.!~*\'()a-zA-Z0-9;\/?:\@&=+\$,%#]+)$/', $this->options['ex-image'])) {
-                    $file_text = str_replace('/*EX-IMAGE*/',    'background-image: url("'.$this->options['ex-image'].'");', $file_text );
+            $bg_image       =   esc_url($this->options['ex-image'] );
+            if ($bg_image ) {
+                if (preg_match('/https?(:\/\/[-_.!~*\'()a-zA-Z0-9;\/?:\@&=+\$,%#]+)$/', $bg_image ) ) {
+                    $file_text = str_replace('/*EX-IMAGE*/',    'background-image: url("'.$bg_image.'");', $file_text );
                 } else {
-                    $file_text = str_replace('/*EX-IMAGE*/',    'background-image: '.$this->options['ex-image'].';', $file_text );
+                    $file_text = str_replace('/*EX-IMAGE*/',    'background-image: '.$bg_image.';', $file_text );
                 }
             }
@@ -380 +381 @@
                 $file_text = str_replace('/*IN-BGCOLOR*/',      'background-color: '.$this->options['in-bgcolor'].';', $file_text );
             }
-            if ($this->options['in-image']) {
-                if (preg_match('/https?(:\/\/[-_.!~*\'()a-zA-Z0-9;\/?:\@&=+\$,%#]+)$/', $this->options['in-image'])) {
-                    $file_text = str_replace('/*IN-IMAGE*/',    'background-image: url("'.$this->options['in-image'].'");', $file_text );
+            $bg_image       =   esc_url($this->options['in-image'] );
+            if ($bg_image ) {
+                if (preg_match('/https?(:\/\/[-_.!~*\'()a-zA-Z0-9;\/?:\@&=+\$,%#]+)$/', $bg_image)) {
+                    $file_text = str_replace('/*IN-IMAGE*/',    'background-image: url("'.$bg_image.'");', $file_text );
                 } else {
-                    $file_text = str_replace('/*IN-IMAGE*/',    'background-image: '.$this->options['in-image'].';', $file_text );
+                    $file_text = str_replace('/*IN-IMAGE*/',    'background-image: '.$bg_image.';', $file_text );
                 }
             }
@@ -392 +394 @@
                 $file_text = str_replace('/*TH-BGCOLOR*/',      'background-color: '.$this->options['th-bgcolor'].';', $file_text );
             }
-            if ($this->options['th-image']) {
-                if (preg_match('/https?(:\/\/[-_.!~*\'()a-zA-Z0-9;\/?:\@&=+\$,%#]+)$/', $this->options['th-image'])) {
-                    $file_text = str_replace('/*TH-IMAGE*/',    'background-image: url("'.$this->options['th-image'].'");', $file_text );
+            $bg_image       =   esc_url($this->options['th-image'] );
+            if ($bg_image ) {
+                if (preg_match('/https?(:\/\/[-_.!~*\'()a-zA-Z0-9;\/?:\@&=+\$,%#]+)$/', $bg_image)) {
+                    $file_text = str_replace('/*TH-IMAGE*/',    'background-image: url("'.$bg_image.'");', $file_text );
                 } else {
-                    $file_text = str_replace('/*TH-IMAGE*/',    'background-image: '.$this->options['th-image'].';', $file_text );
+                    $file_text = str_replace('/*TH-IMAGE*/',    'background-image: '.$bg_image.';', $file_text );
                 }
             }

pz-linkcard/trunk/pz-linkcard.php

@@ -3 +3 @@
 /*
 Plugin Name:    Pz-LinkCard
-Plugin URI:     http://poporon.poponet.jp/pz-linkcard
+Plugin URI:     http://popozure.info/pz-linkcard
 Description:    リンクをカード形式で表示します。
-Version:        2.5.2
+Version:        2.5.3
 Author:         Poporon
-Author URI:     http://poporon.poponet.jp
+Author URI:     http://popozure.info
 Text Domain:    pz-linkcard
 Domain Path:    /language
@@ -17 +17 @@
     protected   $defaults           =
         array(
-            'plugin-version'        =>  '2.5.2',
+            'plugin-version'        =>  '2.5.3',
             'plugin-name'           =>  'Pz-LinkCard',
             'plugin-abbreviation'   =>  'Pz-LkC',
@@ -561 +561 @@
         $class_id       =   'linkcard';
         if  ($is_mobile && $this->options['class-mobile'] ) {
-            $class_id   .=  ' '.$this->options['class-mobile'];
+            $class_id   .=  ' '.esc_attr($this->options['class-mobile'] );
         } elseif    ($this->options['class-pc'] ) {
-            $class_id   .=  ' '.$this->options['class-pc'];
+            $class_id   .=  ' '.esc_attr($this->options['class-pc'] );
         }
 
@@ -672 +672 @@
                 $thumbnail_alt  =   null;
                 $favicon_alt    =   null;
-                $info           =   isset($this->options['th-info'] )       ? $this->options['th-info']         : null ;
+                $info_text      =   isset($this->options['th-info'] )       ? $this->options['th-info']         : null ;
                 $sw_thumbnail   =   isset($this->options['in-thumbnail'] )  ? $this->options['in-thumbnail']    : 0 ;
                 $sw_favicon     =   isset($this->options['in-favicon'] )    ? $this->options['in-favicon']      : 0 ;
@@ -684 +684 @@
                 $thumbnail_alt  =   isset($this->options['in-thumbnail-alt'] )  ? $this->options['in-thumbnail-alt']    : null ;
                 $favicon_alt    =   isset($this->options['in-favicon-alt'] )    ? $this->options['in-favicon-alt']      : null ;
-                $info           =   isset($this->options['in-info'] )           ? $this->options['in-info']             : null ;
+                $info_text      =   isset($this->options['in-info'] )           ? $this->options['in-info']             : null ;
                 $sw_thumbnail   =   isset($this->options['in-thumbnail'] )      ? $this->options['in-thumbnail']        : 0 ;
                 $sw_favicon     =   isset($this->options['in-favicon'] )        ? $this->options['in-favicon']          : 0 ;
@@ -708 +708 @@
             $thumbnail_alt      =   isset($this->options['ex-thumbnail-alt'] )  ? $this->options['ex-thumbnail-alt']    : null ;
             $favicon_alt        =   isset($this->options['ex-favicon-alt'] )    ? $this->options['ex-favicon-alt']      : null ;
-            $info               =   isset($this->options['ex-info'] )           ? $this->options['ex-info']             : null ;
+            $info_text          =   isset($this->options['ex-info'] )           ? $this->options['ex-info']             : null ;
             $sw_thumbnail       =   isset($this->options['ex-thumbnail'] )      ? $this->options['ex-thumbnail']        : 0 ;
             $sw_favicon         =   isset($this->options['ex-favicon'] )        ? $this->options['ex-favicon']          : 0 ;
         }
+
+        // XSS対策
+        $more_text          =   esc_attr($more_text );
+        $info_text          =   esc_attr($info_text );
+        $thumbnail_alt      =   esc_attr($thumbnail_alt );
+        $favicon_alt        =   esc_attr($favicon_alt );
 
         // ドメイン名の準備
@@ -969 +975 @@
 
         // サイト情報
-        if  ($info ) {
-            $added_info =   $html_added_op.$info.$html_added_cl;
+        if  ($info_text ) {
+            $added_info =   $html_added_op.$info_text.$html_added_cl;
         } else {
             $added_info =   null;
@@ -981 +987 @@
             $info_date  =   null;
         }
-        $domain_info    =   
-                '<div class="lkc-info">'.
-                    $html_a_op.
-                        $html_favicon.
-                        '<div class="lkc-domain"'.
-                            $title_sitename.'>'.
-                            $disp_sitename.
-                        '</div>'.
-                        $added_info.
-                    $html_a_cl.
-                    $html_sns_info.
-                    $html_url2.
-                    $info_date.
-                '</div>';
+        $domain_info    =   '<div class="lkc-info">'.$html_a_op.$html_favicon.'<div class="lkc-domain"'.$title_sitename.'>'.$disp_sitename.'</div>'.$added_info.$html_a_cl.$html_sns_info.$html_url2.$info_date.'</div>';
 
         // Google AMP用 簡易タグ作成
@@ -1051 +1044 @@
         // URL指定なし
         if  (!$url ) {
+            return  null;
+        }
+
+        // URLの安全性チェック
+        if (!wp_http_validate_url( $url ) ) {
             return  null;
         }
@@ -1324 +1322 @@
         //  $count_before   =   isset($data['sns_twitter'] ) ? $data['sns_twitter'] : -1;
         //  if  ($sns_renew || $count_before < 0 ) {
-        //      $result =   wp_remote_get('https://jsoon.digitiminimi.com/twitter/count.json?url=' .$url_raw, $opt );
+        //      $result =   wp_safe_remote_get('https://jsoon.digitiminimi.com/twitter/count.json?url=' .$url_raw, $opt );
         //      if  (isset($result ) && !is_wp_error($result ) && $result['response']['code'] == 200 ) {
         //          $json   =   json_decode($result['body'] );
@@ -1340 +1338 @@
         //  $count_before   =   intval(isset($data['sns_facebook'] ) ? $data['sns_facebook'] : -1 );
         //  if  ($sns_renew || $count_before < 0 ) {
-        //      $result =   wp_remote_get('https://graph.facebook.com?fields=og_object{engagement}&id=' .$url_raw, $opt );
+        //      $result =   wp_safe_remote_get('https://graph.facebook.com?fields=og_object{engagement}&id=' .$url_raw, $opt );
         //      if  (isset($result ) && !is_wp_error($result ) && $result['response']['code'] == 200 ) {
         //          $json   =   json_decode($result['body'] );
@@ -1356 +1354 @@
             $count_before   =   isset($data['sns_hatena'] ) ? $data['sns_hatena'] : -1;
             if  ($sns_renew || $count_before < 0 ) {
-                $result =   wp_remote_get('http://api.b.st-hatena.com/entry.count?url=' .$url_raw, $opt );
+                $result =   wp_safe_remote_get('http://api.b.st-hatena.com/entry.count?url=' .$url_raw, $opt );
                 if  (isset($result ) && !is_wp_error($result ) && $result['response']['code'] == 200 ) {
                     $count  =   intval($result['body'] );
@@ -1371 +1369 @@
             $count_before   =   isset($data['sns_pocket'] ) ? $data['sns_pocket'] : -1;
             if  ($sns_renew || $count_before < 0 ) {
-                $result =   wp_remote_get('https://widgets.getpocket.com/api/saves?url=' .$url_raw, $opt );
+                $result =   wp_safe_remote_get('https://widgets.getpocket.com/api/saves?url=' .$url_raw, $opt );
                 if  (isset($result ) && !is_wp_error($result ) && $result['response']['code'] == 200 ) {
                     $json   =   json_decode($result['body'] );
@@ -1810 +1808 @@
         }
 
+        // URLの安全性チェック
+        if (!wp_http_validate_url( $url ) ) {
+            return  null;
+        }
+
         // URLエンコード
         $url            =   $this->pz_EncodeURL($url ,true );
@@ -1880 +1883 @@
         } else {                                                        // cURLが使用できない場合
             // wp_remote_get 実行
-            $rget_data          =   wp_remote_get($url );               // wp_remote_get実行
+            $rget_data          =   wp_safe_remote_get($url );              // wp_remote_get実行
             $err_no             =   is_wp_error($rget_data );           // wp_remote_getエラー有無
             $err_message        =   null;                               // wp_remote_getエラーメッセージ
@@ -2390 +2393 @@
     // 管理画面のサブメニュー追加
     public function add_menu() {
-//      $menu_manager   =   __('Pz LkC Cache',  $this->text_domain );
+        $menu_manager   =   __('Pz LkC Cache',  $this->text_domain );
         $menu_settings  =   __('Pz LinkCard',   $this->text_domain );
-//      if  ($this->options['flg-alive'] && $this->options['flg-alive-count'] ) {
-//          global  $wpdb;
-//          $result     =   $wpdb->get_row("SELECT COUNT(*) AS count FROM $this->db_name WHERE alive_result < 100 OR alive_result >= 400");
-//          if  (isset($result ) && isset($result->count ) ) {
-//              $menu_manager   .=  '&nbsp;<span class="update-plugins"><span class="update-count lkc-menu-count">'.$result->count.'</span></span>';
-//          }
-//      }
-//      add_management_page (__('LinkCard Cache Manager',   $this->text_domain ), $menu_manager,    'manage_options', 'pz-linkcard-cacheman',   array($this, 'page_cacheman' ) );
+        if  ($this->options['flg-alive'] && $this->options['flg-alive-count'] ) {
+            global  $wpdb;
+            $result     =   $wpdb->get_row("SELECT COUNT(*) AS count FROM $this->db_name WHERE alive_result < 100 OR alive_result >= 400");
+            if  (isset($result ) && isset($result->count ) ) {
+                $menu_manager   .=  '&nbsp;<span class="update-plugins"><span class="update-count lkc-menu-count">'.$result->count.'</span></span>';
+            }
+        }
+        add_management_page (__('LinkCard Cache Manager',   $this->text_domain ), $menu_manager,    'manage_options', 'pz-linkcard-cacheman',   array($this, 'page_cacheman' ) );
         add_options_page    (__('LinkCard Settings',        $this->text_domain ), $menu_settings,   'manage_options', 'pz-linkcard-settings',   array($this, 'page_settings' ) );
     }
@@ -2418 +2421 @@
             $links,
             array(
+                'manager'   =>  '<a href="'.$this->cacheman_url.'">'.__('Manager' , $this->text_domain ).'</a>',
                 'settings'  =>  '<a href="'.$this->settings_url.'">'.__('Settings', $this->text_domain ).'</a>',
             )
@@ -2423 +2427 @@
     }
 
-//              'manager'   =>  '<a href="'.$this->cacheman_url.'">'.__('Manager' , $this->text_domain ).'</a>',
 
     // プラグインを有効化

pz-linkcard/trunk/readme.txt

@@ -152 +152 @@
 == Changelog ==
 
+= 2.5.3 =
+* WordPress 6.4.3 での動作確認。
+  Compatible with WordPress 6.4.3.
+* 「SSRF（サーバーサイドリクエストフォージェリ）」に対する脆弱性があったため、対策を行いました。
+  Fixed: SSRF vulnerability was discovered and countermeasures were taken.
+* 「XSS（クロスサイトスクリプティング）」に対する脆弱性があったため、対策を行いました。
+  Fixed: XSS vulnerability was discovered and countermeasures were taken.
+* 「Reflected-XSS（反射型クロスサイトスクリプティング）」に対する脆弱性があったため、対策を行いました。
+  Fixed: Reflected-XSS vulnerability was discovered and countermeasures were taken.
+* ソーシャルカウントの取得方法を修正しました。
+  Fixed: Modified "How to access the External Links" to be even more secure.
+* URLの安全性チェックを追加しました。
+  Fixed: Modified "URL Checks" to be even more secure.
+
 = 2.5.2 =
-* 一次的に管理画面を使用できないようにしました。
+* 欠番。
 
 = 2.5.1 =