Changeset 3136302

Timestamp:

08/15/2024 07:55:02 PM (20 months ago)

Author:

levantoan

Message:

FIX Authenticated (Author+) PHP Object Injection. Thanks to Lucio Sá

Location:

devvn-image-hotspot

Files:

• tags/1.2.4 (added)
• tags/1.2.4/admin (added)
• tags/1.2.4/admin/css (added)
• tags/1.2.4/admin/css/bootstrap.css (added)
• tags/1.2.4/admin/css/maps_points_style.css (added)
• tags/1.2.4/admin/inc (added)
• tags/1.2.4/admin/inc/add_shortcode_devvn_ihotspot.php (added)
• tags/1.2.4/admin/inc/cpt-ihotspot.php (added)
• tags/1.2.4/admin/inc/metabox-donate.php (added)
• tags/1.2.4/admin/inc/settings.php (added)
• tags/1.2.4/admin/js (added)
• tags/1.2.4/admin/js/bootstrap.min.js (added)
• tags/1.2.4/admin/js/maps_points.js (added)
• tags/1.2.4/devvn-image-hotspot.php (added)
• tags/1.2.4/frontend (added)
• tags/1.2.4/frontend/css (added)
• tags/1.2.4/frontend/css/ihotspot.min.css (added)
• tags/1.2.4/frontend/css/jquery.powertip.min.css (added)
• tags/1.2.4/frontend/css/maps_points.css (added)
• tags/1.2.4/frontend/js (added)
• tags/1.2.4/frontend/js/jquery.ihotspot.min.js (added)
• tags/1.2.4/frontend/js/jquery.powertip.min.js (added)
• tags/1.2.4/frontend/js/maps_points.js (added)
• tags/1.2.4/i18n (added)
• tags/1.2.4/i18n/languages (added)
• tags/1.2.4/i18n/languages/devvn-image-hotspot.pot (added)
• tags/1.2.4/languages (added)
• tags/1.2.4/languages/devvn-image-hotspot.pot (added)
• tags/1.2.4/license.txt (added)
• tags/1.2.4/readme.txt (added)
• tags/1.2.4/screenshot-1.png (added)
• tags/1.2.4/screenshot-2.png (added)
• trunk/admin/inc/add_shortcode_devvn_ihotspot.php (modified) (1 diff)
• trunk/admin/js/maps_points.js (modified) (1 diff)
• trunk/devvn-image-hotspot.php (modified) (8 diffs)
• trunk/readme.txt (modified) (2 diffs)

devvn-image-hotspot/trunk/admin/inc/add_shortcode_devvn_ihotspot.php

@@ -12 +12 @@
     
     $data_post = get_post_meta($idPost, 'hotspot_content', true);
+
+    if(!is_serialized($data_post) && !is_array($data_post) && is_string($data_post)){
+        $data_post = json_decode($data_post, true);
+    }
 
     if(!$data_post){

devvn-image-hotspot/trunk/admin/js/maps_points.js

@@ -125 +125 @@
                     source https://github.com/ccbgs/load_editor
                     */
-                    quicktags({id : fullId});
-                    tinymce.init({
-                        selector:"#" + fullId,
-                        content_css : meta_image.editor_style,
-                        min_height: 200,
-                        textarea_name: "pointdata[content][]",                      
-                        relative_urls:false,
-                        remove_script_host:false,
-                        convert_urls:false,
-                        browser_spellcheck:false,
-                        fix_list_elements:true,
-                        entities:"38,amp,60,lt,62,gt",
-                        entity_encoding:"raw",
-                        keep_styles:false,
-                        //paste_webkit_styles:"font-weight font-style color",
-                        //preview_styles:"font-family font-size font-weight font-style text-decoration text-transform",
-                        wpeditimage_disable_captions:false,
-                        wpeditimage_html5_captions:true,
-                        plugins:"charmap,hr,media,paste,tabfocus,textcolor,wordpress,wpeditimage,wpgallery,wplink,wpdialogs,wpview",                        
-                        resize:"vertical",
-                        menubar:false,
-                        wpautop:true,
-                        indent:false,
-                        toolbar1:"bold,italic,strikethrough,bullist,numlist,blockquote,hr,alignleft,aligncenter,alignright,link,unlink,wp_more,spellchecker,wp_adv",
-                        toolbar2:"formatselect,underline,alignjustify,forecolor,pastetext,removeformat,charmap,outdent,indent,undo,redo,wp_help",
-                        toolbar3:"",
-                        toolbar4:"",
-                        tabfocus_elements:":prev,:next",                                    
-                    });
-                    
-                    // this is needed for the editor to initiate
-                    tinyMCE.execCommand('mceFocus', false, fullId);
-                    tinyMCE.execCommand('mceRemoveEditor', false, fullId);
-                    tinyMCE.execCommand('mceAddEditor', false, fullId);                     
+                    if(typeof quicktags != "undefined") {
+                        quicktags({id: fullId});
+                    }
+
+                    if(typeof tinymce != "undefined") {
+                        tinymce.init({
+                            selector: "#" + fullId,
+                            content_css: meta_image.editor_style,
+                            min_height: 200,
+                            textarea_name: "pointdata[content][]",
+                            relative_urls: false,
+                            remove_script_host: false,
+                            convert_urls: false,
+                            browser_spellcheck: false,
+                            fix_list_elements: true,
+                            entities: "38,amp,60,lt,62,gt",
+                            entity_encoding: "raw",
+                            keep_styles: false,
+                            //paste_webkit_styles:"font-weight font-style color",
+                            //preview_styles:"font-family font-size font-weight font-style text-decoration text-transform",
+                            wpeditimage_disable_captions: false,
+                            wpeditimage_html5_captions: true,
+                            plugins: "charmap,hr,media,paste,tabfocus,textcolor,wordpress,wpeditimage,wpgallery,wplink,wpdialogs,wpview",
+                            resize: "vertical",
+                            menubar: false,
+                            wpautop: true,
+                            indent: false,
+                            toolbar1: "bold,italic,strikethrough,bullist,numlist,blockquote,hr,alignleft,aligncenter,alignright,link,unlink,wp_more,spellchecker,wp_adv",
+                            toolbar2: "formatselect,underline,alignjustify,forecolor,pastetext,removeformat,charmap,outdent,indent,undo,redo,wp_help",
+                            toolbar3: "",
+                            toolbar4: "",
+                            tabfocus_elements: ":prev,:next",
+                        });
+
+                        // this is needed for the editor to initiate
+                        tinyMCE.execCommand('mceFocus', false, fullId);
+                        tinyMCE.execCommand('mceRemoveEditor', false, fullId);
+                        tinyMCE.execCommand('mceAddEditor', false, fullId);
+
+                    }
                     
                     doDraggable();

devvn-image-hotspot/trunk/devvn-image-hotspot.php

@@ -5 +5 @@
 Description: Image Hotspot help you add hotspot to your images.
 Author: Le Van Toan
-Version: 1.2.3
+Version: 1.2.4
 Author URI: https://levantoan.com/
 Text Domain: devvn-image-hotspot
@@ -30 +30 @@
 defined( 'ABSPATH' ) or die( 'No script kiddies please!' );
 
-define('DEVVN_IHOTSPOT_VER', '1.2.3');
+define('DEVVN_IHOTSPOT_VER', '1.2.4');
 define('DEVVN_IHOTSPOT_DEV_MOD', true);
+
 if ( !defined( 'DEVVN_IHOTSPOT_BASENAME' ) )
     define( 'DEVVN_IHOTSPOT_BASENAME', plugin_basename( __FILE__ ) );
 
-define('DEVVN_IHOTSPOT_POINT_DEFAULT',serialize(array(
+define('DEVVN_IHOTSPOT_POINT_DEFAULT', json_encode(array(
     'countPoint'    =>  '',
     'content'       =>  '',
@@ -46 +47 @@
     'pins_class'    =>  ''
 )));
-define('DEVVN_IHOTSPOT_PINS_DEFAULT',serialize(array(
+define('DEVVN_IHOTSPOT_PINS_DEFAULT', json_encode(array(
     'countPoint'    =>  '',
     'imgPoint'      =>  '',
@@ -98 +99 @@
 
     $data_post = get_post_meta($post->ID, 'hotspot_content', true);
+
+    if(!is_serialized($data_post) && !is_array($data_post) && is_string($data_post)){
+        $data_post = json_decode($data_post, true);
+    }
 
     if(!$data_post){
@@ -308 +313 @@
         'data_points'       =>  $dataPoints
     );
-    update_post_meta($post_id, 'hotspot_content', $data_post);
+    update_post_meta($post_id, 'hotspot_content', json_encode($data_post));
     /*remove_action( 'save_post', 'devvn_ihotspot_save_meta_box_data' );
     wp_update_post(array(
@@ -358 +363 @@
         
         wp_enqueue_script( 'jquery-ui-core' );
-        wp_enqueue_script('jquery-ui-droppable');       
-        
-        /*wp_register_script( 'bootstrap-js', plugin_dir_url( __FILE__ ) . 'admin/js/bootstrap.min.js', array( 'jquery' ), DEVVN_IHOTSPOT_VER, true );
-        wp_enqueue_script( 'bootstrap-js' );*/
-
-        wp_register_script( 'maps_points', plugin_dir_url( __FILE__ ) . 'admin/js/maps_points.js', array( 'jquery' ), DEVVN_IHOTSPOT_VER, true );
+        wp_enqueue_script('jquery-ui-droppable');
+
+        wp_register_script( 'devvn-tinymce', home_url('/wp-includes/js/tinymce/wp-tinymce.js'), array(), DEVVN_IHOTSPOT_VER, true );
+
+        wp_register_script( 'maps_points', plugin_dir_url( __FILE__ ) . 'admin/js/maps_points.js', array( 'jquery', 'quicktags', 'devvn-tinymce', 'editor'), DEVVN_IHOTSPOT_VER, true );
         wp_localize_script( 'maps_points', 'meta_image',
             array(
@@ -405 +409 @@
 function devvn_ihotspot_get_input_point_default($data = array()){
     if(!is_array($data)) $data = array();
-    $data = wp_parse_args($data,unserialize(DEVVN_IHOTSPOT_POINT_DEFAULT));
+    $data = wp_parse_args($data, json_decode(DEVVN_IHOTSPOT_POINT_DEFAULT, true));
         
     $countPoint                 = isset($data['countPoint'])?$data['countPoint']:'';
@@ -527 +531 @@
 function devvn_ihotspot_get_pins_default($datapin = array()){
     if(!is_array($datapin)) $datapin = array();
-    $datapin = wp_parse_args($datapin,unserialize(DEVVN_IHOTSPOT_PINS_DEFAULT));
+    $datapin = wp_parse_args($datapin, json_decode(DEVVN_IHOTSPOT_PINS_DEFAULT, true));
     $countPoint = $datapin['countPoint'];
     $imgPin = $datapin['imgPoint'];
     $topPin = $datapin['top'];
     $leftPin = $datapin['left'];
-    $pins_image_custom = $datapin['pins_image_custom'];
+    $pins_image_custom = isset($datapin['pins_image_custom']) && $datapin['pins_image_custom'] ? $datapin['pins_image_custom'] : '';
     if($pins_image_custom) $imgPin = $pins_image_custom;
     ob_start();

devvn-image-hotspot/trunk/readme.txt

@@ -4 +4 @@
 Tags: hotspot, points, image, maps, image hotspot
 Requires at least: 4.3
-Tested up to: 5.9.1
-Stable tag: 1.2.3
+Tested up to: 6.6.1
+Stable tag: 1.2.4
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0
@@ -50 +50 @@
 
 For more information, see [Releases](https://levantoan.com/devvn-image-hotspot).
+
+= 1.2.4 - 16/08/2024 =
+
+* FIX Authenticated (Author+) PHP Object Injection. Thanks to Lucio Sá
+* Add editor js and tinymce js
 
 = 1.2.2 - 05/03/2022 =