
Changeset 3161680


Timestamp:
10/02/2024 06:44:28 PM (17 months ago)
Author:
switcorp
Message:

v1.1.0
Security fixes

Location:
activitytime
Files:
354 added
10 edited

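--- a/activitytime/trunk/README.txt
+++ b/activitytime/trunk/README.txt
@@ -5,5 +5,5 @@
 Requires at least: 5.0
 Tested up to: 6.3
-Stable tag: 1.0.9
+Stable tag: 1.1.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -68,4 +68,7 @@
 == Changelog ==
 
+= 1.1.0 =
+* Security fix
+
 = 1.0.9 =
 * Activity time By Post Type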
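--- a/activitytime/trunk/activitytime.php
+++ b/activitytime/trunk/activitytime.php
@@ -17,5 +17,5 @@
  * Plugin URI:        https://swit.hr/
  * Description:       Plugin will accurately measure all activity time per page and user like working time, reading time, watching time, sessions time for specific user on specific page.
- * Version:           1.0.9
+ * Version:           1.1.0
  * Author:            SWIT
  * Author URI:        https://swit.hr/
@@ -39,5 +39,5 @@
  * Rename this for your plugin and update it as you release new versions.
  */
-define( 'ACTIVITYTIME_VERSION', '1.0.8' );
+define( 'ACTIVITYTIME_VERSION', '1.1.0' );
 define( 'ACTIVITYTIME_NAME', 'actt' );
 define( 'ACTIVITYTIME_PATH', plugin_dir_path( __FILE__ ) );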
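--- a/activitytime/trunk/application/controllers/Actt_time_by_postacc.php
+++ b/activitytime/trunk/application/controllers/Actt_time_by_postacc.php
@@ -205,5 +205,5 @@
         // configuration
         $where = array();
-        $post_type = sanitize_text_field($this->input->get('post_type'));
+        $post_type = sanitize_text_field($this->input->get('type'));
         if(!empty($post_type)) {
 
@@ -223,4 +223,8 @@
         }
 
+        $field_user = sanitize_text_field($this->input->get('filter_user'));
+        if(!empty($field_user))
+            $where['(user_info LIKE "%'.esc_html($field_user).'%")'] = NULL;
+       
         /* modify GET for actt_prepare_search_query_GET */
         global $_GET;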
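Review bot: The LIKE filter at new line 227 interpolates `$field_user` into SQL through `esc_html()`, which is an HTML-context escaper rather than a SQL one: backslashes and the LIKE wildcards `%`/`_` pass through untouched, and the column is compared against an entity-encoded string, so a stored value containing `&` or `<` would presumably no longer match. Build the fragment with the database API instead, `$where[$wpdb->prepare('(user_info LIKE %s)', '%' . $wpdb->esc_like($field_user) . '%')] = NULL;`, which keeps the `$where` shape the rest of the method uses; whether the consumer of `$where` tolerates an already-quoted fragment cannot be seen from here. The enclosing method starts and ends outside both hunks.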
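--- a/activitytime/trunk/application/views/actt_sessions/index.php
+++ b/activitytime/trunk/application/views/actt_sessions/index.php
@@ -79,5 +79,5 @@
     var table;
 
-    $('#din-table input[type="text"]').val('');
+    $('#din-table input[type="text"]:not([name="filter_user"])').val('');
 
     /* update filters for export */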
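--- a/activitytime/trunk/application/views/actt_time_by_post_pageacc/index.php
+++ b/activitytime/trunk/application/views/actt_time_by_post_pageacc/index.php
@@ -223,5 +223,5 @@
                 $('#din-table input[type="text"],.dataTables_filter input.dinamic_par,input[name="post_type"]').on('input', function()
                 {
-                    var query_filter = $('#din-table input[type="text"],.dataTables_filter input.dinamic_par,input[name="post_type"]').serialize();
+                    var query_filter = $('#din-table input[type="text"],.dataTables_filter input.dinamic_par,input[name="post_type"]').serialize().replace('post_type','type');
                     $('.export_csv').attr('href', '<?php echo get_admin_url() . "admin.php?page=actt_time_by_postacc&function=export_csv_per_page"; ?>&'+query_filter.replace(/-/g, "+hyphens+"));
                 });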
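Review bot: `.replace('post_type','type')` at new line 225 uses a string pattern, so it rewrites only the first occurrence and matches the substring wherever it appears in the serialized query, including inside a typed filter value; the same call is added in actt_time_per_pageacc/index.php at new line 95. Anchor the rewrite to the parameter name, `.replace(/(^|&)post_type=/, '$1type=')`, or rename the input to `name="type"` so the server-side key and the form field agree without any rewrite. The enclosing ready-callback starts and ends outside the hunk.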
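--- a/activitytime/trunk/application/views/actt_time_per_page/index.php
+++ b/activitytime/trunk/application/views/actt_time_per_page/index.php
@@ -82,5 +82,5 @@
 jQuery(document).ready(function($) {
 
-    $('#din-table input[type="text"]').val('');
+    $('#din-table input[type="text"]:not([name="filter_title"])').val('');
 
     /* update filters for export */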
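--- a/activitytime/trunk/application/views/actt_time_per_pageacc/index.php
+++ b/activitytime/trunk/application/views/actt_time_per_pageacc/index.php
@@ -89,9 +89,9 @@
     });*/
 
-    $('#din-table input[type="text"]').val('');
+    $('#din-table input[type="text"]:not([name="filter_title"])').val('');
 
     $('#din-table input[type="text"]').on('keyup', function()
     {
-        var query_filter = $('#din-table input[type="text"]').serialize();
+        var query_filter = $('#din-table input[type="text"]').serialize().replace('post_type','type');
 
         $('.export_csv').attr('href', '<?php echo get_admin_url() . "admin.php?page=actt_time_per_pageacc&function=export_csv_per_pageacc"; ?>&'+query_filter);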
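--- a/activitytime/trunk/includes/class-activitytime.php
+++ b/activitytime/trunk/includes/class-activitytime.php
@@ -377,8 +377,22 @@
         global $wpdb;
 
+
+        $wmvc_xss_clean_uri = function($uri_prepared) {
+           
+            $uri_prepared = str_replace(array('SELECT ', '"',"'",'%2527','%27','UPDATE ','SLEEP('), '', $uri_prepared);
+
+            $dangerous_schemes = ['javascript:', 'data:', 'vbscript:', 'alert(','OR 1=1'];
+            foreach ($dangerous_schemes as $scheme) {
+                if (stripos($uri_prepared, $scheme) === 0) {
+                    return '';
+                }
+            }
+       
+            return $uri_prepared;
+        };
+       
         // regular update time_end
-       
         $query = 'UPDATE '.$wpdb->prefix.'actt_visited_pages SET time_end=\''.current_time( 'mysql' ).
-                 '\' WHERE request_uri = \''.sanitize_text_field(wmvc_xss_clean($uri_prepared)).'\'';
+                 '\' WHERE request_uri = \''.esc_sql($wmvc_xss_clean_uri(sanitize_text_field(wmvc_xss_clean($uri_prepared)))).'\'';
    
         if(!empty(get_current_user_id()))
@@ -388,5 +402,5 @@
         else
         {
-            $query .= ' AND ip=\''.sanitize_text_field(actt_get_the_user_ip()).'\'';
+            $query .= ' AND ip=\''.esc_sql(sanitize_text_field(actt_get_the_user_ip())).'\'';
         }
 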
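Review bot: The `$wmvc_xss_clean_uri` closure added at new lines 380-392 is a keyword denylist, not a security control; the actual protection in this hunk is the `esc_sql()` wrapper at new line 396, and the closure only changes which row the UPDATE matches, because any `request_uri` containing a quote, `%27` or one of the listed words is altered or emptied before the comparison and will no longer equal the value stored for that visit, assuming the insert path stores the unfiltered URI. Build the statement with `$wpdb->prepare()` and drop the closure; the `ip` clause at new line 404 can be prepared the same way, which also removes the hand-built quoting. The enclosing method starts before old line 377 and continues past new line 406.
```php
        // regular update time_end
        $query = $wpdb->prepare(
            'UPDATE ' . $wpdb->prefix . 'actt_visited_pages SET time_end = %s WHERE request_uri = %s',
            current_time( 'mysql' ),
            sanitize_text_field( wmvc_xss_clean( $uri_prepared ) )
        );
        // … unchanged: logged-in user branch …
        else
        {
            $query .= $wpdb->prepare( ' AND ip = %s', sanitize_text_field( actt_get_the_user_ip() ) );
        }
```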
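--- a/activitytime/trunk/vendor/Winter_MVC/core/helpers.php
+++ b/activitytime/trunk/vendor/Winter_MVC/core/helpers.php
@@ -837,5 +837,5 @@
     foreach($options as $key=>$val)
     {
-        $output.= '<option value="'.$key.'" '.($selected==$key?'selected':'').'>'.$val.'</option>';
+        $output.= '<option value="'.$key.'" '.($selected==$key&&$selected != ''?'selected':'').'>'.$val.'</option>';
     }
 
@@ -953,5 +953,5 @@
         <a class="delete-custom-img <?php if ( ! $you_have_file  ) { echo 'hidden'; } ?>"
         href="#">
-            <?php echo esc_html__('Remove file','wmvc_win') ?>
+            <?php echo esc_html__('Remove all files','wmvc_win') ?>
         </a>
     </p>
@@ -1047,5 +1047,5 @@
         <a class="button button-secondary delete-custom-img <?php if ( ! $you_have_img  ) { echo 'hidden'; } ?>"
         href="#">
-            <?php echo esc_html__('Remove images','wmvc_win') ?>
+            <?php echo esc_html__('Remove all images','wmvc_win') ?>
         </a>
     </p>
@@ -1151,4 +1151,6 @@
     // Remove namespaced elements (we do not need them)
     $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);
+    $data = preg_replace("/(\b1=1\b|\) OR\b)/", "", $data);
+    $data = preg_replace("/alert\(/", "", $data);
 
     do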
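Review bot: The two `preg_replace` calls added at new lines 1153-1154 delete `1=1`, `) OR` and `alert(` from `$data`, which silently rewrites legitimate content that happens to contain those strings and does not make the value safe for any particular sink; SQL safety belongs to `$wpdb->prepare()`/`esc_sql()` at the query and HTML safety to `esc_html()`/`esc_attr()` at output, both of which this changeset already uses elsewhere. If the lines stay, a comment such as `// heuristic cleanup only; callers must still escape for their output context` would keep readers from treating this as the protection. Separately, the guard added at new line 839 leaves `$selected==$key` as a loose comparison; `(string) $selected === (string) $key && $selected !== ''` states the intent and avoids the type-juggling cases the guard is presumably working around. The enclosing functions start and end outside their hunks.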
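--- a/activitytime/trunk/vendor/Winter_MVC/core/mvc_loader.php
+++ b/activitytime/trunk/vendor/Winter_MVC/core/mvc_loader.php
@@ -78,9 +78,9 @@
         if(empty($this->plugin_directory))
         {
-            $file = WINTER_MVC_PATH.'/../../application/helpers/'.sanitize_file_name(ucfirst($filename)).'.php';
-        }
-        else
-        {
-            $file = $this->plugin_directory.'application/helpers/'.sanitize_file_name(ucfirst($filename)).'.php';
+            $file = WINTER_MVC_PATH.'/../../application/helpers/'.ucfirst(sanitize_file_name($filename)).'.php';
+        }
+        else
+        {
+            $file = $this->plugin_directory.'application/helpers/'.ucfirst(sanitize_file_name($filename)).'.php';
         }
 
@@ -93,9 +93,9 @@
         if(empty($this->plugin_directory))
         {
-            $file = WINTER_MVC_PATH.'/../../application/controllers/'.sanitize_file_name(ucfirst($class)).'.php';
-        }
-        else
-        {
-            $file = $this->plugin_directory.'application/controllers/'.sanitize_file_name(ucfirst($class)).'.php';
+            $file = WINTER_MVC_PATH.'/../../application/controllers/'.ucfirst(sanitize_file_name($class)).'.php';
+        }
+        else
+        {
+            $file = $this->plugin_directory.'application/controllers/'.ucfirst(sanitize_file_name($class)).'.php';
         }
 
@@ -197,9 +197,9 @@
         if(empty($this->plugin_directory))
         {
-            $file = WINTER_MVC_PATH.'/../../application/models/'.sanitize_file_name(ucfirst($class)).'.php';
-        }
-        else
-        {
-            $file = $this->plugin_directory.'application/models/'.sanitize_file_name(ucfirst($class)).'.php';
+            $file = WINTER_MVC_PATH.'/../../application/models/'.ucfirst(sanitize_file_name($class)).'.php';
+        }
+        else
+        {
+            $file = $this->plugin_directory.'application/models/'.ucfirst(sanitize_file_name($class)).'.php';
         }
        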
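Review bot: Moving `sanitize_file_name()` inside `ucfirst()` at new lines 80/84, 95/99 and 199/203 only changes where capitalisation happens; `$file` is still assembled from a caller-supplied name and presumably reaches a file include further down each method, and `sanitize_file_name()` is a filename cleaner rather than an allow-list for loader identifiers. Validate the name against the shape the loader actually expects before building the path, `if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $class ) ) { return false; }` (the method's failure convention is outside the hunk), and consider checking that `realpath( $file )` stays inside the intended application subdirectory before including it. The three hunks carry the same branch three times; a private helper taking the subdirectory name would leave one copy to review. Each enclosing method starts and ends outside its hunk.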