Changeset 3174179

Timestamp:

10/23/2024 09:34:30 AM (15 months ago)

Author:

platformlycom

Message:

Security fix. Fixed CSRF vulnerability. Fixed XSS vulnerability when add API key

Location:

platformly/trunk

Files:

• inc/pages/ply.events.php (modified) (1 diff)
• inc/pages/ply.optins.page.php (modified) (5 diffs)
• inc/pages/ply.pages.php (modified) (5 diffs)
• inc/pages/ply.settings.php (modified) (3 diffs)
• inc/ply.btn.php (modified) (1 diff)
• inc/ply.functions.php (modified) (1 diff)
• js/events.js (modified) (2 diffs)
• js/optins.js (modified) (1 diff)
• js/pages.js (modified) (1 diff)
• js/ply_add_link_functions.js (modified) (4 diffs)
• js/settings.js (modified) (4 diffs)
• platformly.php (modified) (17 diffs)
• readme.txt (modified) (2 diffs)

platformly/trunk/inc/pages/ply.events.php

@@ -38 +38 @@
                 <a href="javascript:;" id="btnPlyRefreshEvents" class="btn btn-default" title="Refresh">&#8635;</a>
                 <hr>
-                <table id="plyEventsTable" class="table">
+                <table id="plyEventsTable" class="table" data-nonce="<?php echo wp_create_nonce("ply_load_data"); ?>">
                     <thead> 
                         <tr> 

platformly/trunk/inc/pages/ply.optins.page.php

@@ -8 +8 @@
 
 if(isset($_POST['saveOptin'])){
+    check_admin_referer('ply_options_save');
     $res = ply_update_optin_info();
     if($res == '1')
@@ -16 +17 @@
 
 if(isset($_POST['removeOptin'])){
+    check_admin_referer('ply_options_remove');
     $res = ply_remove_optin_info();
     if($res == '1')
@@ -36 +38 @@
 $editOptin = false;
 if(isset($_POST['editOptin'])){
+    check_admin_referer('ply_options_edit');
     $editOptin = ply_get_optin_by_id((int)$_POST['editOptin']);
 }
@@ -95 +98 @@
                     <h4 style='display: inline-block; margin-right: 5px'>Please select optin</h4><a target="_blank" href="<?php echo $user['main_url'] ?>/?page=lead_capture.forms" class="btn btn-default">View Optins</a><hr style="margin-top: 5px !important">
                 </div>
-                <div class="col-md-12" id="tdOptins">
+                <div class="col-md-12" id="tdOptins" data-nonce="<?php echo wp_create_nonce("ply_load_data"); ?>">
                     <label>Select project first</label>
                 </div>
@@ -364 +367 @@
     <input type="text" name="formOptinBlurBack" id="formOptinBlurBack" value="" />
     <input type="hidden" name='formOptinWherePages' id='formOptinWherePages' value=''/>
-    
+    <?php wp_nonce_field('ply_options_save'); ?>
     <input type="hidden" name="saveOptin" value="1" />
 </form>
 
 <form id="optinRemoveForm" style="display:none" method="post" action="">
+    <?php wp_nonce_field('ply_options_remove'); ?>
     <input type="hidden" name="removeOptin" id="removeOptin" value="" />
 </form>
 
 <form id="optinEditForm" style="display:none" method="post" action="">
+    <?php wp_nonce_field('ply_options_edit'); ?>
     <input type="hidden" name="editOptin" id="editOptin" value="" />
 </form>

platformly/trunk/inc/pages/ply.pages.php

@@ -13 +13 @@
 
 if(isset($_POST['savePage'])){
+    check_admin_referer('ply_pages_save');
     $res = ply_update_page_info();
     if($res == '1'){
@@ -22 +23 @@
 
 if(isset($_POST['removePage'])){
+    check_admin_referer('ply_pages_remove');
     $res = ply_remove_page_info();
     if($res == '1'){
@@ -43 +45 @@
 $editPage = false;
 if(isset($_POST['editPage'])){
+    check_admin_referer('ply_pages_edit');
     $editPage = ply_get_page_by_id((int)$_POST['editPage']);
 }
@@ -101 +104 @@
                     <h4 style='display: inline-block; margin-right: 5px'>Please select page</h4><a target="_blank" href="<?php echo $user['main_url'] ?>/?page=lead_capture.pages" class="btn btn-default">View Pages</a><hr style="margin-top: 5px !important">
                 </div>
-                <div class="col-md-12" id="tdPages">
+                <div class="col-md-12" id="tdPages" data-nonce="<?php echo wp_create_nonce("ply_load_data"); ?>">
                     <label>Select project first</label>
                 </div>
@@ -242 +245 @@
     <input type="text" name="formPageSlug" id="formPageSlug" value=""/>
     <input type="text" name="formPagePingUpdateServices" id="formPagePingUpdateServices" value=""/>
+    <?php wp_nonce_field('ply_pages_save'); ?>
     <input type="hidden" name="savePage" value="1" />
 </form>
 
 <form id="pageRemoveForm" style="display:none" method="post" action="">
+    <?php wp_nonce_field('ply_pages_remove'); ?>
     <input type="hidden" name="removePage" id="removePage" value="" />
 </form>
 
 <form id="pageEditForm" style="display:none" method="post" action="">
+    <?php wp_nonce_field('ply_pages_edit'); ?>
     <input type="hidden" name="editPage" id="editPage" value="" />
 </form>

platformly/trunk/inc/pages/ply.settings.php

@@ -4 +4 @@
 
 if(isset($_POST['plugin_key'])){
+    check_admin_referer('ply_settings');
     $res = ply_update_plugin_key();
     if($res == '1')
@@ -54 +55 @@
         <label for="plugin_key"></label>
         <input type="text" name="plugin_key" id="plugin_key" style="width:500px;" value="<?php echo $pkey ?>" />
+        <?php wp_nonce_field( 'ply_settings' ); ?>
         <input type="submit" name="button" id="button" class="button" value="Save" /><br />
         <span style="font-size:12px;"> You will need to add your API Key from your Platform.ly account. <br>You can find the API section if you click on your name in the upper right corner on Platform.ly and then on 'Api Keys'.</span>
@@ -112 +114 @@
                     <?php endforeach; ?>
                 </select>
+                <input type="hidden" value="<?php echo wp_create_nonce("ply_save_project_code"); ?>" id="projectCodeNonce">
                 <input id="btnPlySaveProjectCode" class="button" type="button" value="Save"/>
                 <div id="msgPlyGetProgectCodeError"></div>

platformly/trunk/inc/ply.btn.php

@@ -6 +6 @@
     $projectCode = ply_get_project_code();
 ?>
-<div id="ply-add-link-dialog" class="hidden" style="max-width:600px;max-height: 500px;">
+<div id="ply-add-link-dialog" class="hidden" style="max-width:600px;max-height: 500px;" data-nonce="<?php echo wp_create_nonce("ply_load_data"); ?>">
     <div>Loading . . .</div>
 </div>

platformly/trunk/inc/ply.functions.php

@@ -46 +46 @@
 
 function ply_update_plugin_key(){
-    $code = wp_strip_all_tags($_POST['plugin_key'], true);
-    update_option('ply_plugin_key', $code);
-
-    return '1';
+    $code = sanitize_text_field($_POST['plugin_key']);
+    $res = preg_match('/^[a-zA-Z0-9]{32}$/', $code);
+    if($res){
+        $check = wp_remote_get(PLATFORMLY_URL . "/plugin/plugin.check.key.php?plugin_key=" . $code);
+        $check = wp_remote_retrieve_body($check);
+        if($check){
+            $check = json_decode($check, true);
+            if($check['status'] != 'not_found'){
+                update_option('ply_plugin_key', $code);
+                return '1';
+            }
+        }
+    }
+    return 'The API key you added is not correct.';
 }
 

platformly/trunk/js/events.js

@@ -4 +4 @@
     }
     jQuery('#plyEventsTable tbody').html('<tr><td colspan="6">Loading...</td></tr>');
-    jQuery.post(ajaxurl, {'action': 'ply_load_events','projectId': projectId}, function(response){
+    jQuery.post(ajaxurl, {'action': 'ply_load_events','projectId': projectId, '_wpnonce': jQuery('#plyEventsTable').data('nonce')}, function(response){
         data = JSON.parse(response);
         if(data.status!='success'){
@@ -84 +84 @@
     $('#plyProjectSelect').click(function(){
         var projectId = $(this).val();
-        /*$('#msgPlyGetProgectCodeActivated').hide();
-        $('#plyProjectCodeMsgNotExist').hide();
-        $.post(ajaxurl, {'action': 'ply_check_project_code','projectId': projectId}, function(response){
-            if(response){
-                $('#msgPlyGetProgectCodeActivated span').text($('#plyProjectSelect option:selected').text());
-                $('#msgPlyGetProgectCodeActivated').show();
-            }else{
-                $('#plyProjectCodeMsgNotExist').show();
-            }
-        });*/
         loadEvents(projectId);
     });

platformly/trunk/js/optins.js

@@ -5 +5 @@
     var data = {
         'action': 'ply_load_optins',
-        'projectId': projectId
+        'projectId': projectId,
+        '_wpnonce': jQuery('#tdOptins').data('nonce')
     };
 

platformly/trunk/js/pages.js

@@ -6 +6 @@
     var data = {
         'action': 'ply_load_pages',
-        'projectId': projectId
+        'projectId': projectId,
+        '_wpnonce': jQuery('#tdPages').data('nonce')
     };
 

platformly/trunk/js/ply_add_link_functions.js

@@ -5 +5 @@
 function get_ply_tracking_links(){
     jQuery('#ply-add-link-dialog').html('<div>Loading . . .</div>');
-    jQuery.post(ajaxurl, {action: 'ply_get_tracking_links'}, function(response){
+    jQuery.post(ajaxurl, {action: 'ply_get_tracking_links', '_wpnonce': jQuery('#ply-add-link-dialog').data('nonce')}, function(response){
         jQuery('.ui-dialog-buttonpane button:contains("Add Link")').button().hide();
         var data = JSON.parse(response);
@@ -61 +61 @@
 function load_trackingLinks_inDetails(id){
     jQuery('#ply-add-link-dialog').html('<div>Loading . . .</div>');
-    jQuery.post(ajaxurl, {action: 'ply_get_tracking_links_details', id: id}, function(response){
+    jQuery.post(ajaxurl, {action: 'ply_get_tracking_links_details', id: id, '_wpnonce': jQuery('#ply-add-link-dialog').data('nonce')}, function(response){
         var data = JSON.parse(response);
         if(data.status=='success'){
@@ -128 +128 @@
     //ply-project-name
     jQuery('#ply-add-link-dialog').html('<div>Loading . . .</div>');
-    jQuery.post(ajaxurl, {'action': 'ply_get_projects'}, function(response){
+    jQuery.post(ajaxurl, {'action': 'ply_get_projects', '_wpnonce': jQuery('#ply-add-link-dialog').data('nonce')}, function(response){
         var data = JSON.parse(response);
         for(var key in data) {
@@ -149 +149 @@
     jQuery('.ui-dialog-buttonpane button:contains("Copy Code")').button().hide();
     jQuery('#ply-add-link-dialog #ply-events-block').html('<div id="ply-default-event-msg">Loading...</div></div>');
-    jQuery.post(ajaxurl, {'action': 'ply_load_events','projectId': projectId}, function(response){
+    jQuery.post(ajaxurl, {'action': 'ply_load_events','projectId': projectId, '_wpnonce': jQuery('#ply-add-link-dialog').data('nonce')}, function(response){
         var data = JSON.parse(response);
         if(data.status!='success'){

platformly/trunk/js/settings.js

@@ -13 +13 @@
                 $('#msgPlyGetProgectCodeActivated').hide();
                 $('#plyLoadingProjectCode').show();
-                $.post(ajaxurl, {'action': 'ply_save_project_code','projectId': projectId}, function(response){
+                $.post(ajaxurl, {'action': 'ply_save_project_code','projectId': projectId, '_wpnonce': $('#projectCodeNonce').val()}, function(response){
                     data = JSON.parse(response);
                     $('#plyLoadingProjectCode').hide();
@@ -26 +26 @@
         }
     });
-    /* $('#plyProjectSelect').change(function(){
-        $('#msgPlyGetProgectCodeError').hide();
-        $('#msgPlyGetProgectCodeActivated').hide();
-        var projectId = $(this).val();
-        $.post(ajaxurl, {'action': 'ply_check_project_code','projectId': projectId}, function(response){
-            if(response){
-                $('#msgPlyGetProgectCodeActivated span').text($('#plyProjectSelect option:selected').text());
-                $('#msgPlyGetProgectCodeActivated').show();
-            }else{
-                
-            }
-        });
-    }); */
-    /*var prevVal;
-    $('#plyProjectSelect').focus(function(){
-        prevVal = $(this).val();
-    }).change(function(){
-        if($('#plyProjectCodeBlock').hasClass('ply-wc-project-code')){
-            $(this).blur();
-            if(!confirm('Changing the project will change the current project in Platform.ly WooCommerce plugin')){
-                $(this).val(prevVal);
-                return false;
-            }
-        }
-    });*/
     $('#plyCheckboxSetProjectCode').change(function(){
         if($(this).prop('checked')){
@@ -60 +35 @@
         }
         if(!$('#plyProjectCodeBlock').hasClass('ply-wc-project-code')){
-            $.post(ajaxurl, {action: 'ply_project_code_include', includeCode: includeProjectCode}, function(response){});
+            $.post(ajaxurl, {action: 'ply_project_code_include', includeCode: includeProjectCode, '_wpnonce': $('#projectCodeNonce').val()}, function(response){});
         }
     });
@@ -66 +41 @@
         if(!$('#plyProjectCodeBlock').hasClass('ply-wc-project-code')) {
             if (confirm('Are you sure you want to remove the project code?')) {
-                $.post(ajaxurl, {'action': 'ply_remove_project_code'}, function (response) {
+                $.post(ajaxurl, {'action': 'ply_remove_project_code', '_wpnonce': $('#projectCodeNonce').val()}, function (response) {
                     $('#msgPlyGetProgectCodeActivated').hide();
                     alert('Project code was removed.');

platformly/trunk/platformly.php

@@ -4 +4 @@
 Plugin Name: Platform.ly Official
 Description: Platform.ly plugin is the easiest way to setup your optins and pages that your created with Platform.ly. After building your optin or page with our interactive WYSIWYG builders, you can set them up to show on your site with just a couple of clicks.
-Version: 1.13
+Version: 1.14
 Author: Platform.ly
 Author URI: https://www.platform.ly/
@@ -16 +16 @@
 define("PLATFORMLY_URL", "https://pageserver.platform.ly");
 
-define('PLATFORMLY_PLUGIN_VERSION', '1.11');
+define('PLATFORMLY_PLUGIN_VERSION', '1.14');
 
 include plugin_dir_path(__FILE__) . '/inc/ply.functions.php';
@@ -92 +92 @@
 
 function ply_settings(){
-    wp_enqueue_script('ply_optins_script', plugin_dir_url(__FILE__)."js/settings.js");
+    wp_enqueue_script('ply_optins_script', plugin_dir_url(__FILE__)."js/settings.js", array(),1);
     include plugin_dir_path(__FILE__) . 'inc/pages/ply.settings.php';
 }
@@ -101 +101 @@
     wp_enqueue_style('select2', plugin_dir_url(__FILE__)."css/select2.min.css");
     wp_enqueue_script('select2', plugin_dir_url(__FILE__)."js/select2.min.js");
-    wp_enqueue_script('ply_optins_script', plugin_dir_url(__FILE__)."js/optins.js");
+    wp_enqueue_script('ply_optins_script', plugin_dir_url(__FILE__)."js/optins.js", array(),1);
     include plugin_dir_path(__FILE__) . 'inc/pages/ply.optins.page.php';
 }
@@ -108 +108 @@
     wp_enqueue_style('bootstrap_styles', plugin_dir_url(__FILE__)."css/bootstrap.min.css");
     wp_enqueue_style('bootstrap_theme_styles', plugin_dir_url(__FILE__)."css/bootstrap-theme.min.css");
-    wp_enqueue_script('ply_pages_script', plugin_dir_url(__FILE__)."js/pages.js");
+    wp_enqueue_script('ply_pages_script', plugin_dir_url(__FILE__)."js/pages.js", array(),1);
     include plugin_dir_path(__FILE__) . 'inc/pages/ply.pages.php';
 }
@@ -117 +117 @@
     wp_enqueue_script('bootstrap_script', plugin_dir_url(__FILE__)."js/bootstrap.min.js");
     include plugin_dir_path(__FILE__) . 'inc/pages/ply.events.php';
-    wp_enqueue_script('ply_events_script', plugin_dir_url(__FILE__)."js/events.js");
+    wp_enqueue_script('ply_events_script', plugin_dir_url(__FILE__)."js/events.js", array(),1);
 }
 
@@ -230 +230 @@
 
 function ply_load_optins_callback(){
+    check_ajax_referer('ply_load_data');
     $projectId = intval($_POST['projectId']);
     $get_optins = wp_remote_get(PLATFORMLY_URL . "/plugin/plugin.actions.php?plugin_key=" . ply_get_plugin_key() . "&action=listOptins&projectId=" . $projectId);
@@ -238 +239 @@
 
 function ply_load_pages_callback(){
+    check_ajax_referer('ply_load_data');
     $projectId = intval($_POST['projectId']);
     $get_pages = wp_remote_get(PLATFORMLY_URL . "/plugin/plugin.actions.php?plugin_key=" . ply_get_plugin_key() . "&action=listPages&projectId=" . $projectId);
@@ -246 +248 @@
 
 function ply_get_tracking_links_callback(){
+    check_ajax_referer('ply_load_data');
     $result = wp_remote_get(PLATFORMLY_URL . "/plugin/plugin.actions.php?plugin_key=" . ply_get_plugin_key() . "&action=getTrackingLinks");
     $result = wp_remote_retrieve_body($result);
@@ -253 +256 @@
 
 function ply_load_events_callback(){
+    check_ajax_referer('ply_load_data');
     $projectId = intval($_POST['projectId']);
     $result = wp_remote_get(PLATFORMLY_URL . "/plugin/plugin.actions.php?plugin_key=" . ply_get_plugin_key() . "&action=getEvents&projectId=" . $projectId);
@@ -261 +265 @@
 
 function ply_get_tracking_links_details_callback(){
+    check_ajax_referer('ply_load_data');
     $linkId = intval($_POST['id']);
     $result = wp_remote_get(PLATFORMLY_URL . "/plugin/plugin.actions.php?plugin_key=" . ply_get_plugin_key() . "&action=getDetailsTrackingLinks&linkId=" . $linkId);
@@ -269 +274 @@
 
 function ply_save_project_code_callback(){
+    check_ajax_referer('ply_save_project_code');
     $projectId = intval($_POST['projectId']);
     $result = wp_remote_get(PLATFORMLY_URL."/plugin/plugin.actions.php?plugin_key=".ply_get_plugin_key()."&action=getProjectCode&projectId=".$projectId);
@@ -291 +297 @@
 }
 function ply_check_project_code_callback(){
+    check_ajax_referer('ply_load_data');
     $projectId = intval($_POST['projectId']);
     $projectCode = ply_get_project_code($projectId);
@@ -303 +310 @@
 
 function ply_remove_project_code_callback(){
+    check_ajax_referer('ply_save_project_code');
     ply_remove_project_code();
     wp_die();
@@ -308 +316 @@
 
 function ply_project_code_include_callback(){
+    check_ajax_referer('ply_save_project_code');
     $includeCode = isset($_POST['includeCode']) && !empty($_POST['includeCode']) ? true : false;
     ply_project_code_include($includeCode);
@@ -314 +323 @@
 
 function ply_get_projects_callback(){
+    check_ajax_referer('ply_load_data');
     $result = wp_remote_get(PLATFORMLY_URL."/plugin/plugin.actions.php?plugin_key=".ply_get_plugin_key()."&action=listProjects");
     $result = wp_remote_retrieve_body($result);
@@ -446 +456 @@
     wp_enqueue_script('jquery-ui-dialog');
     wp_enqueue_style('wp-jquery-ui-dialog');
-    wp_enqueue_script('ply-add-link', plugin_dir_url(__FILE__) . 'js/ply_add_link_functions.js');
+    wp_enqueue_script('ply-add-link', plugin_dir_url(__FILE__) . 'js/ply_add_link_functions.js', array(),1);
     if(get_user_option('rich_editing') == 'true'){
         add_filter("mce_external_plugins", "add_platform_ly_link_plugin");

platformly/trunk/readme.txt

@@ -1 +1 @@
 === Platform.ly Official ===
 Contributors: platformlycom
-Tags: CRM, ecommerce, custom pages, landing pages, optin forms, events, tracking links, platform.ly, platform, platformly
+Tags: crm, ecommerce, platform.ly, platform, platformly
 Requires at least: 4.6
 Tested up to: 6.6
@@ -78 +78 @@
 == Upgrade Notice ==
 
+= 1.14 =
+- Security fix
+
 = 1.13 =
 - Improvement: Compatibility with WP 6.6