Changeset 3209430

Timestamp:

12/17/2024 06:43:48 PM (13 months ago)

Author:

arothman

Message:

Additional output escaping added to RSS download function.

File:

• pcrecruiter-extensions/trunk/PCRecruiter-Extensions.php (modified) (8 diffs)

pcrecruiter-extensions/trunk/PCRecruiter-Extensions.php

@@ -19 +19 @@
 }
 add_action( 'wp_enqueue_scripts', 'pcr_assets' );
+function sanitize_loadurl($urlparam)
+        {
+            // Allow only letters, numbers, periods, equals, colons, question marks, forward slashes, percent signs, and spaces
+            return preg_replace('/[^a-zA-Z0-9\.\=\:\?\/%\s]/', '', $urlparam);
+            
+        }
 function pcr_frame($atts)
 {
@@ -30 +36 @@
     $sid = intval($a['form']);
     $loadurl = $a['link'];
-    function sanitize_loadurl($urlparam)
-        {
-            // Allow only letters, numbers, periods, equals, colons, question marks, forward slashes, percent signs, and spaces
-            return preg_replace('/[^a-zA-Z0-9\.\=\:\?\/%\s]/', '', $urlparam);
-            
-        }
     $loadurl = sanitize_loadurl($loadurl);
     $initialheight = intval($a['initialheight']);
@@ -84 +84 @@
     $doc->appendChild($iframe);
 
-    return "<!-- Start PCRecruiter WP 1.4.2-->"
+    return "<!-- Start PCRecruiter WP 1.4.21-->"
         . $pcrframecss
         . $doc->saveHTML()
@@ -462 +462 @@
     public function print_section_info()
     {
-        echo '<p>When enabled, this feature will duplicate PCRecruiter\'s dynamic RSS feed as a static file at <a target="_blank" href="'. site_url() .'/wp-content/uploads/pcrjobfeed.xml">'. site_url() .'/wp-content/uploads/pcrjobfeed.xml</a>. You may use this data as a source for plugins and other third-party feed utilities.</p><p><strong>The settings in this panel are NOT required for standard PCRecruiter Job Board embedding functions.</strong> Checking the "Job Feed Enabled" box below without proper values in the rest of this form may introduce errors into your website. Please <a target="_blank" href="https://help.pcrecruiter.com">contact PCRecruiter Support</a> for guidance if you wish to enable this feature.</p>';
-
+        echo '<p>When enabled, this feature will duplicate PCRecruiter\'s dynamic RSS feed as a static file at <a target="_blank" href="'. esc_url( site_url() ) .'/wp-content/uploads/pcrjobfeed.xml">'. esc_url( site_url() ) .'/wp-content/uploads/pcrjobfeed.xml</a>. You may use this data as a source for plugins and other third-party feed utilities.</p>';
          // Check to see if "Store Local Feed" is active. If it is, show the manual save button
                 if($this->options['activation'] ?? false){
@@ -470 +469 @@
                     if (file_exists($fname)) {
                         $d = date ("F d Y H:i:s", filectime($fname));
-                        echo "<em style=\"font-weight:bold\">" . $filename . " last updated: " . $d . " (UTC).</em>";
+                        echo "<em style=\"font-weight:bold\">" . esc_html( $filename ) . " last updated: " . esc_html( $d ) . " (UTC).</em>";
                     } else {
-                        echo "<i>File " .$fname . " doesn't exist...</i>";
+                        echo "<i>File " . esc_html( $fname ) . " doesn't exist...</i>";
                     }
                 }
@@ -496 +495 @@
         echo "<select id='frequency' name='pcr_feed_options[frequency]'>";
         foreach($items as $item) {
-            $selected = ($this->options['frequency']==$item) ? 'selected="selected"' : '';
-            echo "<option value='$item' $selected>$item</option>";
+            $selected = ($this->options['frequency'] == $item) ? 'selected="selected"' : '';
+            echo "<option value='" . esc_attr( $item ) . "' " . esc_attr( $selected ) . ">" . esc_html( $item ) . "</option>";
         }
         echo "</select>";
@@ -522 +521 @@
 
         printf(
-            '<input type="text" id="custom_fields" name="pcr_feed_options[custom_fields]" value="%s" size="60" /><br /><span style="font-size:.8em;">Comma separated.</span>',
+            '<input type="text" id="custom_fields" name="pcr_feed_options[custom_fields]" value="%s" size="60" /><br /><span style="font-size:.8em;">Comma separated. Be sure to replace any %%20 characters with spaces.</span>',
             isset( $this->options['custom_fields'] ) ? esc_attr( $this->options['custom_fields']) : ''
         );
@@ -547 +546 @@
             $check2 = "";
         }
-        printf('<input type="radio" id="job" name="pcr_feed_options[mode]" value="job" %s /> Job Link<br />', $check1);
-        printf('<input type="radio" id="apply" name="pcr_feed_options[mode]" value="apply" %s /> Apply Link<br />', $check2);
+    printf('<input type="radio" id="%s" name="pcr_feed_options[mode]" value="job" %s /> %s<br />', 
+        esc_attr('job'), 
+        esc_attr($check1), 
+        esc_html('Job Link')
+    );
+    printf('<input type="radio" id="%s" name="pcr_feed_options[mode]" value="apply" %s /> %s<br />', 
+        esc_attr('apply'), 
+        esc_attr($check2), 
+        esc_html('Apply Link')
+    );
     }
 }