Changeset 3219339

Timestamp:

01/09/2025 12:00:52 AM (14 months ago)

Author:

123host

Message:

Improved XSS security

Location:

speakout/trunk

Files:

• includes/class.settings.php (modified) (1 diff)
• includes/emailpetition.php (modified) (1 diff)
• includes/install.php (modified) (1 diff)
• readme.txt (modified) (3 diffs)
• speakout-email-petitions.php (modified) (2 diffs)

speakout/trunk/includes/class.settings.php

@@ -116 +116 @@
         $this->g_recaptcha_version          = $options['g_recaptcha_version'];
         $this->g_recaptcha_status           = $options['g_recaptcha_status'];
-        $this->g_recaptcha_site_key           = $options['g_recaptcha_site_key'];
-        $this->g_recaptcha_secret_key         = $options['g_recaptcha_secret_key'];
+        $this->g_recaptcha_site_key         = $options['g_recaptcha_site_key'];
+        $this->g_recaptcha_secret_key       = $options['g_recaptcha_secret_key'];
         $this->hcaptcha_status              = $options['hcaptcha_status'];
-        $this->hcaptcha_site_key           = $options['hcaptcha_site_key'];
-        $this->hcaptcha_secret_key         = $options['hcaptcha_secret_key'];
+        $this->hcaptcha_site_key            = $options['hcaptcha_site_key'];
+        $this->hcaptcha_secret_key          = $options['hcaptcha_secret_key'];
         $this->display_anedot               = $options['display_anedot'];
         $this->display_sharing              = $options['display_sharing'];

speakout/trunk/includes/emailpetition.php

@@ -134 +134 @@
 
             // shortcode attributes
-            $width = isset( $attr[ 'width' ] ) ? 'style="width: ' . $attr[ 'width' ] . ';"': '';
-            $height = isset( $attr[ 'height' ] ) ? 'style="height: ' . $attr[ 'height' ] . ' !important;"': '';
-            $css_classes = isset( $attr[ 'class' ] ) ? $css_classes = $attr[ 'class' ] : '';
+            $width = isset( $attr['width'] ) && preg_match( '/^\d+(px|%)?$/', $attr['width'] ) ? 'style="width: ' . esc_attr( $attr['width'] ) . ';"' : '';
+            $height = isset( $attr['height'] ) && preg_match( '/^\d+(px|%)?$/', $attr['height'] ) ? 'style="height: ' . esc_attr( $attr['height'] ) . ';"' : '';
+            $css_classes = isset( $attr[ 'class' ] ) ? $css_classes = esc_attr($attr[ 'class' ]) : '';
             $progress_width = ( $options[ 'petition_theme' ] == 'basic' ) ? 300 : 200; // defaults
-            $progress_width = isset( $attr[ 'progresswidth' ] ) ? $attr[ 'progresswidth' ] : $progress_width;
-            
-            // Function to detect potential JavaScript in shorcode
-            function contains_js($input) {
-                $pattern = '/(javascript|on\w+|<script|<\/script|<\?|<\w+[^>]*\s*on\w+\s*=\s*["\']?[^>"\']+["\']?)/i';
-                return preg_match($pattern, $input);
-            }
-
-            // Validate and sanitize shortcode attributes
-            if (isset( $attr['width']) && contains_js($attr['width']) || 
-                isset( $attr['height']) && contains_js($attr['height']) || 
-                isset( $attr['css_classes']) && contains_js($attr['css_classes']  ) || 
-                isset( $attr['progresswidth']) && contains_js($attr['progresswidth'])) {
-                // Handle potential injection attempt
-                die('Invalid javascript detected in shortcode');
-            }
+            $progress_width = isset( $attr[ 'progresswidth' ] ) ? esc_attr( $attr[ 'progresswidth' ] ): $progress_width;         
 
             if ( !$expired ) {

speakout/trunk/includes/install.php

@@ -232 +232 @@
         "g_recaptcha_site_key"  => "",
         "hcaptcha_status"       => "",
-        "hcaptcha__site_key"    => "",
+        "hcaptcha_site_key"     => "",
         "hcaptcha_secret_key"   => "",
         "anedot_page_id"        => "",

speakout/trunk/readme.txt

@@ -5 +5 @@
 Tested up to: 6.7
 Requires PHP: 7.4
-Stable tag: 4.4.2
+Stable tag: 4.5.0
 License: GPLv2 or later 
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -22 +22 @@
 
 == Changelog ==
+
+== 4.5.0 ==
+
+* improvement: further refined bug fixed in 4.4.0 - thanks Darius S. @ patchstack.com
+
+== 4.4.3 ==
+
+* improvement: updated old changelog link at end of current changelog
 
 == 4.4.2 ==
@@ -191 +199 @@
 [Earlier Changelog][2]
 
-[2]: https://speakoutpetitions.com/changelog "SpeakOut! Changelog"
+[2]: https://speakoutpetitions.com/speakout-free-changelog/ "SpeakOut! old Changelog"
 
 

speakout/trunk/speakout-email-petitions.php

@@ -16 +16 @@
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
-Version: 4.4.2
+Version: 4.5.0
 
 {Plugin Name} is free software: you can redistribute it and/or modify
@@ -32 +32 @@
 
 global $wpdb, $db_petitions, $db_signatures, $dk_speakout_version;
-$dk_speakout_version = '4.4.2';
+$dk_speakout_version = '4.5.0';
 $db_petitions  = $wpdb->prefix . 'dk_speakout_petitions';
 $db_signatures = $wpdb->prefix . 'dk_speakout_signatures';