Changeset 3309680

Timestamp:

06/11/2025 09:44:11 AM (6 months ago)

Author:

10web

Message:

• Fixed: Security issue.
• Fixed: Deprecated issue.

Location:

form-maker/trunk

Files:

• admin/views/Options_fm.php (modified) (4 diffs)
• admin/views/Submissions_fm.php (modified) (1 diff)
• css/style_submissions.css (modified) (1 diff)
• form-maker.php (modified) (3 diffs)
• form_maker_insert.php (modified) (3 diffs)
• frontend/models/form_maker.php (modified) (3 diffs)
• readme.txt (modified) (2 diffs)

form-maker/trunk/admin/views/Options_fm.php

@@ -82 +82 @@
             <span class="wd-group">
               <label class="wd-label" for="public_key"><?php _e('Site key', WDFMInstance(self::PLUGIN)->prefix); ?></label>
-              <input id="public_key" name="public_key" value="<?php echo $public_key; ?>" type="text" />
+              <input id="public_key" name="public_key" value="<?php echo esc_attr($public_key); ?>" type="text" />
             </span>
             <span class="wd-group">
               <label class="wd-label" for="private_key"><?php _e('Secret key', WDFMInstance(self::PLUGIN)->prefix); ?></label>
-              <input id="private_key" name="private_key" value="<?php echo $private_key; ?>" type="text" />
+              <input id="private_key" name="private_key" value="<?php echo esc_attr($private_key); ?>" type="text" />
               <p class="description">
                 <?php echo sprintf(__('%s for your site from ReCaptcha website and copy the provided here.', WDFMInstance(self::PLUGIN)->prefix), '<a href="https://www.google.com/recaptcha/intro/index.html" target="_blank">' . __('Get ReCaptcha Site and Secret Keys', WDFMInstance(self::PLUGIN)->prefix) . '</a>'); ?>
@@ -93 +93 @@
             <span class="wd-group">
               <label class="wd-label" for="recaptcha_score"><?php _e('Minimum ReCaptcha v3 Score to allow submission', WDFMInstance(self::PLUGIN)->prefix); ?></label>
-              <input id="recaptcha_score" name="recaptcha_score" value="<?php echo $recaptcha_score == '' ? 0.5 : $recaptcha_score; ?>" type="number" max="1" min="0" step="0.1" />
+              <input id="recaptcha_score" name="recaptcha_score" value="<?php echo esc_attr($recaptcha_score === '' ? 0.5 : $recaptcha_score); ?>" type="number" max="1" min="0" step="0.1" />
               <p class="description">
                 <?php echo sprintf(__('ReCaptcha v3 returns a score based on the user interactions with your forms. Scores range from 0.0 to 1.0, with 0.0 indicating abusive traffic and 1.0 indicating good traffic. %sVisit%s ReCaptcha admin to review verification statistics.', WDFMInstance(self::PLUGIN)->prefix), '<a href="https://www.google.com/recaptcha/admin/" target="_blank">', '</a>'); ?>
@@ -110 +110 @@
             <span class="wd-group">
               <label class="wd-label" for="map_key"><?php _e('Map API Key', WDFMInstance(self::PLUGIN)->prefix); ?></label>
-              <input id="map_key" name="map_key" value="<?php echo $map_key; ?>" type="text" />
+              <input id="map_key" name="map_key" value="<?php echo esc_attr($map_key); ?>" type="text" />
               <p class="description">
                 <?php echo _e('Get', WDFMInstance(self::PLUGIN)->prefix); ?>
@@ -128 +128 @@
             <span class="wd-group">
               <label class="wd-label" for="csv_delimiter"><?php _e('CSV Delimiter', WDFMInstance(self::PLUGIN)->prefix); ?></label>
-              <input id="csv_delimiter" name="csv_delimiter" value="<?php echo $csv_delimiter; ?>" type="text" />
+              <input id="csv_delimiter" name="csv_delimiter" value="<?php echo esc_attr($csv_delimiter); ?>" type="text" />
               <p class="description"><?php _e('This option sets the symbol, which will be used to separate the values in CSV file of form submissions.', WDFMInstance(self::PLUGIN)->prefix); ?></p>
             </span>

form-maker/trunk/admin/views/Submissions_fm.php

@@ -753 +753 @@
                                             <td id="<?php echo $sorted_labels_id[$h]; ?>_fc" class="<?php echo $sorted_labels_id[$h]; ?>_fc sub-align" <?php echo $styleStr; ?> data-colname="<?php echo !empty($label_name_ids[$sorted_labels_id[$h]]) ? $label_name_ids[$sorted_labels_id[$h]] : ''; ?>" <?php echo ($savedb == 2 &&  $sorted_label_types[$h] == "type_paypal_payment_status") ? $check_payment_status : ""; ?> style="width:<?php echo $status_column_width; ?>; max-width:<?php echo $status_column_width; ?>;">
                                                 <?php if ( $sorted_label_types[$h] == 'type_signature' ) { ?>
-                                                    <img src="<?php echo $textdata['text']; ?>" style="width:50px; border: 1px solid #ddd;"/>
+                                                    <img src="<?php echo esc_url($element_value); ?>" style="width:50px; border: 1px solid #ddd;"/>
                                                 <?php
                                                 }

form-maker/trunk/css/style_submissions.css

@@ -39 +39 @@
 .submissions tbody tr {
   border-bottom: solid 1px #ddd !important;
+  display:table-row!important
 }
 .submissions td {

form-maker/trunk/form-maker.php

@@ -4 +4 @@
  * Plugin URI: https://10web.io/plugins/wordpress-form-maker/?utm_source=form_maker&utm_medium=free_plugin
  * Description: This plugin is a modern and advanced tool for easy and fast creating of a WordPress Form. The backend interface is intuitive and user friendly which allows users far from scripting and programming to create WordPress Forms.
- * Version: 1.15.33
+ * Version: 1.15.34
  * Author: 10Web Form Builder Team
  * Author URI: https://10web.io/plugins/?utm_source=form_maker&utm_medium=free_plugin 
@@ -27 +27 @@
   public $front_urls = array();
   public $main_file = '';
-  public $plugin_version = '1.15.33';
-  public $db_version = '2.15.33';
+  public $plugin_version = '1.15.34';
+  public $db_version = '2.15.34';
   public $menu_postfix = '_fm';
   public $plugin_postfix = '';
@@ -520 +520 @@
     add_action('load-' . $submissions_page, array($this, 'submissions_per_page'));
 
-    add_submenu_page(null, __('Blocked IPs', $this->prefix), __('Blocked IPs', $this->prefix), 'manage_options', 'blocked_ips' . $this->menu_postfix, array($this, 'form_maker'));
+    add_submenu_page('', __('Blocked IPs', $this->prefix), __('Blocked IPs', $this->prefix), 'manage_options', 'blocked_ips' . $this->menu_postfix, array($this, 'form_maker'));
     add_submenu_page($parent_slug, __('Themes', $this->prefix), __('Themes', $this->prefix), 'manage_options', 'themes' . $this->menu_postfix, array($this, 'form_maker'));
     add_submenu_page($parent_slug, __('Options', $this->prefix), __('Options', $this->prefix), 'manage_options', 'options' . $this->menu_postfix, array($this, 'form_maker'));
-    add_submenu_page(null, __('Uninstall', $this->prefix), __('Uninstall', $this->prefix), 'manage_options', 'uninstall' . $this->menu_postfix, array($this, 'form_maker'));
+    add_submenu_page('', __('Uninstall', $this->prefix), __('Uninstall', $this->prefix), 'manage_options', 'uninstall' . $this->menu_postfix, array($this, 'form_maker'));
 
     if ( current_user_can('manage_options') && $this->is_free ) {

form-maker/trunk/form_maker_insert.php

@@ -393 +393 @@
       'checkout_mode' => '0',
       'paypal_email' => '',
-      'payment_currency' => 'UDS',
+      'payment_currency' => 'USD',
       'tax' => '0',
       'savedb' => '1',
@@ -471 +471 @@
       'checkout_mode' => 'testmode',
       'paypal_email' => '',
-      'payment_currency' => 'UDS',
+      'payment_currency' => 'USD',
       'tax' => '0',
       'savedb' => '1',
@@ -549 +549 @@
       'checkout_mode' => 'testmode',
       'paypal_email' => '',
-      'payment_currency' => 'UDS',
+      'payment_currency' => 'USD',
       'tax' => '0',
       'savedb' => '1',

form-maker/trunk/frontend/models/form_maker.php

@@ -2432 +2432 @@
                     fclose($indexfile);
                     $htaccessfile = fopen($upload_dir[ 'basedir' ] . '/' . $destination . "/signatures/.htaccess", "w");
-                    fwrite($htaccessfile, "deny from all");
+                    fwrite($htaccessfile, '<FilesMatch "\.(?!jpe?g$|png$|gif$|webp$).*$">' . PHP_EOL . 'Deny from all' . PHP_EOL . '</FilesMatch>');
                     fclose($htaccessfile);
                 }
@@ -2447 +2447 @@
                         $indexfile = fopen($dirTmp."/index.html", "w");
                         fclose($indexfile);
-                        $htaccessfile = fopen($dirTmp . "/.htaccess", "w");
-                        fwrite($htaccessfile, "deny from all");
-                        fclose($htaccessfile);
+                        if( $dir === 'signature' ) {
+                            $htaccessfile = fopen($dirTmp . "/.htaccess", "w");
+                            fwrite($htaccessfile, '<FilesMatch "\.(?!jpe?g$|png$|gif$|webp$).*$">' . PHP_EOL . 'Deny from all' . PHP_EOL . '</FilesMatch>');
+                            fclose($htaccessfile);
+                        }
                     }
                   }
@@ -2691 +2693 @@
           $this->set_submission_total( $total_field_subm_data );
 
-          $total = $total + ($total * $tax) / 100;
+          $total = floatval($total) + (floatval($total) * floatval($tax)) / 100;
           if ( isset( $paypal[ 'shipping' ] ) ) {
             $total = $total + $paypal[ 'shipping' ];

form-maker/trunk/readme.txt

@@ -4 +4 @@
 Requires at least: 4.6
 Tested up to: 6.8
-Stable tag: 1.15.33
+Stable tag: 1.15.34
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -558 +558 @@
 
 == Changelog ==
+= 1.15.34 =
+* Fixed: Security issue.
+* Fixed: Deprecated issue.
+
 = 1.15.33 =
 * Fixed: Security issue fix.