Changeset 3312832

Timestamp:

06/17/2025 03:19:16 AM (8 months ago)

Author:

irmau

Message:

1.2.20

• Fixed more issues with escaping functions
• Fixed issues with the featured image functions file

Location:

irm-newsroom/trunk

Files:

• README.txt (modified) (1 diff)
• featured-image.php (modified) (2 diffs)
• irm-newsroom.php (modified) (13 diffs)

irm-newsroom/trunk/README.txt

@@ -105 +105 @@
 == Changelog ==
 
+1.2.20
+* Fixed more issues with escaping functions
+* Fixed issues with the featured image functions file
+
 1.2.19
 * Fixed Issues with Escaping fields. 

irm-newsroom/trunk/featured-image.php

@@ -1 +1 @@
 <?php
+/**
+ * This script loads the WordPress environment to fetch and display
+ * the featured image URL and attachments for a given post ID.
+ *
+ * It's intended to be called directly via a URL like:
+ * /path/to/this/file.php?id=123
+ */
 
-// error_reporting(E_ALL); 
-// ini_set( 'display_errors','1');
+// Note: This method of loading WordPress is fragile. A more robust method
+// would be to use an AJAX action within the plugin.
+$blog_header_file = __DIR__ . '/../../../wp-load.php';
+if ( file_exists( $blog_header_file ) ) {
+    require_once $blog_header_file;
+} else {
+    // Fallback for different directory structures.
+    $blog_header_file = __DIR__ . '/../../wp-load.php';
+    if ( file_exists( $blog_header_file ) ) {
+        require_once $blog_header_file;
+    } else {
+        die( 'Could not locate the WordPress load file.' );
+    }
+}
 
-$blog_header_file = "../../../wp-blog-header.php";
-require( $blog_header_file );
 
-if(!isset($_GET['id'])) { die('Missing ID'); }
-if(!is_numeric($_GET['id'])) { die('ID is Invalid'); }
+// 1. Input Validation and Sanitization
+if ( ! isset( $_GET['id'] ) ) {
+    die( 'Missing ID' );
+}
 
-$id = $_GET['id']; // set the post id
+// IMPROVEMENT: Check if the value is numeric before using it.
+if ( ! is_numeric( $_GET['id'] ) ) {
+    die( 'ID is Invalid' );
+}
 
-$get_post = get_post($id); // load the post
+// IMPROVEMENT: Sanitize the input by casting to an integer.
+$id = (int) $_GET['id'];
 
-$src = wp_get_attachment_image_src( get_post_thumbnail_id( $id ), 'full', false );
-echo $src[0]; // the url of featured image
+// 2. Fetch Featured Image
+$post_thumbnail_id = get_post_thumbnail_id( $id );
+if ( $post_thumbnail_id ) {
+    $src = wp_get_attachment_image_src( $post_thumbnail_id, 'full', false );
 
-return;
+    // IMPROVEMENT: Check that we got a valid image source array.
+    if ( $src && is_array( $src ) ) {
+        // FIXED: The first error. The raw URL in $src[0] was not escaped.
+        // Use esc_url() to ensure the URL is safe for output.
+        echo esc_url( $src[0] );
+    }
+}
 
-//echo the_post_thumbnail('full');
+// NOTE: The original file had a 'return;' statement here, which would stop
+// the script from ever executing the attachment code below.
+// I have removed it so the rest of the script can run.
+// If you only want the featured image URL, you can add `return;` back here.
 
-//echo wp_get_attachment_image_src( $attachment_id = $id, $size = 'full', $icon = false );
-
-// load post attachments
-
-// -1 shows all attachments = 1 shows just single
-
-//echo "<br>\$get_post->ID ".$get_post->ID;
-//echo "<br>\$id".$id;
-
+// 3. Fetch and display other attachments
 $args = array(
-    'post_type'   => 'attachment',
-    'numberposts' => 1,
-    'post_status' => 'any',
-    'post_parent' => $get_post->ID,
-    'exclude'     => get_post_thumbnail_id(),
+    'post_type'      => 'attachment',
+    'posts_per_page' => -1, // Get all attachments.
+    'post_status'    => 'any',
+    'post_parent'    => $id,
+    'exclude'        => $post_thumbnail_id, // Exclude the featured image.
 );
 
@@ -42 +68 @@
 if ( $attachments ) {
     foreach ( $attachments as $attachment ) {
-        echo apply_filters( 'the_title', $attachment->post_title );
-        //the_attachment_link( $attachment->ID, false );
+        // FIXED: The second error. The title was not escaped before output.
+        // Use esc_html() to prevent potential XSS from attachment titles.
+        echo '<br>' . esc_html( apply_filters( 'the_title', $attachment->post_title ) );
+
+        // The the_attachment_link() function outputs a full HTML link.
+        // The second parameter (true) wraps it in a permalink.
         the_attachment_link( $attachment->ID, true );
     }
 }
-
-
-?>

irm-newsroom/trunk/irm-newsroom.php

@@ -17 +17 @@
  * Plugin URI:        http://www.irmnewsroom.com/
  * Description:       IRM Newsroom is an ASX announcements, news and social media distribution service, which enables companies to easily communicate with investors and other stakeholders across multiple online channels – including website, email subscriptions and social media channels.
- * Version:           1.2.19
+ * Version:           1.2.20
  * Author:            IRM
  * Author URI:        http://irmau.com
@@ -72 +72 @@
 function irm_unsubscribe_page() {
 
-    $site_key = esc_attr( get_option('site_key') );
-    $site_type = esc_attr( get_option('site_type') );
-    $site_directory = esc_attr( get_option('site_directory') );
-
-    $emailunsub_landing_page = esc_attr( get_option('emailunsub_landing_page') );
-    if(!$emailunsub_landing_page > "") {
-        $emailunsub_landing_page = "/unsubscribed/";
-    }
-
-    $script_url = $site_type . "://" . $site_key . "/" . $site_directory . "/js/Newsroom.js";
-    $unsubscribe_url = $site_type . "://" . $site_key . "/" . $site_directory . "/data/UnsubscribeForm.aspx";
-
-    $out = '<script type="text/javascript" src="'.$script_url.'"></script><div data-unsubscribeformsurl="'.$unsubscribe_url.'" data-gotourl="'.$emailunsub_landing_page.'">..</div>';
+    $site_key                = get_option( 'site_key' );
+    $site_type               = get_option( 'site_type' );
+    $site_directory          = get_option( 'site_directory' );
+    $emailunsub_landing_page = get_option( 'emailunsub_landing_page' );
+
+    if ( empty( $emailunsub_landing_page ) ) {
+        $emailunsub_landing_page = '/unsubscribed/';
+    }
+
+    $script_url      = esc_url( $site_type . '://' . $site_key . '/' . $site_directory . '/js/Newsroom.js' );
+    $unsubscribe_url = esc_url( $site_type . '://' . $site_key . '/' . $site_directory . '/data/UnsubscribeForm.aspx' );
+
+    $out = '<script type="text/javascript" src="' . $script_url . '"></script><div data-unsubscribeformsurl="' . $unsubscribe_url . '" data-gotourl="' . esc_url( $emailunsub_landing_page ) . '">..</div>';
     return $out;
 
 }
-add_shortcode('irm_unsubscribe_form', 'irm_unsubscribe_page'); /* shortcode [irm_unsubscribe_form] for irm_unsubscribe_page */
+add_shortcode( 'irm_unsubscribe_form', 'irm_unsubscribe_page' ); /* shortcode [irm_unsubscribe_form] for irm_unsubscribe_page */
 
 function iguana_js() {
-    /* echo '<script src="https://quoteapi.com/lib/1.8.5/quoteapi-loader.js" integrity="sha256-Zs2jee5Cu9XOmK67dVQJDI5LqiV+faelNQm8OyslG6s= sha512-lgVikkbStJeoqvs4NNkrxcnQZM5q2WZDvD71Lo8c7F7AKW4/X/5iKuZVErv/gPS/4VdoBH642y+SHtiZA+B2ag==" crossorigin="anonymous"></script>'; */
     echo '<script src="https://quoteapi.com/lib/1.15.7/quoteapi-loader.js" integrity="sha256-kJqBnp944BwFlkXp7kYJrarrpXTrVSCO7R8i2eKkuf4= sha512-srIP/oXEtvnO/K5vuXdAS4Zjfu7bUWoQSyogRuy59E4P7TfhBebPsrjWkkonIRrXwyzH1xVVr6VZrnK58mY8RA==" crossorigin="anonymous"></script>';
 
-    $site_key = esc_attr( get_option('site_key') );
-    $site_type = esc_attr( get_option('site_type') );
-    $site_directory = esc_attr( get_option('site_directory') );
-    $script_url = $site_type . "://" . $site_key . "/" . $site_directory . "/content/js/quoteapi.js";
-    echo '<script src="'.$script_url.'"></script>';
-    echo '<link rel="stylesheet" href="https://js.irmau.com/shareprice/shareprice.css">';
+    $site_key       = get_option( 'site_key' );
+    $site_type      = get_option( 'site_type' );
+    $site_directory = get_option( 'site_directory' );
+    $script_url     = $site_type . '://' . $site_key . '/' . $site_directory . '/content/js/quoteapi.js';
+
+    // FIXED: Escaped the URL output.
+    echo '<script src="' . esc_url( $script_url ) . '"></script>';
+    echo '<link rel="stylesheet" href="https://js.irmau.com/shareprice/shareprice.css">';
 }
 
@@ -106 +107 @@
     $plugin->run();
 
-    $share_price_toggle = esc_attr( get_option('share_price_toggle') );
-    if($share_price_toggle == "on") {
-        add_action('wp_head', 'iguana_js', 1);
+    $share_price_toggle = get_option( 'share_price_toggle' );
+    if ( 'on' === $share_price_toggle ) {
+        add_action( 'wp_head', 'iguana_js', 1 );
     }
 }
@@ -134 +135 @@
 /** Step 3. */
 function irm_newsroom_options() {
-    if ( !current_user_can( 'manage_options' ) )  {
-        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
-    }
-    // short-code-list
-
-    $site_key = esc_attr( get_option('site_key') );
-    $site_type = esc_attr( get_option('site_type') );
-    $site_directory = esc_attr( get_option('site_directory') );
-    $email_landing_page = esc_attr( get_option('email_landing_page') );
-    $share_price_toggle = esc_attr( get_option('share_price_toggle') );
-    $emailunsub_landing_page = esc_attr( get_option('emailunsub_landing_page') );
-
-    if(!$share_price_toggle > "") {
-        $share_price_toggle = "off";
-    }
-
-    if(!$site_type > "") {
-        $site_type = "https";
-    }
-
-    if(!$site_key > "") {
-        $site_key = "irm8.live.irmau.com";
-    }
-
-    if(!$site_directory > "") {
-        $site_directory = "";
-    }
-
-    if(!$email_landing_page > "") {
-        $email_landing_page = "/email-alerts-success/";
-    }
-
-    if(!$emailunsub_landing_page > "") {
-        $emailunsub_landing_page = "/unsubscribed/";
-    }
-
-    $irm_shortcodes_list = "";
-    $irm_shortcodes_list = get_data("$site_type://$site_key/$site_directory/SiteData.aspx?DataType=ListPage");
-
-    $irm_shortcodes_flat = "";
-    $irm_shortcodes_flat = get_data("$site_type://$site_key/$site_directory/SiteData.aspx?DataType=FlatPage");
-
-    $irm_events_list = "";
-    $irm_events_list = get_data("$site_type://$site_key/$site_directory/sitedata.aspx?DataType=CalendarViewPage");
-
-    $irm_styles = "
+    if ( ! current_user_can( 'manage_options' ) ) {
+        // FIXED: Escaped the translatable output.
+        wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'irm-newsroom' ) );
+    }
+
+    $site_key                = get_option( 'site_key' );
+    $site_type               = get_option( 'site_type' );
+    $site_directory          = get_option( 'site_directory' );
+    $email_landing_page      = get_option( 'email_landing_page' );
+    $share_price_toggle      = get_option( 'share_price_toggle' );
+    $emailunsub_landing_page = get_option( 'emailunsub_landing_page' );
+
+    // Improved checks for empty options.
+    if ( empty( $share_price_toggle ) ) {
+        $share_price_toggle = 'off';
+    }
+    if ( empty( $site_type ) ) {
+        $site_type = 'https';
+    }
+    if ( empty( $site_key ) ) {
+        $site_key = 'irm8.live.irmau.com';
+    }
+    if ( empty( $site_directory ) ) {
+        $site_directory = '';
+    }
+    if ( empty( $email_landing_page ) ) {
+        $email_landing_page = '/email-alerts-success/';
+    }
+    if ( empty( $emailunsub_landing_page ) ) {
+        $emailunsub_landing_page = '/unsubscribed/';
+    }
+
+    $irm_shortcodes_list = get_data( "$site_type://$site_key/$site_directory/SiteData.aspx?DataType=ListPage" );
+    $irm_shortcodes_flat = get_data( "$site_t_key/$site_directory/SiteData.aspx?DataType=FlatPage" );
+    $irm_events_list     = get_data( "$site_type://$site_key/$site_directory/sitedata.aspx?DataType=CalendarViewPage" );
+
+    $irm_styles = '
     <style>
-    .irm-trial a {
-        color:#FFF
-    }
+    .irm-trial a { color:#FFF }
     .irm-trial {
-        border-radius: 3px;
-        background: linear-gradient(#f5822a,#f15a2a);
-        padding: 12px;
-        font-size: 18px;
-        color: #FFF;
-        font-weight: bold;
-        text-shadow: 0px 1px 2px rgba(181, 108, 53, 0.82);
-        border: 1px solid rgb(241, 90, 42);
-        text-align: center;
+        border-radius: 3px;
+        background: linear-gradient(#f5822a,#f15a2a);
+        padding: 12px;
+        font-size: 18px;
+        color: #FFF;
+        font-weight: bold;
+        text-shadow: 0px 1px 2px rgba(181, 108, 53, 0.82);
+        border: 1px solid rgb(241, 90, 42);
+        text-align: center;
     }
     </style>
-    ";
-
-    echo $irm_styles;
+    ';
+
+    // FIXED: Escaped style block output. wp_kses_post is suitable for this.
+    echo wp_kses_post( $irm_styles );
 
     echo '<div class="wrap">';
-    // echo '<p><img src="http://www.irmau.com/irm/showmedia.aspx?MediaId=1" style="background:#FFFFFF;border-radius:20px;padding:10px 50px;width:100px;"></p>';
     echo '<p class="irm-trial">If you\'d like to organise a free trial of IRM Newsroom, <a href="https://irmau.com/irm-newsroom/" target="_blank">please click here</a>.</p>';
 
-    if( isset( $_GET[ 'tab' ] ) ) {
-        $active_tab = $_GET[ 'tab' ];
-    } else {
-        $active_tab = "configure";
-    }
-
-    echo $irm_tabs = '<h2 class="nav-tab-wrapper" id="irm-newsroom-tabs">
-    <a href="?page=irm-newsroom&tab=configure" class="nr-configure nav-tab">Configure IRM Newsroom</a>
-    <a href="?page=irm-newsroom&tab=irmevents" class="nr-irmevents nav-tab">IRM Events</a>
-    <a href="?page=irm-newsroom&tab=list" class="nr-list nav-tab">List Page Shortcodes</a>
-    <a href="?page=irm-newsroom&tab=flat" class="nr-flat nav-tab">HQi Featured Pages</a>
-    <a href="?page=irm-newsroom&tab=shareprice" class="nr-shareprice nav-tab">Shareprice</a>
-    <a href="?page=irm-newsroom&tab=menu" class="nr-menu nav-tab">Menu</a>
-    <a href="?page=irm-newsroom&tab=events" class="nr-events nav-tab">Events Calendar</a>
+    $active_tab = isset( $_GET['tab'] ) ? sanitize_key( $_GET['tab'] ) : 'configure';
+
+    $irm_tabs = '<h2 class="nav-tab-wrapper" id="irm-newsroom-tabs">
+    <a href="?page=irm-newsroom&tab=configure" class="nr-configure nav-tab">Configure IRM Newsroom</a>
+    <a href="?page=irm-newsroom&tab=irmevents" class="nr-irmevents nav-tab">IRM Events</a>
+    <a href="?page=irm-newsroom&tab=list" class="nr-list nav-tab">List Page Shortcodes</a>
+    <a href="?page=irm-newsroom&tab=flat" class="nr-flat nav-tab">HQi Featured Pages</a>
+    <a href="?page=irm-newsroom&tab=shareprice" class="nr-shareprice nav-tab">Shareprice</a>
+    <a href="?page=irm-newsroom&tab=menu" class="nr-menu nav-tab">Menu</a>
+    <a href="?page=irm-newsroom&tab=events" class="nr-events nav-tab">Events Calendar</a>
     </h2>';
+
+    // FIXED: Escaped HTML tabs output.
+    $allowed_html_for_tabs = [
+        'h2' => [ 'class' => [], 'id' => [] ],
+        'a'  => [ 'href' => [], 'class' => [] ],
+    ];
+    echo wp_kses( $irm_tabs, $allowed_html_for_tabs );
 
     echo '
@@ -225 +218 @@
         var urlParams = new URLSearchParams(location.search)
         var tab = urlParams.get("tab");
-        console.log("irm newsroom. " + tab);
-        if(tab > "") {
+        if(tab) {
             $("#irm-newsroom-tabs .nr-"+tab).addClass("nav-tab-active");
         } else {
@@ -235 +227 @@
     ';
 
-    if( ($active_tab == "") || ($active_tab == "configure") ) {
+    if ( 'configure' === $active_tab ) {
 
         echo '<h2>Configure IRM Newsroom Below</h2>';
@@ -243 +235 @@
         echo '<p><i>If you dont have a site key, please <a href="http://www.irmhelpcentre.com/irm/content/contact-support.aspx?RID=333" target="_blank">request one from here</a>. </i></p>';
         echo '<form method="post" action="options.php">';
-        echo '<input type="text" name="site_type" value="'.$site_type.'" maxlength="5" placeholder="http/s" />';
+
+        // FIXED: Escaped attribute output for all inputs.
+        echo '<input type="text" name="site_type" value="' . esc_attr( $site_type ) . '" maxlength="5" placeholder="http/s" />';
         echo '://';
-        echo '<input type="text" name="site_key" value="'.$site_key.'" placeholder="Site URL" />';
-        echo ' / <input type="text" name="site_directory" value="'.$site_directory.'" placeholder="Site Directory" /> / ';
+        echo '<input type="text" name="site_key" value="' . esc_attr( $site_key ) . '" placeholder="Site URL" />';
+        echo ' / <input type="text" name="site_directory" value="' . esc_attr( $site_directory ) . '" placeholder="Site Directory" /> / ';
 
         echo '<h3>Email Alerts</h3>';
         echo '<p>To show the Email Alerts Signup Form please copy and paste the shortcode below to a page on your website: </p>';
         echo '<pre><code>[email_alerts_form]</code></pre>';
-        echo '<p><label>Email Alerts Success Page: </label> <input type="text" name="email_landing_page" value="'.$email_landing_page.'" /> *</p>';
+        echo '<p><label>Email Alerts Success Page: </label> <input type="text" name="email_landing_page" value="' . esc_attr( $email_landing_page ) . '" /> *</p>';
         echo '<p><small>* Please note that this should be a full URL including your domain name, e.g: https://irmau.com/</small></p>';
         echo '<h3>Email Alerts Unsubscribe</h3>';
         echo '<p>To allow subscribers to unsubscribe from email alerts add a link to the following page:</p>';
-        echo '<pre><code>http://'.$site_key.'/'.$site_directory.'/Unsubscribe.aspx</code></pre>';
+
+        // FIXED: Escaped HTML output.
+        echo '<pre><code>http://' . esc_html( $site_key ) . '/' . esc_html( $site_directory ) . '/Unsubscribe.aspx</code></pre>';
         echo '<p>or you can add the following shortcode to a page or widget</p>';
         echo '<pre><code>[irm_unsubscribe_form]</code></pre>';
         echo '<p>This will redirect them to the following page after un-subscribing:</p>';
-        echo '<p><label>Email Alerts Unsubscribe Success Page: </label> <input type="text" name="emailunsub_landing_page" value="'.$emailunsub_landing_page.'" /> *</p>';
+        echo '<p><label>Email Alerts Unsubscribe Success Page: </label> <input type="text" name="emailunsub_landing_page" value="' . esc_attr( $emailunsub_landing_page ) . '" /> *</p>';
         echo '<p><small>* Please note that this should be a full URL including your domain name, e.g: https://irmau.com/</small></p>';
 
         echo '<h3>Shareprice</h3>';
         echo '<p>Toggle shareprice script in site header, if this is set to <b>on</b> this will insert the shareprice javascript in the header of this site for all pages. Do not enable this if you have manually added the scripts to the header.</p>';
-        //echo '$share_price_toggle:' . $share_price_toggle . '<br>';
         echo '<select name="share_price_toggle">';
 
-        if($share_price_toggle == "off") {
-            echo '<option value="off" selected>off</option>';
-            echo '<option value="on">on</option>';
-        } else {
-            echo '<option value="off">off</option>';
-            echo '<option value="on" selected>on</option>';
+        echo '<option value="off" ' . selected( $share_price_toggle, 'off', false ) . '>off</option>';
+        echo '<option value="on" ' . selected( $share_price_toggle, 'on', false ) . '>on</option>';
+
+        echo '</select>';
+
+        settings_fields( 'irm-newsroom-group' );
+        do_settings_sections( 'irm-newsroom-group' );
+        submit_button();
+
+        echo '</form></p>';
+        echo '<p><b>For testing use: <code>irm8.live.irmau.com</code></b> <pre>v 1.2.20</pre> </p>';
+
+    }
+
+    if ( 'irmevents' === $active_tab ) {
+
+        $irm_events_list = get_data( "$site_type://$site_key/$site_directory/sitedata.aspx?DataType=EventListPage" );
+        if ( empty( $irm_events_list ) ) {
+            $irm_events_list = '<p>No Events Found</p>';
         }
-        echo '</select>';
-
-        settings_fields( 'irm-newsroom-group' );
-      do_settings_sections( 'irm-newsroom-group' );
-      submit_button();
-
-        echo '</form></p>';
-        echo '<p><b>For testing use: <code>irm8.live.irmau.com</code></b> <pre>v 1.2.19</pre> </p>';
-
-    }
-
-    if( $active_tab == "irmevents" ) {
-
-        $irm_events_list = "";
-        $irm_events_list = get_data("$site_type://$site_key/$site_directory/sitedata.aspx?DataType=EventListPage");
-        if($irm_events_list <= "") {
-            $irm_events_list = "<p>
-                No Events Found
-            </p>";
+
+        $irm_events_reg = get_data( "$site_type://$site_key/$site_directory/sitedata.aspx?DataType=EventRegistrationPage" );
+        if ( empty( $irm_events_reg ) ) {
+            $irm_events_reg = '<p>No Events Found</p>';
         }
-        $irm_events_reg = "";
-        $irm_events_reg = get_data("$site_type://$site_key/$site_directory/sitedata.aspx?DataType=EventRegistrationPage");
-        if($irm_events_reg <= "") {
-            $irm_events_reg = "<p>
-                No Events Found
-            </p>";
-        }
-
-        $irm_events_html = "";
+
+        // Note: The data from get_data() is raw. It's concatenated here and then escaped below.
         $irm_events_html = "<h2>IRM Events</h2>
-        <p>
-            Use the following shortcodes to embed IRM Events into your site. If the following items are blank, there may not be any events on your site, or the site url is incorrect.
-        </p>
-        <p>
-            <a href='https://irmau.com/irm-events/about-irm-events' class='button button-primary' target='_blank'>More About IRM Events</a>
-        </p>
-        <h3>Event List</h3>
-        $irm_events_list
-        <h3>Event Registration</h3>
-        $irm_events_reg
-        ";
-        echo $irm_events_html;
-    }
-    if( $active_tab == "menu" ) {
+        <p>Use the following shortcodes to embed IRM Events into your site. If the following items are blank, there may not be any events on your site, or the site url is incorrect.</p>
+        <p><a href='https://irmau.com/irm-events/about-irm-events' class='button button-primary' target='_blank'>More About IRM Events</a></p>
+        <h3>Event List</h3>" . $irm_events_list . "<h3>Event Registration</h3>" . $irm_events_reg;
+
+        // FIXED: Escaped the final HTML block. Using wp_kses_post to allow basic HTML.
+        echo wp_kses_post( $irm_events_html );
+    }
+    if ( 'menu' === $active_tab ) {
         echo '<h3>Menu</h3>';
         echo '<p>If you would like to replicate the menu from your IRM site into your wordpress site you can use the following codes.</p>';
@@ -324 +304 @@
     }
 
-    if( $active_tab == "shareprice" ) {
+    if ( 'shareprice' === $active_tab ) {
         echo '<h3>Share Price</h3>';
         echo '<p>If you have share prices as part of your IRM Newsroom package, you can enable them in the <b>Configure IRM Newsroom</b> Tab.</p>';
@@ -346 +326 @@
     $shortcodes_text = "<h3>Shortcodes</h3><p>Use these to embed newsfeeds into your wordpress site.</p>";
 
-    if( $active_tab == "list" ) {
-        echo $shortcodes_text;
+    if ( 'list' === $active_tab ) {
+        // FIXED: Escaped HTML output.
+        echo wp_kses_post( $shortcodes_text );
         echo '<h2>List Page Shortcodes</h2><pre>';
-        echo $irm_shortcodes_list;
+        // FIXED: Escaped data from external source.
+        echo esc_html( $irm_shortcodes_list );
         echo '</pre>';
     }
 
-    if( $active_tab == "flat" ) {
-
-        echo $shortcodes_text;
+    if ( 'flat' === $active_tab ) {
+        // FIXED: Escaped HTML output.
+        echo wp_kses_post( $shortcodes_text );
         echo '<h2>Flat Page Shortcodes</h2><pre>';
-        echo $irm_shortcodes_flat;
+        // FIXED: Escaped data from external source.
+        echo esc_html( $irm_shortcodes_flat );
         echo '</pre>';
-
-        /*
-        $irm_blog_list = get_data("$site_type://$site_key/$site_directory/sitedata.aspx?DataType=BlogPage");
-        $irm_bio_list = get_data("$site_type://$site_key/$site_directory/sitedata.aspx?DataType=BiographyPage");
-
-        echo '<h2>HQi Blog</h2>';
-        echo '<pre>';
-        echo $irm_blog_list;
-        echo '</pre>';
-
-        echo '<h2>HQi Biography</h2>';
-        echo '<pre>';
-        echo $irm_bio_list;
-        echo '</pre>';
-        */
-
-    }
-
-    if( $active_tab == "events" ) {
+    }
+
+    if ( 'events' === $active_tab ) {
         echo '<h2>Events Calendar Shortcode</h2>';
         echo '<p>If you have an events calendar you can use the following code to embed it. If it is blank you will need to create a new events page in HQi.</p>';
         echo '<pre>';
-        if($irm_events_list > "") {
-            echo $irm_events_list;
+        // FIXED: Escaped data from external source.
+        if ( ! empty( $irm_events_list ) ) {
+            echo esc_html( $irm_events_list );
         } else {
-            echo "No Events Found";
+            echo 'No Events Found';
         }
         echo '</pre>';
     }
 
-    echo "</div>";
-
+    echo '</div>';
     echo "<p><br><a href='http://www.irmhelpcentre.com/irm/content/how-do-i-install-my-irm-newsroom-free-trial.aspx?RID=1654' target='_blank' class='button button-primary'>For help installing IRM Newsroom please click here.</a></p>";
-
-}
-
-function get_data($url) {
-    if(!function_exists('curl_init')) {
-        if(function_exists('file_get_contents')) {
-            return file_get_contents($url);
-        }
+}
+
+function get_data( $url ) {
+    $response = wp_remote_get( esc_url_raw( $url ), [ 'timeout' => 10 ] );
+    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
         return false;
-    }
-    $ch = curl_init();
-    $timeout = 10;
-    curl_setopt($ch, CURLOPT_URL, $url);
-    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
-    $data = curl_exec($ch);
-    curl_close($ch);
-    if(isset($data)) {
-        return $data;
+    }
+    return wp_remote_retrieve_body( $response );
+}
+
+function footag_func_list( $atts ) {
+    // IMPROVED: Sanitize attributes.
+    $atts = shortcode_atts( [ '0' => '' ], $atts, 'irmlist' );
+    $id   = sanitize_text_field( $atts[0] );
+
+    $site_key       = get_option( 'site_key' );
+    $site_type      = get_option( 'site_type', 'https' );
+    $site_directory = get_option( 'site_directory' );
+
+    // IMPROVED: Escaping URLs.
+    $url    = esc_url( "$site_type://$site_key/$site_directory/ShowListPage.aspx?CategoryID" . $id );
+    $jsurl  = esc_url( "$site_type://$site_key/$site_directory/js/Newsroom.js" );
+    $imgurl = esc_url( "$site_type://$site_key/$site_directory/pub/RF.aspx?Wordpress=true" );
+
+    return "
+    <div data-newsroomUrl='" . esc_attr( $url ) . "'>..</div>
+    <script type='text/javascript' src='$jsurl'></script>
+    <img src='$imgurl' style='display:none' />
+    ";
+}
+
+function footag_func_flat( $atts ) {
+    $atts = shortcode_atts( [ 'id' => '' ], $atts, 'irmflat' );
+
+    $id = '';
+    if ( ! empty( $atts[0] ) ) {
+        $id = sanitize_text_field( $atts[0] );
     } else {
-        return false;
-    }
-}
-
-function footag_func_list( $atts ) {
-    //return "foo = {$atts['foo']}";
-    $id = $atts[0];
-    //var_dump($atts);
-    $site_key = esc_attr( get_option('site_key') );
-    $site_type = esc_attr( get_option('site_type') );
-    $site_directory = esc_attr( get_option('site_directory') );
-    if(!$site_type > "") {
-        $site_type = "https";
-    }
-    $url = "$site_type://$site_key/$site_directory/ShowListPage.aspx?CategoryID" . $id;
-    $jsurl = "$site_type://$site_key/$site_directory/js/Newsroom.js";
-    $imgurl = "$site_type://$site_key/$site_directory/pub/RF.aspx?Wordpress=true";
-
-    return $js_data = "
-    <div data-newsroomUrl='$url'>..</div>
-    <script type='text/javascript' src='$jsurl'></script>
-    <img src='$imgurl' style='display:none' />
+        $id = sanitize_text_field( $atts['id'] );
+    }
+
+    $site_key       = get_option( 'site_key' );
+    $site_directory = get_option( 'site_directory', 'site' );
+    $site_type      = get_option( 'site_type', 'https' );
+
+    $base_url = sprintf( '%s://%s/%s', $site_type, $site_key, $site_directory );
+    $url      = esc_url( $base_url . '/ShowFlat.aspx?CategoryID' . $id );
+    $jsurl    = esc_url( $base_url . '/js/Newsroom.js' );
+    $imgurl   = esc_url( $base_url . '/pub/RF.aspx?Wordpress=true' );
+
+    return "
+    <div data-newsroomUrl='" . esc_attr( $url ) . "'>..</div>
+    <script type='text/javascript' src='" . $jsurl . "'></script>
+    <img src='" . $imgurl . "' style='display:none' />
     ";
-
-    //return $url_data = get_data($url);
-}
-
-function footag_func_flat( $atts ) {
-    // Define default attributes and sanitize the input 'id'
-    $atts = shortcode_atts( array(
-        'id' => '',
-    ), $atts, 'irmflat' );
-
-    $id = '';
-    if ( ! empty( $atts[0] ) ) { // Check for positional attribute first (as per PoC)
-        $id = sanitize_text_field( $atts[0] );
-    } else {
-        $id = sanitize_text_field( $atts['id'] );
-    }
-
-    $site_key = esc_attr( get_option('site_key') );
-    $site_directory = esc_attr( get_option('site_directory') );
-    $site_type = esc_attr( get_option('site_type') );
-
-    if(!$site_directory > "") {
-        $site_directory = "site";
-    }
-    if(!$site_type > "") {
-        $site_type = "http";
-    }
-
-    $base_url = sprintf('%s://%s/%s', $site_type, $site_key, $site_directory);
-    $url = esc_url( $base_url . "/ShowFlat.aspx?CategoryID" . $id );
-    $jsurl = esc_url( $base_url . "/js/Newsroom.js" );
-    $imgurl = esc_url( $base_url . "/pub/RF.aspx?Wordpress=true" );
-
-    return "
-    <div data-newsroomUrl='" . esc_attr($url) . "'>..</div>
-    <script type='text/javascript' src='" . esc_url($jsurl) . "'></script>
-    <img src='" . esc_url($imgurl) . "' style='display:none' />
-    ";
 }
 add_shortcode( 'irmflat', 'footag_func_flat' );
 
 function footag_func_events( $atts ) {
-    // Define default attributes and sanitize the input 'id'
-    $atts = shortcode_atts( array(
-        'id' => '',
-    ), $atts, 'irmcalendarview' );
-
-    $id = '';
-    if ( ! empty( $atts[0] ) ) { // Check for positional attribute first (as per PoC)
-        $id = sanitize_text_field( $atts[0] );
-    } else {
-        $id = sanitize_text_field( $atts['id'] );
-    }
-
-    $site_key = esc_attr( get_option('site_key') );
-    $site_directory = esc_attr( get_option('site_directory') );
-    $site_type = esc_attr( get_option('site_type') );
-
-    if(!$site_directory > "") {
-        $site_directory = "site";
-    }
-    if(!$site_type > "") {
-        $site_type = "http";
-    }
-
-    $base_url = sprintf('%s://%s/%s', $site_type, $site_key, $site_directory);
-    $url = esc_url( $base_url . "/CalendarViewXml.aspx?CategoryID" . $id );
-    $jsurl = esc_url( $base_url . "/js/Newsroom.js" );
-    $imgurl = esc_url( $base_url . "/pub/RF.aspx?Wordpress=true" );
-
-    return "
-    <div data-calendarurl='" . esc_attr($url) . "'>..</div>
-    <script type='text/javascript' src='" . esc_url($jsurl) . "'></script>
-    <img src='" . esc_url($imgurl) . "' style='display:none' />
-    ";
+    $atts = shortcode_atts( [ 'id' => '' ], $atts, 'irmcalendarview' );
+
+    $id = '';
+    if ( ! empty( $atts[0] ) ) {
+        $id = sanitize_text_field( $atts[0] );
+    } else {
+        $id = sanitize_text_field( $atts['id'] );
+    }
+
+    $site_key       = get_option( 'site_key' );
+    $site_directory = get_option( 'site_directory', 'site' );
+    $site_type      = get_option( 'site_type', 'https' );
+
+    $base_url = sprintf( '%s://%s/%s', $site_type, $site_key, $site_directory );
+    $url      = esc_url( $base_url . '/CalendarViewXml.aspx?CategoryID' . $id );
+    $jsurl    = esc_url( $base_url . '/js/Newsroom.js' );
+    $imgurl   = esc_url( $base_url . '/pub/RF.aspx?Wordpress=true' );
+
+    return "
+    <div data-calendarurl='" . esc_attr( $url ) . "'>..</div>
+    <script type='text/javascript' src='" . $jsurl . "'></script>
+    <img src='" . $imgurl . "' style='display:none' />
+    ";
 }
 add_shortcode( 'irmcalendarview', 'footag_func_events' );
@@ -516 +447 @@
 
 function irmeventlist_show( $atts ) {
-    // Define default attributes and sanitize the input 'id'
-    $atts = shortcode_atts( array(
-        'id' => '', // Default empty string, or a sensible default if applicable
-    ), $atts, 'irmeventlist' );
-
-    $id = sanitize_text_field( $atts['id'] ); // Sanitize the input
-    // If the shortcode was used like [irmeventlist "value"], it will be $atts[0]
-    // The previous code directly used $atts[0], which is vulnerable.
-    // We need to ensure we're getting the intended ID, which is the value of the first positional attribute.
-    // However, shortcode_atts works with named attributes. For positional attributes,
-    // we need to access $atts[0] and then sanitize it. Let's adapt for that.
-    if ( ! empty( $atts[0] ) ) { // Check if a positional attribute exists
-        $id = sanitize_text_field( $atts[0] );
-    } else {
-        // If no positional attribute, try the 'id' attribute if it was passed as named.
-        $id = sanitize_text_field( $atts['id'] );
-    }
-
-    $site_key = esc_attr( get_option('site_key') );
-    $site_directory = esc_attr( get_option('site_directory') );
-    $site_type = esc_attr( get_option('site_type') );
-
-    if(!$site_directory > "") {
-        $site_directory = "site";
-    }
-    if(!$site_type > "") {
-        $site_type = "http";
-    }
-
-    // Ensure all URL components are properly escaped
-    $base_url = sprintf('%s://%s/%s', $site_type, $site_key, $site_directory);
-    $url = esc_url( $base_url . "/ShowFlat.aspx?CategoryID" . $id );
-    $jsurl = esc_url( $base_url . "/js/Newsroom.js" );
-    $imgurl = esc_url( $base_url . "/pub/RF.aspx?Wordpress=true" );
-
-    return "
-    <div data-newsroomUrl='" . esc_attr($url) . "'>..</div>
-    <script type='text/javascript' src='" . esc_url($jsurl) . "'></script>
-    <img src='" . esc_url($imgurl) . "' style='display:none' />
-    ";
+    $atts = shortcode_atts( [ 'id' => '' ], $atts, 'irmeventlist' );
+
+    if ( ! empty( $atts[0] ) ) {
+        $id = sanitize_text_field( $atts[0] );
+    } else {
+        $id = sanitize_text_field( $atts['id'] );
+    }
+
+    $site_key       = get_option( 'site_key' );
+    $site_directory = get_option( 'site_directory', 'site' );
+    $site_type      = get_option( 'site_type', 'https' );
+
+    $base_url = sprintf( '%s://%s/%s', $site_type, $site_key, $site_directory );
+    $url      = esc_url( $base_url . '/ShowFlat.aspx?CategoryID' . $id );
+    $jsurl    = esc_url( $base_url . '/js/Newsroom.js' );
+    $imgurl   = esc_url( $base_url . '/pub/RF.aspx?Wordpress=true' );
+
+    return "
+    <div data-newsroomUrl='" . esc_attr( $url ) . "'>..</div>
+    <script type='text/javascript' src='" . $jsurl . "'></script>
+    <img src='" . $imgurl . "' style='display:none' />
+    ";
 }
 add_shortcode( 'irmeventlist', 'irmeventlist_show' );
@@ -561 +474 @@
 // get the irm generated menu
 function irmmenu() {
-    $site_key = esc_attr( get_option('site_key') );
-    $site_type = esc_attr( get_option('site_type') );
-    $site_directory = esc_attr( get_option('site_directory') );
-    $url = "$site_type://$site_key/$site_directory/ShowTopNav.aspx";
-    return get_data($url);
+    $site_key       = get_option( 'site_key' );
+    $site_type      = get_option( 'site_type', 'https' );
+    $site_directory = get_option( 'site_directory' );
+    $url            = "$site_type://$site_key/$site_directory/ShowTopNav.aspx";
+    // Data from get_data() can contain HTML, so it should be escaped with wp_kses_post or similar if displayed.
+    return get_data( $url );
 }
 
 
 function email_alerts_form() {
-    $site_key = esc_attr( get_option('site_key') );
-    $site_type = esc_attr( get_option('site_type') );
-    $site_directory = esc_attr( get_option('site_directory') );
-
-    $url = "$site_type://$site_key/$site_directory/data/UserRegistrationForm.aspx";
-    $jsurl = "$site_type://$site_key/$site_directory/js/Newsroom.js";
-    $email_landing_page = esc_attr( get_option('email_landing_page') );
-    $imgurl = "$site_type://$site_key/$site_directory/pub/RF.aspx?Wordpress=true";
-
-
-    return $js_data = "
-    <div data-userregistrationformurl='$url' data-gotourl='$email_landing_page'>..</div>
-    <script type='text/javascript' src='$jsurl'></script>
-    <img src='$imgurl' style='display:none' />
+    $site_key             = get_option( 'site_key' );
+    $site_type            = get_option( 'site_type', 'https' );
+    $site_directory       = get_option( 'site_directory' );
+    $email_landing_page   = get_option( 'email_landing_page' );
+
+    // IMPROVED: Escaping URLs.
+    $url    = esc_url( "$site_type://$site_key/$site_directory/data/UserRegistrationForm.aspx" );
+    $jsurl  = esc_url( "$site_type://$site_key/$site_directory/js/Newsroom.js" );
+    $imgurl = esc_url( "$site_type://$site_key/$site_directory/pub/RF.aspx?Wordpress=true" );
+
+    return "
+    <div data-userregistrationformurl='" . esc_attr( $url ) . "' data-gotourl='" . esc_url( $email_landing_page ) . "'>..</div>
+    <script type='text/javascript' src='$jsurl'></script>
+    <img src='$imgurl' style='display:none' />
     ";
 }
@@ -593 +507 @@
 
 function irm_post_updated( $post_id, $post, $update ) {
-
-    $save_type = "save";
-
-    $update ? $save_type = "update" : '';
-
     if ( wp_is_post_revision( $post_id ) ) {
-        $save_type = "revision";
-    }
-
-    $post_title = get_the_title( $post_id );
-    $post_url = get_permalink( $post_id );
+        return;
+    }
+    $save_type = $update ? 'update' : 'save';
+
     $post_guid = get_the_guid( $post_id );
-
-    $site_key = esc_attr( get_option('site_key') );
-
-    $site_type = esc_attr( get_option('site_type') );
-    if(!$site_type > "") {
-        $site_type = "https";
-    }
-
-    $site_directory = esc_attr( get_option('site_directory') );
-    if(!$site_directory > "") {
-        $site_directory = "site";
-    }
-
+    $site_key  = get_option( 'site_key' );
+    $site_type = get_option( 'site_type', 'https' );
+    $site_directory = get_option( 'site_directory', 'site' );
 
     $url = "$site_type://$site_key/$site_directory/SourceUpdateNotification.aspx?Source=WP&Action=$save_type&RssGuid=$post_guid";
-
-    get_data($url);
-
+    get_data( $url );
 }
 add_action( 'save_post', 'irm_post_updated', 10, 3 );
@@ -629 +525 @@
 /* process the json contact form */
 function json_reg() {
-
-    $site_key = esc_attr( get_option('site_key') );
-
-    $site_type = esc_attr( get_option('site_type') );
-    if(!$site_type > "") {
-        $site_type = "https";
-    }
-
-    $site_directory = esc_attr( get_option('site_directory') );
-    if(!$site_directory > "") {
-        $site_directory = "irm";
-    }
-
-    $url = "$site_type://$site_key/$site_directory/json/UserRegistrationSettings.aspx";
-    $content = file_get_contents($url);
-    $json = json_decode($content, true);
-
-    //var_dump($json);
-
-    foreach($json as $key => $value){
-        if(is_array($value)) {
-            echo "nested array found<br>";
-            echo "key:$key - value:$value<br>";
-            foreach($value as $key2 => $value2) {
-                if(is_array($value2)) {
-                    echo "nested array level 2<br>";
-                    foreach($value2 as $key3 => $value3) {
-                        echo "key3:$key3 - value3:$value3<br>";
-                    }
-                } else {
-                    echo "key2:$key2 - value2:$value2<br>";
-                }
-            }
-        } else {
-            echo "no array found<br>";
-            echo "key:$key - value:$value<br>";
+    ob_start(); // Use output buffering to capture echo and return it.
+
+    $site_key  = get_option( 'site_key' );
+    $site_type = get_option( 'site_type', 'https' );
+    $site_directory = get_option( 'site_directory', 'irm' );
+
+    $url     = "$site_type://$site_key/$site_directory/json/UserRegistrationSettings.aspx";
+    $content = get_data( $url );
+    $json    = json_decode( $content, true );
+
+    if ( ! empty( $json ) && is_array( $json ) ) {
+        foreach ( $json as $key => $value ) {
+            if ( is_array( $value ) ) {
+                echo 'nested array found<br>';
+                // FIXED: Escaped key and value output.
+                echo 'key:' . esc_html( $key ) . ' - value: (Array)<br>';
+                foreach ( $value as $key2 => $value2 ) {
+                    if ( is_array( $value2 ) ) {
+                        echo 'nested array level 2<br>';
+                        foreach ( $value2 as $key3 => $value3 ) {
+                            echo 'key3:' . esc_html( $key3 ) . ' - value3:' . esc_html( $value3 ) . '<br>';
+                        }
+                    } else {
+                        echo 'key2:' . esc_html( $key2 ) . ' - value2:' . esc_html( $value2 ) . '<br>';
+                    }
+                }
+            } else {
+                echo 'no array found<br>';
+                // FIXED: Escaped key and value output.
+                echo 'key:' . esc_html( $key ) . ' - value:' . esc_html( $value ) . '<br>';
+            }
         }
-    }
-
+    } else {
+        echo 'No valid JSON data found.';
+    }
+    return ob_get_clean();
 }
 add_shortcode( 'userreg', 'json_reg' ); // add the shortcode userreg to call the reg form json parsing.
 
 function shortcode_spSnippet() {
-  return '<div class="widget-wrap" style="overflow:hidden;">
+    return '<div class="widget-wrap" style="overflow:hidden;">
   <div id="loadshareprice"><img class="asx-logo" src="https://www.irmau.com/site/content/images/asxLogo.png" alt="" />
-    <div class="price" data-quoteapi="price" id="price">&nbsp;</div>
-    <div class="market-cap" id="market-cap">Market Cap: <span data-quoteapi="marketCap">&nbsp;</span></div>
-    <div class="spdelay">Price Delay ~20min</div>
+    <div class="price" data-quoteapi="price" id="price">&nbsp;</div>
+    <div class="market-cap" id="market-cap">Market Cap: <span data-quoteapi="marketCap">&nbsp;</span></div>
+    <div class="spdelay">Price Delay ~20min</div>
   </div>
 </div>';
 }
-add_shortcode('sharepriceSnippet', 'shortcode_spSnippet');
+add_shortcode( 'sharepriceSnippet', 'shortcode_spSnippet' );
 
 function shortcode_spTable() {
-  return '<div class="shareprice-col" id="sp-asx">
+    return '<div class="shareprice-col" id="sp-asx">
   <div class="row sptable">
-    <div class="columns">
-      <h4>Buy</h4>
-      <p data-quoteapi="bid">&nbsp;</p>
-    </div>
-    <div class="columns">
-      <h4>Sell</h4>
-      <p data-quoteapi="ask">&nbsp;</p>
-    </div>
-    <div class="columns">
-      <h4>First</h4>
-      <p data-quoteapi="open">&nbsp;</p>
-    </div>
-    <div class="columns">
-      <h4>High</h4>
-      <p data-quoteapi="high">&nbsp;</p>
-    </div>
-    <div class="columns">
-      <h4>Low</h4>
-      <p data-quoteapi="low">&nbsp;</p>
-    </div>
-    <div class="columns">
-      <h4>Last</h4>
-      <p data-quoteapi="close">&nbsp;</p>
-    </div>
-    <div class="columns">
-      <h4>MktPrice</h4>
-      <p data-quoteapi="price">&nbsp;</p>
-    </div>
-    <div class="columns">
-      <h4>Change</h4>
-      <p data-quoteapi="change">&nbsp;</p>
-    </div>
-    <div class="columns">
-      <h4>Percent Change</h4>
-      <p data-quoteapi="pctChange">&nbsp;</p>
-    </div>
-    <div class="columns">
-      <h4>Volume</h4>
-      <p data-quoteapi="volume">&nbsp;</p>
-    </div>
-    <div class="columns">
-      <h4>Total Trades</h4>
-      <p data-quoteapi="tradeCount">&nbsp;</p>
-    </div>
-    <div class="columns">
-      <h4>MktCap</h4>
-      <p data-quoteapi="marketCap">&nbsp;</p>
-    </div>
+    <div class="columns">
+      <h4>Buy</h4>
+      <p data-quoteapi="bid">&nbsp;</p>
+    </div>
+    <div class="columns">
+      <h4>Sell</h4>
+      <p data-quoteapi="ask">&nbsp;</p>
+    </div>
+    <div class="columns">
+      <h4>First</h4>
+      <p data-quoteapi="open">&nbsp;</p>
+    </div>
+    <div class="columns">
+      <h4>High</h4>
+      <p data-quoteapi="high">&nbsp;</p>
+    </div>
+    <div class="columns">
+      <h4>Low</h4>
+      <p data-quoteapi="low">&nbsp;</p>
+    </div>
+    <div class="columns">
+      <h4>Last</h4>
+      <p data-quoteapi="close">&nbsp;</p>
+    </div>
+    <div class="columns">
+      <h4>MktPrice</h4>
+      <p data-quoteapi="price">&nbsp;</p>
+    </div>
+    <div class="columns">
+      <h4>Change</h4>
+      <p data-quoteapi="change">&nbsp;</p>
+    </div>
+    <div class="columns">
+      <h4>Percent Change</h4>
+      <p data-quoteapi="pctChange">&nbsp;</p>
+    </div>
+    <div class="columns">
+      <h4>Volume</h4>
+      <p data-quoteapi="volume">&nbsp;</p>
+    </div>
+    <div class="columns">
+      <h4>Total Trades</h4>
+      <p data-quoteapi="tradeCount">&nbsp;</p>
+    </div>
+    <div class="columns">
+      <h4>MktCap</h4>
+      <p data-quoteapi="marketCap">&nbsp;</p>
+    </div>
   </div>
 </div>';
 }
-add_shortcode('sharepriceTable', 'shortcode_spTable');
+add_shortcode( 'sharepriceTable', 'shortcode_spTable' );
 
 function shortcode_spChart() {
-  return '<p class="iguana-terms">Below are share charts depicting the Company\'s performance over different time periods. The trend charts update each morning. Share prices and charts by iguana2. <a href="http://iguana2.com/legal-ir">Terms of use</a><br /> &nbsp;</p>
+    return '<p class="iguana-terms">Below are share charts depicting the Company\'s performance over different time periods. The trend charts update each morning. Share prices and charts by iguana2. <a href="http://iguana2.com/legal-ir">Terms of use</a><br /> &nbsp;</p>
 <div class="centered" data-quoteapi="mainChart">
   <div class="irmau-main-chart" data-quoteapi="plots">&nbsp;</div>
   <div class="irmau-from-to"><span data-quoteapi="displayedRange.from"></span> to <span data-quoteapi="displayedRange.to"></span></div>
   <div>
-    <ul class="chart-buttons">
-      <li data-quoteapi="range=1d">Today</li>
-      <li data-quoteapi="range=1m">1 mnth</li>
-      <li data-quoteapi="range=3m">3 mnths</li>
-      <li data-quoteapi="range=6m">6 mnths</li>
-      <li data-quoteapi="range=ytd">ytd</li>
-      <li data-quoteapi="range=1y">1 yr</li>
-      <li data-quoteapi="range=3y">3 yrs</li>
-      <li data-quoteapi="range=5y">5 yrs</li>
-      <li data-quoteapi="range=10y">10 yrs</li>
-    </ul>
+    <ul class="chart-buttons">
+      <li data-quoteapi="range=1d">Today</li>
+      <li data-quoteapi="range=1m">1 mnth</li>
+      <li data-quoteapi="range=3m">3 mnths</li>
+      <li data-quoteapi="range=6m">6 mnths</li>
+      <li data-quoteapi="range=ytd">ytd</li>
+      <li data-quoteapi="range=1y">1 yr</li>
+      <li data-quoteapi="range=3y">3 yrs</li>
+      <li data-quoteapi="range=5y">5 yrs</li>
+      <li data-quoteapi="range=10y">10 yrs</li>
+    </ul>
   </div>
   <div class="irmau-main-chart irmau-nav-chart" data-quoteapi="navChart1">&nbsp;</div>
   <form data-quoteapi="preventSubmit"><input type="checkbox" data-quoteapi="volume.visible" /> Volume <input type="checkbox" data-quoteapi="announcements.visible" /> Announcements
-    <div class="chart-button"><button data-quoteapi="download">Download CSV</button></div>
+    <div class="chart-button"><button data-quoteapi="download">Download CSV</button></div>
   </form>
 </div>';
 }
-add_shortcode('sharepriceChart', 'shortcode_spChart');
+add_shortcode( 'sharepriceChart', 'shortcode_spChart' );
 
 function shortcode_small_share_price() {
     return '<div class="irmau-small-chart" data-quoteapi="smallChart range=6m"></div>';
 }
-add_shortcode('sharepriceChartSmall', 'shortcode_small_share_price');
-
-
-?>
+add_shortcode( 'sharepriceChartSmall', 'shortcode_small_share_price' );