Changeset 3424939

Timestamp:

12/21/2025 09:31:13 PM (2 months ago)

Author:

vistawp

Message:

Update to version 1.4.3 from GitHub

Location:

vistawp

Files:

• tags/1.4.3 (copied) (copied from vistawp/trunk)
• tags/1.4.3/includes/api/get-params.php (modified) (3 diffs)
• tags/1.4.3/includes/functions.php (modified) (1 diff)
• tags/1.4.3/includes/multiple-display.php (modified) (2 diffs)
• tags/1.4.3/includes/options/license-manager.php (modified) (2 diffs)
• tags/1.4.3/readme.txt (modified) (1 diff)
• tags/1.4.3/templates/fields/checkbox.php (modified) (2 diffs)
• tags/1.4.3/templates/fields/number-field.php (modified) (2 diffs)
• tags/1.4.3/templates/fields/select.php (modified) (2 diffs)
• tags/1.4.3/templates/fields/text-field.php (modified) (2 diffs)
• tags/1.4.3/templates/notifications/general.php (modified) (1 diff)
• tags/1.4.3/templates/notifications/welcome.php (modified) (1 diff)
• tags/1.4.3/templates/pages/main_page.php (modified) (2 diffs)
• tags/1.4.3/templates/shortcodes/simple-listings.php (modified) (5 diffs)
• tags/1.4.3/vista.php (modified) (4 diffs)
• trunk/includes/api/get-params.php (modified) (3 diffs)
• trunk/includes/functions.php (modified) (1 diff)
• trunk/includes/multiple-display.php (modified) (2 diffs)
• trunk/includes/options/license-manager.php (modified) (2 diffs)
• trunk/readme.txt (modified) (1 diff)
• trunk/templates/fields/checkbox.php (modified) (2 diffs)
• trunk/templates/fields/number-field.php (modified) (2 diffs)
• trunk/templates/fields/select.php (modified) (2 diffs)
• trunk/templates/fields/text-field.php (modified) (2 diffs)
• trunk/templates/notifications/general.php (modified) (1 diff)
• trunk/templates/notifications/welcome.php (modified) (1 diff)
• trunk/templates/pages/main_page.php (modified) (2 diffs)
• trunk/templates/shortcodes/simple-listings.php (modified) (5 diffs)
• trunk/vista.php (modified) (4 diffs)

vistawp/tags/1.4.3/includes/api/get-params.php

@@ -38 +38 @@
   public final function get_params(): array {
     $params = array();
+    
+    if (!is_array($_GET)) {
+      return $params;
+    }
+
+    if (!isset($this->mappings) || !is_array($this->mappings)) {
+      return $params;
+    }
+    
     // Loop through mappings, retrieve each mapped field
     foreach ($this->mappings as $getName => $paramName) {
+      if (!is_string($getName) || !is_string($paramName)) {
+        continue;
+      }
 
-      // Make sure mapped field has content
-      if (empty($_GET[$getName]))
+      if (!isset($_GET[$getName]) || empty($_GET[$getName])) {
         continue;
+      }
 
+      $raw_value = $_GET[$getName];
+      
       // Maybe split to array
-      if (is_string($_GET[$getName])) {
-        // Sanitize input
-        $field = \sanitize_text_field($_GET[$getName]);
+      if (is_string($raw_value)) {
+        $field = sanitize_text_field(wp_unslash($raw_value));
+
+        if (empty($field)) {
+          continue;
+        }
         
         // Split parameter if necessary
         $param = preg_split("/(%2C\+)|(, )|\+/", $field);
-        if ($param === false)
+
+        if ($param === false || empty($param)) {
           $param = $field;
+        } else {
+          $param = array_map('sanitize_text_field', $param);
+          $param = array_filter($param, function($value) {
+            return !empty($value);
+          });
+
+          if (empty($param)) {
+            $param = $field;
+          }
+        }
+      } else if (is_array($raw_value)) {
+        $param = $this->sanitize_array_deep($raw_value);
+
+        if (empty($param)) {
+          continue;
+        }
       } else {
-        $param = $_GET[$getName];
+        continue;
       }
       
@@ -69 +103 @@
         // We need to add the new values to the array
         } else if (is_array($params[$paramName])) {
-          foreach ($param as $value)
-            $params[$paramName][] = $value;
+          foreach ($param as $value) {
+            // VALIDACIÓN: Solo añadir valores no vacíos
+            if (!empty($value)) {
+              $params[$paramName][] = $value;
+            }
+          }
         }
       } else if (is_string($param)) {
         // We need to combine the old string and the new into an array
-        if (!isset($params[$paramName]))
+        if (!isset($params[$paramName])) {
           // No previous value, simply set the param
           $params[$paramName] = $param;
-        else if (is_string($params[$paramName]))
+        } else if (is_string($params[$paramName])) {
           $params[$paramName] = array($params[$paramName], $param);
         // We need to add the new value to the old array
-        else if (is_array($params[$paramName]))
+        } else if (is_array($params[$paramName])) {
           $params[$paramName][] = $param;
+        }
       }
     }
@@ -88 +127 @@
   }
 
+  /**
+   * Sanitiza un array de forma recursiva
+   * 
+   * @param array $array Array a sanitizar
+   * @return array Array sanitizado
+   */
+  private function sanitize_array_deep(array $array): array {
+    $sanitized = array();
+    
+    foreach ($array as $key => $value) {
+      $safe_key = sanitize_key($key);
+      
+      if (is_array($value)) {
+        $sanitized[$safe_key] = $this->sanitize_array_deep($value);
+      } else if (is_string($value)) {
+        $sanitized[$safe_key] = sanitize_text_field(wp_unslash($value));
+      } else if (is_numeric($value)) {
+        $sanitized[$safe_key] = $value;
+      }
+    }
+    
+    return $sanitized;
+  }
+
 }

vistawp/tags/1.4.3/includes/functions.php

@@ -102 +102 @@
         $dest = wp_validate_redirect($dest, $fallback_url);
       // Uses JS instead of modifying headers
-      echo("<script>location.href = '{$dest}'</script>");
-    } else { // Headers haven't been sent, can redirect
+      echo '<script>location.href = "' . esc_url($dest) . '"</script>';
+    } else { 
+      // Headers haven't been sent, can redirect
       wp_safe_redirect($dest, $status);
     }

vistawp/tags/1.4.3/includes/multiple-display.php

@@ -121 +121 @@
   public static final function url_querystring($atts, string $content): string {
     // Ensure we have a page shortcode attribute
-    if (!isset($atts['page']))
+    if (!isset($atts['page']) || empty($atts['page'])) {
       return self::NO_PAGE_PARAM;
-    
+    }
+    
+    // Sanitize the page URL
+    $page_url = esc_url_raw($atts['page']);
+    
+    // Verify it's a valid URL after sanitization
+    if (empty($page_url)) {
+      return self::NO_PAGE_PARAM;
+    }
+    
+    // Get and sanitize query string
+    $query_string = '';
+    if (isset($_SERVER['QUERY_STRING']) && !empty($_SERVER['QUERY_STRING'])) {
+      // Sanitize the query string properly
+      $query_string = sanitize_text_field(wp_unslash($_SERVER['QUERY_STRING']));
+      
       // Only allow [A-Za-z0-9 ,&=?%+] chars in validated string
-    $validated = preg_replace("/[^A-Za-z0-9 ,&=?%+]/", '', $_SERVER['QUERY_STRING']);
-    
-    // Construct returned <a> element
-    $query = $validated ? "?" . $validated : "";
-    return "<a href='{$atts['page']}$query'>$content</a>";
+      $query_string = preg_replace('/[^A-Za-z0-9_\-=&?%+]/', '', $query_string);
+    }
+    
+    // Construct query parameter if exists
+    $query = !empty($query_string) ? '?' . $query_string : '';
+    $final_url = esc_url($page_url . $query);
+    
+    // Escape the content for safe HTML output
+    $safe_content = wp_kses_post($content);
+    
+    // Return safely escaped HTML
+    return sprintf(
+      '<a href="%s">%s</a>',
+      $final_url,
+      $safe_content
+    );
   }
 
@@ -148 +174 @@
    */
   public function pagination_button($atts, string $content): string {
-    // Validate attributes
-    if (!is_array($atts) || !($atts['type'] == 'forward' || $atts['type'] == 'backward'))
+    if (!is_array($atts) || !isset($atts['type'])) {
       return self::NO_TYPE_PARAM;
-
-    // Make sure api is called
-    $err = $this->ensure_api();
-    if ($err)
-      return $err;
-
-    // Initialize parameters
-    $disabled = ''; // Whether the button is disabled because we have no more listings in this direction
-    $link = \get_page_link();
-    $listing_count = (int) $this->api_headers['X-Total-Count'][0];
-    $offset = intval($_GET['offset'] ?? 0); // Default offset is 0 as this is the start of the list
-    $limit = intval($_GET['limit'] ?? self::DEFAULT_LIMIT); // No sanitization here or prev line as only intval is used
-    $class = 'vista-listings-paginator ';
-
-    // Assign button params based on type
-    if ($atts['type'] == 'forward') {
-      $class .= "listings-forward";
-      $remainder = $listing_count - ($offset + $limit);
-      if ($remainder <= 0)
-        $disabled = 'disabled'; // Disable if we can't go further
-      $link .= "?offset=" . strval($limit + $offset);
-      if ($remainder < $limit) {
-        $link .= "&limit=$remainder";
-      } else {
-        $link .= "&limit=$limit";
+    }
+    
+    $type = sanitize_key($atts['type']);
+    if ($type !== 'forward' && $type !== 'backward') {
+      return self::NO_TYPE_PARAM;
+    }
+
+    $query_args = array();
+    
+    if (is_array($_GET)) {
+      foreach ($_GET as $param => $value) {
+        $safe_param = sanitize_key($param);
+        
+        if ($safe_param === 'offset' || $safe_param === 'limit') {
+          continue;
+        }
+
+        if (is_array($value)) {
+          $query_args[$safe_param] = array_map(
+            'sanitize_text_field',
+            array_map('wp_unslash', $value)
+          );
+        } else {
+          $query_args[$safe_param] = sanitize_text_field(wp_unslash($value));
+        }
       }
-    } else {
-      $class .= "listings-backward";
-      if ($offset == 0)
-        $disabled = 'disabled'; // Disable if we can't go further
-      $link .= "?offset=" . ($offset - $limit <= 0 ? 0 : $offset - $limit);
-      // Only the last page can have <self::DEFAULT_LIMIT results,
-      // so previous pages always have self::DEFAULT_LIMIT results
-      $link .= "&limit=" . self::DEFAULT_LIMIT;
-    }
-    // Add other parameters
-    foreach ($_GET as $param => $value) {
-      // Sanitize variables
-      $param = \sanitize_text_field($param);
-      $value = \sanitize_text_field($value);
-      if ($param == 'offset' || $param == 'limit') continue; // We've already recaclulated & included offset & limit
-      $link .= "&$param=$value";
-    }
-
-    return "<button class='$class' onclick=\"window.location.href='$link'\" $disabled>$content</button>";
+    }
+    
+    $query_args['offset'] = $new_offset;
+    $query_args['limit'] = $new_limit;
+    
+    $safe_link = add_query_arg($query_args, $base_link);
+
+    return sprintf(
+      '<button class="%s" onclick="window.location.href=\'%s\'" %s>%s</button>',
+      esc_attr($class),
+      esc_url($safe_link),
+      $safe_disabled,
+      wp_kses_post($content)
+    );
   }
 

vistawp/tags/1.4.3/includes/options/license-manager.php

@@ -153 +153 @@
       $this->clear_key();
       // Redirect to the same page after clearing the license key
-      \vista_safe_redirect(\esc_url($_SERVER['REQUEST_URI']));
+      \vista_safe_redirect(add_query_arg(array()));
       exit;
     }
@@ -196 +196 @@
     if ($tier && !array_key_exists($tier, self::TIER_ID)) {
       throw new \InvalidArgumentException(
-        "Invalid tier: " . $tier
+        "Invalid tier: " . esc_html($tier)
       );
     }

vistawp/tags/1.4.3/readme.txt

@@ -4 +4 @@
 Tags: IDX, MLS, idx search, Real Estate Search, IDX plugin, RETS, real-estate  
 Requires at least: 4.7  
-Tested up to: 6.8.3  
-Stable tag: 1.4.2
+Tested up to: 6.8  
+Stable tag: 1.4.3
 Requires PHP: 7.4.1  
 License: GPLv2 or later  

vistawp/tags/1.4.3/templates/fields/checkbox.php

@@ -1 +1 @@
 <?php
+
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Template for a form row containing a group of checkboxes rendered by vista_get_template().
@@ -15 +18 @@
     <div class="vista-field-checkbox">
       <div class="vista-label">
-        <label for="<?= esc_attr($name); ?>"><?= esc_html($title); ?></label>
+        <label for="<?php echo esc_attr($name); ?>"><?php echo esc_html($title); ?></label>
       </div>
       <div class="vista-input">
         <?php foreach ($options as $key => $value) : ?>
-          <label for="<?= esc_attr($prefix . $value); ?>">
-            <input type="checkbox" id="<?= esc_attr($prefix . $value); ?>" name="<?= esc_attr($name); ?>[]" value="<?= esc_attr($value); ?>" <?= (in_array($value, $checked_options)) ? 'checked' : ''; ?> >
-            <?= esc_html($key); ?>
+          <label for="<?php echo esc_attr($prefix . $value); ?>">
+            <input type="checkbox" id="<?php echo esc_attr($prefix . $value); ?>" name="<?php echo esc_attr($name); ?>[]" value="<?php echo esc_attr($value); ?>" <?php echo (in_array($value, $checked_options)) ? 'checked' : ''; ?> >
+            <?php echo esc_html($key); ?>
           </label>
         <?php endforeach; ?>

vistawp/tags/1.4.3/templates/fields/number-field.php

@@ -1 @@
-<?php
+<?php 
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Template for a form row containing a number input field rendered by vista_get_template().
@@ -16 +18 @@
     <div class="vista-field-number">
       <div class="vista-label">
-        <label for="<?= esc_attr($id); ?>"><?= esc_html($label); ?></label>
+        <label for="<?php echo esc_attr($id); ?>"><?php echo esc_html($label); ?></label>
       </div>
       <div class="vista-input">
-        <input type="number" step="1000" min="0" id="<?= esc_attr($id); ?>" name="<?= esc_attr($name); ?>" value="<?= esc_attr($value); ?>" placeholder="<?= esc_attr($placeholder); ?>">
+        <input type="number" step="1000" min="0" id="<?php echo esc_attr($id); ?>" name="<?php echo esc_attr($name); ?>" value="<?php echo esc_attr($value); ?>" placeholder="<?php echo esc_attr($placeholder); ?>">
       </div>
     </div>

vistawp/tags/1.4.3/templates/fields/select.php

@@ -1 @@
-<?php
+<?php 
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Template for a form row containing a select input field rendered by vista_get_template().
@@ -18 +20 @@
     <div class="vista-field-select">
       <div class="vista-label">
-        <label for="<?= esc_attr($id); ?>"><?= esc_html($label); ?></label>
+        <label for="<?php echo esc_attr($id); ?>"><?php echo esc_html($label); ?></label>
       </div>
       <div class="vista-input">
-        <select id="<?= esc_attr($id); ?>" name="<?= esc_attr($name); ?>">
+        <select id="<?php echo esc_attr($id); ?>" name="<?php echo esc_attr($name); ?>">
           <?php foreach ($options as $value) : ?>
-            <option value="<?= esc_attr($value); ?>" <?= '' === $value ? 'disabled' : ''; ?> <?= ($value === $selected) ? 'selected' : ''; ?>>
-                <?= '' === $value ? esc_html($placeholder) : esc_html($value); ?>
+            <option value="<?php echo esc_attr($value); ?>" <?php echo '' === $value ? 'disabled' : ''; ?> <?php echo ($value === $selected) ? 'selected' : ''; ?>>
+                <?php echo '' === $value ? esc_html($placeholder) : esc_html($value); ?>
             </option>
           <?php endforeach; ?>

vistawp/tags/1.4.3/templates/fields/text-field.php

@@ -1 +1 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Template for a form row with a text input field rendered by vista_get_template().
@@ -16 +18 @@
     <div class="vista-field-text">
       <div class="vista-label">
-        <label for="<?= esc_attr($id); ?>"><?= esc_html($label); ?></label>
+        <label for="<?php echo esc_attr($id); ?>"><?php echo esc_html($label); ?></label>
       </div>
       <div class="vista-input">
-        <input type="text" id="<?= esc_attr($id); ?>" name="<?= esc_attr($name); ?>" value="<?= esc_attr($value); ?>" placeholder="<?= esc_attr($placeholder); ?>">
+        <input type="text" id="<?php echo esc_attr($id); ?>" name="<?php echo esc_attr($name); ?>" value="<?php echo esc_attr($value); ?>" placeholder="<?php echo esc_attr($placeholder); ?>">
       </div>
     </div>

vistawp/tags/1.4.3/templates/notifications/general.php

@@ -1 @@
-<div class="notice is-dismissible notice-<?= esc_attr($type); ?>">
+<?php 
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
+?>
+
+<div class="notice is-dismissible notice-<?php echo  esc_attr($type); ?>">
   <div id="vistawp-banner">
-    <img height="50" src="<?= esc_url(\vista_plugin_url('img/vista_banner_icon.svg')); ?>">
-    <p class="vsta-text-<?= esc_attr($type); ?>"> <?= esc_html($text) ?> </p>
+    <img height="50" src="<?php echo  esc_url(\vista_plugin_url('img/vista_banner_icon.svg')); ?>">
+    <p class="vsta-text-<?php echo  esc_attr($type); ?>"> <?php echo  esc_html($text) ?> </p>
   </div>
 </div>

vistawp/tags/1.4.3/templates/notifications/welcome.php

@@ +1 @@
+<?php 
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
+?>
+
 <div id="vistawp-welcome" class="notice is-dismissible">
   <div>
-    <img width="100" src="<?= esc_html(\vista_plugin_url('img/vista_logo.png')); ?>">
+    <img width="100" src="<?php echo  esc_html(\vista_plugin_url('img/vista_logo.png')); ?>">
   </div>
   <div>
     <h3>Thanks for activating VistaWP</h3>
-    <p>Head to the <a href="<?= \get_home_url() . '/wp-admin/admin.php?page=vista_main'; ?>">settings page</a> to get started</p>
+    <p>Head to the <a href="<?php echo  \get_home_url() . '/wp-admin/admin.php?page=vista_main'; ?>">settings page</a> to get started</p>
   </div>
 </div>

vistawp/tags/1.4.3/templates/pages/main_page.php

@@ -1 +1 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Template for the main page of the VistaWP plugin, returned by vista_get_template().
@@ -37 +39 @@
   </p><br />
 
-  <form method="post" action="<?php echo esc_url($_SERVER['REQUEST_URI']); ?>">
+  <form method="post" action="<?php echo esc_url(add_query_arg(array())); ?>">
     <input type="submit" name="generate_pages" value="Generate Vista Pages" class="button-primary vsta-gen-btn">
   </form>

vistawp/tags/1.4.3/templates/shortcodes/simple-listings.php

@@ -1 +1 @@
 <?php
+ 
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Template for the shotcode simple listings, returned by vista_get_template().
@@ -15 +18 @@
 <div class="vista-sl-pagination">
   <div class="vista-sl-results">
-    <label class="vista-sl-<?=$theme?>-results-label">[vista_listings_total] results</label>
+    <label class="vista-sl-<?php echo esc_attr($theme); ?>-results-label">[vista_listings_total] results</label>
   </div>
-  <div class="vista-sl-<?=$theme?>-prev">
+  <div class="vista-sl-<?php echo esc_attr($theme); ?>-prev">
     [vista_listings_paginator type=backward]Prev[/vista_listings_paginator]
   </div>
-  <div class="vista-sl-<?=$theme?>-next">
+  <div class="vista-sl-<?php echo esc_attr($theme); ?>-next">
     [vista_listings_paginator type=forward]Next[/vista_listings_paginator]
   </div>
@@ -28 +31 @@
 <div class="vista-sl-container">
   [vista_listings_list]
-  <div class="vista-sl-card vista-sl-<?=$theme?>-card">
+  <div class="vista-sl-card vista-sl-<?php echo esc_attr($theme); ?>-card">
     <div class="vista-sl-photo">
-      <a href="<?=$dest . '?listing='?>[mlsId]" class="vista-sl-photo-link">
+      <a href="<?php echo esc_url($dest . '?listing='); ?>[mlsId]" class="vista-sl-photo-link">
         [first-photo]
       </a>
     </div>
     
-    <div class="vista-sl-<?=$theme?>-address">
-      <a href="<?=$dest . '?listing='?>[mlsId]" class="vista-sl-address-link">
+    <div class="vista-sl-<?php echo esc_attr($theme); ?>-address">
+      <a href="<?php echo esc_url($dest . '?listing='); ?>[mlsId]" class="vista-sl-address-link">
         <h2>[address]</h2>
       </a>
     </div>
 
-    <div class="vista-sl-<?=$theme?>-price">
+    <div class="vista-sl-<?php echo esc_attr($theme); ?>-price">
       <p>$[listPrice]</p>
     </div>
 
     <div class="vista-sl-info">
-      <div class="vista-sl-<?=$theme?>-beds">
+      <div class="vista-sl-<?php echo esc_attr($theme); ?>-beds">
         <p>[bedrooms]</p><p>Beds</p>
       </div>
-      <div class="vista-sl-<?=$theme?>-baths">
+      <div class="vista-sl-<?php echo esc_attr($theme); ?>-baths">
         <p>[baths]</p><p>Baths</p>
       </div>
-      <div class="vista-sl-<?=$theme?>-sqft">
+      <div class="vista-sl-<?php echo esc_attr($theme); ?>-sqft">
         <p>[sqft]</p><p>Sq. Ft.</p>
       </div>
@@ -58 +61 @@
 
     <div class="vista-sl-agent-info">
-      <div class="vista-sl-<?=$theme?>-listingid">
+      <div class="vista-sl-<?php echo esc_attr($theme); ?>-listingid">
         <p>ID: #[listingId]</p>
       </div>
-      <div class="vista-sl-<?=$theme?>-status">
+      <div class="vista-sl-<?php echo esc_attr($theme); ?>-status">
         <p>Status: [status]</p>
       </div>
     </div>
 
-    <div class="vista-sl-<?=$theme?>-btn">
-      <a href="<?= \get_home_url() . $dest . '?listing='?>[mlsId]" class="vista-sl-<?=$theme?>-link">View Property</a>
+    <div class="vista-sl-<?php echo esc_attr($theme); ?>-btn">
+      <a href="<?php echo esc_url(\get_home_url() . $dest . '?listing='); ?>[mlsId]" class="vista-sl-<?php echo esc_attr($theme); ?>-link">View Property</a>
     </div>
 
@@ -79 +82 @@
 <div class="vista-sl-pagination">
   <div class="vista-sl-results">
-    <label class="vista-sl-<?=$theme?>-results-label">[vista_listings_total] results</label>
+    <label class="vista-sl-<?php echo esc_attr($theme); ?>-results-label">[vista_listings_total] results</label>
   </div>
-  <div class="vista-sl-<?=$theme?>-prev">
+  <div class="vista-sl-<?php echo esc_attr($theme); ?>-prev">
     [vista_listings_paginator type=backward]Prev[/vista_listings_paginator]
   </div>
-  <div class="vista-sl-<?=$theme?>-next">
+  <div class="vista-sl-<?php echo esc_attr($theme); ?>-next">
     [vista_listings_paginator type=forward]Next[/vista_listings_paginator]
   </div>

vistawp/tags/1.4.3/vista.php

@@ -3 +3 @@
 * Plugin Name: VistaWP
 * Description: Retrieves and displays real estate listings
-* Version: 1.4.2
+* Version: 1.4.3
 * Author: VistaWP
 * Author URI: https://vistawp.com/
@@ -15 +15 @@
 
 // general constants
-define( 'VISTA__PLUGIN_VERSION', '1.4.2' );
+define( 'VISTA__PLUGIN_VERSION', '1.4.3' );
 define( 'VISTA__PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
 define( 'VISTA__PLUGIN_URL', plugin_dir_url( __FILE__ ) );
@@ -28 +28 @@
 * @author VistaWP
 * @link https://vistawp.com/
-* @version 1.4.2
+* @version 1.4.3
 */
 class Main {
@@ -388 +388 @@
     <p>
       The VistaWP plugin has encountered a fatal error and self-deactivated. 
-      Error message: <?php echo $GLOBALS['vista_error_message']; ?>
+      Error message: <?php echo esc_html($GLOBALS['vista_error_message']); ?>
     </p>
  </div>

vistawp/trunk/includes/api/get-params.php

@@ -38 +38 @@
   public final function get_params(): array {
     $params = array();
+    
+    if (!is_array($_GET)) {
+      return $params;
+    }
+
+    if (!isset($this->mappings) || !is_array($this->mappings)) {
+      return $params;
+    }
+    
     // Loop through mappings, retrieve each mapped field
     foreach ($this->mappings as $getName => $paramName) {
+      if (!is_string($getName) || !is_string($paramName)) {
+        continue;
+      }
 
-      // Make sure mapped field has content
-      if (empty($_GET[$getName]))
+      if (!isset($_GET[$getName]) || empty($_GET[$getName])) {
         continue;
+      }
 
+      $raw_value = $_GET[$getName];
+      
       // Maybe split to array
-      if (is_string($_GET[$getName])) {
-        // Sanitize input
-        $field = \sanitize_text_field($_GET[$getName]);
+      if (is_string($raw_value)) {
+        $field = sanitize_text_field(wp_unslash($raw_value));
+
+        if (empty($field)) {
+          continue;
+        }
         
         // Split parameter if necessary
         $param = preg_split("/(%2C\+)|(, )|\+/", $field);
-        if ($param === false)
+
+        if ($param === false || empty($param)) {
           $param = $field;
+        } else {
+          $param = array_map('sanitize_text_field', $param);
+          $param = array_filter($param, function($value) {
+            return !empty($value);
+          });
+
+          if (empty($param)) {
+            $param = $field;
+          }
+        }
+      } else if (is_array($raw_value)) {
+        $param = $this->sanitize_array_deep($raw_value);
+
+        if (empty($param)) {
+          continue;
+        }
       } else {
-        $param = $_GET[$getName];
+        continue;
       }
       
@@ -69 +103 @@
         // We need to add the new values to the array
         } else if (is_array($params[$paramName])) {
-          foreach ($param as $value)
-            $params[$paramName][] = $value;
+          foreach ($param as $value) {
+            // VALIDACIÓN: Solo añadir valores no vacíos
+            if (!empty($value)) {
+              $params[$paramName][] = $value;
+            }
+          }
         }
       } else if (is_string($param)) {
         // We need to combine the old string and the new into an array
-        if (!isset($params[$paramName]))
+        if (!isset($params[$paramName])) {
           // No previous value, simply set the param
           $params[$paramName] = $param;
-        else if (is_string($params[$paramName]))
+        } else if (is_string($params[$paramName])) {
           $params[$paramName] = array($params[$paramName], $param);
         // We need to add the new value to the old array
-        else if (is_array($params[$paramName]))
+        } else if (is_array($params[$paramName])) {
           $params[$paramName][] = $param;
+        }
       }
     }
@@ -88 +127 @@
   }
 
+  /**
+   * Sanitiza un array de forma recursiva
+   * 
+   * @param array $array Array a sanitizar
+   * @return array Array sanitizado
+   */
+  private function sanitize_array_deep(array $array): array {
+    $sanitized = array();
+    
+    foreach ($array as $key => $value) {
+      $safe_key = sanitize_key($key);
+      
+      if (is_array($value)) {
+        $sanitized[$safe_key] = $this->sanitize_array_deep($value);
+      } else if (is_string($value)) {
+        $sanitized[$safe_key] = sanitize_text_field(wp_unslash($value));
+      } else if (is_numeric($value)) {
+        $sanitized[$safe_key] = $value;
+      }
+    }
+    
+    return $sanitized;
+  }
+
 }

vistawp/trunk/includes/functions.php

@@ -102 +102 @@
         $dest = wp_validate_redirect($dest, $fallback_url);
       // Uses JS instead of modifying headers
-      echo("<script>location.href = '{$dest}'</script>");
-    } else { // Headers haven't been sent, can redirect
+      echo '<script>location.href = "' . esc_url($dest) . '"</script>';
+    } else { 
+      // Headers haven't been sent, can redirect
       wp_safe_redirect($dest, $status);
     }

vistawp/trunk/includes/multiple-display.php

@@ -121 +121 @@
   public static final function url_querystring($atts, string $content): string {
     // Ensure we have a page shortcode attribute
-    if (!isset($atts['page']))
+    if (!isset($atts['page']) || empty($atts['page'])) {
       return self::NO_PAGE_PARAM;
-    
+    }
+    
+    // Sanitize the page URL
+    $page_url = esc_url_raw($atts['page']);
+    
+    // Verify it's a valid URL after sanitization
+    if (empty($page_url)) {
+      return self::NO_PAGE_PARAM;
+    }
+    
+    // Get and sanitize query string
+    $query_string = '';
+    if (isset($_SERVER['QUERY_STRING']) && !empty($_SERVER['QUERY_STRING'])) {
+      // Sanitize the query string properly
+      $query_string = sanitize_text_field(wp_unslash($_SERVER['QUERY_STRING']));
+      
       // Only allow [A-Za-z0-9 ,&=?%+] chars in validated string
-    $validated = preg_replace("/[^A-Za-z0-9 ,&=?%+]/", '', $_SERVER['QUERY_STRING']);
-    
-    // Construct returned <a> element
-    $query = $validated ? "?" . $validated : "";
-    return "<a href='{$atts['page']}$query'>$content</a>";
+      $query_string = preg_replace('/[^A-Za-z0-9_\-=&?%+]/', '', $query_string);
+    }
+    
+    // Construct query parameter if exists
+    $query = !empty($query_string) ? '?' . $query_string : '';
+    $final_url = esc_url($page_url . $query);
+    
+    // Escape the content for safe HTML output
+    $safe_content = wp_kses_post($content);
+    
+    // Return safely escaped HTML
+    return sprintf(
+      '<a href="%s">%s</a>',
+      $final_url,
+      $safe_content
+    );
   }
 
@@ -148 +174 @@
    */
   public function pagination_button($atts, string $content): string {
-    // Validate attributes
-    if (!is_array($atts) || !($atts['type'] == 'forward' || $atts['type'] == 'backward'))
+    if (!is_array($atts) || !isset($atts['type'])) {
       return self::NO_TYPE_PARAM;
-
-    // Make sure api is called
-    $err = $this->ensure_api();
-    if ($err)
-      return $err;
-
-    // Initialize parameters
-    $disabled = ''; // Whether the button is disabled because we have no more listings in this direction
-    $link = \get_page_link();
-    $listing_count = (int) $this->api_headers['X-Total-Count'][0];
-    $offset = intval($_GET['offset'] ?? 0); // Default offset is 0 as this is the start of the list
-    $limit = intval($_GET['limit'] ?? self::DEFAULT_LIMIT); // No sanitization here or prev line as only intval is used
-    $class = 'vista-listings-paginator ';
-
-    // Assign button params based on type
-    if ($atts['type'] == 'forward') {
-      $class .= "listings-forward";
-      $remainder = $listing_count - ($offset + $limit);
-      if ($remainder <= 0)
-        $disabled = 'disabled'; // Disable if we can't go further
-      $link .= "?offset=" . strval($limit + $offset);
-      if ($remainder < $limit) {
-        $link .= "&limit=$remainder";
-      } else {
-        $link .= "&limit=$limit";
+    }
+    
+    $type = sanitize_key($atts['type']);
+    if ($type !== 'forward' && $type !== 'backward') {
+      return self::NO_TYPE_PARAM;
+    }
+
+    $query_args = array();
+    
+    if (is_array($_GET)) {
+      foreach ($_GET as $param => $value) {
+        $safe_param = sanitize_key($param);
+        
+        if ($safe_param === 'offset' || $safe_param === 'limit') {
+          continue;
+        }
+
+        if (is_array($value)) {
+          $query_args[$safe_param] = array_map(
+            'sanitize_text_field',
+            array_map('wp_unslash', $value)
+          );
+        } else {
+          $query_args[$safe_param] = sanitize_text_field(wp_unslash($value));
+        }
       }
-    } else {
-      $class .= "listings-backward";
-      if ($offset == 0)
-        $disabled = 'disabled'; // Disable if we can't go further
-      $link .= "?offset=" . ($offset - $limit <= 0 ? 0 : $offset - $limit);
-      // Only the last page can have <self::DEFAULT_LIMIT results,
-      // so previous pages always have self::DEFAULT_LIMIT results
-      $link .= "&limit=" . self::DEFAULT_LIMIT;
-    }
-    // Add other parameters
-    foreach ($_GET as $param => $value) {
-      // Sanitize variables
-      $param = \sanitize_text_field($param);
-      $value = \sanitize_text_field($value);
-      if ($param == 'offset' || $param == 'limit') continue; // We've already recaclulated & included offset & limit
-      $link .= "&$param=$value";
-    }
-
-    return "<button class='$class' onclick=\"window.location.href='$link'\" $disabled>$content</button>";
+    }
+    
+    $query_args['offset'] = $new_offset;
+    $query_args['limit'] = $new_limit;
+    
+    $safe_link = add_query_arg($query_args, $base_link);
+
+    return sprintf(
+      '<button class="%s" onclick="window.location.href=\'%s\'" %s>%s</button>',
+      esc_attr($class),
+      esc_url($safe_link),
+      $safe_disabled,
+      wp_kses_post($content)
+    );
   }
 

vistawp/trunk/includes/options/license-manager.php

@@ -153 +153 @@
       $this->clear_key();
       // Redirect to the same page after clearing the license key
-      \vista_safe_redirect(\esc_url($_SERVER['REQUEST_URI']));
+      \vista_safe_redirect(add_query_arg(array()));
       exit;
     }
@@ -196 +196 @@
     if ($tier && !array_key_exists($tier, self::TIER_ID)) {
       throw new \InvalidArgumentException(
-        "Invalid tier: " . $tier
+        "Invalid tier: " . esc_html($tier)
       );
     }

vistawp/trunk/readme.txt

@@ -4 +4 @@
 Tags: IDX, MLS, idx search, Real Estate Search, IDX plugin, RETS, real-estate  
 Requires at least: 4.7  
-Tested up to: 6.8.3  
-Stable tag: 1.4.2
+Tested up to: 6.8  
+Stable tag: 1.4.3
 Requires PHP: 7.4.1  
 License: GPLv2 or later  

vistawp/trunk/templates/fields/checkbox.php

@@ -1 +1 @@
 <?php
+
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Template for a form row containing a group of checkboxes rendered by vista_get_template().
@@ -15 +18 @@
     <div class="vista-field-checkbox">
       <div class="vista-label">
-        <label for="<?= esc_attr($name); ?>"><?= esc_html($title); ?></label>
+        <label for="<?php echo esc_attr($name); ?>"><?php echo esc_html($title); ?></label>
       </div>
       <div class="vista-input">
         <?php foreach ($options as $key => $value) : ?>
-          <label for="<?= esc_attr($prefix . $value); ?>">
-            <input type="checkbox" id="<?= esc_attr($prefix . $value); ?>" name="<?= esc_attr($name); ?>[]" value="<?= esc_attr($value); ?>" <?= (in_array($value, $checked_options)) ? 'checked' : ''; ?> >
-            <?= esc_html($key); ?>
+          <label for="<?php echo esc_attr($prefix . $value); ?>">
+            <input type="checkbox" id="<?php echo esc_attr($prefix . $value); ?>" name="<?php echo esc_attr($name); ?>[]" value="<?php echo esc_attr($value); ?>" <?php echo (in_array($value, $checked_options)) ? 'checked' : ''; ?> >
+            <?php echo esc_html($key); ?>
           </label>
         <?php endforeach; ?>

vistawp/trunk/templates/fields/number-field.php

@@ -1 @@
-<?php
+<?php 
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Template for a form row containing a number input field rendered by vista_get_template().
@@ -16 +18 @@
     <div class="vista-field-number">
       <div class="vista-label">
-        <label for="<?= esc_attr($id); ?>"><?= esc_html($label); ?></label>
+        <label for="<?php echo esc_attr($id); ?>"><?php echo esc_html($label); ?></label>
       </div>
       <div class="vista-input">
-        <input type="number" step="1000" min="0" id="<?= esc_attr($id); ?>" name="<?= esc_attr($name); ?>" value="<?= esc_attr($value); ?>" placeholder="<?= esc_attr($placeholder); ?>">
+        <input type="number" step="1000" min="0" id="<?php echo esc_attr($id); ?>" name="<?php echo esc_attr($name); ?>" value="<?php echo esc_attr($value); ?>" placeholder="<?php echo esc_attr($placeholder); ?>">
       </div>
     </div>

vistawp/trunk/templates/fields/select.php

@@ -1 @@
-<?php
+<?php 
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Template for a form row containing a select input field rendered by vista_get_template().
@@ -18 +20 @@
     <div class="vista-field-select">
       <div class="vista-label">
-        <label for="<?= esc_attr($id); ?>"><?= esc_html($label); ?></label>
+        <label for="<?php echo esc_attr($id); ?>"><?php echo esc_html($label); ?></label>
       </div>
       <div class="vista-input">
-        <select id="<?= esc_attr($id); ?>" name="<?= esc_attr($name); ?>">
+        <select id="<?php echo esc_attr($id); ?>" name="<?php echo esc_attr($name); ?>">
           <?php foreach ($options as $value) : ?>
-            <option value="<?= esc_attr($value); ?>" <?= '' === $value ? 'disabled' : ''; ?> <?= ($value === $selected) ? 'selected' : ''; ?>>
-                <?= '' === $value ? esc_html($placeholder) : esc_html($value); ?>
+            <option value="<?php echo esc_attr($value); ?>" <?php echo '' === $value ? 'disabled' : ''; ?> <?php echo ($value === $selected) ? 'selected' : ''; ?>>
+                <?php echo '' === $value ? esc_html($placeholder) : esc_html($value); ?>
             </option>
           <?php endforeach; ?>

vistawp/trunk/templates/fields/text-field.php

@@ -1 +1 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Template for a form row with a text input field rendered by vista_get_template().
@@ -16 +18 @@
     <div class="vista-field-text">
       <div class="vista-label">
-        <label for="<?= esc_attr($id); ?>"><?= esc_html($label); ?></label>
+        <label for="<?php echo esc_attr($id); ?>"><?php echo esc_html($label); ?></label>
       </div>
       <div class="vista-input">
-        <input type="text" id="<?= esc_attr($id); ?>" name="<?= esc_attr($name); ?>" value="<?= esc_attr($value); ?>" placeholder="<?= esc_attr($placeholder); ?>">
+        <input type="text" id="<?php echo esc_attr($id); ?>" name="<?php echo esc_attr($name); ?>" value="<?php echo esc_attr($value); ?>" placeholder="<?php echo esc_attr($placeholder); ?>">
       </div>
     </div>

vistawp/trunk/templates/notifications/general.php

@@ -1 @@
-<div class="notice is-dismissible notice-<?= esc_attr($type); ?>">
+<?php 
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
+?>
+
+<div class="notice is-dismissible notice-<?php echo  esc_attr($type); ?>">
   <div id="vistawp-banner">
-    <img height="50" src="<?= esc_url(\vista_plugin_url('img/vista_banner_icon.svg')); ?>">
-    <p class="vsta-text-<?= esc_attr($type); ?>"> <?= esc_html($text) ?> </p>
+    <img height="50" src="<?php echo  esc_url(\vista_plugin_url('img/vista_banner_icon.svg')); ?>">
+    <p class="vsta-text-<?php echo  esc_attr($type); ?>"> <?php echo  esc_html($text) ?> </p>
   </div>
 </div>

vistawp/trunk/templates/notifications/welcome.php

@@ +1 @@
+<?php 
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
+?>
+
 <div id="vistawp-welcome" class="notice is-dismissible">
   <div>
-    <img width="100" src="<?= esc_html(\vista_plugin_url('img/vista_logo.png')); ?>">
+    <img width="100" src="<?php echo  esc_html(\vista_plugin_url('img/vista_logo.png')); ?>">
   </div>
   <div>
     <h3>Thanks for activating VistaWP</h3>
-    <p>Head to the <a href="<?= \get_home_url() . '/wp-admin/admin.php?page=vista_main'; ?>">settings page</a> to get started</p>
+    <p>Head to the <a href="<?php echo  \get_home_url() . '/wp-admin/admin.php?page=vista_main'; ?>">settings page</a> to get started</p>
   </div>
 </div>

vistawp/trunk/templates/pages/main_page.php

@@ -1 +1 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Template for the main page of the VistaWP plugin, returned by vista_get_template().
@@ -37 +39 @@
   </p><br />
 
-  <form method="post" action="<?php echo esc_url($_SERVER['REQUEST_URI']); ?>">
+  <form method="post" action="<?php echo esc_url(add_query_arg(array())); ?>">
     <input type="submit" name="generate_pages" value="Generate Vista Pages" class="button-primary vsta-gen-btn">
   </form>

vistawp/trunk/templates/shortcodes/simple-listings.php

@@ -1 +1 @@
 <?php
+ 
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+
 /**
  * Template for the shotcode simple listings, returned by vista_get_template().
@@ -15 +18 @@
 <div class="vista-sl-pagination">
   <div class="vista-sl-results">
-    <label class="vista-sl-<?=$theme?>-results-label">[vista_listings_total] results</label>
+    <label class="vista-sl-<?php echo esc_attr($theme); ?>-results-label">[vista_listings_total] results</label>
   </div>
-  <div class="vista-sl-<?=$theme?>-prev">
+  <div class="vista-sl-<?php echo esc_attr($theme); ?>-prev">
     [vista_listings_paginator type=backward]Prev[/vista_listings_paginator]
   </div>
-  <div class="vista-sl-<?=$theme?>-next">
+  <div class="vista-sl-<?php echo esc_attr($theme); ?>-next">
     [vista_listings_paginator type=forward]Next[/vista_listings_paginator]
   </div>
@@ -28 +31 @@
 <div class="vista-sl-container">
   [vista_listings_list]
-  <div class="vista-sl-card vista-sl-<?=$theme?>-card">
+  <div class="vista-sl-card vista-sl-<?php echo esc_attr($theme); ?>-card">
     <div class="vista-sl-photo">
-      <a href="<?=$dest . '?listing='?>[mlsId]" class="vista-sl-photo-link">
+      <a href="<?php echo esc_url($dest . '?listing='); ?>[mlsId]" class="vista-sl-photo-link">
         [first-photo]
       </a>
     </div>
     
-    <div class="vista-sl-<?=$theme?>-address">
-      <a href="<?=$dest . '?listing='?>[mlsId]" class="vista-sl-address-link">
+    <div class="vista-sl-<?php echo esc_attr($theme); ?>-address">
+      <a href="<?php echo esc_url($dest . '?listing='); ?>[mlsId]" class="vista-sl-address-link">
         <h2>[address]</h2>
       </a>
     </div>
 
-    <div class="vista-sl-<?=$theme?>-price">
+    <div class="vista-sl-<?php echo esc_attr($theme); ?>-price">
       <p>$[listPrice]</p>
     </div>
 
     <div class="vista-sl-info">
-      <div class="vista-sl-<?=$theme?>-beds">
+      <div class="vista-sl-<?php echo esc_attr($theme); ?>-beds">
         <p>[bedrooms]</p><p>Beds</p>
       </div>
-      <div class="vista-sl-<?=$theme?>-baths">
+      <div class="vista-sl-<?php echo esc_attr($theme); ?>-baths">
         <p>[baths]</p><p>Baths</p>
       </div>
-      <div class="vista-sl-<?=$theme?>-sqft">
+      <div class="vista-sl-<?php echo esc_attr($theme); ?>-sqft">
         <p>[sqft]</p><p>Sq. Ft.</p>
       </div>
@@ -58 +61 @@
 
     <div class="vista-sl-agent-info">
-      <div class="vista-sl-<?=$theme?>-listingid">
+      <div class="vista-sl-<?php echo esc_attr($theme); ?>-listingid">
         <p>ID: #[listingId]</p>
       </div>
-      <div class="vista-sl-<?=$theme?>-status">
+      <div class="vista-sl-<?php echo esc_attr($theme); ?>-status">
         <p>Status: [status]</p>
       </div>
     </div>
 
-    <div class="vista-sl-<?=$theme?>-btn">
-      <a href="<?= \get_home_url() . $dest . '?listing='?>[mlsId]" class="vista-sl-<?=$theme?>-link">View Property</a>
+    <div class="vista-sl-<?php echo esc_attr($theme); ?>-btn">
+      <a href="<?php echo esc_url(\get_home_url() . $dest . '?listing='); ?>[mlsId]" class="vista-sl-<?php echo esc_attr($theme); ?>-link">View Property</a>
     </div>
 
@@ -79 +82 @@
 <div class="vista-sl-pagination">
   <div class="vista-sl-results">
-    <label class="vista-sl-<?=$theme?>-results-label">[vista_listings_total] results</label>
+    <label class="vista-sl-<?php echo esc_attr($theme); ?>-results-label">[vista_listings_total] results</label>
   </div>
-  <div class="vista-sl-<?=$theme?>-prev">
+  <div class="vista-sl-<?php echo esc_attr($theme); ?>-prev">
     [vista_listings_paginator type=backward]Prev[/vista_listings_paginator]
   </div>
-  <div class="vista-sl-<?=$theme?>-next">
+  <div class="vista-sl-<?php echo esc_attr($theme); ?>-next">
     [vista_listings_paginator type=forward]Next[/vista_listings_paginator]
   </div>

vistawp/trunk/vista.php

@@ -3 +3 @@
 * Plugin Name: VistaWP
 * Description: Retrieves and displays real estate listings
-* Version: 1.4.2
+* Version: 1.4.3
 * Author: VistaWP
 * Author URI: https://vistawp.com/
@@ -15 +15 @@
 
 // general constants
-define( 'VISTA__PLUGIN_VERSION', '1.4.2' );
+define( 'VISTA__PLUGIN_VERSION', '1.4.3' );
 define( 'VISTA__PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
 define( 'VISTA__PLUGIN_URL', plugin_dir_url( __FILE__ ) );
@@ -28 +28 @@
 * @author VistaWP
 * @link https://vistawp.com/
-* @version 1.4.2
+* @version 1.4.3
 */
 class Main {
@@ -388 +388 @@
     <p>
       The VistaWP plugin has encountered a fatal error and self-deactivated. 
-      Error message: <?php echo $GLOBALS['vista_error_message']; ?>
+      Error message: <?php echo esc_html($GLOBALS['vista_error_message']); ?>
     </p>
  </div>