Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3479046

Timestamp:

03/10/2026 12:15:42 PM (3 weeks ago)

Author:

softaculous

Message:

New version 2.0.9

Location:

pagelayer/trunk

Files:

: 7 edited

init.php (modified) (1 diff)
main/ajax.php (modified) (9 diffs)
main/class.php (modified) (1 diff)
main/functions.php (modified) (2 diffs)
main/shortcode_functions.php (modified) (1 diff)
pagelayer.php (modified) (1 diff)
readme.txt (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

pagelayer/trunk/init.php

r3464204	r3479046
6	6	define('PAGELAYER_BASE', plugin_basename(PAGELAYER_FILE));
7	7	define('PAGELAYER_PREMIUM_BASE', 'pagelayer-pro/pagelayer-pro.php');
8		define('PAGELAYER_VERSION', '2.0.8');
	8	define('PAGELAYER_VERSION', '2.0.9');
9	9	define('PAGELAYER_DIR', dirname(PAGELAYER_FILE));
10	10	define('PAGELAYER_SLUG', 'pagelayer');

pagelayer/trunk/main/ajax.php

-                      r3464204
+                      r3479046
     if(isset($_REQUEST['pagelayer_section_id'])){
         $get_url = PAGELAYER_API.'/library.php?give_id='.$_REQUEST['pagelayer_section_id'].(!empty($pagelayer->license['license']) ? '&license='.$pagelayer->license['license'] : '').'&url='.rawurlencode(site_url());
+        $get_url = PAGELAYER_API.'/library.php?give_id='.sanitize_text_field($_REQUEST['pagelayer_section_id']).(!empty($pagelayer->license['license']) ? '&license='.$pagelayer->license['license'] : '').'&url='.rawurlencode(site_url());
         // For SitePad users
 …
     if(isset($_REQUEST['pagelayer_section_id'])){
         $get_url = PAGELAYER_API.'/library.php?give_id='.$_REQUEST['pagelayer_section_id'].(!empty($pagelayer->license['license']) ? '&license='.$pagelayer->license['license'] : '').'&url='.rawurlencode(site_url());
+        $get_url = PAGELAYER_API.'/library.php?give_id='.sanitize_text_field($_REQUEST['pagelayer_section_id']).(!empty($pagelayer->license['license']) ? '&license='.$pagelayer->license['license'] : '').'&url='.rawurlencode(site_url());
         // For SitePad users
 …
     // Some AJAX security
     check_ajax_referer('pagelayer_ajax', 'pagelayer_nonce');
+    // TODO : Allowed
+    echo pagelayer_widget_posts($_POST);
+    // This ajax call is only used during post/page editing
+    if(!current_user_can('edit_posts')){
+        echo __pl('no_permission');
+        wp_die();
+    }
+    $sanitized_post = pagelayer_sanitize_posts_data($_POST);
+    echo pagelayer_widget_posts($sanitized_post);
     wp_die();
 …
     check_ajax_referer('pagelayer_ajax', 'pagelayer_nonce');
+    // This ajax call is only used during post/page editing
+    if(!current_user_can('edit_posts')){
+        echo __pl('no_permission');
+        wp_die();
+    }
     // Load shortcodes
     pagelayer_load_shortcodes();
+    // TODO : Allowed
+    echo pagelayer_posts($_POST);
+    $sanitized_post = pagelayer_sanitize_posts_data($_POST, false);
+    echo pagelayer_posts($sanitized_post);
     wp_die();
+}
 …
     $sc = '[pl_archive_posts '.$string.'][/pl_archive_posts]';
-    // TODO : Allowed
     echo pagelayer_the_content($sc);
     wp_die();
 …
+            }
             $body .= $k."\t : \t $".$k."\n";
+            $body .= sanitize_text_field($k)."\t : \t $".$k."\n";
+        }
 …
         // If After logout URL, then save
         if(!empty($_REQUEST['logout_url'])){
             update_user_option($user->ID, 'pagelayer_logout_url', $_REQUEST['logout_url']);
+            update_user_option($user->ID, 'pagelayer_logout_url', sanitize_url($_REQUEST['logout_url']));
+        }
 …
     check_ajax_referer('pagelayer_ajax', 'pagelayer_nonce');
+    if(!current_user_can('edit_posts')){
+        echo __pl('no_permission');
+        wp_die();
+    }
     $args = array(
         'post_type' => $_POST['type'],
         'orderby' => $_POST['post_order'],
         'order' => $_POST['order'],
         'hierarchical' => (empty($_POST['hier']) || $_POST['hier'] == null ? '' : $_POST['hier']),
         'number' => (empty($_POST['depth']) || $_POST['depth'] == null ? '' : $_POST['depth']),
+        'post_type' => sanitize_text_field($_POST['type']),
+        'orderby' => sanitize_text_field($_POST['post_order']),
+        'order' => sanitize_text_field($_POST['order']),
+        'hierarchical' => (empty($_POST['hier']) || $_POST['hier'] == null ? '' : sanitize_text_field($_POST['hier'])),
+        'number' => (empty($_POST['depth']) || $_POST['depth'] == null ? '' : sanitize_text_field($_POST['depth'])),
         'posts_per_page' => -1,
     );
 …
     // Some AJAX security
     check_ajax_referer('pagelayer_ajax', 'pagelayer_nonce');
+    if(!current_user_can('edit_posts')){
+        echo __pl('no_permission');
+        wp_die();
+    }
     $args = array(

pagelayer/trunk/main/class.php

r3384061	r3479046
43	43	var $template_header;
44	44	var $template_post;
	45	var $template_editor;
45	46	var $template_footer;
46	47	var $template_popup_ids;

pagelayer/trunk/main/functions.php

-                      r3464204
+                      r3479046
     // These events not start with on
     $not_allowed = array('click', 'dblclick', 'mousedown', 'mousemove', 'mouseout', 'mouseover', 'mouseup', 'load', 'unload', 'change', 'submit', 'reset', 'select', 'blur', 'focus', 'keydown', 'keypress', 'keyup', 'afterprint', 'beforeprint', 'beforeunload', 'error', 'hashchange', 'message', 'offline', 'online', 'pagehide', 'pageshow', 'popstate', 'resize', 'storage', 'contextmenu', 'input', 'invalid', 'search', 'mousewheel', 'wheel', 'drag', 'dragend', 'dragenter', 'dragleave', 'dragover', 'dragstart', 'drop', 'scroll', 'copy', 'cut', 'paste', 'abort', 'canplay', 'canplaythrough', 'cuechange', 'durationchange', 'emptied', 'ended', 'loadeddata', 'loadedmetadata', 'loadstart', 'pause', 'play', 'playing', 'progress', 'ratechange', 'seeked', 'seeking', 'stalled', 'suspend', 'timeupdate', 'volumechange', 'waiting', 'toggle', 'animationstart', 'animationcancel', 'animationend', 'animationiteration', 'auxclick', 'beforeinput', 'beforematch', 'beforexrselect', 'compositionend', 'compositionstart', 'compositionupdate', 'contentvisibilityautostatechange', 'focusout', 'focusin', 'fullscreenchange', 'fullscreenerror', 'gotpointercapture', 'lostpointercapture', 'mouseenter', 'mouseleave', 'pointercancel', 'pointerdown', 'pointerenter', 'pointerleave', 'pointermove', 'pointerout', 'pointerover', 'pointerrawupdate', 'pointerup', 'scrollend', 'securitypolicyviolation', 'touchcancel', 'touchend', 'touchmove', 'touchstart', 'transitioncancel', 'transitionend', 'transitionrun', 'transitionstart', 'MozMousePixelScroll', 'DOMActivate', 'afterscriptexecute', 'beforescriptexecute', 'DOMMouseScroll', 'willreveal', 'gesturechange', 'gestureend', 'gesturestart', 'mouseforcechanged', 'mouseforcedown', 'mouseforceup', 'mouseforceup', 'beforetoggle');
+    $not_allowed = array('click', 'dblclick', 'mousedown', 'mousemove', 'mouseout', 'mouseover', 'mouseup', 'load', 'unload', 'change', 'submit', 'reset', 'select', 'blur', 'focus', 'keydown', 'keypress', 'keyup', 'afterprint', 'beforeprint', 'beforeunload', 'error', 'hashchange', 'message', 'offline', 'online', 'pagehide', 'pageshow', 'popstate', 'resize', 'storage', 'contextmenu', 'input', 'invalid', 'search', 'mousewheel', 'wheel', 'drag', 'dragend', 'dragenter', 'dragleave', 'dragover', 'dragstart', 'drop', 'scroll', 'copy', 'cut', 'paste', 'abort', 'canplay', 'canplaythrough', 'cuechange', 'durationchange', 'emptied', 'ended', 'loadeddata', 'loadedmetadata', 'loadstart', 'pause', 'play', 'playing', 'progress', 'ratechange', 'seeked', 'seeking', 'stalled', 'suspend', 'timeupdate', 'volumechange', 'waiting', 'toggle', 'animationstart', 'animationcancel', 'animationend', 'animationiteration', 'auxclick', 'beforeinput', 'beforematch', 'beforexrselect', 'compositionend', 'compositionstart', 'compositionupdate', 'contentvisibilityautostatechange', 'focusout', 'focusin', 'fullscreenchange', 'fullscreenerror', 'gotpointercapture', 'lostpointercapture', 'mouseenter', 'mouseleave', 'pointercancel', 'pointerdown', 'pointerenter', 'pointerleave', 'pointermove', 'pointerout', 'pointerover', 'pointerrawupdate', 'pointerup', 'scrollend', 'securitypolicyviolation', 'touchcancel', 'touchend', 'touchmove', 'touchstart', 'transitioncancel', 'transitionend', 'transitionrun', 'transitionstart', 'MozMousePixelScroll', 'DOMActivate', 'afterscriptexecute', 'beforescriptexecute', 'DOMMouseScroll', 'willreveal', 'gesturechange', 'gestureend', 'gesturestart', 'mouseforcechanged', 'mouseforcedown', 'mouseforceup', 'mouseforceup', 'beforetoggle', 'selectstart', 'selectionchange');
     $not_allowed = implode('|', $not_allowed);
 …
     return $str;
+}
+// Sanitize posts data for WP_Query
+function pagelayer_sanitize_posts_data($data, $only_allowed = true) {
+    $allowed_keys = [
+        'post_type', 'posts_per_page', 'order', 'orderby', 'paged',
+        'filter_by', 'term', 'exc_term', 'cat', 'category_name',
+        'tag', 'author', 'author_name', 'post__in', 'post__not_in',
+        'include', 'exclude', 'search', 's', 'exact', 'sentence',
+        'post_status', 'post_parent', 'offset',
+        'posts_per_archive_page', 'page', 'ignore_sticky_posts'
+    ];
+    $sanitized = [];
+    foreach($data as $key => $value){
+        if($only_allowed && !in_array($key, $allowed_keys)) {
+            continue;
+        }
+        $sanitized[$key] = pagelayer_sanitize_text_field($value);
+    }
+    // Security: Restrict post_status to prevent information disclosure
+    // Only users who can read private posts or edit others' posts should be able to query non-public statuses
+    if(isset($sanitized['post_status'])){
+        $requested_status = $sanitized['post_status'];
+        // If requesting something other than publish, verify permissions
+        if ($requested_status !== 'publish') {
+            // Check if the user has permission to read private posts or edit others' posts
+            // This prevents contributors from seeing titles of private posts they don't own.
+            if (!current_user_can('read_private_posts') && !current_user_can('edit_others_posts')) {
+                $sanitized['post_status'] = 'publish';
+            }
+        }
+    }else{
+        // Default to publish for safety if not specified
+        $sanitized['post_status'] = 'publish';
+    }
+    if(isset($sanitized['posts_per_page'])){
+        $sanitized['posts_per_page'] = (int) $sanitized['posts_per_page'];
+        if ($sanitized['posts_per_page'] > 100) {
+            $sanitized['posts_per_page'] = 100;
+        }
+    }
+    if(isset($sanitized['paged'])){
+        $sanitized['paged'] = (int) $sanitized['paged'];
+    }
+    if(isset($sanitized['offset'])){
+        $sanitized['offset'] = (int) $sanitized['offset'];
+    }
+    if(isset($sanitized['post__in']) && is_string($sanitized['post__in'])){
+        $sanitized['post__in'] = array_map('intval', explode(',', $sanitized['post__in']));
+    }
+    if(isset($sanitized['post__not_in']) && is_string($sanitized['post__not_in'])){
+        $sanitized['post__not_in'] = array_map('intval', explode(',', $sanitized['post__not_in']));
+    }
+    if(isset($sanitized['post_parent'])){
+        $sanitized['post_parent'] = (int) $sanitized['post_parent'];
+    }
+    if(isset($sanitized['cat'])){
+        $sanitized['cat'] = (int) $sanitized['cat'];
+    }
+    if(isset($sanitized['author'])){
+        $sanitized['author'] = (int) $sanitized['author'];
+    }
+    return $sanitized;
+}

pagelayer/trunk/main/shortcode_functions.php

-                      r3411050
+                      r3479046
+}
+// Anchor Handler
+function pagelayer_sc_anchor(&$el){
+    $el['atts']['title'] = empty($el['atts']['title']) ? '' : esc_attr(sanitize_html_class( $el['atts']['title']));
+}
 function pagelayer_sc_google_maps(&$el){

pagelayer/trunk/pagelayer.php

r3464204	r3479046
4	4	Plugin URI: http://wordpress.org/plugins/pagelayer/
5	5	Description: Pagelayer is a WordPress page builder plugin. Its very easy to use and very light on the browser.
6		Version: 2.0.8
	6	Version: 2.0.9
7	7	Author: Pagelayer Team
8	8	Author URI: https://pagelayer.com/

pagelayer/trunk/readme.txt

-                      r3464204
+                      r3479046
 Tested up to: 6.9
 Requires PHP: 5.5
 Stable tag: 2.0.8
+Stable tag: 2.0.9
 License: LGPL v2.1
 License URI: http://www.gnu.org/licenses/lgpl-2.1.html
 …
 == Changelog ==
+= 2.0.9 (March 09, 2026) =
+* [Bug Fix] Improved XSS security checks.
+* [Bug-Fix] There was some PHP warnings. This is fixed.
 = 2.0.8 (FEB 16, 2026) =

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: