Changeset 2961271

Timestamp:

08/31/2023 03:41:03 PM (2 years ago)

Author:

coderevolution

Message:

Fixed reported XSS issues

Location:

wp-pocket-urls

Files:

• tags/1.0.2 (added)
• tags/1.0.2/README.txt (added)
• tags/1.0.2/assets (added)
• tags/1.0.2/assets/css (added)
• tags/1.0.2/assets/css/wp-pocketurl.css (added)
• tags/1.0.2/assets/js (added)
• tags/1.0.2/assets/js/copy.js (added)
• tags/1.0.2/assets/js/wp-pocketurl.js (added)
• tags/1.0.2/assets/views (added)
• tags/1.0.2/assets/views/clicks_details.php (added)
• tags/1.0.2/assets/views/link-options.php (added)
• tags/1.0.2/assets/views/other.php (added)
• tags/1.0.2/assets/views/reports.php (added)
• tags/1.0.2/assets/views/settings.php (added)
• tags/1.0.2/assets/views/single-wp_pocketurl_link.php (added)
• tags/1.0.2/classes (added)
• tags/1.0.2/classes/class-add-tax.php (added)
• tags/1.0.2/classes/class-wp-pocketurl-admin.php (added)
• tags/1.0.2/classes/class-wp-pocketurl-clicks.php (added)
• tags/1.0.2/classes/class-wp-pocketurl-reports.php (added)
• tags/1.0.2/classes/class-wp-pocketurl.php (added)
• tags/1.0.2/languages (added)
• tags/1.0.2/languages/wp-pocketurl.pot (added)
• tags/1.0.2/res (added)
• tags/1.0.2/res/diacritics.php (added)
• tags/1.0.2/uninstall.php (added)
• tags/1.0.2/wp-pocketurl.php (added)
• trunk/README.txt (modified) (2 diffs)
• trunk/assets/views/reports.php (modified) (1 diff)
• trunk/classes/class-wp-pocketurl-admin.php (modified) (2 diffs)
• trunk/classes/class-wp-pocketurl-reports.php (modified) (5 diffs)
• trunk/wp-pocketurl.php (modified) (7 diffs)

wp-pocket-urls/trunk/README.txt

@@ -4 +4 @@
 Tags: : affiliate link, link shortener, short link, short url, hide affiliate link, link cloak, cloak links, affiliate links, pretty link, redirect link, forward link, shorturl, hoplink, shortlink, tinyurl, url shrinking, 301 redirect, 307 redirect, 302 redirect, affiliate link management, affiliate link manager, affiliate link redirect, affiliate links, link cloak, link cloaking, link redirect, manage affiliate links, click counting, visitor information, link masking, link cloacking, link cloacker, url cloacker
 Requires at least: 4.0.0
-Tested up to: 6.1
+Tested up to: 6.2
 Stable tag: trunk
 Requires PHP: 5.2.4
@@ -96 +96 @@
 = 1.0.0 =
 Initial release.
-= 1.0.1 =
-Fixed reported bugs.

wp-pocket-urls/trunk/assets/views/reports.php

@@ -114 +114 @@
     <!--end gchart-->
     <div class="total-clicks">
-      <h4><?php echo esc_html__('Total:', 'wp_pocketurl');?> <?php echo $total_clicks; ?> <?php echo esc_html__('clicks', 'wp_pocketurl');?></h4>
+      <h4><?php echo esc_html__('Total:', 'wp_pocketurl');?> <?php echo esc_html($total_clicks); ?> <?php echo esc_html__('clicks', 'wp_pocketurl');?></h4>
     </div>
     <div id="chart_container" style="width:800px;"></div>

wp-pocket-urls/trunk/classes/class-wp-pocketurl-admin.php

@@ -213 +213 @@
     // change wp pocketurl link post slug if the option changed
     public function wp_pocketurl_link_slug_change($new_value,$old_value ){
-        if($new_value !== $old_value ){
+        if($new_value !== $old_value )
+        {
+            $registered = FALSE;
             //check if the old value is empty
             if(empty($old_value)) $old_value = 'go';
@@ -222 +224 @@
                 // that replaces 'go' with 'option value' and give it a higher
                 // priority than the existing rule.
-                foreach($current_rules as $key => $val) {
-                    if(strpos($key, $old_value ) !== false) {
-                        add_rewrite_rule(str_ireplace($old_value, $new_value, $key), $val, 'top');
+                if(is_array($current_rules))
+                {
+                    foreach($current_rules as $key => $val) {
+                        if(strpos($key, $old_value ) !== false) {
+                            $registered = TRUE;
+                            add_rewrite_rule(str_ireplace($old_value, $new_value, $key), $val, 'top');
+                        }
                     }
                 }
             }
-            flush_rewrite_rules();
+            if($registered)
+            {
+                flush_rewrite_rules();
+            }
         }
         return $new_value;

wp-pocket-urls/trunk/classes/class-wp-pocketurl-reports.php

@@ -20 +20 @@
     foreach ($links as $key => $link) {
       $lselected = ($clink == $link->ID) ? 'selected' :'';
-      $output[] ="<option value='{$link->ID}' {$lselected}>{$link->post_title}</option>";
+      $output[] ="<option value='" . esc_attr($link->ID) . "' " . esc_attr($lselected) . ">" . esc_attr($link->post_title) . "</option>";
     }
     $output[]='</select></label>';
@@ -30 +30 @@
     foreach ($months as $key => $month) {
       $mselected = ($cmonth == $month) ? 'selected' :'';
-      $output[] = '<option value="'.$month.'" '.$mselected.'>'.$month.'</option>';
+      $output[] = '<option value="'.esc_attr($month).'" '.esc_attr($mselected).'>'.esc_attr($month).'</option>';
     }
     $output[]='</select></label>';
@@ -41 +41 @@
     foreach ($terms as $key => $term) {
       $cselected = ($cat == $term->term_id) ? 'selected' :'';
-      $output[] = '<option value="'.$term->term_id.'" '.$cselected.'>'.$term->name.'</option>';
+      $output[] = '<option value="'.esc_attr($term->term_id).'" '.esc_attr($cselected).'>'.esc_attr($term->name).'</option>';
     }
     $output[]='</select></label>';
@@ -52 +52 @@
     foreach ($countries as $key => $country) {
       $coselected = ($ccountry == $country->code) ? 'selected' :'';
-      $output[] = '<option value="'.$country->code.'" '.$coselected.'>'.$country->name.'</option>';
+      $output[] = '<option value="'.esc_attr($country->code).'" '.esc_attr($coselected).'>'.esc_attr($country->name).'</option>';
     }
     $output[]='</select></label>';
     $output[]='<input type="submit" class="button button-primary" value="'.__('Update').'" />';
     
-    echo implode($output);
+    echo implode('',$output);
   }
   /*
@@ -151 +151 @@
   * get clicks count grouped by date
   */
-  public function wp_pocketurl_get_clicks_report($cmonth=null, $cat=null, $country=null,$link ){
+  public function wp_pocketurl_get_clicks_report($cmonth=null, $cat=null, $country=null,$link=null ){
     global $wpdb;$and=0;
     $sql = "SELECT count(1) as clicks, DATE(click_date) as date  FROM {$wpdb->wp_pocketurl_clicks_table}";

wp-pocket-urls/trunk/wp-pocketurl.php

@@ -4 +4 @@
 Plugin URI: https://www.coderevolution.ro/wp-pocketurl
 Description: WP Pocket URLs gives you the ability to shorten your affiliate links and keep track of clicks for each link.
-Version: 1.0.1
+Version: 1.0.2
 Author: CodeRevolution
 Author URI: https://www.coderevolution.ro
@@ -78 +78 @@
 function wp_poketurl_isExternal($href, $base)
 {
+    if(empty($href) || empty($base))
+    {
+        return 1;
+    }
     $components = parse_url($href); 
     $comp_base = parse_url($base);
     if(!isset($components['host']) || !isset($comp_base['host']))
     {
+        if(stristr($href, $base) !== false)
+        {
+            return 0;
+        }
         return 1;
     }
@@ -151 +159 @@
         ini_set('max_execution_time', $timeout);
         ini_set('ignore_user_abort', 1);
-        ignore_user_abort(true);
-        set_time_limit($timeout);
+        if(function_exists('ignore_user_abort'))
+{
+    ignore_user_abort(true);
+}
+        if(function_exists('set_time_limit'))
+{
+    set_time_limit($timeout);
+}
         
         $content = $post->post_content;
@@ -200 +214 @@
                 $url_str = str_replace(array('/', '-', '_', ':'), ' ', $url_str);
                 $keyword_class = new WP_poketurl_keywords();
-                if ( ! function_exists( 'get_page_by_title' ) ) 
-                {
-                    include_once( ABSPATH . 'wp-includes/post.php' );
-                }
                 $query_words = $keyword_class->keywords($url_str, 1);
                 $feed_id = sanitize_title($query_words);
-                if (get_page_by_title($feed_id, OBJECT, 'wp_pocketurl_link') !== NULL)
+                if (wp_pocketurl_get_page_by_title(html_entity_decode($feed_id), OBJECT, 'wp_pocketurl_link') !== NULL)
                 {
                     $query_words = $keyword_class->keywords($url_str, 2);
                     $feed_id = sanitize_title($query_words);
-                    if (get_page_by_title($feed_id, OBJECT, 'wp_pocketurl_link') !== NULL)
+                    if (wp_pocketurl_get_page_by_title(html_entity_decode($feed_id), OBJECT, 'wp_pocketurl_link') !== NULL)
                     {
                         $query_words = $keyword_class->keywords($url_str, 3);
                         $feed_id = sanitize_title($query_words);
-                        if (get_page_by_title($feed_id, OBJECT, 'wp_pocketurl_link') !== NULL)
+                        if (wp_pocketurl_get_page_by_title(html_entity_decode($feed_id), OBJECT, 'wp_pocketurl_link') !== NULL)
                         {
                             $query_words = $keyword_class->keywords($url_str, 4);
                             $feed_id = sanitize_title($query_words);
-                            if (get_page_by_title($feed_id, OBJECT, 'wp_pocketurl_link') !== NULL)
+                            if (wp_pocketurl_get_page_by_title(html_entity_decode($feed_id), OBJECT, 'wp_pocketurl_link') !== NULL)
                             {
                                 $query_words = $keyword_class->keywords($url_str, 5);
                                 $feed_id = sanitize_title($query_words);
-                                if (get_page_by_title($feed_id, OBJECT, 'wp_pocketurl_link') !== NULL)
+                                if (wp_pocketurl_get_page_by_title(html_entity_decode($feed_id), OBJECT, 'wp_pocketurl_link') !== NULL)
                                 {
                                     $query_words = $keyword_class->keywords($url_str, 6);
                                     $feed_id = sanitize_title($query_words);
-                                    if (get_page_by_title($feed_id, OBJECT, 'wp_pocketurl_link') !== NULL)
+                                    if (wp_pocketurl_get_page_by_title(html_entity_decode($feed_id), OBJECT, 'wp_pocketurl_link') !== NULL)
                                     {
                                         $query_words = $keyword_class->keywords($url_str, 7);
                                         $feed_id = sanitize_title($query_words);
-                                        if (get_page_by_title($feed_id, OBJECT, 'wp_pocketurl_link') !== NULL)
+                                        if (wp_pocketurl_get_page_by_title(html_entity_decode($feed_id), OBJECT, 'wp_pocketurl_link') !== NULL)
                                         {
                                             $query_words = $keyword_class->keywords($url_str, 8);
                                             $feed_id = sanitize_title($query_words);
-                                            if (get_page_by_title($feed_id, OBJECT, 'wp_pocketurl_link') !== NULL)
+                                            if (wp_pocketurl_get_page_by_title(html_entity_decode($feed_id), OBJECT, 'wp_pocketurl_link') !== NULL)
                                             {
                                                 $feed_id .= '-' . uniqid();
@@ -250 +260 @@
                 $post_id = wp_insert_post($my_post, true);
                 if (!is_wp_error($post_id)) {
-                    $cusOption = '0';
-                    $linkRedirection = get_option('wp_pocketurl_link_redirection', '301');
-                    update_post_meta($post_id,'wp_pocketurl_link', $href);
-                    update_post_meta($post_id,'wp_pocketurl_link_custom_options', $cusOption);
-                    update_post_meta($post_id,'wp_pocketurl_link_redirection', $linkRedirection);
-                    $new_link = get_permalink($post_id);
-                    $content = str_replace($href, $new_link, $content);
-                    $need_update = true;
+                    if($post_id === 0)
+                    {
+                        wp_pocketurl_log_to_file('Error occurred while inserting new redirect rule!');
+                    }
+                    else
+                    {
+                        $cusOption = '0';
+                        $linkRedirection = get_option('wp_pocketurl_link_redirection', '301');
+                        update_post_meta($post_id,'wp_pocketurl_link', $href);
+                        update_post_meta($post_id,'wp_pocketurl_link_custom_options', $cusOption);
+                        update_post_meta($post_id,'wp_pocketurl_link_redirection', $linkRedirection);
+                        $new_link = get_permalink($post_id);
+                        $content = str_replace($href, $new_link, $content);
+                        $need_update = true;
+                    }
                 }
                 else
@@ -274 +291 @@
             $args['ID'] = $post->ID;
             $args['post_content'] = $content;
+            remove_filter('content_save_pre', 'wp_filter_post_kses');
+            remove_filter('content_filtered_save_pre', 'wp_filter_post_kses');
+            remove_filter('title_save_pre', 'wp_filter_kses');
             $post_updated = wp_update_post($args);
+            add_filter('content_save_pre', 'wp_filter_post_kses');
+            add_filter('content_filtered_save_pre', 'wp_filter_post_kses');
+            add_filter('title_save_pre', 'wp_filter_kses');
             if (is_wp_error($post_updated)) {
                 $errors = $post_updated->get_error_messages();
@@ -284 +307 @@
     }
 }
+function wp_pocketurl_get_page_by_title($title, $ret_type, $post_type)
+{
+    $xposts = get_posts(
+        array(
+            'post_type'              => $post_type,
+            'title'                  => $title,
+            'post_status'            => 'all',
+            'numberposts'            => 1,
+            'update_post_term_cache' => false,
+            'update_post_meta_cache' => false,           
+            'orderby'                => 'post_date ID',
+            'order'                  => 'ASC',
+        )
+    );
+    if ( ! empty( $xposts ) ) {
+        $zap = $xposts[0];
+    } else {
+        $zap = null;
+    }
+    return $zap;
+}
 function wp_pocketurl_log_to_file($str)
 {