
Changeset 2746542


Timestamp:
06/22/2022 04:29:42 PM (4 years ago)
Author:
grimmdude
Message:

1.4.3 - more output escaping

Location:
sharebar
Files:
44 added
3 edited

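--- a/sharebar/trunk/readme.txt
+++ b/sharebar/trunk/readme.txt
@@ -4,5 +4,5 @@
 Requires at least: 2.0
 Tested up to: 6.0
-Stable tag: 1.4.2
+Stable tag: 1.4.3
 
 Sharebar adds a dynamic and fully customizable vertical box to the left of a blog post that contains links/buttons to popular social networking sites.
@@ -61,4 +61,7 @@
 
 == Changelog ==
+= 1.4.3 =
+* Add some output escaping.
+
 = 1.4.2 =
 * Add CSRF protection to admin forms.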
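--- a/sharebar/trunk/sharebar-admin.php
+++ b/sharebar/trunk/sharebar-admin.php
@@ -21,9 +21,9 @@
     }
 
-    $id = sanitize(isset($_REQUEST['id']) ? $_REQUEST['id'] : null);
-    $pos = sanitize(isset($_REQUEST['pos']) ? $_REQUEST['pos'] : null);
-    $status = sanitize(isset($_REQUEST['status']) ? $_REQUEST['status'] : null);
-    $task = sanitize(isset($_REQUEST['t']) ? $_REQUEST['t'] : null);
-    $do = sanitize(isset($_REQUEST['do']) ? $_REQUEST['do'] : null);
+    $id = isset($_REQUEST['id']) ? $_REQUEST['id'] : null;
+    $pos = isset($_REQUEST['pos']) ? $_REQUEST['pos'] : null;
+    $status = isset($_REQUEST['status']) ? $_REQUEST['status'] : null;
+    $task = isset($_REQUEST['t']) ? $_REQUEST['t'] : null;
+    $do = isset($_REQUEST['do']) ? $_REQUEST['do'] : null;
    
     if($id) $item = $wpdb->get_row($wpdb->prepare("SELECT * FROM ".$wpdb->prefix."sharebar WHERE id=%d", $id));
@@ -31,9 +31,9 @@
     if($do == 'update') {
         check_admin_referer( 'wp_sharebar_add_update' );
-        $wpdb->query($wpdb->prepare("UPDATE ".$wpdb->prefix."sharebar SET enabled='%d', position='%d', name='%s', big='%s', small='%s' WHERE id='%d'", sanitize($_POST['enabled']), sanitize($_POST['position']), $_POST['name'], $_POST['big'], $_POST['small'], $id));
+        $wpdb->query($wpdb->prepare("UPDATE ".$wpdb->prefix."sharebar SET enabled='%d', position='%d', name='%s', big='%s', small='%s' WHERE id='%d'", $_POST['enabled'], $_POST['position'], $_POST['name'], $_POST['big'], $_POST['small'], $id));
     }
     elseif($do == 'add') {
         check_admin_referer( 'wp_sharebar_add_update' );
-        $wpdb->query($wpdb->prepare("INSERT INTO ".$wpdb->prefix."sharebar (position, name, big, small) VALUES('%d','%s', '%s', '%s')", sanitize($_POST['position']), $_POST['name'], $_POST['big'], $_POST['small']));
+        $wpdb->query($wpdb->prepare("INSERT INTO ".$wpdb->prefix."sharebar (position, name, big, small) VALUES('%d','%s', '%s', '%s')", $_POST['position'], $_POST['name'], $_POST['big'], $_POST['small']));
     }
     elseif($do == 'delete') {
@@ -59,5 +59,5 @@
             foreach ($buttons as $button)
                 sharebar_update_button($button,$uptask);
-            $status = "Buttons have been ".$uptask."d";
+            $status = "Buttons have been ".esc_html($uptask)."d";
         }else
             $status = "No buttons selected.";
@@ -130,5 +130,5 @@
 <div class="wrap">
 
-<?php if($status){?><div id="message" class="updated fade"><?php echo $status; ?></div><?php } ?>
+<?php if($status){?><div id="message" class="updated fade"><?php echo esc_html($status); ?></div><?php } ?>
 
 <h2>Custom Sharebar</h2>
@@ -154,5 +154,5 @@
         if(isset($item) && $item->enabled) $enabled = " checked='true'";
     ?>
-    <form action="?page=<?php echo $_GET['page']; ?>" method="post">
+    <form action="?page=<?php echo esc_attr($_GET['page']); ?>" method="post">
         <?php wp_nonce_field( 'wp_sharebar_add_update' ); ?>
         <p class="mediumtext alignleft">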
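Review bot: With sanitize() gone, the `name`, `big` and `small` values in the UPDATE at line 33 and the INSERT at line 37 are written exactly as posted, and every `$_POST[...]` read on those two lines is unguarded, so a missing field raises an undefined-index notice (the isset() pattern used at lines 23-27 was not carried over). prepare() covers SQL escaping, so what is missing is per-field input sanitization in the WordPress style: `sanitize_text_field()` for `name`, `absint()` for `enabled`/`position`, and, if `big`/`small` are meant to carry button markup (the hunk does not show how they are rendered), `wp_kses_post()` so script tags are dropped while ordinary markup survives, with `wp_unslash()` applied first because WordPress slashes request data. While there, the placeholders should be unquoted (`enabled=%d`, `name=%s`) as wpdb::prepare documents; the quoted forms happen to work but are inconsistent with the bare `%d` on line 29. The enclosing function starts before the hunk, and whether the stored values are escaped when they are later output is not verifiable from here.
```php
    // … unchanged: $id/$pos/$status/$task/$do reads and the $item lookup …
    $name     = isset($_POST['name'])     ? sanitize_text_field(wp_unslash($_POST['name'])) : '';
    $big      = isset($_POST['big'])      ? wp_kses_post(wp_unslash($_POST['big']))         : '';
    $small    = isset($_POST['small'])    ? wp_kses_post(wp_unslash($_POST['small']))       : '';
    $enabled  = isset($_POST['enabled'])  ? absint($_POST['enabled'])  : 0;
    $position = isset($_POST['position']) ? absint($_POST['position']) : 0;

    if($do == 'update') {
        check_admin_referer( 'wp_sharebar_add_update' );
        $wpdb->query($wpdb->prepare("UPDATE ".$wpdb->prefix."sharebar SET enabled=%d, position=%d, name=%s, big=%s, small=%s WHERE id=%d", $enabled, $position, $name, $big, $small, $id));
    }
    elseif($do == 'add') {
        check_admin_referer( 'wp_sharebar_add_update' );
        $wpdb->query($wpdb->prepare("INSERT INTO ".$wpdb->prefix."sharebar (position, name, big, small) VALUES(%d, %s, %s, %s)", $position, $name, $big, $small));
    }
    // … unchanged: delete branch and the rest of the function …
```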
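--- a/sharebar/trunk/sharebar.php
+++ b/sharebar/trunk/sharebar.php
@@ -4,5 +4,5 @@
 Plugin URI: http://devgrow.com/sharebar-wordpress-plugin/
 Description: Adds a dynamic bar with sharing icons (Facebook, Twitter, etc.) that changes based on browser size and page location.
-Version: 1.4.2
+Version: 1.4.3
 Author: Monji Dolon
 Author URI: http://mdolon.com/
@@ -227,36 +227,4 @@
 }
 
-function cleanInput($input) {
-
-    $search = array(
-        '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
-        '@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
-        '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
-        '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
-    );
-
-    $output = preg_replace($search, '', $input);
-    return $output;
-}
-
-function sanitize($input) {
-    if (is_array($input)) {
-        foreach($input as $var=>$val) {
-            $output[$var] = sanitize($val);
-        }
-    }
-    else {
-        /*
-        if (get_magic_quotes_gpc()) {
-            $input = stripslashes($input);
-        }
-        */
-        $input  = cleanInput($input);
-        $output = esc_sql($input);
-    }
-    return $output;
-}
-
-
 add_filter('the_content', 'sharebar_auto');
 add_action('wp_enqueue_scripts', 'sharebar_scripts');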