
Changeset 1408162


Timestamp:
04/30/2016 05:02:08 PM (10 years ago)
Author:
avdude
Message:

Sanitize event data prior to display

File:
1 edited

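--- a/event-registration/trunk/public/evr_public-process_confirmation.php
+++ b/event-registration/trunk/public/evr_public-process_confirmation.php
@@ -77,118 +77,12 @@
     $urlData = new EVR_encryption();
     $url_id = $urlData->encode($reg_id);
-    $url_to_goto = evr_permalink($company_options['evr_page_id']).'action=show_confirm_mess&event_id='.int($passed_event_id).'&reg_id='.$url_id;
+    $url_to_goto = evr_permalink($company_options['evr_page_id']).'action=show_confirm_mess&event_id='.intval($passed_event_id).'&reg_id='.$url_id;
    
     //$url_to_goto = evr_permalink($company_options['evr_page_id']).'action=show_confirm_mess&event_id='.$passed_event_id.'&reg_id='.$reg_id;
-       echo '<meta http-equiv="refresh" content="0;url='.$url_to_goto .'" />';
+       echo '<meta http-equiv="refresh" content="0;url='.esc_url($url_to_goto) .'" />';
 }
 }
 
-function evr_get_event_details($event_id){
-    global $wpdb;
-    $event = $wpdb->get_row($wpdb->prepare("SELECT * FROM ". get_option('evr_event') ." WHERE id = %d",$event_id));
-        $reg_form_defaults = unserialize($event->reg_form_defaults);
-        if ($reg_form_defaults !=""){
-            if (in_array("Address", $reg_form_defaults)) {$inc_address = "Y";}
-            if (in_array("City", $reg_form_defaults)) {$inc_city = "Y";}
-            if (in_array("State", $reg_form_defaults)) {$inc_state = "Y";}
-            if (in_array("Zip", $reg_form_defaults)) {$inc_zip = "Y";}
-            if (in_array("Phone", $reg_form_defaults)) {$inc_phone = "Y";}
-        }
-       
-       
-        $event_name         =   sanitize_text_field($event->event_name);
-        $mail_subject       =   sanitize_text_field($event->event_name);
-        $invoice_event      =   sanitize_text_field($event->event_name);
-        $event_identifier   =   sanitize_text_field($event->event_identifier);
-        $display_desc       =   sanitize_text_field($event->display_desc);  // Y or N
-        $event_desc         =   esc_html(stripslashes($event->event_desc));
-        $event_category     =   unserialize($event->category_id);
-        $reg_limit          =   sanitize_text_field($event->reg_limit);
-        $use_coupon         =   sanitize_text_field($event->use_coupon);
-        $event_location     =   sanitize_text_field($event->event_location);
-        $event_address      =   sanitize_text_field($event->event_address);
-        $event_city         =   sanitize_text_field($event->event_city);
-        $event_state        =   sanitize_text_field($event->event_state);
-        $event_postal       =   sanitize_text_field($event->event_postal);
-        $google_map         =   sanitize_text_field($event->google_map);  // Y or N
-        $start_month        =   sanitize_text_field($event->start_month);
-        $start_day          =   sanitize_text_field($event->start_day);
-        $start_year         =   sanitize_text_field($event->start_year);
-        $end_month          =   sanitize_text_field($event->end_month);
-        $end_day            =   sanitize_text_field($event->end_day);
-        $end_year           =   sanitize_text_field($event->end_year);
-        $start_time         =   sanitize_text_field($event->start_time);
-        $end_time           =   sanitize_text_field($event->end_time);
-        $outside_reg        =   sanitize_text_field($event->outside_reg);  // Yor N
-        $external_site      =   esc_url($event->external_site);
-        $more_info          =   sanitize_text_field($event->more_info);
-        $image_link         =   sanitize_text_field($event->image_link);
-        $header_image       =   esc_url($event->header_image); //url???
-        //$event_cost = $event->event_cost;
-        $allow_checks       = sanitize_text_field($event->allow_checks);
-        $is_active          = sanitize_text_field($event->is_active);
-        $send_mail          = sanitize_text_field($event->send_mail);  // Y or N
-        $conf_mail          = esc_html(stripslashes($event->conf_mail));
-        $start_date         = sanitize_text_field($event->start_date);
-        $end_date           = sanitize_text_field($event->end_date);
-        //added 6.00.13
-        $send_coord         = sanitize_text_field($event->send_coord);
-        $coord_email        = sanitize_email($event->coord_email);
-        $coord_msg          = esc_html(stripcslashes($event->coord_msg));
-        $coord_pay_msg      = esc_html(stripslashes($event->coord_pay_msg));
-       
-        $number_attendees = $wpdb->get_var($wpdb->prepare("SELECT SUM(quantity) FROM " . get_option('evr_attendee') . " WHERE event_id=%d",$event_id));
-        if ($number_attendees == '' || $number_attendees == 0 || $number_attendees == null){
-            $number_attendees = '0';
-            }
-        if ($reg_limit == "" || $reg_limit == " " || $reg_limit == null){
-        $reg_limit          =   "Unlimited";}
-        $available_spaces   =   $reg_limit;
-   
-        $filtered_event =array(
-            'event_id'              =>$event_id,
-            'event_name'            =>$event_name,
-            'mail_subject'          =>$event_name,
-            'invoice_event'         =>$event_name,
-            'event_identifier'      =>$event_identifier,
-            'display_description'   =>$display_desc,
-            'event_description'     =>$event_desc,
-            'event_category'        =>$event_category,
-            'reg_limit'             =>$reg_limit,
-            'use_coupon'            =>$use_coupon,
-            'event_location'        =>$event_location,
-            'event_address'         =>$event_address,
-            'event_city'            =>$event_city,
-            'event_state'           =>$event_state,
-            'event_postal'          =>$event_postal,
-            'google_map'            =>$google_map,
-            'start_month'           =>$start_month,
-            'start_day'             =>$start_day,
-            'start_year'            =>$start_year,
-            'start_date'            =>$start_date,
-            'start_time'            =>$start_time,
-            'end_month'             =>$end_month,
-            'end_day'               =>$end_day,
-            'end_year'              =>$end_year,
-            'end_date'              =>$end_date,
-            'end_time'              =>$end_time,
-            'allow_checks'          =>$allow_checks,
-            'outside_reg'           =>$outside_reg,
-            'external_site'         =>$external_site,
-            'more_info'             =>$more_info,
-            'image_link'            =>$image_link,
-            'header_image'          =>$header_image,
-            'is_active'             =>$is_active,
-            'send_mail'             =>$send_mail,
-            'conf_mail'             =>$conf_mail,
-            'send_coord'             =>$send_coord,
-            'coord_email'           =>$coord_email,
-            'coord_msg'             =>$coord_msg,
-            'coord_pay_msg'         =>$coord_pay_msg,
-            'available_spaces'      =>$available_spaces
-        );
-               
-    return $filtered_event;           
-}
+
 function evr_show_confirmation()
 {
@@ -212,5 +106,5 @@
     //put event data into session array for use on ical
     $_SESSION['event_array'] = $event;
-   
+    //use santized event array to get data
     $event = evr_get_event_details($event_id);
    
@@ -223,46 +117,45 @@
             if (in_array("Phone", $reg_form_defaults)) {$inc_phone = "Y";}
         }
-        $use_coupon = $event->use_coupon;
-        $reg_limit = $event->reg_limit;
+        $use_coupon = esc_attr($event->use_coupon);
+        $reg_limit = esc_attr($event->reg_limit);
         $event_name = htmlspecialchars_decode(html_entity_decode(stripslashes($event->event_name)));
         $mail_subject =  evr_htmlchanger($event->event_name);
-        $invoice_event = $event->event_name;
-        $event_identifier = stripslashes($event->event_identifier);
-        $display_desc = $event->display_desc;  // Y or N
-        $event_desc = html_entity_decode(stripslashes($event->event_desc));
+        $invoice_event = esc_attr($event->event_name);
+        $event_identifier = esc_attr(stripslashes($event->event_identifier));
+        $display_desc = esc_attr($event->display_desc);  // Y or N
+        $event_desc = esc_attr(html_entity_decode(stripslashes($event->event_desc)));
         $event_category = unserialize($event->category_id);
-        $reg_limit = $event->reg_limit;
-        $event_location = $event->event_location;
-        $event_address = $event->event_address;
-        $event_city = $event->event_city;
-        $event_state =$event->event_state;
-        $event_postal=$event->event_postal;
-        $google_map = $event->google_map;  // Y or N
-        $start_month = $event->start_month;
-        $start_day = $event->start_day;
-        $start_year = $event->start_year;
-        $end_month = $event->end_month;
-        $end_day = $event->end_day;
-        $end_year = $event->end_year;
-        $start_time = $event->start_time;
-        $end_time = $event->end_time;
-        $allow_checks = $event->allow_checks;
-        $outside_reg = $event->outside_reg;  // Yor N
-        $external_site = $event->external_site;
-        $more_info = $event->more_info;
-        $image_link = $event->image_link;
-        $header_image = $event->header_image;
+        $event_location = esc_attr($event->event_location);
+        $event_address = esc_attr($event->event_address);
+        $event_city = esc_attr($event->event_city);
+        $event_state = esc_attr($event->event_state);
+        $event_postal = esc_attr($event->event_postal);
+        $google_map = esc_attr($event->google_map);  // Y or N
+        $start_month = esc_attr($event->start_month);
+        $start_day = esc_attr($event->start_day);
+        $start_year = esc_attr($event->start_year);
+        $end_month = esc_attr($event->end_month);
+        $end_day = esc_attr($event->end_day);
+        $end_year = esc_attr($event->end_year);
+        $start_time = esc_attr($event->start_time);
+        $end_time = esc_attr($event->end_time);
+        $allow_checks = esc_attr($event->allow_checks);
+        $outside_reg = esc_attr($event->outside_reg);  // Yor N
+        $external_site = esc_url($event->external_site);
+        $more_info = esc_attr($event->more_info);
+        $image_link = esc_url($event->image_link);
+        $header_image = esc_url($event->header_image);
         //$event_cost = $event->event_cost;
-        $allow_checks = $event->allow_checks;
-        $is_active = $event->is_active;
-        $send_mail = $event->send_mail;  // Y or N
-        $conf_mail = stripslashes($event->conf_mail);
-        $start_date = $event->start_date;
-        $end_date = $event->end_date;
+        $allow_checks = esc_attr($event->allow_checks);
+        $is_active = esc_attr($event->is_active);
+        $send_mail = esc_attr($event->send_mail);  // Y or N
+        $conf_mail = esc_attr(stripslashes($event->conf_mail));
+        $start_date = esc_attr($event->start_date);
+        $end_date = esc_attr($event->end_date);
         //added 6.00.13
-        $send_coord = $event->send_coord;
-        $coord_email = $event->coord_email;
-        $coord_msg = stripcslashes($event->coord_msg);
-        $coord_pay_msg = stripslashes($event->coord_pay_msg);
+        $send_coord = esc_attr($event->send_coord);
+        $coord_email = esc_attr($event->coord_email);
+        $coord_msg = esc_attr(stripcslashes($event->coord_msg));
+        $coord_pay_msg = esc_attr(stripslashes($event->coord_pay_msg));
         $number_attendees = $wpdb->get_var($wpdb->prepare("SELECT SUM(quantity) FROM " . get_option('evr_attendee') . " WHERE event_id=%d",$event_id));
         if ($number_attendees == '' || $number_attendees == 0 || $number_attendees == null){
@@ -544,5 +437,5 @@
     if (isset($company_options['evr_invoice'])){
         if ($company_options['evr_invoice'] == "Y"){
-            echo '<form id="invoice" class="evr_regform" method="post" target=_blank action="'.plugins_url('tcpdf/examples/invoice.php').'">';
+            echo '<form id="invoice" class="evr_regform" method="post" target=_blank action="'.esc_url(plugins_url('tcpdf/examples/invoice.php')).'">';
             ?>
             <input type="hidden" name="reg_form" value="<?php echo $invoice_post;?>" />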
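Review bot: `$event_name` on new line 121 is still built with `htmlspecialchars_decode(html_entity_decode(stripslashes(...)))` and no escaping, while every neighbouring field in this hunk now gets `esc_attr()`; if that variable is echoed into the page later in `evr_show_confirmation()` (its body continues outside the hunk), it is the one field this commit deliberately leaves decoded and unescaped, and it needs escaping at the output point, e.g. `echo esc_html($event_name);`. Two of the new calls also disagree with the helper this same commit removes: `$coord_email` was `sanitize_email()`'d there but is now `esc_attr()`'d, which HTML-encodes an address that — judging by the `$send_coord` flag beside it — presumably becomes a mail recipient, so `$coord_email = sanitize_email($event->coord_email);` is the better fit; and `$event_desc` moved from `esc_html` to `esc_attr`, which is only right if the description is always placed inside an attribute (for body text use `esc_html`, or `wp_kses_post` if the description may carry markup). `unserialize($event->category_id)` on line 127 is untouched; if that column is ever writable by a low-privilege user it is an object-injection sink, and `maybe_unserialize()` or `unserialize($event->category_id, array('allowed_classes' => false))` closes it. In the last hunk the form action is now `esc_url()`'d but `$invoice_post` is still echoed raw into the hidden input's `value` attribute; unless it is already escaped where it is built (not visible here), that line should read `value="<?php echo esc_attr($invoice_post);?>"`.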