
Changeset 1648992


Ignore:
Timestamp:
05/01/2017 01:51:01 PM (9 years ago)
Author:
csixty4
Message:

Fix for cross-site scripting vulnerability JVN#14419145 @props anonymous but appreciated contributor

Location:
daves-wordpress-live-search/trunk
Files:
3 edited

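--- a/daves-wordpress-live-search/trunk/admin/admin_header.tpl.php
+++ b/daves-wordpress-live-search/trunk/admin/admin_header.tpl.php
@@ -11,5 +11,10 @@
     'advanced' => 'Advanced',
 );
-$current_tab = isset( $_REQUEST['tab'] ) ? $_REQUEST['tab'] : 'settings';
+
+$current_tab = DWLS_Util::match_array_key_or_default(
+    $tabs,
+    isset( $_REQUEST['tab'] ) ? $_REQUEST['tab'] : null,
+    'settings'
+);
 ?>
 
@@ -30,5 +35,5 @@
 </ul>
 <form method="post" action="">
-<input type="hidden" name="tab" value="<?php if(isset($_REQUEST['tab'])) { echo $_REQUEST['tab']; } ?>" />
+<input type="hidden" name="tab" value="<?php echo esc_attr( $current_tab ); ?>" />
 
 <?php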
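Review bot: The allow-list resolves the reflected value in the hidden field, but the `isset( $_REQUEST['tab'] ) ? $_REQUEST['tab'] : null` argument still forwards a non-string when the parameter arrives as an array (`tab[]=x`), because `isset()` does not check the type; `array_key_exists()` inside the helper then emits a warning on PHP 7 or throws a `TypeError` on PHP 8 before the `'settings'` default can apply. Guarding the type at the call site, `isset( $_REQUEST['tab'] ) && is_string( $_REQUEST['tab'] ) ? $_REQUEST['tab'] : null,`, closes that gap; the helper `match_array_key_or_default` in daves-wordpress-live-search.php is the other hunk in this changeset with the same exposure. Only the hidden input is visible in this section; if `$current_tab` or `$_REQUEST['tab']` is echoed elsewhere in the template (the tab navigation between the two hunks, for example), those sites presumably need `esc_attr()`/`esc_html()` as well. A short comment above the assignment, `// Allow-list the requested tab against $tabs; anything else falls back to 'settings'.`, would record why the raw read was replaced.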
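--- a/daves-wordpress-live-search/trunk/daves-wordpress-live-search.php
+++ b/daves-wordpress-live-search/trunk/daves-wordpress-live-search.php
@@ -4,5 +4,5 @@
 Plugin Name: Dave's WordPress Live Search
 Description: Adds "live search" functionality to your WordPress site. Uses the built-in search and jQuery.
-Version: 4.5
+Version: 4.6
 Author: Dave Ross
 Author URI: http://davidmichaelross.com/
@@ -117,4 +117,17 @@
     }
 
+    /**
+     * Match an array key or return a default value.
+     *
+     * @param array      $options Associated array of options to match against.
+     * @param string|int $requested Value to match against $options array keys.
+     * @param string|int $default Default value if there isn't a match.
+     * @return string|int Matching key or default.
+     */
+    function match_array_key_or_default( $options, $requested, $default = null ) {
+        return array_key_exists( $requested, $options ) ?
+            $requested : $default;
+    }
+
 }
 add_action( "save_post", array( "DWLS_Util", "updateFirstImagePostmeta" ), 10, 2 );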
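Review bot: `match_array_key_or_default` is declared as a plain `function` with no `static` keyword and no visibility, yet admin_header.tpl.php in this same changeset invokes it as `DWLS_Util::match_array_key_or_default(...)`; calling a non-static method statically is deprecated on PHP 7 and throws an `Error` on PHP 8, which would take the settings screen down entirely. Declare it `public static function match_array_key_or_default( $options, $requested, $default = null ) {`, in line with the static array callable used for `updateFirstImagePostmeta` on the line after the class. The docblock's `@return string|int` is also off, since `$default` defaults to `null`; either document `string|int|null` or make the default required. The enclosing class starts outside the hunk, so whether its other methods are static is inferred from the callable, not visible here.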
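--- a/daves-wordpress-live-search/trunk/readme.txt
+++ b/daves-wordpress-live-search/trunk/readme.txt
@@ -4,6 +4,6 @@
 Tags: search, AJAX, live search
 Requires at least: 3.6
-Tested up to: 4.6
-Stable tag: 4.5
+Tested up to: 4.8
+Stable tag: 4.6
 License: MIT
 License URI: http://daveross.mit-license.org
@@ -71,4 +71,8 @@
 
 == Changelog ==
+
+= 4.6 =
+* 2017-05-01 Dave Ross <dave@davidmichaelross.com>
+* Fixed cross-site scripting vulnerability in unsanitized "tab" parameter on admin pages
 
 = 4.5 =
@@ -385,4 +389,8 @@
 == Upgrade Notice ==
 
+= 4.6 =
+
+IMPORTANT: This release fixes a cross-site scripting vulnerability (JVN#14419145) in the plugin's admin settings screens. It's recommended that you upgrade your plugin to version 4.6 immediately.
+
 = 4.2 =
 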