Context Navigation

← Previous Changeset
Next Changeset →

Changeset 1947563

Timestamp:

09/26/2018 06:02:07 PM (8 years ago)

Author:

rveitch

Message:

Updating plugin 3.2.2

Location:

coschedule-by-todaymade

Files:

: 9 added
: 4 edited

tags/3.2.2 (added)
tags/3.2.2/_access-denied.php (added)
tags/3.2.2/_missing-token.php (added)
tags/3.2.2/frame.php (added)
tags/3.2.2/plugin_setup.php (added)
tags/3.2.2/readme.txt (added)
tags/3.2.2/tm-scheduler.php (added)
trunk/_access-denied.php (added)
trunk/_missing-token.php (added)
trunk/frame.php (modified) (3 diffs)
trunk/plugin_setup.php (modified) (1 diff)
trunk/readme.txt (modified) (3 diffs)
trunk/tm-scheduler.php (modified) (43 diffs)

Legend:

: Unmodified
: Added
: Removed

coschedule-by-todaymade/trunk/frame.php

-                      r1733430
+                      r1947563
 if ( get_option( 'tm_coschedule_token' ) ) {
     if ( current_user_can( 'edit_posts' ) ) {
         $url = "https://app.coschedule.com/#/authenticate?calendarID=" . urlencode( get_option( 'tm_coschedule_calendar_id' ) );
         $url .= "&wordpressSiteID=" . urlencode( get_option( 'tm_coschedule_wordpress_site_id' ) );
+        $url = "https://app.coschedule.com/#/authenticate?calendarID=" . rawurlencode( get_option( 'tm_coschedule_calendar_id' ) );
+        $url .= "&wordpressSiteID=" . rawurlencode( get_option( 'tm_coschedule_wordpress_site_id' ) );
         $url .= "&redirect=" . $redirect . "&build=" . $this->build;
         $url .= "&userID=" . $this->current_user_id;
 …
         $userToken = '';
         if ( isset( $_GET['tm_cos_user_token'] ) ) {
             $userToken = $_GET['tm_cos_user_token'];
+            $userToken = sanitize_text_field( $_GET['tm_cos_user_token'] );
+        }
         if ( isset( $userToken ) && ! empty( $userToken ) ) {
             $url .= '&userToken=' . urlencode( $userToken );
+            $url .= '&userToken=' . rawurlencode( $userToken );
+        }
 …
         <?php
     } else {
         include( '_access-denied.html' );
+        include( plugin_dir_path( __FILE__ ) . '_access-denied.php' );
+    }
 } else {
     include( '_missing-token.html' );
+    include( plugin_dir_path( __FILE__ ) . '_missing-token.php' );
+}

coschedule-by-todaymade/trunk/plugin_setup.php

r1920580	r1947563
178	178	<?php
179	179	} else {
180		include( plugin_dir_path( __FILE__ ) . '_access-denied.~~html~~' );
	180	include( plugin_dir_path( __FILE__ ) . '_access-denied.php' );
181	181	}

coschedule-by-todaymade/trunk/readme.txt

-                      r1935815
+                      r1947563
 Requires at least: 3.5
 Tested up to: 4.9.6
 Stable tag: 3.2.1
+Stable tag: 3.2.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= 3.2.2 =
+* Updates for WordPress VIP standards
 = 3.2.1 =
 * Removed a legacy fix for Edit Flow timestamps that has been addressed by the Edit Flow plugin.
 …
 == Upgrade Notice ==
+= 3.2.2 =
+* Updates for WordPress VIP standards
 = 3.2.1 =
 * Removed a legacy fix for Edit Flow timestamps that has been addressed by the Edit Flow plugin.

coschedule-by-todaymade/trunk/tm-scheduler.php

-                      r1935815
+                      r1947563
 Plugin Name: CoSchedule
 Description: Plan, organize, and execute every content marketing project in one place with CoSchedule, an all-in-one content marketing editorial calendar solution.
 Version: 3.2.1
+Version: 3.2.2
 Author: CoSchedule
 Author URI: http://coschedule.com/
 …
 if ( ! class_exists( 'tm_coschedule' ) ) {
     // Include Http Class
+    // include the Http Class
     if ( ! class_exists( 'WP_Http' ) ) {
         /** @noinspection PhpIncludeInspection */
 …
         private $app = "https://app.coschedule.com";
         private $assets = "https://assets.coschedule.com";
         private $version = "3.2.1";
+        private $version = "3.2.2";
         private $build;
         private $connected = false;
 …
             // Load variables
             $this->build                  = intval( "81" );
+            $this->build                  = intval( "82" );
             $this->token                  = get_option( 'tm_coschedule_token' );
             $this->calendar_id            = get_option( 'tm_coschedule_calendar_id' );
 …
             $this->synced_build           = get_option( 'tm_coschedule_synced_build' );
             $this->is_wp_vip              = ( defined( 'WPCOM_IS_VIP_ENV' ) && ( true === WPCOM_IS_VIP_ENV ) );
             $this->base64_decode_disabled = in_array( 'base64_decode', explode( ',', str_replace( ' ', '', ini_get( 'disable_functions' ) ) ) );
+            $this->base64_decode_disabled = in_array( 'base64_decode', explode( ',', str_replace( ' ', '', ini_get( 'disable_functions' ) ) ), true );
             $this->use_wp_json_encode     = function_exists( 'wp_json_encode' );
 …
             if ( ! array_key_exists('tm_coschedule_calendar', $submenu) ) {
                 $submenu['tm_coschedule_calendar'] = array();
+                $submenu['tm_coschedule_calendar'] = array(); // WPCS: override ok.
+            }
 …
             if ( true === $this->connected && $submenu['tm_coschedule_calendar'][1] && $submenu['tm_coschedule_calendar'][1][0] === "Open In Web App") {
                 $url = $this->app . '/#/calendar/' . $this->calendar_id . '/schedule';
                 $submenu['tm_coschedule_calendar'][1] = array( '<span class="cos-submenu-new-window">Open In Web App</span>', 'edit_posts', esc_url( $url ) );
+                $submenu['tm_coschedule_calendar'][1] = array( '<span class="cos-submenu-new-window">Open In Web App</span>', 'edit_posts', esc_url( $url ) ); // WPCS: override ok.
+            }
+        }
 …
          */
         public function admin_submenu_new_window_items_jquery() {
             $cache_bust = urlencode( $this->get_cache_bust() );
+            $cache_bust = rawurlencode( $this->get_cache_bust() );
             $url        = $this->assets . '/plugin/js/cos-plugin-new-window.js?cb=' . $cache_bust;
             wp_enqueue_script( 'cos_js_plugin_new_window', $url, false, null, true );
 …
          */
         public function plugin_settings_scripts() {
             $cache_bust = urlencode( $this->get_cache_bust() );
+            $cache_bust = rawurlencode( $this->get_cache_bust() );
             wp_enqueue_style( 'cos_css', $this->assets . '/plugin/css/cos-plugin-setup.css?cb=' . $cache_bust );
             wp_enqueue_script( 'cos_js_config', $this->assets . '/config.js?cb=' . $cache_bust, false, null, true );
 …
         public function plugin_calendar_page() {
             if ( ! current_user_can( 'edit_posts' ) ) {
                 wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
+                wp_die( esc_html( __( 'You do not have sufficient permissions to access this page.' ) ) );
+            }
             // Check if connected
             if ( true === $this->connected ) {
+                $redirect = 'schedule';
+                include( sprintf( "%s/frame.php", dirname( __FILE__ ) ) );
+                include( plugin_dir_path( __FILE__ ) . 'frame.php' );
             } else {
                 $this->plugin_settings_scripts();
                 include( sprintf( "%s/plugin_setup.php", dirname( __FILE__ ) ) );
+                include( plugin_dir_path( __FILE__ ) . 'plugin_setup.php' );
+            }
+        }
 …
          */
         public function meta_box_setup() {
             if ( true == $this->meta_box_enabled() && true === $this->connected ) {
+            if ( true === $this->meta_box_enabled() && true === $this->connected ) {
                 $this->metabox_iframe_styles();
                 $this->metabox_iframe_scripts();
 …
          */
         public function metabox_iframe_styles() {
             $cache_bust = urlencode( $this->get_cache_bust() );
+            $cache_bust = rawurlencode( $this->get_cache_bust() );
             $url        = $this->assets . '/plugin/css/cos-metabox.css?cb=' . $cache_bust;
             wp_enqueue_style( 'cos_metabox_css', $url );
 …
          */
         public function metabox_iframe_scripts() {
             $cache_bust       = urlencode( $this->get_cache_bust() );
+            $cache_bust       = rawurlencode( $this->get_cache_bust() );
             $resizer_url      = $this->assets . '/plugin/js/cos-iframe-resizer.js?cb=' . $cache_bust;
             $resizer_exec_url = $this->assets . '/plugin/js/cos-iframe-resizer-exec.js?cb=' . $cache_bust;
 …
             $wordpress_site_id = get_option( 'tm_coschedule_wordpress_site_id' );
             $query_params      = array(
                 "calendarID"      => urlencode( $calendar_id ),
                 "wordpressSiteID" => urlencode( $wordpress_site_id ),
                 "postID"          => urlencode( $post->ID ),
                 "build"           => urlencode( $this->build ),
                 "userID"          => urlencode( $this->current_user_id ),
                 "isMetabox"       => urlencode( 'true' )
+                "calendarID"      => rawurlencode( $calendar_id ),
+                "wordpressSiteID" => rawurlencode( $wordpress_site_id ),
+                "postID"          => rawurlencode( $post->ID ),
+                "build"           => rawurlencode( $this->build ),
+                "userID"          => rawurlencode( $this->current_user_id ),
+                "isMetabox"       => rawurlencode( 'true' )
             );
             $url               = untrailingslashit( $this->app ) . "/#/authenticate";
 …
             try {
                 if ( isset( $_GET['token'] ) ) {
                     $token = $_GET['token'];
+                    $token = sanitize_text_field( $_GET['token'] );
                 } elseif ( isset( $data_args['token'] ) ) {
                     $token = $data_args['token'];
 …
                 if ( true === $this->valid_token( $token ) ) {
                     if ( is_array( $_GET ) && array_key_exists( 'post_id', $_GET ) ) {
                         $post_id = $_GET['post_id'];
+                    if ( is_array( $_GET ) && array_key_exists( 'post_id', $_GET ) && isset( $_GET['post_id'] )) {
+                        $post_id = sanitize_text_field( $_GET['post_id'] );
                     } elseif ( is_array( $data_args ) && array_key_exists( 'post_id', $data_args ) ) {
                         $post_id = $data_args['post_id'];
 …
                     // if indication is wp_cron not run or disabled, force the issue //
                     if ( false === $wp_cron_response || 'disabled' == $wp_cron_response ) {
+                    if ( false === $wp_cron_response || 'disabled' === $wp_cron_response ) {
                         $publish_missed_schedule_posts_result = $this->publish_missed_schedule_posts( $post_id );
                     } else {
 …
                 $this->sanitize_param( $post_id );
+                // download it to temporary spot //
+                $attachment_pointer = download_url( $url );
+                $file_array         = array(
+                    'name' => basename( $url ),
+                );
+                // track where in process //
+                $stage = 'download';
+                // check for download errors //
+                $attachment_pointer = media_sideload_image( $url, $post_id, null, 'id' );
+                // check for sideload error //
                 if ( ! is_wp_error( $attachment_pointer ) ) {
+                    $file_array['tmp_name'] = $attachment_pointer;
+                    // handle media, $post_id === 0 will not associate media with a post //
+                    $attachment_pointer = media_handle_sideload( $file_array, $post_id );
+                    // track where in process //
+                    $stage = 'sideload';
+                    // check for sideload error //
+                    if ( ! is_wp_error( $attachment_pointer ) ) {
+                        // extract url of attachment //
+                        $response                   = array();
+                        $response['url']            = $url;
+                        $response['attachment_url'] = wp_get_attachment_url( $attachment_pointer );
+                        // respond OK //
+                        $this->respond_json_and_die( $response );
+                        return;
+                    } else {
+                        // failed, remove temporary file //
+                        @unlink( $file_array['tmp_name'] );
+                    }
+                }
+                // report error //
+                if ( is_wp_error( $attachment_pointer ) ) {
+                    throw new Exception( 'Sideload failed during ' . $stage . ' with WP Error: ' . $attachment_pointer->get_error_message() );
+                    // extract url of attachment //
+                    $response                   = array();
+                    $response['url']            = $url;
+                    $response['attachment_url'] = wp_get_attachment_url( $attachment_pointer );
+                    // respond OK //
+                    $this->respond_json_and_die( $response );
+                    return;
                 } else {
                     throw new Exception( 'Sideload failed during ' . $stage . ' for unknown reason.' );
+                    throw new Exception( 'Sideload failed during sideload with WP Error: ' . $attachment_pointer->get_error_message() );
+                }
 …
                 $this->respond_json_and_die( $post );
             } catch ( Exception $e ) {
+                $data          = array();
                 $data['error'] = $e->getMessage();
                 $this->respond_json_and_die( $data );
 …
                 exit;
             } catch ( Exception $e ) {
+                $data          = array();
                 $data['error'] = $e->getMessage();
                 $this->respond_json_and_die( $data );
 …
+            }
             return wp_verify_nonce( $_GET[ 'cos_preview' ], 'coschedule_preview_' . $this->token .' _post_id-' . $posts[0]->ID );
+            return wp_verify_nonce( sanitize_text_field( $_GET[ 'cos_preview' ] ), 'coschedule_preview_' . $this->token .' _post_id-' . $posts[0]->ID );
+        }
 …
                 // Sanitize $_POST or $_GET params
                 if ( isset( $_POST['token'] ) && isset( $_POST['calendar_id'] ) && isset( $_POST['wordpress_site_id'] ) ) {
                     $params['token']             = $_POST['token'];
                     $params['calendar_id']       = $_POST['calendar_id'];
                     $params['wordpress_site_id'] = $_POST['wordpress_site_id'];
+                if ( isset( $_POST['token'] ) && isset( $_POST['calendar_id'] ) && isset( $_POST['wordpress_site_id'] ) ) { // WPCS: CSRF ok.
+                    $params['token']             = sanitize_text_field( $_POST['token'] );
+                    $params['calendar_id']       = sanitize_text_field( $_POST['calendar_id'] );
+                    $params['wordpress_site_id'] = sanitize_text_field( $_POST['wordpress_site_id'] );
                 } elseif ( isset( $_GET['token'] ) && isset( $_GET['calendar_id'] ) && isset( $_GET['wordpress_site_id'] ) ) {
                     $params['token']             = $_GET['token'];
                     $params['calendar_id']       = $_GET['calendar_id'];
                     $params['wordpress_site_id'] = $_GET['wordpress_site_id'];
+                    $params['token']             = sanitize_text_field( $_GET['token'] );
+                    $params['calendar_id']       = sanitize_text_field( $_GET['calendar_id'] );
+                    $params['wordpress_site_id'] = sanitize_text_field( $_GET['wordpress_site_id'] );
                 } elseif ( isset( $data_args['token'] ) && isset( $data_args['calendar_id'] ) && isset( $data_args['wordpress_site_id'] ) ) {
                     $params['token']             = $data_args['token'];
 …
             try {
                 if ( isset( $_GET['token'] ) ) {
                     $token = $_GET['token'];
+                    $token = sanitize_text_field( $_GET['token'] );
                 } else {
                     $token = $data_args['token'];
 …
             try {
                 if ( isset( $_GET['post_types_list'] ) ) {
                     $list = $_GET['post_types_list'];
+                    $list = sanitize_text_field( $_GET['post_types_list'] );
                 } elseif ( isset( $data_args['post_types_list'] ) ) {
                     $list = $data_args['post_types_list'];
 …
         public function tm_aj_action() {
             try {
                 // favor POST values for compatibility  //
                 if ( isset( $_POST['action'] ) ) { // plugin_build > 40 will prefer POST
                     $args = $_POST;
                 } else { // fallback to GET params //
+                // favor POST values for compatibility, fallback to GET params (plugin_build > 40 will prefer POST)
+                if ( isset( $_POST['action'] ) ) {
+                    $args = $_POST; // WPCS: CSRF ok.
+                } else {
                     $args = $_GET;
+                }
 …
                 // do not allow some functions when in WP-VIP environments
                 if ( true === $this->is_wp_vip ) {
                     unset( $defer_token_check[ array_search( 'tm_aj_trigger_cron', $defer_token_check ) ] );
                     unset( $private_functions[ array_search( 'tm_aj_trigger_cron', $private_functions ) ] );
+                    unset( $defer_token_check[ array_search( 'tm_aj_trigger_cron', $defer_token_check, true ) ] );
+                    unset( $private_functions[ array_search( 'tm_aj_trigger_cron', $private_functions, true ) ] );
+                }
 …
                 // Validate allowed
                 if ( ! in_array( $func, $allowed ) ) {
+                if ( ! in_array( $func, $allowed, true ) ) {
                     throw new Exception( 'Invalid API call. Method not allowed.' );
+                }
                 // Only invoke validation for those functions not having it internally
                 if ( ! in_array( $func, $defer_token_check ) ) {
+                if ( ! in_array( $func, $defer_token_check, true ) ) {
                     // Validate 'token' arg
                     if ( ! isset( $args['token'] ) ) {
 …
                 // Is the target function private ?
                 $is_private = in_array( $func, $private_functions );
+                $is_private = in_array( $func, $private_functions, true );
                 // wrap model in order to preserve it through call_user_func_array invocation //
 …
                     /** @noinspection PhpIncludeInspection */
                     /** @noinspection PhpUndefinedMethodInspection */
+                    require_once trailingslashit( $wp_filesystem->wp_plugins_dir() ) . 'jetpack/modules/markdown/easy-markdown.php';
+                    $plugins_path = trailingslashit( $wp_filesystem->wp_plugins_dir() );
+                    require_once( $plugins_path . 'jetpack/modules/markdown/easy-markdown.php' );
                     if ( class_exists( 'WPCom_Markdown' ) ) {
 …
                 // Validate call
                 if ( isset( $_GET['token'] ) ) {
                     $token = $_GET['token'];
+                    $token = sanitize_text_field( $_GET['token'] );
                 } else {
                     $token = $data_args['token'];
 …
             $the_excerpt    = html_entity_decode( $content, ENT_QUOTES, 'UTF-8' );
             $excerpt_length = 35; // Sets excerpt length by word count
             $the_excerpt    = strip_tags( strip_shortcodes( $the_excerpt ) ); //Strips tags and images
+            $the_excerpt    = wp_strip_all_tags( strip_shortcodes( $the_excerpt ) ); //Strips tags and images
             $words          = explode( ' ', $the_excerpt, $excerpt_length + 1 );
 …
             // Check if post type is supported
             return in_array( $post_type, $custom_post_types_list_array );
+            return in_array( $post_type, $custom_post_types_list_array, true );
+        }
 …
             // This exists to ensure that if a user loads an older post in the WordPress dashboard that the metabox properly loads as we only retain the most recent 500 posts.
             if ( isset( $_GET['post'] ) ) {
                 $post_id = $_GET['post'];
+                $post_id = sanitize_text_field( $_GET['post'] );
                 $this->sanitize_param( $post_id );
                 $this->sync_post_callback( $post_id );
 …
         public function save_timezone_callback() {
             if ( true === $this->connected ) {
+                $params = array();
+                if ( $timezone_string = get_option( 'timezone_string' ) ) {
+                $params          = array();
+                $timezone_string = get_option( 'timezone_string' );
+                $gmt_offset      = get_option( 'gmt_offset' );
+                if ( $timezone_string ) {
                     $params['timezone_string'] = $timezone_string;
+                }
                 if ( $gmt_offset = get_option( 'gmt_offset' ) ) {
+                if ( $gmt_offset ) {
                     $params['gmt_offset'] = $gmt_offset;
+                }
 …
         public function save_blogname_callback() {
             if ( true === $this->connected ) {
+                $params = array();
+                if ( $blogname = get_option( 'blogname' ) ) {
+                $params   = array();
+                $blogname = get_option( 'blogname' );
+                if ( $blogname ) {
                     $params['blogname'] = $blogname;
+                }
 …
             } elseif ( isset( $_REQUEST['post_type'] ) ) {
                 //lastly check the post_type querystring
                 $type = $_REQUEST['post_type'];
+                $type = sanitize_text_field( $_REQUEST['post_type'] );
                 $this->sanitize_param( $type );
             } else {
 …
          */
         public function publish_missed_schedule_posts( $post_id ) {
-            global $wpdb;
             $publish_missed_schedule_posts_response = array();
 …
                 if ( is_numeric( $post_id ) ) {
+                    $qry = "SELECT ID FROM {$wpdb->posts} " .
+                           "WHERE ID = %d " .
+                           "AND ( ( post_date > 0 && post_date <= %s ) ) " .
+                           "AND post_status = 'future' " .
+                           "LIMIT 1";
+                    $sql = $wpdb->prepare( $qry, $post_id, $post_date );
+                    $args = array(
+                        'p'                      => $post_id,
+                        'post_status'            => array( 'future' ),
+                        'date_query'             => array(
+                            array(
+                                'before'         => $post_date,
+                            ),
+                        ),
+                    );
                 } else {
+                    $qry = "SELECT ID FROM {$wpdb->posts} " .
+                           "WHERE ( ( post_date > 0 && post_date <= %s ) ) " .
+                           "AND post_status = 'future' " .
+                           "LIMIT 0,10";
+                    $sql = $wpdb->prepare( $qry, $post_date );
+                }
+                $post_ids = $wpdb->get_col( $sql );
+                    $args = array(
+                        'post_status'            => array( 'future' ),
+                        'posts_per_page'         => '10',
+                        'order'                  => 'ASC',
+                        'orderby'                => 'post_date',
+                        'date_query'             => array(
+                            array(
+                                'before'         => $post_date,
+                            ),
+                        ),
+                    );
+                }
+                $query = new WP_Query( $args );
+                $post_ids = wp_list_pluck( $query->posts, 'ID' );
                 $count_missed_schedule                                           = count( $post_ids );
 …
                             continue;
+                        }
-                        // !!! LET THE MAGIC HAPPEN !!! //
                         wp_publish_post( $post_id );
+                    }
 …
                 if ( isset( $data ) ) {
                     if ( true === $is_json ) {
+                        // adapt_json_encode will handle data escape //
+                        $data = $this->adapt_json_encode( $data );
+                        if ( $this->use_wp_json_encode ) {
+                            echo wp_json_encode( $data );
+                        } else {
+                            echo json_encode( $data );
+                        }
                     } else {
                         $this->sanitize_param( $data );
+                        echo esc_html( esc_sql( $data ) );
+                    }
-                    echo $data;
+                }
             } catch ( Exception $e ) {
                 header( 'Content-Type: text/plain' );
                 echo 'Exception in respond_and_die(...): ' . $e->getMessage();
+                echo esc_html( __( 'Exception in respond_and_die(...): ' . $e->getMessage() ) );
+            }
 …
                 $output = $output . chr( (int) $chr1 );
                 if ( $enc3 != 64 ) {
+                if ( $enc3 !== 64 ) {
                     $output = $output . chr( (int) $chr2 );
+                }
                 if ( $enc4 != 64 ) {
+                if ( $enc4 !== 64 ) {
                     $output = $output . chr( (int) $chr3 );
+                }
 …
     // Version guard to avoid blowing up in unsupported versions
     if ( version_compare( $wp_version, $coschedule_min_wp_version, '<' ) ) {
         if ( isset( $_REQUEST['action'] ) && ( 'error_scrape' == $_REQUEST['action'] ) ) {
+        if ( isset( $_REQUEST['action'] ) && ( 'error_scrape' === $_REQUEST['action'] ) ) {
             $plugin_data = get_plugin_data( __FILE__, false );
 …
             $activation_error .= '</div>';
             die( $activation_error );  // die() to stop execution
+            die( esc_html( __( $activation_error ) ) );  // die() to stop execution
         } else {
             trigger_error( $ignore, E_USER_ERROR ); // throw an error, execution flow returns
+            trigger_error( esc_html( __( $ignore ) ), E_USER_ERROR ); // throw an error, execution flow returns
+        }
         // note, no need for return here as error or die will return execution to caller

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: