
Changeset 2548059


Timestamp:
06/15/2021 10:20:14 AM (5 years ago)
Author:
WPGMaps
Message:

8.1.13

Location:
wp-google-maps/trunk
Files:
4 edited

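--- a/wp-google-maps/trunk/includes/class.crud.php
+++ b/wp-google-maps/trunk/includes/class.crud.php
@@ -556,22 +556,25 @@
         $this->assert_not_trashed();
        
-        if(is_string($arg))
-        {
+        if(is_string($arg)){
+            if(is_string($val)){
+                $val = wp_kses_post($val);
+            }
             $this->__set($arg, $val);
-        }
-        else if(is_array($arg) || is_object($arg))
-        {
-            foreach($arg as $key => $value)
-            {
-                if($this->is_read_only($key))
+        } else if(is_array($arg) || is_object($arg)){
+            foreach($arg as $key => $value){
+                if($this->is_read_only($key)){
                     throw new \Exception('Property is read only');
+                }
                
+                if(is_string($value)){
+                    $value = wp_kses_post($value);
+                }
                 $this->fields[$key] = $value;
             }
            
             $this->update();
-        }
-        else
+        } else{
             throw new \Exception('Invalid argument');
+        }
        
         return $this;
@@ -675,4 +678,8 @@
             throw new \Exception('Property is read only');
        
+        if(is_string($value)){
+            $value = wp_kses_post($value);
+        }
+       
         $this->fields[$name] = $value;
        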
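Review bot: The same three-line `is_string` / `wp_kses_post` filter is pasted into three write paths (new lines 559-561, 569-571 and 680-682), and the single-property branch filters `$val` before calling `__set()`; if the last hunk is the body of `__set()` (its signature is outside the hunk), that value is filtered twice. A private helper such as `private function sanitize_field($value){ return is_string($value) ? wp_kses_post($value) : $value; }`, called at each write to `$this->fields`, would keep the paths from drifting apart. Only top-level strings are covered, so a field whose value is itself an array or object of strings would be stored unfiltered, if the CRUD classes ever hold such values. `wp_kses_post` also still permits post-level HTML, so any field later emitted into an attribute or script context still needs `esc_attr()` or `wp_json_encode()` at output; storage-time KSES does not replace that.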
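--- a/wp-google-maps/trunk/includes/class.settings-page.php
+++ b/wp-google-maps/trunk/includes/class.settings-page.php
@@ -45,4 +45,7 @@
             // NB: Prevent slashes accumulating in paths on Windows machines
             $data           = array_map('stripslashes', $_POST);
+
+            // KSES to stop Authenticated XSS, and just generally to improve the safety of the stored data
+            $data           = array_map('wp_kses_post', $data);
            
             $this->document->populate($data);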
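Review bot: `array_map('wp_kses_post', $data)` on new line 49 walks only the top level of `$_POST`, so a field submitted as an array (`name[]`) reaches `wp_kses_post` as an array although the function is documented to take a string; `$data = wp_kses_post_deep($data);` filters nested values explicitly. Running post-level KSES over every setting also rewrites values that are not HTML (a bare `&` in a URL or key is entity-normalised, for example), so per-field sanitisers chosen by field type would be safer than one blanket filter. The enclosing method starts outside the hunk, so the nonce and capability checks that should precede this write to stored settings are not visible here and are worth confirming.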
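--- a/wp-google-maps/trunk/readme.txt
+++ b/wp-google-maps/trunk/readme.txt
@@ -197,4 +197,7 @@
 == Upgrade Notice ==
 
+= 8.1.13 =
+Please update to 8.1.13 or above to ensure you are using the latest security enhancements.
+
 = 8.1.12 =
 Please update to 8.1.12 for PHP8 compatibility.
@@ -214,6 +217,11 @@
 == Changelog ==
 
+= 8.1.13 - 2021-06-15 =
+* Fixed issue where Authenticated Persistent XSS could be executed on any CRUD module. Uses wp_kses_post for cleanup. Applies to Markers, Polygons, Polylines and Shapes (Thanks to Visse)
+* Fixed issue where Authenticated Persistent XSS could be executed on GDPR settings fields. This was resolved by adding wp_kses_post to all settings fields (Thanks to Visse)
+* Updated security report credit for 8.1.12 withi changlog and readme files
+
 = 8.1.12 - 2021-06-03 =
-* Fixed issue where authenticated Stored Cross-Site Scripting could be executed in the map list (Thanks to wpscan.com - Erwan)
+* Fixed issue where authenticated Stored Cross-Site Scripting could be executed in the map list (Thanks to Mohammed Adam)
 * Fixed issue with translation file name for no_NO. Changed to nb_NO
 * Fixed issue where some OpenLayers tilesets were loaded via http instead of https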
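--- a/wp-google-maps/trunk/wpGoogleMaps.php
+++ b/wp-google-maps/trunk/wpGoogleMaps.php
@@ -4,5 +4,5 @@
 Plugin URI: https://www.wpgmaps.com
 Description: The easiest to use Google Maps plugin! Create custom Google Maps with high quality markers containing locations, descriptions, images and links. Add your customized map to your WordPress posts and/or pages quickly and easily with the supplied shortcode. No fuss.
-Version: 8.1.12
+Version: 8.1.13
 Author: WP Google Maps
 Author URI: https://www.wpgmaps.com
@@ -13,6 +13,11 @@
 
 /*
+ * 8.1.13 - 2021-06-15
+ * Fixed issue where Authenticated Persistent XSS could be executed on any CRUD module. Uses wp_kses_post for cleanup. Applies to Markers, Polygons, Polylines and Shapes (Thanks to Visse)
+ * Fixed issue where Authenticated Persistent XSS could be executed on GDPR settings fields. This was resolved by adding wp_kses_post to all settings fields (Thanks to Visse)
+ * Updated security report credit for 8.1.12 withi changlog and readme files
+ *
  * 8.1.12 - 2021-06-03
- * Fixed issue where authenticated Stored Cross-Site Scripting could be executed in the map list (Thanks to wpscan.com - Erwan)
+ * Fixed issue where authenticated Stored Cross-Site Scripting could be executed in the map list (Thanks to Mohammed Adam)
  * Fixed issue with translation file name for no_NO. Changed to nb_NO
  * Fixed issue where some OpenLayers tilesets were loaded via http instead of https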