
Changeset 2770067


Timestamp:
08/13/2022 08:34:21 AM (4 years ago)
Author:
fastflow
Message:

Further fix for potential admin XSS

Location:
fast-flow-dashboard/trunk
Files:
5 edited

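--- a/fast-flow-dashboard/trunk/fastflow.php
+++ b/fast-flow-dashboard/trunk/fastflow.php
@@ -5,5 +5,5 @@
  * Plugin URI: https://fastflow.io
  * Description: User tagging and dashboard plugin for Fast Flow system
- * Version: 1.2.12
+ * Version: 1.2.13
  * Author: FastFlow.io
  * Author URI: https://fastflow.io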
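--- a/fast-flow-dashboard/trunk/lib/class.fastflow-addons.php
+++ b/fast-flow-dashboard/trunk/lib/class.fastflow-addons.php
@@ -241,5 +241,5 @@
           $params = self::get_param_data();
           $params['_ff_data_action'] = 'get_prod';
-          $params['_ff_data_source'] = esc_html($_POST['value']);
+          $params['_ff_data_source'] = esc_attr($_POST['value']);
           $request_param = array(
             'timeout' => 90,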
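Review bot: The replacement line still HTML-encodes `$_POST['value']` on the way into `$params['_ff_data_source']`, and that array feeds `$request_param` (an outbound request, judging by `'timeout' => 90`) rather than a page, so swapping `esc_html` for `esc_attr` changes nothing about the admin XSS this changeset targets and still mangles the data: an `&` or `<` in the value leaves as `&amp;`/`&lt;`, while the value is only made safe where it is finally printed. Sanitize at input and escape at output instead, e.g. `$params['_ff_data_source'] = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';`, which also removes the undefined-index notice when the field is absent. No nonce or capability check is visible in the hunk for this POST handler; if one runs earlier in the function that is fine, but it is the more important control for an admin-only action and should be confirmed. The enclosing function starts and ends outside the hunk.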
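--- a/fast-flow-dashboard/trunk/lib/class.fastflow.widgets.interface.php
+++ b/fast-flow-dashboard/trunk/lib/class.fastflow.widgets.interface.php
@@ -267,5 +267,5 @@
                                 $title = ' ';
                             } else {
-                                $title = $widget[$widgetnumber]["title"];
+                                $title = esc_attr($widget[$widgetnumber]["title"]);
                             }
 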
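Review bot: `esc_attr()` is applied at the point `$title` is assigned (new line 269), not where it is output, and every consumer of `$title` lies outside this hunk, so whether attribute-context escaping is the right choice cannot be confirmed from here. If `$title` is later printed as element text, `esc_html()` is the matching escaper; if it is printed inside an attribute, the call belongs on that echo so that a reader of the output line sees the escaping without tracing back to the assignment. Keeping `$title` raw here and writing `echo esc_html( $title );` or `esc_attr( $title )` at the output site, whichever the context is, also covers the `' '` branch above with the same rule. The enclosing function starts and ends outside the hunk.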
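--- a/fast-flow-dashboard/trunk/lib/widgets/fast_flow_html_widget_class.php
+++ b/fast-flow-dashboard/trunk/lib/widgets/fast_flow_html_widget_class.php
@@ -62,5 +62,5 @@
     public function widget( $args, $instance ) {
         $widget_id = $args['widget_id'];
-        $editor_content = $instance[ 'wp_editor_html' ];
+        $editor_content = esc_attr($instance[ 'wp_editor_html' ]);
         echo '<div id="'.$widget_id.'">';
         echo $editor_content;
@@ -85,6 +85,6 @@
         // outputs the options form on admin
 
-        $title = ! empty( $instance['title'] ) ? $instance['title'] : __( 'HTML', 'text_domain' );
-        $wp_editor_html = ! empty( $instance['wp_editor_html'] ) ? $instance['wp_editor_html'] : __( '', 'text_domain' );
+        $title = ! empty( $instance['title'] ) ? esc_attr($instance['title']) : __( 'HTML', 'text_domain' );
+        $wp_editor_html = ! empty( $instance['wp_editor_html'] ) ? esc_attr($instance['wp_editor_html']) : __( '', 'text_domain' );
 
         //$ff_from = ! empty( $instance['ff_from'] ) ? $instance['ff_from'] :'';
@@ -106,5 +106,5 @@
                 <label for="<?php echo $this->get_field_id( 'wp_editor_html' ); ?>"><?php _e( 'Description:' ); ?></label>
 
-                <textarea class="widefat" id="<?php echo $this->get_field_id( 'wp_editor_html' ); ?>" name="<?php echo $this->get_field_name( 'wp_editor_html' ); ?>" rows="5" cols="5"><?php echo ( $wp_editor_html ); ?></textarea>
+                <textarea class="widefat" id="<?php echo $this->get_field_id( 'wp_editor_html' ); ?>" name="<?php echo $this->get_field_name( 'wp_editor_html' ); ?>" rows="5" cols="5"><?php echo esc_attr( $wp_editor_html ); ?></textarea>
 
             </p>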
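Review bot: In `widget()` (new lines 64–66) `esc_attr()` is applied to `$instance['wp_editor_html']` and the result is echoed as element content, so a widget whose field is named `wp_editor_html` and edited in a textarea will now print its saved markup as literal text on the front end — the XSS is closed by disabling what the widget appears to exist for, and `esc_attr` is the attribute-context escaper in any case, not the one for body text. If markup is meant to be allowed, the WordPress pattern is to filter rather than encode: `$editor_content = wp_kses_post( $instance['wp_editor_html'] );` on output, and in `update()` (not touched by this changeset) apply the same filter unless `current_user_can( 'unfiltered_html' )`, as core's Custom HTML widget does. The `<div id="'.$widget_id.'">` on the following line still interpolates `$widget_id` unescaped; it comes from `$args` and is normally generated by WordPress, but `esc_attr( $widget_id )` costs nothing. In `form()` the textarea body (new line 108) should use `esc_textarea( $wp_editor_html )`, the escaper WordPress provides for that context, rather than `esc_attr()`.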
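--- a/fast-flow-dashboard/trunk/readme.txt
+++ b/fast-flow-dashboard/trunk/readme.txt
@@ -65,4 +65,9 @@
 == Changelog ==
 
+
+= 1.2.13 =
+
+Further fix for potential admin XSS
+
 = 1.2.12 =
 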