
Changeset 2882995


Timestamp:
03/19/2023 08:06:19 PM (3 years ago)
Author:
buntegiraffe
Message:

Enhanced plugin security

Location:
show-hidecollapse-expand/trunk
Files:
4 edited

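--- a/show-hidecollapse-expand/trunk/Tab_help.php
+++ b/show-hidecollapse-expand/trunk/Tab_help.php
@@ -22,5 +22,5 @@
         $this->_html .= "<li> Inline CSS: <br><b>inline_css</b>=\"any css rule, e.g. font-size: 21px; font-weight: normal; \"</li>";
         $this->_html .= "<li> Custom class: <br><b>custom_class</b>=\"any class name you will later use for CSS styling \"</li>";
-        $this->_html .= "<li> Onclick JS function: <br><b>onclick</b>=\"your custom JS function name or inline js, e.g. alert('Hello World!'); \"</li>";
+        $this->_html .= "<li> Onclick JS function (available for roles Editor and above): <br><b>onclick</b>=\"your custom JS function name or inline js, e.g. alert('Hello World!'); \"</li>";
         $this->_html .= "</ul>";
         $this->_html .= "<h2>[bg_collapse] Button Examples</h2>";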
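--- a/show-hidecollapse-expand/trunk/Tab_settings.php
+++ b/show-hidecollapse-expand/trunk/Tab_settings.php
@@ -54,4 +54,5 @@
             <input type=\"submit\" class=\"button button-primary\" id=\"save_plugin_settings\" name=\"save_plugin_settings\" value=\"Save Plugin Settings\">
             <input type=\"hidden\" name=\"action\" value=\"bg_show_hide_save_plugin_settings\">
+            %%WP_NONCE%%
         </form>";
        
@@ -83,10 +84,9 @@
             $this->getPluginContext()->getStickToBottom() === '1' ? 'checked' : '',
             $this->_html );
-           
-        wp_localize_script( "bg-show-hide-script", 'BG_SHCE_USE_EFFECTS', array($this->getPluginContext()->getEffectsEnabledOption()));
-        wp_localize_script( "bg-show-hide-script", 'BG_SHCE_TOGGLE_SPEED', array($this->getPluginContext()->getAnimationSpeed()));
-        wp_localize_script( "bg-show-hide-script", 'BG_SHCE_TOGGLE_OPTIONS', array('none'));
-        wp_localize_script( "bg-show-hide-script", 'BG_SHCE_TOGGLE_EFFECT', array($this->getPluginContext()->getAnimationEffect()));   
-       
+
+        $this->_html = str_replace( "%%WP_NONCE%%",
+            wp_nonce_field( 'bgshce_settings'),
+            $this->_html );
+                  
         return $this->_html;
        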
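Review bot: The new `wp_nonce_field( 'bgshce_settings')` call at new line 88 is used only for its return value, but wp_nonce_field() also echoes its markup by default (its fourth `$display` argument defaults to true), so the hidden nonce input is printed straight to the response while the HTML string is being built and then inserted into the form a second time through the placeholder. The echoed copy sits outside the form and, depending on when this method runs, may land before the page markup. Pass the display flag explicitly: `wp_nonce_field( 'bgshce_settings', '_wpnonce', true, false ),`. The enclosing method begins outside the hunk.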
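--- a/show-hidecollapse-expand/trunk/bg_show_hide.php
+++ b/show-hidecollapse-expand/trunk/bg_show_hide.php
@@ -5,5 +5,5 @@
   Plugin URI: http://showhide.bunte-giraffe.de
   Description: Save space on your pages, posts, sidebars. Hide the content before user clicks to see it. Collapse long lists, create FAQs & more.
-  Version: 1.2.6
+  Version: 1.3.0
   Author: Bunte Giraffe
   Author URI: http://bunte-giraffe.de
@@ -125,5 +125,5 @@
 
 function bg_show_hide_save_plugin_settings() {
-    if ( isset ( $_POST["save_plugin_settings"] ) ) {
+    if ( isset ( $_POST["save_plugin_settings"] ) && check_admin_referer( 'bgshce_settings' ) ) {
         if ( isset( $_POST["enable_effects"] ) ) {
             update_option( "bg_shce_effectsEnabled", "1" );         
@@ -133,5 +133,5 @@
         }
         if ( isset( $_POST["bg_shce_speed"] ) ) {                   
-            update_option( "bg_shce_animationSpeed", intval($_POST["bg_shce_speed"] ));         
+            update_option( "bg_shce_animationSpeed", intval(sanitize_text_field($_POST["bg_shce_speed"] )));           
         }
        
@@ -144,5 +144,5 @@
 
         if ( isset( $_POST["bg_shce_effect"] ) ) {
-            update_option( "bg_shce_animationEffect", $_POST["bg_shce_effect"] );           
+            update_option( "bg_shce_animationEffect", sanitize_text_field($_POST["bg_shce_effect"]) );         
         }                       
     }
@@ -188,8 +188,17 @@
     $bg_showmore_extra_attributes = "";
     $bg_text_color = esc_attr($a["color"]);
-    $bg_expand_text = $a["expand_text"];
-    $bg_collapse_text = $a["collapse_text"];
+    $bg_expand_text = esc_html($a["expand_text"]);
+    $bg_collapse_text = esc_html($a["collapse_text"]);
     $bg_btn_icon_class = $a["icon"] ? "bg-" . esc_attr($a["icon"]) : "";
-    $bg_onclick = $a["onclick"] === '' ? '' : 'onclick="'.$a["onclick"].'"';
+
+    // check author role to allow/deny execution of js
+    global $post;
+    $aid = $post->post_author;
+    if ( user_can($aid, 'edit_others_posts') && user_can($aid, 'edit_others_pages') ) {
+        $bg_onclick = $a["onclick"] === '' ? '' : 'onclick="'.esc_js($a["onclick"]).'"';
+    } else {
+        $bg_onclick = '';
+    }
+
     $bg_inline_css = esc_attr($a["inline_css"]);
     $bg_custom_class = esc_attr($a["custom_class"]);
@@ -251,5 +260,5 @@
                $bg_list_end .
                "<" . $bg_showmore_content_tag . $bg_showmore_extra_attributes . " id='bg-showmore-hidden-$bg_uniq_id' >" .
-               $content .
+               wp_kses_post($content) .
                "</" . $bg_showmore_content_tag . ">" .
                $bg_hidden_content_end .
@@ -258,9 +267,4 @@
     $content = do_shortcode($content);
    
-    wp_localize_script( "bg-show-hide-script", 'BG_SHCE_USE_EFFECTS', array(get_option('bg_shce_effectsEnabled','0')));
-    wp_localize_script( "bg-show-hide-script", 'BG_SHCE_TOGGLE_SPEED', array(get_option('bg_shce_animationSpeed','400')));
-    wp_localize_script( "bg-show-hide-script", 'BG_SHCE_TOGGLE_OPTIONS', array('none'));
-    wp_localize_script( "bg-show-hide-script", 'BG_SHCE_TOGGLE_EFFECT', array(get_option('bg_shce_animationEffect','blind'))); 
-
     // always return
     return $content;
@@ -287,4 +291,9 @@
         plugins_url( "assets/js/bg-show-hide.js", __FILE__ ), array('jquery', 'jquery-effects-core', 'jquery-effects-slide', 'jquery-effects-highlight', 'jquery-effects-fold', 'jquery-effects-blind'), false, true
     );
+
+    wp_localize_script( "bg-show-hide-script", 'BG_SHCE_USE_EFFECTS', get_option('bg_shce_effectsEnabled','0'));
+    wp_localize_script( "bg-show-hide-script", 'BG_SHCE_TOGGLE_SPEED', get_option('bg_shce_animationSpeed','400'));
+    wp_localize_script( "bg-show-hide-script", 'BG_SHCE_TOGGLE_OPTIONS', 'none');
+    wp_localize_script( "bg-show-hide-script", 'BG_SHCE_TOGGLE_EFFECT', get_option('bg_shce_animationEffect','blind'));
    
 }
@@ -340,5 +349,5 @@
     $activeTabName = "settings";
     if( isset( $_GET["tab"] ) ) {
-        $activeTabName = $_GET["tab"];
+        $activeTabName = sanitize_text_field($_GET["tab"]);
     }
        
@@ -392,11 +401,8 @@
     global $typenow;
    
-    if ( !current_user_can('edit_posts') && !current_user_can('edit_pages') ) {
-        return;
-    }
-
     if( !in_array( $typenow, array( 'post', 'page' ) ) ) {
         return;
     }
+
 }
 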
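Review bot: The new guard in bg_show_hide_save_plugin_settings() (new line 127) verifies a nonce but never checks a capability, and a nonce proves request intent rather than authorization; unless the handler's registration (outside this view) already restricts it, any authenticated user who can obtain a nonce from the settings page can rewrite these options. Add the capability check beside the referer check: `if ( isset( $_POST["save_plugin_settings"] ) && current_user_can( 'manage_options' ) && check_admin_referer( 'bgshce_settings' ) ) {`. The same commit drops the `current_user_can('edit_posts')`/`edit_pages` guard in the last hunk of this file without a replacement, which reads as a regression for a change titled "Enhanced plugin security" and is worth confirming against whatever gates that function's caller. In the onclick hunk, the author-role test would match WordPress's own model better as `user_can( $aid, 'unfiltered_html' )`, the capability WordPress ties to emitting arbitrary script (and which multisite restricts), and `$post` can be null where the shortcode runs outside a post loop (the plugin description mentions sidebars), so `$aid = $post->post_author;` should be guarded, e.g. `$aid = $post ? $post->post_author : 0;`. Separately, the relocated wp_localize_script() calls now pass scalars where the removed calls passed arrays; wp_localize_script() documents an array for that parameter and recent WordPress raises a _doing_it_wrong notice and casts otherwise, so keeping the `array(...)` wrapping as before (or switching to wp_add_inline_script()) avoids the notice.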
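--- a/show-hidecollapse-expand/trunk/readme.txt
+++ b/show-hidecollapse-expand/trunk/readme.txt
@@ -5,5 +5,5 @@
 Requires at least: 4.2
 Tested up to: 6.1.1
-Stable tag: 1.2.6
+Stable tag: 1.3.0
 License: GPLv2
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -89,4 +89,7 @@
 
 == Changelog ==
+= 1.3.0 =
+* Enhanced plugin security
+
 = 1.2.6 =
 * Fixed a vulnerability issue. Please update as soon as possible.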