
Changeset 3147599


Timestamp:
09/06/2024 02:17:57 PM (19 months ago)
Author:
rightmessage
Message:

Version 0.9.6 update: proper escaping, no direct file access, reimported icon

Location:
rightmessage/trunk
Files:
5 edited

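--- a/rightmessage/trunk/includes/class-rightmessage.php
+++ b/rightmessage/trunk/includes/class-rightmessage.php
@@ -1,3 +1,7 @@
 <?php
+// Prevent direct access to this file
+if (!defined('ABSPATH')) {
+    exit;
+}
 
 /**
@@ -39,5 +43,5 @@
     public static function shortcode_area( $attributes, $content = null ) {
         if (isset($attributes['name'])) {
-            return '<div class="rm-area-'.$attributes['name'].'"></div>';
+            return '<div class="rm-area-' . esc_attr($attributes['name']) . '"></div>';
         }
     }
@@ -45,5 +49,5 @@
     public static function shortcode_trigger( $attributes, $content = null ) {
         if (isset($attributes['widget'])) {
-            return '<a href="#" data-rm-show="'.$attributes['widget'].'">'.$content.'</a>';
+            return '<a href="#" data-rm-show="' . esc_attr($attributes['widget']) . '">' . esc_html($content) . '</a>';
         }
     }
@@ -55,5 +59,5 @@
             $area_id = self::_get_settings( 'default_area' );
             if (isset($area_id)) {
-                $content .= "[rm_area name='".$area_id."']";
+                $content .= "[rm_area name='" . esc_attr($area_id) . "']";
             }
 
@@ -92,6 +96,7 @@
         if (isset($rmpanda_cmsdata)) {
             ob_start();
-            include( RIGHTMESSAGE_PLUGIN_PATH . "/views/rm-variables.php" );
-            $content .= ob_get_clean();
+            include(RIGHTMESSAGE_PLUGIN_PATH . "/views/rm-variables.php");
+            $included_content = ob_get_clean();
+            $content .= wp_kses_post($included_content);
         }
 
@@ -101,5 +106,5 @@
     public static function rm_tracking_code($obj) {
         if ( self::_get_settings( 'account_id' ) ) {
-            $account_id = self::_get_settings( 'account_id' );
+            $account_id = esc_js(self::_get_settings( 'account_id' ));
             include( RIGHTMESSAGE_PLUGIN_PATH . "/views/tracking-code.php" );
         } else {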
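Review bot: `wp_kses_post($included_content)` on new line 100 (the rm-variables.php hunk) will strip the `<script>` and `</script>` tags that view emits, because the `post` kses allow-list has no `script` element while kses keeps a disallowed tag's inner text, so the `window.rmpanda.cmsdata = …` JavaScript is very likely to land in the post body as visible text instead of executing. The view already escapes its only dynamic value with `wp_json_encode`, so the sanitizer adds no protection here; keep `$content .= ob_get_clean(); // view escapes via wp_json_encode; kses would strip the <script>` and, if a stricter path is wanted, hand `$rmpanda_cmsdata` to `wp_add_inline_script()` or `wp_localize_script()` on an enqueued handle instead of inlining a script into filtered content. Note also that `esc_attr($area_id)` on new line 61 escapes a value that is later parsed as a shortcode attribute and escaped again by `shortcode_area()`, so an id containing `&` or quotes would be double-encoded in the final markup. The functions enclosing these hunks start and end outside the hunks.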
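--- a/rightmessage/trunk/readme.txt
+++ b/rightmessage/trunk/readme.txt
@@ -4,5 +4,5 @@
 Requires at least: 3.6
 Tested up to: 6.6.1
-Stable tag: trunk
+Stable tag: 0.9.6
 Requires PHP: 5.2.0
 License: GPL2
@@ -22,4 +22,15 @@
 * automatically appending a personalized opt-in form at the bottom of all your blog posts, if you want
 
+== Privacy ==
+This plugin relies on the third-party service RightMessage to integrate personalized calls-to-action into your website. Data is sent to RightMessage when the plugin is activated and configured. For more information, please review [RightMessage's Privacy Policy](https://rightmessage.com/privacy) and [Terms of Service](https://rightmessage.com/terms).
+
+== Changelog ==
+
+= 0.9.6 =
+* Fixed: Issue with incorrect stable tag.
+* Updated: All variables are now properly escaped before being echoed.
+* Added: Documentation for third-party service usage (RightMessage).
+* Improved: Security by preventing direct file access.
+
 == Frequently Asked Questions ==
 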
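--- a/rightmessage/trunk/views/rm-variables.php
+++ b/rightmessage/trunk/views/rm-variables.php
@@ -1,7 +1,13 @@
+<?php
+// Prevent direct access to this file
+if (!defined('ABSPATH')) {
+    exit;
+}
+?>
 <!-- RightMessage WP -->
 <script type="text/javascript">
     <?php if(isset($rmpanda_cmsdata)) { ?>
     window.rmpanda = window.rmpanda || {};
-    window.rmpanda.cmsdata = <?php echo json_encode($rmpanda_cmsdata) ?>;
+    window.rmpanda.cmsdata = <?php echo wp_json_encode($rmpanda_cmsdata); ?>;
     <?php } ?>
 </script>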
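Review bot: `wp_json_encode($rmpanda_cmsdata)` on new line 11 is written straight into a `<script>` element, and without flags it leaves `<`, `>` and `&` intact; the default slash escaping does neutralise a literal `</script>`, but a value containing `<!--` followed by `<script` can still move the HTML parser into the script-data-escaped state and swallow the real closing tag. Use the HTML-safe flags, `wp_json_encode($rmpanda_cmsdata, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)`, so those characters are emitted as `\u003C`-style escapes and the payload is inert wherever `$rmpanda_cmsdata` (supplied by the including scope, not visible here) originates. A one-line header comment would also help the next reader, e.g. `// Expects $rmpanda_cmsdata to be set by the including scope; rendered as inline JSON.`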
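--- a/rightmessage/trunk/views/tracking-code.php
+++ b/rightmessage/trunk/views/tracking-code.php
@@ -1,2 +1,8 @@
+<?php
+// Prevent direct access to this file
+if (!defined('ABSPATH')) {
+    exit;
+}
+?>
 <!-- RightMessage WP embed -->
 <script type="text/javascript">
@@ -8,4 +14,4 @@
         b.parentNode.insertBefore(o, b); return o; }; o = d('', '-hidden', ''); d('-stay-invisible', '-stay-hidden', '-stay');
     setTimeout(function() { o.parentNode && o.parentNode.removeChild(o); }, a);
-})('<?php echo $account_id ?>', 20000, document);
+})('<?php echo esc_js($account_id); ?>', 20000, document);
 </script>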
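Review bot: `esc_js($account_id)` on new line 16 is the right escape for a value inside a single-quoted JavaScript string, but the caller `rm_tracking_code()` in class-rightmessage.php (changed in this same commit) already applies `esc_js()` to `$account_id` before including this view, so quotes, backslashes and newlines in the id would be slashed twice. Escape once, at the sink: keep this line and have the caller pass the raw setting. Given the value is an account identifier, a whitelist check such as `if (!preg_match('/^[A-Za-z0-9_-]+$/', $account_id)) { return; }` before output would be a clearer guarantee than escaping, though the actual id format is not visible here. The immediately-invoked function this line closes starts outside the hunk.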
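--- a/rightmessage/trunk/wp-rightmessage.php
+++ b/rightmessage/trunk/wp-rightmessage.php
@@ -1,3 +1,7 @@
 <?php
+// Prevent direct access to this file
+if (!defined('ABSPATH')) {
+    exit;
+}
 /**
  * Plugin Name: RightMessage Wordpress Plugin
@@ -10,4 +14,7 @@
  * Text Domain: rightmessage
  */
+
+ 
+
 
 if ( class_exists( 'WP_RightMessage' ) ) {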
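Review bot: New line 17 is a whitespace-only line (a single space) and lines 16–18 add three consecutive blank lines between the plugin header block and the `class_exists` check; the `ABSPATH` guard itself is fine, but the trailing whitespace will be flagged by any `phpcs` run and the extra blanks add nothing. Drop lines 16–18 and keep the single blank line that was already there. The `if ( class_exists( 'WP_RightMessage' ) )` block continues past the hunk.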