Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3287964

Timestamp:

05/05/2025 05:36:18 PM (9 months ago)

Author:

jazzs3quence

Message:

tagging version 2.2.4

Location:

Files:

: 10 edited
: 1 copied

tags/2.2.4 (copied) (copied from progress-bar/trunk)
tags/2.2.4/functions.php (modified) (8 diffs)
tags/2.2.4/phpcs.ruleset.xml (modified) (1 diff)
tags/2.2.4/readme.txt (modified) (4 diffs)
tags/2.2.4/wp-progress-bar.php (modified) (6 diffs)
tags/2.2.4/wppb-widget.php (modified) (3 diffs)
trunk/functions.php (modified) (8 diffs)
trunk/phpcs.ruleset.xml (modified) (1 diff)
trunk/readme.txt (modified) (4 diffs)
trunk/wp-progress-bar.php (modified) (6 diffs)
trunk/wppb-widget.php (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

progress-bar/tags/2.2.4/functions.php

-                      r2914360
+                      r3287964
             $progress = str_replace( $currency, '', $progress );
+        }
         $xofy = explode( '/', $progress );
+        if ( ! $xofy[1] ) {
+            $xofy[1] = 100;
+        }
+        $percentage = $xofy[0] / $xofy[1] * 100;
+        // Validate that both sides of the fraction are numeric.
+        $x = ( isset( $xofy[0] ) ) && is_numeric( $xofy[0] ) ? $xofy[0] : 0;
+        $y = ( isset( $xofy[1] ) ) && is_numeric( $xofy[1] ) ? $xofy[1] : 100;
+        $percentage = floatval( $x ) / floatval( $y ) * 100;
         $width = $percentage . '%';
         if ( $has_currency_symbol === false ) {
             $progress = number_format_i18n( $xofy[0] ) . ' / ' . number_format_i18n( $xofy[1] );
+            $progress = number_format_i18n( $x ) . ' / ' . number_format_i18n( $y );
         } else {
             // If there's a currency symbol in the progress, display it manually.
             $progress = $currency . number_format_i18n( $xofy[0] ) . ' / ' . $currency . number_format_i18n( $xofy[1] );
+            $progress = $currency . number_format_i18n( $x ) . ' / ' . $currency . number_format_i18n( $y );
+        }
+    }
 …
  */
 function wppb_get_progress_bar( $location = false, $text = false, $progress = '', $option = false, $width = '', $fullwidth = false, $color = false, $gradient = false, $gradient_end = false ) {
+    // Sanitize user input.
+    $location = sanitize_html_class( esc_attr( $location ) );
+    $text = sanitize_text_field( esc_attr( $text ) );
+    $width = floatval( $width );
+    $fullwidth = sanitize_html_class( esc_attr( $fullwidth ) );
+    $color = esc_attr( wppb_sanitize_color( $color ) );
+    $gradient = esc_attr( wppb_sanitize_color( $gradient ) );
+    $gradient_end = esc_attr( wppb_sanitize_color( $gradient_end ) );
+    $option = esc_attr( wppb_sanitize_option( $option ) );
+    /*
+     * Sanitize user input.
+     * This would be better handled as we're outputting the variables. We're pre-escaping here for convenience, but need to remember to not escape again later inside the strings.
+     */
+    $location = isset( $location ) ? esc_attr( sanitize_html_class( $location ) ) : $location;
+    $text_exists = ! is_bool( $text ) && trim( $text ) !== '';
+    $text = $text_exists ? esc_html( sanitize_text_field( $text ) ) : $text;
+    $width = isset( $width ) ? floatval( $width ) : $width;
+    $fullwidth = isset( $fullwidth ) ? esc_attr( $fullwidth ) : $fullwidth;
+    $color = is_string( $color ) ? esc_attr( wppb_sanitize_color( $color ) ) : '';
+    $gradient = isset( $gradient ) ? esc_attr( floatval( $gradient ) ) : $gradient;
+    $gradient_end = is_string( $gradient_end ) ? esc_attr( wppb_sanitize_color( $gradient_end ) ) : '';
+    $option = isset( $option ) ? esc_attr( wppb_sanitize_option( $option ) ) : $option;
+    $progress = isset( $progress ) ? esc_html( sanitize_text_field( $progress ) ) : $progress;
+    // Calculate $gradient_end if missing.
+    if ( $gradient && $color && ! $gradient_end ) {
+        $gradient_end = wppb_brightness( $color, floatval( $gradient ) );
+    }
     // Throw an exception if $progress or $width are empty.
 …
         $wppb_output .= $progress;
         $wppb_output .= '</div>';
     } elseif ( ! $location && $text ) { // If the location is not set, but there is custom text.
+    } elseif ( ! $location && $text_exists ) { // If the location is not set, but there is custom text.
         $wppb_output .= "<div class=\"inside\">$text</div>";
+    }
 …
         $wppb_output .= " style=\"width: $width%; background: {$color};";
         if ( $gradient_end ) {
+            $wppb_output .= "background: -moz-linear-gradient(top, {$color} 0%, $gradient_end 100%); background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,{$color}), color-stop(100%,$gradient_end)); background: -webkit-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: -o-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: -ms-linear-gradient(top, {$gradient} 0%,$gradient_end 100%); background: linear-gradient(top, {$color} 0%,$gradient_end 100%); \"";
+        }
+            $wppb_output .= "background: -moz-linear-gradient(top, {$color} 0%, $gradient_end 100%); background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,{$color}), color-stop(100%,$gradient_end)); background: -webkit-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: -o-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: -ms-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: linear-gradient(top, {$color} 0%,$gradient_end 100%); \"";
+        }
+        $wppb_output .= '"';
     } else {
+        $wppb_output .= " style=\"width: $width%;";
+    }
+    if ( $gradient && $color ) {
+        $wppb_output .= "background: -moz-linear-gradient(top, {$color} 0%, $gradient_end 100%); background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,{$color}), color-stop(100%,$gradient_end)); background: -webkit-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: -o-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: -ms-linear-gradient(top, {$gradient} 0%,$gradient_end 100%); background: linear-gradient(top, {$color} 0%,$gradient_end 100%); \"";
+    } else {
+        $wppb_output .= '"';
+        $wppb_output .= " style=\"width: $width%;\"";
+    }
     $wppb_output .= '><span></span></span>';
 …
  */
 function wppb_sanitize_color( $color = '' ) {
     if ( '' === $color ) {
         return $color;
+    if ( ! is_string( $color ) ) {
+        return '';
+    }
 …
     // Check if $color contains a hexadecimal or rgb value. If neither, return an empty string..
+    if ( false === strpos( $color, '#' ) && false === strpos( $color, 'rgb(' ) && false === strpos( $color, 'rgba(' ) ) {
+    if ( false === strpos( $color, '#' ) &&
+        false === strpos( $color, 'rgb(' ) &&
+        false === strpos( $color, 'rgba(' )
+    ) {
         // If the string is not a valid hexadecimal value, return an empty string.
         if ( ! ctype_xdigit( $color ) && ( strlen( $color ) !== 3 || strlen( $color ) !== 6 ) ) {
+        if ( ! ctype_xdigit( $color ) || ( strlen( $color ) !== 3 && strlen( $color ) !== 6 ) ) {
             return '';
+        }
 …
     if ( false !== strpos( $color, '#' ) ) {
         $color = sanitize_hex_color( $color );
+    }
     // If $color contains an rgb/rgba value, sanitize it.
     if ( false !== strpos( $color, 'rgb(' ) || false !== strpos( $color, 'rgba(' ) ) {
         $color = sanitize_text_field( $color );
+        // If sanitize_hex_color() failed, return early.
+        if ( ! is_string( $color ) || $color === '' ) {
+            return '';
+        }
+    }
 …
         'honeydew',
         'hotpink',
         'indianred ',
         'indigo ',
+        'indianred',
+        'indigo',
         'ivory',
         'khaki',

progress-bar/tags/2.2.4/phpcs.ruleset.xml

r2914360	r3287964
4	4	<exclude-pattern>vendor/</exclude-pattern>
5	5	<exclude-pattern>tests/</exclude-pattern>
	6	<ini name="error_reporting" value="E_ALL & ~E_DEPRECATED" />
6	7	<rule ref="Pantheon-WP">
7	8	<exclude name="WordPress.Files.FileName.InvalidClassFileName" />

progress-bar/tags/2.2.4/readme.txt

-                      r2914360
+                      r3287964
 Tags: progress bar, css3, progress, shortcode
 Requires at least: 2.8
 Tested up to: 6.2.1
 Stable tag: 2.2.3
+Tested up to: 6.7.2
+Stable tag: 2.2.4
 A simple progress bar shortcode that can be styled with CSS
 …
 Makes the progress bar take up 100% of the container. (Good for responsive layouts.) *Not* recommended for progress bars that exceed their goal.
 *Note:* `fullwidth` will actually take any value. If `fullwidth` is present at all, it will display a progress bar that is 100% wide. For example `fullwidth=foo` would output the same as `fullwidth=true`.
+*Note:* As of 2.2.4, `fullwidth` will _only take truthy_ values. Previously, it would accept any value, e.g. `fullwidth=foo` would output the same as `fullwidth=true`. This is no longer the case.
 Supported value: true
 …
 == Upgrade Notice ==
+** 2.2.4 **
+* Previously, the `fullwidth` parameter would accept any value. This has been updated to use the PHP `FILTER_VALIDATE_BOOLEAN` constant so that only "truthy" values (1, true, "true", "yes", etc.) are supported.
 ** 2.2.0 **
 …
 == Changelog ==
+** 2.2.4 **
+* Fixed XSS vulnerability reported by muhammad yudha for [Patchstack](https://patchstack.com)
+* Cleaned up and refactored some possibly buggy code and sanitization/escaping issues.
 ** 2.2.3 **

progress-bar/tags/2.2.4/wp-progress-bar.php

-                      r2914360
+                      r3287964
  * Plugin URI: https://github.com/jazzsequence/progress-bar
  * Description: A simple progress bar shortcode that can be styled with CSS.
  * Version: 2.2.3
+ * Version: 2.2.4
  * Author: Chris Reynolds
  * Author URI: https://progressbar.jazzsequence.com/
 …
  * @return string
  */
 function wppb_version() : string {
     return '2.2.3';
+function wppb_version(): string {
+    return '2.2.4';
+}
 …
+}
 add_action( 'init', 'wppb_init' );
+/**
+ * Register the widget.
+ *
+ * @author Chris Reynolds
+ * @since 2.0.1
+ * @uses WP_Widget
+ */
+function wppb_register_widget() {
+    register_widget( 'WPPB_Widget' );
+}
+add_action( 'widgets_init', 'wppb_register_widget' );
 /**
 …
     // Get the values of the shortcode attributes.
     $progress = isset( $atts['progress'] ) ? $atts['progress'] : '';
     $option = isset( $atts['option'] ) ? $atts['option'] : '';
     $percent = isset( $atts['percent'] ) ? $atts['percent'] : '';
     $location = isset( $atts['location'] ) ? $atts['location'] : '';
     $fullwidth = isset( $atts['fullwidth'] ) ? $atts['fullwidth'] : '';
     $color = isset( $atts['color'] ) ? $atts['color'] : '';
     $gradient = isset( $atts['gradient'] ) ? $atts['gradient'] : '';
     $endcolor = isset( $atts['endcolor'] ) ? $atts['endcolor'] : '';
     $text = isset( $atts['text'] ) ? $atts['text'] : '';
+    $progress = isset( $atts['progress'] ) ? sanitize_text_field( $atts['progress'] ) : '';
+    $option = isset( $atts['option'] ) ? wppb_sanitize_option( $atts['option'] ) : '';
+    $percent = isset( $atts['percent'] ) ? sanitize_text_field( $atts['percent'] ) : '';
+    $location = isset( $atts['location'] ) ? $atts['location'] : ''; // Sanitization handled in wppb_get_progress_bar.
+    $fullwidth = isset( $atts['fullwidth'] ) ? filter_var( $atts['fullwidth'], FILTER_VALIDATE_BOOLEAN ) : '';
+    $color = isset( $atts['color'] ) ? wppb_sanitize_color( $atts['color'] ) : '';
+    $gradient = isset( $atts['gradient'] ) ? sanitize_text_field( $atts['gradient'] ) : '';
+    $endcolor = isset( $atts['endcolor'] ) ? wppb_sanitize_color( $atts['endcolor'] ) : '';
+    $text = isset( $atts['text'] ) ? sanitize_text_field( $atts['text'] ) : '';
     // Check the progress for a slash, indicating a fraction instead of a percent.
 …
+    }
-    // Sanitize any text content.
-    if ( $text !== '' ) {
-        $text = wp_strip_all_tags( $text );
+    }
     // Figure out gradient stuff.
     $gradient_end = null;
 …
+    }
-    if ( $fullwidth !== '' ) {
-        $fullwidth = true;
+    }
     $progress = $wppb_check_results[0];

progress-bar/tags/2.2.4/wppb-widget.php

-                      r2909774
+                      r3287964
  * @package WP_Progress_Bar
  */
-/**
- * Register the widget.
+ *
- * @author Chris Reynolds
- * @since 2.0.1
- * @uses WP_Widget
- */
-function wppb_register_widget() {
-    register_widget( 'WPPB_Widget' );
+}
-add_action( 'widgets_init', 'wppb_register_widget' );
 /**
 …
+        }
+        $option = null;
+        if ( $color ) {
+            $option .= $color;
+        }
+        if ( $candystripe ) {
+            $option .= ' ' . $candystripe;
+        }
+        $option = wppb_sanitize_option( trim( "$color $candystripe" ) );
         echo wp_kses_post( wppb_get_progress_bar( $location, $text, $percent, $option, $width, 'true' ) );
         echo wp_kses_post( wpautop( $description ) );
         echo wp_kses_post( $args['after_widget'] );
+    }
 …
         <p>
             <label for="<?php echo esc_attr( $this->get_field_name( 'text' ) ); ?>"><strong><?php esc_html_e( 'Text', 'wp-progress-bar' ); ?></strong></label>
             <input class="widefat" id="<?php echo esc_attr( $this->get_field_id( 'text' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'text' ) ); ?>" type="text" value="<?php wp_kses_post( $text ); ?>" /><br />
+            <input class="widefat" id="<?php echo esc_attr( $this->get_field_id( 'text' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'text' ) ); ?>" type="text" value="<?php echo esc_attr( $text ); ?>" /><br />
             <span class="description"><?php esc_html_e( 'Custom text to display (instead of the progress value). (optional).', 'wp-progress-bar' ); ?></span>
         </p>

progress-bar/trunk/functions.php

-                      r2914360
+                      r3287964
             $progress = str_replace( $currency, '', $progress );
+        }
         $xofy = explode( '/', $progress );
+        if ( ! $xofy[1] ) {
+            $xofy[1] = 100;
+        }
+        $percentage = $xofy[0] / $xofy[1] * 100;
+        // Validate that both sides of the fraction are numeric.
+        $x = ( isset( $xofy[0] ) ) && is_numeric( $xofy[0] ) ? $xofy[0] : 0;
+        $y = ( isset( $xofy[1] ) ) && is_numeric( $xofy[1] ) ? $xofy[1] : 100;
+        $percentage = floatval( $x ) / floatval( $y ) * 100;
         $width = $percentage . '%';
         if ( $has_currency_symbol === false ) {
             $progress = number_format_i18n( $xofy[0] ) . ' / ' . number_format_i18n( $xofy[1] );
+            $progress = number_format_i18n( $x ) . ' / ' . number_format_i18n( $y );
         } else {
             // If there's a currency symbol in the progress, display it manually.
             $progress = $currency . number_format_i18n( $xofy[0] ) . ' / ' . $currency . number_format_i18n( $xofy[1] );
+            $progress = $currency . number_format_i18n( $x ) . ' / ' . $currency . number_format_i18n( $y );
+        }
+    }
 …
  */
 function wppb_get_progress_bar( $location = false, $text = false, $progress = '', $option = false, $width = '', $fullwidth = false, $color = false, $gradient = false, $gradient_end = false ) {
+    // Sanitize user input.
+    $location = sanitize_html_class( esc_attr( $location ) );
+    $text = sanitize_text_field( esc_attr( $text ) );
+    $width = floatval( $width );
+    $fullwidth = sanitize_html_class( esc_attr( $fullwidth ) );
+    $color = esc_attr( wppb_sanitize_color( $color ) );
+    $gradient = esc_attr( wppb_sanitize_color( $gradient ) );
+    $gradient_end = esc_attr( wppb_sanitize_color( $gradient_end ) );
+    $option = esc_attr( wppb_sanitize_option( $option ) );
+    /*
+     * Sanitize user input.
+     * This would be better handled as we're outputting the variables. We're pre-escaping here for convenience, but need to remember to not escape again later inside the strings.
+     */
+    $location = isset( $location ) ? esc_attr( sanitize_html_class( $location ) ) : $location;
+    $text_exists = ! is_bool( $text ) && trim( $text ) !== '';
+    $text = $text_exists ? esc_html( sanitize_text_field( $text ) ) : $text;
+    $width = isset( $width ) ? floatval( $width ) : $width;
+    $fullwidth = isset( $fullwidth ) ? esc_attr( $fullwidth ) : $fullwidth;
+    $color = is_string( $color ) ? esc_attr( wppb_sanitize_color( $color ) ) : '';
+    $gradient = isset( $gradient ) ? esc_attr( floatval( $gradient ) ) : $gradient;
+    $gradient_end = is_string( $gradient_end ) ? esc_attr( wppb_sanitize_color( $gradient_end ) ) : '';
+    $option = isset( $option ) ? esc_attr( wppb_sanitize_option( $option ) ) : $option;
+    $progress = isset( $progress ) ? esc_html( sanitize_text_field( $progress ) ) : $progress;
+    // Calculate $gradient_end if missing.
+    if ( $gradient && $color && ! $gradient_end ) {
+        $gradient_end = wppb_brightness( $color, floatval( $gradient ) );
+    }
     // Throw an exception if $progress or $width are empty.
 …
         $wppb_output .= $progress;
         $wppb_output .= '</div>';
     } elseif ( ! $location && $text ) { // If the location is not set, but there is custom text.
+    } elseif ( ! $location && $text_exists ) { // If the location is not set, but there is custom text.
         $wppb_output .= "<div class=\"inside\">$text</div>";
+    }
 …
         $wppb_output .= " style=\"width: $width%; background: {$color};";
         if ( $gradient_end ) {
+            $wppb_output .= "background: -moz-linear-gradient(top, {$color} 0%, $gradient_end 100%); background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,{$color}), color-stop(100%,$gradient_end)); background: -webkit-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: -o-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: -ms-linear-gradient(top, {$gradient} 0%,$gradient_end 100%); background: linear-gradient(top, {$color} 0%,$gradient_end 100%); \"";
+        }
+            $wppb_output .= "background: -moz-linear-gradient(top, {$color} 0%, $gradient_end 100%); background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,{$color}), color-stop(100%,$gradient_end)); background: -webkit-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: -o-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: -ms-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: linear-gradient(top, {$color} 0%,$gradient_end 100%); \"";
+        }
+        $wppb_output .= '"';
     } else {
+        $wppb_output .= " style=\"width: $width%;";
+    }
+    if ( $gradient && $color ) {
+        $wppb_output .= "background: -moz-linear-gradient(top, {$color} 0%, $gradient_end 100%); background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,{$color}), color-stop(100%,$gradient_end)); background: -webkit-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: -o-linear-gradient(top, {$color} 0%,$gradient_end 100%); background: -ms-linear-gradient(top, {$gradient} 0%,$gradient_end 100%); background: linear-gradient(top, {$color} 0%,$gradient_end 100%); \"";
+    } else {
+        $wppb_output .= '"';
+        $wppb_output .= " style=\"width: $width%;\"";
+    }
     $wppb_output .= '><span></span></span>';
 …
  */
 function wppb_sanitize_color( $color = '' ) {
     if ( '' === $color ) {
         return $color;
+    if ( ! is_string( $color ) ) {
+        return '';
+    }
 …
     // Check if $color contains a hexadecimal or rgb value. If neither, return an empty string..
+    if ( false === strpos( $color, '#' ) && false === strpos( $color, 'rgb(' ) && false === strpos( $color, 'rgba(' ) ) {
+    if ( false === strpos( $color, '#' ) &&
+        false === strpos( $color, 'rgb(' ) &&
+        false === strpos( $color, 'rgba(' )
+    ) {
         // If the string is not a valid hexadecimal value, return an empty string.
         if ( ! ctype_xdigit( $color ) && ( strlen( $color ) !== 3 || strlen( $color ) !== 6 ) ) {
+        if ( ! ctype_xdigit( $color ) || ( strlen( $color ) !== 3 && strlen( $color ) !== 6 ) ) {
             return '';
+        }
 …
     if ( false !== strpos( $color, '#' ) ) {
         $color = sanitize_hex_color( $color );
+    }
     // If $color contains an rgb/rgba value, sanitize it.
     if ( false !== strpos( $color, 'rgb(' ) || false !== strpos( $color, 'rgba(' ) ) {
         $color = sanitize_text_field( $color );
+        // If sanitize_hex_color() failed, return early.
+        if ( ! is_string( $color ) || $color === '' ) {
+            return '';
+        }
+    }
 …
         'honeydew',
         'hotpink',
         'indianred ',
         'indigo ',
+        'indianred',
+        'indigo',
         'ivory',
         'khaki',

progress-bar/trunk/phpcs.ruleset.xml

r2914360	r3287964
4	4	<exclude-pattern>vendor/</exclude-pattern>
5	5	<exclude-pattern>tests/</exclude-pattern>
	6	<ini name="error_reporting" value="E_ALL & ~E_DEPRECATED" />
6	7	<rule ref="Pantheon-WP">
7	8	<exclude name="WordPress.Files.FileName.InvalidClassFileName" />

progress-bar/trunk/readme.txt

-                      r2914360
+                      r3287964
 Tags: progress bar, css3, progress, shortcode
 Requires at least: 2.8
 Tested up to: 6.2.1
 Stable tag: 2.2.3
+Tested up to: 6.7.2
+Stable tag: 2.2.4
 A simple progress bar shortcode that can be styled with CSS
 …
 Makes the progress bar take up 100% of the container. (Good for responsive layouts.) *Not* recommended for progress bars that exceed their goal.
 *Note:* `fullwidth` will actually take any value. If `fullwidth` is present at all, it will display a progress bar that is 100% wide. For example `fullwidth=foo` would output the same as `fullwidth=true`.
+*Note:* As of 2.2.4, `fullwidth` will _only take truthy_ values. Previously, it would accept any value, e.g. `fullwidth=foo` would output the same as `fullwidth=true`. This is no longer the case.
 Supported value: true
 …
 == Upgrade Notice ==
+** 2.2.4 **
+* Previously, the `fullwidth` parameter would accept any value. This has been updated to use the PHP `FILTER_VALIDATE_BOOLEAN` constant so that only "truthy" values (1, true, "true", "yes", etc.) are supported.
 ** 2.2.0 **
 …
 == Changelog ==
+** 2.2.4 **
+* Fixed XSS vulnerability reported by muhammad yudha for [Patchstack](https://patchstack.com)
+* Cleaned up and refactored some possibly buggy code and sanitization/escaping issues.
 ** 2.2.3 **

progress-bar/trunk/wp-progress-bar.php

-                      r2914360
+                      r3287964
  * Plugin URI: https://github.com/jazzsequence/progress-bar
  * Description: A simple progress bar shortcode that can be styled with CSS.
  * Version: 2.2.3
+ * Version: 2.2.4
  * Author: Chris Reynolds
  * Author URI: https://progressbar.jazzsequence.com/
 …
  * @return string
  */
 function wppb_version() : string {
     return '2.2.3';
+function wppb_version(): string {
+    return '2.2.4';
+}
 …
+}
 add_action( 'init', 'wppb_init' );
+/**
+ * Register the widget.
+ *
+ * @author Chris Reynolds
+ * @since 2.0.1
+ * @uses WP_Widget
+ */
+function wppb_register_widget() {
+    register_widget( 'WPPB_Widget' );
+}
+add_action( 'widgets_init', 'wppb_register_widget' );
 /**
 …
     // Get the values of the shortcode attributes.
     $progress = isset( $atts['progress'] ) ? $atts['progress'] : '';
     $option = isset( $atts['option'] ) ? $atts['option'] : '';
     $percent = isset( $atts['percent'] ) ? $atts['percent'] : '';
     $location = isset( $atts['location'] ) ? $atts['location'] : '';
     $fullwidth = isset( $atts['fullwidth'] ) ? $atts['fullwidth'] : '';
     $color = isset( $atts['color'] ) ? $atts['color'] : '';
     $gradient = isset( $atts['gradient'] ) ? $atts['gradient'] : '';
     $endcolor = isset( $atts['endcolor'] ) ? $atts['endcolor'] : '';
     $text = isset( $atts['text'] ) ? $atts['text'] : '';
+    $progress = isset( $atts['progress'] ) ? sanitize_text_field( $atts['progress'] ) : '';
+    $option = isset( $atts['option'] ) ? wppb_sanitize_option( $atts['option'] ) : '';
+    $percent = isset( $atts['percent'] ) ? sanitize_text_field( $atts['percent'] ) : '';
+    $location = isset( $atts['location'] ) ? $atts['location'] : ''; // Sanitization handled in wppb_get_progress_bar.
+    $fullwidth = isset( $atts['fullwidth'] ) ? filter_var( $atts['fullwidth'], FILTER_VALIDATE_BOOLEAN ) : '';
+    $color = isset( $atts['color'] ) ? wppb_sanitize_color( $atts['color'] ) : '';
+    $gradient = isset( $atts['gradient'] ) ? sanitize_text_field( $atts['gradient'] ) : '';
+    $endcolor = isset( $atts['endcolor'] ) ? wppb_sanitize_color( $atts['endcolor'] ) : '';
+    $text = isset( $atts['text'] ) ? sanitize_text_field( $atts['text'] ) : '';
     // Check the progress for a slash, indicating a fraction instead of a percent.
 …
+    }
-    // Sanitize any text content.
-    if ( $text !== '' ) {
-        $text = wp_strip_all_tags( $text );
+    }
     // Figure out gradient stuff.
     $gradient_end = null;
 …
+    }
-    if ( $fullwidth !== '' ) {
-        $fullwidth = true;
+    }
     $progress = $wppb_check_results[0];

progress-bar/trunk/wppb-widget.php

-                      r2909774
+                      r3287964
  * @package WP_Progress_Bar
  */
-/**
- * Register the widget.
+ *
- * @author Chris Reynolds
- * @since 2.0.1
- * @uses WP_Widget
- */
-function wppb_register_widget() {
-    register_widget( 'WPPB_Widget' );
+}
-add_action( 'widgets_init', 'wppb_register_widget' );
 /**
 …
+        }
+        $option = null;
+        if ( $color ) {
+            $option .= $color;
+        }
+        if ( $candystripe ) {
+            $option .= ' ' . $candystripe;
+        }
+        $option = wppb_sanitize_option( trim( "$color $candystripe" ) );
         echo wp_kses_post( wppb_get_progress_bar( $location, $text, $percent, $option, $width, 'true' ) );
         echo wp_kses_post( wpautop( $description ) );
         echo wp_kses_post( $args['after_widget'] );
+    }
 …
         <p>
             <label for="<?php echo esc_attr( $this->get_field_name( 'text' ) ); ?>"><strong><?php esc_html_e( 'Text', 'wp-progress-bar' ); ?></strong></label>
             <input class="widefat" id="<?php echo esc_attr( $this->get_field_id( 'text' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'text' ) ); ?>" type="text" value="<?php wp_kses_post( $text ); ?>" /><br />
+            <input class="widefat" id="<?php echo esc_attr( $this->get_field_id( 'text' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'text' ) ); ?>" type="text" value="<?php echo esc_attr( $text ); ?>" /><br />
             <span class="description"><?php esc_html_e( 'Custom text to display (instead of the progress value). (optional).', 'wp-progress-bar' ); ?></span>
         </p>

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: