
Changeset 3366255


Timestamp:
09/23/2025 07:13:55 AM (6 months ago)
Author:
bmsupport
Message:

*Security Vulnerability Fix

Location:
window-blinds-solution/trunk
Files:
4 edited

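--- a/window-blinds-solution/trunk/includes/frontend/class-bmfm-frontend.php
+++ b/window-blinds-solution/trunk/includes/frontend/class-bmfm-frontend.php
@@ -149,39 +149,5 @@
      */
     public static function blindmatrix_shortcode( $attrs, $content = null) {
-        $attrs = shortcode_atts(
-            array(
-                'title'    => 'true',
-                'desc'     => 'true',
-                'price'    => 'true',
-                'products' => '',
-                'style'    => 'layout1',
-                'source'   => '',
-            ),
-            $attrs,
-            'BlindMatrix'
-        );
-        $buffer = ''; // default output
-        if ( ! empty( $attrs['source'] ) ) {
-            // Allow only safe characters (letters, numbers, dashes, underscores)
-            $source = sanitize_key( $attrs['source'] ); // prevents ../ and special chars
-            // Build the default plugin template path
-            $default_file = BMFM_TEMPLATE_PATH . '/shortcodes/' . $source . '.php';
-            // Optional theme override (still sanitized)
-            $theme_file = get_stylesheet_directory() . '/' . basename( plugin_dir_path( __FILE__ ) ) . '/' . $source . '.php';
-            // Pick theme override if it exists
-            $file = file_exists( $theme_file ) ? $theme_file : $default_file;
-            // Safety checks
-            $real_file = realpath( $file );
-            // Ensure the file exists and is inside the WordPress installation
-            if ( $real_file && file_exists( $real_file ) && 0 === strpos( $real_file, ABSPATH )) {
-                // Allow developers to filter the final safe path if needed
-                $file = apply_filters( 'blindmatrix_shortcode_path', $real_file, $attrs );
-                ob_start();
-                include $file;
-                $buffer = ob_get_clean();
-                $buffer = do_shortcode( $buffer );
-            }
-        }
-        return $buffer;
+        return bmfm_get_shortcode_contents($attrs);
     }
    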
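--- a/window-blinds-solution/trunk/readme.txt
+++ b/window-blinds-solution/trunk/readme.txt
@@ -4,5 +4,5 @@
 Tested up to: 6.8.2
 Requires PHP: 7.4
-Stable tag: 3.0
+Stable tag: 3.1
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
@@ -34,4 +34,8 @@
 
 == Changelog ==
+
+= 3.1 =
+
+* Security Vulnerability Fix
 
 = 3.0 =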
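--- a/window-blinds-solution/trunk/vendor/class-plugin-functions.php
+++ b/window-blinds-solution/trunk/vendor/class-plugin-functions.php
@@ -194,2 +194,46 @@
     wp_enqueue_style('select_country_css', 'https://cdnjs.cloudflare.com/ajax/libs/country-select-js/2.1.1/css/countrySelect.min.css', array(), BMFM_VERSION);
 }
+
+/**
+ * Get shortcode contents.
+ *
+ * @return HTML
+ */
+function bmfm_get_shortcode_contents($attrs){
+    $attrs = shortcode_atts(
+            array(
+                'title'    => 'true',
+                'desc'     => 'true',
+                'price'    => 'true',
+                'products' => '',
+                'style'    => 'layout1',
+                'source'   => '',
+            ),
+            $attrs,
+            'BlindMatrix'
+        );
+        $buffer = ''; // default output
+        if ( ! empty( $attrs['source'] ) ) {
+            // Allow only safe characters (letters, numbers, dashes, underscores)
+            $source = $attrs['source']; // prevents ../ and special chars
+            // Build the default plugin template path
+            $default_file = BMFM_TEMPLATE_PATH . 'shortcodes/' . $source . '.php';
+            // Optional theme override (still sanitized)
+            $theme_file = get_stylesheet_directory() . '/' . basename( plugin_dir_path( __FILE__ ) ) . '/' . $source . '.php';
+            // Pick theme override if it exists
+            $file = file_exists( $theme_file ) ? $theme_file : $default_file;
+            // Safety checks
+            $real_file = realpath( $file );
+            // Ensure the file exists and is inside the WordPress installation
+            if ( $real_file && file_exists( $real_file ) && 0 === strpos( $real_file, ABSPATH )) {
+                // Allow developers to filter the final safe path if needed
+                $file = apply_filters( 'blindmatrix_shortcode_path', $real_file, $attrs );
+                ob_start();
+                include $file;
+                $buffer = ob_get_clean();
+                $buffer = do_shortcode( $buffer );
+            }
+        }
+       
+        return $buffer;
+}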
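Review bot: The new `$source = $attrs['source'];` line drops the `sanitize_key()` call that the `blindmatrix_shortcode` method it replaces (first file section, now a one-line delegation to this function) still applied, while the comment on that line keeps claiming it "prevents ../ and special chars"; the remaining `realpath()` / `0 === strpos( $real_file, ABSPATH )` guard only confines the `include` to the WordPress tree and does not restrict which `.php` file under it is reached, so for a changeset announced as a security fix the moved code is weaker than the code removed. Restoring `$source = sanitize_key( $attrs['source'] );` makes the comment true again and should be covered by a test that feeds a traversal-shaped `source` attribute and expects the empty `$buffer`. The default path also changed from `'/shortcodes/'` to `'shortcodes/'`, which only resolves if `BMFM_TEMPLATE_PATH` ends with a slash — presumably it does, but a wrong path here fails silently into the empty-string return, so worth confirming. Because `__FILE__` now resolves inside `vendor/` rather than `includes/frontend/`, the theme-override directory name produced by `basename( plugin_dir_path( __FILE__ ) )` changes as well, which looks unintended for existing theme overrides. The docblock's `@return HTML` is not a type; `@param array|string $attrs Raw shortcode attributes.` and `@return string Rendered output, or '' when no valid template is found.` describe the function as written.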
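--- a/window-blinds-solution/trunk/window-blinds-solution.php
+++ b/window-blinds-solution/trunk/window-blinds-solution.php
@@ -4,5 +4,5 @@
  * Plugin Name: BlindMatrix e-Commerce
  * Description: Sell window blinds, curtains and shutters online with the BlindMatrix e-commerce plugin, which converts your entire website into an e-commerce store, allowing you to sell products online 24/7. It features a product visualizer that lets your customers see and virtually feel the products on the window frame.
- * Version: 3.0
+ * Version: 3.1
  * Author: Blindmatrix
  * Requires Plugins: woocommerce
@@ -46,5 +46,5 @@
      * Plugin version.
      */
-    public $version = '3.0';
+    public $version = '3.1';
 
     /**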