Changeset 3423629
- Timestamp:
- 12/19/2025 12:09:05 PM (3 months ago)
- Location:
- wp-google-map-plugin
- Files:
-
- 8 deleted
- 3 edited
-
tags/4.8.8/classes/wpgmp-maps-importer.php (deleted)
-
tags/4.8.8/classes/wpgmp-visual-composer.php (deleted)
-
tags/4.8.8/core/class.plugin-overview.php (deleted)
-
tags/4.8.8/import_sample_file (deleted)
-
trunk/classes/wpgmp-maps-importer.php (deleted)
-
trunk/classes/wpgmp-security.php (modified) (8 diffs)
-
trunk/classes/wpgmp-visual-composer.php (deleted)
-
trunk/core/class.plugin-overview.php (deleted)
-
trunk/import_sample_file (deleted)
-
trunk/readme.txt (modified) (3 diffs)
-
trunk/wp-google-map-plugin.php (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
wp-google-map-plugin/trunk/classes/wpgmp-security.php
r3418060 r3423629 2 2 /** 3 3 * Security Class for WP Google Map Plugin 4 * Handles sanitization and validation of shortcode attributes 4 * Handles validation, sanitization, and escaping of shortcode attributes 5 * Using core WordPress functions. 5 6 */ 6 7 … … 10 11 11 12 /** 12 * Sanitize shortcode attributes 13 * Sanitize and validate shortcode attributes. 14 * Replaces custom regex with WordPress's sanitize_key() and type-specific functions. 13 15 * 14 * @param array $atts Shortcode attributes 15 * @return array Sanitized a ttributes16 * @param array $atts Shortcode attributes. 17 * @return array Sanitized and validated attributes. 16 18 */ 17 19 public static function wpgmp_sanitize_shortcode_atts( $atts ) { 18 20 21 // Return empty array if input is not an array 19 22 if ( ! is_array( $atts ) ) { 20 23 return array(); … … 24 27 25 28 foreach ( $atts as $key => $value ) { 26 // Clean the attribute name - remove any non-alphanumeric except underscore and hyphen 27 $key = preg_replace( '/[^a-zA-Z0-9_-]/', '', $key ); 29 30 // Validate/Sanitize the shortcode attribute NAME using WordPress's sanitize_key() 31 $clean_key = sanitize_key( $key ); 28 32 29 if ( empty( $ key ) ) {30 continue; // Skip i nvalid keys33 if ( empty( $clean_key ) ) { 34 continue; // Skip if the key becomes empty after sanitization 31 35 } 32 36 33 // Clean the value based onexpected type34 switch ( $ key ) {37 // Validate or Sanitize the attribute VALUE based on its expected type 38 switch ( $clean_key ) { 35 39 case 'id': 36 40 case 'limit': 37 41 case 'perpage': 38 42 case 'zoom': 39 $sanitized[ $key ] = absint( $value ); 43 // VALIDATION & SANITIZATION: Use absint() to convert to a non-negative integer. 44 $sanitized[ $clean_key ] = absint( $value ); 40 45 break; 41 46 42 47 case 'width': 43 48 case 'height': 44 $sanitized[ $key ] = self::wpgmp_sanitize_css_unit( $value ); 49 // SANITIZATION: Delegate to a dedicated CSS sanitizer. 50 $sanitized[ $clean_key ] = self::wpgmp_sanitize_css_unit( $value ); 45 51 break; 46 52 … … 48 54 case 'hide_map': 49 55 case 'maps_only': 50 $sanitized[ $key ] = self::wpgmp_sanitize_boolean_like( $value ); 56 // SANITIZATION: Use a WordPress-aware boolean sanitizer. 57 $sanitized[ $clean_key ] = self::wpgmp_sanitize_boolean_value( $value ); 51 58 break; 52 59 53 60 case 'show': 54 61 case 'category': 55 case 'test': // For your example attribute56 62 default: 57 $sanitized[ $key ] = self::wpgmp_sanitize_text_attribute( $value ); 63 // SANITIZATION: For general text, use sanitize_text_field(). 64 // This core function checks for invalid UTF-8, strips tags, and removes extra whitespace. 65 $sanitized[ $clean_key ] = sanitize_text_field( $value ); 58 66 break; 59 67 } … … 64 72 65 73 /** 66 * Sanitize CSS units (width, height, etc.) 74 * Sanitize CSS units (width, height, etc.). 75 * Uses sanitize_text_field() as a base and adds strict regex validation for units allowed by shortcode. 67 76 * 68 * @param string $value CSS value 69 * @return string Sanitized CSS value 77 * @param string $value CSS value. 78 * @return string Sanitized CSS value or empty string. 70 79 */ 71 80 private static function wpgmp_sanitize_css_unit( $value ) { … … 75 84 } 76 85 77 // First, remove any JavaScript or malicious content 78 $value = self::wpgmp_remove_malicious_content( $value ); 79 80 // Remove any characters that are not allowed in CSS values 81 // Allowed: digits, decimal point, percentage, spaces, and common CSS units 82 $value = preg_replace( '/[^a-zA-Z0-9%.\s-]/', '', $value ); 83 84 // Trim whitespace 86 // Initial sanitization by WordPress : Remove tags, invalid UTF-8, etc. 87 $value = sanitize_text_field( $value ); 85 88 $value = trim( $value ); 86 89 87 // Validate CSS units pattern 88 if ( preg_match( '/^(\d+(\.\d+)?)\s*(px|em|rem|%|vh|vw|vmin|vmax|cm|mm|in|pt|pc)?$/', $value ) ) { 90 // Once the received value is sanitised by WordPress, check for allowed pattern for CSS units by shortcode. 91 $pattern = '/^(\d+(\.\d+)?)\s*(px|em|rem|%|vh|vw|vmin|vmax|cm|mm|in|pt|pc)?$/'; 92 93 if ( preg_match( $pattern, $value ) ) { 89 94 return $value; 90 95 } 91 96 92 // If it's just a number, assume pixels97 // If it's just a plain number. 93 98 if ( is_numeric( $value ) ) { 94 return $value. 'px';99 return absint( $value ) . 'px'; 95 100 } 96 101 102 // If the format is unrecognized, return a safe empty string. 97 103 return ''; 98 104 } 99 105 100 106 /** 101 * Sanitize boolean-like values 107 * Sanitize boolean-like values. 108 * Replaces custom array checking with wp_validate_boolean() for consistency. 102 109 * 103 * @param string $value Boolean-like string104 * @return string Sanitized boolean string110 * @param mixed $value Boolean-like input. 111 * @return string 'true', 'false', or empty string. 105 112 */ 106 private static function wpgmp_sanitize_boolean_ like( $value ) {113 private static function wpgmp_sanitize_boolean_value( $value ) { 107 114 115 // Use WordPress's boolean validator which understands 'true', 'false', '0', '1', etc. 116 $bool = wp_validate_boolean( $value ); 117 118 // Return a string representation for shortcode attribute context. 119 return $bool ? 'true' : 'false'; 120 } 121 122 /** 123 * Remove malicious content from strings. 124 * REPLACED by core functions. This method is kept for backward compatibility 125 * but now acts as a wrapper for wp_kses_post(), which is the WordPress standard 126 * for stripping unsafe HTML. 127 * 128 * @param string $value Input string. 129 * @return string Cleaned string. 130 */ 131 private static function wpgmp_remove_malicious_content( $value ) { 108 132 if ( empty( $value ) ) { 109 133 return ''; 110 134 } 111 112 $value = strtolower( trim( $value ) ); 113 $valid_values = array( 'true', 'false', '1', '0', 'yes', 'no', 'on', 'off' ); 114 115 return in_array( $value, $valid_values ) ? $value : ''; 135 // Use wp_kses_post() to allow only HTML tags permitted in post content. 136 return wp_kses_post( $value ); 116 137 } 117 138 118 139 /** 119 * Sanitize text attributes with strict filtering 140 * Escape output for display. 141 * Uses wp_kses_post() as in the original, which is the correct function for 142 * outputting HTML that should be safe for post content. 120 143 * 121 * @param string $value Text value 122 * @return string Sanitized text 123 */ 124 private static function wpgmp_sanitize_text_attribute( $value ) { 125 126 if ( empty( $value ) ) { 127 return ''; 128 } 129 130 // Remove malicious content 131 $value = self::wpgmp_remove_malicious_content( $value ); 132 133 // Use WordPress core sanitization 134 $value = sanitize_text_field( $value ); 135 136 return $value; 137 } 138 139 /** 140 * Remove malicious content from strings 141 * 142 * @param string $value Input string 143 * @return string Cleaned string 144 */ 145 private static function wpgmp_remove_malicious_content( $value ) { 146 147 if ( empty( $value ) ) { 148 return ''; 149 } 150 151 // Remove JavaScript event handlers (onclick, onfocus, etc.) 152 $value = preg_replace( '/\s*on\w+\s*=\s*["\'][^"\']*["\']/i', '', $value ); 153 $value = preg_replace( '/\s*on\w+\s*=\s*[^"\'][^\s>]*/i', '', $value ); 154 155 // Remove JavaScript protocol 156 $value = preg_replace( '/javascript\s*:/i', '', $value ); 157 158 // Remove data protocol 159 $value = preg_replace( '/data\s*:/i', '', $value ); 160 161 // Remove VBScript 162 $value = preg_replace( '/vbscript\s*:/i', '', $value ); 163 164 // Remove script tags and their content 165 $value = preg_replace( '/<script\b[^>]*>(.*?)<\/script>/is', '', $value ); 166 167 // Remove iframe tags 168 $value = preg_replace( '/<iframe\b[^>]*>(.*?)<\/iframe>/is', '', $value ); 169 170 // Remove object tags 171 $value = preg_replace( '/<object\b[^>]*>(.*?)<\/object>/is', '', $value ); 172 173 // Remove embed tags 174 $value = preg_replace( '/<embed\b[^>]*>/is', '', $value ); 175 176 // Remove CSS expressions 177 $value = preg_replace( '/expression\s*\([^)]*\)/i', '', $value ); 178 179 // Remove CSS url() with javascript 180 $value = preg_replace( '/url\s*\(\s*javascript\s*:/i', '', $value ); 181 182 return $value; 183 } 184 185 /** 186 * Escape output for display 187 * 188 * @param string $output Output to escape 189 * @return string Escaped output 144 * @param string $output Output to escape. 145 * @return string Escaped output. 190 146 */ 191 147 public static function wpgmp_escape_output( $output ) { … … 194 150 195 151 /** 196 * Validate map ID 152 * Validate map ID. 153 * Uses absint() for validation, which is the WordPress standard. 197 154 * 198 * @param mixed $id Map ID 199 * @return int Validated map ID or 0 155 * @param mixed $id Map ID. 156 * @return int Validated map ID or 0. 200 157 */ 201 158 public static function wpgmp_validate_map_id( $id ) { 202 203 $id = absint( $id ); 204 return $id > 0 ? $id : 0; 159 return absint( $id ); 205 160 } 206 161 207 162 /** 208 * Sanitize array values recursively 163 * Sanitize array values recursively. 164 * Now uses sanitize_text_field() for all leaf values, ensuring consistency. 209 165 * 210 * @param array $array Array to sanitize211 * @return array Sanitized array166 * @param mixed $array Array or string to sanitize. 167 * @return array|string Sanitized array or string. 212 168 */ 213 169 public static function wpgmp_sanitize_array( $array ) { 214 170 // If it's not an array, treat it as a single text field. 215 171 if ( ! is_array( $array ) ) { 216 return s elf::wpgmp_sanitize_text_attribute( $array );172 return sanitize_text_field( $array ); 217 173 } 218 174 219 175 $sanitized = array(); 220 176 foreach ( $array as $key => $value ) { 221 $clean_key = self::wpgmp_sanitize_text_attribute( $key ); 222 $sanitized[ $clean_key ] = is_array( $value ) ? self::wpgmp_sanitize_array( $value ) : self::wpgmp_sanitize_text_attribute( $value ); 177 // Sanitize the key itself. 178 $clean_key = sanitize_key( $key ); 179 // Recursively sanitize the value. 180 $sanitized[ $clean_key ] = is_array( $value ) 181 ? self::wpgmp_sanitize_array( $value ) 182 : sanitize_text_field( $value ); 223 183 } 224 184 … … 226 186 } 227 187 } 228 229 188 } 230 -
wp-google-map-plugin/trunk/readme.txt
r3418060 r3423629 8 8 Requires at least: 3.4 9 9 Tested up to: 6.9 10 Stable tag: 4.8. 810 Stable tag: 4.8.9 11 11 Requires PHP: 5.3 12 12 License: GPLv2 or later … … 233 233 == Changelog == 234 234 235 = 4.8.9 = 236 * Fix : Applying WordPress's native security and escaping functions in the security class. 237 235 238 = 4.8.8 = 236 239 * Fix : Reported security issue related to shortcode attribute fixed. … … 318 321 319 322 == Upgrade Notice == 323 324 = 4.8.9 = 325 – Upgrade for more stable release 320 326 321 327 = 4.8.8 = -
wp-google-map-plugin/trunk/wp-google-map-plugin.php
r3418060 r3423629 8 8 * License: GPL v2 or later 9 9 * License URI: https://www.gnu.org/licenses/gpl-2.0.html 10 * Version: 4.8. 810 * Version: 4.8.9 11 11 * Text Domain: wp-google-map-plugin 12 12 * Domain Path: /lang
Note: See TracChangeset
for help on using the changeset viewer.