Context Navigation

Changeset 3424572

Timestamp:

12/21/2025 10:41:48 AM (3 months ago)

Author:

mkernel

Message:

update 2.3.2

Location:

grid/trunk

Files:

-                      r3351302
+                      r3424572
     public Storage $storage;
+    public string $url;
+    public string $url;
+    private iHook $hook;
     /**
 …
      * @param string $urlBasePath url path to library dir
      */
     public function __construct( Storage $storage, string $urlBasePath ) {
+    public function __construct( Storage $storage, string $urlBasePath, iHook $hook ) {
         $this->storage = $storage;
         $this->url = $urlBasePath;
+        $this->hook=$hook;
+    }
 …
     public function getStyleEditor() {
         return new StyleEditor( $this->storage );
+        return new StyleEditor( $this->storage,$this->hook );
+    }

-                      r3351302
+                      r3424572
     public Storage $storage;
+    public function __construct(Storage $storage){
+        $this->storage = $storage;
+    private iHook $hook;
+    public function __construct(Storage $storage, iHook $hook){
+    $this->storage = $storage;
+    $this->hook = $hook;
+    }
 …
         if(isset($_POST) && !empty($_POST))
+        {
+            $this->hook->fire('styles_editor_post',$_POST);
             foreach($_POST['container_styles'] as $idx=>$data)
+            {
 …
 </style>
 <div class="grid-style-editor">
+<form method="post">
+    <form method="post">
+        <?php $this->hook->fire('grid_editor_styles_get',null); ?>
 <p>Container Styles</p>
 <table>

-                      r3351302
+                      r3424572
 Requires at least: 4.0
 Tested up to: 5.9.3
 Stable tag: 2.3.1
+Stable tag: 2.3.2
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl
 …
 == Changelog ==
+= 2.3.2 =
+* Fix: prevents XSS attack on styles editor form
 = 2.3.1 =
+* Fixed a XSS vulnerability
+* fixed some deprecation warnings
+* Fix: prevented injection of JavaScript on the styles form into the database
 = 2.3.0 =

-                      r3351302
+                      r3424572
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
         'reference' => '5f58f47222ffcd2b294d0a018ca7872794142929',
+        'reference' => '9bdb1dc2022cba13d5bc75b92ab1502e693b0a33',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
 …
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
             'reference' => '5f58f47222ffcd2b294d0a018ca7872794142929',
+            'reference' => '9bdb1dc2022cba13d5bc75b92ab1502e693b0a33',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',

-                      r3351302
+                      r3424572
  * Plugin URI: https://github.com/palasthotel/grid-wordpress
  * Description: Helps layouting pages with containerist.
  * Version: 2.3.1
+ * Version: 2.3.2
  * Author: Palasthotel <rezeption@palasthotel.de> (in person: Benjamin Birkenhake, Edward Bock, Enno Welbers, Jana Marie Eggebrecht)
  * Author URI: http://www.palasthotel.de
 …
         $this->gridEditor   = new Editor(
             $this->gridCore->storage,
+            $this->url."/lib/grid/"
+            $this->url."/lib/grid/",
+            $this->gridHook
         );
 …
         add_action( 'pre_get_posts', 'grid_enable_front_page_landing_page' );
+        add_action( 'grid_grid_editor_styles_get',array($this,'styles_nonce'));
+        add_action( 'grid_styles_editor_post', array($this,'styles_checknonce'));
         // ------------------------------------
         // uninstall
         // ------------------------------------
         register_uninstall_hook( __FILE__, array( __CLASS__, 'uninstall' ) );
+    }
+    public function styles_checknonce($data) {
+        if(!isset($data['_wpnonce']) || ! wp_verify_nonce($data['_wpnonce'])) {
+            die("invalid nonce.");
+        }
+    }
+    public function styles_nonce() {
+        echo wp_nonce_field();
+    }

Note: See TracChangeset for help on using the changeset viewer.