
Changeset 1538861


Timestamp:
11/23/16 06:00:42 (6 months ago)
Author:
SriniG
Message:

v2.0.6: Security fixes

Location:
quotes-collection/trunk
Files:
6 edited

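--- a/quotes-collection/trunk/inc/class-quotes-collection-admin-list-table.php
+++ b/quotes-collection/trunk/inc/class-quotes-collection-admin-list-table.php
@@ -220,5 +220,5 @@
         // Frame the parameters to be passed to fetch the data from the database
         $db_args = array();
-        $db_args['orderby'] = (!empty($_REQUEST['orderby'])) ? $_REQUEST['orderby'] : 'quote_id';
+        $db_args['orderby'] = (!empty($_REQUEST['orderby'])) ? esc_attr( $_REQUEST['orderby'] ) : 'quote_id';
         if( empty($_REQUEST['order']) ) {
             if( 'quote_id' == $db_args['orderby'] )
@@ -227,8 +227,8 @@
         }
         else
-            $db_args['order'] = $_REQUEST['order'];
+            $db_args['order'] = esc_attr( $_REQUEST['order'] );
 
         if( isset( $_REQUEST['s'] ) && !empty( $_REQUEST['s'] ) ) {
-            $db_args['search'] = (string) $_REQUEST['s'];
+            $db_args['search'] = (string) esc_attr( $_REQUEST['s'] );
         }
         else $db_args['search'] = '';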
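Review bot: `esc_attr()` on new lines 222, 229 and 232 is an HTML-attribute output escaper, not an input validator, so it neither restricts `orderby`/`order` to legal values nor preserves the user's search term — a search for `O'Brien` now reaches the query layer as `O&#039;Brien`. If `$db_args` ends up in an SQL `ORDER BY` (built outside this hunk, so inferred), the defensible fix is a whitelist rather than escaping: `$db_args['orderby'] = ( ! empty( $_REQUEST['orderby'] ) && in_array( $_REQUEST['orderby'], <list of sortable column names>, true ) ) ? $_REQUEST['orderby'] : 'quote_id';`, `$db_args['order'] = in_array( strtoupper( $_REQUEST['order'] ), array( 'ASC', 'DESC' ), true ) ? strtoupper( $_REQUEST['order'] ) : 'ASC';` and `$db_args['search'] = sanitize_text_field( wp_unslash( $_REQUEST['s'] ) );`. The same output-escaper-on-input pattern appears at new lines 131–132 of class-quotes-collection.php (`$_POST['tags']`, `$_POST['orderby']`). The enclosing method starts before and ends after these hunks.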
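--- a/quotes-collection/trunk/inc/class-quotes-collection-admin.php
+++ b/quotes-collection/trunk/inc/class-quotes-collection-admin.php
@@ -219,5 +219,5 @@
         ?>
         <form id="quotescollection" method="get">
-        <input type="hidden" name="page" value="<?php echo $_REQUEST['page']; ?>" />
+        <input type="hidden" name="page" value="<?php echo esc_attr( $_REQUEST['page'] ); ?>" />
             <div class="list-header">
                 <?php echo $list_meta; ?>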
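--- a/quotes-collection/trunk/inc/class-quotes-collection-shortcode.php
+++ b/quotes-collection/trunk/inc/class-quotes-collection-shortcode.php
@@ -190,13 +190,13 @@
                 $next_disabled = $last_disabled = ' disabled';
 
-            $pagenav .= "<a class=\"first-page{$first_disabled}\" title=\"".__('Go to the first page', 'quotes-collection')."\" href=\"{$url}\">&laquo;</a>&nbsp;&nbsp;";
-
-            $pagenav .= "<a class=\"prev-page{$prev_disabled}\" title=\"".__('Go to the previous page', 'quotes-collection')."\" href=\"{$url}{$a}{$paged}=".($current - 1)."\">&#139;</a>&nbsp;&nbsp;";
+            $pagenav .= '<a class="first-page' . $first_disabled .'" title="' . __('Go to the first page', 'quotes-collection') . '" href="' . esc_url( $url ) . '">&laquo;</a>&nbsp;&nbsp;';
+
+            $pagenav .= '<a class="prev-page' . $prev_disabled . '" title="' . __('Go to the previous page', 'quotes-collection') . '" href="' . esc_url( $url.$a.$paged.'='.($current - 1) ).'">&#139;</a>&nbsp;&nbsp;';
 
             $pagenav .= '<span class="paging-input">'.$current.' of <span class="total-pages">'.$total.'</span></span>';
 
-            $pagenav .= "&nbsp;&nbsp;<a class=\"next-page{$next_disabled}\" title=\"".__('Go to the next page', 'quotes-collection')."\" href=\"{$url}{$a}{$paged}=".($current + 1)."\">&#155;</a>";
-
-            $pagenav .= "&nbsp;&nbsp;<a class=\"last-page{$last_disabled}\" title=\"".__('Go to the last page', 'quotes-collection')."\" href=\"{$url}{$a}{$paged}={$total}\">&raquo;</a>";
+            $pagenav .= '&nbsp;&nbsp;<a class="next-page' . $next_disabled . '" title="' .__('Go to the next page', 'quotes-collection'). '" href="' . esc_url( $url.$a.$paged.'='.($current + 1) ) . '">&#155;</a>';
+
+            $pagenav .= '&nbsp;&nbsp;<a class="last-page' . $last_disabled . '" title="' . __('Go to the last page', 'quotes-collection') .'" href="' . esc_url( $url.$a.$paged.'='.$total ) . '">&raquo;</a>';
 
         }
@@ -207,7 +207,7 @@
                     $pagenav .= "&nbsp;<strong>{$i}</strong>";
                 else if($i == 1)
-                    $pagenav .= "&nbsp;<a href=\"{$url}\">{$i}</a>";
+                    $pagenav .= "&nbsp;<a href=\"" . esc_url($url) . "\">{$i}</a>";
                 else
-                    $pagenav .= "&nbsp;<a href=\"{$url}{$a}{$paged}={$i}\">{$i}</a>";
+                    $pagenav .= "&nbsp;<a href=\"" . esc_url($url.$a.$paged.'='.$i) . "\">{$i}</a>";
             }
         }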
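Review bot: The `title` attribute values on new lines 192, 194, 198 and 200 are inserted straight from `__()` with no attribute escaping, while the `href` beside them now gets `esc_url()`; WordPress provides `esc_attr__( 'Go to the first page', 'quotes-collection' )` for exactly this context, and using it keeps every attribute in the paging markup escaped the same way. A point of style: the first hunk switches to single-quoted concatenation, but the second hunk (new lines 209 and 211) keeps double-quoted strings with `{$i}` interpolation and `\"` escapes; settling on one form would make the generated HTML easier to audit. `$url`, `$a` and `$paged` are assembled outside the hunk, so their content is not visible here. The enclosing method starts before and ends after these hunks.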
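--- a/quotes-collection/trunk/inc/class-quotes-collection.php
+++ b/quotes-collection/trunk/inc/class-quotes-collection.php
@@ -10,5 +10,5 @@
 
     /** Plugin version **/
-    const PLUGIN_VERSION = '2.0.5';
+    const PLUGIN_VERSION = '2.0.6';
 
     public $refresh_link_text;
@@ -129,6 +129,6 @@
 
         $char_limit = (isset($_POST['char_limit']) && is_numeric($_POST['char_limit']))?$_POST['char_limit']:'';
-        $tags = $_POST['tags'];
-        $orderby = $_POST['orderby'];
+        $tags = esc_attr( $_POST['tags'] );
+        $orderby = esc_attr( $_POST['orderby'] );
         $order = '';
         $exclude = '';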
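Review bot: `$_POST['tags']` and `$_POST['orderby']` on new lines 131–132 are read without an `isset()` guard, unlike `char_limit` on line 130, so a request that omits either key raises an undefined-index notice before `esc_attr()` even runs. A guarded, input-side form would be `$tags = isset( $_POST['tags'] ) ? sanitize_text_field( wp_unslash( $_POST['tags'] ) ) : '';` and `$orderby = isset( $_POST['orderby'] ) ? sanitize_key( $_POST['orderby'] ) : '';`, since the `sanitize_*` helpers clean input whereas `esc_attr()` encodes for HTML output and would turn a tag containing `&` into `&amp;` before it is compared with anything. `sanitize_key()` lowercases and strips to `[a-z0-9_-]`, which presumes the accepted `orderby` values are plain identifiers — confirm against the query code, which lies outside this hunk. The enclosing method starts before and ends after this hunk.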
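--- a/quotes-collection/trunk/quotes-collection.php
+++ b/quotes-collection/trunk/quotes-collection.php
@@ -4,5 +4,5 @@
  * Plugin URI: http://srinig.com/wordpress/plugins/quotes-collection/
  * Description: Quotes Collection plugin with Ajax powered Random Quote sidebar widget helps you collect and display your favourite quotes in your WordPress blog/website.
- * Version: 2.0.5
+ * Version: 2.0.6
  * Author: Srini G
  * Author URI: http://srinig.com/
@@ -12,5 +12,5 @@
  */
 
-/*  Copyright 2007-2015 Srini G (email : s@srinig.com)
+/*  Copyright 2007-2016 Srini G (email : s@srinig.com)
 
     This program is free software; you can redistribute it and/or modify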
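--- a/quotes-collection/trunk/readme.txt
+++ b/quotes-collection/trunk/readme.txt
@@ -4,5 +4,5 @@
 Tags: quotes collection, quotes, quotations, random quote, sidebar, widget, ajax, shortcode
 Requires at least: 3.1
-Tested up to: 4.5-RC1
+Tested up to: 4.7-beta4
 Stable tag: trunk
 License: GNU General Public License
@@ -255,4 +255,7 @@
 ==Changelog==
 
+* **2016-11-23: Version 2.0.6**
+    * Security fixes
+
 * **2016-04-04: Version 2.0.5**
     * Changed footer elements in widget back to div to prevent HTML validation errors
@@ -485,4 +488,7 @@
 == Upgrade Notice ==
 
+= 2.0.6 =
+Important security fixes. Upgrade highly recommended. If you upgrade from a version prior to 2.0, you will have to re-add the widget and set the widget options once again after upgrading.
+
 = 2.0.5 =
 If you upgrade from a version prior to 2.0, you will have to re-add the widget and set the widget options once again after upgrading. Version 2.0 is a major update.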