Changeset 586255


Timestamp:
08/16/12 15:14:16 (20 months ago)
Author:
simonwheatley
Message:
  • Escape attributes in INPUT values
  • Use wp_kses to restrict the HTML elements and attributes allowed in the preamble and html_after
  • Use wp_kses to remove HTML from the title, class, mandatory_hash, username, title
Location:
twitter-tracker/trunk
Files:
3 edited

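--- a/twitter-tracker/trunk/class-TwitterTracker_Profile_Widget.php
+++ b/twitter-tracker/trunk/class-TwitterTracker_Profile_Widget.php
@@ -57,4 +57,20 @@
         // Delete the cache
         delete_option( 'twitter-tracker-profile' );
+        $allowed_html =  array(
+            'a' => array( 'href' => true, 'title' => true, 'target' => true, 'class' => true, 'id' => true ),
+            'em' => array( 'class' => true, 'id' => true ),
+            'strong' => array( 'class' => true, 'id' => true ),
+            'p' => array( 'class' => true, 'id' => true ),
+            'br' => true,
+        );
+        $new_instance[ 'title' ] = wp_kses( $new_instance[ 'title' ] );
+        $new_instance[ 'preamble' ] = wp_kses( $new_instance[ 'preamble' ], $allowed_html );
+        $new_instance[ 'username' ] = wp_kses( $new_instance[ 'username' ] );
+        $new_instance[ 'hide_replies' ] = (bool) $new_instance[ 'hide_replies' ];
+        $new_instance[ 'max_tweets' ] = absint( $new_instance[ 'max_tweets' ] );
+        $new_instance[ 'include_retweets' ] = (bool) $new_instance[ 'include_retweets' ];
+        $new_instance[ 'mandatory_hash' ] = wp_kses( $new_instance[ 'mandatory_hash' ] );
+        $new_instance[ 'html_after' ] = wp_kses( $new_instance[ 'html_after' ], $allowed_html );
+        $new_instance[ 'class' ] = wp_kses( $new_instance[ 'class' ] );
         return $new_instance;
     }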
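Review bot: `wp_kses()` is called with a single argument on new lines 66, 68, 72 and 74, but its `$allowed_html` parameter has no default, so each of these calls raises a PHP "missing argument" warning and only strips markup because a null allowlist happens to reject every element; the corresponding hunk in class-TwitterTracker_Widget.php (new lines 66, 70 and 72) has the same calls. Make the intent explicit with `wp_kses( $new_instance[ 'title' ], array() )`, or use `wp_strip_all_tags()` / `sanitize_text_field()`, which are the documented single-line sanitisers. Stripping tags also does not make `class`, `username` or `mandatory_hash` safe to print inside an HTML attribute — quotes survive kses — so the widget's output path still has to `esc_attr()` them; that code is not in this changeset, so treat it as something to confirm. The method these lines belong to (presumably `update()`) starts above the hunk.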
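--- a/twitter-tracker/trunk/class-TwitterTracker_SW_Widget.php
+++ b/twitter-tracker/trunk/class-TwitterTracker_SW_Widget.php
@@ -34,5 +34,5 @@
         <p>
             <label for="<?php echo $this->get_field_id( $var ); ?>"><?php echo $label; ?>
-                <input class="widefat" id="<?php echo $this->get_field_id( $var ); ?>" name="<?php echo $this->get_field_name( $var ); ?>" type="text" value="<?php echo $value; ?>" />
+                <input class="widefat" id="<?php echo $this->get_field_id( $var ); ?>" name="<?php echo $this->get_field_name( $var ); ?>" type="text" value="<?php echo esc_attr( $value ); ?>" />
             </label>
             <?php if ( $note ) { ?>
@@ -47,5 +47,5 @@
         ?>
         <p><label for="<?php echo $this->get_field_id( $var ); ?>"><?php echo $label; ?></label>
-            <input size="3" id="<?php echo $this->get_field_id( $var ); ?>" name="<?php echo $this->get_field_name( $var ); ?>" type="text" value="<?php echo $value; ?>" /><br/>
+            <input size="3" id="<?php echo $this->get_field_id( $var ); ?>" name="<?php echo $this->get_field_name( $var ); ?>" type="text" value="<?php echo esc_attr( $value ); ?>" /><br/>
             <?php if ( $note ) { ?>
                 <br /><small><?php echo $note; ?></small>
@@ -59,6 +59,6 @@
         $checked = ( $value ) ? ' checked="checked" ' : '';
         ?>
-        <p><input class="checkbox" type="checkbox" id="<?php echo $this->get_field_id( $var ); ?>" name="<?php echo $this->get_field_name( $var ); ?>" <?php echo $checked; ?> />
-            <label for="<?php echo $this->get_field_id( $var ); ?>"><?php echo $label; ?></label>
+        <p><input class="checkbox" type="checkbox" id="<?php echo $this->get_field_id( $var ); ?>" name="<?php echo $this->get_field_name( $var ); ?>" <?php echo $checked; ?> value="1" />
+            <label for="<?php echo $this->get_field_id( $var ); ?>"><?php echo esc_html( $label ); ?></label>
             <?php if ( $note ) { ?>
                 <br /><small><?php echo $note; ?></small>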
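Review bot: `$label` is now escaped with `esc_html()` on the checkbox path (new line 62) but is still echoed raw on the two text-input paths (lines 35 and 48), and `$note` is echoed raw on lines 51 and 64. The callers in class-TwitterTracker_Widget.php (presumably a subclass using these helpers) pass labels and notes that deliberately contain `<kbd>` and `<a>` markup, so `esc_html()` cannot simply be applied everywhere; a consistent treatment is `wp_kses()` with a small allowlist on all of these echoes, e.g. `<?php echo wp_kses( $label, array( 'kbd' => array(), 'a' => array( 'href' => true, 'target' => true ) ) ); ?>`. If the asymmetry is intentional, a one-line comment above each text-input echo, such as `// $label may carry <kbd>/<a> markup from the caller; not esc_html()'d on purpose`, would stop the next reader from "fixing" it. The `value="1"` added on line 61 changes what `update()` receives from the browser default `on` to `1`; that is harmless with the `(bool)` casts used there. Each of the three form-helper methods starts and ends outside its hunk.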
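--- a/twitter-tracker/trunk/class-TwitterTracker_Widget.php
+++ b/twitter-tracker/trunk/class-TwitterTracker_Widget.php
@@ -57,4 +57,18 @@
         // Delete the old widget options
         delete_option( 'widget_config_twitter-tracker-1' );
+        $allowed_html =  array(
+            'a' => array( 'href' => true, 'title' => true, 'target' => true, 'class' => true, 'id' => true ),
+            'em' => array( 'class' => true, 'id' => true ),
+            'strong' => array( 'class' => true, 'id' => true ),
+            'p' => array( 'class' => true, 'id' => true ),
+            'br' => true,
+        );
+        $new_instance[ 'title' ] = wp_kses( $new_instance[ 'title' ] );
+        $new_instance[ 'preamble' ] = wp_kses( $new_instance[ 'preamble' ], $allowed_html );
+        $new_instance[ 'hide_replies' ] = (bool) $new_instance[ 'hide_replies' ];
+        $new_instance[ 'max_tweets' ] = absint( $new_instance[ 'max_tweets' ] );
+        $new_instance[ 'mandatory_hash' ] = wp_kses( $new_instance[ 'mandatory_hash' ] );
+        $new_instance[ 'html_after' ] = wp_kses( $new_instance[ 'html_after' ], $allowed_html );
+        $new_instance[ 'class' ] = wp_kses( $new_instance[ 'class' ] );
         return $new_instance;
     }
@@ -87,5 +101,5 @@
         // Now show the input fields
         $this->input_text( __( 'Title:', 'twitter-tracker' ), 'title', $title );
-        $this->input_text( __( 'Preamble:', 'twitter-tracker' ), 'preamble', $preamble );
+        $this->input_text( __( 'Preamble (HTML limited to <kbd>&lt;a&gt;</kbd>, <kbd>&lt;em&gt;</kbd>, <kbd>&lt;strong&gt;</kbd>, <kbd>&lt;p&gt;</kbd>, <kbd>&lt;br&gt;</kbd>):', 'twitter-tracker' ), 'preamble', $preamble );
         $search_note = __( 'Enter any search term that works on <a href="http://search.twitter.com/" target="_blank">Twitter Search</a>, here&apos;s some <a href="http://search.twitter.com/operators" target="_blank">help with the syntax</a>.', 'twitter-tracker' );
         $this->input_text( __( 'Twitter search:', 'twitter-tracker' ), 'twitter_search', $twitter_search, $search_note );
@@ -95,5 +109,5 @@
         $hashtag_note = __( 'Include the "#". Tweets without this #hashtag will not be shown.', 'twitter-tracker' );
         $this->input_text( __( 'Mandatory hashtag:', 'twitter-tracker' ), 'mandatory_hash', $mandatory_hash, $hashtag_note );
-        $this->input_text( __( 'HTML to put after the results:', 'twitter-tracker' ), 'html_after', $html_after, __( 'Optional, use for things like a link to this Twitter search, etc.', 'twitter-tracker' ) );
+        $this->input_text( __( 'HTML to put after the results (limited to <kbd>&lt;a&gt;</kbd>, <kbd>&lt;em&gt;</kbd>, <kbd>&lt;strong&gt;</kbd>, <kbd>&lt;p&gt;</kbd>, <kbd>&lt;br&gt;</kbd>):', 'twitter-tracker' ), 'html_after', $html_after, __( 'Optional, use for things like a link to this Twitter search, etc.', 'twitter-tracker' ) );
         $class_note = __( 'You can put an individual class, or classes (separate with spaces), on each instance of the Twitter Tracker to enable you to style them differently.', 'twitter-tracker' );
         $this->input_text( __( 'HTML Class:', 'twitter-tracker' ), 'class', $class, $class_note );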
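Review bot: New line 68 reads `$new_instance[ 'hide_replies' ]` without checking that the key exists; an unchecked checkbox is absent from the submitted form, so saving the widget with the box cleared raises an undefined-index notice before the `(bool)` cast turns the missing value into false. The same applies to `hide_replies` and `include_retweets` at new lines 69 and 71 of the class-TwitterTracker_Profile_Widget.php hunk. `$new_instance[ 'hide_replies' ] = ! empty( $new_instance[ 'hide_replies' ] );` covers both the present and the absent case without changing the stored type. The new labels at lines 103 and 111 embed `<kbd>` markup, which only renders correctly while the text-input helper echoes `$label` unescaped; a short comment above line 102, e.g. `// Labels below carry <kbd> markup and rely on input_text() not escaping them`, would record that dependency. The `update()` and `form()` methods these hunks sit in (names inferred from the WP_Widget convention) both start and end outside the hunks.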