Changeset 586261


Timestamp:
08/16/12 15:33:40 (21 months ago)
Author:
simonwheatley
Message:
  • Move allowed_html values into a method, called every time it's needed (rather than defining in 4 separate locations)
  • Add a filter to allow devs to amend the allowed_html values
  • Amended readme to include upgrade notice, changelog, etc
  • Amended plugin version
  • Did not amend stable tag
  • Escape values in plugin output as per updates in plugin form (so people don't need to resave their widgets to benefit from the HTML filtering in preamble and html_after)
Location:
twitter-tracker/trunk
Files:
4 edited

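--- a/twitter-tracker/trunk/class-TwitterTracker_Profile_Widget.php
+++ b/twitter-tracker/trunk/class-TwitterTracker_Profile_Widget.php
@@ -57,13 +57,6 @@
         // Delete the cache
         delete_option( 'twitter-tracker-profile' );
-        $allowed_html =  array(
-            'a' => array( 'href' => true, 'title' => true, 'target' => true, 'class' => true, 'id' => true ),
-            'em' => array( 'class' => true, 'id' => true ),
-            'strong' => array( 'class' => true, 'id' => true ),
-            'p' => array( 'class' => true, 'id' => true ),
-            'br' => true,
-        );
         $new_instance[ 'title' ] = wp_kses( $new_instance[ 'title' ] );
-        $new_instance[ 'preamble' ] = wp_kses( $new_instance[ 'preamble' ], $allowed_html );
+        $new_instance[ 'preamble' ] = wp_kses( $new_instance[ 'preamble' ], $GLOBALS[ 'TwitterTracker' ]->allowed_html( 'preamble' ) );
         $new_instance[ 'username' ] = wp_kses( $new_instance[ 'username' ] );
         $new_instance[ 'hide_replies' ] = (bool) $new_instance[ 'hide_replies' ];
@@ -71,6 +64,6 @@
         $new_instance[ 'include_retweets' ] = (bool) $new_instance[ 'include_retweets' ];
         $new_instance[ 'mandatory_hash' ] = wp_kses( $new_instance[ 'mandatory_hash' ] );
-        $new_instance[ 'html_after' ] = wp_kses( $new_instance[ 'html_after' ], $allowed_html );
-        $new_instance[ 'class' ] = wp_kses( $new_instance[ 'class' ] );
+        $new_instance[ 'html_after' ] = wp_kses( $new_instance[ 'html_after' ], $GLOBALS[ 'TwitterTracker' ]->allowed_html( 'html_after' ) );
+        $new_instance[ 'class' ] = esc_attr( $new_instance[ 'class' ] );
         return $new_instance;
     }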
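Review bot: The new calls at new lines 60 and 66, `$GLOBALS[ 'TwitterTracker' ]->allowed_html( 'preamble' )` and `->allowed_html( 'html_after' )`, reference a method named `allowed_html`, but the method this changeset adds to twitter-tracker.php is declared as `get_allowed_html( $context )`; unless an `allowed_html()` method or a `__call` handler exists outside these hunks, saving the widget will fail on an undefined method and the sanitised values will never be stored. Either rename the new method or change the callers to `$GLOBALS[ 'TwitterTracker' ]->get_allowed_html( 'preamble' )` and `->get_allowed_html( 'html_after' )`. The same mismatch appears in class-TwitterTracker_Widget.php (new lines 60 and 64) and in both render paths of twitter-tracker.php (new lines 183-184 and 215-216), where the call is `$this->allowed_html(...)`. These lines also make the widget depend on `$GLOBALS[ 'TwitterTracker' ]` having been assigned by the main plugin file before the widget's save handler runs, which is worth a one-line comment here. The enclosing method starts before this hunk.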
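--- a/twitter-tracker/trunk/class-TwitterTracker_Widget.php
+++ b/twitter-tracker/trunk/class-TwitterTracker_Widget.php
@@ -57,18 +57,11 @@
         // Delete the old widget options
         delete_option( 'widget_config_twitter-tracker-1' );
-        $allowed_html =  array(
-            'a' => array( 'href' => true, 'title' => true, 'target' => true, 'class' => true, 'id' => true ),
-            'em' => array( 'class' => true, 'id' => true ),
-            'strong' => array( 'class' => true, 'id' => true ),
-            'p' => array( 'class' => true, 'id' => true ),
-            'br' => true,
-        );
         $new_instance[ 'title' ] = wp_kses( $new_instance[ 'title' ] );
-        $new_instance[ 'preamble' ] = wp_kses( $new_instance[ 'preamble' ], $allowed_html );
+        $new_instance[ 'preamble' ] = wp_kses( $new_instance[ 'preamble' ], $GLOBALS[ 'TwitterTracker' ]->allowed_html( 'preamble' ) );
         $new_instance[ 'hide_replies' ] = (bool) $new_instance[ 'hide_replies' ];
         $new_instance[ 'max_tweets' ] = absint( $new_instance[ 'max_tweets' ] );
         $new_instance[ 'mandatory_hash' ] = wp_kses( $new_instance[ 'mandatory_hash' ] );
-        $new_instance[ 'html_after' ] = wp_kses( $new_instance[ 'html_after' ], $allowed_html );
-        $new_instance[ 'class' ] = wp_kses( $new_instance[ 'class' ] );
+        $new_instance[ 'html_after' ] = wp_kses( $new_instance[ 'html_after' ], $GLOBALS[ 'TwitterTracker' ]->allowed_html( 'html_after' ) );
+        $new_instance[ 'class' ] = esc_attr( $new_instance[ 'class' ] );
         return $new_instance;
     }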
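--- a/twitter-tracker/trunk/readme.txt
+++ b/twitter-tracker/trunk/readme.txt
@@ -3,5 +3,5 @@
 Tags: twitter, tweet, twitter search, hashtag, summize, twitter profile, tweet stream, tweet feed
 Requires at least: 3.1.0
-Tested up to: 3.3.2
+Tested up to: 3.4.1
 Stable tag: 2.8.2
 
@@ -30,4 +30,6 @@
 `tt_post_types_with_override` filter – Add or remove post types which can override the search query in a search widget.
 
+`tt_allowed_html` filter – WARNING – incorrect use of this filter could make your website vulnerable to cross-site scripting attacks; if in doubt, do not use it. Amend the HTML elements and attributes allowed in the preamble and HTML after values. This filter passes a second param specifying the context the allowed HTML is for.
+
 == Provenance and plans ==
 
@@ -50,17 +52,15 @@
 == Upgrade Notice ==
 
-= v2.8.2 =
+= v2.9 =
 
-Text in retweets was getting truncated for the Profile widget. Fixed bug with custom classes from 2.8.1. Also some code cleanup.
-
-= v2.7 =
-
-Adds an option to Profile widget to include retweets.
-
-= v2.6 =
-
-To avoid the cookies when Twitter serves the avatar images, download and activate the partner plugin, [Twitter Tracker Avatar Cache](http://wordpress.org/extend/plugins/twitter-tracker-avatar-cache/).
+Tightened up security. Upgrade recommended.
 
 == Change Log ==
+
+= v2.9 =
+
+* Properly escape values in widget form
+* Remove HTML from most fields
+* Limit HTML elements available in preamble and html_after
 
 = v2.8.2 =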
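--- a/twitter-tracker/trunk/twitter-tracker.php
+++ b/twitter-tracker/trunk/twitter-tracker.php
@@ -5,5 +5,5 @@
 Description: Tracks the search results on Twitter search or Twitter profile in a sidebar widget.
 Author: Simon Wheatley (Code for the People)
-Version: 2.8.2
+Version: 2.9
 Author URI: http://codeforthepeople.com/
 */
@@ -181,7 +181,7 @@
         $vars = array(
             'tweets' => $search->tweets(),
-            'preamble' => $preamble,
-            'html_after' => $html_after
-             );
+            'preamble' => wp_kses( $preamble, $this->allowed_html( 'preamble' ) ),
+            'html_after' => wp_kses( $html_after, $this->allowed_html( 'html_after' ) ),
+        );
         $vars[ 'datef' ] = _x( 'M j, Y @ G:i', 'Publish box date format', 'twitter-tracker' );
         $this->render( 'widget-contents', $vars );
@@ -213,7 +213,7 @@
         $vars = array(
             'tweets' => $search->tweets(),
-            'preamble' => $preamble,
-            'html_after' => $html_after
-             );
+            'preamble' => wp_kses( $preamble, $this->allowed_html( 'preamble' ) ),
+            'html_after' => wp_kses( $html_after, $this->allowed_html( 'html_after' ) ),
+        );
         $vars[ 'datef' ] = _x( 'M j, Y @ G:i', 'Publish box date format', 'twitter-tracker' );
         $this->render( 'widget-contents', $vars );
@@ -230,4 +230,14 @@
 
         return $instance;
+    }
+
+    public function get_allowed_html( $context ) {
+        return apply_filters( 'tt_allowed_html', array(
+            'a' => array( 'href' => true, 'title' => true, 'target' => true, 'class' => true, 'id' => true ),
+            'em' => array( 'class' => true, 'id' => true ),
+            'strong' => array( 'class' => true, 'id' => true ),
+            'p' => array( 'class' => true, 'id' => true ),
+            'br' => true,
+        ), $context );
     }
 
@@ -253,5 +263,5 @@
 **/
 
-$TwitterTracker = new TwitterTracker();
+$GLOBALS[ 'TwitterTracker' ] = new TwitterTracker();
 
 ?>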
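Review bot: The new `get_allowed_html( $context )` method at new lines 234-241 is public and exposes a filter hook, but carries no docblock, so the contract the readme warns about is not visible at the point a developer would hook it. Add a docblock above it stating that it returns the `wp_kses()` allowed-list array after the `tt_allowed_html` filter, that the filter receives the default array and `$context`, that the contexts used in this file are `'preamble'` and `'html_after'`, and that whatever the filter returns is applied both when a widget is saved and at render time (new lines 183-184 and 215-216), so a callback that widens the list affects already-stored values as well. The `@param string $context` line should list the two context values so hook authors can branch on them. The body of the render methods and the surrounding class start outside these hunks.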