
Changeset 589246


Timestamp:
08/23/12 10:53:38 (20 months ago)
Author:
simonwheatley
Message:

Better sanitisation.

Location:
twitter-tracker/trunk
Files:
5 edited

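--- a/twitter-tracker/trunk/class-TwitterTracker_Profile_Widget.php
+++ b/twitter-tracker/trunk/class-TwitterTracker_Profile_Widget.php
@@ -57,13 +57,13 @@
         // Delete the cache
         delete_option( 'twitter-tracker-profile' );
-        $new_instance[ 'title' ] = $GLOBALS[ 'TwitterTracker' ]->maybe_strip_tags( $new_instance[ 'title' ] );
-        $new_instance[ 'preamble' ] = $GLOBALS[ 'TwitterTracker' ]->maybe_wp_kses( $new_instance[ 'preamble' ], 'preamble' );
-        $new_instance[ 'username' ] = $GLOBALS[ 'TwitterTracker' ]->maybe_strip_tags( $new_instance[ 'username' ] );
+        $new_instance[ 'title' ] = $this->maybe_strip_tags( $new_instance[ 'title' ] );
+        $new_instance[ 'preamble' ] = $this->maybe_wp_kses( $new_instance[ 'preamble' ], 'preamble' );
+        $new_instance[ 'username' ] = strip_tags( $new_instance[ 'username' ] );
         $new_instance[ 'hide_replies' ] = isset( $new_instance[ 'hide_replies' ] ) ? (bool) $new_instance[ 'hide_replies' ] : false;
         $new_instance[ 'max_tweets' ] = absint( $new_instance[ 'max_tweets' ] );
         $new_instance[ 'include_retweets' ] = isset( $new_instance[ 'include_retweets' ] ) ? (bool) $new_instance[ 'include_retweets' ] : false;
-        $new_instance[ 'mandatory_hash' ] = $GLOBALS[ 'TwitterTracker' ]->maybe_strip_tags( $new_instance[ 'mandatory_hash' ] );
-        $new_instance[ 'html_after' ] = $GLOBALS[ 'TwitterTracker' ]->maybe_wp_kses( $new_instance[ 'html_after' ], 'html_after' );
-        $new_instance[ 'class' ] = $new_instance[ 'class' ]; // Escaped on output, no sanitisation needed here
+        $new_instance[ 'mandatory_hash' ] = strip_tags( $new_instance[ 'mandatory_hash' ] );
+        $new_instance[ 'html_after' ] = $this->maybe_wp_kses( $new_instance[ 'html_after' ], 'html_after' );
+        $new_instance[ 'class' ] = strip_tags( $new_instance[ 'class' ] );
         return $new_instance;
     }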
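Review bot: The new lines 61, 65 and 67 sanitise `username`, `mandatory_hash` and `class` with bare `strip_tags()`, which removes markup but does nothing for attribute context, so the output-time escaping that the removed comment on old line 67 relied on ("Escaped on output") must still be in place wherever these values are echoed into attributes. For `class` the WordPress-native `sanitize_html_class()` would be a tighter fit than `strip_tags()`, and `username`/`mandatory_hash` could likewise be reduced to the character set a Twitter handle or hashtag can contain. A short comment would also record why these three fields skip the `unfiltered_html` gate that `title` and `preamble` get: `// username, mandatory_hash and class never legitimately contain markup, so strip unconditionally`. The matching hunk in class-TwitterTracker_Widget.php has the same shape and the same point applies there. The enclosing method starts outside the hunk.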
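--- a/twitter-tracker/trunk/class-TwitterTracker_SW_Widget.php
+++ b/twitter-tracker/trunk/class-TwitterTracker_SW_Widget.php
@@ -68,4 +68,23 @@
     }
 
+    function maybe_wp_kses( $value, $context ) {
+        if ( current_user_can( 'unfiltered_html' ) )
+            return $value;
+        $allowed_html = apply_filters( 'tt_allowed_html', array(
+            'a' => array( 'href' => true, 'title' => true, 'target' => true, 'class' => true, 'id' => true ),
+            'em' => array( 'class' => true, 'id' => true ),
+            'strong' => array( 'class' => true, 'id' => true ),
+            'p' => array( 'class' => true, 'id' => true ),
+            'br' => true,
+        ), $context );
+        return wp_kses( $value, $allowed_html );
+    }
+
+    function maybe_strip_tags( $value ) {
+        if ( current_user_can( 'unfiltered_html' ) )
+            return $value;
+        return strip_tags( $value );
+    }
+
 }
 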
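Review bot: `maybe_strip_tags()` (new line 86) relies on PHP's `strip_tags()`, which drops tags but keeps the text inside `<script>` and `<style>` elements; WordPress's `wp_strip_all_tags( $value )` removes that content too and is the safer drop-in here. Both new helpers decide on `current_user_can( 'unfiltered_html' )` for the current request, so the result is only meaningful when they run in the save path of the user who submitted the value, as the `$new_instance` hunks in the widget classes appear to do; a docblock on each should state that contract, e.g. `// Save-time filter only: the capability of the user making this request decides whether KSES is applied, so never call at render time.` Since the filtered value is then stored as-is, a later change to the `tt_allowed_html` filter or to a user's capabilities does not re-filter existing content, which is worth noting alongside. Whether the other widget classes reach these methods via inheritance is not visible in this hunk.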
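--- a/twitter-tracker/trunk/class-TwitterTracker_Widget.php
+++ b/twitter-tracker/trunk/class-TwitterTracker_Widget.php
@@ -57,11 +57,11 @@
         // Delete the old widget options
         delete_option( 'widget_config_twitter-tracker-1' );
-        $new_instance[ 'title' ] = $GLOBALS[ 'TwitterTracker' ]->maybe_strip_tags( $new_instance[ 'title' ] );
-        $new_instance[ 'preamble' ] = $GLOBALS[ 'TwitterTracker' ]->maybe_wp_kses( $new_instance[ 'preamble' ], 'preamble' );
+        $new_instance[ 'title' ] = $this->maybe_strip_tags( $new_instance[ 'title' ] );
+        $new_instance[ 'preamble' ] = $this->maybe_wp_kses( $new_instance[ 'preamble' ], 'preamble' );
         $new_instance[ 'hide_replies' ] = isset( $new_instance[ 'hide_replies' ] ) ? (bool) $new_instance[ 'hide_replies' ] : false;
         $new_instance[ 'max_tweets' ] = absint( $new_instance[ 'max_tweets' ] );
-        $new_instance[ 'mandatory_hash' ] = $GLOBALS[ 'TwitterTracker' ]->maybe_strip_tags( $new_instance[ 'mandatory_hash' ] );
-        $new_instance[ 'html_after' ] = $GLOBALS[ 'TwitterTracker' ]->maybe_wp_kses( $new_instance[ 'html_after' ], 'html_after' );
-        $new_instance[ 'class' ] = $new_instance[ 'class' ]; // Escaped on output, no sanitisation needed here
+        $new_instance[ 'mandatory_hash' ] = strip_tags( $new_instance[ 'mandatory_hash' ] );
+        $new_instance[ 'html_after' ] = $this->maybe_wp_kses( $new_instance[ 'html_after' ], 'html_after' );
+        $new_instance[ 'class' ] = strip_tags( $new_instance[ 'class' ] );
         return $new_instance;
     }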
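--- a/twitter-tracker/trunk/readme.txt
+++ b/twitter-tracker/trunk/readme.txt
@@ -36,6 +36,4 @@
 Plugin initially produced on behalf of [WordCamp UK, 2009](http://wordcamp.org.uk). Initial version 2 development funded by SamFry Ltd.
 
-Is this plugin lacking a feature you want? I'm happy to accept offers of feature sponsorship: [contact me](http://www.simonwheatley.co.uk/contact-me/) and we can discuss your ideas.
-
 Any issues: [contact me](http://www.simonwheatley.co.uk/contact-me/).
 
@@ -54,5 +52,5 @@
 = v2.9 =
 
-Tightened up security. Upgrade recommended.
+Tightened up security for users on WordPress multisite, upgrade recommended.
 
 == Change Log ==
@@ -60,7 +58,6 @@
 = v2.9 =
 
-* Properly escape values in widget form
-* Remove HTML from most fields
-* Limit HTML elements available in preamble and html_after
+* Properly escape values in widget form for users who can't use unfiltered_html
+* Limit HTML elements available in preamble and html_after for users who can't use unfiltered_html
 
 = v2.8.2 =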
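--- a/twitter-tracker/trunk/twitter-tracker.php
+++ b/twitter-tracker/trunk/twitter-tracker.php
@@ -181,6 +181,6 @@
         $vars = array(
             'tweets' => $search->tweets(),
-            'preamble' => wp_kses( $preamble, $this->allowed_html( 'preamble' ) ),
-            'html_after' => wp_kses( $html_after, $this->allowed_html( 'html_after' ) ),
+            'preamble' => $preamble,
+            'html_after' => $html_after,
         );
         $vars[ 'datef' ] = _x( 'M j, Y @ G:i', 'Publish box date format', 'twitter-tracker' );
@@ -213,6 +213,6 @@
         $vars = array(
             'tweets' => $search->tweets(),
-            'preamble' => $this->maybe_wp_kses( $preamble, $this->allowed_html( 'preamble' ) ),
-            'html_after' => $this->maybe_wp_kses( $html_after, $this->allowed_html( 'html_after' ) ),
+            'preamble' => $preamble,
+            'html_after' => $html_after,
         );
         $vars[ 'datef' ] = _x( 'M j, Y @ G:i', 'Publish box date format', 'twitter-tracker' );
@@ -230,23 +230,4 @@
 
         return $instance;
-    }
-
-    function maybe_wp_kses( $value, $context ) {
-        if ( current_user_can( 'unfiltered_html' ) )
-            return $value;
-        $allowed_html = apply_filters( 'tt_allowed_html', array(
-            'a' => array( 'href' => true, 'title' => true, 'target' => true, 'class' => true, 'id' => true ),
-            'em' => array( 'class' => true, 'id' => true ),
-            'strong' => array( 'class' => true, 'id' => true ),
-            'p' => array( 'class' => true, 'id' => true ),
-            'br' => true,
-        ), $context );
-        return wp_kses( $value, $allowed_html );
-    }
-
-    function maybe_strip_tags( $value, $context ) {
-        if ( current_user_can( 'unfiltered_html' ) )
-            return $value;
-        return strip_tags( $value );
     }
 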
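Review bot: With `wp_kses()` and `maybe_wp_kses()` removed from both render paths (new lines 183-184 and 215-216), save-time filtering in the widget classes becomes the only point at which `preamble` and `html_after` are ever checked, so any instance stored by an earlier version that did not filter on save is now passed to the template unfiltered. If that is a real migration case, a one-time pass on upgrade that runs stored widget instances through `wp_kses()` with the default `tt_allowed_html` list would close it; whether the template that receives `$vars` escapes these values itself is not visible here. `allowed_html()` may be left without callers once these lines go, and the removed `maybe_strip_tags( $value, $context )` took a `$context` argument that its replacement in class-TwitterTracker_SW_Widget.php drops, which is fine only if no other caller still passes two. Both enclosing functions start outside their hunks.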