
Changeset 690038 for wp-funeral-press


Timestamp:
04/01/2013 01:39:44 PM (12 years ago)
Author:
smartypants
Message:

1.1.7

  • Fixed XSS issues brought up by WordPress
Location:
wp-funeral-press/trunk
Files:
8 edited

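--- a/wp-funeral-press/trunk/admin/_notes/dwsync.xml
+++ b/wp-funeral-press/trunk/admin/_notes/dwsync.xml
@@ -12,5 +12,5 @@
 <file name="settings.php" server="dlg360.com//public_html/wp-content/" local="130063703814054668" remote="130069864200000000" Dst="1" />
 <file name="settings.php" server="dlg360.com//public_html/new4/wp-content/" local="130084329581948488" remote="130084329600000000" Dst="2" />
-<file name="obits.php" server="dlg360.com//public_html/new4/wp-content/" local="130083707129336235" remote="130083706800000000" Dst="2" />
+<file name="obits.php" server="dlg360.com//public_html/new4/wp-content/" local="130092971103695302" remote="130092970800000000" Dst="2" />
 <file name="guestbook.php" server="dlg360.com//public_html/new4/wp-content/" local="130081950126381414" remote="130081950000000000" Dst="2" />
 <file name="guestbook.php" server="dlg360.com//public_html/new5/wp-content/" local="130063759150129711" remote="130063770600000000" Dst="1" />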
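--- a/wp-funeral-press/trunk/admin/obits.php
+++ b/wp-funeral-press/trunk/admin/obits.php
@@ -39,5 +39,5 @@
 
        
-            $query = "SELECT * FROM  " . $wpdb->prefix . "wpfh_posts  WHERE oid = ".$id." order by date desc";
+            $query = "SELECT * FROM  " . $wpdb->prefix . "wpfh_posts  WHERE oid = ".$wpdb->escape($id)." order by date desc";
             $pagination = new Pagination();
             if (isset($_GET['pagenum'])){   $page = (int) $_GET['pagenum'];}else{ $page = 1; }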
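Review bot: `$wpdb->escape($id)` on the new line 41 does not close the SQL injection, because the value is concatenated into `WHERE oid = ` without surrounding quotes, so escaping quote characters changes nothing for a non-numeric `$id`. Since `oid` is compared as a number, bind it as one: `$query = $wpdb->prepare("SELECT * FROM {$wpdb->prefix}wpfh_posts WHERE oid = %d ORDER BY date DESC", $id);` (or at minimum `(int) $id`, as the `pagenum` line below already does). Where `$id` is assigned is outside the hunk, as is the start of the enclosing function, so I cannot tell whether it was already cast upstream. Note that WordPress later deprecated `$wpdb->escape()` in favour of `$wpdb->prepare()` / `esc_sql()`.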
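--- a/wp-funeral-press/trunk/css/smoothness/_notes/dwsync.xml
+++ b/wp-funeral-press/trunk/css/smoothness/_notes/dwsync.xml
@@ -11,4 +11,5 @@
 <file name="jquery-ui-1.9.0.custom.css" server="dlg360.com//public_html/wp-content/" local="129945228709120830" remote="130069864200000000" Dst="1" />
 <file name="jquery-ui-1.9.0.custom.min.css" server="dlg360.com//public_html/wp-content/" local="129945228709430848" remote="130069864200000000" Dst="1" />
-<file name="jquery-ui-1.9.0.custom.css" server="dlg360.com//public_html/new4/wp-content/" local="130081020186941920" remote="130081020000000000" Dst="2" />
+<file name="jquery-ui-1.9.0.custom.css" server="dlg360.com//public_html/new4/wp-content/" local="130081026263219464" remote="130092963600000000" Dst="2" />
+<file name="jquery-ui-1.9.0.custom.min.css" server="dlg360.com//public_html/new4/wp-content/" local="129945228709430848" remote="130092963600000000" Dst="2" />
 </dwsync>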
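--- a/wp-funeral-press/trunk/css/smoothness/images/_notes/dwsync.xml
+++ b/wp-funeral-press/trunk/css/smoothness/images/_notes/dwsync.xml
@@ -66,3 +66,16 @@
 <file name="ui-icons_454545_256x240.png" server="dlg360.com//public_html/wp-content/" local="129945228710640917" remote="130069864200000000" Dst="1" />
 <file name="ui-icons_cd0a0a_256x240.png" server="dlg360.com//public_html/wp-content/" local="129945228711110944" remote="130069864200000000" Dst="1" />
+<file name="ui-bg_flat_0_aaaaaa_40x100.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228710560913" remote="130092963600000000" Dst="2" />
+<file name="ui-bg_glass_65_ffffff_1x400.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228709770868" remote="130092963600000000" Dst="2" />
+<file name="ui-bg_glass_75_dadada_1x400.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228710470908" remote="130092963600000000" Dst="2" />
+<file name="ui-bg_glass_75_e6e6e6_1x400.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228710080885" remote="130092963600000000" Dst="2" />
+<file name="ui-bg_glass_95_fef1ec_1x400.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228710150889" remote="130092963600000000" Dst="2" />
+<file name="ui-bg_glass_55_fbf9ee_1x400.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228710380902" remote="130092963600000000" Dst="2" />
+<file name="ui-bg_highlight-soft_75_cccccc_1x100.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228710240894" remote="130092963600000000" Dst="2" />
+<file name="ui-bg_flat_75_ffffff_40x100.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228709860873" remote="130092963600000000" Dst="2" />
+<file name="ui-icons_222222_256x240.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228710800926" remote="130092963600000000" Dst="2" />
+<file name="ui-icons_2e83ff_256x240.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228711200949" remote="130092963600000000" Dst="2" />
+<file name="ui-icons_888888_256x240.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228711010938" remote="130092963600000000" Dst="2" />
+<file name="ui-icons_cd0a0a_256x240.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228711110944" remote="130092963600000000" Dst="2" />
+<file name="ui-icons_454545_256x240.png" server="dlg360.com//public_html/new4/wp-content/" local="129945228710640917" remote="130092963600000000" Dst="2" />
 </dwsync>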
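--- a/wp-funeral-press/trunk/index.php
+++ b/wp-funeral-press/trunk/index.php
@@ -5,5 +5,5 @@
 Description: An Obituary Plugin For Funeral Homes and Cemeteries
 Author: Anthony Brown
-Version: 1.1.6
+Version: 1.1.7
 Author URI: http://www.wpfuneralpress.com
 */
@@ -12,5 +12,5 @@
 
 global $wpfh_version;
-$wpfh_version = "1.1.6";
+$wpfh_version = "1.1.7";
 
 //includes
@@ -88,4 +88,6 @@
    
       wp_enqueue_style( 'wpfh-tabs' );
+      wp_register_style( 'jqueryui-smoothness-fp',plugins_url('/css/smoothness/jquery-ui-1.9.0.custom.css', __FILE__) );
+  wp_enqueue_style( 'jqueryui-smoothness-fp' );
 }
 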
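Review bot: The new `wp_enqueue_style( 'jqueryui-smoothness-fp' );` in the third hunk is indented two spaces while the `wp_register_style` call and the surrounding `wp_enqueue_style( 'wpfh-tabs' )` sit at six; align it with its neighbours. The registration also passes no `$ver`, so browsers may keep serving a cached stylesheet after the plugin ships a changed copy; since the file already maintains `$wpfh_version`, `wp_register_style( 'jqueryui-smoothness-fp', plugins_url('/css/smoothness/jquery-ui-1.9.0.custom.css', __FILE__), array(), $wpfh_version );` gives cache-busting for free. The enclosing function starts outside the hunk.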
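--- a/wp-funeral-press/trunk/readme.txt
+++ b/wp-funeral-press/trunk/readme.txt
@@ -5,5 +5,5 @@
 Requires at least: 2.0.2
 Tested up to: 3.5.1
-Stable tag: 1.1.6
+Stable tag: 1.1.7
 
 FuneralPress is an online website obituary management and guest book program for funeral homes and cemeteries.
@@ -272,2 +272,6 @@
 * Restuctured some of the menus for new filters and hooks
 * If you are using premium please update both premium and free versions to avoid any errors.
+
+= 1.1.7 =
+
+* Fixed XSS Issues brough up by wordpress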
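--- a/wp-funeral-press/trunk/user/_notes/dwsync.xml
+++ b/wp-funeral-press/trunk/user/_notes/dwsync.xml
@@ -13,5 +13,5 @@
 <file name="shortcodes.php" server="dlg360.com//public_html/new2/wp-content/" local="130057732055889490" remote="130057732800000000" Dst="1" />
 <file name="widgets.php" server="dlg360.com//public_html/new2/wp-content/" local="130057732653103649" remote="130057732800000000" Dst="1" />
-<file name="obits.php" server="dlg360.com//public_html/new4/wp-content/" local="130081948666417909" remote="130081948800000000" Dst="2" />
+<file name="obits.php" server="dlg360.com//public_html/new4/wp-content/" local="130092963052774815" remote="130092963000000000" Dst="2" />
 <file name="obits.php" server="dlg360.com//public_html/new5/wp-content/" local="130063721703467884" remote="130063770600000000" Dst="1" />
 <file name="shortcodes.php" server="dlg360.com//public_html/new5/wp-content/" local="130057732055889490" remote="130063770600000000" Dst="1" />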
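--- a/wp-funeral-press/trunk/user/obits.php
+++ b/wp-funeral-press/trunk/user/obits.php
@@ -182,16 +182,16 @@
                    
                     if($_POST['first_name'] != ""){
-                        $search .=' AND first_name like "%'.$_POST['first_name'].'%" ';
+                        $search .=' AND first_name like "%'. $wpdb->escape($_POST['first_name']).'%" ';
                     }
                     if($_POST['last_name'] != ""){
-                        $search .=' AND last_name like "%'.$_POST['last_name'].'%" ';   
+                        $search .=' AND last_name like "%'. $wpdb->escape($_POST['last_name']).'%" ';   
                     }
                     if($_POST['date'] != ""){
-                    $picked_date = strtotime($_POST['date']);
-                   
-               
-                       
-                       
-                        $search .=' AND YEAR(death_date) = YEAR("'.$_POST['date'].'") AND MONTH(death_date) = MONTH("'.$_POST['date'].'")  ';   
+                    $picked_date = strtotime( $wpdb->escape($_POST['date']));
+                   
+               
+                       
+                       
+                        $search .=' AND YEAR(death_date) = YEAR("'. $wpdb->escape($_POST['date']).'") AND MONTH(death_date) = MONTH("'. $wpdb->escape($_POST['date']).'")  ';   
                     }   
             }
@@ -383,5 +383,5 @@
                             case"guestbook":
                             $insert['type'] = 'guestbook';
-                            $insert['content']   = $_POST['message'];
+                            $insert['content']   = sanitize_text_field( $_POST['message']);
                             break;
                            
@@ -391,5 +391,5 @@
                                 if($_FILES['photo']['name'] != ""){         
                                 $photo = wp_upload_bits($_FILES['photo']["name"], null, file_get_contents($_FILES['photo']["tmp_name"]));       
-                                $photo['desc'] = $_POST['photo-message'];                               
+                                $photo['desc'] = sanitize_text_field($_POST['photo-message']);                             
                                 $insert['content'] =    serialize($photo); 
                                 }   
@@ -399,6 +399,6 @@
                             case"youtube":
                             $insert['type'] = 'youtube';
-                                $youtube['url'] = $_POST['youtube'];
-                                $youtube['desc'] = $_POST['youtube-message'];
+                                $youtube['url'] = sanitize_text_field($_POST['youtube']);
+                                $youtube['desc'] = sanitize_text_field($_POST['youtube-message']);
                             $insert['content']   = serialize($youtube);
                             break;
@@ -406,15 +406,15 @@
                        
                         if($_POST['guest-name'] != ''){
-                            $insert['name'] = $_POST['guest-name'];
-                            $insert['email'] = $_POST['guest-email'];
+                            $insert['name'] = sanitize_text_field($_POST['guest-name']);
+                            $insert['email'] = sanitize_email($_POST['guest-email']);
                             $insert['uid'] = 0;
                         }else{
                         $insert['uid']       = $current_user->ID;
                         }
-                        $insert['oid']       = $_GET['id'];
+                        $insert['oid']       = intval( $_GET['id']);
                        
                         $insert['date']      = time();
                         $insert['approved']  = 0;
-                        $insert['anonymous'] = $_POST['anonymous'];
+                        $insert['anonymous'] =  intval($_POST['anonymous']);
                        
                         $wpdb->insert("" . $wpdb->prefix . "wpfh_posts", $insert);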
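Review bot: In the first hunk, `$wpdb->escape()` around the `first_name`, `last_name` and `date` values only escapes quotes; it leaves the LIKE wildcards `%` and `_` unescaped, so a search term still rewrites the pattern, and on new line 190 it is applied to the value passed to `strtotime()`, which is not SQL at all and receives backslashes that can change how the date parses. The clean fix is to let `$wpdb->prepare()` bind each value with `%s` and wrap the LIKE terms with `like_escape()` (on WordPress 4.0+ `$wpdb->esc_like()`), which removes all the manual quoting in those three clauses; the rewritten lines are below. The later hunks apply `sanitize_text_field()` to values going into `$wpdb->insert()`, which already parameterises its data, so those calls help with stray tags but are not what stops XSS — the template that echoes `name`, `content` and the unserialised `desc`/`url` fields must escape them on output (`esc_html()`, `esc_url()`), and that code is not in this changeset; `$youtube['url']` in particular would be better stored through `esc_url_raw()` so only http(s) URLs are kept. I also see no nonce check in the visible lines around the insert; if the enclosing handler (which starts outside the hunk) does not verify one, the guestbook form is open to cross-site request forgery.
```php
// … unchanged: earlier search clauses …
                    if($_POST['first_name'] != ""){
                        $search .= $wpdb->prepare(' AND first_name like %s ', '%' . like_escape($_POST['first_name']) . '%');
                    }
                    if($_POST['last_name'] != ""){
                        $search .= $wpdb->prepare(' AND last_name like %s ', '%' . like_escape($_POST['last_name']) . '%');
                    }
                    if($_POST['date'] != ""){
                        $picked_date = strtotime($_POST['date']);
                        $search .= $wpdb->prepare(' AND YEAR(death_date) = YEAR(%s) AND MONTH(death_date) = MONTH(%s)  ', $_POST['date'], $_POST['date']);
                    }
// … unchanged: remainder of the search builder …
```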