
Changeset 2804020 for simplepress


Timestamp:
10/25/2022 03:40:01 PM (2 years ago)
Author:
simplepress
Message:

6.8.1

Location:
simplepress/trunk
Files:
23 edited

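--- a/simplepress/trunk/admin/help/admin/tooltips/admin-permissions-tips-en.php
+++ b/simplepress/trunk/admin/help/admin/tooltips/admin-permissions-tips-en.php
@@ -43,4 +43,5 @@
 $tooltips['can_use_smileys'] = $t.'Can use smileys in posts';
 $tooltips['can_use_iframes'] = $t.'Can use iframes in posts';
+$tooltips['can_use_object_tag'] = $t.'Can use the OBJECT and EMBED tags in posts';
 $tooltips['view_own_admin_posts'] = $t.'Can view only own posts and admin/mod posts';
 $tooltips['create_links'] = $t.'Can create links in posts';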
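--- a/simplepress/trunk/admin/library/ajax/spa-ajax-help.php
+++ b/simplepress/trunk/admin/library/ajax/spa-ajax-help.php
@@ -15,5 +15,8 @@
 if (!isset($_GET['file'])) die();
 
-$file = SP()->filters->str($_GET['file']);
+$file = SP()->filters->filename($_GET['file']);
+
+if (empty($file)) die();
+
 $tag = SP()->filters->str($_GET['item']);
 $tag = '['.$tag.']';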
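Review bot: The empty check on the new line 19 is the right complement to `filename()`, since `sanitize_file_name()` reduces inputs such as `../` or `..` to an empty string, but the hunk shows no capability or nonce check before `$_GET['file']` is consumed; if one exists above line 15 this point is moot, otherwise the handler should open with one, e.g. `if (!current_user_can('manage_options')) die();` or the plugin's equivalent. A bare-filename filter still lets the caller name any file in the help directory, so if `$file` is later used to read a help page (not visible in the hunk) an allow-list of the help files that actually exist is a stronger control than sanitization alone.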
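--- a/simplepress/trunk/admin/library/spa-support.php
+++ b/simplepress/trunk/admin/library/spa-support.php
@@ -528,5 +528,6 @@
     SP()->auths->add('can_use_smileys', SP()->filters->esc_sql(SP()->primitives->admin_text_noesc('Can use smileys in posts')), 1, 0, 0, 0, 3, '');
     SP()->auths->add('can_use_iframes', SP()->filters->esc_sql(SP()->primitives->admin_text_noesc('Can use iframes in posts')), 1, 1, 0, 0, 3, SP()->primitives->admin_text('*** WARNING *** The use of iframes is dangerous. Allowing users to create iframes enables them to launch a potential security threat against your website. Enabling iframes requires your trust in your users. Turn on with care.'));
+    SP()->auths->add('can_use_object_tag', SP()->filters->esc_sql(SP()->primitives->admin_text_noesc('Can use OBJECT and EMBED tags in posts')), 1, 1, 0, 0, 3, SP()->primitives->admin_text('*** WARNING *** The use of the OBJECT and EMBEG tags is dangerous. Allowing users to embed objects enables them to launch a potential security threat against your website. Enabling the OBJECT and EMBED tags requires your trust in your users. Turn on with care.'));
     SP()->auths->add('edit_own_topic_titles', SP()->filters->esc_sql(SP()->primitives->admin_text_noesc('Can edit own topic titles')), 1, 1, 0, 0, 4, '');
     SP()->auths->add('edit_any_topic_titles', SP()->filters->esc_sql(SP()->primitives->admin_text_noesc('Can edit any topic title')), 1, 1, 0, 0, 4, '');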
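Review bot: The admin warning string on the new line 530 misspells the tag as `EMBEG`; it should read `'*** WARNING *** The use of the OBJECT and EMBED tags is dangerous. ...'`. The permission description also differs slightly from the tooltip added to admin-permissions-tips-en.php in this same changeset ('Can use OBJECT and EMBED tags' versus 'Can use the OBJECT and EMBED tags'); aligning the two keeps the permission findable by the same wording in both places.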
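--- a/simplepress/trunk/admin/library/spa-tab-support.php
+++ b/simplepress/trunk/admin/library/spa-tab-support.php
@@ -440,5 +440,4 @@
 function spa_paint_css_editor($label, $name, $value, $submessage='', $rows=10) {
     if(floatval(get_bloginfo('version')) >= 4.9) {
-error_log( 'blog version passed ok');
         spa_paint_code_editor('text/css', $label, $name, $value, $submessage, $rows);
     } else {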
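--- a/simplepress/trunk/admin/panel-components/ajax/spa-ajax-components.php
+++ b/simplepress/trunk/admin/panel-components/ajax/spa-ajax-components.php
@@ -62,5 +62,5 @@
 
 if ($action == 'delsmiley') {
-    $file = SP()->filters->str($_GET['file']);
+    $file = SP()->filters->filename($_GET['file']);
     $path = SP_STORE_DIR.'/'.SP()->plugin->storage['smileys'].'/'.$file;
     @unlink($path);
@@ -88,5 +88,5 @@
 
 if ($action == 'delbadge') {
-    $file = SP()->filters->str($_GET['file']);
+    $file = SP()->filters->filename($_GET['file']);
     $path = SP_STORE_DIR.'/'.SP()->plugin->storage['ranks'].'/'.$file;
     @unlink($path);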
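Review bot: `filename()` stops traversal in the `delsmiley` and `delbadge` handlers, but it can return an empty string (for inputs such as `../`), in which case `$path` on lines 65 and 91 ends with `/`, `@unlink()` is attempted on the storage directory itself, and the `@` hides the failure; nothing confirms the resolved target is a regular file. The same four lines are repeated here and in spa-ajax-forums.php and spa-ajax-profiles.php, so a shared helper that rejects empty names, confirms with `realpath()` that the path stays inside the storage directory, checks `is_file()`, and reports the `unlink()` result would fix all of them at once. No capability or nonce check is visible in either hunk; if the file performs one above line 62 that part of this note does not apply.
```php
# Delete one file from a plugin storage sub-directory; refuses anything that does not resolve inside it.
function spa_delete_stored_file($subdir, $file) {
    $file = SP()->filters->filename($file);
    if (empty($file)) return false;
    $dir  = realpath(SP_STORE_DIR.'/'.$subdir);
    $path = ($dir === false) ? false : realpath($dir.'/'.$file);
    if ($dir === false || $path === false || strpos($path, $dir.DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) return false;
    return unlink($path);
}

if ($action == 'delsmiley') {
    spa_delete_stored_file(SP()->plugin->storage['smileys'], $_GET['file']);
    // … unchanged: rest of delsmiley handler …
```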
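--- a/simplepress/trunk/admin/panel-forums/ajax/spa-ajax-forums.php
+++ b/simplepress/trunk/admin/panel-forums/ajax/spa-ajax-forums.php
@@ -33,5 +33,5 @@
 
 if ($action == 'delicon') {
-    $file = SP()->filters->str($_GET['file']);
+    $file = SP()->filters->filename($_GET['file']);
     $path = SP_STORE_DIR.'/'.SP()->plugin->storage['custom-icons'].'/'.$file;
     @unlink($path);
@@ -39,5 +39,5 @@
 
 if ($action == 'delimage') {
-    $file = SP()->filters->str($_GET['file']);
+    $file = SP()->filters->filename($_GET['file']);
     $path = SP_STORE_DIR.'/'.SP()->plugin->storage['forum-images'].'/'.$file;
     @unlink($path);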
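Review bot: As in the components handler, an empty result from `filename()` (input such as `../`) leaves `$path` on lines 36 and 42 pointing at the storage directory itself, and `@unlink()` then fails silently. Add `if (empty($file)) die();` after each `filename()` call, as spa-ajax-help.php does in this same changeset, and drop the `@` in favour of checking the return value so a failed delete is visible in the response. A `realpath()` check that the final path is still under `SP_STORE_DIR` would keep these handlers safe should `filename()` ever be relaxed.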
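--- a/simplepress/trunk/admin/panel-plugins/ajax/spa-ajax-plugins-help.php
+++ b/simplepress/trunk/admin/panel-plugins/ajax/spa-ajax-plugins-help.php
@@ -15,5 +15,5 @@
 if (!isset($_GET['file'])) die();
 
-$file = SP()->filters->str($_GET['file']);
+$file = SP()->filters->filename($_GET['file']);
 
 # Formatting and Display of Help Panel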
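Review bot: Unlike spa-ajax-help.php, which gained `if (empty($file)) die();` after the identical `filename()` call in this changeset, this handler carries on with a possibly-empty `$file`; `sanitize_file_name()` returns an empty string for inputs such as `../` or `..`, so the same guard belongs on line 18 here. The hunk shows no capability or nonce check before `$_GET['file']` is consumed; if none exists above line 15, one should be added ahead of the file handling.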
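--- a/simplepress/trunk/admin/panel-profiles/ajax/spa-ajax-profiles.php
+++ b/simplepress/trunk/admin/panel-profiles/ajax/spa-ajax-profiles.php
@@ -19,5 +19,5 @@
 
 if ($action == 'delavatar') {
-    $file = SP()->filters->str($_GET['file']);
+    $file = SP()->filters->filename($_GET['file']);
     $path = SP_STORE_DIR.'/'.SP()->plugin->storage['avatar-pool'].'/'.$file;
     @unlink($path);
@@ -26,5 +26,5 @@
 
 if ($action == 'deldefault') {
-    $file = SP()->filters->str($_GET['file']);
+    $file = SP()->filters->filename($_GET['file']);
     $path = SP_STORE_DIR.'/'.SP()->plugin->storage['avatars'].'/defaults/'.$file;
     @unlink($path);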
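Review bot: Same gap as the other delete handlers in this changeset: `filename()` can yield an empty string, after which lines 22 and 29 build a path to the directory itself and `@unlink()` fails silently. Add `if (empty($file)) die();` after each `filename()` call and test the return of `unlink()` rather than suppressing it. Checking `is_file($path)` before the unlink would also make the handler's outcome meaningful to the caller instead of silently doing nothing for a name that does not exist.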
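--- a/simplepress/trunk/admin/panel-themes/forms/spa-themes-editor-form.php
+++ b/simplepress/trunk/admin/panel-themes/forms/spa-themes-editor-form.php
@@ -14,5 +14,5 @@
 
     $themedir = SPTHEMEBASEDIR.$curTheme['theme'];
-    $file = (isset($_GET['file'])) ? SP()->filters->str($_GET['file']) : '';
+    $file = (isset($_GET['file'])) ? SP()->filters->filename($_GET['file']) : '';
     $type = (isset($_GET['type'])) ? SP()->filters->str($_GET['type']) : 'style';
     if (empty($file)) {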
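Review bot: This form reads `$_GET['file']` and `$_GET['type']` without the `SP_ALLOW_THEME_EDITOR` gate that the same changeset adds to the menu (spa-admin-menu.php) and to `spa_save_editor_data()`; if the form can be reached by direct request rather than only through the menu, the same test belongs before line 15, e.g. `if (!defined('SP_ALLOW_THEME_EDITOR') || !SP_ALLOW_THEME_EDITOR) return;`. `$type` is only passed through `str()`; if it selects a sub-directory or extension under `$themedir` (not visible in the hunk), it should be validated against the fixed set of editor types with `in_array($type, array('style', ...), true)` rather than treated as free text. The enclosing function starts above the hunk.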
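--- a/simplepress/trunk/admin/panel-themes/support/spa-themes-save.php
+++ b/simplepress/trunk/admin/panel-themes/support/spa-themes-save.php
@@ -232,7 +232,15 @@
 
 function spa_save_editor_data() {
+
+    # This function should only be called if a wp-config.php constant is defined.
+    # if it's not defined, bail immediately with an error.
+    if ( ( ! defined('SP_ALLOW_THEME_EDITOR') ) || (defined('SP_ALLOW_THEME_EDITOR') && ! SP_ALLOW_THEME_EDITOR)) {
+        $msg = SP()->primitives->admin_text('Security warning - you do not have permission to edit themes.');
+        return $msg;
+    }
+
     check_admin_referer('forum-adminform_theme-editor', 'forum-adminform_theme-editor');
 
-    $file = SP()->filters->str($_POST['file']);
+    $file = SP()->filters->filename($_POST['file']);
     $newcontent = stripslashes($_POST['spnewcontent']);
     if (is_writeable($file)) {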
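Review bot: After the switch to `filename()`, `$file` is a bare name with no directory component, so `is_writeable($file)` on line 246 is evaluated relative to PHP's current working directory rather than the theme directory; unless a path is prefixed further down (the function continues past the hunk), the check and the write that presumably follows no longer refer to the intended file. Compose the path explicitly against the theme directory the editor form derives from `SPTHEMEBASEDIR`, e.g. `$path = $themedir.'/'.$file;`, and verify with `realpath()` that it resolves under that directory before testing writability. The new guard on line 237 can be stated as `if (!defined('SP_ALLOW_THEME_EDITOR') || !SP_ALLOW_THEME_EDITOR)`, which is equivalent to the two-clause form and easier to read.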
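--- a/simplepress/trunk/forum/resources/jscript/sp-forum.js
+++ b/simplepress/trunk/forum/resources/jscript/sp-forum.js
@@ -62,4 +62,10 @@
             reason += "<strong>" + sp_forum_vars.iframe + "</strong><br />";
         }
+        if (thisPost.match('<object') && sp_platform_vars.checkiframe == 'yes') {
+            reason += "<strong>" + sp_forum_vars.object_tag + "</strong><br />";
+        }
+        if (thisPost.match('<embed') && sp_platform_vars.checkiframe == 'yes') {
+            reason += "<strong>" + sp_forum_vars.embed_tag + "</strong><br />";
+        }
 
         if (sp_platform_vars.postvalue != undefined) {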
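Review bot: `thisPost.match('<object')` on the new lines 64 and 67 compiles the string as a case-sensitive regular expression, so `<OBJECT` or `<Embed` pass the client-side check silently; use `/<object/i` and `/<embed/i` so the warning the user sees matches what the server will strip. Both new conditions are gated on `sp_platform_vars.checkiframe` rather than an object-specific flag, so a user who may post iframes but not objects gets no warning even though the kses allow-list in sp-api-class-spcsavefilters.php will still remove the tags; a separate flag such as `checkobject` keeps the client and server views aligned. This is a usability check only — the server-side filter remains the control, and the enclosing function starts above the hunk.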
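--- a/simplepress/trunk/forum/resources/jscript/sp-forum.min.js
+++ b/simplepress/trunk/forum/resources/jscript/sp-forum.min.js
@@ -62,4 +62,10 @@
             reason += "<strong>" + sp_forum_vars.iframe + "</strong><br />";
         }
+        if (thisPost.match('<object') && sp_platform_vars.checkiframe == 'yes') {
+            reason += "<strong>" + sp_forum_vars.object_tag + "</strong><br />";
+        }
+        if (thisPost.match('<embed') && sp_platform_vars.checkiframe == 'yes') {
+            reason += "<strong>" + sp_forum_vars.embed_tag + "</strong><br />";
+        }
 
         if (sp_platform_vars.postvalue != undefined) {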
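--- a/simplepress/trunk/readme.txt
+++ b/simplepress/trunk/readme.txt
@@ -7,5 +7,5 @@
 Tested up to: 6.1
 Requires PHP: 7.0
-Stable tag: 6.8.0
+Stable tag: 6.8.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -323,4 +323,8 @@
 == Changelog ==
 
+= 6.8.1 =
+* Fix
+    * G00000: Various security related fixes.
+
 = 6.8.0 =
 * New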
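--- a/simplepress/trunk/sp-api/sp-api-class-spcdisplayfilters.php
+++ b/simplepress/trunk/sp-api/sp-api-class-spcdisplayfilters.php
@@ -112,6 +112,9 @@
         $content = $this->chars($content);
 
-        # 2: remove escape slashes
+        # 2: Remove escape slashes
         $content = $this->stripslashes($content);
+
+        # 3: Run it through the wp_kses_post function.
+        $content = wp_kses_post($content);
 
         $content = apply_filters('sph_display_title_filter', $content, $original);
@@ -127,6 +130,9 @@
         $content = $this->chars($content);
 
-        # 2: remove escape slashes
+        # 2: Remove escape slashes
         $content = $this->stripslashes($content);
+
+        # 3: Sanitize text field.
+        $content = sanitize_text_field($content);
 
         $content = apply_filters('sph_display_name_filter', $content, $original);
@@ -142,6 +148,10 @@
         $email = $this->chars($email);
 
-        # 2: remove escape slashes
+        # 2: Remove escape slashes
         $email = $this->stripslashes($email);
+
+        # 3: Run it through the native WP sanitize_email function.
+        # Warning: This function uses a smaller allowable character set than the set defined by RFC 5322. Some legal email addresses may be changed.
+        $email = sanitize_email($email);
 
         $email = apply_filters('sph_display_email_filter', $email, $original);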
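Review bot: In the title filter the content goes through `$this->chars()` on line 112 before `wp_kses_post()` on line 118; if `chars()` already entity-encodes the text, kses sees no tags to filter and its entity normalisation may rewrite sequences that `chars()` produced, so the intended order (kses on raw text, encoding last) is worth confirming and recording in the step comments. Because these filters run on the display path, a one-line comment stating whether this is defence in depth for content already filtered on save, or the only filter for titles stored raw, would let the next reader judge how much the `sph_display_*` hooks may safely relax. The methods containing the three hunks start above the hunk boundaries.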
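--- a/simplepress/trunk/sp-api/sp-api-class-spcfilters.php
+++ b/simplepress/trunk/sp-api/sp-api-class-spcfilters.php
@@ -53,4 +53,18 @@
         $string = wp_kses($string, array());
 
+        return $string;
+    }
+
+    public function filename($string) {
+
+        # 1. Remove slashes.
+        $string = str_replace ( '/' , "", $string);
+
+        #2. Remove backslashes (note use of double back-slash - str_replace needs it as an escape mechanism since back-slash has special meaning for it.)
+        $string = str_replace ( '\\' , "", $string);
+
+        #3. Run it through the wp file sanitization function to remove everything else
+        $string = sanitize_file_name($string);
+
         return $string;
     }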
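Review bot: `filename()` needs a docblock stating its contract: it returns a single path component, never a path, and it can return an empty string (for example for `../`, or a name consisting only of characters `sanitize_file_name()` strips), so every caller must treat an empty result as invalid before building a path. The two `str_replace()` calls on lines 61 and 64 are redundant with `sanitize_file_name()`, which already removes `/` and `\`; that is harmless, but the step comments should say they are belt-and-braces rather than the control. A sentence noting that the caller must still anchor the result in a fixed directory (the filter cannot know where the file lives) would prevent mistakes of the `is_writeable($file)` kind seen in spa-themes-save.php.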
  • simplepress/trunk/sp-api/sp-api-class-spcsavefilters.php

    r1995259 r2804020  
    9696        $original = $content;
    9797
    98         # 1: strip mb4 chars if unsuppofrted
     98        # 1: strip mb4 chars if unsupported
    9999        $content = $this->utf8mb4($content, $table, $column);
    100100
     
    118118        $original = $content;
    119119
    120         #1: Remobe control chars
     120        #1: Remove control chars
    121121        $content = $this->nocontrolchars($content);
    122122
     
    597597
    598598        $allowedforumprotocols = apply_filters('sph_allowed_protocols', array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'clsid', 'data'));
    599         $allowedforumtags      = array('address' => array('class' => true), 'a' => array('class' => true, 'href' => true, 'id' => true, 'title' => true, 'rel' => true, 'rev' => true, 'name' => true, 'target' => true, 'style' => true), 'abbr' => array('class' => true, 'title' => true), 'acronym' => array('title' => true, 'class' => true), 'article' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'aside' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'audio' => array('autoplay' => true, 'class' => true, 'controls' => true, 'id' => true, 'loop' => true, 'muted' => true, 'poster' => true, 'preload' => true, 'src' => true, 'style' => true), 'b' => array('class' => true), 'big' => array('class' => true), 'blockquote' => array('id' => true, 'cite' => true, 'class' => true, 'lang' => true, 'xml:lang' => true, 'style' => true), 'br' => array('class' => true), 'caption' => array('align' => true, 'class' => true), 'cite' => array('class' => true, 'dir' => true, 'lang' => true, 'title' => true), 'code' => array('class' => true, 'style' => true), 'dd' => array('class' => true), 'del' => array('datetime' => true), 'details' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'open' => true, 'style' => true, 'xml:lang' => true), 'div' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'dl' => array('class' => true), 'dt' => array('class' => true), 'em' => array('class' => true), 'embed' => array('height' => true, 'name' => true, 'pallette' => true, 'src' => true, 'type' => true, 'width' => true), 'figure' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'figcaption' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'font' => array('color' => 
true, 'face' => true, 'size' => true), 'footer' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'header' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'hgroup' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'h1' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'h2' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'h3' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'h4' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'h5' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'h6' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'hr' => array('align' => true, 'class' => true, 'noshade' => true, 'size' => true, 'width' => true), 'i' => array('class' => true), 'img' => array('alt' => true, 'title' => true, 'align' => true, 'border' => true, 'class' => true, 'height' => true, 'hspace' => true, 'longdesc' => true, 'vspace' => true, 'src' => true, 'style' => true, 'width' => true, 'data-upload' => true, 'data-width' => true, 'data-height' => true), 'ins' => array('datetime' => true, 'cite' => true), 'kbd' => array('class' => true), 'label' => array('for' => true), 'legend' => array('align' => true), 'li' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'menu' => array('class' => true, 'style' => true, 'type' => true), 'nav' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'object' => array('classid' => true, 'codebase' => true, 'codetype' => true, 'data' => true, 'declare' => true, 'height' => true, 'name' => true, 'param' => true, 'standby' => true, 'type' => true, 'usemap' => true, 'width' => true), 'param' => array('id' => true, 'name' => 
true, 'type' => true, 'value' => true, 'valuetype' => true), 'p' => array('class' => true, 'align' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'pre' => array('class' => true, 'style' => true, 'width' => true), 'q' => array('cite' => true), 's' => array('class' => true), 'section' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'small' => array('class' => true), 'source' => array('class' => true, 'id' => true, 'media' => true, 'src' => true, 'style' => true, 'type' => true), 'span' => array('class' => true, 'dir' => true, 'align' => true, 'lang' => true, 'style' => true, 'title' => true, 'xml:lang' => true, 'id' => true), 'strike' => array('class' => true), 'strong' => array('class' => true), 'sub' => array('class' => true), 'summary' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'sup' => array('class' => true), 'table' => array('align' => true, 'bgcolor' => true, 'border' => true, 'cellpadding' => true, 'cellspacing' => true, 'class' => true, 'dir' => true, 'id' => true, 'rules' => true, 'style' => true, 'summary' => true, 'width' => true), 'tbody' => array('align' => true, 'char' => true, 'charoff' => true, 'valign' => true), 'td' => array('abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'class' => true, 'colspan' => true, 'dir' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'style' => true, 'valign' => true, 'width' => true), 'tfoot' => array('align' => true, 'char' => true, 'class' => true, 'charoff' => true, 'valign' => true), 'th' => array('abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'class' => true, 'colspan' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'valign' => true, 'width' => 
true), 'thead' => array('align' => true, 'char' => true, 'charoff' => true, 'class' => true, 'valign' => true), 'title' => array('class' => true), 'tr' => array('align' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'class' => true, 'style' => true, 'valign' => true), 'tt' => array('class' => true), 'u' => array('class' => true), 'ul' => array('class' => true, 'style' => true, 'type' => true), 'ol' => array('class' => true, 'start' => true, 'style' => true, 'type' => true), 'var' => array('class' => true), 'video' => array('autoplay' => true, 'class' => true, 'controls' => true, 'height' => true, 'id' => true, 'loop' => true, 'muted' => true, 'poster' => true, 'preload' => true, 'src' => true, 'style' => true, 'width' => true));
     599        $allowedforumtags      = array('address' => array('class' => true),
     600                                        'a' => array('class' => true, 'href' => true, 'id' => true, 'title' => true, 'rel' => true, 'rev' => true, 'name' => true, 'target' => true, 'style' => true),
     601                                        'abbr' => array('class' => true, 'title' => true),
     602                                        'acronym' => array('title' => true, 'class' => true),
     603                                        'article' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),
     604                                        'aside' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),
     605                                        'audio' => array('autoplay' => true, 'class' => true, 'controls' => true, 'id' => true, 'loop' => true, 'muted' => true, 'poster' => true, 'preload' => true, 'src' => true, 'style' => true),
     606                                        'b' => array('class' => true),
     607                                        'big' => array('class' => true),
     608                                        'blockquote' => array('id' => true, 'cite' => true, 'class' => true, 'lang' => true, 'xml:lang' => true, 'style' => true),
     609                                        'br' => array('class' => true),
     610                                        'caption' => array('align' => true, 'class' => true),
     611                                        'cite' => array('class' => true, 'dir' => true, 'lang' => true, 'title' => true),
     612                                        'code' => array('class' => true, 'style' => true), 'dd' => array('class' => true),
     613                                        'del' => array('datetime' => true),
     614                                        'details' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'open' => true, 'style' => true, 'xml:lang' => true),
     615                                        'div' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),
     616                                        'dl' => array('class' => true),
     617                                        'dt' => array('class' => true),
     618                                        'em' => array('class' => true),                                         
     619                                        'figure' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),
     620                                        'figcaption' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),
     621                                        'font' => array('color' => true, 'face' => true, 'size' => true),
     622                                        'footer' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),
     623                                        'header' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),
     624                                        'hgroup' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),
     625                                        'h1' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),
     626                                        'h2' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),
     627                                        'h3' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),
     628                                        'h4' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),
     629                                        'h5' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),
     630                                        'h6' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),
     631                                        'hr' => array('align' => true, 'class' => true, 'noshade' => true, 'size' => true, 'width' => true),
     632                                        'i' => array('class' => true),
     633                                        'img' => array('alt' => true, 'title' => true, 'align' => true, 'border' => true, 'class' => true, 'height' => true, 'hspace' => true, 'longdesc' => true, 'vspace' => true, 'src' => true, 'style' => true, 'width' => true, 'data-upload' => true, 'data-width' => true, 'data-height' => true),
     634                                        'ins' => array('datetime' => true, 'cite' => true),
     635                                        'kbd' => array('class' => true),
     636                                        'label' => array('for' => true),
     637                                        'legend' => array('align' => true),
     638                                        'li' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),
     639                                        'menu' => array('class' => true, 'style' => true, 'type' => true),
     640                                        'nav' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),
     641                                        'param' => array('id' => true, 'name' => true, 'type' => true, 'value' => true, 'valuetype' => true),
     642                                        'p' => array('class' => true, 'align' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),
     643                                        'pre' => array('class' => true, 'style' => true, 'width' => true), 'q' => array('cite' => true),
     644                                        's' => array('class' => true),
     645                                        'section' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),
     646                                        'small' => array('class' => true),
     647                                        'source' => array('class' => true, 'id' => true, 'media' => true, 'src' => true, 'style' => true, 'type' => true),
     648                                        'span' => array('class' => true, 'dir' => true, 'align' => true, 'lang' => true, 'style' => true, 'title' => true, 'xml:lang' => true, 'id' => true),
     649                                        'strike' => array('class' => true),
     650                                        'strong' => array('class' => true),
     651                                        'sub' => array('class' => true),
     652                                        'summary' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),
     653                                        'sup' => array('class' => true),
     654                                        'table' => array('align' => true, 'bgcolor' => true, 'border' => true, 'cellpadding' => true, 'cellspacing' => true, 'class' => true, 'dir' => true, 'id' => true, 'rules' => true, 'style' => true, 'summary' => true, 'width' => true),
     655                                        'tbody' => array('align' => true, 'char' => true, 'charoff' => true, 'valign' => true),
     656                                        'td' => array('abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'class' => true, 'colspan' => true, 'dir' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'style' => true, 'valign' => true, 'width' => true),
     657                                        'tfoot' => array('align' => true, 'char' => true, 'class' => true, 'charoff' => true, 'valign' => true),
     658                                        'th' => array('abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'class' => true, 'colspan' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'valign' => true, 'width' => true),
     659                                        'thead' => array('align' => true, 'char' => true, 'charoff' => true, 'class' => true, 'valign' => true),
     660                                        'title' => array('class' => true),
     661                                        'tr' => array('align' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'class' => true, 'style' => true, 'valign' => true),
     662                                        'tt' => array('class' => true),
     663                                        'u' => array('class' => true),
     664                                        'ul' => array('class' => true, 'style' => true, 'type' => true),
     665                                        'ol' => array('class' => true, 'start' => true, 'style' => true, 'type' => true),
     666                                        'var' => array('class' => true),
     667                                        'video' => array('autoplay' => true, 'class' => true, 'controls' => true, 'height' => true, 'id' => true, 'loop' => true, 'muted' => true, 'poster' => true, 'preload' => true, 'src' => true, 'style' => true, 'width' => true)
     668                                    );
    600669
    601670        $target = (isset(SP()->rewrites->pageData['forumid'])) ? SP()->rewrites->pageData['forumid'] : 'global';
     671
    602672        if (isset(SP()->user->thisUser) && SP()->auths->get('can_use_iframes', $target, SP()->user->thisUser->ID)) {
    603673            $allowedforumtags['iframe'] = array('width' => true, 'height' => true, 'frameborder' => true, 'src' => true, 'marginwidth' => true, 'marginheight' => true);
    604674        }
     675        if (isset(SP()->user->thisUser) && SP()->auths->get('can_use_object_tag', $target, SP()->user->thisUser->ID)) {
     676            $allowedforumtags['object'] = array('classid' => true, 'codebase' => true, 'codetype' => true, 'data' => true, 'declare' => true, 'height' => true, 'name' => true, 'param' => true, 'standby' => true, 'type' => true, 'usemap' => true, 'width' => true);
     677            $allowedforumtags['embed']  = array('height' => true, 'name' => true, 'pallette' => true, 'src' => true, 'type' => true, 'width' => true);
     678        }
    605679
    606680        $allowedforumtags = apply_filters('sph_kses_allowed_tags', $allowedforumtags);
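Review bot: The new `can_use_object_tag` branch on lines 675–678 allows `data`, `codebase` and `src` on `object`/`embed`, and the default `sph_allowed_protocols` list on line 598 (context) includes `data` and `clsid`, so as far as I can tell users granted the permission can embed inline `data:` payloads as well as arbitrary remote URLs — the same exposure as iframes, as the admin warning says, but worth excluding `data` for these two tags or dropping it from the default protocol list unless something else needs it; confirm how `wp_kses` treats the `data` attribute on `object` before relying on this. The permission is resolved against `SP()->rewrites->pageData['forumid']` (falling back to `'global'`) on line 670, i.e. the forum of the current page rather than the forum the post is saved into; confirm these always coincide on the save path, otherwise a per-forum grant can be sidestepped by posting from a different page. The enclosing function starts above the hunk.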
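--- a/simplepress/trunk/sp-api/sp-api-class-spcuser.php
+++ b/simplepress/trunk/sp-api/sp-api-class-spcuser.php
@@ -408,7 +408,6 @@
         $sfmemberopts = SP()->options->get('sfmemberopts');
         if (isset($_COOKIE['sforum_'.COOKIEHASH]) && $sfmemberopts['sfcheckformember']) {
-            # Yes it is - a user not logged in
-            $username = $_COOKIE['sforum_'.COOKIEHASH];
-
+            # Yes it is - a user not logged in.  So grab the user name but sanitize it in case its used for anything other than a display.
+            $username = SP()->displayFilters->name($_COOKIE['sforum_'.COOKIEHASH]);
             return $username;
         }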
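Review bot: Passing the cookie through `displayFilters->name()` makes the value safe to echo, but the cookie is entirely client-controlled, so this is sanitisation rather than authentication; if the returned `$username` is used to attribute guest posts or to look up a member record (not visible here), the caller still needs its own check. The comment on line 410 could say this explicitly, e.g. `# Cookie value is client-supplied: sanitized for display only, never trusted as an identity.` The enclosing method starts above the hunk.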
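--- a/simplepress/trunk/sp-control.php
+++ b/simplepress/trunk/sp-control.php
@@ -10,5 +10,5 @@
  * Plugin Name:         Simple:Press
  * Plugin URI:          https://simple-press.com
- * Version:             6.8.0
+ * Version:             6.8.1
  * Description:         The most versatile and feature-rich forums plugin for WordPress
  * Author:              The Simple:Press Team
@@ -341,5 +341,5 @@
             # version and system control constants
             define('SPPLUGNAME', 'Simple:Press');
-            define('SPVERSION', '6.8.0');
+            define('SPVERSION', '6.8.1');
 
             # Define a variable that can be used for versioning scripts - required to force multisite to use different version numbers for each site.
@@ -358,6 +358,6 @@
             }
 
-            define('SPBUILD', 15877);
-            define('SPSILENT', 15865);
+            define('SPBUILD', 15878);
+            define('SPSILENT', 15878);
             define('SPRELEASE', 'Release');
 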
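--- a/simplepress/trunk/sp-startup/admin/spa-admin-menu.php
+++ b/simplepress/trunk/sp-startup/admin/spa-admin-menu.php
@@ -374,6 +374,11 @@
             'tablet' => 'sfreloadtablist'));
     if (!is_multisite() || is_super_admin()) {
-        $forms[SP()->primitives->admin_text('Theme Editor')] = array(
-            'editor' => 'sfreloadttedit');
+        # Only allow the theme editor if defined in the wp-config.php file.
+        # Note that allowing this option allows the admin to write to ANY file in the wp installation folder.
+        # And, if the web server or php configuration is insecure, potentially write to any file on the server.
+        if (defined('SP_ALLOW_THEME_EDITOR') && SP_ALLOW_THEME_EDITOR) {
+            $forms[SP()->primitives->admin_text('Theme Editor')] = array(
+                'editor' => 'sfreloadttedit');
+        }
         $forms[SP()->primitives->admin_text('Custom CSS')] = array(
             'css' => 'sfreloadcss');
@@ -390,5 +395,8 @@
     }
     if (spa_saas_check()) {
-        unset($forms[SP()->primitives->admin_text('Theme Editor')]);
+        # The theme editor menu option is only allowed sometimes so check to make sure it's even in the array before attempting to unset it.
+        if (isset($forms[SP()->primitives->admin_text('Theme Editor')])) {
+            unset($forms[SP()->primitives->admin_text('Theme Editor')]);
+        }
     }
     if (spa_saas_check()) {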
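Review bot: Gating the Theme Editor entry on `SP_ALLOW_THEME_EDITOR` only hides the menu item; the code that actually saves theme files (whatever serves the `sfreloadttedit` form) is not in this section, and unless it performs the same `defined('SP_ALLOW_THEME_EDITOR') && SP_ALLOW_THEME_EDITOR` check, a direct request to that handler still has the any-file-write capability the new comment warns about. I would repeat the constant check in the save handler and have it bail (`die()`) when the constant is unset, so the menu gate is not the only control. The same constant test would then live in two places, so a small helper such as `function spa_theme_editor_allowed() { return defined('SP_ALLOW_THEME_EDITOR') && SP_ALLOW_THEME_EDITOR; }` would keep them in step. The enclosing function starts and ends outside this section.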
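--- a/simplepress/trunk/sp-startup/core/sp-core-support-functions.php
+++ b/simplepress/trunk/sp-startup/core/sp-core-support-functions.php
@@ -57,5 +57,5 @@
         # first check that an uograde is actually necessary or whether we can do it silently
         if (SP()->options->get('sfforceupgrade') == false && $current_build >= SPSILENT) {
-            # we can do it sliently...
+            # we can do it silently...
             require_once SP_PLUGIN_DIR.'/sp-startup/install/sp-upgrade-support.php';
             require_once SP_PLUGIN_DIR.'/sp-startup/install/sp-install-support.php';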
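--- a/simplepress/trunk/sp-startup/forum/sp-forum-framework.php
+++ b/simplepress/trunk/sp-startup/forum/sp-forum-framework.php
@@ -20,5 +20,5 @@
 function sp_load_forum_scripts() {
     # Older themes (Unified) define a constant SP_MOBILE_THEME now being deprecated.
-    # if this constant exists (custom Unfied theme) swap for theme cap registration
+    # if this constant exists (custom Unified theme) swap for theme cap registration
     if (defined('SP_MOBILE_THEME') && SP_MOBILE_THEME) add_theme_support('sp-theme-responsive');
 
@@ -62,4 +62,6 @@
         'rejected'       => SP()->primitives->front_text('This post is rejected because it contains embedded formatting, probably pasted in form MS Word or other WYSIWYG editor'),
         'iframe'         => SP()->primitives->front_text('This post contains an iframe which are disallowed'),
+        'object_tag'     => SP()->primitives->front_text('This post contains an OBJECT tag which are disallowed'),
+        'embed_tag'      => SP()->primitives->front_text('This post contains an EMBED tag which are disallowed'),
         'savingpost'     => SP()->primitives->front_text('Saving post'),
         'nosearch'       => SP()->primitives->front_text('No search text entered'),
@@ -107,5 +109,5 @@
     do_action('sph_print_plugin_scripts', $footer);
 
-    # either enqueue the combines js script cache (checks for udpates first) )or enqueue individual scripts
+    # either enqueue the combines js script cache (checks for updates first) )or enqueue individual scripts
     $combine_js = SP()->options->get('combinejs');
     if ($combine_js) { # use compressed scripts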
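Review bot: The new `object_tag` and `embed_tag` entries are strings handed to the front-end scripts, so they can only ever be a client-side notice; the OBJECT/EMBED restriction they describe still has to be enforced in the server-side post filter against the new `can_use_object_tag` auth, because a client that skips the JavaScript check can submit the post directly, and that server-side code is not visible in this section. The wording also copies the grammatical slip of the existing `iframe` string; I would register them as `'object_tag'     => SP()->primitives->front_text('This post contains an OBJECT tag, which is disallowed'),` and `'embed_tag'      => SP()->primitives->front_text('This post contains an EMBED tag, which is disallowed'),` before these msgids reach the translation catalogs. The enclosing function `sp_load_forum_scripts` continues outside this hunk.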
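--- a/simplepress/trunk/sp-startup/install/sp-upgrade-support.php
+++ b/simplepress/trunk/sp-startup/install/sp-upgrade-support.php
@@ -123,5 +123,5 @@
     sp_log_event(SPRELEASE, SPVERSION, SPBUILD, 0);
 
-    # and some final cleanuop tasks
+    # and some final cleanup tasks
     SP()->auths->reset_cache();
 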
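--- a/simplepress/trunk/sp-startup/install/sp-upgrade.php
+++ b/simplepress/trunk/sp-startup/install/sp-upgrade.php
@@ -486,4 +486,13 @@
 }
 
+# Start of Upgrade Routines - 6.8.1 ============================================================
+$section = 15878;
+if ($build < $section) {
+
+    // Add new AUTHS.
+    SP()->auths->add('can_use_object_tag', SP()->filters->esc_sql(SP()->primitives->admin_text_noesc('Can use OBJECT and EMBED tags in posts')), 1, 1, 0, 0, 3, SP()->primitives->admin_text('*** WARNING *** The use of the OBJECT and EMBEG tags is dangerous. Allowing users to embed objects enables them to launch a potential security threat against your website. Enabling the OBJECT and EMBED tags requires your trust in your users. Turn on with care.'));
+    sp_response($section);
+}
+
 # ****** IMPORTANT: THE FINAL $section values MUST be the same as the SPBUILD constant
 # ******            for the Upgrade to complete correctly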
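Review bot: The warning text registered with `can_use_object_tag` has a typo in an admin-facing, translatable string: `'*** WARNING *** The use of the OBJECT and EMBEG tags is dangerous.'` should read `OBJECT and EMBED tags`; because it is passed through `admin_text`, the misspelling becomes the msgid in any translation catalog, and the same literal presumably exists wherever the auth is registered for fresh installs, so every copy needs the fix. The positional arguments `1, 1, 0, 0, 3` to `SP()->auths->add()` are opaque from this hunk; I would confirm that after this routine runs on an existing installation the new capability is denied for every non-admin permission set, since an upgrade routine is exactly where a newly introduced dangerous capability would otherwise be granted silently. `$section = 15878;` does match the `SPBUILD` bump elsewhere in this changeset, as the trailing comment requires.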