deploy: aefbbe5

includes_general-utilities.php.html

@@ -69,9 +69,9 @@
  * @return void
  */
 function mc_tweet_approval( $previous_status, $new_status ) {
-	if ( function_exists( 'wpt_post_to_service' ) && isset( $_POST['mc_twitter'] ) && trim( $_POST['mc_twitter'] ) !== '' ) {
+	if ( function_exists( 'wpt_post_to_service' ) && isset( $_POST['mc_twitter'] ) ) {
 		if ( ( 0 === (int) $previous_status || 2 === (int) $previous_status ) && 1 === (int) $new_status ) {
-			wpt_post_to_service( esc_html( stripslashes( $_POST['mc_twitter'] ) ) );
+			wpt_post_to_service( sanitize_textarea_field( wp_unslash( $_POST['mc_twitter'] ) ) );
 		}
 	}
 }
@@ -396,7 +396,7 @@
 			$email = get_option( 'admin_email' );
 		}
 		if ( defined( 'MC_DEBUG_METHOD' ) && 'email' === MC_DEBUG_METHOD ) {
-			wp_mail( get_option( 'admin_email' ), $subject, print_r( $body ) );
+			wp_mail( get_option( 'admin_email' ), $subject, print_r( $body, 1 ) );
 		} else {
 			/**
 			 * Execute a custom debug action during an mc_debug call. Runs if MC_DEBUG_METHOD is not 'email'.

mc_after_settings.html

@@ -134,7 +134,7 @@ <h5>Parameters:</h5>
 
     <dt class="tag-source">Source:</dt>
     <dd class="tag-source"><ul class="dummy"><li>
-        <a href="my-calendar-settings.php.html">my-calendar-settings.php</a>, <a href="my-calendar-settings.php.html#line2058">line 2058</a>
+        <a href="my-calendar-settings.php.html">my-calendar-settings.php</a>, <a href="my-calendar-settings.php.html#line2060">line 2060</a>
     </li></ul></dd>
 
 

mc_save_settings.html

@@ -157,7 +157,7 @@ <h5>Parameters:</h5>
 
     <dt class="tag-source">Source:</dt>
     <dd class="tag-source"><ul class="dummy"><li>
-        <a href="my-calendar-settings.php.html">my-calendar-settings.php</a>, <a href="my-calendar-settings.php.html#line641">line 641</a>
+        <a href="my-calendar-settings.php.html">my-calendar-settings.php</a>, <a href="my-calendar-settings.php.html#line643">line 643</a>
     </li></ul></dd>
 
 

mc_settings_section_links.html

@@ -134,7 +134,7 @@ <h5>Parameters:</h5>
 
     <dt class="tag-source">Source:</dt>
     <dd class="tag-source"><ul class="dummy"><li>
-        <a href="my-calendar-settings.php.html">my-calendar-settings.php</a>, <a href="my-calendar-settings.php.html#line689">line 689</a>
+        <a href="my-calendar-settings.php.html">my-calendar-settings.php</a>, <a href="my-calendar-settings.php.html#line691">line 691</a>
     </li></ul></dd>
 
 

my-calendar-api.php.html

@@ -244,7 +244,7 @@
  */
 function mc_generate_vcal( $event_id ) {
 	$output = '';
-	$mc_id  = ( isset( $_GET['vcal'] ) ) ? (int) str_replace( 'mc_', '', $_GET['vcal'] ) : $event_id;
+	$mc_id  = ( isset( $_GET['vcal'] ) ) ? absint( str_replace( 'mc_', '', wp_unslash( $_GET['vcal'] ) ) ) : $event_id;
 	if ( $mc_id ) {
 		$event  = mc_get_event( $mc_id );
 		$output = mc_generate_ical( array( $event ) );

my-calendar-navigation.php.html

@@ -423,7 +423,7 @@
 		$hex   = ( 0 !== strpos( $cat->category_color, '#' ) ) ? '#' : '';
 		$class = mc_category_class( $cat, '' );
 
-		$selected_categories = ( empty( $_GET['mcat'] ) ) ? array() : map_deep( explode( ',', $_GET['mcat'] ), 'absint' );
+		$selected_categories = ( empty( $_GET['mcat'] ) ) ? array() : map_deep( explode( ',', wp_unslash( $_GET['mcat'] ) ), 'absint' );
 		$category_id         = (int) $cat->category_id;
 
 		if ( in_array( $category_id, $selected_categories, true ) || $category === $category_id ) {
@@ -808,17 +808,17 @@
 		<form action='" . esc_url( $current_url ) . "' method='get' class='$class'>\n";
 	$qsa         = array();
 	if ( isset( $_SERVER['QUERY_STRING'] ) ) {
-		parse_str( $_SERVER['QUERY_STRING'], $qsa );
+		parse_str( map_deep( wp_unslash( $_SERVER['QUERY_STRING'] ), 'sanitize_text_field' ), $qsa );
 	}
 	if ( ! isset( $_GET['cid'] ) ) {
 		$form .= '<input type="hidden" name="cid" value="all" />';
 	}
 	foreach ( $qsa as $name => $argument ) {
-		$name = esc_attr( strip_tags( $name ) );
+		$name = wp_strip_all_tags( $name );
 		if ( ! ( 'access' === $name || 'mcat' === $name || 'loc' === $name || 'ltype' === $name || 'mc_id' === $name || 'legacy-widget-preview' === $name ) ) {
 			$argument = ( ! is_string( $argument ) ) ? (string) $argument : $argument;
-			$argument = esc_attr( strip_tags( $argument ) );
-			$form    .= '<input type="hidden" name="' . $name . '" value="' . $argument . '" />' . "\n";
+			$argument = wp_strip_all_tags( $argument );
+			$form    .= '<input type="hidden" name="' . esc_attr( $name ) . '" value="' . esc_attr( $argument ) . '" />' . "\n";
 		}
 	}
 	$multiple = __( 'Events', 'my-calendar' );
@@ -883,14 +883,14 @@
 	if ( 'single' === $group ) {
 		$qsa = array();
 		if ( isset( $_SERVER['QUERY_STRING'] ) ) {
-			parse_str( $_SERVER['QUERY_STRING'], $qsa );
+			parse_str( map_deep( wp_unslash( $_SERVER['QUERY_STRING'] ), 'sanitize_text_field' ), $qsa );
 		}
 		if ( ! isset( $_GET['cid'] ) ) {
 			$form .= '<input type="hidden" name="cid" value="all" />';
 		}
 		foreach ( $qsa as $name => $argument ) {
 			if ( ! ( 'mcat' === $name || 'mc_id' === $name ) ) {
-				$form .= '<input type="hidden" name="' . esc_attr( strip_tags( $name ) ) . '" value="' . esc_attr( strip_tags( $argument ) ) . '" />' . "\n";
+				$form .= '<input type="hidden" name="' . esc_attr( wp_strip_all_tags( $name ) ) . '" value="' . esc_attr( wp_strip_all_tags( $argument ) ) . '" />' . "\n";
 			}
 		}
 	}
@@ -978,7 +978,7 @@
 		}
 		foreach ( $qsa as $name => $argument ) {
 			if ( ! ( 'access' === $name || 'mc_id' === $name ) ) {
-				$form .= '<input type="hidden" name="' . esc_attr( strip_tags( $name ) ) . '" value="' . esc_attr( strip_tags( $argument ) ) . '" />' . "\n";
+				$form .= '<input type="hidden" name="' . esc_attr( wp_strip_all_tags( $name ) ) . '" value="' . esc_attr( wp_strip_all_tags( $argument ) ) . '" />' . "\n";
 			}
 		}
 	}
@@ -1058,11 +1058,11 @@
 	}
 	$data_href = $current_url;
 	foreach ( $qsa as $name => $argument ) {
-		$name = esc_attr( strip_tags( $name ) );
+		$name = esc_attr( wp_strip_all_tags( $name ) );
 		if ( is_array( $argument ) ) {
 			$argument = '';
 		} else {
-			$argument = esc_attr( strip_tags( $argument ) );
+			$argument = esc_attr( wp_strip_all_tags( $argument ) );
 		}
 		if ( 'month' !== $name && 'yr' !== $name && 'dy' !== $name ) {
 			$date_switcher .= '<input type="hidden" name="' . $name . '" value="' . $argument . '" />';

my-calendar-print.php.html

@@ -58,10 +58,10 @@
 	$mc_version .= ( SCRIPT_DEBUG ) ? '-' . wp_rand( 10000, 99999 ) : '';
 	$url         = plugin_dir_url( __FILE__ );
 	// The time string can contain a plus literal, which needs to be re-encoded.
-	$time     = ( isset( $_GET['time'] ) ) ? sanitize_text_field( urlencode( $_GET['time'] ) ) : 'month';
-	$category = ( isset( $_GET['mcat'] ) ) ? sanitize_text_field( $_GET['mcat'] ) : '';
-	$ltype    = ( isset( $_GET['ltype'] ) ) ? sanitize_text_field( $_GET['ltype'] ) : '';
-	$lvalue   = ( isset( $_GET['lvalue'] ) ) ? sanitize_text_field( $_GET['lvalue'] ) : '';
+	$time     = ( isset( $_GET['time'] ) ) ? sanitize_text_field( urlencode( wp_unslash( $_GET['time'] ) ) ) : 'month';
+	$category = ( isset( $_GET['mcat'] ) ) ? sanitize_text_field( wp_unslash( $_GET['mcat'] ) ) : '';
+	$ltype    = ( isset( $_GET['ltype'] ) ) ? sanitize_text_field( wp_unslash( $_GET['ltype'] ) ) : '';
+	$lvalue   = ( isset( $_GET['lvalue'] ) ) ? sanitize_text_field( wp_unslash( $_GET['lvalue'] ) ) : '';
 	header( 'Content-Type: ' . get_bloginfo( 'html_type' ) . '; charset=' . get_bloginfo( 'charset' ) );
 	if ( mc_file_exists( 'mc-print.css' ) ) {
 		$stylesheet = mc_get_file( 'mc-print.css', 'url' );
@@ -93,9 +93,9 @@
 
 	if ( isset( $_GET['href'] ) ) {
 		// Only support URLs on the same home_url().
-		$ref_url  = esc_url( urldecode( $_GET['href'] ) );
-		$ref_root = parse_url( $ref_url )['host'];
-		$root     = parse_url( home_url() )['host'];
+		$ref_url  = sanitize_text_field( urldecode( wp_unslash( $_GET['href'] ) ) );
+		$ref_root = wp_parse_url( $ref_url )['host'];
+		$root     = wp_parse_url( home_url() )['host'];
 		$local    = ( false !== stripos( $ref_url, home_url() ) && false !== stripos( $root, $ref_root ) ) ? true : false;
 		if ( $ref_url && $local ) {
 			$return_url = $ref_url;
@@ -144,7 +144,7 @@
 
 	echo wp_kses_post( my_calendar( $calendar ) );
 
-	$add = array_map( 'esc_html', $_GET );
+	$add = map_deep( wp_unslash( $_GET ), 'sanitize_text_field' );
 	unset( $add['cid'] );
 	unset( $add['feed'] );
 	unset( $add['href'] );

my-calendar-settings.php.html

@@ -464,7 +464,7 @@
 	$options['event_title_template'] = $post['mc_event_title_template'];
 	foreach ( $post as $key => $value ) {
 		// If POST is set, change the sanitizing for settings in this group.
-		$post[ $key ] = isset( $_POST[ $key ] ) ? wp_kses_post( $_POST[ $key ] ) : $value;
+		$post[ $key ] = isset( $_POST[ $key ] ) ? wp_kses_post( wp_unslash( $_POST[ $key ] ) ) : $value;
 	}
 	$options['heading_text']        = isset( $_POST['mc_heading_text'] ) ? wp_kses_post( wp_unslash( $_POST['mc_heading_text'] ) ) : $post['mc_heading_text'];
 	$options['notime_text']         = $post['mc_notime_text'];
@@ -505,7 +505,7 @@
 	$options['event_mail_to']      = $post['mc_event_mail_to'];
 	$options['event_mail_from']    = $post['mc_event_mail_from'];
 	$options['event_mail_subject'] = $post['mc_event_mail_subject'];
-	$options['event_mail_message'] = ( 'true' === $options['html_email'] && isset( wp_unslash( $_POST['mc_event_mail_message'] ) ) ) ? wp_kses_post( $_POST['mc_event_mail_message'] ) : $post['mc_event_mail_message'];
+	$options['event_mail_message'] = ( 'true' === $options['html_email'] && isset( $_POST['mc_event_mail_message'] ) ) ? wp_kses_post( wp_unslash( $_POST['mc_event_mail_message'] ) ) : $post['mc_event_mail_message'];
 	$options['event_mail_bcc']     = $post['mc_event_mail_bcc'];
 
 	mc_update_options( $options );
@@ -546,7 +546,9 @@
 	if ( isset( $_FILES['mc-import-settings'] ) ) {
 		$nonce = wp_verify_nonce( $_POST['_wpnonce'], 'my-calendar-nonce' );
 		if ( $nonce ) {
-			$settings = ( 0 !== (int) $_FILES['mc-import-settings']['size'] ) ? file_get_contents( $_FILES['mc-import-settings']['tmp_name'] ) : false;
+			$size     = isset( $_FILES['mc-import-settings']['size'] ) ? absint( $_FILES['mc-import-settings']['size'] ) : 0;
+			$name     = isset( $_FILES['mc-import-settings']['tmp_name'] ) ? sanitize_text_field( $_FILES['mc-import-settings']['tmp_name'] ) : '';
+			$settings = ( 0 !== $size ) ? file_get_contents( $name ) : false;
 			if ( ! $settings ) {
 				$return = __( 'No settings file provided.', 'my-calendar' );
 			} else {