From f23b4e2a68e4bcc8a06368a0307b4a5605199a5e Mon Sep 17 00:00:00 2001
From: joedolson
Date: Mon, 6 Jan 2025 20:53:19 +0000
Subject: [PATCH] deploy: aefbbe5e6bcda0dfaa667263f605f015d81210f2
---
 includes_general-utilities.php.html | 6 +++---
 mc_after_settings.html | 2 +-
 mc_save_settings.html | 2 +-
 mc_settings_section_links.html | 2 +-
 my-calendar-api.php.html | 2 +-
 my-calendar-navigation.php.html | 20 ++++++++++----------
 my-calendar-print.php.html | 16 ++++++++--------
 my-calendar-settings.php.html | 8 +++++---
 8 files changed, 30 insertions(+), 28 deletions(-)
diff --git a/includes_general-utilities.php.html b/includes_general-utilities.php.html
index b98030db..069dad35 100644
--- a/includes_general-utilities.php.html
+++ b/includes_general-utilities.php.html
@@ -69,9 +69,9 @@
 * @return void
 */
 function mc_tweet_approval( $previous_status, $new_status ) {
- if ( function_exists( 'wpt_post_to_service' ) && isset( $_POST['mc_twitter'] ) && trim( $_POST['mc_twitter'] ) !== '' ) {
+ if ( function_exists( 'wpt_post_to_service' ) && isset( $_POST['mc_twitter'] ) ) {
 if ( ( 0 === (int) $previous_status || 2 === (int) $previous_status ) && 1 === (int) $new_status ) {
- wpt_post_to_service( esc_html( stripslashes( $_POST['mc_twitter'] ) ) );
+ wpt_post_to_service( sanitize_textarea_field( wp_unslash( $_POST['mc_twitter'] ) ) );
 }
 }
 }
@@ -396,7 +396,7 @@
 $email = get_option( 'admin_email' );
 }
 if ( defined( 'MC_DEBUG_METHOD' ) && 'email' === MC_DEBUG_METHOD ) {
- wp_mail( get_option( 'admin_email' ), $subject, print_r( $body ) );
+ wp_mail( get_option( 'admin_email' ), $subject, print_r( $body, 1 ) );
 } else {
 /**
 * Execute a custom debug action during an mc_debug call. Runs if MC_DEBUG_METHOD is not 'email'.
diff --git a/mc_after_settings.html b/mc_after_settings.html
index 6f9b6305..a271a98a 100644
--- a/mc_after_settings.html
+++ b/mc_after_settings.html
@@ -134,7 +134,7 @@
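Review bot: The rewritten condition in mc_tweet_approval drops the `trim( ... ) !== ''` guard the old line had, so a submitted-but-empty `mc_twitter` field now reaches `wpt_post_to_service()` with an empty string. Sanitize once into a local and keep the emptiness test on the sanitized value: `$message = sanitize_textarea_field( wp_unslash( $_POST['mc_twitter'] ) );` followed by `if ( function_exists( 'wpt_post_to_service' ) && '' !== trim( $message ) ) {` and `wpt_post_to_service( $message );` inside the status check. Whether the caller has already verified a nonce and capability for this POST is not visible from this hunk, so that should be confirmed at the call site.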
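Review bot: `print_r( $body, 1 )` fixes the body being echoed instead of returned, but the second parameter is a boolean flag, and `print_r( $body, true )` says so; the integer reads like a count. The `$email` assigned on the context line just above this call is not used by `wp_mail()`, which re-reads `admin_email`; if `$email` is meant to be the recipient (it may carry a fallback chosen before the hunk), the call should be `wp_mail( $email, $subject, print_r( $body, true ) );`. The enclosing function starts before the hunk.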
Parameters:
Source:
diff --git a/mc_save_settings.html b/mc_save_settings.html index 9292d7d9..c20c6c38 100644 --- a/mc_save_settings.html +++ b/mc_save_settings.html @@ -157,7 +157,7 @@
Parameters:
Source:
diff --git a/mc_settings_section_links.html b/mc_settings_section_links.html index 0fd0adc4..ecb6bf02 100644 --- a/mc_settings_section_links.html +++ b/mc_settings_section_links.html @@ -134,7 +134,7 @@
Parameters:
Source:
diff --git a/my-calendar-api.php.html b/my-calendar-api.php.html index 82385c48..6531e0ca 100644 --- a/my-calendar-api.php.html +++ b/my-calendar-api.php.html @@ -244,7 +244,7 @@ */ function mc_generate_vcal( $event_id ) { $output = ''; - $mc_id = ( isset( $_GET['vcal'] ) ) ? (int) str_replace( 'mc_', '', $_GET['vcal'] ) : $event_id; + $mc_id = ( isset( $_GET['vcal'] ) ) ? absint( str_replace( 'mc_', '', wp_unslash( $_GET['vcal'] ) ) ) : $event_id; if ( $mc_id ) { $event = mc_get_event( $mc_id ); $output = mc_generate_ical( array( $event ) ); diff --git a/my-calendar-navigation.php.html b/my-calendar-navigation.php.html index b3de8f9a..6b87f119 100644 --- a/my-calendar-navigation.php.html +++ b/my-calendar-navigation.php.html @@ -423,7 +423,7 @@ $hex = ( 0 !== strpos( $cat->category_color, '#' ) ) ? '#' : ''; $class = mc_category_class( $cat, '' ); - $selected_categories = ( empty( $_GET['mcat'] ) ) ? array() : map_deep( explode( ',', $_GET['mcat'] ), 'absint' ); + $selected_categories = ( empty( $_GET['mcat'] ) ) ? array() : map_deep( explode( ',', wp_unslash( $_GET['mcat'] ) ), 'absint' ); $category_id = (int) $cat->category_id; if ( in_array( $category_id, $selected_categories, true ) || $category === $category_id ) { 
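Review bot: `absint( str_replace( ... ) )` in mc_generate_vcal only handles a string `vcal` value; when the query argument is array-valued, `str_replace()` returns an array and `absint()` casts a non-empty array to 1, so the function quietly generates a vCal for event 1 instead of falling back to `$event_id`. Check the type as part of the guard: `$mc_id = ( isset( $_GET['vcal'] ) && is_string( $_GET['vcal'] ) ) ? absint( str_replace( 'mc_', '', wp_unslash( $_GET['vcal'] ) ) ) : $event_id;`. The body of mc_generate_vcal continues past the hunk.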
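Review bot: `explode( ',', wp_unslash( $_GET['mcat'] ) )` is guarded only by `empty()`, so an array-valued `mcat` argument is handed to `explode()` as an array, which is a TypeError on PHP 8 (a warning and `null` on older versions) rather than an empty selection. Fold the type test into the guard: `$selected_categories = ( empty( $_GET['mcat'] ) || ! is_string( $_GET['mcat'] ) ) ? array() : map_deep( explode( ',', wp_unslash( $_GET['mcat'] ) ), 'absint' );`. The surrounding function starts before this hunk and continues after it.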
@@ -808,17 +808,17 @@
 <form action='" . esc_url( $current_url ) . "' method='get' class='$class'>\n";
 $qsa = array();
 if ( isset( $_SERVER['QUERY_STRING'] ) ) {
- parse_str( $_SERVER['QUERY_STRING'], $qsa );
+ parse_str( map_deep( wp_unslash( $_SERVER['QUERY_STRING'] ), 'sanitize_text_field' ), $qsa );
 }
 if ( ! isset( $_GET['cid'] ) ) {
 $form .= '<input type="hidden" name="cid" value="all" />';
 }
 foreach ( $qsa as $name => $argument ) {
- $name = esc_attr( strip_tags( $name ) );
+ $name = wp_strip_all_tags( $name );
 if ( ! ( 'access' === $name || 'mcat' === $name || 'loc' === $name || 'ltype' === $name || 'mc_id' === $name || 'legacy-widget-preview' === $name ) ) {
 $argument = ( ! is_string( $argument ) ) ? (string) $argument : $argument;
- $argument = esc_attr( strip_tags( $argument ) );
- $form .= '<input type="hidden" name="' . $name . '" value="' . $argument . '" />' . "\n";
+ $argument = wp_strip_all_tags( $argument );
+ $form .= '<input type="hidden" name="' . esc_attr( $name ) . '" value="' . esc_attr( $argument ) . '" />' . "\n";
 }
 }
 $multiple = __( 'Events', 'my-calendar' );
@@ -883,14 +883,14 @@
 if ( 'single' === $group ) {
 $qsa = array();
 if ( isset( $_SERVER['QUERY_STRING'] ) ) {
- parse_str( $_SERVER['QUERY_STRING'], $qsa );
+ parse_str( map_deep( wp_unslash( $_SERVER['QUERY_STRING'] ), 'sanitize_text_field' ), $qsa );
 }
 if ( ! isset( $_GET['cid'] ) ) {
 $form .= '<input type="hidden" name="cid" value="all" />';
 }
 foreach ( $qsa as $name => $argument ) {
 if ( ! ( 'mcat' === $name || 'mc_id' === $name ) ) {
- $form .= '<input type="hidden" name="' . esc_attr( strip_tags( $name ) ) . '" value="' . esc_attr( strip_tags( $argument ) ) . '" />' . "\n";
+ $form .= '<input type="hidden" name="' . esc_attr( wp_strip_all_tags( $name ) ) . '" value="' . esc_attr( wp_strip_all_tags( $argument ) ) . '" />' . "\n";
 }
 }
 }
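Review bot: Running `sanitize_text_field` over the raw `$_SERVER['QUERY_STRING']` before `parse_str()` alters the data before it is parsed: that sanitizer removes every percent-encoded octet (`%20`, `%2B`, any encoded non-ASCII) and collapses whitespace, so values that were encoded in the URL arrive truncated or corrupted in `$qsa`. Parse first and sanitize the parsed values: `parse_str( wp_unslash( $_SERVER['QUERY_STRING'] ), $qsa );` followed by `$qsa = map_deep( $qsa, 'sanitize_text_field' );`. The same construct is introduced in the @@ -883 hunk of this file. Both enclosing functions start before their hunks.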
@@ -978,7 +978,7 @@
 }
 foreach ( $qsa as $name => $argument ) {
 if ( ! ( 'access' === $name || 'mc_id' === $name ) ) {
- $form .= '<input type="hidden" name="' . esc_attr( strip_tags( $name ) ) . '" value="' . esc_attr( strip_tags( $argument ) ) . '" />' . "\n";
+ $form .= '<input type="hidden" name="' . esc_attr( wp_strip_all_tags( $name ) ) . '" value="' . esc_attr( wp_strip_all_tags( $argument ) ) . '" />' . "\n";
 }
 }
 }
@@ -1058,11 +1058,11 @@
 }
 $data_href = $current_url;
 foreach ( $qsa as $name => $argument ) {
- $name = esc_attr( strip_tags( $name ) );
+ $name = esc_attr( wp_strip_all_tags( $name ) );
 if ( is_array( $argument ) ) {
 $argument = '';
 } else {
- $argument = esc_attr( strip_tags( $argument ) );
+ $argument = esc_attr( wp_strip_all_tags( $argument ) );
 }
 if ( 'month' !== $name && 'yr' !== $name && 'dy' !== $name ) {
 $date_switcher .= '<input type="hidden" name="' . $name . '" value="' . $argument . '" />';
diff --git a/my-calendar-print.php.html b/my-calendar-print.php.html
index a8c9dc31..1434f39d 100644
--- a/my-calendar-print.php.html
+++ b/my-calendar-print.php.html
@@ -58,10 +58,10 @@ $mc_version .= ( SCRIPT_DEBUG ) ? '-' . wp_rand( 10000, 99999 ) : ''; $url = plugin_dir_url( __FILE__ ); // The time string can contain a plus literal, which needs to be re-encoded. - $time = ( isset( $_GET['time'] ) ) ? sanitize_text_field( urlencode( $_GET['time'] ) ) : 'month'; - $category = ( isset( $_GET['mcat'] ) ) ? sanitize_text_field( $_GET['mcat'] ) : ''; - $ltype = ( isset( $_GET['ltype'] ) ) ? sanitize_text_field( $_GET['ltype'] ) : ''; - $lvalue = ( isset( $_GET['lvalue'] ) ) ? sanitize_text_field( $_GET['lvalue'] ) : ''; + $time = ( isset( $_GET['time'] ) ) ? sanitize_text_field( urlencode( wp_unslash( $_GET['time'] ) ) ) : 'month'; + $category = ( isset( $_GET['mcat'] ) ) ? sanitize_text_field( wp_unslash( $_GET['mcat'] ) ) : ''; + $ltype = ( isset( $_GET['ltype'] ) ) ? sanitize_text_field( wp_unslash( $_GET['ltype'] ) ) : ''; + $lvalue = ( isset( $_GET['lvalue'] ) ) ? sanitize_text_field( wp_unslash( $_GET['lvalue'] ) ) : ''; header( 'Content-Type: ' . get_bloginfo( 'html_type' ) . '; charset=' . get_bloginfo( 'charset' ) ); if ( mc_file_exists( 'mc-print.css' ) ) { $stylesheet = mc_get_file( 'mc-print.css', 'url' ); @@ -93,9 +93,9 @@ if ( isset( $_GET['href'] ) ) { // Only support URLs on the same home_url(). - $ref_url = esc_url( urldecode( $_GET['href'] ) ); - $ref_root = parse_url( $ref_url )['host']; - $root = parse_url( home_url() )['host']; + $ref_url = sanitize_text_field( urldecode( wp_unslash( $_GET['href'] ) ) ); + $ref_root = wp_parse_url( $ref_url )['host']; + $root = wp_parse_url( home_url() )['host']; $local = ( false !== stripos( $ref_url, home_url() ) && false !== stripos( $root, $ref_root ) ) ? true : false; if ( $ref_url && $local ) { $return_url = $ref_url; @@ -144,7 +144,7 @@ echo wp_kses_post( my_calendar( $calendar ) ); - $add = array_map( 'esc_html', $_GET ); + $add = map_deep( wp_unslash( $_GET ), 'sanitize_text_field' ); unset( $add['cid'] ); unset( $add['feed'] ); unset( $add['href'] ); 
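Review bot: In the `$time` line, `sanitize_text_field()` runs after `urlencode()`, and that sanitizer strips percent-encoded sequences, so the `%2B` that `urlencode()` produces for the plus literal named in the comment above is removed again and the value loses exactly the character the comment says must survive. The order predates this commit, but the new line keeps it; sanitize first, then encode: `$time = ( isset( $_GET['time'] ) ) ? urlencode( sanitize_text_field( wp_unslash( $_GET['time'] ) ) ) : 'month';`. The enclosing function starts before the hunk.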
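Review bot: The same-host test on the `$local` line below the rewritten `$ref_root`/`$root` lines is still substring-based on both sides (`stripos` of `home_url()` anywhere in the supplied URL, and of the supplied host anywhere in the site host), which is weaker than the "same home_url()" rule the comment states, and with `esc_url()` dropped the value is no longer restricted to allowed protocols either; `wp_parse_url( $ref_url )['host']` also raises an undefined-index warning when the value has no host. Compare hosts for equality and tolerate a missing host: `$ref_root = wp_parse_url( $ref_url, PHP_URL_HOST );` / `$root = wp_parse_url( home_url(), PHP_URL_HOST );` / `$local = ( is_string( $ref_root ) && '' !== $ref_root && 0 === strcasecmp( $ref_root, $root ) );`, or pass the value through `wp_validate_redirect( $ref_url, '' )`, which implements the same-host policy. The function containing this block starts before the hunk.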
diff --git a/my-calendar-settings.php.html b/my-calendar-settings.php.html index 83289205..0edb4302 100644 --- a/my-calendar-settings.php.html +++ b/my-calendar-settings.php.html @@ -464,7 +464,7 @@ $options['event_title_template'] = $post['mc_event_title_template']; foreach ( $post as $key => $value ) { // If POST is set, change the sanitizing for settings in this group. - $post[ $key ] = isset( $_POST[ $key ] ) ? wp_kses_post( $_POST[ $key ] ) : $value; + $post[ $key ] = isset( $_POST[ $key ] ) ? wp_kses_post( wp_unslash( $_POST[ $key ] ) ) : $value; } $options['heading_text'] = isset( $_POST['mc_heading_text'] ) ? wp_kses_post( wp_unslash( $_POST['mc_heading_text'] ) ) : $post['mc_heading_text']; $options['notime_text'] = $post['mc_notime_text']; @@ -505,7 +505,7 @@ $options['event_mail_to'] = $post['mc_event_mail_to']; $options['event_mail_from'] = $post['mc_event_mail_from']; $options['event_mail_subject'] = $post['mc_event_mail_subject']; - $options['event_mail_message'] = ( 'true' === $options['html_email'] && isset( wp_unslash( $_POST['mc_event_mail_message'] ) ) ) ? wp_kses_post( $_POST['mc_event_mail_message'] ) : $post['mc_event_mail_message']; + $options['event_mail_message'] = ( 'true' === $options['html_email'] && isset( $_POST['mc_event_mail_message'] ) ) ? wp_kses_post( wp_unslash( $_POST['mc_event_mail_message'] ) ) : $post['mc_event_mail_message']; $options['event_mail_bcc'] = $post['mc_event_mail_bcc']; mc_update_options( $options ); 
@@ -546,7 +546,9 @@
 if ( isset( $_FILES['mc-import-settings'] ) ) {
 $nonce = wp_verify_nonce( $_POST['_wpnonce'], 'my-calendar-nonce' );
 if ( $nonce ) {
- $settings = ( 0 !== (int) $_FILES['mc-import-settings']['size'] ) ? file_get_contents( $_FILES['mc-import-settings']['tmp_name'] ) : false;
+ $size = isset( $_FILES['mc-import-settings']['size'] ) ? absint( $_FILES['mc-import-settings']['size'] ) : 0;
+ $name = isset( $_FILES['mc-import-settings']['tmp_name'] ) ? sanitize_text_field( $_FILES['mc-import-settings']['tmp_name'] ) : '';
+ $settings = ( 0 !== $size ) ? file_get_contents( $name ) : false;
 if ( ! $settings ) {
 $return = __( 'No settings file provided.', 'my-calendar' );
 } else {
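Review bot: `sanitize_text_field()` is the wrong tool for `tmp_name`: it is a filesystem path produced by PHP, and that sanitizer removes percent-encoded sequences and collapses whitespace, so it can alter a valid path while giving no assurance that the path is an upload; the check that belongs here is `is_uploaded_file()`, together with the upload `error` code, which the new `$size` test does not cover. `$_POST['_wpnonce']` on the context line is also read without `isset()`, which warns on a request that lacks it (unchanged by the commit). The enclosing handler starts before the hunk. The three added lines rewritten:
```php
if ( $nonce ) {
    $file     = $_FILES['mc-import-settings'];
    $size     = isset( $file['size'] ) ? absint( $file['size'] ) : 0;
    $error    = isset( $file['error'] ) ? (int) $file['error'] : UPLOAD_ERR_NO_FILE;
    $name     = isset( $file['tmp_name'] ) ? (string) $file['tmp_name'] : '';
    $valid    = ( UPLOAD_ERR_OK === $error && 0 !== $size && '' !== $name && is_uploaded_file( $name ) );
    $settings = $valid ? file_get_contents( $name ) : false;
    // … unchanged: "No settings file provided." branch and import …
```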