2.4.1

= 2.4.1, Oct 1 2021 =
* Security - Fixed unescaped data output.

admin/customers/overview.php

@@ -25,18 +25,18 @@
 			<p class="mprm-class-email"><label for="mprm-email">
 					<?php _e('Email:', 'mp-restaurant-menu'); ?>
 				</label>
-				<input class="mprm-input large-text" type="email" required name="mprm-email" value="<?php echo $customer->email; ?>">
+				<input class="mprm-input large-text" type="email" required name="mprm-email" value="<?php echo esc_attr( $customer->email ); ?>">
 			</p>
 			<p class="mprm-class-name">
 				<label for="mprm-name">
 					<?php _e('Full name:', 'mp-restaurant-menu'); ?>
 				</label>
-				<input type="text" class="mprm-input large-text" required name="mprm-name" value="<?php echo $customer->name; ?>">
+				<input type="text" class="mprm-input large-text" required name="mprm-name" value="<?php echo esc_attr( $customer->name ); ?>">
 			</p>
 			<p class="mprm-class-telephone"><label for="mprm-telephone">
 					<?php _e('Phone:', 'mp-restaurant-menu'); ?>
 				</label>
-				<input class="mprm-input large-text" type="text" name="mprm-telephone" value="<?php echo $customer->telephone; ?>">
+				<input class="mprm-input large-text" type="text" name="mprm-telephone" value="<?php echo esc_attr( $customer->telephone ); ?>">
 			</p>
 			<p class="mprm-class-wp-user">
 				<label for="mprm-user">
@@ -49,7 +49,7 @@
 					<?php } else { ?>
 						<option value="0"><?php _e('No user selected', 'mp-restaurant-menu') ?></option>
 						<?php foreach ($users as $user) { ?>
-							<option value="<?php echo $user->ID ?>" <?php selected($user->ID, $customer->user_id); ?> ><?php echo $user->user_nicename ?></option>
+							<option value="<?php echo $user->ID ?>" <?php selected($user->ID, $customer->user_id); ?> ><?php echo esc_html( $user->user_nicename );?></option>
 						<?php }
 					} ?>
 				</select>

admin/extensions/extensions-view.php

@@ -9,13 +9,13 @@
 		), $extension->link );
 
 		?><div class="mprm-extension">
-			<a href="<?php echo esc_url($extension_link) ?>" title="<?php echo $extension->title ?>">
+			<a href="<?php echo esc_url($extension_link) ?>" title="<?php echo esc_attr( $extension->title );?>">
 				<?php if ($extension->thumbnail): ?>
-					<img width="320" height="200" src="<?php echo $extension->thumbnail ?>" class="attachment-showcase wp-post-image" alt="<?php echo $extension->title ?>" title="<?php echo $extension->title ?>">
+					<img width="320" height="200" src="<?php echo esc_url( $extension->thumbnail );?>" class="attachment-showcase wp-post-image" alt="<?php echo esc_attr( $extension->title ) ?>" title="<?php echo esc_attr( $extension->title );?>">
 				<?php endif; ?>
 			</a>
 			<h3><?php echo esc_html($extension->title) ?></h3>
 			<p><?php echo esc_html($extension->excerpt); ?></p>
-			<a href="<?php echo esc_url($extension_link) ?>" title="<?php echo $extension->title ?>" class="button button-secondary"><?php _e('Get this Extension', 'mp-restaurant-menu') ?></a>
+			<a href="<?php echo esc_url($extension_link) ?>" title="<?php echo esc_attr( $extension->title );?>" class="button button-secondary"><?php _e('Get this Extension', 'mp-restaurant-menu') ?></a>
 		</div><?php }
 } ?>

admin/metaboxes/order/customer-information.php

@@ -1,8 +1,8 @@
 <?php $customer = mprm_get_customer($customer_id);
 
 if (!empty($customer->telephone)) { ?>
-	<span class="label"><b><?php _e('Phone:', 'mp-restaurant-menu'); ?></b></span> <span> <?php echo apply_filters('mprm_order_phone', $customer->telephone); ?></span>
+	<span class="label"><b><?php _e('Phone:', 'mp-restaurant-menu'); ?></b></span> <span> <?php echo apply_filters('mprm_order_phone', esc_html( $customer->telephone )); ?></span>
 	<br>
 <?php } ?>
-<span class="label"><b><?php _e('Email:', 'mp-restaurant-menu'); ?></b></span> <span><?php echo apply_filters('mprm_order_customer_email', $customer->email); ?></span>
+<span class="label"><b><?php _e('Email:', 'mp-restaurant-menu'); ?></b></span> <span><?php echo apply_filters('mprm_order_customer_email', esc_html( $customer->email )); ?></span>
 

admin/metaboxes/order/customer-notes.php

@@ -4,7 +4,7 @@
 $customer_note = esc_attr($order->customer_note);
 ?>
 <div id="mprm-customer-order-notes" class="">
-	<textarea name="mprm-customer-note" id="mprm-customer-order-note" class="large-text"><?php echo $customer_note ?></textarea>
+	<textarea name="mprm-customer-note" id="mprm-customer-order-note" class="large-text"><?php echo esc_html( $customer_note );?></textarea>
 	<!--	<p>-->
 	<!--		<button id="mprm-edit-order-note" class="button button-secondary right"-->
 	<!--		        data-order-id="--><?php //echo absint($order_id); ?><!--">--><?php //_e('Edit order Note', 'mp-restaurant-menu'); ?><!--</button>-->

admin/metaboxes/order/order-purchased.php

@@ -29,10 +29,10 @@
 						$price = mprm_get_menu_item_final_price($item_id, $user_info, null);
 					}
 					?>
-					<div class="item mprm-columns <?php echo $column ?>">
-							<span class="mprm-<?php echo get_post_type($item_id) ?>">
+					<div class="item mprm-columns <?php echo esc_attr( $column ); ?>">
+							<span class="mprm-<?php echo esc_attr( get_post_type($item_id) );?>">
 								<a href="<?php echo admin_url('post.php?post=' . $item_id . '&action=edit'); ?>">
-									<?php echo get_the_title($item_id);
+									<?php echo esc_html( get_the_title($item_id) );
 									if (isset($cart_items[$key]['item_number']) && isset($cart_items[$key]['item_number']['options'])) {
 										$price_options = $cart_items[$key]['item_number']['options'];
 										if (mprm_has_variable_prices($item_id) && isset($price_id)) {
@@ -51,20 +51,20 @@
 					</div>
 
 					<?php if (mprm_item_quantities_enabled()) : ?>
-						<div class="quantity mprm-columns <?php echo $column ?>">
+						<div class="quantity mprm-columns <?php echo esc_attr( $column ); ?>">
 							<span class="item-price"><?php echo mprm_currency_filter(mprm_format_amount($item_price)); ?></span>
 							&nbsp;&times;&nbsp;<span class="item-quantity"><?php echo $quantity; ?></span>
 						</div>
 					<?php endif; ?>
 
-					<div class="price mprm-columns <?php echo $column ?>">
+					<div class="price mprm-columns <?php echo esc_attr( $column );?>">
 						<?php if (mprm_item_quantities_enabled()) : ?>
 							<?php echo __('Total:', 'mp-restaurant-menu') . '&nbsp;'; ?>
 						<?php endif; ?>
 						<span class="price-text"><?php echo mprm_currency_filter(mprm_format_amount($price), $currency_code); ?></span>
 					</div>
 
-					<div class="actions mprm-columns <?php echo $column ?>">
+					<div class="actions mprm-columns <?php echo esc_attr( $column ); ?>">
 						<input type="hidden" class="mprm-order-detail-has-log" name="mprm-order-details[<?php echo $key; ?>][has_log]" value="1"/>
 						<a href="" class="mprm-order-remove-menu-item mprm-delete" data-key="<?php echo esc_attr($key); ?>"><?php _e('Remove', 'mp-restaurant-menu'); ?></a>
 					</div>
@@ -75,7 +75,7 @@
 			endforeach; ?>
 
 			<div class="mprm-row">
-				<div class="item mprm-columns <?php echo $column ?>">
+				<div class="item mprm-columns <?php echo esc_attr( $column ); ?>">
 					<?php
 					echo mprm_menu_item_dropdown(array(
 						'name' => 'mprm-order-menu-item-select',
@@ -90,7 +90,7 @@
 				</div>
 
 				<?php if (mprm_item_quantities_enabled()) : ?>
-					<div class="quantity mprm-columns <?php echo $column ?>">
+					<div class="quantity mprm-columns <?php echo esc_attr( $column ); ?>">
 						<span><?php _e('Quantity', 'mp-restaurant-menu'); ?>:&nbsp;</span>
 						<input type="number" id="mprm-order-menu-item-quantity" class="small-text" min="1" step="1" value="1"/>
 					</div>
@@ -109,7 +109,7 @@
 					?>
 				</div>
 
-				<div class="actions mprm-columns <?php echo $column ?>">
+				<div class="actions mprm-columns <?php echo esc_attr( $column );?>">
 					<a href="" id="mprm-order-add-menu-item" class="button button-secondary"><?php _e('Add Item', 'mp-restaurant-menu'); ?></a>
 				</div>
 			</div>

admin/metaboxes/order/update-order.php

@@ -60,7 +60,7 @@
 			<ul class="mprm-order-fees">
 				<?php foreach ($fees as $fee) : ?>
 					<li>
-						<span class="fee-label"><?php echo $fee['label'] ?> :</span>
+						<span class="fee-label"><?php echo esc_html( $fee['label'] );?> :</span>
 						<span class="fee-amount" data-fee="<?php echo esc_attr($fee['amount']) ?>"><?php echo mprm_currency_filter($fee['amount'], $currency_code); ?></span>
 					</li>
 				<?php endforeach; ?>

admin/quick-edit/hidden-data.php

@@ -1,16 +1,16 @@
 <div class="hidden mprm-data">
-	<span type="hidden" class="mprm-data-price"><?php echo $price ?></span>
-	<span type="hidden" class="mprm-data-sku"><?php echo $sku ?></span>
+	<span type="hidden" class="mprm-data-price"><?php echo esc_html( $price ); ?></span>
+	<span type="hidden" class="mprm-data-sku"><?php echo esc_html( $sku ); ?></span>
 
-	<span type="hidden" class="mprm-data-calories"><?php echo empty($nutritional['calories']['val']) ? '0' : $nutritional['calories']['val'] ?></span>
-	<span type="hidden" class="mprm-data-cholesterol"><?php echo empty($nutritional['cholesterol']['val']) ? '0' : $nutritional['cholesterol']['val'] ?></span>
-	<span type="hidden" class="mprm-data-fiber"><?php echo empty($nutritional['fiber']['val']) ? '0' : $nutritional['fiber']['val'] ?></span>
-	<span type="hidden" class="mprm-data-sodium"><?php echo empty($nutritional['sodium']['val']) ? '0' : $nutritional['sodium']['val'] ?></span>
-	<span type="hidden" class="mprm-data-carbohydrates"><?php echo empty($nutritional['carbohydrates']['val']) ? '0' : $nutritional['carbohydrates']['val'] ?></span>
-	<span type="hidden" class="mprm-data-fat"><?php echo empty($nutritional['fat']['val']) ? '0' : $nutritional['fat']['val'] ?></span>
-	<span type="hidden" class="mprm-data-protein"><?php echo empty($nutritional['protein']['val']) ? '0' : $nutritional['protein']['val'] ?></span>
+	<span type="hidden" class="mprm-data-calories"><?php echo empty($nutritional['calories']['val']) ? '0' : esc_html( $nutritional['calories']['val'] ); ?></span>
+	<span type="hidden" class="mprm-data-cholesterol"><?php echo empty($nutritional['cholesterol']['val']) ? '0' : esc_html( $nutritional['cholesterol']['val'] );?></span>
+	<span type="hidden" class="mprm-data-fiber"><?php echo empty($nutritional['fiber']['val']) ? '0' : esc_html( $nutritional['fiber']['val'] );?></span>
+	<span type="hidden" class="mprm-data-sodium"><?php echo empty($nutritional['sodium']['val']) ? '0' : esc_html( $nutritional['sodium']['val'] );?></span>
+	<span type="hidden" class="mprm-data-carbohydrates"><?php echo empty($nutritional['carbohydrates']['val']) ? '0' : esc_html( $nutritional['carbohydrates']['val'] );?></span>
+	<span type="hidden" class="mprm-data-fat"><?php echo empty($nutritional['fat']['val']) ? '0' : esc_html( $nutritional['fat']['val'] );?></span>
+	<span type="hidden" class="mprm-data-protein"><?php echo empty($nutritional['protein']['val']) ? '0' : esc_html( $nutritional['protein']['val'] );?></span>
 
-	<span type="hidden" class="mprm-data-weight"><?php echo empty($attributes['weight']['val']) ? '0' : $attributes['weight']['val'] ?></span>
-	<span type="hidden" class="mprm-data-bulk"><?php echo empty($attributes['bulk']['val']) ? '0' : $attributes['bulk']['val'] ?></span>
-	<span type="hidden" class="mprm-data-size"><?php echo empty($attributes['size']['val']) ? '0' : $attributes['size']['val'] ?></span>
+	<span type="hidden" class="mprm-data-weight"><?php echo empty($attributes['weight']['val']) ? '0' : esc_html( $attributes['weight']['val'] );?></span>
+	<span type="hidden" class="mprm-data-bulk"><?php echo empty($attributes['bulk']['val']) ? '0' : esc_html( $attributes['bulk']['val'] );?></span>
+	<span type="hidden" class="mprm-data-size"><?php echo empty($attributes['size']['val']) ? '0' : esc_html( $attributes['size']['val'] );?></span>
 </div>

admin/shop/buy-plugin-form.php

@@ -2,7 +2,7 @@
 	<div class="mprm-add-menu-item mprm-display-inline" style="position: relative;">
 		<?php mprm_get_preloader('small-preloader mprm-hidden'); ?>
 
-		<form id="<?php echo $form_id; ?>" class="mprm_purchase_form mprm_purchase_submit_wrapper mprm_purchase_<?php echo absint($post->ID); ?>" data-id="<?php echo $post->ID ?>" method="post">
+		<form id="<?php echo esc_attr( $form_id ); ?>" class="mprm_purchase_form mprm_purchase_submit_wrapper mprm_purchase_<?php echo absint($post->ID); ?>" data-id="<?php echo $post->ID ?>" method="post">
 			<?php do_action('mprm_purchase_link_top', $post->ID, $args); ?>
 
 			<?php $class = implode(' ', array($args['style'], $args['color'], trim($args['class']), trim($args['padding'])));

admin/shop/buy-theme-form.php

@@ -2,7 +2,7 @@
 	<div class="mprm-add-menu-item mprm-display-inline" style="position: relative;">
 		<?php mprm_get_preloader('small-preloader mprm-hidden'); ?>
 
-		<form id="<?php echo $form_id; ?>" class="mprm_purchase_form mprm_purchase_<?php echo absint($post->ID); ?>" data-id="<?php echo $post->ID ?>" method="post">
+		<form id="<?php echo esc_attr( $form_id ); ?>" class="mprm_purchase_form mprm_purchase_<?php echo absint($post->ID); ?>" data-id="<?php echo $post->ID ?>" method="post">
 			<?php do_action('mprm_purchase_link_top', $post->ID, $args); ?>
 
 			<?php $class = implode(' ', array($args['style'], $args['color'], trim($args['class']), trim($args['padding'])));

classes/models/shop/class-order.php

@@ -740,10 +740,10 @@ public function render_order_columns($column) {
 				}
 				break;
 			case 'order_ship_to':
-				echo apply_filters('mprm_orders_list_delivery', $this->shipping_address);
+				echo apply_filters('mprm_orders_list_delivery', esc_html( $this->shipping_address ));
 				break;
 			case 'order_customer_note':
-				echo empty( $this->customer_note ) ? '—' : '<span title="' . $this->customer_note . '">' . mprm_cut_str( 90, $this->customer_note ) . '</span>';
+				echo empty( $this->customer_note ) ? '—' : '<span title="' . esc_html( $this->customer_note ) . '">' . mprm_cut_str( 90, esc_html( $this->customer_note ) ) . '</span>';
 				break;
 			case 'order_items' :
 				echo apply_filters('mprm_admin_order_item_count', sprintf(_n('%d item', '%d items', count($this->menu_items), 'mp-restaurant-menu'), count($this->menu_items)), $this);

classes/modules/class-post.php

@@ -271,7 +271,7 @@ public function show_menu_columns($column, $post_ID) {
 				$this->get_view()->render_html('../admin/quick-edit/hidden-data', $data);
 
 				if (!empty($post->price)) {
-					echo mprm_currency_filter(mprm_format_amount($post->price));
+					echo esc_html( mprm_currency_filter(mprm_format_amount($post->price)) );
 				} else {
 					echo '—';
 				}

classes/widgets/class-cart-widget.php

@@ -99,7 +99,7 @@ function form($instance) {
 		$instance = wp_parse_args((array)$instance, $defaults); ?>
 		<p>
 			<label for="<?php echo esc_attr($this->get_field_id('title')); ?>"><?php _e('Title:', 'mp-restaurant-menu'); ?></label>
-			<input class="widefat" id="<?php echo esc_attr($this->get_field_id('title')); ?>" name="<?php echo esc_attr($this->get_field_name('title')); ?>" type="text" value="<?php echo $instance['title']; ?>"/>
+			<input class="widefat" id="<?php echo esc_attr($this->get_field_id('title')); ?>" name="<?php echo esc_attr($this->get_field_name('title')); ?>" type="text" value="<?php echo esc_attr( $instance['title'] ); ?>"/>
 		</p>
 
 		<p>

readme.txt

@@ -3,7 +3,7 @@ Contributors: MotoPress
 Donate link: https://motopress.com/
 Tags: restaurant menu, food menu, restaurant, food delivery, cafe menu, food ordering system, online ordering, store, cafe, pizza, pizzeria, food, food order, delivery, toppings, sell, e-commerce, recipe, cooking, ingredients, recipes
 Requires at least: 4.6
-Tested up to: 5.6
+Tested up to: 5.8
 Stable tag: trunk
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -87,6 +87,9 @@ Proud developers of Restaurant Menu plugin and the biggest set of [WordPress Gut
 
 == Changelog ==
 
+= 2.4.1, Oct 1 2021 =
+* Security - Fixed unescaped data output.
+
 = 2.4.0, Jun 2 2020 =
 * Improved compatibility with PHP 7.4.
 * Improved compatibility with WPML plugin.

restaurant-menu.php

@@ -3,7 +3,7 @@
  * Plugin Name: Restaurant Menu
  * Plugin URI: https://motopress.com/products/restaurant-menu/
  * Description: This plugin gives you the power to effectively create, maintain and display online menus for almost any kind of restaurant, cafes and other typical food establishments.
- * Version: 2.4.0
+ * Version: 2.4.1
  * Author: MotoPress
  * Author URI: https://motopress.com
  * License: GPLv2 or later

templates-functions/cart-restaurant-menu-functions.php

@@ -190,7 +190,7 @@ function mprm_update_cart_button() {
 	$padding = mprm_get_option('checkout_padding', 'mprm-inherit');
 	$color = ($color == 'inherit') ? '' : $color;
 	?>
-	<input type="submit" name="mprm_update_cart_submit" class="mprm-submit <?php echo mprm_is_cart_saving_disabled() ? ' mprm-no-js' : ''; ?> button<?php echo ' ' . $color . ' ' . $padding; ?>" style="display: none" value="<?php _e('Update Cart', 'mp-restaurant-menu'); ?>"/>
+	<input type="submit" name="mprm_update_cart_submit" class="mprm-submit <?php echo mprm_is_cart_saving_disabled() ? ' mprm-no-js' : ''; ?> button<?php echo ' ' . esc_attr( $color ) . ' ' . esc_attr( $padding ); ?>" style="display: none" value="<?php _e('Update Cart', 'mp-restaurant-menu'); ?>"/>
 	<input type="hidden" name="mprm_action" value="update_cart"/>
 	<?php
 }
@@ -206,9 +206,9 @@ function mprm_save_cart_button() {
 	$padding = mprm_get_option('checkout_padding', 'mprm-inherit');
 	$color = ($color == 'inherit') ? '' : $color;
 	if (models\Cart::get_instance()->is_cart_saved()) : ?>
-		<a class="mprm-cart-saving-button mprm-submit button<?php echo ' ' . $color . ' ' . $padding; ?>" id="mprm-restore-cart-button" href="<?php echo esc_url(add_query_arg(array('mprm_action' => 'restore_cart', 'mprm_cart_token' => models\Cart::get_instance()->get_cart_token()))); ?>"><?php _e('Restore Previous Cart', 'mp-restaurant-menu'); ?></a>
+		<a class="mprm-cart-saving-button mprm-submit button<?php echo ' ' . esc_attr( $color ) . ' ' . esc_attr( $padding ); ?>" id="mprm-restore-cart-button" href="<?php echo esc_url(add_query_arg(array('mprm_action' => 'restore_cart', 'mprm_cart_token' => models\Cart::get_instance()->get_cart_token()))); ?>"><?php _e('Restore Previous Cart', 'mp-restaurant-menu'); ?></a>
 	<?php endif; ?>
-	<a class="mprm-cart-saving-button mprm-submit button<?php echo ' ' . $color . ' ' . $padding; ?>" id="mprm-save-cart-button" href="<?php echo esc_url(add_query_arg('mprm_action', 'save_cart')); ?>"><?php _e('Save Cart', 'mp-restaurant-menu'); ?></a>
+	<a class="mprm-cart-saving-button mprm-submit button<?php echo ' ' . esc_attr( $color ) . ' ' . esc_attr( $padding ); ?>" id="mprm-save-cart-button" href="<?php echo esc_url(add_query_arg('mprm_action', 'save_cart')); ?>"><?php _e('Save Cart', 'mp-restaurant-menu'); ?></a>
 	<?php
 }
 
@@ -271,7 +271,7 @@ function mprm_success_page_cart_item($item, $order) {
 		<td>
 			<?php $price_id = models\Cart::get_instance()->get_cart_item_price_id($item); ?>
 
-			<div class="mprm_purchase_receipt_product_name mprm-post-<?php echo $post_type ?>">
+			<div class="mprm_purchase_receipt_product_name mprm-post-<?php echo esc_attr( $post_type ) ?>">
 				<?php echo esc_html($item['name']); ?>
 				<?php if (mprm_has_variable_prices($item['id']) && !is_null($price_id)) : ?>
 					<span class="mprm_purchase_receipt_price_name">&nbsp;&ndash;&nbsp;<?php echo mprm_get_price_option_name($item['id'], $price_id, $order->ID); ?></span>