' . "\r\n";
echo '
' . esc_html__( 'Add/Remove Subscribers', 'subscribe2-for-cp' ) . ' ' . "\r\n";
echo '
' . esc_html__( 'Add Registered User', 'subscribe2-for-cp' ) . '
' . "\r\n";
@@ -254,8 +262,8 @@
s2cp()->display_subscriber_dropdown( $what, __( 'Filter', 'subscribe2-for-cp' ), $exclude );
echo '' . "\r\n";
if ( $reminderform ) {
- echo '
' . "\r\n";
- echo '' . "\r\n";
+ echo '
' . "\r\n";
+ echo '' . "\r\n";
} else {
echo '
';
}
@@ -268,8 +276,9 @@
( '' === $exportcsv ) ? $exportcsv = $subscriber['user_email'] : $exportcsv .= ",\r\n" . $subscriber['user_email'];
}
}
- echo '
' . "\r\n";
- echo '' . "\r\n";
+ echo '
' . "\r\n";
+ wp_nonce_field( 's2_export_csv', '_s2_export_csv' );
+ echo '' . "\r\n";
} else {
echo '
';
}
diff --git a/classes/class-s2-admin.php b/classes/class-s2-admin.php
index b427da1..0b5d561 100644
--- a/classes/class-s2-admin.php
+++ b/classes/class-s2-admin.php
@@ -60,7 +60,7 @@ public function admin_hooks() {
register_uninstall_hook( S2PLUGIN, array( 'S2_Admin', 's2_uninstall' ) );
// capture CSV export
- if ( isset( $_POST['s2_admin'] ) && isset( $_POST['csv'] ) ) {
+ if ( isset( $_POST['s2_admin'] ) && isset( $_POST['csv'] ) && false !== wp_verify_nonce( $_POST['_s2_export_csv'], 's2_export_csv' ) ) {
$date = gmdate( 'Y-m-d' );
header( 'Content-Description: File Transfer' );
header( 'Content-type: application/octet-stream' );
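Review bot: `wp_verify_nonce( $_POST['_s2_export_csv'], ... )` on the changed line reads the key with no `isset()`, so a POST carrying `s2_admin` and `csv` but no nonce field (an old form, a stale tab, a forged request) raises an undefined-array-key warning before the nonce correctly fails, and the value is never unslashed. Guard it: `&& isset( $_POST['_s2_export_csv'] ) && false !== wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_s2_export_csv'] ) ), 's2_export_csv' )`. The same unguarded read recurs in option_form_js (`$_REQUEST['_wpnonce']`), one_click_profile_form_save, publish (`_s2meta_nonce`), register_post (`_s2_register`), s2_your_subscription_submit, shortcode (`$_POST['_wpnonce']`) and wpmu_subscribe (`$_GET['_s2mu_subscribe']`), as well as `$_POST['post_ID']` in the two meta handlers. admin_hooks continues outside the hunk.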
@@ -265,7 +265,9 @@ public function user_admin_css() {
public function option_form_js() {
wp_register_script( 's2_edit', S2URL . 'include/s2-edit' . $this->script_debug . '.js', array( 'jquery' ), '1.3', true );
wp_enqueue_script( 's2_edit' );
- if ( 'never' !== $this->subscribe2_options['email_freq'] || ( isset( $_POST['email_freq'] ) && 'never' !== $_POST['email_freq'] ) ) {
+ if ( 'never' !== $this->subscribe2_options['email_freq'] ||
+ ( isset( $_POST['email_freq'] ) && 'never' !== $_POST['email_freq'] && false !== wp_verify_nonce( $_REQUEST['_wpnonce'], 'subscribe2-options_subscribers' . S2VERSION ) )
+ ) {
wp_enqueue_script( 'jquery-ui-datepicker' );
wp_enqueue_style( 'jquery-style', 'https://ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/themes/smoothness/jquery-ui.css', array(), '1.12.1' );
wp_register_script( 's2_date_time', S2URL . 'include/s2-date-time' . $this->script_debug . '.js', array( 'jquery-ui-datepicker' ), '1.1', true );
@@ -455,13 +457,13 @@ public function s2_meta_init( $post_type, $post ) {
public function s2_override_meta() {
global $post_ID;
$s2mail = get_post_meta( $post_ID, '_s2mail', true );
- echo '
';
+ echo '
';
echo esc_html__( 'Check here to disable sending of an email notification for this post/page', 'subscribe2-for-cp' );
echo '
subscribe2_options['s2meta_default'] && '' === $s2mail ) ) {
echo ' checked="checked"';
}
- echo ' />';
+ echo '>';
}
/**
@@ -494,22 +496,19 @@ public function s2_meta_handler( $post_id ) {
*/
public function s2_preview_meta() {
echo '
' . esc_html__( 'Send preview email of this post to currently logged in user:', 'subscribe2-for-cp' ) . '
' . "\r\n";
- echo '
' . "\r\n";
+ echo '
' . "\r\n";
}
/**
* Meta preview box handler
*/
public function s2_preview_handler() {
- if ( isset( $_POST['s2_preview'] ) ) {
- if ( defined( 'DOING_CRON' ) && DOING_CRON ) {
- return;
- }
+ if ( isset( $_POST['s2_preview'] ) && false !== check_admin_referer( 'update-post_' . (int) $_POST['post_ID'] ) ) {
global $post, $current_user;
- if ( 'never' !== $this->subscribe2_options['email_freq'] ) {
- $this->subscribe2_cron( $current_user->user_email );
+ if ( 'never' !== s2cp()->subscribe2_options['email_freq'] ) {
+ s2cp()->subscribe2_cron( $current_user->user_email );
} else {
- $this->publish( $post, $current_user->user_email );
+ s2cp()->publish( $post, $current_user->user_email );
}
add_filter( 'redirect_post_location', array( $this, 's2_preview_redirect' ) );
}
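Review bot: `false !== check_admin_referer( ... )` is misleading: check_admin_referer() calls wp_die() on a missing or bad nonce and never returns false, so the only thing that can short-circuit this condition is `isset( $_POST['s2_preview'] )`. If the intent is to skip silently (the role the removed DOING_CRON early return played), verify instead of dying: `if ( isset( $_POST['s2_preview'], $_POST['post_ID'], $_POST['_wpnonce'] ) && false !== wp_verify_nonce( $_POST['_wpnonce'], 'update-post_' . (int) $_POST['post_ID'] ) ) {`. s2_resend_handler below has the identical construction. s2_preview_handler continues past the end of this hunk.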
@@ -527,19 +526,16 @@ public function s2_preview_redirect( $location ) {
*/
public function s2_resend_meta() {
echo '
' . esc_html__( 'Resend the notification email of this post to current subscribers:', 'subscribe2-for-cp' ) . '
' . "\r\n";
- echo '
' . "\r\n";
+ echo '
' . "\r\n";
}
/**
* Meta resend box handler
*/
public function s2_resend_handler() {
- if ( isset( $_POST['s2_resend'] ) ) {
- if ( defined( 'DOING_CRON' ) && DOING_CRON ) {
- return;
- }
+ if ( isset( $_POST['s2_resend'] ) && false !== check_admin_referer( 'update-post_' . (int) $_POST['post_ID'] ) ) {
global $post;
- $this->publish( $post );
+ s2cp()->publish( $post );
add_filter( 'redirect_post_location', array( $this, 's2_resend_redirect' ) );
}
}
@@ -555,16 +551,18 @@ public function s2_resend_redirect( $location ) {
* Admin notice after resend called
*/
public function s2_meta_notices() {
+ // phpcs:disable WordPress.Security.NonceVerification
if ( isset( $_GET['s2'] ) && 'resend' === $_GET['s2'] ) {
$class = 'notice notice-success is-dismissible';
- $message = __( 'Attempt made to resend email notification.', 'subscribe2-for-cp' );
+ $message = __( 'Attempt made to resend email notification.', 'subscribe2' );
echo '
' . esc_html( $message ) . '
';
}
if ( isset( $_GET['s2'] ) && 'preview' === $_GET['s2'] ) {
$class = 'notice notice-success is-dismissible';
- $message = __( 'Attempt made to send email preview.', 'subscribe2-for-cp' );
+ $message = __( 'Attempt made to send email preview.', 'subscribe2' );
echo '
' . esc_html( $message ) . '
';
}
+ // phpcs:enable WordPress.Security.NonceVerification
}
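Review bot: The two `__()` calls switch the text domain from `'subscribe2-for-cp'` to `'subscribe2'` while every neighbouring string in this file keeps `'subscribe2-for-cp'`, so these notices will no longer pick up the plugin's translation files. Unless a domain rename is intended for the whole plugin, these should stay `__( 'Attempt made to resend email notification.', 'subscribe2-for-cp' )` and `__( 'Attempt made to send email preview.', 'subscribe2-for-cp' )`. The same `'subscribe2'` domain appears in the new "Security error" strings in get_userid, s2_your_subscription_submit, shortcode, print_column_headers and process_bulk_action, in the "Enter email address..." default in shortcode, and in the Edit link in column_email.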
/* ===== WordPress menu helper functions ===== */
@@ -690,7 +688,7 @@ public function display_format_form( $formats, $selected = array() ) {
$colspan = 1;
}
echo '
' . "\r\n";
- echo ' ' . esc_html__( 'Select / Unselect All', 'subscribe2-for-cp' ) . ' ' . "\r\n";
+ echo ' ' . esc_html__( 'Select / Unselect All', 'subscribe2-for-cp' ) . ' ' . "\r\n";
echo ' ' . "\r\n";
echo '
' . "\r\n";
foreach ( $formats[0] as $format ) {
@@ -704,13 +702,13 @@ public function display_format_form( $formats, $selected = array() ) {
if ( in_array( $format, $selected, true ) ) {
echo ' checked="checked"';
}
- echo ' /> ' . esc_html( ucwords( $format ) ) . ' ' . "\r\n";
+ echo '> ' . esc_html( ucwords( $format ) ) . ' ' . "\r\n";
} else {
echo ' ' . esc_html( ucwords( $format ) ) . ' ' . "\r\n";
+ echo '> ' . esc_html( ucwords( $format ) ) . ' ' . "\r\n";
}
$i++;
}
@@ -827,7 +825,7 @@ public function display_subscriber_dropdown( $selected = 'registered', $submit =
echo '';
if ( false !== $submit ) {
- echo ' ' . "\r\n";
+ echo ' ' . "\r\n";
}
}
@@ -923,7 +921,7 @@ public function display_digest_choices() {
$schedule_sorted[ $key ] = $schedule[ $key ];
}
foreach ( $schedule_sorted as $key => $value ) {
- echo ' subscribe2_options['email_freq'], $key, false ) . ' />';
+ echo ' subscribe2_options['email_freq'], $key, false ) . '>';
echo ' ' . esc_html( $value['display'] ) . ' ' . "\r\n";
}
if ( $scheduled_time ) {
@@ -934,8 +932,8 @@ public function display_digest_choices() {
echo '' . esc_html__( 'Current blog time is', 'subscribe2-for-cp' ) . ': ' . "\r\n";
echo '' . esc_html( date_i18n( $date_format . ' @ ' . $time_format ) ) . '
' . "\r\n";
echo '' . esc_html__( 'Next email notification will be sent when your blog time is after', 'subscribe2-for-cp' ) . ': ' . "\r\n";
- echo ' ';
- echo ' ';
+ echo ' ';
+ echo ' ';
echo '' . esc_html( date_i18n( $date_format, $scheduled_time + $offset ) ) . ' ';
echo ' @ ' . esc_html( date_i18n( $time_format, $scheduled_time + $offset ) ) . ' ';
echo '' . esc_html__( 'Edit', 'subscribe2-for-cp' ) . ' ' . "\r\n";
@@ -956,7 +954,7 @@ public function display_digest_choices() {
echo '' . esc_html__( 'Revert', 'subscribe2-for-cp' ) . ' ' . "\r\n";
if ( ! empty( $this->subscribe2_options['last_s2cron'] ) ) {
echo '
' . esc_html__( 'Attempt to resend the last Digest Notification email', 'subscribe2-for-cp' ) . ': ';
- echo '
' . "\r\n";
+ echo ' ' . "\r\n";
}
} else {
echo ' ';
@@ -1255,7 +1253,7 @@ public function one_click_profile_form( $user ) {
echo '' . esc_html__( 'Email subscription', 'subscribe2-for-cp' ) . ' ' . "\r\n";
echo '' . "\r\n";
}
@@ -1264,7 +1262,7 @@ public function one_click_profile_form( $user ) {
* Handle submission from profile one-click subscription
*/
public function one_click_profile_form_save( $user_id ) {
- if ( current_user_can( 'edit_user', $user_id ) ) {
+ if ( current_user_can( 'edit_user', $user_id ) && false !== wp_verify_nonce( $_POST['_s2_one_click_profile'], 's2_one_click_profile' ) ) {
if ( isset( $_POST['sub2-one-click-subscribe'] ) && 1 === (int) $_POST['sub2-one-click-subscribe'] ) {
$this->one_click_handler( $user_id, 'subscribe' );
} else {
diff --git a/classes/class-s2-ajax.php b/classes/class-s2-ajax.php
index 6effc21..6eca5c0 100755
--- a/classes/class-s2-ajax.php
+++ b/classes/class-s2-ajax.php
@@ -52,8 +52,10 @@ public function add_ajax() {
public function s2_ajax_form_handler() {
require_once ABSPATH . '/wp-includes/shortcodes.php';
+ // phpcs:disable WordPress.Security.NonceVerification
$response = str_replace( ':', '&', $_POST['data'] );
$response = str_replace( '-', '=', $response );
+ // phpcs:enable WordPress.Security.NonceVerification
$atts = array();
wp_parse_str( $response, $atts );
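Review bot: The `phpcs:disable WordPress.Security.NonceVerification` pair silences the sniff but does not change what the handler does: `$_POST['data']` is still read without `isset()`, without `wp_unslash()`, and fed through `str_replace` into `wp_parse_str()`, whose output becomes the shortcode attributes. If the JavaScript already posts the `s2_form` nonce the shortcode now renders, a `check_ajax_referer( 's2_form', '_wpnonce' )` at the top of the handler would let the disable comment go away; if it cannot (unauthenticated visitors), at least read the value defensively, e.g. `$data = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';` before the replacements. s2_ajax_form_handler continues beyond this hunk, so the later use of `$atts` is not visible here.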
diff --git a/classes/class-s2-core.php b/classes/class-s2-core.php
index 1983112..8fff6c1 100644
--- a/classes/class-s2-core.php
+++ b/classes/class-s2-core.php
@@ -68,7 +68,7 @@ public function mail( $recipients = array(), $subject = '', $message = '', $type
remove_all_filters( 'wp_mail_content_type' );
add_filter( 'wp_mail_content_type', array( $this, 'html_email' ) );
if ( 'yes' === $this->subscribe2_options['stylesheet'] ) {
- $mailtext = (string) apply_filters( 's2_html_email', '' . $subject . ' ' . $message . '', $subject, $message ); // phpcs:ignore WordPress.WP.EnqueuedResources
+ $mailtext = (string) apply_filters( 's2_html_email', '' . $subject . ' ' . $message . '', $subject, $message ); // phpcs:ignore WordPress.WP.EnqueuedResources
} else {
$mailtext = (string) apply_filters( 's2_html_email', '' . $subject . ' ' . $message . '', $subject, $message );
}
@@ -276,7 +276,10 @@ public function publish( $post, $preview = '' ) {
if ( '' === $preview ) {
// we aren't sending a Preview to the current user so carry out checks
$s2mail = get_post_meta( $post->ID, '_s2mail', true );
- if ( ( isset( $_POST['s2_meta_field'] ) && 'no' === $_POST['s2_meta_field'] ) || 'no' === strtolower( trim( $s2mail ) ) ) {
+
+ if ( 'no' === strtolower( trim( $s2mail ) ) ||
+ ( isset( $_POST['s2_meta_field'] ) && 'no' === $_POST['s2_meta_field'] && false !== wp_verify_nonce( $_POST['_s2meta_nonce'], 's2meta_nonce' ) )
+ ) {
return $post;
}
@@ -1247,7 +1250,7 @@ public function register_form() {
}
if ( 'wpreg' === $this->subscribe2_options['autosub'] ) {
echo '';
- echo ' subscribe2_options['wpregdef'], 'yes', false ) . ' /> ';
+ echo ' subscribe2_options['wpregdef'], 'yes', false ) . '> ';
echo esc_html__( 'Check here to Subscribe to email notifications for new posts', 'subscribe2-for-cp' ) . "\r\n";
echo '
' . "\r\n";
} elseif ( 'yes' === $this->subscribe2_options['autosub'] ) {
@@ -1264,7 +1267,10 @@ public function register_post( $user_ID = 0 ) {
if ( 0 === $user_ID ) {
return;
}
- if ( 'yes' === $this->subscribe2_options['autosub'] || ( isset( $_POST['reg_subscribe'] ) && 'on' === $_POST['reg_subscribe'] && 'wpreg' === $this->subscribe2_options['autosub'] ) ) {
+
+ if ( 'yes' === $this->subscribe2_options['autosub'] ||
+ ( isset( $_POST['reg_subscribe'] ) && 'on' === $_POST['reg_subscribe'] && 'wpreg' === $this->subscribe2_options['autosub'] && false !== wp_verify_nonce( $_POST['_s2_register'], 's2_register' ) )
+ ) {
$this->register( $user_ID, true );
} else {
$this->register( $user_ID, false );
@@ -1279,7 +1285,7 @@ public function s2_comment_meta_form( $submit_field ) {
if ( is_user_logged_in() ) {
$comment_meta_form = $this->profile;
} else {
- $comment_meta_form = ' subscribe2_options['comment_def'], 'yes', false ) . '/> ' . __( 'Check here to Subscribe to notifications for new posts', 'subscribe2-for-cp' ) . '
';
+ $comment_meta_form = ' subscribe2_options['comment_def'], 'yes', false ) . '> ' . __( 'Check here to Subscribe to notifications for new posts', 'subscribe2-for-cp' ) . '
';
}
if ( 'before' === $this->subscribe2_options['comment_subs'] ) {
return $comment_meta_form . $submit_field;
@@ -1293,6 +1299,7 @@ public function s2_comment_meta_form( $submit_field ) {
*/
public function s2_comment_meta( $comment_id, $approved = 0 ) {
// return if email is empty - can happen if setting to require name and email for comments is disabled
+ // phpcs:disable WordPress.Security.NonceVerification
if ( isset( $_POST['email'] ) && empty( $_POST['email'] ) ) {
return;
}
@@ -1318,6 +1325,7 @@ public function s2_comment_meta( $comment_id, $approved = 0 ) {
break;
}
}
+ // phpcs:enable WordPress.Security.NonceVerification
}
/**
@@ -1848,6 +1856,7 @@ public function s2hooks() {
require_once S2PATH . 'classes/class-s2-multisite.php';
global $s2class_multisite;
$s2class_multisite = new S2_Multisite();
+ // phpcs:ignore WordPress.Security.NonceVerification
if ( isset( $_GET['s2mu_subscribe'] ) || isset( $_GET['s2mu_unsubscribe'] ) ) {
add_action( 'init', array( &$s2class_multisite, 'wpmu_subscribe' ) );
}
diff --git a/classes/class-s2-counter-widget.php b/classes/class-s2-counter-widget.php
index 2d992fe..b7d2e8e 100755
--- a/classes/class-s2-counter-widget.php
+++ b/classes/class-s2-counter-widget.php
@@ -92,27 +92,27 @@ public function form( $instance ) {
$s2w_font = htmlspecialchars( $instance['s2w_font'], ENT_QUOTES );
echo '' . "\r\n";
}
}
diff --git a/classes/class-s2-form-widget.php b/classes/class-s2-form-widget.php
index b89f131..2b00689 100755
--- a/classes/class-s2-form-widget.php
+++ b/classes/class-s2-form-widget.php
@@ -138,21 +138,21 @@ public function form( $instance ) {
echo '' . "\r\n";
echo '
' . esc_html__( 'Title', 'subscribe2-for-cp' ) . ':' . "\r\n";
- echo '
' . "\r\n";
+ echo '
' . "\r\n";
echo '
' . esc_html__( 'Div class name', 'subscribe2-for-cp' ) . ':' . "\r\n";
- echo '
' . "\r\n";
+ echo '
' . "\r\n";
echo '
' . esc_html__( 'Pre-Content', 'subscribe2-for-cp' ) . ':' . "\r\n";
echo '
' . "\r\n";
echo '
' . esc_html__( 'Post-Content', 'subscribe2-for-cp' ) . ':' . "\r\n";
echo '
' . "\r\n";
echo '
' . esc_html__( 'Text Box Size', 'subscribe2-for-cp' ) . ':' . "\r\n";
- echo '
' . "\r\n";
+ echo '
' . "\r\n";
echo '
' . esc_html__( 'Display options', 'subscribe2-for-cp' ) . ': ' . "\r\n";
- echo ' ' . esc_html__( 'Show complete form', 'subscribe2-for-cp' ) . ' ' . "\r\n";
- echo ' ' . esc_html__( 'Hide Subscribe button', 'subscribe2-for-cp' ) . ' ' . "\r\n";
- echo ' ' . esc_html__( 'Hide Unsubscribe button', 'subscribe2-for-cp' ) . ' ' . "\r\n";
+ echo ' ' . esc_html__( 'Show complete form', 'subscribe2-for-cp' ) . ' ' . "\r\n";
+ echo ' ' . esc_html__( 'Hide Subscribe button', 'subscribe2-for-cp' ) . ' ' . "\r\n";
+ echo ' ' . esc_html__( 'Hide Unsubscribe button', 'subscribe2-for-cp' ) . ' ' . "\r\n";
if ( '1' === s2cp()->subscribe2_options['ajax'] ) {
- echo ' ' . esc_html__( 'Show as link', 'subscribe2-for-cp' ) . ' ' . "\r\n";
+ echo ' ' . esc_html__( 'Show as link', 'subscribe2-for-cp' ) . ' ' . "\r\n";
}
echo '
' . "\r\n";
echo '
' . esc_html__( 'Post form content to page', 'subscribe2-for-cp' ) . ':' . "\r\n";
@@ -171,13 +171,13 @@ public function form( $instance ) {
s2cp()->pages_dropdown( $postto, true );
echo '
' . "\r\n";
echo '
' . esc_html__( 'Disable JavaScript', 'subscribe2-for-cp' ) . ':' . "\r\n";
- echo ' ';
+ echo ' ';
echo '
' . "\r\n";
echo '
' . esc_html__( 'Disable Anti-spam measures', 'subscribe2-for-cp' ) . ':' . "\r\n";
- echo ' ';
+ echo ' ';
echo '
' . "\r\n";
echo '
' . esc_html__( 'Disable wrapping of form buttons', 'subscribe2-for-cp' ) . ':' . "\r\n";
- echo ' ';
+ echo ' ';
echo '
' . "\r\n";
echo '
' . "\r\n";
}
diff --git a/classes/class-s2-forms.php b/classes/class-s2-forms.php
index 7e065f2..a109ae8 100755
--- a/classes/class-s2-forms.php
+++ b/classes/class-s2-forms.php
@@ -12,6 +12,10 @@ public function init() {
* Return appropriate user ID if user can edit other users subscriptions
*/
public function get_userid() {
+ if ( isset( $_GET['_wpnonce'] ) && false === wp_verify_nonce( $_GET['_wpnonce'], '_s2_edit_registered' ) ) {
+ die( '' . esc_html__( 'Security error! Your request cannot be completed.', 'subscribe2' ) . '
' );
+ }
+
if ( isset( $_GET['id'] ) ) {
if ( ! current_user_can( (string) apply_filters( 's2_capability', 'manage_options', 'manage' ) ) ) {
die( '' . esc_html__( 'Permission error! Your request cannot be completed.', 'subscribe2-for-cp' ) . '
' );
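Review bot: The new nonce check is opt-in: `isset( $_GET['_wpnonce'] ) && false === wp_verify_nonce( ... )` only fires when a nonce is present, so a request that simply omits `_wpnonce` skips verification altogether and proceeds to the `id` lookup below. If the nonce is meant to protect the `?page=s2&id=N` edit link (which column_email now signs with `_s2_edit_registered`), move the check inside the `isset( $_GET['id'] )` branch and make it mandatory: `if ( ! isset( $_GET['_wpnonce'] ) || false === wp_verify_nonce( $_GET['_wpnonce'], '_s2_edit_registered' ) ) {`. The capability check that follows still limits the impact here, but the same optional pattern in print_column_headers and process_bulk_action (`s2_subscriber_tab`) provides no CSRF protection at all for a request without the parameter. get_userid continues outside the hunk.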
@@ -40,23 +44,23 @@ public function s2_your_subscription_form( $userid ) {
return false;
}
- echo ' ';
+ echo ' ';
if ( 'never' === s2cp()->subscribe2_options['email_freq'] ) {
echo esc_html__( 'Receive email as', 'subscribe2-for-cp' ) . ': ';
- echo ' get_usermeta_keyname( 's2_format' ), true ), 'html', false ) . ' />';
+ echo ' get_usermeta_keyname( 's2_format' ), true ), 'html', false ) . '>';
echo ' ' . esc_html__( 'HTML - Full', 'subscribe2-for-cp' ) . ' ';
- echo ' get_usermeta_keyname( 's2_format' ), true ), 'html_excerpt', false ) . ' />';
+ echo ' get_usermeta_keyname( 's2_format' ), true ), 'html_excerpt', false ) . '>';
echo ' ' . esc_html__( 'HTML - Excerpt', 'subscribe2-for-cp' ) . ' ';
- echo ' get_usermeta_keyname( 's2_format' ), true ), 'post', false ) . ' />';
+ echo ' get_usermeta_keyname( 's2_format' ), true ), 'post', false ) . '>';
echo ' ' . esc_html__( 'Plain Text - Full', 'subscribe2-for-cp' ) . ' ';
- echo ' get_usermeta_keyname( 's2_format' ), true ), 'excerpt', false ) . ' />';
+ echo ' get_usermeta_keyname( 's2_format' ), true ), 'excerpt', false ) . '>';
echo ' ' . esc_html__( 'Plain Text - Excerpt', 'subscribe2-for-cp' ) . ' ' . "\r\n";
if ( 'yes' === s2cp()->subscribe2_options['show_autosub'] ) {
echo esc_html__( 'Automatically subscribe me to newly created categories', 'subscribe2-for-cp' ) . ': ';
- echo ' get_usermeta_keyname( 's2_autosub' ), true ), 'yes', false ) . ' />';
+ echo ' get_usermeta_keyname( 's2_autosub' ), true ), 'yes', false ) . '>';
echo ' ' . esc_html__( 'Yes', 'subscribe2-for-cp' ) . ' ';
- echo ' get_usermeta_keyname( 's2_autosub' ), true ), 'no', false ) . ' />';
+ echo ' get_usermeta_keyname( 's2_autosub' ), true ), 'no', false ) . '>';
echo ' ' . esc_html__( 'No', 'subscribe2-for-cp' ) . ' ';
echo '';
}
@@ -64,8 +68,8 @@ public function s2_your_subscription_form( $userid ) {
if ( 'yes' === s2cp()->subscribe2_options['one_click_profile'] ) {
// One-click subscribe and unsubscribe buttons
echo '' . esc_html__( 'One Click Subscription / Unsubscription', 'subscribe2-for-cp' ) . " \r\n";
- echo ' ';
- echo '
';
+ echo ' ';
+ echo '
';
}
// subscribed categories
@@ -96,11 +100,11 @@ public function s2_your_subscription_form( $userid ) {
if ( get_user_meta( $userid, s2cp()->get_usermeta_keyname( 's2_subscribed' ), true ) ) {
echo ' checked="checked"';
}
- echo ' /> ' . esc_html__( 'Yes', 'subscribe2-for-cp' ) . ' ' . esc_html__( 'Yes', 'subscribe2-for-cp' ) . ' get_usermeta_keyname( 's2_subscribed' ), true ) ) {
echo ' checked="checked"';
}
- echo ' /> ' . esc_html__( 'No', 'subscribe2-for-cp' );
+ echo '> ' . esc_html__( 'No', 'subscribe2-for-cp' );
echo ' ';
}
@@ -112,6 +116,7 @@ public function s2_your_subscription_form( $userid ) {
}
// list of subscribed blogs on Multisite installs
+ // phpcs:ignore WordPress.Security.NonceVerification
if ( s2cp()->s2_mu && ! isset( $_GET['email'] ) ) {
global $s2class_multisite;
$s2blog_id = $blog_id;
@@ -208,6 +213,10 @@ public function s2_your_subscription_form( $userid ) {
public function s2_your_subscription_submit() {
$userid = $this->get_userid();
+ if ( false === wp_verify_nonce( $_REQUEST['_wpnonce'], 'subscribe2-user_subscribers' . S2VERSION ) ) {
+ die( '' . esc_html__( 'Security error! Your request cannot be completed.', 'subscribe2' ) . '
' );
+ }
+
if ( isset( $_POST['submit'] ) ) {
if ( isset( $_POST['s2_format'] ) ) {
update_user_meta( $userid, s2cp()->get_usermeta_keyname( 's2_format' ), $_POST['s2_format'] );
@@ -303,7 +312,7 @@ public function display_category_form( $selected = array(), $override = 1, $comp
$colspan = 1;
}
echo '' . "\r\n";
- echo ' ' . esc_html__( 'Select / Unselect All', 'subscribe2-for-cp' ) . ' ' . "\r\n";
+ echo ' ' . esc_html__( 'Select / Unselect All', 'subscribe2-for-cp' ) . ' ' . "\r\n";
echo ' ' . "\r\n";
foreach ( $all_cats as $cat ) {
$cat_name = '';
@@ -324,7 +333,7 @@ public function display_category_form( $selected = array(), $override = 1, $comp
if ( in_array( (string) $cat->term_id, $compulsory, true ) && 'category' === $name ) {
echo ' DISABLED';
}
- echo ' /> ' . esc_html( $cat_name ) . ' ' . "\r\n";
+ echo '> ' . esc_html( $cat_name ) . ' ' . "\r\n";
$col++;
} else {
echo ' term_id, $compulsory, true ) && 'category' === $name ) {
echo ' DISABLED';
}
- echo ' /> ' . esc_html( $cat_name ) . ' ' . "\r\n";
+ echo '>
' . esc_html( $cat_name ) . ' ' . "\r\n";
$col = 1;
}
}
@@ -367,7 +376,7 @@ public function display_author_form( $selected = array() ) {
$colspan = 1;
}
echo '
' . "\r\n";
- echo ' ' . esc_html__( 'Select / Unselect All', 'subscribe2-for-cp' ) . ' ' . "\r\n";
+ echo ' ' . esc_html__( 'Select / Unselect All', 'subscribe2-for-cp' ) . ' ' . "\r\n";
echo ' ' . "\r\n";
echo '
' . "\r\n";
foreach ( $all_authors as $author ) {
@@ -380,13 +389,13 @@ public function display_author_form( $selected = array() ) {
if ( in_array( $author->ID, $selected, true ) ) {
echo ' checked="checked"';
}
- echo ' /> ' . esc_html( $author->display_name ) . '' . "\r\n";
+ echo '> ' . esc_html( $author->display_name ) . '' . "\r\n";
} else {
echo ' ID, $selected, true ) ) {
echo ' checked="checked"';
}
- echo ' /> ' . esc_html( $author->display_name ) . ' ' . "\r\n";
+ echo '> ' . esc_html( $author->display_name ) . '' . "\r\n";
}
}
echo ' ' . "\r\n";
diff --git a/classes/class-s2-frontend.php b/classes/class-s2-frontend.php
index 9d2aafa..49a1551 100644
--- a/classes/class-s2-frontend.php
+++ b/classes/class-s2-frontend.php
@@ -12,6 +12,8 @@ public function frontend_hooks() {
// load strings later on frontend for polylang plugin compatibility
add_action( 'wp', array( &$this, 'load_strings' ) );
+ // Frontend check and hook functions
+ // phpcs:ignore WordPress.Security.NonceVerification
if ( isset( $_REQUEST['s2'] ) ) {
// someone is confirming a request
add_filter( 'request', array( &$this, 'query_filter' ) );
@@ -23,6 +25,10 @@ public function frontend_hooks() {
add_shortcode( 'subscribe2', array( &$this, 'shortcode' ) );
add_filter( 'the_content', array( &$this, 'filter' ), 10 );
+ // amended kses allowed tags so form displays
+ add_filter( 'wp_kses_allowed_html', array( $this, 'extend_allowed_tags' ), 10, 2 );
+ add_filter( 'safe_style_css', array( $this, 'extend_allowed_styles' ) );
+
// add frontend actions for comment subscribers
if ( 'no' !== $this->subscribe2_options['comment_subs'] ) {
add_filter( 'comment_form_submit_field', array( &$this, 's2_comment_meta_form' ) );
@@ -128,12 +134,12 @@ public function shortcode( $atts ) {
// if a button is hidden, show only other
$hide = strtolower( $args['hide'] );
if ( 'subscribe' === $hide ) {
- $this->input_form_action = '
';
+ $this->input_form_action = '
';
} elseif ( 'unsubscribe' === $hide ) {
- $this->input_form_action = '
';
+ $this->input_form_action = '
';
} else {
// both form input actions
- $this->input_form_action = '
';
+ $this->input_form_action = '
';
}
// if ID is provided, get permalink
@@ -154,17 +160,21 @@ public function shortcode( $atts ) {
$action = ' action="' . get_permalink( $this->subscribe2_options['s2page'] ) . '"';
}
- // allow remote setting of email in form
+ $value = __( 'Enter email address...', 'subscribe2' );
+
+ if ( 'true' === strtolower( $args['nojs'] ) ) {
+ $value = '';
+ }
+
+ // allow remote setting of email in frontend form
+ // phpcs:disable WordPress.Security.NonceVerification
if ( isset( $_REQUEST['email'] ) ) {
$email = $this->sanitize_email( $_REQUEST['email'] );
+ if ( false !== $this->validate_email( $email ) ) {
+ $value = $email;
+ }
}
- if ( isset( $_REQUEST['email'] ) && false !== $this->validate_email( $email ) ) {
- $value = $email;
- } elseif ( 'true' === strtolower( $args['nojs'] ) ) {
- $value = '';
- } else {
- $value = __( 'Enter email address...', 'subscribe2-for-cp' );
- }
+ // phpcs:enable WordPress.Security.NonceVerification
// if wrap is true add paragraph html tags
$wrap_text = '';
@@ -176,9 +186,9 @@ public function shortcode( $atts ) {
$antispam_text = '';
if ( 'true' !== strtolower( $args['noantispam'] ) ) {
$antispam_text = '
';
- $antispam_text .= 'Leave This Blank: ';
- $antispam_text .= 'Leave This Blank Too: ';
- $antispam_text .= 'Do Not Change This: ';
+ $antispam_text .= 'Leave This Blank: ';
+ $antispam_text .= 'Leave This Blank Too: ';
+ $antispam_text .= 'Do Not Change This: ';
$antispam_text .= ' ';
}
@@ -192,13 +202,15 @@ public function shortcode( $atts ) {
$form_name = 's2form';
}
+ $s2_form_nonce = wp_nonce_field( 's2_form', '_wpnonce', true, false );
+
// build default form
if ( 'true' === strtolower( $args['nojs'] ) ) {
- $this->form = '
';
+ $this->form = '
';
} else {
- $this->form = '
' . "\r\n";
+ $this->form = '
' . "\r\n";
}
- $this->s2form = apply_filters( 's2_form', $this->form, $args );
+ $this->s2form = (string) apply_filters( 's2_form', $this->form, $args );
global $user_ID;
if ( 0 !== $user_ID ) {
@@ -206,6 +218,10 @@ public function shortcode( $atts ) {
}
if ( isset( $_POST['subscribe'] ) || isset( $_POST['unsubscribe'] ) ) {
+ if ( false === wp_verify_nonce( $_POST['_wpnonce'], 's2_form' ) ) {
+ return '
' . esc_html__( 'Security error! Your request cannot be completed.', 'subscribe2' ) . '
';
+ }
+
// anti spam sign up measure
if ( ( isset( $_POST['firstname'] ) && '' !== $_POST['firstname'] ) || ( isset( $_POST['lastname'] ) && '' !== $_POST['lastname'] ) || ( isset( $_POST['uri'] ) && 'http://' !== $_POST['uri'] ) ) {
// looks like some invisible-to-user fields were changed; falsely report success
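Review bot: A nonce on the public subscribe form interacts badly with page caching: for logged-out visitors the value from `wp_nonce_field( 's2_form', ... )` is bound to user 0 and a tick window (valid for at most 24 hours), so any page served from a full-page or CDN cache older than that hands out an expired nonce and every subscribe/unsubscribe POST then returns the "Security error" string below. Worth a comment at the verification site such as `// nonce lifetime is 12-24h; cached copies of this page will fail here`, and documenting that pages carrying the shortcode must be excluded from long-lived caching (or the nonce fetched dynamically). `$_POST['_wpnonce']` is also read without `isset()`, so a POST lacking it warns before failing. The enclosing `if` continues past the end of this hunk.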
@@ -276,6 +292,7 @@ public function shortcode( $atts ) {
}
}
}
+
return $this->s2form;
}
@@ -332,6 +349,7 @@ public function query_filter() {
*/
public function title_filter( $title ) {
if ( in_the_loop() ) {
+ // phpcs:ignore WordPress.Security.NonceVerification
$code = $_GET['s2'];
$action = intval( substr( $code, 0, 1 ) );
if ( 1 === $action ) {
@@ -354,6 +372,7 @@ public function confirm( $content = '' ) {
return $content;
}
+ // phpcs:disable WordPress.Security.NonceVerification
$code = $_GET['s2'];
$action = substr( $code, 0, 1 );
$hash = substr( $code, 1, 32 );
@@ -393,6 +412,7 @@ public function confirm( $content = '' ) {
if ( '' !== $this->message ) {
return $this->message;
}
+ // phpcs:enable WordPress.Security.NonceVerification
}
/**
@@ -577,6 +597,46 @@ public function tag_replace_ampersand( $tag ) {
return $tag;
}
+ /**
+ * Extend core html tags allow in wp_kses_post()
+ */
+ public function extend_allowed_tags( $allowedtags, $context ) {
+ if ( 'post' === $context ) {
+ $form_tags = array(
+ 'form' => array(
+ 'action' => true,
+ 'method' => true,
+ 'name' => true,
+ ),
+ 'input' => array(
+ 'id' => true,
+ 'name' => true,
+ 'onblur' => true,
+ 'onfocus' => true,
+ 'required' => true,
+ 'size' => true,
+ 'type' => true,
+ 'value' => true,
+ ),
+ 'label' => array(
+ 'for' => true,
+ ),
+ );
+
+ $allowedtags = array_merge( $allowedtags, $form_tags );
+ }
+
+ return $allowedtags;
+ }
+
+ /**
+ * Extend allowed CSS in wp_kses_post()
+ */
+ public function extend_allowed_styles( $styles ) {
+ $styles[] = 'display';
+ return $styles;
+ }
+
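Review bot: extend_allowed_tags widens the `post` kses context globally (it is hooked unconditionally in frontend_hooks), and the `input` entry allows `onblur` and `onfocus`; since core's wp_filter_post_kses sanitises saved post content for every role without `unfiltered_html` using that same `post` context, contributors and authors would gain the ability to store inline event handlers in posts, i.e. a stored-XSS vector created by this hardening commit. Drop `'onblur' => true,` and `'onfocus' => true,` (attach the placeholder behaviour from the plugin's enqueued script instead), and prefer not to leave the filter registered at all: either add it immediately before the plugin renders its own form and `remove_filter` it afterwards, or run `$this->s2form` through `wp_kses( $form, $form_tags )` with this array kept local. Allowing `form` with a free `action` on the global list has the same scope problem, if lesser severity. Both new methods are complete within the hunk.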
/* ===== define some variables ===== */
public $profile = '';
}
diff --git a/classes/class-s2-list-table.php b/classes/class-s2-list-table.php
index 44d8969..f99d118 100644
--- a/classes/class-s2-list-table.php
+++ b/classes/class-s2-list-table.php
@@ -29,8 +29,9 @@ public function column_default( $item, $column_name ) {
public function column_email( $item ) {
global $current_tab;
if ( 'registered' === $current_tab ) {
+ $url = wp_nonce_url( sprintf( '?page=s2&id=%d', rawurlencode( $item['id'] ) ), '_s2_edit_registered' );
$actions = array(
- 'edit' => sprintf( '
%s ', 's2', rawurlencode( $item['id'] ), __( 'Edit', 'subscribe2-for-cp' ) ),
+ 'edit' => sprintf( '
%s ', $url, __( 'Edit', 'subscribe2' ) ),
);
return sprintf( '%1$s %2$s', $item['email'], $this->row_actions( $actions ) );
} else {
@@ -54,13 +55,13 @@ public function column_date( $item ) {
}
public function column_cb( $item ) {
- $column = '
' . __( 'Checkbox for:', 'subscribe2-for-cp' ) . ' %1$s ';
+ $column = '
' . __( 'Checkbox for:', 'subscribe2-for-cp' ) . ' %1$s ';
return sprintf( $column, $item['email'], $this->_args['singular'], $item['email'] );
}
public function get_columns() {
$columns = array(
- 'cb' => '
',
+ 'cb' => '
',
'email' => _x( 'Email', 'column name', 'subscribe2-for-cp' ),
'date' => _x( 'Date', 'column name', 'subscribe2-for-cp' ),
);
@@ -78,9 +79,14 @@ public function get_sortable_columns() {
public function print_column_headers( $with_id = true ) {
list( $columns, $hidden, $sortable, $primary ) = $this->get_column_info();
+ // phpcs:ignore WordPress.Security.NonceVerification
$current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
$current_url = remove_query_arg( 'paged', $current_url );
+ if ( isset( $_GET['_wpnonce'] ) && false === wp_verify_nonce( $_GET['_wpnonce'], 's2_subscriber_tab' ) ) {
+ die( '
' . esc_html__( 'Security error! Your request cannot be completed.', 'subscribe2' ) . '
' );
+ }
+
if ( isset( $_REQUEST['what'] ) ) {
$current_url = add_query_arg(
array(
@@ -105,7 +111,7 @@ public function print_column_headers( $with_id = true ) {
if ( ! empty( $columns['cb'] ) ) {
static $cb_counter = 1;
$columns['cb'] = '
' . __( 'Select All', 'subscribe2-for-cp' ) . ' '
- . '
';
+ . '
';
$cb_counter++;
}
@@ -148,7 +154,7 @@ public function print_column_headers( $with_id = true ) {
$class = "class='" . join( ' ', $class ) . "'";
}
- echo "<$tag $scope $id $class>$column_display_name$tag>"; // phpcs:ignore WordPress.Security.EscapeOutput
+ echo wp_kses_post( "<$tag $scope $id $class>$column_display_name$tag>" );
}
}
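Review bot: Wrapping the header cell in `wp_kses_post()` will strip the select-all checkbox: `$columns['cb']` (built a few lines above) contains an `<input>`, which is not in core's `post` allow-list, so the element survives only if extend_allowed_tags happens to be registered on the admin screen — and that filter is added in frontend_hooks, which presumably does not run in wp-admin. Core's WP_List_Table prints this line unescaped for the same reason. Either keep the original line with its `// phpcs:ignore WordPress.Security.EscapeOutput` and a comment stating that `$column_display_name` is plugin-built markup, or escape with a local allow-list: `echo wp_kses( "<$tag $scope $id $class>$column_display_name</$tag>", $allowed_header_html );` where `$allowed_header_html` adds `input` (`id`, `type`) and `label` (`for`) to the defaults.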
@@ -173,6 +179,11 @@ public function get_bulk_actions() {
public function process_bulk_action() {
global $current_user, $subscribers;
+
+ if ( isset( $_GET['_wpnonce'] ) && false === wp_verify_nonce( $_GET['_wpnonce'], 's2_subscriber_tab' ) ) {
+ die( '
' . esc_html__( 'Security error! Your request cannot be completed.', 'subscribe2' ) . '
' );
+ }
+
if ( in_array( $this->current_action(), array( 'delete', 'toggle' ), true ) ) {
if ( ! isset( $_REQUEST['subscriber'] ) ) {
echo '
' . esc_html__( 'No users were selected.', 'subscribe2-for-cp' ) . '
';
@@ -241,14 +252,16 @@ public function pagination( $which ) {
// Translators: Pagination
$output = '
' . sprintf( _n( '%s item', '%s items', $total_items, 'subscribe2-for-cp' ), number_format_i18n( $total_items ) ) . ' ';
- if ( isset( $_POST['what'] ) ) {
- if ( isset( $_POST['paged'] ) ) {
- $current = intval( $_POST['paged'] );
- } else {
- $current = 1;
+ $current = intval( $this->get_pagenum() );
+
+ if ( isset( $_POST['_wpnonce'] ) && false !== wp_verify_nonce( $_POST['_wpnonce'], 'bulk-' . $this->_args['plural'] ) ) {
+ if ( isset( $_POST['what'] ) ) {
+ if ( isset( $_POST['paged'] ) ) {
+ $current = intval( $_POST['paged'] );
+ } else {
+ $current = 1;
+ }
}
- } else {
- $current = intval( $this->get_pagenum() );
}
$current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
@@ -325,7 +338,7 @@ public function pagination( $which ) {
$total_pages_before = '
' . __( 'Current Page', 'subscribe2-for-cp' ) . ' ';
} else {
$html_current_page = sprintf(
- "%s ",
+ "%s ",
'' . __( 'Current Page', 'subscribe2-for-cp' ) . ' ',
$current,
strlen( $total_pages )
@@ -415,22 +428,33 @@ public function prepare_items() {
}
function usort_reorder( $a, $b ) {
- $orderby = ( ! empty( $_REQUEST['orderby'] ) ) ? $_REQUEST['orderby'] : 'email';
- $order = ( ! empty( $_REQUEST['order'] ) ) ? $_REQUEST['order'] : 'asc';
- $result = strcasecmp( $a[ $orderby ], $b[ $orderby ] );
+ $orderby = 'email';
+ $order = 'asc';
+
+ if ( isset( $_GET['_s2_order_nonce'] ) && false !== wp_verify_nonce( $_GET['_s2_order_nonce'], 's2_subscriber_order' ) ) {
+ $orderby = ( ! empty( $_REQUEST['orderby'] ) ) ? $_REQUEST['orderby'] : $orderby;
+ $order = ( ! empty( $_REQUEST['order'] ) ) ? $_REQUEST['order'] : $order;
+ }
+
+ $result = strcasecmp( $a[ $orderby ], $b[ $orderby ] );
+
return ( 'asc' === $order ) ? $result : -$result;
}
+
usort( $data, 'usort_reorder' );
- if ( isset( $_POST['what'] ) ) {
- if ( isset( $_POST['paged'] ) ) {
- $current_page = intval( $_POST['paged'] );
- } else {
- $current_page = 1;
+ $current_page = (int) $this->get_pagenum();
+
+ if ( isset( $_POST['_wpnonce'] ) && false !== wp_verify_nonce( $_POST['_wpnonce'], 'bulk-' . $this->_args['plural'] ) ) {
+ if ( isset( $_POST['what'] ) ) {
+ if ( isset( $_POST['paged'] ) ) {
+ $current_page = intval( $_POST['paged'] );
+ } else {
+ $current_page = 1;
+ }
}
- } else {
- $current_page = $this->get_pagenum();
}
+
$total_items = count( $data );
$data = array_slice( $data, ( $current_page - 1 ) * $per_page, $per_page );
$this->items = $data;
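Review bot: The added nonce check sits inside the `usort_reorder` comparator, so `wp_verify_nonce()` and its hashing run once per comparison rather than once per request, and `$orderby` is still taken straight from `$_REQUEST` as the row key in `strcasecmp( $a[ $orderby ], $b[ $orderby ] )` without being checked against the keys a row actually has, so an unexpected value raises an undefined-index warning on every comparison. Resolve `$orderby` and `$order` once before sorting, restrict `$orderby` to the sortable column keys (assuming the keys of `get_sortable_columns()` match the row keys here) and `$order` to `asc`/`desc`, then sort with a closure that captures them. `usort_reorder` is also declared as a named function inside the method, so calling prepare_items twice in one request would hit a redeclaration error; the closure form avoids that as well. prepare_items starts before this hunk.
```php
$orderby = 'email';
$order   = 'asc';

if ( isset( $_GET['_s2_order_nonce'] ) && false !== wp_verify_nonce( $_GET['_s2_order_nonce'], 's2_subscriber_order' ) ) {
	$requested = isset( $_REQUEST['orderby'] ) ? sanitize_key( $_REQUEST['orderby'] ) : '';
	if ( array_key_exists( $requested, $this->get_sortable_columns() ) ) {
		$orderby = $requested;
	}
	if ( isset( $_REQUEST['order'] ) && 'desc' === strtolower( $_REQUEST['order'] ) ) {
		$order = 'desc';
	}
}

usort(
	$data,
	static function ( $a, $b ) use ( $orderby, $order ) {
		$result = strcasecmp( $a[ $orderby ], $b[ $orderby ] );
		return ( 'asc' === $order ) ? $result : -$result;
	}
);

// … unchanged: $current_page resolution and array_slice of $data …
```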
diff --git a/classes/class-s2-multisite.php b/classes/class-s2-multisite.php
index fbd0517..4a85bc7 100644
--- a/classes/class-s2-multisite.php
+++ b/classes/class-s2-multisite.php
@@ -6,7 +6,7 @@ class S2_Multisite {
*/
public function wpmu_subscribe() {
// subscribe to new blog
- if ( ! empty( $_GET['s2mu_subscribe'] ) ) {
+ if ( ! empty( $_GET['s2mu_subscribe'] ) && false !== wp_verify_nonce( $_GET['_s2mu_subscribe'], 's2mu_subscribe' ) ) {
$sub_id = intval( $_GET['s2mu_subscribe'] );
if ( $sub_id >= 0 ) {
switch_to_blog( $sub_id );
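Review bot: `$_GET['_s2mu_subscribe']` is read without an `isset()` guard on the changed line, so a plain `s2mu_subscribe=N` request that lacks the nonce parameter emits an undefined-index warning before `wp_verify_nonce()` returns false; `isset( $_GET['_s2mu_subscribe'] ) && false !== wp_verify_nonce( $_GET['_s2mu_subscribe'], 's2mu_subscribe' )` keeps the check quiet. The same applies to `$_GET['_s2mu_unsubscribe']` in the next hunk. The nonce action is also not tied to the blog id, so a nonce issued for one blog is accepted for any `s2mu_subscribe` value; binding the action to the id, `'s2mu_subscribe_' . $sub_id`, would narrow that, provided the link-generating side, which is outside this diff, is updated to match. wpmu_subscribe continues past the end of the hunk.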
@@ -39,7 +39,7 @@ public function wpmu_subscribe() {
update_user_meta( $user_ID, s2cp()->get_usermeta_keyname( 's2_subscribed' ), $cats_string );
}
}
- } elseif ( ! empty( $_GET['s2mu_unsubscribe'] ) ) {
+ } elseif ( ! empty( $_GET['s2mu_unsubscribe'] ) && false !== wp_verify_nonce( $_GET['_s2mu_unsubscribe'], 's2mu_unsubscribe' ) ) {
// unsubscribe from a blog
$unsub_id = intval( $_GET['s2mu_unsubscribe'] );
if ( $unsub_id >= 0 ) {
diff --git a/include/s2-colorpicker.js b/include/s2-colorpicker.js
index 145899e..9ef9523 100755
--- a/include/s2-colorpicker.js
+++ b/include/s2-colorpicker.js
@@ -7,12 +7,12 @@
( function( jQuery ){
function initColorPicker( widget ) {
widget.find( '.colorpickerField' ).not( '[id*="__i__"]' ).wpColorPicker( {
- change: function( e, ui ) {
- jQuery( e.target ).val( ui.color.toString() );
- jQuery( e.target ).trigger( 'change' );
+ change: function( event, ui ) {
+ jQuery( event.target ).val( ui.color.toString() );
+ jQuery( event.target ).trigger( 'change' );
},
- clear: function( e ) {
- jQuery( e.target ).trigger( 'change' );
+ clear: function( event ) {
+ jQuery( event.target ).trigger( 'change' );
}
} );
}
diff --git a/include/s2-dismiss.js b/include/s2-dismiss.js
index 8f12fcf..9581d58 100755
--- a/include/s2-dismiss.js
+++ b/include/s2-dismiss.js
@@ -10,7 +10,6 @@ jQuery( document ).on(
var data = {
'action': 's2_dismiss_notice',
'nonce': s2DismissScriptStrings.nonce
-
};
jQuery.post( ajaxurl, data );
}
diff --git a/include/s2-user-admin.css b/include/s2-user-admin.css
index 83842c6..d6b33dc 100755
--- a/include/s2-user-admin.css
+++ b/include/s2-user-admin.css
@@ -1,92 +1,83 @@
-ul.s2_blogs
-{
- float: left;
+ul.s2_blogs {
+ float: left;
- width: 99%;
+ width: 99%;
}
-ul.s2_blogs li
-{
- position: relative;
+ul.s2_blogs li {
+ position: relative;
- display: block;
- float: left;
+ display: block;
+ float: left;
- width: 47%;
- margin: 3px;
- padding: .5em;
+ width: 47%;
+ margin: 3px;
+ padding: .5em;
- white-space: nowrap;
+ white-space: nowrap;
- border: 1px solid #e0e0e0;
- background-color: #e3e3e3;
+ border: 1px solid #e0e0e0;
+ background-color: #e3e3e3;
}
-ul.s2_blogs li:hover
-{
- border-color: #666;
+ul.s2_blogs li:hover {
+ border-color: #666;
}
-ul.s2_blogs li .name
-{
- display: block;
- float: left;
+ul.s2_blogs li .name {
+ display: block;
+ float: left;
}
-ul.s2_blogs li .buttons
-{
- font-size: .8em;
+ul.s2_blogs li .buttons {
+ font-size: .8em;
- display: block;
- float: right;
+ display: block;
+ float: right;
- margin-left: -6px;
+ margin-left: -6px;
- white-space: nowrap;
+ white-space: nowrap;
}
-ul.s2_blogs li .buttons a
-{
- display: block;
- float: left;
+ul.s2_blogs li .buttons a {
+ display: block;
+ float: left;
- margin: 0 0 0 1em;
- padding: .1em .5em;
+ margin: 0 0 0 1em;
+ padding: .1em .5em;
- color: white;
- background-color: #666;
+ color: white;
+ background-color: #666;
}
-ul.s2_blogs li .buttons a:hover
-{
- color: #666;
- background-color: whitesmoke;
+ul.s2_blogs li .buttons a:hover {
+ color: #666;
+ background-color: whitesmoke;
}
-ul.s2_blogs div.additional_info
-{
- font-style: italic;
+ul.s2_blogs div.additional_info {
+ font-style: italic;
- position: absolute;
- z-index: 9;
- bottom: 2.4em;
- left: -2px;
+ position: absolute;
+ z-index: 9;
+ bottom: 2.4em;
+ left: -2px;
- display: none;
+ display: none;
- width: 75%;
- margin-bottom: 2px;
- padding: .5em 1em;
+ width: 75%;
+ margin-bottom: 2px;
+ padding: .5em 1em;
- color: #fff;
- border: 1px solid white;
- border-bottom: medium none;
- -moz-border-radius-topleft: .5em;
- -moz-border-radius-topright: .5em;
- background-color: #666;
+ color: #fff;
+ border: 1px solid white;
+ border-bottom: medium none;
+ -moz-border-radius-topleft: .5em;
+ -moz-border-radius-topright: .5em;
+ background-color: #666;
}
-ul.s2_blogs li:hover div.additional_info
-{
- display: block;
+ul.s2_blogs li:hover div.additional_info {
+ display: block;
}
diff --git a/subscribe2.php b/subscribe2.php
index 3f29edf..878bfdd 100644
--- a/subscribe2.php
+++ b/subscribe2.php
@@ -6,6 +6,7 @@
Version: 11.7
Author: Matthew Robinson
Author URI: https://subscribe2.wordpress.com/
+Premium URI: https://checkout.freemius.com/mode/dialog/plugin/5502/plan/8921/
Licence: GPLv3
Requires at least: 4.4
Requires CP: 1.0
diff --git a/tinymce/css/content.css b/tinymce/css/content.css
index 24fbe51..174eb8e 100644
--- a/tinymce/css/content.css
+++ b/tinymce/css/content.css
@@ -1,12 +1,11 @@
-.mceSubscribe2
-{
- display: block;
+.mceSubscribe2 {
+ display: block;
- width: 100%;
- height: 12px;
- margin-top: 15px;
+ width: 100%;
+ height: 12px;
+ margin-top: 15px;
- border: 0;
- border-top: 1px;
- background: url(../../include/s2-marker.png) center top no-repeat #fff;
+ border: 0;
+ border-top: 1px;
+ background: url(../../include/s2-marker.png) center top no-repeat #fff;
}
diff --git a/tinymce/editor-plugin4.js b/tinymce/editor-plugin4.js
index b879534..f7e593a 100755
--- a/tinymce/editor-plugin4.js
+++ b/tinymce/editor-plugin4.js
@@ -5,7 +5,7 @@
'tinymce.plugins.Subscribe2Plugin',
{
init: function( ed, url ) {
- var i = 0,
+ var i = 0,
pb = '
',
cls = 'mceSubscribe2',
shortcode = '[subscribe2]',
@@ -105,4 +105,4 @@
// Register plugin
tinymce.PluginManager.add( 'subscribe2', tinymce.plugins.Subscribe2Plugin );
-}() );
+} )();