From b31497a54d1cdcdb92dd70a1482aa507be4efc6d Mon Sep 17 00:00:00 2001 From: John Paul Balagolan Date: Wed, 15 Jun 2022 21:37:30 +0800 Subject: [PATCH 1/2] WP-268 implement further escaping and sanitizing of data --- blocks/subject-resources-block-v2/init.php | 18 ++++++------ includes/init.php | 3 +- includes/oer-functions.php | 16 +++++------ includes/related-resources.php | 2 +- includes/resources-importer.php | 2 +- oer_template/resource-subject-area.php | 23 ++++++++-------- oer_template/search-layout.php | 8 +++--- oer_template/single-resource-audio.php | 4 +-- oer_template/single-resource-pdf.php | 10 +++---- oer_template/single-resource-standard.php | 10 +++---- oer_template/single-resource-video.php | 6 ++-- oer_template/single-resource-website.php | 4 +-- oer_template/single-resource-youtube.php | 4 +-- open-educational-resources.php | 32 +++++++++++----------- widgets/class-subject-area-widget.php | 4 +-- 15 files changed, 72 insertions(+), 74 deletions(-) diff --git a/blocks/subject-resources-block-v2/init.php b/blocks/subject-resources-block-v2/init.php index a4f5ecd..445f41e 100644 --- a/blocks/subject-resources-block-v2/init.php +++ b/blocks/subject-resources-block-v2/init.php 
@@ -591,16 +591,14 @@ function oer_ajax_get_subject_resources(){ // Sanitize POST parameters $params = array(); $params['action'] = sanitize_text_field($_POST['action']); - $attributes = $_POST['attributes']; - foreach($attributes as $attribute){ - $attribute['displayCount'] = sanitize_text_field($attribute['displayCount']); - $attribute['selectedSubject'] = sanitize_text_field($attribute['selectedSubject']); - $attribute['sort'] = sanitize_text_field($attribute['sort']); - $attribute['isChanged'] = sanitize_text_field($attribute['isChanged']); - $attribute['blockId'] = sanitize_text_field($attribute['blockId']); - $attribute['firstLoad'] = sanitize_text_field($attribute['firstLoad']); - } - $params['attributes'] = $attributes; + $params['attributes'] = $_POST['attributes']; + array_walk($params['attributes'], function(&$value, &$key){ + $value['displayCount'] = sanitize_text_field($value['displayCount']); + $value['sort'] = sanitize_text_field($value['sort']); + $value['isChanged'] = sanitize_text_field($value['isChanged']); + $value['blockId'] = sanitize_text_field($value['blockId']); + $value['firstLoad'] = sanitize_text_field($value['firstLoad']); + }); $resources = oer_get_subject_resources($params, true); echo wp_kses($resources,$allowed_tags); diff --git a/includes/init.php b/includes/init.php index c1123c7..b001602 100644 --- a/includes/init.php +++ b/includes/init.php @@ -697,9 +697,8 @@ function oer_save_customfields() // Save Related Resource if(isset($_POST['oer_related_resource'])) { - update_post_meta( $post->ID , 'oer_related_resource' , addslashes($_POST['oer_related_resource'])); + update_post_meta( $post->ID , 'oer_related_resource' , sanitize_text_field($_POST['oer_related_resource'])); } - } } } diff --git a/includes/oer-functions.php b/includes/oer-functions.php index 8c4be98..f8d45ea 100644 --- a/includes/oer-functions.php +++ b/includes/oer-functions.php 
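Review bot: The `array_walk` callback drops `selectedSubject`, which the removed loop listed, so that attribute now reaches `oer_get_subject_resources()` unsanitized while every sibling key goes through `sanitize_text_field()`; add `$value['selectedSubject'] = sanitize_text_field($value['selectedSubject']);` next to the others. The old `foreach` copied each element by value, so its sanitizing never took effect — this rewrite is the first time the keys are actually cleaned, which makes the missing one matter more. `array_walk` passes the key by value, so the `&$key` parameter is unnecessary and, as far as I recall, triggers a by-reference warning; write `function(&$value, $key)`. `$_POST['attributes']` is handed to `array_walk` without an `is_array()` check, so a scalar or absent parameter hits `array_walk` with a non-array; guard it with `$params['attributes'] = (isset($_POST['attributes']) && is_array($_POST['attributes'])) ? $_POST['attributes'] : array();`. The function begins before this hunk, so whether a nonce or capability check precedes these reads is not visible here.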
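Review bot: `sanitize_text_field()` on `oer_related_resource` is a sound replacement for `addslashes()` (which added a second layer of slashes on top of the ones WordPress already applies to `$_POST`, and `update_post_meta()` only strips one), but it still accepts any text, and nothing here checks that the stored value refers to an existing post. If this meta holds a post ID or a list of IDs — which the name suggests, though the consumer is outside this hunk — `absint()`, or `array_map('absint', …)` for a list, would be the tighter sanitizer and would let a later `get_post()` lookup fail cleanly. `oer_save_customfields()` starts before the hunk, so the nonce and `current_user_can()` checks that should guard this write are not visible here.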
@@ -36,7 +36,7 @@ function oer_get_sub_standard($id, $oer_standard) $subchildren = oer_get_substandard_children($id); $child = oer_check_child($id); - echo "
  • + echo "
  • "; if(!empty($subchildren) || !empty($child)) @@ -44,8 +44,8 @@ function oer_get_sub_standard($id, $oer_standard) echo ""; } - echo " - ".$result['standard_title']." + echo " + ".esc_html($result['standard_title'])."
    "; $id = 'sub_standards-'.$result['id']; @@ -91,17 +91,17 @@ function oer_get_standard_notation($id, $oer_standard) } } - echo "
  • + echo "
  • "; if(!empty($child)) { echo ""; } - echo " - ". $result['standard_notation']." + echo " + ". esc_html($result['standard_notation'])."
    -
    ". $result['description']."
    "; +
    ". wp_kses_post($result['description'])."
    "; oer_get_standard_notation($id, $oer_standard); @@ -1997,7 +1997,7 @@ function oer_get_sort_box($subjects=array()){
  • class="cs-selected">Z-A
  • - diff --git a/includes/related-resources.php b/includes/related-resources.php index 868dc8b..f805fbf 100644 --- a/includes/related-resources.php +++ b/includes/related-resources.php @@ -39,7 +39,7 @@
    -
    +
    post_content, 60); ?>
    diff --git a/includes/resources-importer.php b/includes/resources-importer.php index d09d3ed..2c7335f 100644 --- a/includes/resources-importer.php +++ b/includes/resources-importer.php @@ -2,7 +2,7 @@
    -
    +
    diff --git a/oer_template/resource-subject-area.php b/oer_template/resource-subject-area.php index 4f3484a..32806ed 100644 --- a/oer_template/resource-subject-area.php +++ b/oer_template/resource-subject-area.php @@ -19,6 +19,7 @@ wp_localize_script( "ajax-script", "oer_ajax_object", array("ajaxurl" => admin_url( 'admin-ajax.php' ))); //Add this hack to display top nav and head section on Eleganto theme +$_rsort = ""; $cur_theme = wp_get_theme(); $theme = $cur_theme->get('Name'); if ($theme == "Eleganto"){ @@ -435,18 +436,18 @@ $content = substr($content, 0, 180).$ellipsis; - $img_path = $new_img_path = parse_url($img_url[0]); - $image_path = $img_path['path']; - - $pos = strpos($image_path,$site_dir_path); - if ($pos==0){ - $image_path = substr_replace($image_path, "", $pos, strlen($site_dir_path)); - } - - $img_path = sanitize_url($site_path . $image_path); - if(!empty($img_url)) { + $img_path = $new_img_path = parse_url($img_url[0]); + $image_path = $img_path['path']; + + $pos = strpos($image_path,$site_dir_path); + if ($pos==0){ + $image_path = substr_replace($image_path, "", $pos, strlen($site_dir_path)); + } + + $img_path = sanitize_url($site_path . $image_path); + //Resize Image using WP_Image_Editor $image_editor = wp_get_image_editor($img_path); if ( !is_wp_error($image_editor) ) { @@ -555,7 +556,7 @@ if (strpos($base_url,"page")) $base_url = substr($base_url,0,strpos($base_url, "page")-1); - echo ''; + echo ''; } ?>
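Review bot: `if ($pos==0)` on the relocated lines still uses loose comparison, and `strpos()` returns `false` when `$site_dir_path` is not a prefix of the path, so `false == 0` holds and `substr_replace()` chops `strlen($site_dir_path)` bytes off the front of an unrelated path before it reaches `sanitize_url()` and `wp_get_image_editor()`; use `if ($pos === 0)`. `parse_url($img_url[0])` can return `false`, or an array with no `path` element, for a malformed or relative URL, in which case `$img_path['path']` raises a warning and the rest of the branch runs on `null`; `$image_path = isset($img_path['path']) ? $img_path['path'] : '';` keeps that from propagating. Moving the block inside `if(!empty($img_url))` is right, but `$img_url[0]` is only meaningful if `$img_url` is an array — add an `is_array($img_url)` check if it can be a string here. The loop this hunk sits in starts and ends outside the hunk.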
    diff --git a/oer_template/search-layout.php b/oer_template/search-layout.php index 2ea4910..e39626b 100644 --- a/oer_template/search-layout.php +++ b/oer_template/search-layout.php @@ -67,7 +67,7 @@ } ?>
    -
    +
    @@ -238,7 +238,7 @@ settings->get( 'search_featured_images' ) ) || ( ! is_search() && Avada()->settings->get( 'featured_images' ) ) ) && 'large-alternate' !== $blog_layout ) : ?> settings->get( 'post_meta_read' ) ) : ?> ID ) || 'yes' === fusion_get_page_option( 'post_links_target', $post->ID ) ) ? ' target="_blank" rel="noopener noreferrer"' : ''; ?> - > + > @@ -388,7 +388,7 @@
    settings->get( 'post_meta_read' ) ) : ?> ID ) || 'yes' === fusion_get_page_option( 'post_links_target', $post->ID ) ) ? ' target="_blank" rel="noopener noreferrer"' : ''; ?> - > + > diff --git a/oer_template/single-resource-audio.php b/oer_template/single-resource-audio.php index 9d4b2f3..cd21f94 100644 --- a/oer_template/single-resource-audio.php +++ b/oer_template/single-resource-audio.php @@ -126,7 +126,7 @@ else echo '
  • '.wp_kses($subject,$allowed_tags).'
  • '; if (($i==2) && ($cnt>2)) - echo '
  • SEE '.$moreCnt.' MORE +
  • '; + echo '
  • SEE '.esc_html($moreCnt).' MORE +
  • '; $i++; } ?> @@ -157,7 +157,7 @@ else echo "
  • ".esc_html($curriculum['post_title'])."
  • "; if (($i==2) && ($cnt>2)) - echo '
  • SEE '.$moreCnt.' MORE +
  • '; + echo '
  • SEE '.esc_html($moreCnt).' MORE +
  • '; $i++; } ?> diff --git a/oer_template/single-resource-pdf.php b/oer_template/single-resource-pdf.php index 4235c7d..3d6ea87 100644 --- a/oer_template/single-resource-pdf.php +++ b/oer_template/single-resource-pdf.php @@ -8,7 +8,7 @@ if ($isExternal) { $external_option = get_option("oer_external_pdf_viewer"); if ($external_option==1) { - $pdf_url = "https://docs.google.com/gview?url=".$url."&embedded=true"; + $pdf_url = "https://docs.google.com/gview?url=".esc_url_raw($url)."&embedded=true"; echo oer_get_embed_code_frame($pdf_url); } elseif($external_option==0) { $embed_disabled = true; @@ -20,7 +20,7 @@ $embed_disabled = true; break; case 1: - $pdf_url = "https://docs.google.com/gview?url=".$url."&embedded=true"; + $pdf_url = "https://docs.google.com/gview?url=".esc_url_raw($url)."&embedded=true"; echo oer_get_embed_code_frame($pdf_url); break; case 2: @@ -46,7 +46,7 @@ break; case 5: if(shortcode_exists('pdfviewer')){ - $embed_code = "[pdfviewer width='100%']".$url."[/pdfviewer]"; + $embed_code = "[pdfviewer width='100%']".esc_url_raw($url)."[/pdfviewer]"; echo do_shortcode($embed_code); } else { $embed_disabled = true; @@ -170,7 +170,7 @@ else echo '
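Review bot: `esc_url_raw($url)` is the wrong escaper for a value embedded in another URL's query string: it leaves `&`, `?`, `=` and `#` intact, so a PDF URL that carries its own query string or fragment is cut by the Google viewer at the first `&` or `#` (its `url=` parameter ends there and `embedded=true` may be lost), and whatever survives is passed straight into `oer_get_embed_code_frame()`, whose escaping of the iframe `src` is not visible here. Percent-encode the parameter instead: `$pdf_url = 'https://docs.google.com/gview?url=' . rawurlencode($url) . '&embedded=true';`, then escape the whole URL at the point it is printed. The second hunk of this file and both gview hunks in single-resource-standard.php repeat the same concatenation. The `if ($isExternal)` branch begins before this hunk.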
  • '.wp_kses($subject,$allowed_tags).'
  • '; if (($i==2) && ($cnt>2)) - echo '
  • SEE '.$moreCnt.' MORE +
  • '; + echo '
  • SEE '.esc_html($moreCnt).' MORE +
  • '; $i++; } ?> @@ -201,7 +201,7 @@ else echo "
  • ".esc_html($curriculum['post_title'])."
  • "; if (($i==2) && ($cnt>2)) - echo '
  • SEE '.$moreCnt.' MORE +
  • '; + echo '
  • SEE '.esc_html($moreCnt).' MORE +
  • '; $i++; } ?> diff --git a/oer_template/single-resource-standard.php b/oer_template/single-resource-standard.php index f358a13..a8fcf7f 100644 --- a/oer_template/single-resource-standard.php +++ b/oer_template/single-resource-standard.php @@ -33,7 +33,7 @@ if ($isExternal) { $external_option = get_option("oer_external_pdf_viewer"); if ($external_option==1) { - $pdf_url = "https://docs.google.com/gview?url=".$url."&embedded=true"; + $pdf_url = "https://docs.google.com/gview?url=".esc_url_raw($url)."&embedded=true"; echo oer_get_embed_code_frame($pdf_url); } elseif($external_option==0) { $embed_disabled = true; @@ -45,7 +45,7 @@ $embed_disabled = true; break; case 1: - $pdf_url = "https://docs.google.com/gview?url=".$url."&embedded=true"; + $pdf_url = "https://docs.google.com/gview?url=".esc_url_raw($url)."&embedded=true"; echo oer_get_embed_code_frame($pdf_url); break; case 2: @@ -71,7 +71,7 @@ break; case 5: if(shortcode_exists('pdfviewer')){ - $embed_code = "[pdfviewer width='100%']".$url."[/pdfviewer]"; + $embed_code = "[pdfviewer width='100%']".esc_url_raw($url)."[/pdfviewer]"; echo do_shortcode($embed_code); } else { $embed_disabled = true; @@ -206,7 +206,7 @@ else echo '
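Review bot: `esc_url_raw()` in front of the `[pdfviewer]` shortcode content does not protect the shortcode parser, because it keeps `[` and `]` (they are legal in IPv6 URLs): a value like `http://host/a.pdf[/pdfviewer][other_shortcode]` passes unchanged and `do_shortcode()` then closes `pdfviewer` early and processes the injected tag. Whether this is reachable depends on who can set `$url`, which is assigned outside the hunk; if editors without `unfiltered_html` can, reject bracketed values before this point, e.g. `if (strpbrk($url, '[]') !== false) { $embed_disabled = true; break; }`. The two gview concatenations earlier in this file have the same query-string problem as single-resource-pdf.php and want `rawurlencode($url)` rather than `esc_url_raw($url)`. The enclosing `switch` opens and closes outside the hunk.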
  • '.wp_kses($subject,$allowed_tags).'
  • '; if (($i==2) && ($cnt>2)) - echo '
  • SEE '.$moreCnt.' MORE +
  • '; + echo '
  • SEE '.esc_html($moreCnt).' MORE +
  • '; $i++; } ?> @@ -237,7 +237,7 @@ else echo "
  • ".esc_html($curriculum['post_title'])."
  • "; if (($i==2) && ($cnt>2)) - echo '
  • SEE '.$moreCnt.' MORE +
  • '; + echo '
  • SEE '.esc_html($moreCnt).' MORE +
  • '; $i++; } ?> diff --git a/oer_template/single-resource-video.php b/oer_template/single-resource-video.php index ea01f57..1d0e9bf 100644 --- a/oer_template/single-resource-video.php +++ b/oer_template/single-resource-video.php @@ -114,7 +114,7 @@ ?>

    - +

      @@ -130,7 +130,7 @@ else echo '
    • '.wp_kses($subject,$allowed_tags).'
    • '; if (($i==2) && ($cnt>2)) - echo '
    • SEE '.$moreCnt.' MORE +
    • '; + echo '
    • SEE '.esc_html($moreCnt).' MORE +
    • '; $i++; } ?> @@ -161,7 +161,7 @@ else echo "
    • ".esc_html($curriculum['post_title'])."
    • "; if (($i==2) && ($cnt>2)) - echo '
    • SEE '.$moreCnt.' MORE +
    • '; + echo '
    • SEE '.esc_html($moreCnt).' MORE +
    • '; $i++; } ?> diff --git a/oer_template/single-resource-website.php b/oer_template/single-resource-website.php index 5d623c8..e31bbc5 100644 --- a/oer_template/single-resource-website.php +++ b/oer_template/single-resource-website.php @@ -121,7 +121,7 @@ else echo '
    • '.wp_kses($subject,$allowed_tags).'
    • '; if (($i==2) && ($cnt>2)) - echo '
    • SEE '.$moreCnt.' MORE +
    • '; + echo '
    • SEE '.esc_html($moreCnt).' MORE +
    • '; $i++; } ?> @@ -152,7 +152,7 @@ else echo "
    • ".esc_html($curriculum['post_title'])."
    • "; if (($i==2) && ($cnt>2)) - echo '
    • SEE '.$moreCnt.' MORE +
    • '; + echo '
    • SEE '.esc_html($moreCnt).' MORE +
    • '; $i++; } ?> diff --git a/oer_template/single-resource-youtube.php b/oer_template/single-resource-youtube.php index 5cbecc1..b19a672 100644 --- a/oer_template/single-resource-youtube.php +++ b/oer_template/single-resource-youtube.php @@ -142,7 +142,7 @@ else echo '
    • '.wp_kses($subject,$allowed_tags).'
    • '; if (($i==2) && ($cnt>2)) - echo '
    • SEE '.$moreCnt.' MORE +
    • '; + echo '
    • SEE '.esc_html($moreCnt).' MORE +
    • '; $i++; } ?> @@ -173,7 +173,7 @@ else echo "
    • ".esc_html($curriculum['post_title'])."
    • "; if (($i==2) && ($cnt>2)) - echo '
    • SEE '.$moreCnt.' MORE +
    • '; + echo '
    • SEE '.esc_html($moreCnt).' MORE +
    • '; $i++; } ?> diff --git a/open-educational-resources.php b/open-educational-resources.php index 1b69e50..09d92e8 100644 --- a/open-educational-resources.php +++ b/open-educational-resources.php @@ -1241,7 +1241,7 @@ function oer_setup_settings_field( $arguments ) { $size = 'size="50"'; if (isset($arguments['title'])) $title = $arguments['title']; - echo ''; + echo ''; break; case "checkbox": $display_value = ""; @@ -1266,7 +1266,7 @@ function oer_setup_settings_field( $arguments ) { $disabled = " disabled"; } - echo ''; + echo ''; break; case "select": if (isset($arguments['name'])) @@ -1303,7 +1303,7 @@ function oer_setup_settings_field( $arguments ) { default: break; } - echo ''; + echo ''; } echo ''; + echo ''; } /** Initialize Subject Area Sidebar widget **/ @@ -1377,8 +1377,8 @@ function oer_load_more_resources() { $root_path = oer_get_root_path(); if (isset($_POST["post_var"])) { - $page_num = intval($_POST["post_var"]); - $terms = json_decode($_POST["subjects"]); + $page_num = intval(sanitize_text_field($_POST["post_var"])); + $terms = json_decode(sanitize_text_field($_POST["subjects"])); if (is_array($terms)){ $terms = array_map("oer_sanitize_subject", $terms); @@ -1473,9 +1473,9 @@ function oer_sort_resources(){ if (isset($_POST["sort"])) { - $oer_session['resource_sort'] = intval($_POST['sort']); + $oer_session['resource_sort'] = intval(sanitize_text_field($_POST['sort'])); - $terms = json_decode($_POST["subjects"]); + $terms = json_decode(sanitize_text_field($_POST["subjects"])); if (is_array($terms)){ $terms = array_map("oer_sanitize_subject",$terms); @@ -1505,7 +1505,7 @@ function oer_sort_resources(){ $paged = 1; if ($_POST['post_var']){ - $paged = intval($_POST['post_var']); + $paged = intval(sanitize_text_field($_POST['post_var'])); } if ($_REQUEST['page']) 
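Review bot: `json_decode(sanitize_text_field($_POST["subjects"]))` runs a plain-text sanitizer over a JSON document before it is parsed: `sanitize_text_field()` strips anything tag-like, deletes `%xx` octet sequences and collapses line breaks, so a subject name containing `<`, `%` or a newline comes back altered or as invalid JSON that decodes to `null`, while the `array_map("oer_sanitize_subject", $terms)` that already follows is the right place for per-item cleaning. Decode the unslashed raw value and leave the sanitizing to that map: `$terms = json_decode(wp_unslash($_POST["subjects"]));`. `intval(sanitize_text_field($_POST["post_var"]))` is redundant — `intval()` already reduces the input to an integer — and both patterns recur in the `oer_sort_resources()` hunks that follow. `oer_load_more_resources()` continues past the hunk, so any `check_ajax_referer()` guarding these reads is out of view.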
@@ -1597,9 +1597,9 @@ function oer_load_more_highlights() { global $wpdb, $wp_query; if (isset($_POST["post_var"])) { - $page_num = intval(["post_var"]); + $page_num = intval(sanitize_text_field(["post_var"])); $items_per_load = 4; - $term_id = intval($_POST['term_id']); + $term_id = intval(sanitize_text_field($_POST['term_id'])); $args = array( 'meta_key' => 'oer_highlight', @@ -1633,7 +1633,7 @@ function oer_load_more_highlights() { if (isset($_POST['style'])) $style = ' style="'.esc_attr($_POST['style']).'"'; ?> - > + >
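Review bot: `intval(sanitize_text_field(["post_var"]))` still reads an array literal rather than the request — `["post_var"]` is a one-element array and the `$_POST` lookup is missing, even though the `isset($_POST["post_var"])` on the line above was clearly meant to guard it. Before this change `intval(["post_var"])` quietly evaluated to 1; now `sanitize_text_field()` receives the array, casts it to the string `"Array"` with an array-to-string warning, and `intval("Array")` is 0, so `$page_num` is 0 on every call whatever the client sent. The line should be `$page_num = intval($_POST["post_var"]);` (or `absint()` to keep negatives out). `oer_load_highlight()` later in this file has the identical `["post_var"]` literal, and the `$args` array and the rest of `oer_load_more_highlights()` continue past the hunk.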
      <?php echo esc_html($title);?>
      -
      +
      @@ -1660,7 +1660,7 @@ function oer_load_highlight() { global $wpdb, $wp_query; if (isset($_POST["post_var"])) { - $resource_id = intval(["post_var"]); + $resource_id = intval(sanitize_text_field(["post_var"])); $args = array( 'p' => $resource_id, @@ -1702,8 +1702,8 @@ function oer_load_highlight() { } $new_image_url = oer_resize_image( $image, 220, 180, true ); ?> -
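Review bot: `$resource_id = intval(sanitize_text_field(["post_var"]))` never reads `$_POST` — `["post_var"]` is an array literal — so `$resource_id` is now 0 (the array is stringified to `"Array"`, with a warning, and `intval` of that is 0), and the `'p' => $resource_id` that follows asks WP_Query for post 0, which it treats as no ID filter at all, so the query falls back to whatever the other arguments match instead of the requested highlight. Use `$resource_id = absint($_POST["post_var"]);` and return an empty response when it is 0. Before the change `intval(["post_var"])` was 1, so this endpoint already ignored its input; the fix is the missing `$_POST`, not the sanitizer. The `$args` array and the rest of `oer_load_highlight()` lie outside the hunk.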
      <?php echo $title;?>
      -
      +
      <?php echo esc_html($title);?>
      +
    '. $category->name .''; + echo '
  • '. esc_html($category->name) .''; } else { - echo '
  • '. $category->name .''; + echo '
  • '. esc_html($category->name) .''; } echo oer_get_category_child( $category->term_id, $rsltdata['term_id']); From bece93662f8dcd10763d3626c2e50cbe6526cf6a Mon Sep 17 00:00:00 2001 From: John Paul Balagolan Date: Wed, 15 Jun 2022 21:40:29 +0800 Subject: [PATCH 2/2] WP-268 bump plugin version to 0.9.0 --- open-educational-resources.php | 4 ++-- readme.txt | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/open-educational-resources.php b/open-educational-resources.php index 09d92e8..6e4e32a 100644 --- a/open-educational-resources.php +++ b/open-educational-resources.php @@ -3,7 +3,7 @@ Plugin Name: WP OER Plugin URI: https://www.wp-oer.com Description: Open Educational Resource management and curation, metadata publishing, and alignment to Common Core State Standards. - Version: 0.8.9 + Version: 0.9.0 Requires at least: 4.4 Requires PHP: 7.0 Author: Navigation North @@ -38,7 +38,7 @@ // Plugin Name and Version define( 'OER_PLUGIN_NAME', 'WP OER Plugin' ); define( 'OER_ADMIN_PLUGIN_NAME', 'WP OER Plugin'); -define( 'OER_VERSION', '0.8.9' ); +define( 'OER_VERSION', '0.9.0' ); define( 'OER_SITE_PATH', ABSPATH ); include_once(OER_PATH.'includes/oer-functions.php'); diff --git a/readme.txt b/readme.txt index 73b1672..6c1e97c 100644 --- a/readme.txt +++ b/readme.txt @@ -4,7 +4,7 @@ Tags: OER, Open Educational Resources, Education, Teaching, Learning Requires at least: 4.4 Tested up to: 6.0 Requires PHP: 7.0 -Stable tag: 0.8.9 +Stable tag: 0.9.0 License: GPLv3 License URI: https://www.gnu.org/licenses/gpl-3.0.html @@ -41,6 +41,9 @@ No frequently asked questions. 3. Display educational resources on your WordPress website! == Changelog == += 0.9.0 = +* Implement further sanitizing of input and escaping of displayed data + = 0.8.9 = * Upgrade Bootstrap library to 5.1.3 * Applied proper sanitizing of server variables when saving resources and subject areas