From ee9dc3307fbe299894fced9ede6f6c13c3cfb7d7 Mon Sep 17 00:00:00 2001
From: reedyseth
Date: Sun, 11 Feb 2018 23:26:18 -0700
Subject: [PATCH] Improve data validation.

* Improve data validation to have a better and sanitize information save and read.
---
 .../options/index.php | 26 +++++++++++++------
 .../options/panel2.php | 12 ++++-----
 .../options/panel3.php | 14 +++++-----
 .../options/panel4.php | 16 ++++++------
 4 files changed, 39 insertions(+), 29 deletions(-)

diff --git a/subscribe-to-comments-reloaded/options/index.php b/subscribe-to-comments-reloaded/options/index.php
index 2a74ef5..30dc1e4 100755
--- a/subscribe-to-comments-reloaded/options/index.php
+++ b/subscribe-to-comments-reloaded/options/index.php
@@ -12,28 +12,38 @@ function subscribe_reloaded_update_option( $_option = '', $_value = '', $_type =
 // Prevent XSS/CSRF attacks
 $_value = stripslashes( $_value );
- $_value = esc_attr( $_value ); // esc_attr Will encode all the text.
 switch ( $_type ) {
 case 'yesno':
 if ( $_value == 'yes' || $_value == 'no' ) {
- update_option( 'subscribe_reloaded_' . $_option, $_value );
+ update_option( 'subscribe_reloaded_' . $_option, esc_attr( $_value ) );
 
 return true;
 }
 break;
 case 'integer':
- update_option( 'subscribe_reloaded_' . $_option, abs( intval( $_value ) ) );
+ update_option( 'subscribe_reloaded_' . $_option, abs( intval( esc_attr( $_value ) ) ) );
 
 return true;
 break;
- case 'text-html-encode':
- update_option( 'subscribe_reloaded_' . $_option, htmlentities( $_value, ENT_QUOTES, 'UTF-8' ) );
+ case 'text':
+ update_option( 'subscribe_reloaded_' . $_option, sanitize_text_field( $_value ) );
 
- return true;
- break;
+ return true;
+ case 'text-html':
+ update_option( 'subscribe_reloaded_' . $_option, esc_html( $_value ) );
+
+ return true;
+ case 'email':
+ update_option( 'subscribe_reloaded_' . $_option, sanitize_email( esc_attr( $_value ) ) );
+
+ return true;
+ case 'url':
+ update_option( 'subscribe_reloaded_' . $_option, esc_url( $_value ) );
+
+ return true;
 default:
- update_option( 'subscribe_reloaded_' . $_option, $_value );
+ update_option( 'subscribe_reloaded_' . $_option, esc_attr( $_value ) );
 
 return true;
 break;

diff --git a/subscribe-to-comments-reloaded/options/panel2.php b/subscribe-to-comments-reloaded/options/panel2.php
index 7849071..1c57c39 100755
--- a/subscribe-to-comments-reloaded/options/panel2.php
+++ b/subscribe-to-comments-reloaded/options/panel2.php
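Review bot: The new `text-html` case stores `esc_html( $_value )`, but esc_html() is an output-escaping function that entity-encodes `<`, `>`, `&` and both quote characters, so options meant to hold markup — this commit routes `checkbox_html`, `custom_header_meta` and the notification/management email bodies to `text-html` in the panel2.php, panel3.php and panel4.php hunks — are saved as encoded text and, if they are escaped again where rendered, double-encoded. For admin-supplied HTML the storage-time step is an allow-list sanitizer, e.g. `update_option( 'subscribe_reloaded_' . $_option, wp_kses_post( $_value ) );`, with escaping left to the output site. The `email` and `url` cases return true unconditionally even though sanitize_email() and esc_url() hand back an empty string for input they reject, so the callers' `$faulty_fields` message never fires and an empty sender address or management URL is stored silently; validating first, `$_value = sanitize_email( $_value ); if ( ! is_email( $_value ) ) { return false; }`, and using esc_url_raw() rather than esc_url() for a value written to the database, closes that gap. Wrapping the arguments of intval() and sanitize_email() in esc_attr() gains nothing and can mangle an address (an apostrophe, legal in a local part, becomes `&#039;` before sanitize_email() sees it), and the "Prevent XSS/CSRF attacks" comment describes escaping only — any nonce check, like the rest of the function, lies outside this hunk.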
@@ -23,23 +23,23 @@
 if ( isset( $_POST['options']['default_subscription_type'] ) && ! subscribe_reloaded_update_option( 'default_subscription_type', $_POST['options']['default_subscription_type'], 'integer' ) ) {
 $faulty_fields = __( 'Advanced subscription', 'subscribe-reloaded' ) . ', ';
 }
- if ( isset( $_POST['options']['checkbox_inline_style'] ) && ! subscribe_reloaded_update_option( 'checkbox_inline_style', $_POST['options']['checkbox_inline_style'], 'text-no-encode' ) ) {
+ if ( isset( $_POST['options']['checkbox_inline_style'] ) && ! subscribe_reloaded_update_option( 'checkbox_inline_style', $_POST['options']['checkbox_inline_style'], 'text-html' ) ) {
 $faulty_fields = __( 'Custom inline style', 'subscribe-reloaded' ) . ', ';
 }
- if ( isset( $_POST['options']['checkbox_html'] ) && ! subscribe_reloaded_update_option( 'checkbox_html', $_POST['options']['checkbox_html'], 'text-no-encode' ) ) {
+ if ( isset( $_POST['options']['checkbox_html'] ) && ! subscribe_reloaded_update_option( 'checkbox_html', $_POST['options']['checkbox_html'], 'text-html' ) ) {
 $faulty_fields = __( 'Custom HTML', 'subscribe-reloaded' ) . ', ';
 }
 // default_subscription_type
- if ( isset( $_POST['options']['checkbox_label'] ) && ! subscribe_reloaded_update_option( 'checkbox_label', $_POST['options']['checkbox_label'], 'text-no-encode' ) ) {
+ if ( isset( $_POST['options']['checkbox_label'] ) && ! subscribe_reloaded_update_option( 'checkbox_label', $_POST['options']['checkbox_label'], 'text-html' ) ) {
 $faulty_fields = __( 'Checkbox label', 'subscribe-reloaded' ) . ', ';
 }
- if ( isset( $_POST['options']['subscribed_label'] ) && ! subscribe_reloaded_update_option( 'subscribed_label', $_POST['options']['subscribed_label'], 'text-no-encode' ) ) {
+ if ( isset( $_POST['options']['subscribed_label'] ) && ! subscribe_reloaded_update_option( 'subscribed_label', $_POST['options']['subscribed_label'], 'text-html' ) ) {
 $faulty_fields = __( 'Subscribed label', 'subscribe-reloaded' ) . ', ';
 }
- if ( isset( $_POST['options']['subscribed_waiting_label'] ) && ! subscribe_reloaded_update_option( 'subscribed_waiting_label', $_POST['options']['subscribed_waiting_label'], 'text-no-encode' ) ) {
+ if ( isset( $_POST['options']['subscribed_waiting_label'] ) && ! subscribe_reloaded_update_option( 'subscribed_waiting_label', $_POST['options']['subscribed_waiting_label'], 'text-html' ) ) {
 $faulty_fields = __( 'Awaiting label', 'subscribe-reloaded' ) . ', ';
 }
- if ( isset( $_POST['options']['author_label'] ) && ! subscribe_reloaded_update_option( 'author_label', $_POST['options']['author_label'], 'text-no-encode' ) ) {
+ if ( isset( $_POST['options']['author_label'] ) && ! subscribe_reloaded_update_option( 'author_label', $_POST['options']['author_label'], 'text-html' ) ) {
 $faulty_fields = __( 'Author label', 'subscribe-reloaded' ) . ', ';
 }

diff --git a/subscribe-to-comments-reloaded/options/panel3.php b/subscribe-to-comments-reloaded/options/panel3.php
index 22a16dd..db9e35e 100755
--- a/subscribe-to-comments-reloaded/options/panel3.php
+++ b/subscribe-to-comments-reloaded/options/panel3.php
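Review bot: `checkbox_inline_style` is a CSS value, and typing it `text-html` sends it through esc_html(), which entity-encodes quotes and `>` — a `font-family: "Open Sans"` declaration or an `a > b` selector no longer parses once stored — while not being the right check for a value that is presumably emitted inside a style attribute or a `<style>` block. A dedicated type, e.g. `wp_strip_all_tags( $_value )`, would keep the CSS intact and still block tags. The markup-encoding concern for `checkbox_html` and the label fields in this hunk is the one raised on the index.php hunk.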
@@ -18,38 +18,38 @@
 $faulty_fields = __( 'Page title', 'subscribe-reloaded' ) . ', ';
 }
 if ( isset( $_POST['options']['manager_page'] )
- && ! subscribe_reloaded_update_option( 'manager_page', $_POST['options']['manager_page'], 'text-no-encode' )
+ && ! subscribe_reloaded_update_option( 'manager_page', $_POST['options']['manager_page'], 'url' )
 ) {
 $faulty_fields = __( 'Management URL', 'subscribe-reloaded' ) . ', ';
 }
 if ( isset( $_POST['options']['custom_header_meta'] )
- && ! subscribe_reloaded_update_option( 'custom_header_meta', $_POST['options']['custom_header_meta'], 'text-no-encode' )
+ && ! subscribe_reloaded_update_option( 'custom_header_meta', $_POST['options']['custom_header_meta'], 'text-html' )
 ) {
 $faulty_fields = __( 'Custom HEAD meta', 'subscribe-reloaded' ) . ', ';
 }
 if ( isset( $_POST['options']['request_mgmt_link'] )
- && ! subscribe_reloaded_update_option( 'request_mgmt_link', $_POST['options']['request_mgmt_link'], 'text' )
+ && ! subscribe_reloaded_update_option( 'request_mgmt_link', $_POST['options']['request_mgmt_link'], 'text-html' )
 ) {
 $faulty_fields = __( 'Request link', 'subscribe-reloaded' ) . ', ';
 }
 if ( isset( $_POST['options']['request_mgmt_link_thankyou'] )
- && ! subscribe_reloaded_update_option( 'request_mgmt_link_thankyou', $_POST['options']['request_mgmt_link_thankyou'], 'text' )
+ && ! subscribe_reloaded_update_option( 'request_mgmt_link_thankyou', $_POST['options']['request_mgmt_link_thankyou'], 'text-html' )
 ) {
 $faulty_fields = __( 'Request submitted', 'subscribe-reloaded' ) . ', ';
 }
 if ( isset( $_POST['options']['subscribe_without_commenting'] )
- && ! subscribe_reloaded_update_option( 'subscribe_without_commenting', $_POST['options']['subscribe_without_commenting'], 'text' )
+ && ! subscribe_reloaded_update_option( 'subscribe_without_commenting', $_POST['options']['subscribe_without_commenting'], 'text-html' )
 ) {
 $faulty_fields = __( 'Subscribe without commenting', 'subscribe-reloaded' ) . ', ';
 }
 if ( isset( $_POST['options']['subscription_confirmed'] )
- && ! subscribe_reloaded_update_option( 'subscription_confirmed', $_POST['options']['subscription_confirmed'], 'text' )
+ && ! subscribe_reloaded_update_option( 'subscription_confirmed', $_POST['options']['subscription_confirmed'], 'text-html' )
 ) {
 $faulty_fields = __( 'Subscription processed', 'subscribe-reloaded' ) . ', ';
 }
 if ( isset( $_POST['options']['subscription_confirmed_dci'] )
- && ! subscribe_reloaded_update_option( 'subscription_confirmed_dci', $_POST['options']['subscription_confirmed_dci'], 'text' )
+ && ! subscribe_reloaded_update_option( 'subscription_confirmed_dci', $_POST['options']['subscription_confirmed_dci'], 'text-html' )
 ) {
 $faulty_fields = __( 'Subscription processed (DCI)', 'subscribe-reloaded' ) . ', ';
 }

diff --git a/subscribe-to-comments-reloaded/options/panel4.php b/subscribe-to-comments-reloaded/options/panel4.php
index 315f05f..f023cb1 100755
--- a/subscribe-to-comments-reloaded/options/panel4.php
+++ b/subscribe-to-comments-reloaded/options/panel4.php
@@ -15,12 +15,12 @@
 $faulty_fields = __( 'Sender name', 'subscribe-reloaded' ) . ', ';
 }
 if ( isset( $_POST['options']['from_email'] ) &&
- ! subscribe_reloaded_update_option( 'from_email', $_POST['options']['from_email'], 'text' )
+ ! subscribe_reloaded_update_option( 'from_email', $_POST['options']['from_email'], 'email' )
 ) {
 $faulty_fields = __( 'Sender email address', 'subscribe-reloaded' ) . ', ';
 }
 if ( isset( $_POST['options']['reply_to'] ) &&
- ! subscribe_reloaded_update_option( 'reply_to', $_POST['options']['reply_to'], 'text' )
+ ! subscribe_reloaded_update_option( 'reply_to', $_POST['options']['reply_to'], 'email' )
 ) {
 $faulty_fields = __( 'Sender email address', 'subscribe-reloaded' ) . ', ';
 }
@@ -31,13 +31,13 @@
 }
 if ( isset( $_POST['options']['notification_content'] ) &&
 trim( $_POST['options']['notification_content'] ) == false &&
- ! subscribe_reloaded_update_option( 'notification_content', "
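Review bot: Typing `manager_page` as `url` means the value passes through esc_url(), which prefixes `http://` to any input that carries no scheme and does not start with `/`, `#` or `?`, so if an administrator enters a page slug or a site-relative path as the management URL — the field is labelled 'Management URL', but the hunk does not show what the plugin expects here — the stored value becomes a broken absolute URL instead of being rejected. If a full URL is required, a check such as `if ( ! filter_var( $_value, FILTER_VALIDATE_URL ) ) { return false; }` in the `url` case surfaces the problem through `$faulty_fields`; if relative paths are allowed, esc_url_raw() together with an explicit leading-`/` check is the safer storage form. `custom_header_meta` is raw `<head>` markup and shares the esc_html() encoding problem raised on the index.php hunk.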

There is a new comment on [post_title].


Comment link: [comment_permalink] 
Author: [comment_author]

Comment:
[comment_content]

Permalink: [post_permalink]
Manage your subscriptions | One click unsubscribe
", 'text-no-encode' ) + ! subscribe_reloaded_update_option( 'notification_content', "

There is a new comment on [post_title].


Comment link: [comment_permalink] 
Author: [comment_author]

Comment:
[comment_content]

Permalink: [post_permalink]
Manage your subscriptions | One click unsubscribe
", 'text-html' ) ) { $faulty_fields = __( 'Notification message', 'subscribe-reloaded' ) . ', '; } if ( isset( $_POST['options']['notification_content'] ) && trim( $_POST['options']['notification_content'] ) && - ! subscribe_reloaded_update_option( 'notification_content', $_POST['options']['notification_content'], 'text-no-encode' ) + ! subscribe_reloaded_update_option( 'notification_content', $_POST['options']['notification_content'], 'text-html' ) ) { $faulty_fields = __( 'Notification message', 'subscribe-reloaded' ) . ', '; } @@ -47,7 +47,7 @@ $faulty_fields = __( 'Double check subject', 'subscribe-reloaded' ) . ', '; } if ( isset( $_POST['options']['double_check_content'] ) && - ! subscribe_reloaded_update_option( 'double_check_content', $_POST['options']['double_check_content'], 'text' ) + ! subscribe_reloaded_update_option( 'double_check_content', $_POST['options']['double_check_content'], 'text-html' ) ) { $faulty_fields = __( 'Double check message', 'subscribe-reloaded' ) . ', '; } 
@@ -57,17 +57,17 @@
 $faulty_fields = __( 'Management subject', 'subscribe-reloaded' ) . ', ';
 }
 if ( isset( $_POST['options']['management_content'] ) &&
- ! subscribe_reloaded_update_option( 'management_content', $_POST['options']['management_content'], 'text' )
+ ! subscribe_reloaded_update_option( 'management_content', $_POST['options']['management_content'], 'text-html' )
 ) {
 $faulty_fields = __( 'Management message', 'subscribe-reloaded' ) . ', ';
 }
 if ( isset( $_POST['options']['oneclick_text'] ) &&
- ! subscribe_reloaded_update_option( 'oneclick_text', $_POST['options']['oneclick_text'], 'text' )
+ ! subscribe_reloaded_update_option( 'oneclick_text', $_POST['options']['oneclick_text'], 'text-html' )
 ) {
 $faulty_fields = __( 'Management message', 'subscribe-reloaded' ) . ', ';
 }
 if ( isset( $_POST['options']['management_email_content'] ) &&
- ! subscribe_reloaded_update_option( 'management_email_content', $_POST['options']['management_email_content'], 'text' )
+ ! subscribe_reloaded_update_option( 'management_email_content', $_POST['options']['management_email_content'], 'text-html' )
 ) {
 $faulty_fields = __( 'Management Email message', 'subscribe-reloaded' ) . ', ';
 }