Skip to content

Commit d60fce9

Browse files
selulselul
authored
release: fixes
* Harden security by enforcing unescaped urls.
2 parents 207f4d4 + 53702dc commit d60fce9

File tree

8 files changed

+122
-95
lines changed

8 files changed

+122
-95
lines changed

classes/Visualizer/Module/Admin.php

Lines changed: 23 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -365,7 +365,7 @@ public function setupMediaViewStrings( $strings ) {
365365
'types' => array_keys( $chart_types ),
366366
),
367367
'nonce' => wp_create_nonce(),
368-
'buildurl' => add_query_arg( 'action', Visualizer_Plugin::ACTION_CREATE_CHART, admin_url( 'admin-ajax.php' ) ),
368+
'buildurl' => esc_url( add_query_arg( 'action', Visualizer_Plugin::ACTION_CREATE_CHART, admin_url( 'admin-ajax.php' ) ) ),
369369
);
370370

371371
return $strings;
@@ -988,24 +988,28 @@ public function renderLibraryPage() {
988988
'map_api_key' => get_option( 'visualizer-map-api-key' ),
989989
'charts' => $charts,
990990
'urls' => array(
991-
'base' => add_query_arg( array( 'vpage' => false, 'vaction' => false ) ),
992-
'create' => add_query_arg(
993-
array(
994-
'action' => Visualizer_Plugin::ACTION_CREATE_CHART,
995-
'library' => 'yes',
996-
'type' => isset( $_GET['type'] ) ? $_GET['type'] : '',
997-
'chart-library' => isset( $_GET['chart-library'] ) ? $_GET['chart-library'] : '',
998-
'vaction' => false,
999-
),
1000-
$ajaxurl
991+
'base' => esc_url( add_query_arg( array( 'vpage' => false, 'vaction' => false ) ) ),
992+
'create' => esc_url(
993+
add_query_arg(
994+
array(
995+
'action' => Visualizer_Plugin::ACTION_CREATE_CHART,
996+
'library' => 'yes',
997+
'type' => isset( $_GET['type'] ) ? $_GET['type'] : '',
998+
'chart-library' => isset( $_GET['chart-library'] ) ? $_GET['chart-library'] : '',
999+
'vaction' => false,
1000+
),
1001+
$ajaxurl
1002+
)
10011003
),
1002-
'edit' => add_query_arg(
1003-
array(
1004-
'action' => Visualizer_Plugin::ACTION_EDIT_CHART,
1005-
'library' => 'yes',
1006-
'vaction' => false,
1007-
),
1008-
$ajaxurl
1004+
'edit' => esc_url(
1005+
add_query_arg(
1006+
array(
1007+
'action' => Visualizer_Plugin::ACTION_EDIT_CHART,
1008+
'library' => 'yes',
1009+
'vaction' => false,
1010+
),
1011+
$ajaxurl
1012+
)
10091013
),
10101014
),
10111015
'page_type' => 'library',
@@ -1024,7 +1028,7 @@ public function renderLibraryPage() {
10241028
$render->custom_css = $css;
10251029
$render->pagination = paginate_links(
10261030
array(
1027-
'base' => add_query_arg( array( 'vpage' => '%#%', 'vaction' => false ) ),
1031+
'base' => esc_url( add_query_arg( array( 'vpage' => '%#%', 'vaction' => false ) ) ),
10281032
'format' => '',
10291033
'current' => $page,
10301034
'total' => $query->max_num_pages,

classes/Visualizer/Module/Chart.php

Lines changed: 11 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -526,7 +526,7 @@ public function renderChartPages() {
526526
);
527527
do_action( 'visualizer_pro_new_chart_defaults', $chart_id );
528528
}
529-
wp_redirect( add_query_arg( 'chart', (int) $chart_id ) );
529+
wp_redirect( esc_url_raw( add_query_arg( 'chart', (int) $chart_id ) ) );
530530

531531
if ( defined( 'WP_TESTS_DOMAIN' ) ) {
532532
wp_die();
@@ -891,7 +891,7 @@ private function _handleTypesPage() {
891891

892892
// redirect to next tab
893893
// changed by Ash/Upwork
894-
wp_redirect( add_query_arg( 'tab', 'settings' ) );
894+
wp_redirect( esc_url_raw( add_query_arg( 'tab', 'settings' ) ) );
895895

896896
return;
897897
}
@@ -1226,13 +1226,15 @@ public function cloneChart() {
12261226
add_post_meta( $new_chart_id, $key, maybe_unserialize( $value[0] ) );
12271227
}
12281228
}
1229-
$redirect = add_query_arg(
1230-
array(
1231-
'page' => 'visualizer',
1232-
'type' => filter_input( INPUT_GET, 'type' ),
1233-
'vaction' => false,
1234-
),
1235-
admin_url( 'admin.php' )
1229+
$redirect = esc_url(
1230+
add_query_arg(
1231+
array(
1232+
'page' => 'visualizer',
1233+
'type' => filter_input( INPUT_GET, 'type' ),
1234+
'vaction' => false,
1235+
),
1236+
admin_url( 'admin.php' )
1237+
)
12361238
);
12371239
}
12381240
}

classes/Visualizer/Module/Setup.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -251,7 +251,7 @@ public function adminInit() {
251251
delete_option( 'visualizer-activated' );
252252
if ( ! headers_sent() ) {
253253
$page_name = Visualizer_Module::numberOfCharts() > 0 ? Visualizer_Plugin::NAME : 'viz-support';
254-
wp_redirect( add_query_arg( 'page', $page_name, admin_url( 'admin.php' ) ) );
254+
wp_redirect( esc_url_raw( add_query_arg( 'page', $page_name, admin_url( 'admin.php' ) ) ) );
255255
exit();
256256
}
257257
}

classes/Visualizer/Render/Layout.php

Lines changed: 53 additions & 41 deletions
Original file line numberDiff line numberDiff line change
@@ -128,13 +128,15 @@ public static function _renderDbWizardResults( $args ) {
128128
*/
129129
public static function _renderJsonScreen( $args ) {
130130
$id = $args[1];
131-
$action = add_query_arg(
132-
array(
133-
'action' => Visualizer_Plugin::ACTION_JSON_SET_DATA,
134-
'security' => wp_create_nonce( Visualizer_Plugin::ACTION_JSON_SET_DATA . Visualizer_Plugin::VERSION ),
135-
'chart' => $id,
136-
),
137-
admin_url( 'admin-ajax.php' )
131+
$action = esc_url(
132+
add_query_arg(
133+
array(
134+
'action' => Visualizer_Plugin::ACTION_JSON_SET_DATA,
135+
'security' => wp_create_nonce( Visualizer_Plugin::ACTION_JSON_SET_DATA . Visualizer_Plugin::VERSION ),
136+
'chart' => $id,
137+
),
138+
admin_url( 'admin-ajax.php' )
139+
)
138140
);
139141

140142
$url = get_post_meta( $id, Visualizer_Plugin::CF_JSON_URL, true );
@@ -306,13 +308,15 @@ class="visualizer-input json-form-element">
306308
*/
307309
public static function _renderSimpleEditorScreen( $args ) {
308310
$chart_id = $args[1];
309-
$action = add_query_arg(
310-
array(
311-
'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
312-
'nonce' => wp_create_nonce(),
313-
'chart' => $chart_id,
314-
),
315-
admin_url( 'admin-ajax.php' )
311+
$action = esc_url(
312+
add_query_arg(
313+
array(
314+
'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
315+
'nonce' => wp_create_nonce(),
316+
'chart' => $chart_id,
317+
),
318+
admin_url( 'admin-ajax.php' )
319+
)
316320
);
317321
?>
318322
<div class="viz-simple-editor">
@@ -582,13 +586,13 @@ public static function _renderTabAdvanced( $args ) {
582586
<li class="viz-group open" id="vz-chart-settings">
583587
<ul class="viz-group-content">
584588
<ul class="viz-group-wrapper">
585-
<form id="settings-form" action="<?php echo add_query_arg( 'nonce', wp_create_nonce() ); ?>" method="post">
589+
<form id="settings-form" action="<?php echo esc_url( add_query_arg( 'nonce', wp_create_nonce() ) ); ?>" method="post">
586590
<input type="hidden" id="chart-img" name="chart-img">
587591
<?php echo $sidebar; ?>
588592
<?php self::_renderPermissions( $args ); ?>
589593
<input type="hidden" name="save" value="1">
590594
</form>
591-
<form id="cancel-form" action="<?php echo add_query_arg( 'nonce', wp_create_nonce() ); ?>" method="post">
595+
<form id="cancel-form" action="<?php echo esc_url( add_query_arg( 'nonce', wp_create_nonce() ) ); ?>" method="post">
592596
<input type="hidden" name="cancel" value="1">
593597
</form>
594598
</ul>
@@ -654,13 +658,15 @@ public static function _renderTabHelp( $args ) {
654658
public static function _renderTabBasic( $args ) {
655659
$chart_id = $args[1];
656660

657-
$upload_link = add_query_arg(
658-
array(
659-
'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
660-
'nonce' => wp_create_nonce(),
661-
'chart' => $chart_id,
662-
),
663-
admin_url( 'admin-ajax.php' )
661+
$upload_link = esc_url(
662+
add_query_arg(
663+
array(
664+
'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
665+
'nonce' => wp_create_nonce(),
666+
'chart' => $chart_id,
667+
),
668+
admin_url( 'admin-ajax.php' )
669+
)
664670
);
665671

666672
// this will allow us to open the correct source tab by default.
@@ -815,12 +821,14 @@ class="dashicons dashicons-lock"></span></h2>
815821
<form>
816822
<select name="vz-import-from-chart" id="chart-id" class="visualizer-select">
817823
<?php
818-
$fetch_link = add_query_arg(
819-
array(
820-
'action' => Visualizer_Module::is_pro() ? Visualizer_Pro::ACTION_FETCH_DATA : '',
821-
'nonce' => wp_create_nonce(),
822-
),
823-
admin_url( 'admin-ajax.php' )
824+
$fetch_link = esc_url(
825+
add_query_arg(
826+
array(
827+
'action' => Visualizer_Module::is_pro() ? Visualizer_Pro::ACTION_FETCH_DATA : '',
828+
'nonce' => wp_create_nonce(),
829+
),
830+
admin_url( 'admin-ajax.php' )
831+
)
824832
);
825833
$query_args_charts = array(
826834
'post_type' => Visualizer_Plugin::CPT_VISUALIZER,
@@ -862,12 +870,14 @@ class="dashicons dashicons-lock"></span></h2>
862870
</li>
863871

864872
<?php
865-
$save_filter = add_query_arg(
866-
array(
867-
'action' => Visualizer_Plugin::ACTION_SAVE_FILTER_QUERY,
868-
'security' => wp_create_nonce( Visualizer_Plugin::ACTION_SAVE_FILTER_QUERY . Visualizer_Plugin::VERSION ),
869-
'chart' => $chart_id,
870-
), admin_url( 'admin-ajax.php' )
873+
$save_filter = esc_url(
874+
add_query_arg(
875+
array(
876+
'action' => Visualizer_Plugin::ACTION_SAVE_FILTER_QUERY,
877+
'security' => wp_create_nonce( Visualizer_Plugin::ACTION_SAVE_FILTER_QUERY . Visualizer_Plugin::VERSION ),
878+
'chart' => $chart_id,
879+
), admin_url( 'admin-ajax.php' )
880+
)
871881
);
872882
?>
873883
<!-- import from WordPress -->
@@ -911,12 +921,14 @@ class="dashicons dashicons-lock"></span></h2>
911921
</li>
912922

913923
<?php
914-
$save_query = add_query_arg(
915-
array(
916-
'action' => Visualizer_Plugin::ACTION_SAVE_DB_QUERY,
917-
'security' => wp_create_nonce( Visualizer_Plugin::ACTION_SAVE_DB_QUERY . Visualizer_Plugin::VERSION ),
918-
'chart' => $chart_id,
919-
), admin_url( 'admin-ajax.php' )
924+
$save_query = esc_url(
925+
add_query_arg(
926+
array(
927+
'action' => Visualizer_Plugin::ACTION_SAVE_DB_QUERY,
928+
'security' => wp_create_nonce( Visualizer_Plugin::ACTION_SAVE_DB_QUERY . Visualizer_Plugin::VERSION ),
929+
'chart' => $chart_id,
930+
), admin_url( 'admin-ajax.php' )
931+
)
920932
);
921933
?>
922934
<!-- import from db -->

classes/Visualizer/Render/Library.php

Lines changed: 28 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -297,30 +297,36 @@ private function _renderChartBox( $placeholder_id, $chart_id ) {
297297
}
298298

299299
$ajax_url = admin_url( 'admin-ajax.php' );
300-
$delete_url = add_query_arg(
301-
array(
302-
'action' => Visualizer_Plugin::ACTION_DELETE_CHART,
303-
'nonce' => wp_create_nonce(),
304-
'chart' => $chart_id,
305-
),
306-
$ajax_url
300+
$delete_url = esc_url(
301+
add_query_arg(
302+
array(
303+
'action' => Visualizer_Plugin::ACTION_DELETE_CHART,
304+
'nonce' => wp_create_nonce(),
305+
'chart' => $chart_id,
306+
),
307+
$ajax_url
308+
)
307309
);
308-
$clone_url = add_query_arg(
309-
array(
310-
'action' => Visualizer_Plugin::ACTION_CLONE_CHART,
311-
'nonce' => wp_create_nonce( Visualizer_Plugin::ACTION_CLONE_CHART ),
312-
'chart' => $chart_id,
313-
'type' => $this->type,
314-
),
315-
$ajax_url
310+
$clone_url = esc_url(
311+
add_query_arg(
312+
array(
313+
'action' => Visualizer_Plugin::ACTION_CLONE_CHART,
314+
'nonce' => wp_create_nonce( Visualizer_Plugin::ACTION_CLONE_CHART ),
315+
'chart' => $chart_id,
316+
'type' => $this->type,
317+
),
318+
$ajax_url
319+
)
316320
);
317-
$export_link = add_query_arg(
318-
array(
319-
'action' => Visualizer_Plugin::ACTION_EXPORT_DATA,
320-
'chart' => $chart_id,
321-
'security' => wp_create_nonce( Visualizer_Plugin::ACTION_EXPORT_DATA . Visualizer_Plugin::VERSION ),
322-
),
323-
admin_url( 'admin-ajax.php' )
321+
$export_link = esc_url(
322+
add_query_arg(
323+
array(
324+
'action' => Visualizer_Plugin::ACTION_EXPORT_DATA,
325+
'chart' => $chart_id,
326+
'security' => wp_create_nonce( Visualizer_Plugin::ACTION_EXPORT_DATA . Visualizer_Plugin::VERSION ),
327+
),
328+
admin_url( 'admin-ajax.php' )
329+
)
324330
);
325331

326332
$chart_status = array( 'date' => get_the_modified_date( get_option( 'date_format' ) . ' ' . get_option( 'time_format' ), $chart_id ), 'error' => get_post_meta( $chart_id, Visualizer_Plugin::CF_ERROR, true ), 'icon' => 'dashicons-yes-alt', 'title' => 'A-OK!' );

classes/Visualizer/Render/Page/Data.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -107,7 +107,7 @@ protected function _renderToolbar() {
107107
// NOTE: We can't be selective on the post_status here because when a new chart reaches the settings screen, its status changes to publish.
108108
if ( ! VISUALIZER_SKIP_CHART_TYPE_PAGE ) {
109109
echo '<div class="toolbar-div">';
110-
echo '<a class="button button-large" href="', add_query_arg( 'tab', 'types' ), '">';
110+
echo '<a class="button button-large" href="', esc_url( add_query_arg( 'tab', 'types' ) ), '">';
111111
esc_html_e( 'Back', 'visualizer' );
112112
echo '</a>';
113113
echo '</div>';

classes/Visualizer/Render/Page/Settings.php

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ protected function _renderContent() {
5151
* @access protected
5252
*/
5353
protected function _renderToolbar() {
54-
echo '<a class="button button-large" href="', add_query_arg( 'tab', 'data' ), '">';
54+
echo '<a class="button button-large" href="', esc_url( add_query_arg( 'tab', 'data' ) ), '">';
5555
esc_html_e( 'Back', 'visualizer' );
5656
echo '</a>';
5757
echo '<input type="submit" class="button button-primary button-large push-right" value="', $this->button, '">';
@@ -65,7 +65,7 @@ protected function _renderToolbar() {
6565
* @access protected
6666
*/
6767
protected function _toHTML() {
68-
echo '<form id="settings-form" action="', add_query_arg( 'nonce', wp_create_nonce() ), '" method="post">';
68+
echo '<form id="settings-form" action="', esc_url( add_query_arg( 'nonce', wp_create_nonce() ) ), '" method="post">';
6969
parent::_toHTML();
7070
echo '</form>';
7171
}

composer.json

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,9 @@
4141
"optimize-autoloader": true,
4242
"platform": {
4343
"php": "5.6"
44+
},
45+
"allow-plugins": {
46+
"dealerdirect/phpcodesniffer-composer-installer": true
4447
}
4548
},
4649
"require-dev": {

0 commit comments

Comments
 (0)