Changeset 2626593 for shapepress-dsgvo

Timestamp:

11/09/2021 09:58:06 AM (4 years ago)

Author:

legalweb

Message:

3.1.27

• improved sanitation and escaping
• fixed errors at unsubscribe and subject access request

Location:

shapepress-dsgvo/trunk

Files:

• README.txt (modified) (2 diffs)
• admin/js/sp-dsgvo-admin.js (modified) (2 diffs)
• admin/tabs/v3/subject-access-request/page.php (modified) (1 diff)
• admin/tabs/v3/super-unsubscribe/class-sp-dsgvo-dismiss-unsubscribe-action.php (modified) (1 diff)
• admin/tabs/v3/super-unsubscribe/page.php (modified) (1 diff)
• includes/class-sp-dsgvo-ajax-action.php (modified) (2 diffs)
• includes/class-sp-dsgvo-embedding-api-base.php (modified) (1 diff)
• includes/class-sp-dsgvo-integration-api-base.php (modified) (1 diff)
• includes/helpers.php (modified) (1 diff)
• public/shortcodes/subject-access-request/subject-access-request.php (modified) (1 diff)
• public/shortcodes/super-unsubscribe/unsubscribe-form.php (modified) (1 diff)
• sp-dsgvo.php (modified) (2 diffs)

shapepress-dsgvo/trunk/README.txt

@@ -5 +5 @@
 Requires at least: 3.0.1
 Tested up to: 5.8.1
-Stable tag: 3.1.26
+Stable tag: 3.1.27
 Requires PHP: 5.6.0
 License: GPLv2 or later
@@ -204 +204 @@
 
 == Changelog ==
+= 3.1.27 =
+* improved sanitation and escaping
+* fixed errors at unsubscribe and subject access request
+
 = 3.1.26 =
 * improved sanitation and escaping

shapepress-dsgvo/trunk/admin/js/sp-dsgvo-admin.js

@@ -48 +48 @@
         $('.unsubscribe-dismiss').on('click tap', function() {
             var $this = $(this),
-                id = $this.attr('data-id');
+                id = $this.attr('data-id'),
+                wpnonce = $this.attr('data-nonce');
 
             if(confirm(args.dismiss_confirm)) {
@@ -54 +55 @@
                 $.post( args.ajaxurl, {
                     action: 'admin-dismiss-unsubscribe',
-                    id: id
+                    id: id,
+                    _wpnonce: wpnonce
                 },
                 function( data ) {

shapepress-dsgvo/trunk/admin/tabs/v3/subject-access-request/page.php

@@ -195 +195 @@
                         <td class="column-dismiss">
                             <svg class="unsubscribe-dismiss" width="10" height="10"
-                                 data-id="<?php echo esc_attr($pendingRequest->ID); ?>">
+                                 data-id="<?php echo esc_attr($pendingRequest->ID); ?>" data-nonce="<?php echo wp_create_nonce(SPDSGVODismissUnsubscribeAction::getActionName() . '-nonce'); ?>">
                                 <line x1="0" y1="0" x2="10" y2="10"/>
                                 <line x1="0" y1="10" x2="10" y2="0"/>

shapepress-dsgvo/trunk/admin/tabs/v3/super-unsubscribe/class-sp-dsgvo-dismiss-unsubscribe-action.php

@@ -11 +11 @@
 
         $id = $this->get('id');
-        if (is_numeric()) {
+        if (is_numeric($id)) {
             $postType = get_post_type($id );
-            if ($postType == "subjectaccessrequest") {
+            if ($postType == "subjectaccessrequest" || $postType == "spdsgvo_unsubscriber") {
                 wp_delete_post( $id );
             }

shapepress-dsgvo/trunk/admin/tabs/v3/super-unsubscribe/page.php

@@ -319 +319 @@
                             <span class="wpk-services-table-name"><?php _e('Dismiss', 'shapepress-dsgvo') ?></span>
                             <svg class="unsubscribe-dismiss" width="10" height="10"
-                                 data-id="<?php echo esc_attr($confirmedRequest->ID); ?>">
+                                 data-id="<?php echo esc_attr($confirmedRequest->ID); ?>" data-nonce="<?php echo wp_create_nonce(SPDSGVODismissUnsubscribeAction::getActionName() . '-nonce'); ?>">
                                 <line x1="0" y1="0" x2="10" y2="10"/>
                                 <line x1="0" y1="10" x2="10" y2="0"/>

shapepress-dsgvo/trunk/includes/class-sp-dsgvo-ajax-action.php

@@ -178 +178 @@
 
             if(is_array($_REQUEST[$key])){
-                return $this->recursive_sanitize_text_field($_REQUEST[$key]);
+                return spDsgvo_recursive_sanitize_text_field($_REQUEST[$key]);
             }
 
@@ -227 +227 @@
     }
 
-    /**
-    * Recursive sanitation for an array
-    * @param $array
-    * @return mixed
-    */
-    function recursive_sanitize_text_field($array) {
-        foreach ( $array as $key => &$value ) {
-            if ( is_array( $value ) ) {
-                $value = recursive_sanitize_text_field($value);
-            }
-            else {
-                $value = sanitize_text_field( $value );
-            }
-        }
-
-        return $array;
-    }
+
 
     public function returnBack(){

shapepress-dsgvo/trunk/includes/class-sp-dsgvo-embedding-api-base.php

@@ -154 +154 @@
 
         // the settings are stored in an array like  "integration-slug" => '0'
-        $integrationSettings = json_decode(sanitize_text_field(stripslashes($_COOKIE[SPDSGVOConstants::CCOKIE_NAME])));
+        $integrationSettings = (json_decode(stripslashes($_COOKIE[SPDSGVOConstants::CCOKIE_NAME])));
         // check if it is a class and has the property
         if ($integrationSettings instanceof stdClass  == false || !property_exists($integrationSettings, 'integrations')) return false;
 
-        $enabledIntegrations = filter_var_array($integrationSettings->integrations,FILTER_SANITIZE_ENCODED);
+        $integrationSettingsArray = (array)$integrationSettings;
+        $integrationSettingsArray = spDsgvo_recursive_sanitize_text_field($integrationSettingsArray);
+
+        $enabledIntegrations = $integrationSettingsArray['integrations'];//filter_var_array($integrationSettings->integrations,FILTER_SANITIZE_ENCODED);
         $integrationSettings = null; // we only need here the array of enabled integrations, which we sanitze and filter in the above lines. the rest gets nulled
         if ($enabledIntegrations == false || isset($enabledIntegrations) == false) return false;

shapepress-dsgvo/trunk/includes/class-sp-dsgvo-integration-api-base.php

@@ -223 +223 @@
 
         // the settings are stored in an array like  "integration-slug" => '0'
-        $integrationSettings = json_decode(sanitize_text_field(stripslashes($_COOKIE[SPDSGVOConstants::CCOKIE_NAME])));
+        $integrationSettings = sanitize_text_field(json_decode(stripslashes($_COOKIE[SPDSGVOConstants::CCOKIE_NAME])));
         // check if it is a class and has the property
         if ($integrationSettings instanceof stdClass  == false || !property_exists($integrationSettings, 'integrations')) return false;

shapepress-dsgvo/trunk/includes/helpers.php

@@ -237 +237 @@
 }
 
+/**
+ * Recursive sanitation for an array
+ * @param $array
+ * @return mixed
+ */
+if (! function_exists('spDsgvo_recursive_sanitize_text_field')) {
+    function spDsgvo_recursive_sanitize_text_field( $array ) {
+        foreach ( $array as $key => &$value ) {
+            if ( is_array( $value ) ) {
+                $value = recursive_sanitize_text_field( $value );
+            } else {
+                $value = sanitize_text_field( $value );
+            }
+        }
+
+        return $array;
+    }
+}
+
 if (! function_exists('spDsgvoWriteInput')) {
     /**

shapepress-dsgvo/trunk/public/shortcodes/subject-access-request/subject-access-request.php

@@ -14 +14 @@
     ob_start();
     ?>  
-        <?php if(isset($_REQUEST['result']) && santize_text_field($_REQUEST['result']) === 'success'): ?>
+        <?php if(isset($_REQUEST['result']) && (sanitize_text_field($_REQUEST['result'])) === 'success'): ?>
 
             <p class="sp-dsgvo sar-success-message"><?php _e('Your request has been created','shapepress-dsgvo')?> <br> <?php _e('You will receive an email from us with a current extract of your data stored with us.','shapepress-dsgvo')?></p>

shapepress-dsgvo/trunk/public/shortcodes/super-unsubscribe/unsubscribe-form.php

@@ -15 +15 @@
     ob_start();
     ?>  
-        <?php if(isset($_REQUEST['result']) && santize_text_field($_REQUEST['result']) === 'success'): ?>
+        <?php if(isset($_REQUEST['result']) && (sanitize_text_field($_REQUEST['result'])) === 'success'): ?>
 
             <p class="sp-dsgvo us-success-message"><?php _e('Request sent successfully. You will receive an email in a few minutes.','shapepress-dsgvo')?></p>
 
-        <?php elseif(isset($_REQUEST['result']) && santize_text_field($_REQUEST['result']) === 'confirmed'): ?>
+        <?php elseif(isset($_REQUEST['result']) && sanitize_text_field($_REQUEST['result']) === 'confirmed'): ?>
 
             <p class="sp-dsgvo us-success-message"><?php _e('Request successfully completed. Your data has been completely deleted.','shapepress-dsgvo')?></p>

shapepress-dsgvo/trunk/sp-dsgvo.php

@@ -17 +17 @@
  * Plugin URI:        https://legalweb.io
  * Description:       WP DSGVO Tools (GDPR) help you to fulfill the GDPR (DGSVO)  compliance guidance (<a target="_blank" href="https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/">GDPR</a>)
- * Version:           3.1.26
+ * Version:           3.1.27
  * Author:            legalweb
  * Author URI:        https://www.legalweb.io
@@ -29 +29 @@
 }
 
-define('sp_dsgvo_VERSION', '3.1.26');
+define('sp_dsgvo_VERSION', '3.1.27');
 define('sp_dsgvo_NAME', 'sp-dsgvo');
 define('sp_dsgvo_PLUGIN_NAME', 'shapepress-dsgvo');