Changeset 299860

Timestamp:

11/24/2025 03:29:15 AM (3 hours ago)

Author:

themedropbox

Message:

New version of OnePress - 2.3.16

Location:

onepress/2.3.16

Files:

• . (copied) (copied from onepress/2.3.15)
• assets/css/customizer.css (modified) (1 diff)
• assets/sass/style.scss (modified) (1 diff)
• changelog.md (modified) (1 diff)
• inc/admin/dashboard.php (modified) (5 diffs)
• inc/customize-controls/control-repeater.php (modified) (3 diffs)
• inc/customize-controls/section-plus.php (modified) (2 diffs)
• inc/sanitize.php (modified) (1 diff)
• inc/template-tags.php (modified) (2 diffs)
• style.css (modified) (1 diff)

onepress/2.3.16/assets/css/customizer.css

@@ -2 +2 @@
 li#accordion-panel-onepress_typo > .accordion-section-title
 {
-    padding-left: 14px;
+    /* padding-left: 14px; */
 }
 

onepress/2.3.16/assets/sass/style.scss

@@ -5 +5 @@
 Author URI: http://www.famethemes.com
 Description: OnePress is an outstanding creative and flexible WordPress one page theme well suited for business website, portfolio, digital agency, product showcase, freelancers and everyone else who appreciate good design. The theme overall is an elegant and classic one, a fine example of Bootstrap 4 WordPress theme which compatibility with latest version of WooCommerce. (Live preview : https://demos.famethemes.com/onepress)
-Version: 2.3.15
+Version: 2.3.16
 License: GNU General Public License v2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html

onepress/2.3.16/changelog.md

@@ -1 +1 @@
 # CHANGELOG
+
+# 2.3.16
+- FIXED: Fix security issues.
+- FIXED: Alert copy text.
 
 # 2.3.15

onepress/2.3.16/inc/admin/dashboard.php

@@ -180 +180 @@
                     </label>
                     <?php if ($see_only) { ?>
-                        <span class="note-bubble"><?php esc_html('Plus Feature', 'onepress'); ?></span>
+                        <span class="note-bubble"><?php esc_html_e('Plus Feature', 'onepress'); ?></span>
                     <?php } ?>
                 </div>
@@ -236 +236 @@
 
         if (isset($_GET['onepress_action_dismiss'])) {
+            $key = sanitize_text_field($_GET['onepress_action_dismiss']);
             $actions_dismiss =  get_option('onepress_actions_dismiss');
             if (!is_array($actions_dismiss)) {
                 $actions_dismiss = array();
             }
-            $actions_dismiss[sanitize_text_field($_GET['onepress_action_dismiss'])] = 'dismiss';
+            $actions_dismiss[$key] = 'dismiss';
             update_option('onepress_actions_dismiss', $actions_dismiss);
         }
@@ -352 +353 @@
                                 <input type="submit" class="button button-secondary" value="<?php esc_attr_e('Copy now', 'onepress'); ?>">
                             </p>
-                            <?php if (isset($_GET['copied']) && $_GET['copied'] == 1) { ?>
+                            <?php if (isset($_GET['copied']) && absint($_GET['copied']) == 1) { ?>
                                 <p><?php esc_html_e('Your settings were copied.', 'onepress'); ?></p>
                             <?php } ?>
@@ -433 +434 @@
                         <?php do_action('onepress_more_required_details', $actions); ?>
                     <?php  } else { ?>
-                        <h3><?php esc_html(sprintf(__('Keep %s updated', 'onepress'), $theme_data->Name)); ?></h3>
+                        <h3><?php echo esc_html(sprintf(__('Keep %s updated', 'onepress'), $theme_data->Name)); ?></h3>
                         <p><?php esc_html_e('Hooray! There are no required actions for you right now.', 'onepress'); ?></p>
                     <?php } ?>
@@ -721 +722 @@
                 $('body').addClass('about-php');
 
-                $('.copy-settings-form').on('submit', function() {
-                    var c = confirm('<?php echo esc_attr_e('Are you sure want to copy ?', 'onepress'); ?>');
-                    if (!c) {
-                        return false;
-                    }
-                });
+            $('.copy-settings-form').on('submit', function() {
+                var c = confirm(<?php echo wp_json_encode(__('Are you sure you want to copy?', 'onepress')); ?>);
+                if (!c) {
+                    return false;
+                }
+            });
             });
         </script>

onepress/2.3.16/inc/customize-controls/control-repeater.php

@@ -150 +150 @@
         $this->json['value']         = $value;
         $this->json['id_key']        = $this->id_key;
-        $this->json['fields']        = $this->fields;
+        
+        // Sanitize fields data before passing to JavaScript
+        $sanitized_fields = array();
+        foreach ($this->fields as $key => $field) {
+            $sanitized_fields[$key] = $field;
+            if (isset($field['title'])) {
+                // Allow safe HTML tags in title (like <strong>, <em>, etc.)
+                $sanitized_fields[$key]['title'] = wp_kses_post($field['title']);
+            }
+            if (isset($field['desc'])) {
+                // Allow safe HTML tags in description (like <strong>, <em>, <a>, <p>, etc.)
+                // wp_kses_post() removes dangerous tags like <script>, <iframe> while keeping safe ones
+                $sanitized_fields[$key]['desc'] = wp_kses_post($field['desc']);
+            }
+        }
+        $this->json['fields'] = $sanitized_fields;
 
     }
@@ -230 +245 @@
                                     <# if ( field.type !== 'checkbox' ) { #>
                                     <# if ( field.title ) { #>
-                                    <label class="field-label">{{ field.title }}</label>
+                                    <label class="field-label">{{{ field.title }}}</label>
                                     <# } #>
 
@@ -249 +264 @@
                                     <label class="checkbox-label">
                                         <input data-live-id="{{ field.id }}" type="checkbox" <# if ( field.value ) { #> checked="checked" <# } #> value="1" data-repeat-name="_items[__i__][{{ field.id }}]" class="">
-                                        {{ field.title }}</label>
+                                        {{{ field.title }}}</label>
                                     <# } #>
 
                                     <# if ( field.desc ) { #>
-                                    <p class="field-desc description">{{ field.desc }}</p>
+                                    <p class="field-desc description">{{{ field.desc }}}</p>
                                     <# } #>
 

onepress/2.3.16/inc/customize-controls/section-plus.php

@@ -49 +49 @@
         $json = parent::json();
         $json['plus_text'] = $this->plus_text;
-        $json['plus_url']  = $this->plus_url;
-        $json['id'] = $this->id;
+        $json['plus_url']  = esc_url($this->plus_url);
+        $json['id'] = sanitize_text_field($this->id);
         return $json;
     }
@@ -64 +64 @@
         <li id="accordion-section-{{ data.id }}" class="accordion-section control-section control-section-{{ data.type }} cannot-expand">
 
-            <h3><a href="{{ data.plus_url }}" target="_blank">{{{ data.plus_text }}}</a></h3>
+            <h3><a href="{{ data.plus_url }}" target="_blank" rel="noopener noreferrer">{{ data.plus_text }}</a></h3>
         </li>
     <?php }

onepress/2.3.16/inc/sanitize.php

@@ -134 +134 @@
                         $data[$i][$id] = sanitize_text_field($value);
                         break;
-                    case 'media':
-                        $value = wp_parse_args(
-                            $value,
-                            array(
-                                'url' => '',
-                                'id' => false,
-                            )
-                        );
-                        $value['id'] = absint($value['id']);
-                        $data[$i][$id]['url'] = sanitize_text_field($value['url']);
-
-                        if ($url = wp_get_attachment_url($value['id'])) {
-                            $data[$i][$id]['id']   = $value['id'];
-                            $data[$i][$id]['url']  = $url;
+                case 'media':
+                    $value = wp_parse_args(
+                        $value,
+                        array(
+                            'url' => '',
+                            'id' => false,
+                        )
+                    );
+                    $value['id'] = absint($value['id']);
+                    
+                    // Validate and sanitize URL
+                    $url = sanitize_text_field($value['url']);
+                    // Only allow http/https URLs for security
+                    if (!empty($url) && !preg_match('/^https?:\/\//', $url)) {
+                        $url = '';
+                    }
+                    $url = esc_url_raw($url);
+                    $data[$i][$id]['url'] = $url;
+
+                    if ($url && $value['id'] && ($attachment_url = wp_get_attachment_url($value['id']))) {
+                        $data[$i][$id]['id']   = $value['id'];
+                        $data[$i][$id]['url']  = esc_url_raw($attachment_url);
+                    } else {
+                        if (empty($url)) {
+                            $data[$i][$id]['id'] = '';
                         } else {
-                            $data[$i][$id]['id'] = '';
+                            $data[$i][$id]['id'] = $value['id'];
                         }
-
-                        break;
+                    }
+
+                    break;
                     default:
                         $data[$i][$id] = wp_kses_post($value);

onepress/2.3.16/inc/template-tags.php

@@ -130 +130 @@
             $classes['title'] = 'has-title';
             if (is_front_page() && ! is_home()) {
-                $html .= '<h1 class="site-title"><a class="site-text-logo" href="' . esc_url(home_url('/')) . '" rel="home">' . get_bloginfo('name') . '</a></h1>';
+                $html .= '<h1 class="site-title"><a class="site-text-logo" href="' . esc_url(home_url('/')) . '" rel="home">' . esc_html(get_bloginfo('name')) . '</a></h1>';
             } else {
-                $html .= '<p class="site-title"><a class="site-text-logo" href="' . esc_url(home_url('/')) . '" rel="home">' . get_bloginfo('name') . '</a></p>';
+                $html .= '<p class="site-title"><a class="site-text-logo" href="' . esc_url(home_url('/')) . '" rel="home">' . esc_html(get_bloginfo('name')) . '</a></p>';
             }
         }
@@ -140 +140 @@
             if ($description || is_customize_preview()) {
                 $classes['desc'] = 'has-desc';
-                $html .= '<p class="site-description">' . $description . '</p>';
+                $html .= '<p class="site-description">' . esc_html($description) . '</p>';
             }
         } else {

onepress/2.3.16/style.css

@@ -5 +5 @@
 Author URI: http://www.famethemes.com
 Description: OnePress is an outstanding creative and flexible WordPress one page theme well suited for business website, portfolio, digital agency, product showcase, freelancers and everyone else who appreciate good design. The theme overall is an elegant and classic one, a fine example of Bootstrap 4 WordPress theme which compatibility with latest version of WooCommerce. (Live preview : https://demos.famethemes.com/onepress)
-Version: 2.3.15
+Version: 2.3.16
 License: GNU General Public License v2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html