From 8b8bc812f85497eb9900f8430a8f40ec5ba40322 Mon Sep 17 00:00:00 2001 From: Brett Shumaker Date: Sat, 8 Aug 2020 14:20:06 -0400 Subject: [PATCH 1/6] Updating version and tested up to --- trunk/README.txt | 8 ++++++-- trunk/includes/class-simple-staff-list.php | 2 +- trunk/simple-staff-list.php | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/trunk/README.txt b/trunk/README.txt index 9b9277a..e3a1b9f 100755 --- a/trunk/README.txt +++ b/trunk/README.txt @@ -2,8 +2,8 @@ Contributors: brettshumaker Tags: staff list, staff directory, employee list, staff, employee, employees Requires at least: 3.0 -Tested up to: 5.2.1 -Stable tag: 2.2.0 +Tested up to: 5.5 +Stable tag: 2.2.1 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html @@ -46,6 +46,10 @@ Alright, here's a few things to try: == Changelog == += 2.2.1 = +* FIXED: Removed extra spacing on default values +* CLEANED UP: + = 2.2.0 = * FEATURE: Use the `id` shortcode parameter to show a single Staff Member block * FEATURE: Use the `sslp_enable_staff_member_archive` filter to disable the `/staff-member` archive page. This filter defaults to `true` - pass `false` to turn off the archive page. You will need to [flush the permalinks](https://typerocket.com/flushing-permalinks-in-wordpress/) for this to take effect. diff --git a/trunk/includes/class-simple-staff-list.php b/trunk/includes/class-simple-staff-list.php index 2a39d64..08acaad 100644 --- a/trunk/includes/class-simple-staff-list.php +++ b/trunk/includes/class-simple-staff-list.php @@ -68,7 +68,7 @@ class Simple_Staff_List { public function __construct() { $this->plugin_name = 'simple-staff-list'; - $this->version = '2.2.0'; + $this->version = '2.2.1'; $this->load_dependencies(); $this->set_locale(); diff --git a/trunk/simple-staff-list.php b/trunk/simple-staff-list.php index 09429ea..c9c298c 100755 --- a/trunk/simple-staff-list.php +++ b/trunk/simple-staff-list.php 
@@ -15,7 +15,7 @@ * Plugin Name: Simple Staff List * Plugin URI: https://wordpress.org/plugins/simple-staff-list/ * Description: A simple plugin to build and display a staff listing for your website. - * Version: 2.2.0 + * Version: 2.2.1 * Author: Brett Shumaker * Author URI: http://www.brettshumaker.com * License: GPL-2.0+ From 62358d37e68b7083cd5a7ff5b4b6fca203ffcc39 Mon Sep 17 00:00:00 2001 From: Brett Shumaker Date: Sat, 8 Aug 2020 14:59:00 -0400 Subject: [PATCH 2/6] Removed extra spacing in default template and CSS --- .../class-simple-staff-list-activator.php | 71 +------------------ 1 file changed, 2 insertions(+), 69 deletions(-) diff --git a/trunk/includes/class-simple-staff-list-activator.php b/trunk/includes/class-simple-staff-list-activator.php index d273e89..79ac69c 100644 --- a/trunk/includes/class-simple-staff-list-activator.php +++ b/trunk/includes/class-simple-staff-list-activator.php @@ -31,76 +31,9 @@ class Simple_Staff_List_Activator { * @param bool $is_forced Whether or not the "activation" function was forced to run. */ public static function activate( $is_forced = false ) { - $default_template = ' - [staff_loop] - [staff-name] : [staff-position] -
- [staff-name-formatted] - [staff-position-formatted] - [staff-bio-formatted] - [staff-email-link] -
- [/staff_loop]'; + $default_template = "[staff_loop]\n \"[staff-name]\n
\n [staff-name-formatted]\n [staff-position-formatted]\n [staff-bio-formatted]\n [staff-email-link]\n
\n[/staff_loop]"; - $default_css = ' - /* div wrapped around entire staff list */ - div.staff-member-listing { - } - /* div wrapped around each staff member */ - div.staff-member { - padding-bottom: 2em; - border-bottom: thin dotted #aaa; - } - /* "Even" staff member */ - div.staff-member.even { - } - /* "Odd" staff member */ - div.staff-member.odd { - margin-top: 2em; - } - /* Last staff member */ - div.staff-member.last { - padding-bottom: 0; - border: none; - } - /* Wrap around staff info */ - .staff-member-info-wrap { - float: left; - width: 70%; - margin-left: 3%; - } - /* [staff-bio-formatted] */ - div.staff-member-bio { - } - /* p tags within [staff-bio-formatted] */ - div.staff-member-bio p { - } - /* [staff-photo] */ - img.staff-member-photo { - float: left; - } - /* [staff-email-link] */ - .staff-member-email { - } - /* [staff-name-formatted] */ - div.staff-member-listing h3.staff-member-name { - margin: 0; - } - /* [staff-position-formatted] */ - div.staff-member-listing h4.staff-member-position { - margin: 0; - font-style: italic; - } - /* Clearfix for div.staff-member */ - div.staff-member:after { - content: ""; - display: block; - clear: both; - } - /* Clearfix for <= IE7 */ - * html div.staff-member { height: 1%; } - div.staff-member { display: block; } - '; + $default_css = "/* div wrapped around entire staff list */\n div.staff-member-listing {\n}\n/* div wrapped around each staff member */\ndiv.staff-member {\n padding-bottom: 2em;\n border-bottom: thin dotted #aaa;\n}\n/* Even staff member */\ndiv.staff-member.even {\n}\n/* Odd staff member */\ndiv.staff-member.odd {\n margin-top: 2em;\n}\n/* Last staff member */\ndiv.staff-member.last {\n padding-bottom: 0;\n border: none;\n}\n/* Wrap around staff info */\n.staff-member-info-wrap {\n float: left;\n width: 70%;\n margin-left: 3%;\n}\n/* [staff-bio-formatted] */\ndiv.staff-member-bio {\n}\n/* p tags within [staff-bio-formatted] */\ndiv.staff-member-bio p {\n}\n/* [staff-photo] 
*/\nimg.staff-member-photo {\n float: left;\n}\n/* [staff-email-link] */\n.staff-member-email {\n}\n/* [staff-name-formatted] */\ndiv.staff-member-listing h3.staff-member-name {\n margin: 0;\n}\n/* [staff-position-formatted] */\ndiv.staff-member-listing h4.staff-member-position {\n margin: 0;\n font-style: italic;\n}\n/* Clearfix for div.staff-member */\ndiv.staff-member:after {\n content: \"\";\n display: block;\n clear: both;\n}\n/* Clearfix for <= IE7 */\n* html div.staff-member { height: 1%; }\ndiv.staff-member { display: block; }\n"; $default_tags = array( '[staff-name]', From ccf688be0896444d75d43433c466e460dfa0f739 Mon Sep 17 00:00:00 2001 From: Brett Shumaker Date: Sat, 8 Aug 2020 14:59:10 -0400 Subject: [PATCH 3/6] Removed commented out debugging code --- trunk/includes/sslp-core-functions.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/trunk/includes/sslp-core-functions.php b/trunk/includes/sslp-core-functions.php index 5feb244..5aaff3d 100644 --- a/trunk/includes/sslp-core-functions.php +++ b/trunk/includes/sslp-core-functions.php @@ -33,8 +33,6 @@ function sslp_get_template_part( $slug = '' ) { // Allow 3rd party plugins to filter template file from their plugin. $template = apply_filters( 'sslp_get_template_part', $template, $slug ); - //wp_die( $template ); - if ( $template ) { load_template( $template, false ); } From 0fa306fd188edf12bb3b6efb35ad779e1db69f93 Mon Sep 17 00:00:00 2001 
From: Brett Shumaker Date: Mon, 10 Aug 2020 07:18:40 -0400 Subject: [PATCH 4/6] Adding sanitization and escaping. Added some sanitization (while saving post meta) and escaping (while printing post meta to the screen). Also added a new filter: `sslp_staff_member_bio_kses_allowed_html` This filter determines the allowed html tags for the Staff Member bio field. By default it uses the `post` context. --- trunk/admin/class-simple-staff-list-admin.php | 15 +++++++-------- .../simple-staff-list-shortcode-display.php | 16 ++++++++-------- .../templates/single-staff-member/staff-bio.php | 2 +- .../single-staff-member/staff-facebook.php | 2 +- .../single-staff-member/staff-image.php | 2 +- 5 files changed, 18 insertions(+), 19 deletions(-) diff --git a/trunk/admin/class-simple-staff-list-admin.php b/trunk/admin/class-simple-staff-list-admin.php index fc86bdd..6697130 100644 --- a/trunk/admin/class-simple-staff-list-admin.php +++ b/trunk/admin/class-simple-staff-list-admin.php @@ -474,7 +474,7 @@ public function staff_member_display_custom_columns( $column ) { switch ( $column ) { case 'id': - echo $post->ID; + echo esc_html( $post->ID ); break; case 'photo': if ( has_post_thumbnail() ) { 
@@ -517,32 +517,32 @@ public function save_staff_member_details() { update_post_meta( $post->ID, '_staff_member_bio', - isset( $_POST['_staff_member_bio'] ) ? $_POST['_staff_member_bio'] : '' + isset( $_POST['_staff_member_bio'] ) ? wp_kses( $_POST['_staff_member_bio'], apply_filters( 'sslp_staff_member_bio_kses_allowed_html', 'post' ) ) : '' ); update_post_meta( $post->ID, '_staff_member_title', - isset( $_POST['_staff_member_title'] ) ? $_POST['_staff_member_title'] : '' + isset( $_POST['_staff_member_title'] ) ? sanitize_text_field( $_POST['_staff_member_title'] ) : '' ); update_post_meta( $post->ID, '_staff_member_email', - isset( $_POST['_staff_member_email'] ) ? $_POST['_staff_member_email'] : '' + isset( $_POST['_staff_member_email'] ) ? sanitize_email( $_POST['_staff_member_email'] ) : '' ); update_post_meta( $post->ID, '_staff_member_phone', - isset( $_POST['_staff_member_phone'] ) ? $_POST['_staff_member_phone'] : '' + isset( $_POST['_staff_member_phone'] ) ? sanitize_text_field( $_POST['_staff_member_phone'] ) : '' ); update_post_meta( $post->ID, '_staff_member_fb', - isset( $_POST['_staff_member_fb'] ) ? $_POST['_staff_member_fb'] : '' + isset( $_POST['_staff_member_fb'] ) ? sanitize_text_field( $_POST['_staff_member_fb'] ) : '' ); update_post_meta( $post->ID, '_staff_member_tw', - isset( $_POST['_staff_member_tw'] ) ? $_POST['_staff_member_tw'] : '' + isset( $_POST['_staff_member_tw'] ) ? sanitize_text_field( $_POST['_staff_member_tw'] ) : '' ); } @@ -591,7 +591,6 @@ public function update_staff_member_order() { wp_send_json_error( "Cheatin' uh?" ); } - $post_type = $_POST['postType']; $order = $_POST['order']; /** diff --git a/trunk/public/partials/simple-staff-list-shortcode-display.php b/trunk/public/partials/simple-staff-list-shortcode-display.php index 037e49d..a4745f9 100644 --- a/trunk/public/partials/simple-staff-list-shortcode-display.php +++ b/trunk/public/partials/simple-staff-list-shortcode-display.php 
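Review bot: `_staff_member_fb` is saved through `sanitize_text_field()` although the front end reads it back as a URL (`$fb_url`), so a value with an unexpected scheme survives into post meta; `isset( $_POST['_staff_member_fb'] ) ? esc_url_raw( $_POST['_staff_member_fb'] ) : ''` would restrict the stored value to an allowed scheme, the same way `sanitize_email()` already constrains the email field. The `wp_kses()` call on the bio receives the raw, slash-escaped `$_POST` value, which is not what kses normally parses; worth confirming whether an unslash/re-slash step (as core's `wp_filter_post_kses()` does) is needed so quoted attributes are filtered correctly. In the next hunk of the same file (`update_staff_member_order`) the unused `$post_type` line is dropped but `$order = $_POST['order'];` is still taken raw; its use is outside the hunk, but if it reaches a query it should be normalised first, e.g. `array_map( 'absint', (array) wp_unslash( $_POST['order'] ) )` if it is a list of post IDs. The body of `save_staff_member_details()` starts before this hunk, so any nonce or capability check it performs is not visible here.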
@@ -91,7 +91,7 @@ // Prepare to output styles if not using external style sheet. if ( 'no' === $use_external_css ) { - $style_output = ''; + $style_output = ''; } else { $style_output = ''; } @@ -120,16 +120,16 @@ $custom = get_post_custom(); $name = get_the_title(); - $name_formatted = '

' . $name . '

'; + $name_formatted = '

' . esc_html( $name ) . '

'; $name_slug = basename( get_permalink() ); $title = isset( $custom['_staff_member_title'][0] ) ? $custom['_staff_member_title'][0] : ''; - $title_formatted = '' !== $title ? '

' . $title . '

' : ''; + $title_formatted = '' !== $title ? '

' . esc_html( $title ) . '

' : ''; $email = isset( $custom['_staff_member_email'][0] ) ? $custom['_staff_member_email'][0] : ''; $phone = isset( $custom['_staff_member_phone'][0] ) ? $custom['_staff_member_phone'][0] : ''; $bio = isset( $custom['_staff_member_bio'][0] ) ? $custom['_staff_member_bio'][0] : ''; $fb_url = isset( $custom['_staff_member_fb'][0] ) ? $custom['_staff_member_fb'][0] : ''; $tw_url = isset( $custom['_staff_member_tw'][0] ) ? 'http://www.twitter.com/' . $custom['_staff_member_tw'][0] : ''; - $email_mailto = '' !== $email ? '' . antispambot( $email ) . '' : ''; + $email_mailto = '' !== $email ? '' . esc_html( antispambot( $email ) ) . '' : ''; $email_nolink = '' !== $email ? antispambot( $email ) : ''; if ( has_post_thumbnail() ) { @@ -140,7 +140,7 @@ $src = $image_obj[0]; $photo_url = $src; - $photo = '' . $title . ''; + $photo = '' . esc_attr( $title ) . ''; } else { @@ -151,16 +151,16 @@ if ( function_exists( 'wpautop' ) ) { - $bio_format = '' !== $bio ? '
' . wpautop( $bio ) . '
' : ''; + $bio_format = '' !== $bio ? '
' . wp_kses( wpautop( $bio ), apply_filters( 'sslp_staff_member_bio_kses_allowed_html', 'post' ) ) . '
' : ''; } else { - $bio_format = $bio; + $bio_format = wp_kses( $bio, apply_filters( 'sslp_staff_member_bio_kses_allowed_html', 'post' ) ); } $accepted_single_tags = $default_tags; - $replace_single_values = apply_filters( 'sslp_replace_single_values_filter', array( $name, $name_slug, $photo_url, $title, $email_nolink, $phone, $bio, $fb_url, $tw_url ), $post->ID ); + $replace_single_values = apply_filters( 'sslp_replace_single_values_filter', array( esc_html( $name ), esc_attr( $name_slug ), esc_url( $photo_url ), esc_html( $title ), esc_html( $email_nolink ), esc_html( $phone ), wp_kses( $bio, apply_filters( 'sslp_staff_member_bio_kses_allowed_html', 'post' ) ), esc_html( $fb_url ), esc_url( $tw_url ) ), $post->ID ); $accepted_formatted_tags = $default_formatted_tags; $replace_formatted_values = apply_filters( 'sslp_replace_formatted_values_filter', array( $name_formatted, $title_formatted, $photo, $email_mailto, $bio_format ), $post->ID ); diff --git a/trunk/public/templates/single-staff-member/staff-bio.php b/trunk/public/templates/single-staff-member/staff-bio.php index 29ab10d..3a885a0 100644 --- a/trunk/public/templates/single-staff-member/staff-bio.php +++ b/trunk/public/templates/single-staff-member/staff-bio.php @@ -13,4 +13,4 @@ $bio = get_post_meta( $post->ID, '_staff_member_bio', true ); -echo wpautop( $bio ); +echo wp_kses( wpautop( $bio ), apply_filters( 'sslp_staff_member_bio_kses_allowed_html', 'post' ) ); diff --git a/trunk/public/templates/single-staff-member/staff-facebook.php b/trunk/public/templates/single-staff-member/staff-facebook.php index bb36b51..ae8820b 100644 --- a/trunk/public/templates/single-staff-member/staff-facebook.php +++ b/trunk/public/templates/single-staff-member/staff-facebook.php @@ -24,6 +24,6 @@ $icon = $svg['body']; } - echo ''; + echo ''; } diff --git a/trunk/public/templates/single-staff-member/staff-image.php b/trunk/public/templates/single-staff-member/staff-image.php index 2e0c4ac..b513e5c 100644 
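Review bot: In the `$replace_single_values` array the Facebook value is escaped with `esc_html( $fb_url )` while the Twitter value beside it uses `esc_url( $tw_url )`; both are URLs that a user template will usually drop into an `href`, and `esc_html()` does not reject unsafe schemes, so the `[staff-facebook]` entry should be `esc_url( $fb_url )` as well. Escaping is now also applied before `apply_filters( 'sslp_replace_single_values_filter', ... )`, so third-party callbacks receive pre-escaped values and whatever they return is printed as-is; escaping after the filter, or documenting that callbacks must return escaped values, would make that contract explicit. The loop these lines belong to starts before this hunk.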
--- a/trunk/public/templates/single-staff-member/staff-image.php +++ b/trunk/public/templates/single-staff-member/staff-image.php @@ -18,4 +18,4 @@ $image_obj = wp_get_attachment_image_src( get_post_thumbnail_id(), 'medium', false ); $src = $image_obj[0]; ?> -<?php echo esc_attr( get_the_title() ); ?> +<?php echo esc_attr( get_the_title() ); ?> From 5c4926b086d1201f3901939cb3eedc257b687105 Mon Sep 17 00:00:00 2001 From: Brett Shumaker Date: Mon, 10 Aug 2020 07:23:09 -0400 Subject: [PATCH 5/6] Update changelog --- trunk/README.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/trunk/README.txt b/trunk/README.txt index e3a1b9f..a3f191c 100755 --- a/trunk/README.txt +++ b/trunk/README.txt @@ -47,8 +47,10 @@ Alright, here's a few things to try: == Changelog == = 2.2.1 = +* ADDED: Use the filter `sslp_staff_member_bio_kses_allowed_html` to change which HTML tags are allowed in the Staff Member bio field - it currently defaults to the `post` context. [Learn more](https://developer.wordpress.org/reference/functions/wp_kses/). +* FIXED: Added some data sanitization and escaping * FIXED: Removed extra spacing on default values -* CLEANED UP: +* CLEANED UP: Removed some old debugging code = 2.2.0 = * FEATURE: Use the `id` shortcode parameter to show a single Staff Member block From 5b1900fc0a2d3ada5d83a2e32e7eeb4668a130b0 Mon Sep 17 00:00:00 2001 From: Brett Shumaker Date: Tue, 16 Mar 2021 07:27:25 -0400 Subject: [PATCH 6/6] Updated Tested up to version. --- trunk/README.txt | 2 +- trunk/trunk | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) create mode 120000 trunk/trunk diff --git a/trunk/README.txt b/trunk/README.txt index a3f191c..139f9cd 100755 --- a/trunk/README.txt +++ b/trunk/README.txt 
@@ -2,7 +2,7 @@
 Contributors: brettshumaker
 Tags: staff list, staff directory, employee list, staff, employee, employees
 Requires at least: 3.0
-Tested up to: 5.5
+Tested up to: 5.7
 Stable tag: 2.2.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
diff --git a/trunk/trunk b/trunk/trunk
new file mode 120000
index 0000000..afb0b12
--- /dev/null
+++ b/trunk/trunk
@@ -0,0 +1 @@
+/vagrant/simple-staff-list/trunk
\ No newline at end of file
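Review bot: `trunk/trunk` is a new symlink (mode 120000) pointing at the absolute path `/vagrant/simple-staff-list/trunk`, which looks like a development-VM artefact committed by accident alongside the "Tested up to" bump. It exposes a local filesystem layout, is dangling on any other machine, and a link named `trunk` inside `trunk/` can send packaging or deploy scripts that follow symlinks into a loop. Drop it from the commit and add the path to `.gitignore` so it does not come back.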