diff --git a/CHANGELOG.md b/CHANGELOG.md
index b237b964b..1cf5c123f 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+##### [Version 3.9.5](https://github.com/Codeinwp/visualizer/compare/v3.9.4...v3.9.5) (2023-01-30)
+
+- Improved security by escaping shortcode attribute before render
+- Compatibility with PHP 8.2
+
 ##### [Version 3.9.4](https://github.com/Codeinwp/visualizer/compare/v3.9.3...v3.9.4) (2023-01-12)
 
 - Fixed the lock of PRO features bypass
diff --git a/classes/Visualizer/Module.php b/classes/Visualizer/Module.php
index ec746e12d..c338ee07d 100644
--- a/classes/Visualizer/Module.php
+++ b/classes/Visualizer/Module.php
@@ -270,7 +270,7 @@ private function _getCSV( $rows, $filename, $enclose ) {
 $bom = chr( 0xEF ) . chr( 0xBB ) . chr( 0xBF );
 // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
- $fp = @tmpfile();
+ $fp = function_exists( 'tmpfile' ) ? @tmpfile() : null;
 if ( null === $fp ) {
 $fp = fopen( wp_tempnam(), 'w+' );
 }
diff --git a/classes/Visualizer/Module/Admin.php b/classes/Visualizer/Module/Admin.php
index 9e606f717..e6b965b1f 100644
--- a/classes/Visualizer/Module/Admin.php
+++ b/classes/Visualizer/Module/Admin.php
@@ -883,7 +883,7 @@ private function getQuery() {
 $this->getDisplayFilters( $query_args );
 // Added by Ash/Upwork
- $filterByMeta = filter_input( INPUT_GET, 's', FILTER_SANITIZE_STRING );
+ $filterByMeta = ! empty( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 if ( $filterByMeta ) {
 $query = array(
 'key' => Visualizer_Plugin::CF_SETTINGS,
diff --git a/classes/Visualizer/Module/Frontend.php b/classes/Visualizer/Module/Frontend.php
index 412635a22..71be54932 100644
--- a/classes/Visualizer/Module/Frontend.php
+++ b/classes/Visualizer/Module/Frontend.php
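Review bot: `tmpfile()` reports failure with `false`, not `null`, so the `if ( null === $fp )` fallback on the next line is only reached when the function does not exist; a failing `@tmpfile()` call (its warning swallowed by the `@`) leaves `$fp === false` and execution continues with an unusable handle. Checking the handle type covers both cases: `if ( ! is_resource( $fp ) ) {`. The result of the `fopen( wp_tempnam(), 'w+' )` fallback is likewise never checked, so a failure there surfaces only at the first write. `_getCSV()` continues outside the hunk on both sides.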
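Review bot: The new `sanitize_text_field( wp_unslash( $_GET['s'] ) )` expression is repeated verbatim in `classes/Visualizer/Render/Library.php` (`_renderLibrary()`) in this same commit; reading the search term through one shared helper would keep both admin filters in step the next time the sanitization has to change. The code also relies on the fact that, in current WordPress releases, `sanitize_text_field()` returns `''` for an array argument (a `?s[]=` request), which the following `if ( $filterByMeta )` then treats as "no filter"; a one-line comment stating that reliance would help the next maintainer. `getQuery()` continues outside the hunk on both sides.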
@@ -305,6 +305,11 @@ public function renderChart( $atts ) {
 $atts
 );
+ $atts['id'] = (int) $atts['id'];
+ $atts['class'] = esc_attr( $atts['class'] );
+ $atts['lazy'] = esc_attr( $atts['lazy'] );
+ $atts['use_image'] = esc_attr( $atts['use_image'] );
+
 global $sitepress;
 if ( Visualizer_Module::is_pro() && ( function_exists( 'icl_get_languages' ) && $sitepress instanceof \SitePress ) ) {
 global $sitepress;
diff --git a/classes/Visualizer/Plugin.php b/classes/Visualizer/Plugin.php
index 581e191c5..782ecc386 100644
--- a/classes/Visualizer/Plugin.php
+++ b/classes/Visualizer/Plugin.php
@@ -28,7 +28,7 @@ class Visualizer_Plugin {
 const NAME = 'visualizer';
- const VERSION = '3.9.4';
+ const VERSION = '3.9.5';
 
 // custom post types
 const CPT_VISUALIZER = 'visualizer';
diff --git a/classes/Visualizer/Render/Library.php b/classes/Visualizer/Render/Library.php
index 7a3c90724..a83ded4f2 100644
--- a/classes/Visualizer/Render/Library.php
+++ b/classes/Visualizer/Render/Library.php
@@ -216,10 +216,7 @@ private function getDisplayForm() {
 */
 private function _renderLibrary() {
 // Added by Ash/Upwork
- $filterBy = null;
- if ( isset( $_GET['s'] ) && strlen( $_GET['s'] ) > 0 ) {
- $filterBy = filter_input( INPUT_GET, 's', FILTER_SANITIZE_STRING );
- }
+ $filterBy = ! empty( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 // Added by Ash/Upwork
 echo $this->custom_css;
 echo '
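Review bot: The four added lines escape shortcode attributes on entry to `renderChart()` rather than where they are printed, so the HTML-attribute escaping is now correct only if every later use of `$atts['class']`, `$atts['lazy']` and `$atts['use_image']` is an HTML attribute context; a value that is merely compared (e.g. against `'yes'`) is unaffected, but one that later lands in a JavaScript string or a URL would need a context-specific escaper instead. The input-side equivalent is validation — `sanitize_html_class()` per token for `class`, an allow-list for the two flag attributes — with `esc_attr()` kept at the echo site. Any further keys that the preceding `shortcode_atts()` call defaults to but that are not listed here bypass this step. `renderChart()` continues outside the hunk on both sides.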
';
diff --git a/classes/Visualizer/Source/Csv.php b/classes/Visualizer/Source/Csv.php
index 4798c73de..383839b7b 100644
--- a/classes/Visualizer/Source/Csv.php
+++ b/classes/Visualizer/Source/Csv.php
@@ -47,8 +47,8 @@ class Visualizer_Source_Csv extends Visualizer_Source {
 * @access public
 * @param string $filename The path to the file.
 */
- public function __construct( $filename = null ) {
- $this->_filename = trim( $filename );
+ public function __construct( $filename = '' ) {
+ $this->_filename = trim( (string) $filename );
 }
 
 /**
diff --git a/css/media.css b/css/media.css
index 6ae70efc0..f922fddcd 100644
--- a/css/media.css
+++ b/css/media.css
@@ -1,5 +1,5 @@
 /*
- Version: 3.9.4
+ Version: 3.9.5
 */
 #visualizer-library-view {
 padding: 30px 10px 10px 30px;
diff --git a/index.php b/index.php
index 3a56a5c39..ccf4a9653 100644
--- a/index.php
+++ b/index.php
@@ -3,7 +3,7 @@
 Plugin Name: Visualizer: Tables and Charts for WordPress
 Plugin URI: https://themeisle.com/plugins/visualizer-charts-and-graphs/
 Description: A simple, easy to use and quite powerful tool to create, manage and embed interactive charts into your WordPress posts and pages. The plugin uses Google Visualization API to render charts, which supports cross-browser compatibility (adopting VML for older IE versions) and cross-platform portability to iOS and new Android releases.
- Version: 3.9.4
+ Version: 3.9.5
 Author: Themeisle
 Author URI: http://themeisle.com
 Requires at least: 3.5
diff --git a/package.json b/package.json
index c0dff94a0..4c703eae8 100755
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "visualizer",
- "version": "3.9.4",
+ "version": "3.9.5",
 "description": "Visualizer Lite",
 "repository": {
 "type": "git",
diff --git a/readme.txt b/readme.txt
index ec0da8914..fab94b9e1 100755
--- a/readme.txt
+++ b/readme.txt
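Review bot: `! empty( $_GET['s'] )` treats the search term `0` as no search, whereas the removed `isset( $_GET['s'] ) && strlen( $_GET['s'] ) > 0` accepted it, so `$filterBy` is now `null` for that input; if the value feeds the library search box or its query, `isset( $_GET['s'] ) && '' !== $_GET['s']` keeps the previous behaviour while still avoiding the deprecated `FILTER_SANITIZE_STRING`. Probably harmless for a chart-title search, but it is a behaviour change the changelog does not mention. `_renderLibrary()` continues outside the hunk on both sides.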
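Review bot: The docblock directly above the constructor still reads `@param string $filename The path to the file.`, but the new `(string)` cast exists precisely so that callers passing `null` keep working; update it to `@param string|null $filename The path to the file; null is treated as an empty filename.` so the accepted input is documented. Note that the cast also turns an array argument into the string `Array` with a warning, where the old `trim( $filename )` would have thrown a TypeError on PHP 8 — a native `string` parameter type would be stricter, if the project's minimum PHP version allows it.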
@@ -163,6 +163,14 @@ Pay attention that to turn your shortcodes into graphs, your theme has to have `
 == Changelog ==
+##### [Version 3.9.5](https://github.com/Codeinwp/visualizer/compare/v3.9.4...v3.9.5) (2023-01-30)
+
+- Improved security by escaping shortcode attribute before render
+- Compatibility with PHP 8.2
+
+
+
+
 ##### [Version 3.9.4](https://github.com/Codeinwp/visualizer/compare/v3.9.3...v3.9.4) (2023-01-12)
 
 - Fixed the lock of PRO features bypass