Merge pull request #177 from xylusthemes/enhance_xss_protection

Enhanced XSS Protection

Author: support-xylusthemes

includes/class-wp-event-aggregator-admin.php

@@ -393,7 +393,7 @@ function render_dashboard_widget( $posts = 10 ) {
 	 * @return void
 	 */
 	public function add_event_aggregator_credit( $footer_text ){
-		$page = isset( $_GET['page'] ) ? sanitize_text_field( $_GET['page'] ) : '';
+		$page = isset( $_GET['page'] ) ? esc_attr( sanitize_text_field( $_GET['page'] ) ) : '';
 		if ( $page != '' && $page == 'import_events' ) {
 			$rate_url = 'https://wordpress.org/support/plugin/wp-event-aggregator/reviews/?rate=5#new-post';
 
@@ -470,9 +470,9 @@ public function get_wporg_plugin( $slug ){
 	 * @return void
 	 */
 	public function get_selected_tab_submenu( $submenu_file ){
-		if( !empty( $_GET['page'] ) && sanitize_text_field( wp_unslash( $_GET['page'] ) ) == 'import_events' ){
+		if( !empty( $_GET['page'] ) && esc_attr( sanitize_text_field( wp_unslash( $_GET['page'] ) ) ) == 'import_events' ){
 			$allowed_tabs = array( 'eventbrite', 'meetup', 'facebook', 'ical', 'scheduled', 'history', 'settings', 'shortcodes', 'support' );
-			$tab = isset( $_GET['tab'] ) ? sanitize_text_field( $_GET['tab'] ) : 'eventbrite';
+			$tab = isset( $_GET['tab'] ) ? esc_attr( sanitize_text_field( $_GET['tab'] ) ) : 'eventbrite';
 			if( in_array( $tab, $allowed_tabs ) ){
 				$submenu_file = admin_url( 'admin.php?page=import_events&tab='.$tab );
 			}

includes/class-wp-event-aggregator-list-table.php

@@ -57,7 +57,7 @@ function column_default( $item, $column_name ) {
 	function column_title( $item ) {
 		global $importevents;
 		$wpea_url_delete_args = array(
-			'page'   => sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ),
+			'page'   => esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ) ),
 			'wpea_action' => 'wpea_simport_delete',
 			'import_id'  => absint( $item['ID'] ),
 		);
@@ -118,7 +118,7 @@ function column_title( $item ) {
 	function column_action( $item ) {
 
 		$xtmi_run_import_args = array(
-			'page'   => sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ),
+			'page'   => esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ) ),
 			'wpea_action' => 'wpea_run_import',
 			'import_id'  => $item['ID'],
 		);
@@ -441,8 +441,8 @@ function column_default( $item, $column_name ) {
 	function column_title( $item ) {
 
 		$wpea_url_delete_args = array(
-			'page'   => sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ),
-			'tab'   => sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ),
+			'page'   => esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ) ),
+			'tab'    => esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) ),
 			'wpea_action' => 'wpea_history_delete',
 			'history_id'  => absint( $item['ID'] ),
 		);
@@ -574,8 +574,8 @@ public function extra_tablenav( $which ) {
 			return;
 		}	
 		$wpea_url_all_delete_args = array(
-			'page'       => wp_unslash( $_REQUEST['page'] ),
-			'tab'        => wp_unslash( $_REQUEST['tab'] ),
+			'page'       => esc_attr( wp_unslash( $_REQUEST['page'] ) ),
+			'tab'        => esc_attr( wp_unslash( $_REQUEST['tab'] ) ),
 			'wpea_action' => 'wpea_all_history_delete',
 		);
 

includes/class-wp-event-aggregator-manage-import.php

@@ -117,8 +117,8 @@ public function handle_listtable_oprations() {
 		global $wpea_success_msg;
 		if ( isset( $_GET['wpea_action'] ) && $_GET['wpea_action'] == 'wpea_simport_delete' && isset($_GET['_wpnonce']) && wp_verify_nonce($_GET['_wpnonce'], 'wpea_delete_import_nonce') ) {
 			$import_id = $_GET['import_id'];
-			$page = isset($_GET['page'] ) ? sanitize_text_field( wp_unslash( $_GET['page'] ) ) : 'import_events';
-			$tab = isset($_GET['tab'] ) ? sanitize_text_field( wp_unslash( $_GET['tab'] ) ) : 'scheduled';
+			$page = isset($_GET['page'] ) ? esc_attr( sanitize_text_field( wp_unslash( $_GET['page'] ) ) ) : 'import_events';
+			$tab = isset($_GET['tab'] ) ? esc_attr( sanitize_text_field( wp_unslash( $_GET['tab'] ) ) ) : 'scheduled';
 			$wp_redirect = admin_url( 'admin.php?page='.$page );
 			if ( $import_id > 0 ) {
 				$post_type = get_post_type( $import_id );
@@ -133,8 +133,8 @@ public function handle_listtable_oprations() {
 
 		if ( isset( $_GET['wpea_action'] ) && $_GET['wpea_action'] == 'wpea_history_delete' && isset($_GET['_wpnonce']) && wp_verify_nonce($_GET['_wpnonce'], 'wpea_delete_history_nonce' ) ) {
 			$history_id = (int)sanitize_text_field( wp_unslash( $_GET['history_id'] ) );
-			$page = isset($_GET['page'] ) ? sanitize_text_field( wp_unslash( $_GET['page'] ) ) : 'import_events';
-			$tab = isset($_GET['tab'] ) ? sanitize_text_field( wp_unslash( $_GET['tab'] ) ) : 'history';
+			$page = isset($_GET['page'] ) ? esc_attr( sanitize_text_field( wp_unslash( $_GET['page'] ) ) ) : 'import_events';
+			$tab = isset($_GET['tab'] ) ? esc_attr( sanitize_text_field( wp_unslash( $_GET['tab'] ) ) ) : 'history';
 			$wp_redirect = admin_url( 'admin.php?page='.$page );
 			if ( $history_id > 0 ) {
 				wp_delete_post( $history_id, true );
@@ -146,8 +146,8 @@ public function handle_listtable_oprations() {
 
 		if ( isset( $_GET['wpea_action'] ) && $_GET['wpea_action'] == 'wpea_run_import' && isset($_GET['_wpnonce']) && wp_verify_nonce($_GET['_wpnonce'], 'wpea_run_import_nonce') ) {
 			$import_id = (int)$_GET['import_id'];
-			$page = isset($_GET['page'] ) ? sanitize_text_field( wp_unslash( $_GET['page'] ) ) : 'import_events';
-			$tab = isset($_GET['tab'] ) ? sanitize_text_field( wp_unslash( $_GET['tab'] ) ) : 'scheduled';
+			$page = isset($_GET['page'] ) ? esc_attr( sanitize_text_field( wp_unslash( $_GET['page'] ) ) ) : 'import_events';
+			$tab = isset($_GET['tab'] ) ? esc_attr( sanitize_text_field( wp_unslash( $_GET['tab'] ) ) ) : 'scheduled';
 			$wp_redirect = admin_url( 'admin.php?page='.$page );
 			if ( $import_id > 0 ) {
 				do_action( 'xt_run_scheduled_import', $import_id );
@@ -160,7 +160,7 @@ public function handle_listtable_oprations() {
 		$is_bulk_delete = ( ( isset( $_GET['action'] ) && sanitize_text_field( wp_unslash( $_GET['action'] ) ) == 'delete' ) || ( isset( $_GET['action2'] ) && sanitize_text_field( wp_unslash( $_GET['action2'] ) ) == 'delete' ) );
 
 		if ( $is_bulk_delete && isset($_GET['_wpnonce']) && wp_verify_nonce($_GET['_wpnonce'], 'bulk-xt_scheduled_imports') ) {
-			$tab = isset($_GET['tab'] ) ? sanitize_text_field( wp_unslash( $_GET['tab'] ) ) : 'scheduled';
+			$tab = isset($_GET['tab'] ) ? esc_attr( sanitize_text_field( wp_unslash( $_GET['tab'] ) ) ) : 'scheduled';
 			$wp_redirect = get_site_url() . urldecode( sanitize_text_field( $_REQUEST['_wp_http_referer'] ) );
         	$delete_ids = array_map( 'sanitize_text_field', $_REQUEST['xt_scheduled_import'] );
         	if( !empty( $delete_ids ) ){
@@ -178,7 +178,7 @@ public function handle_listtable_oprations() {
 		}
 
 		if ( $is_bulk_delete && isset($_GET['_wpnonce']) && wp_verify_nonce($_GET['_wpnonce'], 'bulk-import_histories') ) {
-			$tab = isset($_GET['tab'] ) ? sanitize_text_field( wp_unslash( $_GET['tab'] ) ) : 'history';
+			$tab = isset( $_GET['tab'] ) ? esc_attr( sanitize_text_field( wp_unslash( $_GET['tab'] ) ) ) : 'history';
 			$wp_redirect = get_site_url() . urldecode( sanitize_text_field( $_REQUEST['_wp_http_referer'] ) );        	$delete_ids = array_map( 'sanitize_text_field', $_REQUEST['import_history'] );
         	if( !empty( $delete_ids ) ){
         		foreach ($delete_ids as $delete_id ) {
@@ -192,8 +192,8 @@ public function handle_listtable_oprations() {
 
 		// Delete All History Data 
 		if ( isset( $_GET['wpea_action'] ) && $_GET['wpea_action'] === 'wpea_all_history_delete' && isset( $_GET['_wpnonce'] ) && wp_verify_nonce( $_GET['_wpnonce'], 'wpea_delete_all_history_nonce' ) ) {
-			$page        = isset( $_GET['page'] ) ? $_GET['page'] : 'import_events';
-			$tab         = isset( $_GET['tab'] ) ? $_GET['tab'] : 'history';
+			$page        = isset( $_GET['page'] ) ? esc_attr( sanitize_text_field( wp_unslash( $_GET['page'] ) ) ) : 'import_events';
+			$tab         = isset( $_GET['tab'] ) ? esc_attr( sanitize_text_field( wp_unslash( $_GET['tab'] ) ) ) : 'history';
 			$wp_redirect = admin_url( 'admin.php?page=' . $page );
 			$delete_ids  = get_posts( array( 'numberposts' => -1,'fields' => 'ids', 'post_type' => 'wpea_import_history' ) );
 

languages/wp-event-aggregator.pot

@@ -9,7 +9,7 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2025-01-09T07:03:50+00:00\n"
+"POT-Creation-Date: 2025-01-09T07:05:13+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.11.0\n"
 "X-Domain: wp-event-aggregator\n"

templates/admin/eventbrite-import-events.php

@@ -110,9 +110,9 @@
 			<?php } elseif( $ntab == 'scheduled_import' ){
 				?>
 				<form id="scheduled-import" method="get">
-				<input type="hidden" name="page" value="<?php echo sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ); ?>" />
-				<input type="hidden" name="tab" value="<?php echo $tab = isset($_REQUEST['tab'])? sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) : 'eventbrite' ?>" />
-				<input type="hidden" name="ntab" value="<?php echo sanitize_text_field( wp_unslash( $_REQUEST['ntab'] ) ); ?>" />
+				<input type="hidden" name="page" value="<?php echo esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ) ); ?>" />
+				<input type="hidden" name="tab" value="<?php echo $tab = isset($_REQUEST['tab'])? esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) ) : 'eventbrite' ?>" />
+				<input type="hidden" name="ntab" value="<?php echo esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['ntab'] ) ) ); ?>" />
 				<?php
 				if( wpea_is_pro() ){
 					$listtable = new WP_Event_Aggregator_List_Table();

templates/admin/facebook-import-events.php

@@ -120,9 +120,9 @@
 			<?php } elseif( $ntab == 'scheduled_import' ){
 				?>
 				<form id="scheduled-import" method="get">
-				<input type="hidden" name="page" value="<?php echo sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ); ?>" />
-				<input type="hidden" name="tab" value="<?php echo $tab = isset($_REQUEST['tab'])? sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) : 'eventbrite' ?>" />
-				<input type="hidden" name="ntab" value="<?php echo sanitize_text_field( wp_unslash( $_REQUEST['ntab'] ) ); ?>" />
+				<input type="hidden" name="page" value="<?php echo esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ) ); ?>" />
+				<input type="hidden" name="tab" value="<?php echo $tab = isset($_REQUEST['tab'])? esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) ) : 'eventbrite' ?>" />
+				<input type="hidden" name="ntab" value="<?php echo esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['ntab'] ) ) ); ?>" />
 				<?php
 				if( wpea_is_pro() ){
 					$listtable = new WP_Event_Aggregator_List_Table();

templates/admin/ical-import-events.php

@@ -113,9 +113,9 @@
 			<?php } elseif( $ntab == 'scheduled_import' ){
 				?>
 				<form id="scheduled-import" method="get">
-				<input type="hidden" name="page" value="<?php echo sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ); ?>" />
-				<input type="hidden" name="tab" value="<?php echo $tab = isset($_REQUEST['tab'])? sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) : 'ical' ?>" />
-				<input type="hidden" name="ntab" value="<?php echo sanitize_text_field( wp_unslash( $_REQUEST['ntab'] ) ); ?>" />
+				<input type="hidden" name="page" value="<?php echo esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ) ); ?>" />
+				<input type="hidden" name="tab" value="<?php echo $tab = isset($_REQUEST['tab'])? esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) ) : 'ical' ?>" />
+				<input type="hidden" name="ntab" value="<?php echo esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['ntab'] ) ) ); ?>" />
 				<?php 
 				if( wpea_is_pro() ){
 					$listtable = new WP_Event_Aggregator_List_Table();

templates/admin/meetup-import-events.php

@@ -102,9 +102,9 @@
 			<?php } elseif( $ntab == 'scheduled_import' ){
 				?>
 				<form id="scheduled-import" method="get">
-				<input type="hidden" name="page" value="<?php echo sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ); ?>" />
-				<input type="hidden" name="tab" value="<?php echo $tab = isset($_REQUEST['tab'])? sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) : 'eventbrite' ?>" />
-				<input type="hidden" name="ntab" value="<?php echo sanitize_text_field( wp_unslash( $_REQUEST['ntab'] ) ); ?>" />
+				<input type="hidden" name="page" value="<?php echo esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ) ); ?>" />
+				<input type="hidden" name="tab" value="<?php echo $tab = isset($_REQUEST['tab'])? esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) ) : 'eventbrite' ?>" />
+				<input type="hidden" name="ntab" value="<?php echo esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['ntab'] ) ) ); ?>" />
 				<?php 
 				if( wpea_is_pro() ){
 					$listtable = new WP_Event_Aggregator_List_Table();

templates/admin/wp-event-aggregator-history.php

@@ -11,8 +11,8 @@
     <div class="wpea_row">
         <div class="">
 			<form id="import-history" method="get">
-				<input type="hidden" name="page" value="<?php echo sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ); ?>" />
-				<input type="hidden" name="tab" value="<?php echo $tab = isset($_REQUEST['tab'])? sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) : 'history' ?>" />
+				<input type="hidden" name="page" value="<?php echo esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ) ); ?>" />
+				<input type="hidden" name="tab" value="<?php echo $tab = isset($_REQUEST['tab'])? esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) ) : 'history' ?>" />
 				<input type="hidden" name="ntab" value="" />
         		<?php
 				$listtable->display();