diff --git a/includes/admin/core/class-admin-enqueue.php b/includes/admin/core/class-admin-enqueue.php index 104ebee6..133230e7 100644 --- a/includes/admin/core/class-admin-enqueue.php +++ b/includes/admin/core/class-admin-enqueue.php @@ -96,7 +96,8 @@ if ( ! class_exists( 'um\admin\core\Admin_Enqueue' ) ) { * */ function enqueue_cpt_scripts() { - if ( ( isset( $_GET['post_type'] ) && 'um_form' == $_GET['post_type'] ) || ( isset( $_GET['post'] ) && 'um_form' == get_post_type( $_GET['post'] ) ) ) { + if ( ( isset( $_GET['post_type'] ) && 'um_form' == sanitize_key( $_GET['post_type'] ) ) || + ( isset( $_GET['post'] ) && 'um_form' == get_post_type( absint( $_GET['post'] ) ) ) ) { $this->um_cpt_form_screen = true; add_action( 'admin_footer', array( $this, 'admin_footer_scripts' ), 20 ); } @@ -105,6 +106,9 @@ if ( ! class_exists( 'um\admin\core\Admin_Enqueue' ) ) { } + /** + * + */ function enqueue_frontend_preview_assets() { //scripts for FRONTEND PREVIEW if ( class_exists( 'WooCommerce' ) ) { @@ -293,7 +297,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Enqueue' ) ) { $hide_footer = false; global $pagenow, $post; if ( ( 'post.php' == $pagenow || 'post-new.php' == $pagenow ) && - ( ( isset( $_GET['post_type'] ) && 'um_form' == $_GET['post_type'] ) || + ( ( isset( $_GET['post_type'] ) && 'um_form' == sanitize_key( $_GET['post_type'] ) ) || ( isset( $post->post_type ) && 'um_form' == $post->post_type ) ) ) { $hide_footer = true; } diff --git a/includes/admin/core/class-admin-menu.php b/includes/admin/core/class-admin-menu.php index 482ce92e..0a98018e 100644 --- a/includes/admin/core/class-admin-menu.php +++ b/includes/admin/core/class-admin-menu.php @@ -191,7 +191,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Menu' ) ) { function um_roles_pages() { if ( empty( $_GET['tab'] ) ) { include_once um_path . 'includes/admin/core/list-tables/roles-list-table.php'; - } elseif ( $_GET['tab'] == 'add' || $_GET['tab'] == 'edit' ) { + } elseif ( sanitize_key( $_GET['tab'] ) == 'add' || sanitize_key( $_GET['tab'] ) == 'edit' ) { include_once um_path . 'includes/admin/templates/role/role-edit.php'; } else { um_js_redirect( add_query_arg( array( 'page' => 'um_roles' ), get_admin_url( 'admin.php' ) ) ); diff --git a/includes/admin/core/class-admin-metabox.php b/includes/admin/core/class-admin-metabox.php index a066b7f9..7e8d5297 100644 --- a/includes/admin/core/class-admin-metabox.php +++ b/includes/admin/core/class-admin-metabox.php @@ -55,7 +55,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) { */ function hide_metabox_restrict_content_shop( $hide ) { if ( function_exists( 'wc_get_page_id' ) && ! empty( $_GET['post'] ) && - $_GET['post'] == wc_get_page_id( 'shop' ) ) { + absint( $_GET['post'] ) == wc_get_page_id( 'shop' ) ) { return true; } @@ -838,7 +838,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) { ) ); - if ( ! isset( $_GET['id'] ) || 'administrator' != $_GET['id'] ) { + if ( ! isset( $_GET['id'] ) || 'administrator' != sanitize_key( $_GET['id'] ) ) { $roles_metaboxes[] = array( 'id' => 'um-admin-form-home', 'title' => __( 'Homepage Options', 'ultimate-member' ), @@ -925,11 +925,12 @@ if ( ! class_exists( 'um\admin\core\Admin_Metabox' ) ) { $wp_caps_metabox = false; if ( ! empty( $_GET['id'] ) ) { - $data = get_option( "um_role_{$_GET['id']}_meta" ); - if ( ! empty( $data['_um_is_custom'] ) ) + $data = get_option( 'um_role_' . sanitize_key( $_GET['id'] ) . '_meta' ); + if ( ! empty( $data['_um_is_custom'] ) ) { $wp_caps_metabox = true; + } } - if ( 'add' == $_GET['tab'] || $wp_caps_metabox ) { + if ( 'add' == sanitize_key( $_GET['tab'] ) || $wp_caps_metabox ) { $roles_metaboxes[] = array( 'id' => 'um-admin-form-wp-capabilities', 'title' => __( 'WP Capabilities', 'ultimate-member' ), diff --git a/includes/admin/core/class-admin-notices.php b/includes/admin/core/class-admin-notices.php index 996e6aa2..b0ebe136 100644 --- a/includes/admin/core/class-admin-notices.php +++ b/includes/admin/core/class-admin-notices.php @@ -578,8 +578,8 @@ if ( ! class_exists( 'um\admin\core\Admin_Notices' ) ) { 'message' => $message, ), 4 ); } else { - if ( isset( $_GET['msg'] ) && 'updated' == $_GET['msg'] ) { - if ( isset( $_GET['page'] ) && 'um_options' == $_GET['page'] ) { + if ( isset( $_GET['msg'] ) && 'updated' == sanitize_key( $_GET['msg'] ) ) { + if ( isset( $_GET['page'] ) && 'um_options' == sanitize_key( $_GET['page'] ) ) { $this->add_notice( 'settings_upgrade', array( 'class' => 'updated', 'message' => '
' . __( 'Settings successfully upgraded', 'ultimate-member' ) . '
', diff --git a/includes/admin/core/class-admin-settings.php b/includes/admin/core/class-admin-settings.php index 05d301ff..b3050f3c 100644 --- a/includes/admin/core/class-admin-settings.php +++ b/includes/admin/core/class-admin-settings.php @@ -1415,7 +1415,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Settings' ) ) { $current_tab = empty( $_GET['tab'] ) ? '' : urldecode( $_GET['tab'] ); $current_subtab = empty( $_GET['section'] ) ? '' : urldecode( $_GET['section'] ); - $settings_struct = $this->settings_structure[$current_tab]; + $settings_struct = $this->settings_structure[ $current_tab ]; //remove not option hidden fields if ( ! empty( $settings_struct['fields'] ) ) { diff --git a/includes/admin/core/list-tables/emails-list-table.php b/includes/admin/core/list-tables/emails-list-table.php index c5ace34e..087a31c2 100644 --- a/includes/admin/core/list-tables/emails-list-table.php +++ b/includes/admin/core/list-tables/emails-list-table.php @@ -1,19 +1,19 @@ -wpc_set_pagination_args( array( 'total_items' => count( $emails ), ' - - - display(); ?> + display(); ?> \ No newline at end of file diff --git a/includes/admin/core/list-tables/roles-list-table.php b/includes/admin/core/list-tables/roles-list-table.php index c5b87d18..58170b62 100644 --- a/includes/admin/core/list-tables/roles-list-table.php +++ b/includes/admin/core/list-tables/roles-list-table.php @@ -3,7 +3,7 @@ global $wpdb; if ( isset( $_REQUEST['_wp_http_referer'] ) ) { - $redirect = remove_query_arg(array('_wp_http_referer' ), wp_unslash( $_REQUEST['_wp_http_referer'] ) ); + $redirect = remove_query_arg( array( '_wp_http_referer' ), wp_unslash( $_REQUEST['_wp_http_referer'] ) ); } else { $redirect = get_admin_url(). 'admin.php?page=um_roles'; } @@ -11,7 +11,7 @@ if ( isset( $_REQUEST['_wp_http_referer'] ) ) { global $wp_roles; if ( isset( $_GET['action'] ) ) { - switch ( $_GET['action'] ) { + switch ( sanitize_key( $_GET['action'] ) ) { /* delete action */ case 'delete': { $role_keys = array(); @@ -117,7 +117,7 @@ if ( ! empty( $_GET['_wp_http_referer'] ) ) { } $order_by = 'name'; -$order = ( isset( $_GET['order'] ) && 'asc' == strtolower( $_GET['order'] ) ) ? 'ASC' : 'DESC'; +$order = ( isset( $_GET['order'] ) && 'asc' == strtolower( sanitize_key( $_GET['order'] ) ) ) ? 'ASC' : 'DESC'; if ( ! class_exists( 'WP_List_Table' ) ) { require_once( ABSPATH . 'wp-admin/includes/class-wp-list-table.php' ); @@ -487,7 +487,7 @@ $ListTable->um_set_pagination_args( array( 'total_items' => count( $roles ), 'pe' . __( 'User Role Deleted Successfully.', 'ultimate-member' ) . '
'; break; diff --git a/includes/admin/templates/directory/profile.php b/includes/admin/templates/directory/profile.php index 9cfbddf1..c2bffda0 100644 --- a/includes/admin/templates/directory/profile.php +++ b/includes/admin/templates/directory/profile.php @@ -5,7 +5,7 @@ builtin()->all_user_fields() as $key => $arr ) { - $user_fields[$key] = isset( $arr['title'] ) ? $arr['title'] : ''; + $user_fields[ $key ] = isset( $arr['title'] ) ? $arr['title'] : ''; } $post_id = get_the_ID(); diff --git a/includes/admin/templates/role/role-edit.php b/includes/admin/templates/role/role-edit.php index adfad4a0..c451303f 100644 --- a/includes/admin/templates/role/role-edit.php +++ b/includes/admin/templates/role/role-edit.php @@ -47,10 +47,13 @@ $option = array(); global $wp_roles; if ( ! empty( $_GET['id'] ) ) { - $data = get_option( "um_role_{$_GET['id']}_meta" ); + + $role_id = sanitize_key( $_GET['id'] ); + + $data = get_option( "um_role_{$role_id}_meta" ); if ( empty( $data['_um_is_custom'] ) ) { - $data['name'] = $wp_roles->roles[ $_GET['id'] ]['name']; + $data['name'] = $wp_roles->roles[ $role_id ]['name']; } } @@ -61,7 +64,7 @@ if ( ! empty( $_POST['role'] ) ) { $redirect = ''; $error = ''; - if ( 'add' == $_GET['tab'] ) { + if ( 'add' == sanitize_key( $_GET['tab'] ) ) { if ( ! wp_verify_nonce( $_POST['um_nonce'], 'um-add-role' ) ) { $error = __( 'Security Issue', 'ultimate-member' ) . '