Merge pull request #60 from xylusthemes/Enhanced_plugin_security

Enhanced the plugin security by addressing Cross-Site Scripting (XSS)
xylusthemes · Sep 25, 2024 · 8ce5094 · 8ce5094
2 parents 102f5df + a8867c5
commit 8ce5094
Show file tree

Hide file tree

Showing 18 changed files with 409 additions and 375 deletions.
diff --git a/includes/admin/admin-pages.php b/includes/admin/admin-pages.php
@@ -50,7 +50,7 @@ function wpbd_add_menu_pages(){
 function get_selected_tab_submenu( $submenu_file ){
 	if( !empty( $_GET['page'] ) && sanitize_text_field( wp_unslash( $_GET['page'] ) ) == 'delete_all_actions' ){
 		$allowed_tabs = array( 'by_posts', 'by_comments', 'by_users', 'by_terms', 'by_cleanup', 'by_support_help', 'by_schedule-delete', 'by_schedule-delete-history', 'wpbdpro-license' );
-		$tab = isset( $_GET['tab'] ) ? sanitize_text_field( $_GET['tab'] ) : 'by_cleanup';
+		$tab = isset( $_GET['tab'] ) ? sanitize_text_field( wp_unslash( $_GET['tab'] ) ) : 'by_cleanup';
 
 		if( $tab == 'by_schedule-delete-history' ){
 			$tab = 'by_schedule-delete';

diff --git a/includes/admin/comments/display-delete-comments.php b/includes/admin/comments/display-delete-comments.php
@@ -36,7 +36,7 @@ function wpbd_delete_comments_page(){
 								</div>
 							</div>
 							<?php
-							echo wp_nonce_field('delete_comments_nonce', '_delete_comments_wpnonce' );
+							esc_attr__( wp_nonce_field('delete_comments_nonce', '_delete_comments_wpnonce' ) );
 							?>
 
 							<p class="submit">

diff --git a/includes/admin/posts/display-delete-posts.php b/includes/admin/posts/display-delete-posts.php
@@ -23,7 +23,7 @@
 function wpbd_delete_posts_page(){
 	global $wpdb;
 	// Set Default Tab to Posts
-	$active_tab = isset( $_GET[ 'tab' ] ) ? $_GET[ 'tab' ] : 'by_posts';
+	$active_tab = isset( $_GET['tab'] ) ? sanitize_text_field( wp_unslash( $_GET['tab'] ) )  : 'by_posts';
 	$gettab     = str_replace( 'by_', '', $active_tab );
 	$gettab     = ucwords( str_replace( '_', ' & ', $gettab ) );
 	if( $active_tab == 'by_schedule-delete' ){
@@ -39,15 +39,15 @@ function wpbd_delete_posts_page(){
 		$page_title = "Delete " . $gettab;
 	}
 	$posts_header_result = wpdb_render_common_header( $page_title );
-	echo $posts_header_result;
+	echo esc_attr_e( $posts_header_result );
 	?>
 
 	<div class="wpbd-container" style="margin-top: 60px;">
 		<div class="wpbd-wrap" >
 			<div id="poststuff">
 				<div id="post-body" class="metabox-holder columns-2">
 					<div class="notice notice-warning">
-						<p><strong><?php _e( 'WARNING: Before you delete any data, please take a backup; and the deletion operation is irreversible. Please use it with caution!', 'wp-bulk-delete' ); ?></strong></p>
+						<p><strong><?php esc_html_e( 'WARNING: Before you delete any data, please take a backup; and the deletion operation is irreversible. Please use it with caution!', 'wp-bulk-delete' ); ?></strong></p>
 					</div>
 					<?php 
 						do_action( 'timeout_memory_is_enough'); 
@@ -81,9 +81,6 @@ function wpbd_delete_posts_page(){
 											<a href="?page=delete_all_actions&tab=by_users" class="var-tab <?php echo $active_tab == 'by_users' ? 'var-tab--active' : 'var-tab--inactive'; ?>">
 												<span class="tab-label"><?php esc_attr_e( 'Delete Users', 'wp-bulk-delete' ); ?></span>
 											</a>
-											<!-- <a href="?page=delete_all_actions&tab=by_meta_fields" class="var-tab <?php //echo $active_tab == 'by_meta_fields' ? 'var-tab--active' : 'var-tab--inactive'; ?>">
-												<span class="tab-label"><?php //esc_attr_e( 'Delete Meta Fields', 'wp-bulk-delete' ); ?></span>
-											</a> -->
 											<a href="?page=delete_all_actions&tab=by_terms" class="var-tab <?php echo $active_tab == 'by_terms' ? 'var-tab--active' : 'var-tab--inactive'; ?>">
 												<span class="tab-label"><?php esc_attr_e( 'Delete Category', 'wp-bulk-delete' ); ?></span>
 											</a>
@@ -145,7 +142,7 @@ function wpbd_delete_posts_page(){
 																</div>
 															</div>
 															<div class="wpbd-blur-filter-cta" style="top: 40px;" >
-																<span style="color: red"><?php echo _e( 'Available in Pro version.', 'wp-bulk-delete' ); ?>  </span><a href="<?php echo esc_url( WPBD_PLUGIN_BUY_NOW_URL ); ?>"><?php echo _e( 'Buy Now', 'wp-bulk-delete' ); ?></a>
+																<span style="color: red"><?php echo esc_html_e( 'Available in Pro version.', 'wp-bulk-delete' ); ?>  </span><a href="<?php echo esc_url( WPBD_PLUGIN_BUY_NOW_URL ); ?>"><?php echo esc_html_e( 'Buy Now', 'wp-bulk-delete' ); ?></a>
 															</div>
 														</div>
 													</div>
@@ -171,5 +168,5 @@ function wpbd_delete_posts_page(){
 	</div>
 	<?php
 	$posts_footer_result = wpdb_render_common_footer();
-	echo $posts_footer_result;
+	echo esc_attr_e( $posts_footer_result );
 }
diff --git a/includes/admin/posts/wp-bulk-delete-posts.php b/includes/admin/posts/wp-bulk-delete-posts.php
@@ -11,7 +11,7 @@
 // Exit if accessed directly
 if ( ! defined( 'ABSPATH' ) ) exit;
 
-$post_by_tab = isset( $_GET[ 'tab' ] ) ? $_GET[ 'tab' ] : 'by_posts';
+$post_by_tab = isset( $_GET['tab'] ) ? sanitize_text_field( wp_unslash( $_GET['tab'] ) ) : 'by_posts';
 ?>
 <form method="post" id="delete_posts_form">
     <div class="form-table">

diff --git a/includes/admin/support-page.php b/includes/admin/support-page.php
@@ -86,7 +86,7 @@ function wpbd_render_support_page(){
                             $plugin_list = wpbulkdelete()->api->get_xyuls_themes_plugins();
                         ?>
                         <div class="" style="margin-top: 20px;">
-                            <h3 class="setting_bar"><?php _e( 'Plugins you should try','wp-bulk-delete' ); ?></h3>
+                            <h3 class="setting_bar"><?php esc_html_e( 'Plugins you should try','wp-bulk-delete' ); ?></h3>
                             <div class="wpbd-about-us-plugins">
                                 <!-- <div class="wpbd-row"> -->
                                 <div class="wpbd-support-features2">
@@ -126,19 +126,19 @@ function wpbd_render_support_page(){
                                                 <div class="wpbd-support-features-card2 wpbd-plugin">
                                                     <div class="wpbd-plugin-main">
                                                         <div>
-                                                            <img alt="<?php _e( $plugin_slug . ' Image', 'wp-bulk-delete' ); ?>" src="<?php echo esc_url( $plugin_icon ); ?>">
+                                                            <img alt="<?php esc_html_e( $plugin_slug . ' Image', 'wp-bulk-delete' ); ?>" src="<?php echo esc_url( $plugin_icon ); ?>">
                                                         </div>
                                                         <div>
-                                                            <div class="wpbd-main-name"><?php _e( $plugin_slug, 'wp-bulk-delete' ); ?></div>
-                                                            <div><?php _e( $plugin_description, 'wp-bulk-delete' ); ?></div>
+                                                            <div class="wpbd-main-name"><?php esc_html_e( $plugin_slug, 'wp-bulk-delete' ); ?></div>
+                                                            <div><?php esc_html_e( $plugin_description, 'wp-bulk-delete' ); ?></div>
                                                         </div>
                                                     </div>
                                                     <div class="wpbd-plugin-footer">
                                                         <div class="wpbd-footer-status">
-                                                            <div class="wpbd-footer-status-label"><?php _e( 'Status : ', 'wp-bulk-delete' ); ?></div>
-                                                            <div class="wpbd-footer-status wpbd-footer-status-<?php echo strtolower(str_replace(' ', '-', $status_text)); ?>">
+                                                            <div class="wpbd-footer-status-label"><?php esc_html_e( 'Status : ', 'wp-bulk-delete' ); ?></div>
+                                                            <div class="wpbd-footer-status wpbd-footer-status-<?php echo esc_attr__( strtolower(str_replace(' ', '-', $status_text) ) ); ?>">
                                                                 <span <?php echo ( $status_text == 'Active' ) ? 'style="color:green;"' : ''; ?>>
-                                                                    <?php echo $status_text; ?>
+                                                                    <?php echo esc_attr__( $status_text ); ?>
                                                                 </span>
                                                             </div>
                                                         </div>

diff --git a/includes/admin/terms/display-delete-terms.php b/includes/admin/terms/display-delete-terms.php
@@ -34,7 +34,7 @@ function wpbd_delete_terms_page(){
 								</div>
 							</div>
 							<?php
-								echo wp_nonce_field('delete_terms_nonce', '_delete_terms_wpnonce' );
+								esc_attr__( wp_nonce_field('delete_terms_nonce', '_delete_terms_wpnonce' ) );
 							?>
 							<p class="submit">
 								<input name="delete_terms_submit" id="delete_terms_submit" class="wpbd_button" value="<?php esc_html_e('Delete Terms', 'wp-bulk-delete');?>" type="button">

diff --git a/includes/admin/users/display-delete-users.php b/includes/admin/users/display-delete-users.php
@@ -35,7 +35,7 @@ function wpbd_delete_users_page(){
 										<div class="text" >
 											<div class="header-icon" ></div>
 											<div class="header-title" >
-												<span><?php _e('Users Filter ','wp-bulk-delete'); ?></span>
+												<span><?php esc_html_e('Users Filter ','wp-bulk-delete'); ?></span>
 											</div>
 											<div class="header-extra" ></div>
 										</div>
@@ -56,7 +56,7 @@ function wpbd_delete_users_page(){
 										<div class="text" >
 											<div class="header-icon" ></div>
 											<div class="header-title" >
-												<span><?php _e('Date Filter ','wp-bulk-delete'); ?></span>
+												<span><?php esc_html_e('Date Filter ','wp-bulk-delete'); ?></span>
 											</div>
 											<div class="header-extra" ></div>
 										</div>
@@ -77,7 +77,7 @@ function wpbd_delete_users_page(){
 										<div class="text" >
 											<div class="header-icon" ></div>
 											<div class="header-title" >
-												<span><?php _e('Advance Users Filter ','wp-bulk-delete'); if( !wpbd_is_pro() ){ echo '<div class="wpbd-pro-badge"> PRO </div>'; } ?></span>
+												<span><?php esc_html_e('Advance Users Filter ','wp-bulk-delete'); if( !wpbd_is_pro() ){ echo '<div class="wpbd-pro-badge"> PRO </div>'; } ?></span>
 											</div>
 											<div class="header-extra" ></div>
 										</div>
@@ -100,7 +100,7 @@ function wpbd_delete_users_page(){
 														</div>
 													</div>
 													<div class="wpbd-blur-filter-cta" >
-													<span style="color: red"><?php echo _e( 'Available in Pro version.', 'wp-bulk-delete' ); ?>  </span><a href="<?php echo esc_url(WPBD_PLUGIN_BUY_NOW_URL); ?>"><?php echo _e( 'Buy Now', 'wp-bulk-delete' ); ?></a>
+													<span style="color: red"><?php echo esc_html_e( 'Available in Pro version.', 'wp-bulk-delete' ); ?>  </span><a href="<?php echo esc_url(WPBD_PLUGIN_BUY_NOW_URL); ?>"><?php echo esc_html_e( 'Buy Now', 'wp-bulk-delete' ); ?></a>
 													</div>
 												</div>
 												<?php
@@ -118,7 +118,7 @@ function wpbd_delete_users_page(){
 											<div class="header-title" >
 												<span>
 													<?php 
-														_e('WooCommerce Filter ','wp-bulk-delete'); 
+														esc_html_e('WooCommerce Filter ','wp-bulk-delete'); 
 														if( !wpbd_is_pro() ){ echo '<div class="wpbd-pro-badge"> PRO </div>'; } 
 														echo wp_kses_post( check_wc_is_activated() );
 													?>
@@ -144,7 +144,7 @@ function wpbd_delete_users_page(){
 														</div>
 													</div>
 													<div class="wpbd-blur-filter-cta" >
-													<span style="color: red"><?php echo _e( 'Available in Pro version.', 'wp-bulk-delete' ); ?>  </span><a href="<?php echo esc_url(WPBD_PLUGIN_BUY_NOW_URL); ?>"><?php echo _e( 'Buy Now', 'wp-bulk-delete' ); ?></a>
+													<span style="color: red"><?php echo esc_html_e( 'Available in Pro version.', 'wp-bulk-delete' ); ?>  </span><a href="<?php echo esc_url(WPBD_PLUGIN_BUY_NOW_URL); ?>"><?php echo esc_html_e( 'Buy Now', 'wp-bulk-delete' ); ?></a>
 													</div>
 												</div>
 												<?php
@@ -160,7 +160,7 @@ function wpbd_delete_users_page(){
 										<div class="text" >
 											<div class="header-icon" ></div>
 											<div class="header-title" >
-												<span><?php _e('Action ','wp-bulk-delete'); ?></span>
+												<span><?php esc_html_e('Action ','wp-bulk-delete'); ?></span>
 											</div>
 											<div class="header-extra" ></div>
 										</div>
@@ -179,7 +179,7 @@ function wpbd_delete_users_page(){
 
 							</div>
 							<?php
-							echo wp_nonce_field('delete_users_nonce', '_delete_users_wpnonce' );
+							esc_attr__( wp_nonce_field('delete_users_nonce', '_delete_users_wpnonce' ) );
 							?>
 							<p class="submit">
 								<input type="hidden" name="action" value="wpbd_delete_post">

diff --git a/includes/ajax-functions.php b/includes/ajax-functions.php
@@ -83,7 +83,7 @@ function wpbd_render_taxonomy_by_posttype() {
 	if( ! empty( $taxonomies ) ){
 		foreach ($taxonomies as $slug => $name ) {
 			?>
-			<input type="radio" name="post_taxonomy" value="<?php echo $slug;?>" class="post_taxonomy_radio" title="<?php echo $name; ?>"><?php echo $name; ?> <br />
+			<input type="radio" name="post_taxonomy" value="<?php echo esc_attr__( $slug ); ?>" class="post_taxonomy_radio" title="<?php echo esc_attr__( $name ); ?>"><?php echo esc_attr__( $name ); ?> <br />
 			<?php	
 		}		
 	}
@@ -113,7 +113,7 @@ function wpbd_render_terms_by_taxonomy() {
 			<?php
 			foreach ($terms as $term ) {
 				?>
-				<option value="<?php echo $term->term_id ?>"><?php echo $term->name; ?></option>
+				<option value="<?php echo esc_attr__( $term->term_id ); ?>"><?php echo esc_attr__( $term->name ); ?></option>
 				<?php	
 			} ?>
 		</select>
@@ -412,7 +412,7 @@ function wpbd_render_postdropdown_by_posttype() {
 			<?php
 			foreach ($posts as $post ) {
 				?>
-				<option value="<?php echo $post->ID; ?>"><?php echo $post->post_title; ?></option>
+				<option value="<?php echo esc_attr__( $post->ID ); ?>"><?php echo esc_attr__( $post->post_title ); ?></option>
 				<?php	
 			} ?>
 		</select>
-Original file line number
+Diff line change
@@ Expand Up / @@ -36,7 +36,7 @@ function wpbd_delete_comments_page(){ @@
     								</div>
     							</div>
     							<?php
-    							echo wp_nonce_field('delete_comments_nonce', '_delete_comments_wpnonce' );
+    							esc_attr__( wp_nonce_field('delete_comments_nonce', '_delete_comments_wpnonce' ) );
     							?>
     							<p class="submit">
@@ Expand Down @@