security issue fixed

delower186 · Feb 12, 2024 · 23915ac · 23915ac
1 parent acb67ad
commit 23915ac
Show file tree

Hide file tree

Showing 63 changed files with 36,383 additions and 8 deletions.
diff --git a/inc/Base/Model.php b/inc/Base/Model.php
@@ -191,7 +191,7 @@ public static function wptodo_notice($raw_notice) {
 	public static function wptodo_addtask(array $newdata) {
 		$wptodo_table = self::$wpdb->prefix . "wptodo";
 		$today_date = gmdate('Y-m-d');
-		$wptodo_query = "INSERT INTO `".$wptodo_table."` (`id`, `date`, `title`, `desc`, `from`, `for`, `until`,`status`,`priority`,`notify`)VALUES (NULL , '$today_date', '".$newdata['wptodo_title']."','".$newdata['wptodo_description']."','".$newdata['wptodo_from']."','".$newdata['wptodo_for']."','".$newdata['wptodo_deadline']."','".$newdata['wptodo_status']."','".$newdata['wptodo_priority']."','".!empty($newdata['wptodo_notify'])."')";
+		$wptodo_query = "INSERT INTO `".$wptodo_table."` (`id`, `date`, `title`, `desc`, `from`, `for`, `until`,`status`,`priority`,`notify`)VALUES (NULL , '$today_date', '".htmlentities(strip_tags($newdata['wptodo_title']))."','".htmlentities($newdata['wptodo_description'])."','".$newdata['wptodo_from']."','".$newdata['wptodo_for']."','".$newdata['wptodo_deadline']."','".$newdata['wptodo_status']."','".$newdata['wptodo_priority']."','".!empty($newdata['wptodo_notify'])."')";
 		self::$wpdb->query($wptodo_query);
 		self::wptodo_email();
 	}
@@ -201,7 +201,7 @@ public static function wptodo_addtask(array $newdata) {
 	 */
 	public static function wptodo_updatetask(array $newdata) {
 		$wptodo_table = self::$wpdb->prefix . "wptodo";
-		$wptodo_query = "UPDATE `".$wptodo_table."` SET `title`='".$newdata['wptodo_title']."', `desc`='".$newdata['wptodo_description']."', `for`='".$newdata['wptodo_for']."', `until`='".$newdata['wptodo_deadline']."', `status`='".$newdata['wptodo_status']."', `priority`='".$newdata['wptodo_priority']."', `notify`='".!empty($newdata['wptodo_notify'])."' WHERE `id`='".$newdata['wptodo_taskid']."'";
+		$wptodo_query = "UPDATE `".$wptodo_table."` SET `title`='".htmlentities(strip_tags($newdata['wptodo_title']))."', `desc`='".htmlentities($newdata['wptodo_description'])."', `for`='".$newdata['wptodo_for']."', `until`='".$newdata['wptodo_deadline']."', `status`='".$newdata['wptodo_status']."', `priority`='".$newdata['wptodo_priority']."', `notify`='".!empty($newdata['wptodo_notify'])."' WHERE `id`='".$newdata['wptodo_taskid']."'";
 		self::$wpdb->query($wptodo_query);
 		self::wptodo_email();
 
@@ -349,5 +349,7 @@ public static function wptodo_tasks(){
 				  	echo "";
 				  	$num++;
 				}
-	}	
+	}
+
+
 }
diff --git a/readme.txt b/readme.txt
@@ -2,8 +2,8 @@
 Contributors: delower186
 Tags: todo, task, project management, to do list, todo list, project management, todo, todo list, task, basecamp, milestone, message, file, comment, client, team, tracking, planning, lists, reporting, project management plugin for wordpress, project manager, project manager plugin for wordpress, wordpress project management
 Requires at least: 5.4 or higher
-Tested up to: 6.2.2
-Stable tag: 1.2.8
+Tested up to: 6.4.3
+Stable tag: 1.3.0
 Requires PHP: 6.8
 License: GPLv2
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -64,6 +64,10 @@ A. Found any bugs? Please create an [issue](https://github.com/delower186/wp-tod
 
 == Changelog ==
 
+= 1.2.9 =
+
+* Security issue fixed
+
 = 1.2.8 =
 
 * Bug Fixed

diff --git a/vendor/composer.json b/vendor/composer.json
@@ -0,0 +1,17 @@
+{
+    "name": "WP To Do",
+    "description": "Wordpress To Do list for users",
+    "type": "project",
+    "license": "GPLv2 or later",
+    "authors": [
+        {
+            "name": "Delower",
+            "email": "admin@247-assistant.com"
+        }
+    ],
+    "minimum-stability": "dev",
+    "require": {},
+    "autoload":{
+        "psr-4": {"Inc\\": "./inc"}
+    }
+}
diff --git a/vendor/inc/Api/SettingsApi.php b/vendor/inc/Api/SettingsApi.php
@@ -0,0 +1,46 @@
+<?php
+/**
+* @package wptodo
+*/
+namespace Inc\Api;
+
+class SettingsApi
+{
+	public $admin_pages = array();
+	public $admin_subpages = array();
+
+	public function register(){
+		if ( ! empty($this->admin_pages ) ){
+			add_action( 'admin_menu', array( $this, 'AddAdminMenu') );
+			if(! empty($this->admin_subpages)){
+				add_action( 'admin_menu', array( $this, 'AddAdminSubMenu') );
+			}
+		}
+	}
+
+	public function AddPage( array $pages)	{
+
+		$this->admin_pages = $pages;
+
+		return $this;
+	}
+
+	public function AddSubPage( array $subpages)	{
+
+		$this->admin_subpages = $subpages;
+
+		return $this;
+	}
+
+	public function AddAdminMenu(){
+		foreach( $this->admin_pages as $page ){
+			add_menu_page( $page['page_title'], $page['menu_title'], $page['capability'], $page['menu_slug'], $page['callback'], $page['icon_url'], $page['position'] );
+		}
+	}
+
+	public function AddAdminSubMenu(){
+		foreach( $this->admin_subpages as $subpage ){
+			add_submenu_page( $subpage['parent_slug'], $subpage['page_title'], $subpage['menu_title'], $subpage['capability'], $subpage['menu_slug'], $subpage['function'] );
+		}
+	}
+}
diff --git a/vendor/inc/Base/Activate.php b/vendor/inc/Base/Activate.php
@@ -0,0 +1,11 @@
+<?php
+/**
+* @package wptodo
+*/
+namespace Inc\Base;
+class Activate{
+	public static function activate(){
+		flush_rewrite_rules();
+		Model::wptodo_install();
+	}
+}
diff --git a/vendor/inc/Base/BaseController.php b/vendor/inc/Base/BaseController.php
@@ -0,0 +1,19 @@
+<?php
+/**
+* @package wptodo
+*/
+namespace Inc\Base;
+
+
+class BaseController
+{
+	public static $plugin_path;
+	public static $plugin_url;
+	public static $plugin;
+
+	public function __construct(){
+		self::$plugin_path = plugin_dir_path( dirname( __FILE__ , 2 ) );
+		self::$plugin_url = plugin_dir_url( dirname( __FILE__ , 2 ) );
+		self::$plugin = plugin_basename( dirname( __FILE__ , 3 ) ) . '/wp-todo.php';
+	}
+}
diff --git a/vendor/inc/Base/Deactivate.php b/vendor/inc/Base/Deactivate.php
@@ -0,0 +1,10 @@
+<?php
+/**
+*@package wptodo
+*/
+namespace Inc\Base;
+class Deactivate{
+	public static function deactivate(){
+		flush_rewrite_rules();
+	}
+}
diff --git a/vendor/inc/Base/Enqueue.php b/vendor/inc/Base/Enqueue.php
@@ -0,0 +1,33 @@
+<?php
+/**
+* @package wptodo
+*/
+namespace Inc\Base;
+
+use \Inc\Base\BaseController;
+
+class Enqueue extends BaseController
+{
+
+	public function register(){
+		//enqueue scripts in the admin panel
+		add_action('admin_enqueue_scripts', array($this, 'enqueue'),9999);
+
+		//enqueue scripts in the frontend
+		add_action('wp_enqueue_scripts', array($this, 'enqueue'),9999);
+	}
+
+	public function enqueue(){
+		//css stylesheets
+		wp_enqueue_style('datatable', parent::$plugin_url . 'scripts/DataTables/datatables.min.css');
+		wp_enqueue_style('style', parent::$plugin_url . 'scripts/css/style.css');
+		wp_enqueue_style('jquery-ui', parent::$plugin_url . 'scripts/jquery-ui-1.12.1/jquery-ui.min.css');
+		wp_enqueue_style('flipclock', parent::$plugin_url . 'scripts/css/flipclock.css');
+		//js scripts
+		wp_enqueue_script('jquery-3.6.0', parent::$plugin_url . 'scripts/js/jquery-3.6.0.min.js',false,array(), false, false);
+		wp_enqueue_script('datatable', parent::$plugin_url . 'scripts/DataTables/datatables.min.js', array(), false, true);
+		wp_enqueue_script('flipclock', parent::$plugin_url . 'scripts/js/flipclock.min.js', array(), false, true);
+		wp_enqueue_script('jquery-ui', parent::$plugin_url . 'scripts/jquery-ui-1.12.1/jquery-ui.min.js', array(), false, true);
+	}
+
+}