[auto] plugin: event-list 0.7.9

wp-content/plugins/event-list/admin/includes/admin-categories.php

@@ -78,10 +78,11 @@ class EL_Admin_Categories {
 			if(!$is_disabled) {
 				// delete categories
 				$slug_array = explode(', ', $_GET['slug']);
+				$slug_array = array_map('sanitize_title_for_query', $slug_array);
 				$num_affected_events = $this->db->remove_category_in_events($slug_array);
 				if($this->categories->remove_categories($slug_array, false)) {
 					$out .= '<div id="message" class="updated">
-						<p><strong>'.sprintf(__('Category "%s" deleted.','event-list'), $_GET['slug']);
+						<p><strong>'.sprintf(__('Category "%s" deleted.','event-list'), implode(', ', $slug_array));
 					if($num_affected_events > 0) {
 						$out .= '<br />'.sprintf(__('This Category was also removed from %d events.','event-list'), $num_affected_events);
 					}
@@ -89,7 +90,7 @@ class EL_Admin_Categories {
 					</div>';
 				}
 				else {
-					$out .= '<div id="message" class="error below-h2"><p><strong>'.sprintf(__('Error while deleting category "%s"','event-list'), $_GET['slug']).'.</strong></p></div>';
+					$out .= '<div id="message" class="error below-h2"><p><strong>'.sprintf(__('Error while deleting category "%s"','event-list'), implode(', ', $slug_array)).'.</strong></p></div>';
 				}
 			}
 		}

wp-content/plugins/event-list/admin/includes/admin-main.php

@@ -48,8 +48,10 @@ class EL_Admin_Main {
 					break;
 				case 'delete':
 					if(isset($_GET['id'])) {
-						$error = !$this->db->delete_events(explode(',', $_GET['id']));
-						$this->redirect('deleted', $error, array('id' => $_GET['id']));
+						$id_array = explode(',', $_GET['id']);
+						$id_array = array_map('absint', $id_array);
+						$error = !$this->db->delete_events($id_array);
+						$this->redirect('deleted', $error, array('id' => implode(',', $id_array)));
 					}
 					break;
 				// proceed with header if a bulk action was triggered (required due to "noheader" attribute for all action above)
@@ -110,7 +112,7 @@ class EL_Admin_Main {
 
 	private function show_page_header($action, $editview=false) {
 		if($editview) {
-			$duplicate_link = add_query_arg(array('id'=>$_GET['id'], 'action'=>'copy'), '?page=el_admin_new');
+			$duplicate_link = add_query_arg(array('id'=>absint($_GET['id']), 'action'=>'copy'), '?page=el_admin_new');
 			$header = __('Edit Event','event-list').' <a href="'.$duplicate_link.'" class="add-new-h2">'.__('Duplicate','event-list').'</a>';
 		}
 		else {
@@ -188,9 +190,9 @@ class EL_Admin_Main {
 				$num_deleted = count(explode(',', $_GET['id']));
 				$plural = ($num_deleted > 1) ? 's' : '';
 				if(!$error)
-					$this->show_update_message($num_deleted.' Event'.$plural.' deleted (id'.$plural.': '.$_GET['id'].').');
+					$this->show_update_message($num_deleted.' Event'.$plural.' deleted (id'.$plural.': '.htmlentities($_GET['id']).').');
 				else
-					$this->show_error_message('Error while deleting '.$num_deleted.' Event'.$plural.'.');
+					$this->show_error_message('Error: Deleting failed (Event id'.$plural.': '.htmlentities($_GET['id']).')!');
 				break;
 		}
 	}

wp-content/plugins/event-list/admin/includes/admin-new.php

@@ -30,7 +30,7 @@ class EL_Admin_New {
 		$this->options = &EL_Options::get_instance();
 		$this->categories = &EL_Categories::get_instance();
 		$this->is_new = !(isset($_GET['action']) && ('edit' === $_GET['action'] || 'added' === $_GET['action'] || 'modified' === $_GET['action']));
-		$this->is_duplicate = $this->is_new && isset($_GET['id']) && is_numeric($_GET['id']);
+		$this->is_duplicate = $this->is_new && isset($_GET['id']) && intval($_GET['id']) > 0;
 	}
 
 	public function show_new() {
@@ -40,7 +40,7 @@ class EL_Admin_New {
 		$out = '<div class="wrap">
 				<div id="icon-edit-pages" class="icon32"><br /></div><h2>'.__('Add New Event','event-list').'</h2>';
 		if($this->is_duplicate) {
-			$out .= '<span style="color:silver">('.sprintf(__('Duplicate of event id:%d','event-list'), $_GET['id']).')</span>';
+			$out .= '<span style="color:silver">('.sprintf(__('Duplicate of event id:%d','event-list'), absint($_GET['id'])).')</span>';
 		}
 		$out .= $this->edit_event();
 		$out .= '</div>';
@@ -72,7 +72,7 @@ class EL_Admin_New {
 		}
 		else {
 			// set event data and existing date
-			$event = $this->db->get_event($_GET['id']);
+			$event = $this->db->get_event(absint($_GET['id']));
 			$start_date = strtotime($event->start_date);
 			$end_date = strtotime($event->end_date);
 		}
@@ -98,7 +98,7 @@ class EL_Admin_New {
 		else {
 			$out .= '
 					<input type="hidden" name="action" value="edited" />
-					<input type="hidden" name="id" value="'.$_GET['id'].'" />';
+					<input type="hidden" name="id" value="'.absint($_GET['id']).'" />';
 		}
 		$out .= '
 					<table class="form-table">

wp-content/plugins/event-list/admin/includes/event_table.php

@@ -45,7 +45,7 @@ class EL_Event_Table extends WP_List_Table {
 			case 'date' :
 				return $this->format_event_date($item->start_date, $item->end_date, $item->time);
 			case 'details' :
-				return $this->db->truncate(wpautop('<div>'.$item->details.'</div>'), 100);
+				return $this->db->truncate('<div>'.wpautop($item->details).'</div>', 100);
 			case 'pub_user' :
 				return get_userdata($item->pub_user)->user_login;
 			case 'pub_date' :
@@ -277,11 +277,6 @@ class EL_Event_Table extends WP_List_Table {
 		}
 		// event time
 		if('' !== $start_time) {
-			// set time format if a known format is available, else only show the text
-			$date_array = date_parse($start_time);
-			if(empty($date_array['errors']) && is_numeric($date_array['hour']) && is_numeric($date_array['minute'])) {
-				$start_time = mysql2date(get_option('time_format'), $start_time);
-			}
 			$out .= '<br />
 				<span class="time">'.esc_html($start_time).'</span>';
 		}

wp-content/plugins/event-list/admin/js/admin_new.js

@@ -4,7 +4,7 @@
 jQuery(document).ready(function($) {
 	// Read required config data from hidden field json_for_js
 	var json = $("#json_for_js").val();
-	var conf = eval('(' + json + ')');
+	var conf = JSON.parse(json);
 
 	// Show or hide end_date
 	if ($("#start_date").val() == $("#end_date").val()) {

wp-content/plugins/event-list/event-list.php

@@ -3,7 +3,7 @@
 Plugin Name: Event List
 Plugin URI: http://wordpress.org/extend/plugins/event-list/
 Description: Manage your events and show them in a list view on your site.
-Version: 0.7.8
+Version: 0.7.9
 Author: mibuthu
 Author URI: http://wordpress.org/extend/plugins/event-list/
 Text Domain: event-list
@@ -84,7 +84,7 @@ class Event_List {
 		}
 		else {
 			// use fork of wordpress function load_plugin_textdomain (see wp-includes/l10n.php) to prefer language files included in plugin (wp-content/plugins/event-list/languages/) and additionally from language dir
-			$locale = apply_filters('plugin_locale', is_admin() ? get_user_locale() : get_locale(), $domain);
+			$locale = apply_filters('plugin_locale', is_callable('get_user_locale') ? get_user_locale() : get_locale(), $domain);
 			$mofile = $domain.'-'.$locale.'.mo';
 			load_textdomain($domain, WP_PLUGIN_DIR.'/'.$el_lang_path.'/'.$mofile);
 			load_textdomain($domain, WP_LANG_DIR.'/plugins/'.$mofile);

wp-content/plugins/event-list/includes/categories.php

@@ -316,7 +316,10 @@ class EL_Categories {
 	}
 
 	public function get_category_data($slug) {
-		return $this->cat_array[$slug];
+		if(isset($this->cat_array[$slug])) {
+			return $this->cat_array[$slug];
+		}
+		return false;
 	}
 
 	/**

wp-content/plugins/event-list/includes/db.php

@@ -61,13 +61,13 @@ class EL_Db {
 		if('upcoming' === $date_filter && is_numeric($num_events) && 0 < $num_events) {
 			$sql .= ' LIMIT '.$num_events;
 		}
-		return $wpdb->get_results($sql);
+		return $this->convert_events_timeformat($wpdb->get_results($sql));
 	}
 
 	public function get_event( $id ) {
 		global $wpdb;
 		$sql = 'SELECT * FROM '.$this->table.' WHERE id = '.$id.' LIMIT 1';
-		return $wpdb->get_row( $sql );
+		return $this->convert_event_timeformat($wpdb->get_row($sql));
 	}
 
 	public function get_distinct_event_data($search_string, $date_filter, $cat_filter, $order='asc') {
@@ -113,7 +113,7 @@ class EL_Db {
 		}
 		//time
 		if( !isset( $event_data['time'] ) ) { $sqldata['time'] = ''; }
-		else { $sqldata['time'] = stripslashes($event_data['time']); }
+		else { $sqldata['time'] = $this->validate_time($event_data['time']); }
 		//title
 		if( !isset( $event_data['title'] ) || $event_data['title'] === '' ) { return false; }
 		$sqldata['title'] = stripslashes( $event_data['title'] );
@@ -205,6 +205,32 @@ class EL_Db {
 		return false;
 	}
 
+	private function validate_time($timestring) {
+		// Try to extract a correct time from the provided text
+		$timestamp = strtotime(stripslashes($timestring));
+		// Return a standard time format if the conversion was successful
+		if($timestamp) {
+			return date('H:i:s', $timestamp);
+		}
+		// Else return the given text
+		return $timestring;
+	}
+
+	private function convert_events_timeformat($events) {
+		foreach($events as $event) {
+			$this->convert_event_timeformat($event);
+		}
+		return $events;
+	}
+
+	private function convert_event_timeformat($event) {
+		$timestamp = strtotime($event->time);
+		if($timestamp) {
+			$event->time = date_i18n(get_option('time_format'), $timestamp);
+		}
+		return $event;
+	}
+
 	private function get_sql_filter_string($date_filter=null, $cat_filter=null) {
 		$sql_filter_string = '';
 		// date filter
@@ -332,7 +358,7 @@ class EL_Db {
 						$openingTag = array_pop($tags);
 						if($openingTag != $tagName) {
 							// Not properly nested tag found: trigger a warning and add the not matching opening tag again
-							trigger_error('Not properly nested tag found (last opening tag: '.$openingTag.', closing tag: '.$tagName.')', E_USER_WARNING);
+							trigger_error('Not properly nested tag found (last opening tag: '.$openingTag.', closing tag: '.$tagName.')', E_USER_NOTICE);
 							$tags[] = $openingTag;
 						}
 						else {

wp-content/plugins/event-list/includes/js/filterbar.js

@@ -21,9 +21,10 @@ function updateUrlParameter(url, paramName, paramVal, sc_id) {
 		urlArray = oldParams.split("&");
 		for(i=0; i<urlArray.length; i++) {
 			if(urlArray[i].split("=")[0] == "event_id"+sc_id) {
-				// do nothing
+				// do nothing:
+				continue;
 			}
-			else if(urlArray[i].split("=")[0] == paramName) {
+			if(urlArray[i].split("=")[0] == paramName) {
 				newParams += seperator + paramName + "=" + paramVal;
 				paramNameAdded = true;
 			}

wp-content/plugins/event-list/includes/sc_event-list.php

@@ -101,17 +101,17 @@ class SC_Event_List {
 		$a['actual_date'] = $this->get_actual_date($a);
 		$a['actual_cat'] = $this->get_actual_cat($a);
 		if(isset($_GET['event_id'.$a['sc_id']])) {
-			$a['event_id'] = (int)$_GET['event_id'.$a['sc_id']];
+			$a['event_id'] = absint($_GET['event_id'.$a['sc_id']]);
 		}
 		elseif('all' != $a['initial_event_id'] && !isset($_GET['date'.$a['sc_id']]) && !isset($_GET['cat'.$a['sc_id']])) {
-			$a['event_id'] = (int)$a['initial_event_id'];
+			$a['event_id'] = intval($a['initial_event_id']);
 		}
 		else {
 			$a['event_id'] = null;
 		}
 		// fix sc_id_for_url if required
 		if(!is_numeric($a['sc_id_for_url'])) {
-			$a['sc_id_for_url'] = $a['sc_id'];
+			$a['sc_id_for_url'] = intval($a['sc_id']);
 		}
 
 		$out = '
@@ -215,16 +215,10 @@ class SC_Event_List {
 		$out .= '</h3></div>';
 		// event time
 		if('' != $event->time && $this->is_visible($a['show_starttime'])) {
-			// set time format if a known format is available, else only show the text
-			$date_array = date_parse($event->time);
-			$time = $event->time;
-			if(empty($date_array['errors']) && is_numeric($date_array['hour']) && is_numeric($date_array['minute'])) {
-				$time = mysql2date(get_option('time_format'), $event->time);
-			}
 			if('' == $this->options->get('el_html_tags_in_time')) {
-				$time = esc_attr($time);
+				$event->time = esc_attr($event->time);
 			}
-			$out .= '<span class="event-time">'.$time.'</span>';
+			$out .= '<span class="event-time">'.$event->time.'</span>';
 		}
 		// event location
 		if('' != $event->location && $this->is_visible($a['show_location'])) {

wp-content/plugins/event-list/readme.txt

@@ -3,8 +3,8 @@ Contributors: mibuthu, clhunsen
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=W54LNZMWF9KW2
 Tags: event, events, list, listview, calendar, schedule, shortcode, page, category, categories, filter, admin, attribute, widget, sidebar, feed, rss
 Requires at least: 3.8
-Tested up to: 4.7
-Stable tag: 0.7.8
+Tested up to: 4.8
+Stable tag: 0.7.9
 Plugin URI: http://wordpress.org/extend/plugins/event-list
 Licence: GPLv2
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -82,6 +82,13 @@ Another possibility would be to call the wordpress function "do_shortcode()".
 
 == Changelog ==
 
+= 0.7.9 (2017-06-12) =
+* fixed security vulnerability reported by wordpress
+* fixed / improved time handling and sorting according to time (fixed sorting will only work in new or modified events)
+* fixed problem with locale handling in older wordpress versions
+* fixed url when going back from event details page to event list page with a drowdown filter
+* fixed HTML format issue in admin event table (with not properly nested tag warning)
+
 = 0.7.8 (2017-03-17) =
 * improved datepicker style in new/edit event view
 * show datepicker in correct language