From 1709b7dd6c3d0d6d21c448ad4561d03b846cbad1 Mon Sep 17 00:00:00 2001
From: lucha <lucha@paranoici.org>
Date: Sat, 26 Aug 2017 17:41:15 +0200
Subject: [PATCH] [auto] plugin: event-list 0.7.9
---
 .../admin/includes/admin-categories.php | 5 +--
 .../event-list/admin/includes/admin-main.php | 12 ++++---
 .../event-list/admin/includes/admin-new.php | 8 ++---
 .../event-list/admin/includes/event_table.php | 7 +---
 .../plugins/event-list/admin/js/admin_new.js | 2 +-
 wp-content/plugins/event-list/event-list.php | 4 +--
 .../event-list/includes/categories.php | 5 ++-
 wp-content/plugins/event-list/includes/db.php | 34 ++++++++++++++++---
 .../event-list/includes/js/filterbar.js | 5 +--
 .../event-list/includes/sc_event-list.php | 16 +++------
 wp-content/plugins/event-list/readme.txt | 11 ++++--
 11 files changed, 69 insertions(+), 40 deletions(-)
diff --git a/wp-content/plugins/event-list/admin/includes/admin-categories.php b/wp-content/plugins/event-list/admin/includes/admin-categories.php
index 51b8b1e35..fbc85cec6 100644
--- a/wp-content/plugins/event-list/admin/includes/admin-categories.php
+++ b/wp-content/plugins/event-list/admin/includes/admin-categories.php
@@ -78,10 +78,11 @@ class EL_Admin_Categories {
 if(!$is_disabled) {
 // delete categories
 $slug_array = explode(', ', $_GET['slug']);
+ $slug_array = array_map('sanitize_title_for_query', $slug_array);
 $num_affected_events = $this->db->remove_category_in_events($slug_array);
 if($this->categories->remove_categories($slug_array, false)) {
 $out .= '<div id="message" class="updated">
- <p><strong>'.sprintf(__('Category "%s" deleted.','event-list'), $_GET['slug']);
+ <p><strong>'.sprintf(__('Category "%s" deleted.','event-list'), implode(', ', $slug_array));
 if($num_affected_events > 0) {
 $out .= '<br />'.sprintf(__('This Category was also removed from %d events.','event-list'), $num_affected_events);
 }
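Review bot: The slug list is still concatenated into HTML unescaped on the changed `<p><strong>` line, and again in the error message of the following hunk; `sanitize_title_for_query()` narrows the character set, but the output boundary should still escape, e.g. `implode(', ', array_map('esc_html', $slug_array))`. Whether this GET-triggered deletion is nonce- and capability-checked is not visible here (`$is_disabled` is computed outside the hunk), so confirm that a `check_admin_referer()` guards it before the delete runs. The enclosing method starts and ends outside the hunk.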
@@ -89,7 +90,7 @@ class EL_Admin_Categories {
 </div>';
 }
 else {
- $out .= '<div id="message" class="error below-h2"><p><strong>'.sprintf(__('Error while deleting category "%s"','event-list'), $_GET['slug']).'.</strong></p></div>';
+ $out .= '<div id="message" class="error below-h2"><p><strong>'.sprintf(__('Error while deleting category "%s"','event-list'), implode(', ', $slug_array)).'.</strong></p></div>';
 }
 }
 }
diff --git a/wp-content/plugins/event-list/admin/includes/admin-main.php b/wp-content/plugins/event-list/admin/includes/admin-main.php
index 562fa6dd7..b76ef476d 100644
--- a/wp-content/plugins/event-list/admin/includes/admin-main.php
+++ b/wp-content/plugins/event-list/admin/includes/admin-main.php
@@ -48,8 +48,10 @@ class EL_Admin_Main {
 break;
 case 'delete':
 if(isset($_GET['id'])) {
- $error = !$this->db->delete_events(explode(',', $_GET['id']));
- $this->redirect('deleted', $error, array('id' => $_GET['id']));
+ $id_array = explode(',', $_GET['id']);
+ $id_array = array_map('absint', $id_array);
+ $error = !$this->db->delete_events($id_array);
+ $this->redirect('deleted', $error, array('id' => implode(',', $id_array)));
 }
 break;
 // proceed with header if a bulk action was triggered (required due to "noheader" attribute for all action above)
@@ -110,7 +112,7 @@ class EL_Admin_Main {
 private function show_page_header($action, $editview=false) {
 if($editview) {
- $duplicate_link = add_query_arg(array('id'=>$_GET['id'], 'action'=>'copy'), '?page=el_admin_new');
+ $duplicate_link = add_query_arg(array('id'=>absint($_GET['id']), 'action'=>'copy'), '?page=el_admin_new');
 $header = __('Edit Event','event-list').' <a href="'.$duplicate_link.'" class="add-new-h2">'.__('Duplicate','event-list').'</a>';
 }
 else {
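Review bot: `absint()` maps every non-numeric token to 0, so an `id` of `abc,5` becomes `[0, 5]` and the 0 is both passed to `delete_events()` and echoed back through the redirect in the `delete` case; drop it with `$id_array = array_filter(array_map('absint', $id_array));`. As with the category deletion, the action is driven by `$_GET` and no nonce verification is visible in the hunk; if `check_admin_referer()` is not applied before the `switch`, the delete is replayable cross-site. The enclosing method starts and ends outside the hunk.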
@@ -188,9 +190,9 @@ class EL_Admin_Main {
 $num_deleted = count(explode(',', $_GET['id']));
 $plural = ($num_deleted > 1) ? 's' : '';
 if(!$error)
- $this->show_update_message($num_deleted.' Event'.$plural.' deleted (id'.$plural.': '.$_GET['id'].').');
+ $this->show_update_message($num_deleted.' Event'.$plural.' deleted (id'.$plural.': '.htmlentities($_GET['id']).').');
 else
- $this->show_error_message('Error while deleting '.$num_deleted.' Event'.$plural.'.');
+ $this->show_error_message('Error: Deleting failed (Event id'.$plural.': '.htmlentities($_GET['id']).')!');
 break;
 }
 }
diff --git a/wp-content/plugins/event-list/admin/includes/admin-new.php b/wp-content/plugins/event-list/admin/includes/admin-new.php
index 7af47b000..44af157af 100644
--- a/wp-content/plugins/event-list/admin/includes/admin-new.php
+++ b/wp-content/plugins/event-list/admin/includes/admin-new.php
@@ -30,7 +30,7 @@ class EL_Admin_New {
 $this->options = &EL_Options::get_instance();
 $this->categories = &EL_Categories::get_instance();
 $this->is_new = !(isset($_GET['action']) && ('edit' === $_GET['action'] || 'added' === $_GET['action'] || 'modified' === $_GET['action']));
- $this->is_duplicate = $this->is_new && isset($_GET['id']) && is_numeric($_GET['id']);
+ $this->is_duplicate = $this->is_new && isset($_GET['id']) && intval($_GET['id']) > 0;
 }
 public function show_new() {
@@ -40,7 +40,7 @@ class EL_Admin_New {
 $out = '<div class="wrap">
 <div id="icon-edit-pages" class="icon32"><br /></div><h2>'.__('Add New Event','event-list').'</h2>';
 if($this->is_duplicate) {
- $out .= '<span style="color:silver">('.sprintf(__('Duplicate of event id:%d','event-list'), $_GET['id']).')</span>';
+ $out .= '<span style="color:silver">('.sprintf(__('Duplicate of event id:%d','event-list'), absint($_GET['id'])).')</span>';
 }
 $out .= $this->edit_event();
 $out .= '</div>';
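Review bot: `htmlentities($_GET['id'])` on the two changed lines is the wrong escaper for WordPress output: without explicit flags it leaves single quotes alone on PHP before 8.1 and uses the ini default charset rather than the blog charset, while the rest of the plugin uses `esc_html()` (see `esc_html($start_time)` in event_table.php). Prefer `esc_html($_GET['id'])`, or better, build the message from the `absint()`-sanitised id list the `delete` case already computes so the two paths agree. The two message strings also bypass `__()` unlike every other user-facing string in these hunks. The enclosing method starts and ends outside the hunk.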
@@ -72,7 +72,7 @@ class EL_Admin_New {
 }
 else {
 // set event data and existing date
- $event = $this->db->get_event($_GET['id']);
+ $event = $this->db->get_event(absint($_GET['id']));
 $start_date = strtotime($event->start_date);
 $end_date = strtotime($event->end_date);
 }
@@ -98,7 +98,7 @@ class EL_Admin_New {
 else {
 $out .= '
 <input type="hidden" name="action" value="edited" />
- <input type="hidden" name="id" value="'.$_GET['id'].'" />';
+ <input type="hidden" name="id" value="'.absint($_GET['id']).'" />';
 }
 $out .= '
 <table class="form-table">
diff --git a/wp-content/plugins/event-list/admin/includes/event_table.php b/wp-content/plugins/event-list/admin/includes/event_table.php
index a2ee5756b..f75991196 100644
--- a/wp-content/plugins/event-list/admin/includes/event_table.php
+++ b/wp-content/plugins/event-list/admin/includes/event_table.php
@@ -45,7 +45,7 @@ class EL_Event_Table extends WP_List_Table {
 case 'date' :
 return $this->format_event_date($item->start_date, $item->end_date, $item->time);
 case 'details' :
- return $this->db->truncate(wpautop('<div>'.$item->details.'</div>'), 100);
+ return $this->db->truncate('<div>'.wpautop($item->details).'</div>', 100);
 case 'pub_user' :
 return get_userdata($item->pub_user)->user_login;
 case 'pub_date' :
@@ -277,11 +277,6 @@ class EL_Event_Table extends WP_List_Table {
 }
 // event time
 if('' !== $start_time) {
- // set time format if a known format is available, else only show the text
- $date_array = date_parse($start_time);
- if(empty($date_array['errors']) && is_numeric($date_array['hour']) && is_numeric($date_array['minute'])) {
- $start_time = mysql2date(get_option('time_format'), $start_time);
- }
 $out .= '<br />
 <span class="time">'.esc_html($start_time).'</span>';
 }
diff --git a/wp-content/plugins/event-list/admin/js/admin_new.js b/wp-content/plugins/event-list/admin/js/admin_new.js
index b4131a57f..e87c87455 100644
--- a/wp-content/plugins/event-list/admin/js/admin_new.js
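Review bot: `absint($_GET['id'])` turns a missing or non-numeric id into 0, and `get_event(0)` hands back whatever `$wpdb->get_row()` returns for no match, which is null, so `$event->start_date` on the next line reads a property of a non-object. Check the row before the two `strtotime()` calls, e.g. `if(!is_object($event)) { ... }`, and fall back to whatever the preceding branch uses for a new event. The enclosing method starts and ends outside the hunk.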
+++ b/wp-content/plugins/event-list/admin/js/admin_new.js
@@ -4,7 +4,7 @@ jQuery(document).ready(function($) {
 // Read required config data from hidden field json_for_js
 var json = $("#json_for_js").val();
- var conf = eval('(' + json + ')');
+ var conf = JSON.parse(json);
 // Show or hide end_date
 if ($("#start_date").val() == $("#end_date").val()) {
diff --git a/wp-content/plugins/event-list/event-list.php b/wp-content/plugins/event-list/event-list.php
index bf84127ac..a8faf4bb9 100644
--- a/wp-content/plugins/event-list/event-list.php
+++ b/wp-content/plugins/event-list/event-list.php
@@ -3,7 +3,7 @@
 Plugin Name: Event List
 Plugin URI: http://wordpress.org/extend/plugins/event-list/
 Description: Manage your events and show them in a list view on your site.
-Version: 0.7.8
+Version: 0.7.9
 Author: mibuthu
 Author URI: http://wordpress.org/extend/plugins/event-list/
 Text Domain: event-list
@@ -84,7 +84,7 @@ class Event_List {
 }
 else {
 // use fork of wordpress function load_plugin_textdomain (see wp-includes/l10n.php) to prefer language files included in plugin (wp-content/plugins/event-list/languages/) and additionally from language dir
- $locale = apply_filters('plugin_locale', is_admin() ? get_user_locale() : get_locale(), $domain);
+ $locale = apply_filters('plugin_locale', is_callable('get_user_locale') ? get_user_locale() : get_locale(), $domain);
 $mofile = $domain.'-'.$locale.'.mo';
 load_textdomain($domain, WP_PLUGIN_DIR.'/'.$el_lang_path.'/'.$mofile);
 load_textdomain($domain, WP_LANG_DIR.'/plugins/'.$mofile);
diff --git a/wp-content/plugins/event-list/includes/categories.php b/wp-content/plugins/event-list/includes/categories.php
index b4cafbf57..8ff278e9f 100644
--- a/wp-content/plugins/event-list/includes/categories.php
+++ b/wp-content/plugins/event-list/includes/categories.php
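Review bot: `JSON.parse()` is stricter than the `eval()` it replaces: it rejects single-quoted strings, unquoted keys and trailing commas that a hand-built object literal may contain, so the server code that fills `#json_for_js` must emit the value with `json_encode()` (and `esc_attr()` for the attribute); that code is not in the diff, so please confirm. If the field can legitimately be empty, `JSON.parse('')` throws and aborts the whole ready handler, where `try { conf = JSON.parse(json); } catch (e) { return; }` would degrade gracefully. The enclosing ready callback starts and ends outside the hunk.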
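Review bot: The changed `$locale` line drops the `is_admin()` distinction: the user locale was previously used only in the admin area, but now `get_user_locale()` is used on the front end as well, so a logged-in visitor whose profile language differs from the site language gets the plugin's strings in their own language while the rest of the page stays in the site locale. Keep the compatibility check but preserve the branch: `$locale = apply_filters('plugin_locale', (is_admin() && function_exists('get_user_locale')) ? get_user_locale() : get_locale(), $domain);`. `function_exists()` is also the conventional test for a core function, although `is_callable()` on the string works. The enclosing method starts and ends outside the hunk.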
@@ -316,7 +316,10 @@ class EL_Categories {
 }
 public function get_category_data($slug) {
- return $this->cat_array[$slug];
+ if(isset($this->cat_array[$slug])) {
+ return $this->cat_array[$slug];
+ }
+ return false;
 }
 /**
diff --git a/wp-content/plugins/event-list/includes/db.php b/wp-content/plugins/event-list/includes/db.php
index fe0934529..a6d402286 100644
--- a/wp-content/plugins/event-list/includes/db.php
+++ b/wp-content/plugins/event-list/includes/db.php
@@ -61,13 +61,13 @@ class EL_Db {
 if('upcoming' === $date_filter && is_numeric($num_events) && 0 < $num_events) {
 $sql .= ' LIMIT '.$num_events;
 }
- return $wpdb->get_results($sql);
+ return $this->convert_events_timeformat($wpdb->get_results($sql));
 }
 public function get_event( $id ) {
 global $wpdb;
 $sql = 'SELECT * FROM '.$this->table.' WHERE id = '.$id.' LIMIT 1';
- return $wpdb->get_row( $sql );
+ return $this->convert_event_timeformat($wpdb->get_row($sql));
 }
 public function get_distinct_event_data($search_string, $date_filter, $cat_filter, $order='asc') {
@@ -113,7 +113,7 @@ class EL_Db {
 }
 //time
 if( !isset( $event_data['time'] ) ) { $sqldata['time'] = ''; }
- else { $sqldata['time'] = stripslashes($event_data['time']); }
+ else { $sqldata['time'] = $this->validate_time($event_data['time']); }
 //title
 if( !isset( $event_data['title'] ) || $event_data['title'] === '' ) { return false; }
 $sqldata['title'] = stripslashes( $event_data['title'] );
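Review bot: Returning `false` for an unknown slug avoids the undefined-index notice, but a caller that indexes the result directly (`$this->get_category_data($slug)['name']`) now operates on `false` instead; either check the call sites or document the contract with a `@return array|false` docblock on the method. The method is fully contained in the hunk.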
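Review bot: `get_event()` still interpolates `$id` straight into the SQL string on the context line above the changed `return`; the callers in admin-new.php now pass `absint()` values, but the query layer should not depend on every caller doing so. Use `$sql = $wpdb->prepare('SELECT * FROM '.$this->table.' WHERE id = %d LIMIT 1', $id);` here (the `LIMIT '.$num_events` in the hunk above deserves the same treatment even though `is_numeric()` guards it). Separately, `$wpdb->get_row()` returns null when no row matches, and that null is now handed to `convert_event_timeformat()`, which reads `$event->time` (see the hunk at `-205`); a guard belongs there. The enclosing class continues outside the hunk.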
@@ -205,6 +205,32 @@ class EL_Db {
 return false;
 }
+ private function validate_time($timestring) {
+ // Try to extract a correct time from the provided text
+ $timestamp = strtotime(stripslashes($timestring));
+ // Return a standard time format if the conversion was successful
+ if($timestamp) {
+ return date('H:i:s', $timestamp);
+ }
+ // Else return the given text
+ return $timestring;
+ }
+
+ private function convert_events_timeformat($events) {
+ foreach($events as $event) {
+ $this->convert_event_timeformat($event);
+ }
+ return $events;
+ }
+
+ private function convert_event_timeformat($event) {
+ $timestamp = strtotime($event->time);
+ if($timestamp) {
+ $event->time = date_i18n(get_option('time_format'), $timestamp);
+ }
+ return $event;
+ }
+
 private function get_sql_filter_string($date_filter=null, $cat_filter=null) {
 $sql_filter_string = '';
 // date filter
@@ -332,7 +358,7 @@ class EL_Db {
 $openingTag = array_pop($tags);
 if($openingTag != $tagName) {
 // Not properly nested tag found: trigger a warning and add the not matching opening tag again
- trigger_error('Not properly nested tag found (last opening tag: '.$openingTag.', closing tag: '.$tagName.')', E_USER_WARNING);
+ trigger_error('Not properly nested tag found (last opening tag: '.$openingTag.', closing tag: '.$tagName.')', E_USER_NOTICE);
 $tags[] = $openingTag;
 }
 else {
diff --git a/wp-content/plugins/event-list/includes/js/filterbar.js b/wp-content/plugins/event-list/includes/js/filterbar.js
index daa83bb06..323f5405b 100644
--- a/wp-content/plugins/event-list/includes/js/filterbar.js
+++ b/wp-content/plugins/event-list/includes/js/filterbar.js
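Review bot: `validate_time()` returns the raw `$timestring` when `strtotime()` fails, but the value it replaces at `-113` went through `stripslashes()`, so unparseable times are now stored with their escaping slashes; the fallback should be `return stripslashes($timestring);`. `convert_event_timeformat()` reads `$event->time` without checking that `$event` is an object, and `get_event()` passes `$wpdb->get_row()` through unchanged, which is null for an unknown id; add `if(!is_object($event)) { return $event; }` at the top, and the same `is_array()` check on `$events` in `convert_events_timeformat()` before the `foreach`. Also `strtotime()` accepts far more than clock times (`'tomorrow'`, `'+2 days'`), so such input is silently stored as a time-of-day; a short comment stating that this is intentional, or a stricter parse, would help the next reader. The enclosing class continues outside the hunk.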
@@ -21,9 +21,10 @@ function updateUrlParameter(url, paramName, paramVal, sc_id) {
 urlArray = oldParams.split("&");
 for(i=0; i<urlArray.length; i++) {
 if(urlArray[i].split("=")[0] == "event_id"+sc_id) {
- // do nothing
+ // do nothing:
+ continue;
 }
- else if(urlArray[i].split("=")[0] == paramName) {
+ if(urlArray[i].split("=")[0] == paramName) {
 newParams += seperator + paramName + "=" + paramVal;
 paramNameAdded = true;
 }
diff --git a/wp-content/plugins/event-list/includes/sc_event-list.php b/wp-content/plugins/event-list/includes/sc_event-list.php
index c34ddbef3..538b31c91 100644
--- a/wp-content/plugins/event-list/includes/sc_event-list.php
+++ b/wp-content/plugins/event-list/includes/sc_event-list.php
@@ -101,17 +101,17 @@ class SC_Event_List {
 $a['actual_date'] = $this->get_actual_date($a);
 $a['actual_cat'] = $this->get_actual_cat($a);
 if(isset($_GET['event_id'.$a['sc_id']])) {
- $a['event_id'] = (int)$_GET['event_id'.$a['sc_id']];
+ $a['event_id'] = absint($_GET['event_id'.$a['sc_id']]);
 }
 elseif('all' != $a['initial_event_id'] && !isset($_GET['date'.$a['sc_id']]) && !isset($_GET['cat'.$a['sc_id']])) {
- $a['event_id'] = (int)$a['initial_event_id'];
+ $a['event_id'] = intval($a['initial_event_id']);
 }
 else {
 $a['event_id'] = null;
 }
 // fix sc_id_for_url if required
 if(!is_numeric($a['sc_id_for_url'])) {
- $a['sc_id_for_url'] = $a['sc_id'];
+ $a['sc_id_for_url'] = intval($a['sc_id']);
 }
 $out = '
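Review bot: The rewritten `if` on the changed line compares with `==`; use `===` here and in the `event_id` test above it, and declare the loop counter (`for(var i=0; ...)`) since `i` is otherwise an implicit global. Flattening the former `else if` with `continue` reads fine, but `urlArray[i].split("=")[0]` is now evaluated twice per iteration; hoist it with `var key = urlArray[i].split("=")[0];` at the top of the loop body and compare `key` in both tests. The enclosing function starts and ends outside the hunk.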
@@ -215,16 +215,10 @@ class SC_Event_List {
 $out .= '</h3></div>';
 // event time
 if('' != $event->time && $this->is_visible($a['show_starttime'])) {
- // set time format if a known format is available, else only show the text
- $date_array = date_parse($event->time);
- $time = $event->time;
- if(empty($date_array['errors']) && is_numeric($date_array['hour']) && is_numeric($date_array['minute'])) {
- $time = mysql2date(get_option('time_format'), $event->time);
- }
 if('' == $this->options->get('el_html_tags_in_time')) {
- $time = esc_attr($time);
+ $event->time = esc_attr($event->time);
 }
- $out .= '<span class="event-time">'.$time.'</span>';
+ $out .= '<span class="event-time">'.$event->time.'</span>';
 }
 // event location
 if('' != $event->location && $this->is_visible($a['show_location'])) {
diff --git a/wp-content/plugins/event-list/readme.txt b/wp-content/plugins/event-list/readme.txt
index afb84bda4..16a3c755f 100644
--- a/wp-content/plugins/event-list/readme.txt
+++ b/wp-content/plugins/event-list/readme.txt
@@ -3,8 +3,8 @@ Contributors: mibuthu, clhunsen
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=W54LNZMWF9KW2
 Tags: event, events, list, listview, calendar, schedule, shortcode, page, category, categories, filter, admin, attribute, widget, sidebar, feed, rss
 Requires at least: 3.8
-Tested up to: 4.7
-Stable tag: 0.7.8
+Tested up to: 4.8
+Stable tag: 0.7.9
 Plugin URI: http://wordpress.org/extend/plugins/event-list
 Licence: GPLv2
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
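Review bot: The changed lines write the escaped value back into `$event->time` instead of the local `$time` the old code used; `$event` is a row object from the DB layer, so any later use of the same object (the shortcode rendered twice on one page, or the list reused after this loop) sees an already-escaped or double-escaped value. Keep a local: `$time = ('' == $this->options->get('el_html_tags_in_time')) ? esc_html($event->time) : $event->time;` and output `$time`. Since the value lands between `<span>` tags, `esc_html()` is the escaper for that context; `esc_attr()` was carried over from the removed line. The enclosing method starts and ends outside the hunk.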
@@ -82,6 +82,13 @@ Another possibility would be to call the wordpress function "do_shortcode()".
 == Changelog ==
+= 0.7.9 (2017-06-12) =
+* fixed security vulnerability reported by wordpress
+* fixed / improved time handling and sorting according to time (fixed sorting will only work in new or modified events)
+* fixed problem with locale handling in older wordpress versions
+* fixed url when going back from event details page to event list page with a drowdown filter
+* fixed HTML format issue in admin event table (with not properly nested tag warning)
+
 = 0.7.8 (2017-03-17) =
 * improved datepicker style in new/edit event view
 * show datepicker in correct language
-- 
GitLab