Commit 6a561172 authored by shammash's avatar shammash Committed by lechuck

updated events-calendar to 6.7.13

parent 4845f467
......@@ -45,10 +45,10 @@ $ecoptions = get_option('optionsEventsCalendar');
$ec_hide = $ecoptions['hidesponsor'] == 'true' ? 'display:none;' : '';
$widget_sponsor_message = '';
$large_sponsor_message = '';
if(!$ec_hide) {
$widget_sponsor_message = '<span style="font-size:.75em;">WPEC is proudly sponsored by <br /><a href="http://www.truemediaconcepts.com">True Media Concepts</a></span>' . "\n";
$large_sponsor_message = '<span style="font-size:.7em;">WP Events Calendar is proudly sponsored by <a href="http://www.truemediaconcepts.com">True Media Concepts</a></span>' . "\n";
}
// if(!$ec_hide) {
// $widget_sponsor_message = '<span style="font-size:.75em;">WPEC is proudly sponsored by <br /><a href="http://www.truemediaconcepts.com">True Media Concepts</a></span>' . "\n";
// $large_sponsor_message = '<span style="font-size:.7em;">WP Events Calendar is proudly sponsored by <a href="http://www.truemediaconcepts.com">True Media Concepts</a></span>' . "\n";
// }
/**
* Displays the events list and the calendars
*
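Review bot: `$ecoptions['hidesponsor']` on the first context line of this hunk is now read from an option array that may never contain that key, because the later EC_Management hunks comment out both places that wrote it (the defaults block and the options form handler), so new installs will emit an undefined-index notice on every load. Since the sponsor message is disabled, the cleanest fix is to drop the `$ec_hide` computation entirely if nothing else in the file still uses it; otherwise guard it: `$ec_hide = (isset($ecoptions['hidesponsor']) && $ecoptions['hidesponsor'] == 'true') ? 'display:none;' : '';`. The replaced `if(!$ec_hide)` block is kept as a commented-out copy right below its deletion; it should be removed rather than commented, since version control already keeps that history and the duplicated markup invites someone to re-enable it by accident.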
......@@ -225,7 +225,8 @@ class EC_DB {
* @param int $postId post id if use activated it
*/
function addEvent($title, $location, $linkout, $description, $startDate, $startTime, $endDate, $endTime, $accessLevel, $postID) {
$postID = is_null($postID) ? "NULL" : "'$postID'";
global $wpdb;
/*$postID = is_null($postID) ? "NULL" : "'$postID'";
$location = is_null($location) ? "NULL" : "'$location'";
$description = is_null($description) ? "NULL" : "'$description'";
$startDate = is_null($startDate) ? "NULL" : "'$startDate'";
......@@ -234,13 +235,41 @@ class EC_DB {
$startTime = is_null($startTime) ? "NULL" : "'$startTime'";
$accessLevel = is_null($accessLevel) ? "NULL" : "'$accessLevel'";
$endTime = is_null($endTime) ? "NULL" : "'$endTime'";
*/
$sql = "INSERT INTO `$this->mainTable` ("
/*$sql = "INSERT INTO `$this->mainTable` ("
."`id`, `eventTitle`, `eventDescription`, `eventLocation`, `eventLinkout`,`eventStartDate`, `eventStartTime`, `eventEndDate`, `eventEndTime`, `accessLevel`, `postID`) "
."VALUES ("
."NULL , '$title', $description, $location, $linkout, $startDate, $startTime, $endDate, $endTime , $accessLevel, $postID);";
$this->db->query($sql);
$this->db->query($sql);*/
// Fix for sql injection possibility by @zap1989
$postID = is_null($postID) ? null : "$postID";
$location = is_null($location) ? null : "$location";
$description = is_null($description) ? null : "$description";
$startDate = is_null($startDate) ? null : "$startDate";
$endDate = is_null($endDate) ? null : "$endDate";
$linkout = is_null($linkout) ? null : "$linkout";
$startTime = is_null($startTime) ? null : "$startTime";
$accessLevel = is_null($accessLevel) ? null : "$accessLevel";
$endTime = is_null($endTime) ? null : "$endTime";
$wpdb->insert(
$this->mainTable,
array(
'eventTitle' => $title,
'eventDescription' => $description,
'eventLocation' => $location,
'eventLinkout' => $linkout,
'eventStartDate' => $startDate,
'eventStartTime' => $startTime,
'eventEndDate' => $endDate,
'eventEndTime' => $endTime,
'accessLevel' => $accessLevel,
'postID' => $postID
)
);
}
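Review bot: The nine `is_null($x) ? null : "$x"` reassignments that precede `$wpdb->insert()` are no-ops — interpolating a scalar into a string yields the same string and `null` stays `null` — so they contribute nothing to the injection fix and can be deleted; the same nine lines reappear in the editEvent hunk further down. What does matter is that `$wpdb->insert()` is called without its `$format` argument, so every column, including `postID` and `accessLevel`, is sent through `%s`; passing an explicit format array with `'%d'` for the integer columns documents the expected types and coerces those values to integers before they reach the query. On the WordPress versions this plugin declares support for, a `null` value given to `$wpdb->insert()` is, as far as I can tell, formatted as an empty string rather than SQL `NULL`, which differs from the literal `NULL` the old query produced for absent fields — worth confirming against the target wpdb version. addEvent's signature and the `global $wpdb` line are in the previous hunk; mixing `global $wpdb` with the `$this->db` handle the class used before is also an inconsistency worth settling one way or the other.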
/**
......@@ -259,11 +288,11 @@ class EC_DB {
* @param int $postId post id if use activated it
*/
function editEvent($id, $title, $location, $linkout, $description, $startDate, $startTime, $endDate, $endTime, $accessLevel, $postID) {
global $wpdb;
// just to make sure
if (empty($id))
return;
/*
// todo get rid of the quotes here. don't need them anymore
// since we are using wpdb->prepare()
$postID = is_null($postID) ? "NULL" : "'$postID'";
......@@ -276,7 +305,8 @@ class EC_DB {
$startTime = is_null($startTime) ? "NULL" : "'$startTime'";
$accessLevel = is_null($accessLevel) ? "NULL" : "'$accessLevel'";
$endTime = is_null($endTime) ? "NULL" : "'$endTime'";
*/
/*
$sql = "UPDATE `$this->mainTable` SET "
."`eventTitle` = '$title', "
."`eventDescription` = $description, "
......@@ -291,6 +321,38 @@ class EC_DB {
." WHERE `id` = $id LIMIT 1;";
$this->db->query($sql);
*/
// Fix for sql injection possibility by @zap1989
$postID = is_null($postID) ? null : "$postID";
$location = is_null($location) ? null : "$location";
$description = is_null($description) ? null : "$description";
$startDate = is_null($startDate) ? null : "$startDate";
$endDate = is_null($endDate) ? null : "$endDate";
$linkout = is_null($linkout) ? null : "$linkout";
$startTime = is_null($startTime) ? null : "$startTime";
$accessLevel = is_null($accessLevel) ? null : "$accessLevel";
$endTime = is_null($endTime) ? null : "$endTime";
$wpdb->update(
$this->mainTable,
array(
'eventTitle' => $title,
'eventDescription' => $description,
'eventLocation' => $location,
'eventLinkout' => $linkout,
'eventStartDate' => $startDate,
'eventStartTime' => $startTime,
'eventEndDate' => $endDate,
'eventEndTime' => $endTime,
'accessLevel' => $accessLevel,
'postID' => $postID
),
array(
'id' => $id
)
);
}
/**
......@@ -120,10 +120,10 @@ class EC_Management {
// adds a new event to database
if(isset($_POST['EC_addEventFormSubmitted'])) {
// all the strings are escaped.
$title = $wpdb->escape($_POST['EC_title']);
$location = isset($_POST['EC_location']) && !empty($_POST['EC_location']) ? $wpdb->escape($_POST['EC_location']) : null;
$linkout = isset($_POST['EC_linkout']) && !empty($_POST['EC_linkout']) && ($_POST['EC_linkout'] != $this->deflinkout) ? $wpdb->escape($_POST['EC_linkout']) : null;
$description = $wpdb->escape($_POST['EC_description']);
$title = $_POST['EC_title'];
$location = isset($_POST['EC_location']) && !empty($_POST['EC_location']) ? $_POST['EC_location'] : null;
$linkout = isset($_POST['EC_linkout']) && !empty($_POST['EC_linkout']) && ($_POST['EC_linkout'] != $this->deflinkout) ? $_POST['EC_linkout'] : null;
$description = $_POST['EC_description'];
$startDate = isset($_POST['EC_startDate']) && !empty($_POST['EC_startDate'])? $_POST['EC_startDate'] : date('Y-m-d');
$startTime = isset($_POST['EC_startTime']) && !empty($_POST['EC_startTime']) ? $_POST['EC_startTime'] : null;
$endDate = isset($_POST['EC_endDate']) && !empty($_POST['EC_endDate']) ? $_POST['EC_endDate'] : $startDate;
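Review bot: The raw `$_POST` values now passed to the database layer are, inside WordPress core, already slash-escaped by its magic-quotes handling before the plugin sees them, so unless an unslash step precedes this block outside the hunk, `$wpdb->insert()` will escape the added backslash a second time and a title such as O'Brien is still stored with a literal backslash — the very symptom this commit sets out to fix. Dropping `$wpdb->escape()` is the right half of the change; the other half is to unslash the input once at this boundary, e.g. `$title = stripslashes($_POST['EC_title']);` (or `stripslashes_deep()` over the submitted fields), and the `stripslashes()` applied on read in editEventForm suggests stored data has carried slashes before. The block also reads `$_POST['EC_title']` and `$_POST['EC_description']` without the `isset()` guard its neighbouring optional fields use, so a request missing either key raises an undefined-index notice; applying the same `isset(...) && !empty(...) ? ... : ''` pattern keeps the handling consistent. The enclosing handler continues past the end of the hunk.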
......@@ -266,7 +266,7 @@ class EC_Management {
* @param int $postID associated post id if available.
*/
function editEvent($id, $title, $location, $linkout, $description, $startDate, $startTime, $endDate, $endTime, $accessLevel, $postID) {
$this->db->editEvent($id, addslashes($title), $location, $linkout, $description, $startDate, $startTime, $endDate, $endTime, $accessLevel, $postID);
$this->db->editEvent($id, $title, $location, $linkout, $description, $startDate, $startTime, $endDate, $endTime, $accessLevel, $postID);
}
/**
......@@ -430,6 +430,8 @@ class EC_Management {
* @param int $id the event id.
*/
function editEventForm($id) {
if( !is_numeric( $id ) )
die( 'You should not be here.' );
$event = $this->db->getEvent($id);
$event = $event[0];
$linkout = !is_null($event->eventLinkout) ? stripslashes($event->eventLinkout) : $this->deflinkout;
......@@ -657,7 +659,7 @@ class EC_Management {
$options['daynamelength'] = '3';
$options['daynamelengthLarge'] = '3';
$options['jqueryextremstatus'] = 'false';
$options['hidesponsor'] = 'false';
//$options['hidesponsor'] = 'false';
}
if (isset($_POST['optionsEventsCalendarSubmitted']) && $_POST['optionsEventsCalendarSubmitted']) {
//echo var_dump($_POST);
......@@ -673,7 +675,7 @@ class EC_Management {
$options['daynamelength'] = isset($_POST['daynamelength']) && !empty($_POST['daynamelength']) ? $_POST['daynamelength'] : '3';
$options['daynamelengthLarge'] = isset($_POST['daynamelengthLarge']) && !empty($_POST['daynamelengthLarge']) ? $_POST['daynamelengthLarge'] : '3';
$options['jqueryextremstatus'] = isset($_POST['jqxstatus']) ? $_POST['jqxstatus'] : 'false';
$options['hidesponsor'] = isset($_POST['hidesponsor']) ? $_POST['hidesponsor'] : 'false';
// $options['hidesponsor'] = isset($_POST['hidesponsor']) ? $_POST['hidesponsor'] : 'false';
$options['accessLevel'] = $_POST['EC_accessLevel'];
update_option('optionsEventsCalendar', $options);
......@@ -756,10 +758,10 @@ class EC_Management {
<th width="33%" scope="row" valign="top" style="text-align:right;"><label for="jqxstatus"><?php _e('jQuery Extrem Protection (checked = yes)','events-calendar'); ?></label></th>
<td width="67%"><input type="checkbox" <?php echo ($options['jqueryextremstatus']=="true") ? " checked" : "";?> name="jqxstatus" id="EC_jqxstatus" value="true" /> <?php _e('(Check if you don\'t see the Tooltips)','events-calendar'); ?></td>
</tr>
<tr>
<?php /*<tr>
<th width="33%" scope="row" valign="top" style="text-align:right;"><label for="hidesponsor"><?php _e('Hide sponsor message?','events-calendar'); ?></label></th>
<td width="67%"><input type="checkbox" <?php echo ($options['hidesponsor']=="true") ? " checked" : "";?> name="hidesponsor" id="EC_hidesponsor" value="true" /> <?php _e('(Hides the sponsor message. Please don\'t, but if you do please donate.)','events-calendar'); ?></td>
</tr>
</tr>*/?>
</table>
<input type="hidden" name="optionsEventsCalendarSubmitted" value="1" />
<p class="submit">
......@@ -3,7 +3,7 @@
Plugin Name: WP Events Calendar
Plugin URI: http://www.wp-eventscalendar.com
Description: There are options under the widget options to specify the view of the calendar in the sidebar. The widget can be a list for upcoming events or a calendar. If you do not have a widget ready theme then you can place `&lt;?php SidebarEventsCalendar();?&gt;`, or `&lt;?php SidebarEventsList();?&gt;` for an event list, in the sidebar.php file of your theme. If you want to display a large calendar in a post or a page, simply place `[events-calendar-large]` in the html of the post or page. Make sure to leave off the quotes.
Version: 6.7.9
Version: 6.7.13
Author: Luke Howell
Author URI: http://www.lukehowell.com
*/
......@@ -2,11 +2,11 @@
Contributors: snumb130
Donate link: http://www.wp-eventscalendar.com/donate
Version: 6.7.9
Version: 6.7.13
Tags: event, calendar, date, time, widget, admin, sidebar, plugin, javascript, thickbox, jquery, tooltip, ajax
Requires at least: 2.7.1
Tested up to: 3.0
Stable tag: 6.7.9
Tested up to: 3.1.3
Stable tag: 6.7.13
Events-Calendar is a versatile replacement for the original WordPress calendar adding many useful functions to keep track of your events.
......@@ -20,15 +20,13 @@ If you are not using a widget ready theme, you can still have the calendar on yo
The ability to add a large public calendar is available by posting a page and adding `[events-calendar-large]` to the page content to create a stand alone calendar page. Also, when entering an event from the admin section, you can check the box saying "Create Post for Event", which will cause a post to be created with the event information.
Additional features will be added so make sure that you keep up to date on upcoming changes and new features by subscribing to the [RSS feed on the Events Calendar site](http://www.wp-eventscalendar.com/feed). If you have a feature you would like added in future versions, feel free to submit it to our [bug tracker](http://tracker.eventscalendar.com).
Additional features will be added so make sure that you keep up to date on upcoming changes and new features by subscribing to the [RSS feed on the Events Calendar site](http://www.wp-eventscalendar.com/feed).
== Installation ==
1. Upload `events-calendar` folder to the `/wp-content/plugins/` directory.
2. Activate the plugin through the Plugins menu in the Dashboard.
3. Set options under Events Calendar/Options on the admin menu.
**When updating, you will need to deactivate and reactivate the plugin.**
== Screenshots ==
......@@ -39,7 +37,26 @@ Additional features will be added so make sure that you keep up to date on upcom
5. Events Calendar as Widget List
6. Events Calendar as Large Calendar
== Upgrade Notice ==
= 6.7.13 =
* This update fixes the issue with slashes in events. This will work on new events, and will be corrected when editing events. Backup before upgrading.
= 6.7.12a =
* This update fixes an XSS injection attack to the Wordpress plugin admin page that allowed for execution of arbitrary HTML code. When updating please backup your CSS file if you have made customizations to the stylesheet.
== Changelog ==
= 6.7.13 =
* This update fixes the issue with slashes in events. This will work on new events, and will be corrected when editing events. Backup before upgrading.
= 6.7.12 =
* This update fixes an XSS injection attack to the Wordpress plugin admin page that allowed for execution of arbitrary HTML code. When updating please backup your CSS file if you have made customizations to the stylesheet.
= 6.7.11 =
* Removing sponsor message
= 6.7.10 =
* Fixed SQL injection vulnerability pointed out by @zap1989
= 6.7.9 =
* Changed the way the sponsor message is shown and hidden to prevent have hidden links that were hurting SEO.