Release new version 2.5.2

* This maintenance release contains more code security hardening updates – please run it now.
* Security - Define new esc_attribute_array_e function to escape attribute array late for echo
* Security - Escape $default_color late for echo
* Security - Put $-variable additional with html include into wp_kses_post
* Security - Turn off display_errors to prevent malformed JSON from API for when WP_DEBUG is set to off OR WP_DEBUG_DISPLAY is set to off
* Framework - Allow filters output of CSS are generated from plugin framework
* Framework - Upgrade Plugin Framework to version 2.6.0

Author: alextuan

admin/admin-init.php

@@ -281,7 +281,7 @@ public function admin_settings_tab( $current_page = '', $tab_data = array()  ) {
 			$separate_text = '';
 			$activated_first_subtab = false;
 			foreach ( $subtabs as $subtab ) {
-				echo '<li>' . $separate_text . '<a href="#' . trim( esc_attr( $subtab['name'] ) ) . '" class="';
+				echo '<li>' . esc_html( $separate_text ) . '<a href="#' . trim( esc_attr( $subtab['name'] ) ) . '" class="';
 				if ( $current_subtab == '' && $activated_first_subtab === false ) {
 					echo 'current';
 					$activated_first_subtab = true;

admin/admin-interface.php

@@ -33,7 +33,7 @@ class Admin_UI
 	 * You must change to correct plugin name that you are working
 	 */
 
-	public $framework_version      = '2.5.0';
+	public $framework_version      = '2.6.0';
 	public $plugin_name            = A3_PVC_KEY;
 	public $plugin_path            = A3_PVC_PLUGIN_NAME;
 	public $google_api_key_option  = '';
@@ -259,7 +259,7 @@ public function plugin_premium_video_box( $echo = true ) {
 		$output = apply_filters( $this->plugin_name . '_plugin_premium_video', $output );
 
 		if ( $echo )
-			echo $output;
+			echo wp_kses_post( $output );
 		else
 			return $output;
 	}
@@ -280,7 +280,7 @@ public function plugin_premium_video( $echo = false ) {
 		$output .= '</div>';
 
 		if ( $echo )
-			echo $output;
+			echo wp_kses_post( $output );
 		else
 			return $output;
 	}
@@ -298,7 +298,7 @@ public function plugin_premium_video_text( $echo = false ) {
 		}
 
 		if ( $echo )
-			echo $output;
+			echo wp_kses_post( $output );
 		else
 			return $output;
 	}
@@ -332,7 +332,7 @@ public function plugin_extension_boxes( $echo = false ) {
 		}
 
 		if ( $echo )
-			echo $output;
+			echo wp_kses_post( $output );
 		else
 			return $output;
 	}
@@ -353,7 +353,7 @@ public function plugin_extension_start( $echo = true ) {
 		$output = apply_filters( $this->plugin_name . '_plugin_extension_start', $output );
 
 		if ( $echo )
-			echo $output;
+			echo wp_kses_post( $output );
 		else
 			return $output;
 	}
@@ -369,7 +369,7 @@ public function plugin_extension_end( $echo = true ) {
 		$output = apply_filters( $this->plugin_name . '_plugin_extension_end', $output );
 
 		if ( $echo )
-			echo $output;
+			echo wp_kses_post( $output );
 		else
 			return $output;
 
@@ -389,7 +389,7 @@ public function upgrade_top_message( $echo = false, $setting_id = '' ) {
 
 		$upgrade_top_message = apply_filters( $this->plugin_name . '_upgrade_top_message', $upgrade_top_message, $setting_id );
 
-		if ( $echo ) echo $upgrade_top_message;
+		if ( $echo ) echo wp_kses_post( $upgrade_top_message );
 		else return $upgrade_top_message;
 
 	}

admin/admin-ui.php

@@ -620,10 +620,14 @@ public function generate_font_css( $option, $em = '1.2' ) {
             $line_height = $option['line_height'];
         }
 
+        $font_css = '';
+
 		if ( !@$option['style'] && !@$option['size'] && !@$option['color'] )
-			return 'font-family: '.stripslashes($option["face"]).' !important;';
+			$font_css = 'font-family: '.stripslashes($option["face"]).' !important;';
 		else
-			return 'font:'.$option['style'].' '.$option['size'].'/' . $line_height . ' ' .stripslashes($option['face']).' !important; color:'.$option['color'].' !important;';
+			$font_css = 'font:'.$option['style'].' '.$option['size'].'/' . $line_height . ' ' .stripslashes($option['face']).' !important; color:'.$option['color'].' !important;';
+
+		return apply_filters( $this->plugin_name . '_generate_font_css', $font_css, $option, $em );
 	}
 
 

admin/includes/fonts_face.php

@@ -2,7 +2,7 @@
 /*
 Plugin Name: Page Views Count
 Description: Show front end users all time views and views today on posts, pages, index pages and custom post types with the Page Views Count Plugin. Use the Page Views Count function to add page views to any content type or object created by your theme or plugins.
-Version: 2.5.1
+Version: 2.5.2
 Requires at least: 5.6
 Tested up to: 5.9.1
 Author: a3rev Software
@@ -23,7 +23,7 @@
 
 define( 'A3_PVC_KEY', 'a3_page_view_count' );
 define( 'A3_PVC_PREFIX', 'wp_pvc_' );
-define( 'A3_PVC_VERSION', '2.5.1' );
+define( 'A3_PVC_VERSION', '2.5.2' );
 define( 'A3_PVC_G_FONTS', false );
 
 use \A3Rev\PageViewsCount\FrameWork;

page-views-count.php

@@ -3,7 +3,7 @@ Contributors: a3rev, a3rev Software, nguyencongtuan
 Tags: wordpress page view, page view count , post views, post view count, gutenberg
 Requires at least: 5.6
 Tested up to: 5.9.1
-Stable tag: 2.5.1
+Stable tag: 2.5.2
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -102,6 +102,15 @@ The manual installation method involves down loading our plugin and uploading it
 
 == Changelog ==
 
+= 2.5.2 - 2022/03/07 =
+* This maintenance release contains more code security hardening updates � please run it now.
+* Security - Define new esc_attribute_array_e function to escape attribute array late for echo
+* Security - Escape $default_color late for echo
+* Security - Put $-variable additional with html include into wp_kses_post
+* Security - Turn off display_errors to prevent malformed JSON from API for when WP_DEBUG is set to off OR WP_DEBUG_DISPLAY is set to off
+* Framework - Allow filters output of CSS are generated from plugin framework
+* Framework - Upgrade Plugin Framework to version 2.6.0
+
 = 2.5.1 - 2022/02/25 =
 * This maintenance release contains security hardening updates - please run it now.
 * Security - Apply wp_kses_post for $-variables that include html before output
@@ -501,6 +510,9 @@ The manual installation method involves down loading our plugin and uploading it
 
 == Upgrade Notice ==
 
+= 2.5.2 =
+This maintenance release contains more code security hardening updates � please run it now.
+
 = 2.5.1 =
 This maintenance release contains security hardening updates - please run it now.
 

readme.txt

@@ -63,7 +63,9 @@ public function get_stats( $ids = array() ) {
     }
 
     public function increase_stats( \WP_REST_Request $request ) {
-        @ini_set( 'display_errors', false );
+        if ( ! WP_DEBUG || ( WP_DEBUG && ! WP_DEBUG_DISPLAY ) ) {
+            @ini_set( 'display_errors', false ); // Turn off display_errors to prevent malformed JSON.
+        }
 
         $post_ids_text = $request->get_param( 'post_ids' );
 
@@ -102,7 +104,9 @@ public function increase_stats( \WP_REST_Request $request ) {
     }
 
     public function view_stats( \WP_REST_Request $request ) {
-        @ini_set( 'display_errors', false );
+        if ( ! WP_DEBUG || ( WP_DEBUG && ! WP_DEBUG_DISPLAY ) ) {
+            @ini_set( 'display_errors', false ); // Turn off display_errors to prevent malformed JSON.
+        }
 
         $post_ids_text = $request->get_param( 'post_ids' );
 

src/api/pvc-api.php

@@ -26,7 +26,7 @@ public function parse_shortcode( $attr = array() ) {
 				'show_views_today' => 1,
 			), $attr );
 
-		$postid           = esc_attr( $attr['postid'] ); // XSS ok
+		$postid           = esc_attr( $attr['postid'] );
 		$increase         = intval( $attr['increase'] );
 		$show_views_today = intval( $attr['show_views_today'] );