Release new version 2.4.11

= 2.4.11 - 2021/07/13 =
* This maintenance release has more code security hardening
* Security - Add more variable, options and html escaping
* Tweak - Skipped version 2.4.10 to avoid PHP misread

Author: alextuan

admin/admin-init.php

@@ -228,7 +228,7 @@ public function admin_settings_page( $page_data = array() ) {
 							$tab_data = $tab;
 						}
 						echo ' ' . esc_attr( sanitize_title( $tab['name'] ) );
-						echo '">' . $tab['label'] . '</a>';
+						echo '">' . esc_html( $tab['label'] ) . '</a>';
 					}
 
 					do_action( $this->plugin_name . '-' . $current_page . '_settings_tabs' );
@@ -281,15 +281,15 @@ public function admin_settings_tab( $current_page = '', $tab_data = array()  ) {
 			$separate_text = '';
 			$activated_first_subtab = false;
 			foreach ( $subtabs as $subtab ) {
-				echo '<li>' . $separate_text . '<a href="#' . trim( $subtab['name'] ) . '" class="';
+				echo '<li>' . $separate_text . '<a href="#' . trim( esc_attr( $subtab['name'] ) ) . '" class="';
 				if ( $current_subtab == '' && $activated_first_subtab === false ) {
 					echo 'current';
 					$activated_first_subtab = true;
 					$current_subtab = $subtab['name'];
 				} elseif ( $current_subtab == $subtab['name'] ) {
 					echo 'current';
 				}
-				echo '">' . $subtab['label'] . '</a></li>' . "\n";
+				echo '">' . esc_html( $subtab['label'] ) . '</a></li>' . "\n";
 
 				$separate_text = ' | ';
 			}

admin/admin-interface.php

@@ -310,7 +310,7 @@ public function init_form_fields() {
 	 										'default'	=> '',
 									),
 									array(  'id' 		=> 'total_text_after',
-	 										'name' 		=> ' <span class="description"> ' .__( 'Empty Field = Nothing Shows', 'page-views-count' ) . '</span>',
+	 										'name' 		=> __( 'Empty Field = Nothing Shows', 'page-views-count' ),
 	 										'css'		=> 'width:200px;',
 	 										'default'	=> __( 'total views', 'page-views-count' ) 
 									),
@@ -327,7 +327,7 @@ public function init_form_fields() {
 	 										'default'	=> '',
 									),
 									array(  'id' 		=> 'today_text_after',
-	 										'name' 		=> ' <span class="description"> ' .__( 'Empty Field = Nothing Shows', 'page-views-count' ) . '</span>', 
+	 										'name' 		=> __( 'Empty Field = Nothing Shows', 'page-views-count' ), 
 	 										'css'		=> 'width:200px;',
 	 										'default'	=> __( 'views today', 'page-views-count' ) 
 									),

admin/settings/general-settings.php

@@ -3,7 +3,7 @@ Contributors: a3rev, a3rev Software, nguyencongtuan
 Tags: wordpress page view, page view count , post views, post view count, gutenberg
 Requires at least: 5.0
 Tested up to: 5.8
-Stable tag: 2.4.9
+Stable tag: 2.4.11
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -103,6 +103,11 @@ The manual installation method involves down loading our plugin and uploading it
 
 == Changelog ==
 
+= 2.4.11 - 2021/07/13 =
+* This maintenance release has more code security hardening 
+* Security - Add more variable, options and html escaping
+* Tweak - Skipped version 2.4.10 to avoid PHP misread
+
 = 2.4.9 - 2021/07/10 =
 * This maintenance release has code rewrites for WordPress 5.8 compatibility plus a Security patch
 * Tweak - Test for compatibility with WordPress 5.8
@@ -463,6 +468,9 @@ The manual installation method involves down loading our plugin and uploading it
 
 == Upgrade Notice ==
 
+= 2.4.11 =
+This maintenance release has more code security hardening.
+
 = 2.4.9 =
 This maintenance release has code rewrites for WordPress 5.8 compatibility plus a Security patch
 

readme.txt

@@ -69,11 +69,11 @@ class="a3_pvc_activated"
 	    		<div class="a3_pvc_activated_container">
 		    		<p>
 		    			<label for="a3_pvc_total_views" style="display: inline-block; width: 100px;"><?php _e( 'All Time Views', 'page-views-count' ) ?></label>
-		    			<input type="text" name="a3_pvc_total_views" id="a3_pvc_total_views" value="<?php echo $total_views; ?>" style="width: 100px;" />
+		    			<input type="text" name="a3_pvc_total_views" id="a3_pvc_total_views" value="<?php echo esc_attr( $total_views ); ?>" style="width: 100px;" />
 		    		</p>
 		    		<p>
 		    			<label for="a3_pvc_today_views" style="display: inline-block; width: 100px;"><?php _e( 'Today Views', 'page-views-count' ) ?></label>
-		    			<input type="text" name="a3_pvc_today_views" id="a3_pvc_today_views" value="<?php echo $today_views; ?>" style="width: 100px;" />
+		    			<input type="text" name="a3_pvc_today_views" id="a3_pvc_today_views" value="<?php echo esc_attr( $today_views ); ?>" style="width: 100px;" />
 		    		</p>
 	    		</div>
 	    	</div>

src/metabox/class-pvc-metabox.php

@@ -230,10 +230,10 @@ public static function register_plugin_scripts() {
 	<?php // phpcs:disable ?>
     <!-- PVC Template -->
     <script type="text/template" id="pvc-stats-view-template">
-    <i class="pvc-stats-icon <?php echo $pvc_settings['icon_size']; ?>" aria-hidden="true"><?php echo ( 'eye' == $pvc_settings['icon'] ? self::$eye_icon : self::$chart_icon ); ?></i> 
-	<?php echo $pvc_settings['total_text_before']; ?> <%= total_view %> <?php echo $pvc_settings['total_text_after']; ?>
+    <i class="pvc-stats-icon <?php echo esc_attr( $pvc_settings['icon_size'] ); ?>" aria-hidden="true"><?php echo ( 'eye' == $pvc_settings['icon'] ? self::$eye_icon : self::$chart_icon ); ?></i> 
+	<?php echo esc_html( $pvc_settings['total_text_before'] ); ?> <%= total_view %> <?php echo esc_html( $pvc_settings['total_text_after'] ); ?>
 	<% if ( today_view > 0 ) { %>
-		<span class="views_today">, <?php echo $pvc_settings['today_text_before']; ?> <%= today_view %> <?php echo $pvc_settings['today_text_after']; ?></span>
+		<span class="views_today">, <?php echo esc_html( $pvc_settings['today_text_before'] ); ?> <%= today_view %> <?php echo esc_html( $pvc_settings['today_text_after'] ); ?></span>
 	<% } %>
 	</span>
 	</script>

src/pvc_class.php

@@ -97,21 +97,21 @@ function form( $instance ) {
 		$show_views_today = intval( $instance['show_views_today'] );
 ?>
 		<p>
-			<label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title', 'page-views-count' ); ?>:</label>
-			<input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo $title; ?>" />
+			<label for="<?php echo esc_attr( $this->get_field_id('title') ); ?>"><?php _e('Title', 'page-views-count' ); ?>:</label>
+			<input class="widefat" id="<?php echo esc_attr( $this->get_field_id('title') ); ?>" name="<?php echo esc_attr( $this->get_field_name('title') ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" />
 		</p>
         <p>
-			<label for="<?php echo $this->get_field_id('postid'); ?>"><?php _e('Post/Page ID', 'page-views-count' ); ?>:</label>
-			<input style="width:50px;" id="<?php echo $this->get_field_id('postid'); ?>" name="<?php echo $this->get_field_name('postid'); ?>" type="text" value="<?php echo $postid; ?>" /> <br />
+			<label for="<?php echo esc_attr( $this->get_field_id('postid') ); ?>"><?php _e('Post/Page ID', 'page-views-count' ); ?>:</label>
+			<input style="width:50px;" id="<?php echo esc_attr( $this->get_field_id('postid') ); ?>" name="<?php echo esc_attr( $this->get_field_name('postid') ); ?>" type="text" value="<?php echo esc_attr( $postid ); ?>" /> <br />
 			<span class="description"><?php _e( 'Post/Page ID want to show stats, leave empty for use ID of current post.', 'page-views-count' ); ?></span>
 		</p>
         <p>
-        	<input type="checkbox" <?php checked( $increase, 1 ); ?> id="<?php echo $this->get_field_id('increase'); ?>" name="<?php echo $this->get_field_name('increase'); ?>" value="1" />
-        	<label for="<?php echo $this->get_field_id('increase'); ?>"><?php _e( 'Increase count', 'page-views-count' ); ?></label>
+        	<input type="checkbox" <?php checked( $increase, 1 ); ?> id="<?php echo esc_attr( $this->get_field_id('increase') ); ?>" name="<?php echo esc_attr( $this->get_field_name('increase') ); ?>" value="1" />
+        	<label for="<?php echo esc_attr( $this->get_field_id('increase') ); ?>"><?php _e( 'Increase count', 'page-views-count' ); ?></label>
         </p>
         <p>
-        	<input type="checkbox" <?php checked( $show_views_today, 1 ); ?> id="<?php echo $this->get_field_id('show_views_today'); ?>" name="<?php echo $this->get_field_name('show_views_today'); ?>" value="1" />
-        	<label for="<?php echo $this->get_field_id('show_views_today'); ?>"><?php _e( 'Show Views Today', 'page-views-count' ); ?></label>
+        	<input type="checkbox" <?php checked( $show_views_today, 1 ); ?> id="<?php echo esc_attr( $this->get_field_id('show_views_today') ); ?>" name="<?php echo esc_attr( $this->get_field_name('show_views_today') ); ?>" value="1" />
+        	<label for="<?php echo esc_attr( $this->get_field_id('show_views_today') ); ?>"><?php _e( 'Show Views Today', 'page-views-count' ); ?></label>
         </p>
 <?php
 	}