Release new version 2.5.3

* This security release follows a full security audit with code refactoring, security hardening including additional escaping and sanitizing.
* Security - Define new esc_attribute_name_e function to escape attribute name late for echo
* Security - Define new esc_description_e function to escape description late for echo
* Security - Escape all $-variable
* Security - Sanitize all $_REQUEST, $_GET, $_POST
* Security - Apply wp_unslash before sanitize

Author: alextuan

admin/admin-init.php

@@ -199,7 +199,7 @@ public function admin_settings_page( $page_data = array() ) {
 			<?php
 					if ( $page_data !== false) {
 						echo esc_html( $page_data['page_title'] );
-						if ( isset( $page_data['view_doc'] ) ) echo $page_data['view_doc'];
+						if ( isset( $page_data['view_doc'] ) ) echo wp_kses_post( $page_data['view_doc'] );
 					}
 			?>
 			</h1>

admin/admin-interface.php

@@ -193,7 +193,7 @@ public function update_google_map_api_key() {
 
 			update_option( $this->google_map_api_key_option . '_enable', 1 );
 
-			$option_value = trim( sanitize_text_field( $_POST[ $this->google_map_api_key_option ] ) );
+			$option_value = trim( sanitize_text_field( wp_unslash( $_POST[ $this->google_map_api_key_option ] ) ) );
 			update_option( $this->google_map_api_key_option, $option_value );
 
 			if ( 1 != $old_google_map_api_key_enable ) {
@@ -208,7 +208,7 @@ public function update_google_map_api_key() {
 
 			update_option( $this->google_map_api_key_option . '_enable', 0 );
 
-			$option_value = trim( sanitize_text_field( $_POST[ $this->google_map_api_key_option ] ) );
+			$option_value = trim( sanitize_text_field( wp_unslash( $_POST[ $this->google_map_api_key_option ] ) ) );
 			update_option( $this->google_map_api_key_option, $option_value );
 
 			if ( 0 != $old_google_map_api_key_enable ) {

admin/admin-ui.php

@@ -403,7 +403,7 @@ public function update_google_font_api_key() {
 
 			update_option( $this->google_api_key_option . '_enable', 1 );
 
-			$option_value = trim( sanitize_text_field( $_POST[ $this->google_api_key_option ] ) );
+			$option_value = trim( sanitize_text_field( wp_unslash( $_POST[ $this->google_api_key_option ] ) ) );
 
 			$old_google_api_key_option = get_option( $this->google_api_key_option );
 
@@ -421,7 +421,7 @@ public function update_google_font_api_key() {
 
 			update_option( $this->google_api_key_option . '_enable', 0 );
 
-			$option_value = trim( sanitize_text_field( $_POST[ $this->google_api_key_option ] ) );
+			$option_value = trim( sanitize_text_field( wp_unslash( $_POST[ $this->google_api_key_option ] ) ) );
 			update_option( $this->google_api_key_option, $option_value );
 
 			if ( 0 != $old_google_api_key_enable ) {
@@ -657,14 +657,20 @@ public function generate_google_webfonts( $my_google_fonts = array(), $echo = tr
 			// Output google font css in header
 			if ( trim( $fonts ) != '' ) {
 				$fonts = str_replace( " ","+",$fonts);
-				$output .= "\n<!-- Google Webfonts -->\n";
-				$output .= '<link href="http'. ( is_ssl() ? 's' : '' ) .'://fonts.googleapis.com/css?family=' . $fonts .'" rel="stylesheet" type="text/css" />'."\n";
-				$output = str_replace( '|"','"',$output);
+
+				if ( $echo ) {
+					echo "\n<!-- Google Webfonts -->\n";
+					echo '<link href="http'. ( is_ssl() ? 's' : '' ) .'://fonts.googleapis.com/css?family=' . esc_attr( $fonts ) .'" rel="stylesheet" type="text/css" />'."\n";
+				} else {
+					$output .= "\n<!-- Google Webfonts -->\n";
+					$output .= '<link href="http'. ( is_ssl() ? 's' : '' ) .'://fonts.googleapis.com/css?family=' . esc_attr( $fonts ) .'" rel="stylesheet" type="text/css" />'."\n";
+					$output = str_replace( '|"','"',$output);
+				}
 			}
 		}
 
 		if ( $echo )
-			echo $output;
+			echo '';
 		else
 			return $output;
 

admin/includes/fonts_face.php

@@ -164,7 +164,7 @@ function add_view_count()
 
            if (function_exists('pvc_stats_update'))
                $html .= '<div class="add_view_count' . $class . '">' . pvc_stats_update($postid, 0) . '</div>';
-           echo $html;
+           echo wp_kses_post( $html );
        }
    }
 
@@ -192,7 +192,7 @@ function pvc_ict_t_e( $name, $string ) {
 	global $pvc_wpml;
 	$string = ( function_exists('icl_t') ? icl_t( $pvc_wpml->plugin_wpml_name, $name, $string ) : $string );
 
-	echo $string;
+	echo wp_kses_post( $string );
 }
 
 function pvc_ict_t__( $name, $string ) {

admin/plugin-init.php

@@ -7,8 +7,8 @@
 }
 /* Stats Icon */
 body .pvc-stats-icon, body .pvc-stats-icon svg {
-	color: <?php echo $pvc_settings['icon_color']; ?> !important;
-	fill: <?php echo $pvc_settings['icon_color']; ?> !important;
+	color: <?php echo esc_html( $pvc_settings['icon_color'] ); ?> !important;
+	fill: <?php echo esc_html( $pvc_settings['icon_color'] ); ?> !important;
 }
 body .pvc_stats {
 <?php if ( 'centre' == $pvc_settings['aligment'] ) { ?>

includes/customized_style.php

@@ -2,7 +2,7 @@
 /*
 Plugin Name: Page Views Count
 Description: Show front end users all time views and views today on posts, pages, index pages and custom post types with the Page Views Count Plugin. Use the Page Views Count function to add page views to any content type or object created by your theme or plugins.
-Version: 2.5.2
+Version: 2.5.3
 Requires at least: 5.6
 Tested up to: 5.9.1
 Author: a3rev Software
@@ -23,7 +23,7 @@
 
 define( 'A3_PVC_KEY', 'a3_page_view_count' );
 define( 'A3_PVC_PREFIX', 'wp_pvc_' );
-define( 'A3_PVC_VERSION', '2.5.2' );
+define( 'A3_PVC_VERSION', '2.5.3' );
 define( 'A3_PVC_G_FONTS', false );
 
 use \A3Rev\PageViewsCount\FrameWork;

page-views-count.php

@@ -3,7 +3,7 @@ Contributors: a3rev, a3rev Software, nguyencongtuan
 Tags: wordpress page view, page view count , post views, post view count, gutenberg
 Requires at least: 5.6
 Tested up to: 5.9.1
-Stable tag: 2.5.2
+Stable tag: 2.5.3
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -102,6 +102,14 @@ The manual installation method involves down loading our plugin and uploading it
 
 == Changelog ==
 
+= 2.5.3 - 2022/03/12 =
+* This security release follows a full security audit with code refactoring, security hardening including additional escaping and sanitizing. 
+* Security - Define new esc_attribute_name_e function to escape attribute name late for echo
+* Security - Define new esc_description_e function to escape description late for echo
+* Security - Escape all $-variable 
+* Security - Sanitize all $_REQUEST, $_GET, $_POST 
+* Security - Apply wp_unslash before sanitize
+
 = 2.5.2 - 2022/03/07 =
 * This maintenance release contains more code security hardening updates � please run it now.
 * Security - Define new esc_attribute_array_e function to escape attribute array late for echo
@@ -510,6 +518,9 @@ The manual installation method involves down loading our plugin and uploading it
 
 == Upgrade Notice ==
 
+= 2.5.3 =
+This security release follows a full security audit with code refactoring, security hardening including additional escaping and sanitizing.
+
 = 2.5.2 =
 This maintenance release contains more code security hardening updates � please run it now.
 

readme.txt

@@ -60,19 +60,19 @@ public function render_meta_box_content( $post ) {
 		    			class="a3_pvc_activated"
 		    			type="checkbox"
 		    			value="true"
-		    			checked_label="<?php _e( 'ON', 'page-views-count' ); ?>"
-						unchecked_label="<?php _e( 'OFF', 'page-views-count' ); ?>"
+		    			checked_label="<?php esc_attr_e( 'ON', 'page-views-count' ); ?>"
+						unchecked_label="<?php esc_attr_e( 'OFF', 'page-views-count' ); ?>"
 		    			<?php checked( $is_activated ); ?> />
-		    		<label for="a3_pvc_activated"><?php _e( 'Activate on this item', 'page-views-count' ) ?></label>
+		    		<label for="a3_pvc_activated"><?php esc_html_e( 'Activate on this item', 'page-views-count' ) ?></label>
 	    		</div>
 	    		<div style="clear:both;"></div>
 	    		<div class="a3_pvc_activated_container">
 		    		<p>
-		    			<label for="a3_pvc_total_views" style="display: inline-block; width: 100px;"><?php _e( 'All Time Views', 'page-views-count' ) ?></label>
+		    			<label for="a3_pvc_total_views" style="display: inline-block; width: 100px;"><?php esc_html_e( 'All Time Views', 'page-views-count' ) ?></label>
 		    			<input type="text" name="a3_pvc_total_views" id="a3_pvc_total_views" value="<?php echo esc_attr( $total_views ); ?>" style="width: 100px;" />
 		    		</p>
 		    		<p>
-		    			<label for="a3_pvc_today_views" style="display: inline-block; width: 100px;"><?php _e( 'Today Views', 'page-views-count' ) ?></label>
+		    			<label for="a3_pvc_today_views" style="display: inline-block; width: 100px;"><?php esc_html_e( 'Today Views', 'page-views-count' ) ?></label>
 		    			<input type="text" name="a3_pvc_today_views" id="a3_pvc_today_views" value="<?php echo esc_attr( $today_views ); ?>" style="width: 100px;" />
 		    		</p>
 	    		</div>
@@ -114,7 +114,7 @@ public function save( $post_id ) {
 		if ( ! isset( $_POST['a3_pvc_activation_custom_box_nonce'] ) )
 			return $post_id;
 
-		$nonce = $_POST['a3_pvc_activation_custom_box_nonce'];
+		$nonce = sanitize_text_field( wp_unslash( $_POST['a3_pvc_activation_custom_box_nonce'] ) );
 
 		// Verify that the nonce is valid.
 		if ( ! wp_verify_nonce( $nonce, 'a3_pvc_activation_custom_box' ) )
@@ -126,7 +126,7 @@ public function save( $post_id ) {
 			return $post_id;
 
 		// Check the user's permissions.
-		if ( 'page' == $_POST['post_type'] ) {
+		if ( isset( $_POST['post_type'] ) && 'page' == $_POST['post_type'] ) {
 
 			if ( ! current_user_can( 'edit_page', $post_id ) )
 				return $post_id;
@@ -149,8 +149,8 @@ public function save( $post_id ) {
 
 		// Manual change Total Views and Today Views
 		if ( isset( $_POST['a3_pvc_total_views'] ) && isset( $_POST['a3_pvc_today_views'] ) ) {
-			$total_views = absint( trim( $_POST['a3_pvc_total_views'] ) );
-			$today_views = absint( trim( $_POST['a3_pvc_today_views'] ) );
+			$total_views = sanitize_text_field( absint( $_POST['a3_pvc_total_views'] ) );
+			$today_views = sanitize_text_field( absint( $_POST['a3_pvc_today_views'] ) );
 
 			A3_PVC::pvc_stats_manual_update( $post_id, $total_views, $today_views );
 		}

src/metabox/class-pvc-metabox.php

@@ -323,7 +323,7 @@ public static function pvc_stats_echo(){
 			$pvc_settings = get_option('pvc_settings', array() );
 		}
 		if ( self::pvc_is_activated( $post->ID ) && 'no' != $pvc_settings['show_on_excerpt_content'] ) {
-			echo self::pvc_stats_counter($post->ID);
+			echo wp_kses_post( self::pvc_stats_counter($post->ID) );
 		}
 	}
 
@@ -335,13 +335,13 @@ public static function genesis_pvc_stats_echo(){
 			$pvc_settings = get_option('pvc_settings', array() );
 		}
 		if ( self::pvc_is_activated( $post->ID ) && 'no' != $pvc_settings['show_on_excerpt_content'] ) {
-			echo self::pvc_stats_counter($post->ID);
+			echo wp_kses_post( self::pvc_stats_counter($post->ID) );
 		}
 	}
 
 	public static function custom_stats_echo($postid=0, $have_echo = 1, $attributes = array() ){
 		if($have_echo == 1)
-			echo self::pvc_stats_counter($postid, false, $attributes );
+			echo wp_kses_post( self::pvc_stats_counter($postid, false, $attributes ) );
 		else
 			return self::pvc_stats_counter($postid, false, $attributes );
 	}
@@ -359,7 +359,7 @@ public static function custom_stats_update_echo($postid=0, $have_echo=1, $attrib
 		$output .= self::pvc_stats_counter($postid, true, $attributes );
 
 		if ( $have_echo == 1 )
-			echo $output;
+			echo wp_kses_post( $output );
 		else
 			return $output;
 	}

src/pvc_class.php

@@ -36,7 +36,7 @@ function widget( $args, $instance ) {
 			echo wp_kses_post( $args['before_title'] . $title . $args['after_title'] );
 		}
 
-		echo $pvc_stats_output;
+		echo wp_kses_post( $pvc_stats_output );
 
 		echo wp_kses_post( $args['after_widget'] );
 	}
@@ -96,21 +96,21 @@ function form( $instance ) {
 		$show_views_today = intval( $instance['show_views_today'] );
 ?>
 		<p>
-			<label for="<?php echo esc_attr( $this->get_field_id('title') ); ?>"><?php _e('Title', 'page-views-count' ); ?>:</label>
+			<label for="<?php echo esc_attr( $this->get_field_id('title') ); ?>"><?php esc_html_e('Title', 'page-views-count' ); ?>:</label>
 			<input class="widefat" id="<?php echo esc_attr( $this->get_field_id('title') ); ?>" name="<?php echo esc_attr( $this->get_field_name('title') ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" />
 		</p>
         <p>
-			<label for="<?php echo esc_attr( $this->get_field_id('postid') ); ?>"><?php _e('Post/Page ID', 'page-views-count' ); ?>:</label>
+			<label for="<?php echo esc_attr( $this->get_field_id('postid') ); ?>"><?php esc_html_e('Post/Page ID', 'page-views-count' ); ?>:</label>
 			<input style="width:50px;" id="<?php echo esc_attr( $this->get_field_id('postid') ); ?>" name="<?php echo esc_attr( $this->get_field_name('postid') ); ?>" type="text" value="<?php echo esc_attr( $postid ); ?>" /> <br />
-			<span class="description"><?php _e( 'Post/Page ID want to show stats, leave empty for use ID of current post.', 'page-views-count' ); ?></span>
+			<span class="description"><?php esc_html_e( 'Post/Page ID want to show stats, leave empty for use ID of current post.', 'page-views-count' ); ?></span>
 		</p>
         <p>
         	<input type="checkbox" <?php checked( $increase, 1 ); ?> id="<?php echo esc_attr( $this->get_field_id('increase') ); ?>" name="<?php echo esc_attr( $this->get_field_name('increase') ); ?>" value="1" />
-        	<label for="<?php echo esc_attr( $this->get_field_id('increase') ); ?>"><?php _e( 'Increase count', 'page-views-count' ); ?></label>
+        	<label for="<?php echo esc_attr( $this->get_field_id('increase') ); ?>"><?php esc_html_e( 'Increase count', 'page-views-count' ); ?></label>
         </p>
         <p>
         	<input type="checkbox" <?php checked( $show_views_today, 1 ); ?> id="<?php echo esc_attr( $this->get_field_id('show_views_today') ); ?>" name="<?php echo esc_attr( $this->get_field_name('show_views_today') ); ?>" value="1" />
-        	<label for="<?php echo esc_attr( $this->get_field_id('show_views_today') ); ?>"><?php _e( 'Show Views Today', 'page-views-count' ); ?></label>
+        	<label for="<?php echo esc_attr( $this->get_field_id('show_views_today') ); ?>"><?php esc_html_e( 'Show Views Today', 'page-views-count' ); ?></label>
         </p>
 <?php
 	}

src/pvc_widget.php

@@ -0,0 +1,26 @@
+<?php
+
+// platform_check.php @generated by Composer
+
+$issues = array();
+
+if (!(PHP_VERSION_ID >= 50600)) {
+    $issues[] = 'Your Composer dependencies require a PHP version ">= 5.6.0". You are running ' . PHP_VERSION . '.';
+}
+
+if ($issues) {
+    if (!headers_sent()) {
+        header('HTTP/1.1 500 Internal Server Error');
+    }
+    if (!ini_get('display_errors')) {
+        if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') {
+            fwrite(STDERR, 'Composer detected issues in your platform:' . PHP_EOL.PHP_EOL . implode(PHP_EOL, $issues) . PHP_EOL.PHP_EOL);
+        } elseif (!headers_sent()) {
+            echo 'Composer detected issues in your platform:' . PHP_EOL.PHP_EOL . str_replace('You are running '.PHP_VERSION.'.', '', implode(PHP_EOL, $issues)) . PHP_EOL.PHP_EOL;
+        }
+    }
+    trigger_error(
+        'Composer detected issues in your platform: ' . implode(' ', $issues),
+        E_USER_ERROR
+    );
+}