Merge pull request #85 from WPChill/master

security, sanitisations and escapes

.gitignore

@@ -3,5 +3,4 @@ node_modules/*
 .DS_Store
 .standard.json
 package-lock.json
-colorlib-coming-soon-maintenance.zip
-colorlib-coming-soon-and-maintenance-mode.zip
+**.zip

Gruntfile.js

@@ -113,7 +113,7 @@ module.exports = function( grunt ) {
 			build: {
 				options: {
 					pretty: true,                           // Pretty print file sizes when logging.
-					archive: '<%= pkg.name %>.zip'
+					archive: '<%= pkg.name %>-<%= pkg.version %>.zip'
 				},
 				expand: true,
 				cwd: 'build/',

assets/js/customizer-preview.js

@@ -1,26 +1,4 @@
 (function ($) {
-
-    //Page heading preview
-    wp.customize('ccsm_settings[colorlib_coming_soon_page_heading]', function (text) {
-        text.bind(function (textValue) {
-            jQuery('#colorlib_coming_soon_page_heading').html(str.replace('@<(script|style)[^>]*?>.*?</\\1>@si', textValue ) );
-        });
-    });
-
-    //Page content preview
-    wp.customize('ccsm_settings[colorlib_coming_soon_page_content]', function (text) {
-        text.bind(function (textValue) {
-            jQuery('#colorlib_coming_soon_page_content').html(str.replace('@<(script|style)[^>]*?>.*?</\\1>@si', textValue ) );
-        });
-    });
-
-    //Page footer preview
-    wp.customize('ccsm_settings[colorlib_coming_soon_page_footer]', function (text) {
-        text.bind(function (textValue) {
-            jQuery('#colorlib_coming_soon_page_footer').html(str.replace('@<(script|style)[^>]*?>.*?</\\1>@si', textValue ) );
-        });
-    });
-
     //social links preview
     jQuery('#sub-accordion-section-colorlib_coming_soon_section_social_settings').find('input').each(function () {
         var controllerID = jQuery(this).attr('data-customize-setting-link');
@@ -31,6 +9,5 @@
         });
     });
 
-
 })(jQuery);
 

colorlib-coming-soon-and-maintenance-mode.php

@@ -3,10 +3,10 @@
 * Plugin Name: Coming Soon and Maintenance by Colorlib
 * Plugin URI: https://colorlib.com/
 * Description: Colorlib Coming Soon and Maintenance is a responsive coming soon WordPress plugin that comes with well designed coming soon page and lots of useful features including customization via Live Customizer, MailChimp integration, custom forms, and more.
-* Version: 1.0.98
+* Version: 1.1.0
 * Author: Colorlib
 * Author URI: https://colorlib.com/
-* Tested up to: 5.6
+* Tested up to: 6.5
 * Requires: 4.6 or higher
 * License: GPLv3 or later
 * License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -50,6 +50,7 @@
 add_action( 'ccsm_header', 'wp_print_scripts' );
 add_filter( 'ccsm_skip_redirect', 'ccsm_skip_redirect' );
 add_filter( 'ccsm_force_redirect', 'ccsm_force_redirect' );
+add_filter( 'rest_authentication_errors', 'ccsm_rest_restrict' );
 
 //loads the text domain for translation
 function ccsm_load_plugin_textdomain() {
@@ -119,6 +120,27 @@ function ccsm_template_redirect() {
     }
 }
 
+/**
+ * Restrict REST API access to non-logged-in users
+ *
+ * @param  WP_Error|mixed  $response  Result to send to the client. Usually a WP_REST_Response.
+ *
+ * @return WP_Error|mixed
+ */
+function ccsm_rest_restrict( $response ) {
+	// If user is logged in, don't restrict content
+	if ( is_user_logged_in() ) {
+		return $response;
+	}
+	$ccsm_options = get_option( 'ccsm_settings' );
+
+	if ( "1" === $ccsm_options['colorlib_coming_soon_activation'] ) {
+		return new WP_Error('403', __( 'Sorry, this content is restricted!', 'colorlib-coming-soon-maintenance' ));
+	}
+
+	return $response;
+}
+
 // enqueue template styles
 function ccsm_style_enqueue( $template_name ) {
 
@@ -913,5 +935,69 @@ function ccsm_check_for_review() {
 
 ccsm_check_for_review();
 
+/**
+ * Notice for Google Analytics
+ *
+ * @return void
+ */
+function ccsm_google_analytics_notice() {
+    $options = get_option( 'ccsm_settings' );
+	if ( ! get_option( 'ccsm_ga_notice' ) && isset( $options['colorlib_coming_soon_google_analytics'] ) && '' !== $options['colorlib_coming_soon_google_analytics'] ) {
+		$message = sprintf( __('For security reasons we have changed the Google Analytics setting. Please update your settings <a href="%s">here</a> in order to correctly use the Google Analytics script.', 'colorlib-coming-soon-maintenance'), esc_url( admin_url( 'customize.php?autofocus[panel]=colorlib_coming_soon_general_panel' ) ));
+		printf('<div id="ccsm-ga-notice" class="notice notice-warning is-dismissible"><p>%1$s</p></div>', wp_kses_post( $message ) );
+	}
+}
+add_action( 'admin_notices', 'ccsm_google_analytics_notice' );
+
+/**
+ * AJAX script
+ *
+ * @since 1.0.99
+ */
+function ccsm_ajax_dismiss_script() {
+
+	$ajax_nonce = wp_create_nonce( 'ccsm-ga-notice' );
+
+	?>
+
+	<script type="text/javascript">
+        jQuery( document ).ready( function( $ ){
+
+            $(document).on('click','#ccsm-ga-notice .notice-dismiss', function( ){
+                var data = {
+                    action: 'ccsm-ga-notice_dismiss',
+                    security: '<?php echo $ajax_nonce; ?>',
+                };
+
+                $.post( '<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>', data, function( response ) {
+                    $( '#ccsm-ga-notice' ).slideUp( 'fast', function() {
+                        $( this ).remove();
+                    } );
+                });
+
+            } );
+
+        });
+	</script>
+
+	<?php
+}
+add_action( 'admin_print_footer_scripts', 'ccsm_ajax_dismiss_script' );
+
+/**
+ * Dismiss and update option for notice
+ *
+ * @return void
+ * @since 1.0.99
+ */
+function ccsm_ajax_dismiss_ga() {
+
+	check_ajax_referer( 'ccsm-ga-notice', 'security' );
+	update_option('ccsm_ga_notice', true );
+	wp_die( 'ok' );
+
+}
+add_action( 'wp_ajax_ccsm-ga-notice_dismiss', 'ccsm_ajax_dismiss_ga' );
+
 //Loading Plugin Theme Customizer Options
 require_once( 'includes/class-ccsm-customizer.php' );

includes/class-ccsm-customizer.php

@@ -289,13 +289,13 @@ public function ccsm_customizer_controls( $wp_customize ) {
 
 		/* Setting - Coming Soon - Google Analytics */
 
-		$wp_customize->add_setting( 'ccsm_settings[colorlib_coming_soon_google_analytics]', array(
+		$wp_customize->add_setting( 'ccsm_settings[colorlib_coming_soon_google_analytics_id]', array(
 				'sanitize_callback' => 'ccsm_sanitize_google_analytics',
 				'type'              => 'option'
 
 			) );
 
-		$wp_customize->add_control( 'ccsm_settings[colorlib_coming_soon_google_analytics]', array(
+		$wp_customize->add_control( 'ccsm_settings[colorlib_coming_soon_google_analytics_id]', array(
 			'label'           => esc_html__( 'Google Analytics tracking code ID', 'colorlib-coming-soon-maintenance' ),
 			'section'         => 'colorlib_coming_soon_section_general',
 			'priority'        => 30,

includes/class-ccsm-review.php

@@ -102,7 +102,7 @@ public function five_star_wp_rate_notice() {
 
 		?>
         <div id="<?php echo esc_attr($this->slug); ?>-epsilon-review-notice" class="notice notice-success is-dismissible">
-            <p><?php echo sprintf( wp_kses_post( $this->messages['notice'] ), $this->value ); ?></p>
+            <p><?php echo sprintf( wp_kses_post( $this->messages['notice'] ), wp_kses_post( $this->value ) ); ?></p>
             <p class="actions">
                 <a id="epsilon-rate" href="<?php echo esc_url( $url ) ?>"
                    class="button button-primary epsilon-review-button"><?php echo esc_html( $this->messages['rate'] ); ?></a>
@@ -154,15 +154,15 @@ public function ajax_script() {
 
                     var data = {
                         action: 'ccsm_epsilon_review',
-                        security: '<?php echo $ajax_nonce; ?>',
+                        security: '<?php echo esc_html( $ajax_nonce ); ?>',
                     };
 
                     if ('epsilon-rated' === id || 'epsilon-rate' === id) {
                         data['epsilon-review'] = 1;
                     }
 
-                    $.post('<?php echo admin_url( 'admin-ajax.php' ) ?>', data, function (response) {
-                        $('#<?php echo $this->slug ?>-epsilon-review-notice').slideUp('fast', function () {
+                    $.post('<?php echo esc_url( admin_url( 'admin-ajax.php' ) ) ?>', data, function (response) {
+                        $('#<?php echo esc_html( $this->slug ) ?>-epsilon-review-notice').slideUp('fast', function () {
                             $(this).remove();
                         });
 
@@ -178,11 +178,11 @@ public function ajax_script() {
 
 		            var data = {
 			            action: 'ccsm_epsilon_review',
-			            security: '<?php echo $ajax_nonce; ?>',
+			            security: '<?php echo esc_html( $ajax_nonce ); ?>',
 		            };
 
-		            $.post('<?php echo admin_url( 'admin-ajax.php' ) ?>', data, function (response) {
-			            $('#<?php echo $this->slug ?>-epsilon-review-notice').slideUp('fast', function () {
+		            $.post('<?php echo esc_url( admin_url( 'admin-ajax.php' ) ) ?>', data, function (response) {
+			            $('#<?php echo esc_html( $this->slug ) ?>-epsilon-review-notice').slideUp('fast', function () {
 				            $(this).remove();
 			            });
 

includes/colorlib-template.php

@@ -7,15 +7,15 @@
     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
 	<?php
 	$ccsm_options = get_option( 'ccsm_settings' );
-    if ( isset( $ccsm_options['colorlib_coming_soon_google_analytics'] ) && '' != $ccsm_options['colorlib_coming_soon_google_analytics'] ) {
+    if ( isset( $ccsm_options['colorlib_coming_soon_google_analytics_id'] ) && '' != $ccsm_options['colorlib_coming_soon_google_analytics_id'] ) {
      ?>
-        <script async src="https://www.googletagmanager.com/gtag/js?id=<?php echo esc_html( str_replace(array('\'', '"'), '', $ccsm_options['colorlib_coming_soon_google_analytics']) ); ?>"></script>
+        <script async src="https://www.googletagmanager.com/gtag/js?id=<?php echo esc_html( str_replace(array('\'', '"'), '', $ccsm_options['colorlib_coming_soon_google_analytics_id']) ); ?>"></script>
         <script>
         window.dataLayer = window.dataLayer || [];
         function gtag(){dataLayer.push(arguments);}
         gtag('js', new Date());
 
-        gtag('config', '<?php echo esc_html( str_replace(array('\'', '"'), '', $ccsm_options['colorlib_coming_soon_google_analytics']) ); ?>');
+        gtag('config', '<?php echo esc_html( str_replace(array('\'', '"'), '', $ccsm_options['colorlib_coming_soon_google_analytics_id']) ); ?>');
         </script>
      <?php
     }
@@ -40,14 +40,14 @@ function gtag(){dataLayer.push(arguments);}
     if(ccsm_template_has_background_color()){
         ?>
         body {
-            background-color: <?php echo $ccsm_options['colorlib_coming_soon_background_color']; ?> !important;
+            background-color: <?php echo wp_kses_post( $ccsm_options['colorlib_coming_soon_background_color'] ); ?> !important;
         }
 
         <?php
     }
 	?>
 
-        <?php  echo $ccsm_options['colorlib_coming_soon_page_custom_css']; ?>
+        <?php  echo wp_kses_post( $ccsm_options['colorlib_coming_soon_page_custom_css'] ); ?>
         .colorlib-copyright {
             text-align: center;
             left: 0;

includes/controls/class-ccsm-control-text-editor.php

@@ -17,7 +17,7 @@ function render_content() {
                 <span class="description customize-control-description"><?php echo wp_kses_post($this->description); ?></span>
                 </span>
                 <textarea id="<?php echo esc_attr($id); ?>"
-                          class="widefat text wp-editor-area js-ccsm-editor" <?php echo $this->link(); ?><?php echo esc_textarea($this->value()); ?></textarea>
+                          class="widefat text wp-editor-area js-ccsm-editor" <?php echo esc_attr( $this->link() ); ?>><?php echo esc_textarea($this->value()); ?> </textarea>
 				<?php
 			}
 		}

includes/controls/class-ccsm-template-selection.php

@@ -25,9 +25,9 @@ public function render_content() {
 								$active = '';
 							}
 							?>
-                            <label class="colorlib-single-template-wrapper <?php echo $active; ?>">
+                            <label class="colorlib-single-template-wrapper <?php echo esc_attr( $active ); ?>">
                             	<input class="colorlib-template-radio" type="radio" name="<?php echo esc_attr( $this->id ); ?>" value="<?php echo esc_attr( $key ); ?>" <?php $this->link(); ?> <?php checked( esc_attr( $key ), $this->value() ); ?>/>
-                                <img src="<?php echo CCSM_URL . 'templates/' . esc_attr( $key ) . '/' . esc_attr( $key ) . '.jpg' ?>">
+                                <img src="<?php echo esc_url( CCSM_URL ) . 'templates/' . esc_attr( $key ) . '/' . esc_attr( $key ) . '.jpg' ?>">
                             </label>
 						<?php } ?>
                     </div>