Merge pull request #154 from xylusthemes/enhanced_xss_protection

Enhanced XSS Protection
xylusthemes · Dec 13, 2024 · eef8ed7 · eef8ed7
2 parents c2eca68 + f9e5acb
commit eef8ed7
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 10 deletions.
diff --git a/includes/class-import-eventbrite-events-list-table.php b/includes/class-import-eventbrite-events-list-table.php
@@ -61,12 +61,12 @@ function column_default( $item, $column_name ) {
 	function column_title( $item ) {
 
 		$iee_url_delete_args = array(
-			'page'       => wp_unslash( $_REQUEST['page'] ),
+			'page'       => esc_attr( wp_unslash( $_REQUEST['page'] ) ),
 			'iee_action' => 'iee_simport_delete',
 			'import_id'  => absint( $item['ID'] ),
 		);
 
-		$page              = wp_unslash( $_REQUEST['page'] );
+		$page              = esc_attr( wp_unslash( $_REQUEST['page'] ) );
 		$tab               = 'scheduled';
 		$wp_redirect       = admin_url( 'admin.php?page=' . $page );
 		$iee_url_edit_args = array(
@@ -110,7 +110,7 @@ function column_title( $item ) {
 	function column_action( $item ) {
 
 		$xtmi_run_import_args = array(
-			'page'       => wp_unslash( $_REQUEST['page'] ),
+			'page'       => esc_attr( wp_unslash( $_REQUEST['page'] ) ),
 			'iee_action' => 'iee_run_import',
 			'import_id'  => $item['ID'],
 		);
@@ -435,8 +435,8 @@ function column_default( $item, $column_name ) {
 	function column_title( $item ) {
 
 		$iee_url_delete_args = array(
-			'page'       => wp_unslash( $_REQUEST['page'] ),
-			'tab'        => wp_unslash( $_REQUEST['tab'] ),
+			'page'       => esc_attr( wp_unslash( $_REQUEST['page'] ) ),
+			'tab'        => esc_attr( wp_unslash( $_REQUEST['tab'] ) ),
 			'iee_action' => 'iee_history_delete',
 			'history_id' => absint( $item['ID'] ),
 		);
@@ -555,8 +555,8 @@ public function extra_tablenav( $which ) {
 			return;
 		}	
 		$iee_url_all_delete_args = array(
-			'page'       => wp_unslash( $_REQUEST['page'] ),
-			'tab'        => wp_unslash( $_REQUEST['tab'] ),
+			'page'       => esc_attr( wp_unslash( $_REQUEST['page'] ) ),
+			'tab'        => esc_attr( wp_unslash( $_REQUEST['tab'] ) ),
 			'iee_action' => 'iee_all_history_delete',
 		);
 

diff --git a/languages/import-eventbrite-events.pot b/languages/import-eventbrite-events.pot
@@ -9,7 +9,7 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2024-11-30T07:42:52+00:00\n"
+"POT-Creation-Date: 2024-12-13T06:31:15+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.11.0\n"
 "X-Domain: import-eventbrite-events\n"

diff --git a/templates/admin/import-eventbrite-events-history.php b/templates/admin/import-eventbrite-events-history.php
@@ -13,8 +13,8 @@
 	<div class="iee_row">
 		<div class="">
 			<form id="import-history" method="get">
-				<input type="hidden" name="page" value="<?php echo isset( $_REQUEST['page'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ) : 'eventbrite_event'; ?>" />
-				<input type="hidden" name="tab" value="<?php echo isset( $_REQUEST['tab'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) : 'history'; ?>" />
+				<input type="hidden" name="page" value="<?php echo isset( $_REQUEST['page'] ) ? esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ) ) : 'eventbrite_event'; ?>" />
+				<input type="hidden" name="tab" value="<?php echo isset( $_REQUEST['tab'] ) ? esc_attr( sanitize_text_field( wp_unslash( $_REQUEST['tab'] ) ) ) : 'history'; ?>" />
 				<?php
 				$listtable->display();
 				?>