All-in-One Event Calendar - Version 2.5.39


Code changes from version 2.5.38 to 2.5.39

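--- a/all-in-one-event-calendar.php
+++ b/all-in-one-event-calendar.php
@@ -5,7 +5,7 @@
 * Description: A calendar system with month, week, day, agenda views, upcoming events widget, color-coded categories, recurrence, and import/export of .ics feeds.
 * Author: Time.ly Network Inc.
 * Author URI: https://time.ly/
-* Version: 2.5.38
+* Version: 2.5.39
 * Text Domain: all-in-one-event-calendar
 * Domain Path: /language
 */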
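--- a/app/config/constants.php
+++ b/app/config/constants.php
@@ -50,7 +50,7 @@ function ai1ec_initiate_constants( $ai1ec_base_dir, $ai1ec_base_url ) {
 // = Plugin Version =
 // ==================
 if ( ! defined( 'AI1EC_VERSION' ) ) {
-define( 'AI1EC_VERSION', '2.5.38' );
+define( 'AI1EC_VERSION', '2.5.39' );
 }
 
 // ================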
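--- a/app/model/event/creating.php
+++ b/app/model/event/creating.php
@@ -49,7 +49,7 @@ class Ai1ec_Event_Creating extends Ai1ec_Base {
 /**
 * =====================================================================
 *
-* CHANGE CODE BELLOW TO HAVE FOLLOWING PROPERTIES:
+* CHANGE CODE BELOW TO HAVE FOLLOWING PROPERTIES:
 * - be initializiable from model;
 * - have sane defaults;
 * - avoid that cluster of isset and ternary operator.
@@ -57,33 +57,33 @@ class Ai1ec_Event_Creating extends Ai1ec_Base {
 * =====================================================================
 */
 
-$all_day = isset( $_POST['ai1ec_all_day_event'] ) ? 1 : 0;
-$instant_event = isset( $_POST['ai1ec_instant_event'] ) ? 1 : 0;
-$timezone_name = isset( $_POST['ai1ec_timezone_name'] ) ? $_POST['ai1ec_timezone_name'] : 'sys.default';
-$start_time = isset( $_POST['ai1ec_start_time'] ) ? $_POST['ai1ec_start_time'] : '';
-$end_time = isset( $_POST['ai1ec_end_time'] ) ? $_POST['ai1ec_end_time'] : '';
-$venue = isset( $_POST['ai1ec_venue'] ) ? $_POST['ai1ec_venue'] : '';
-$address = isset( $_POST['ai1ec_address'] ) ? $_POST['ai1ec_address'] : '';
-$city = isset( $_POST['ai1ec_city'] ) ? $_POST['ai1ec_city'] : '';
-$province = isset( $_POST['ai1ec_province'] ) ? $_POST['ai1ec_province'] : '';
-$postal_code = isset( $_POST['ai1ec_postal_code'] ) ? $_POST['ai1ec_postal_code'] : '';
-$country = isset( $_POST['ai1ec_country'] ) ? $_POST['ai1ec_country'] : '';
-$google_map = isset( $_POST['ai1ec_google_map'] ) ? 1 : 0;
-$cost = isset( $_POST['ai1ec_cost'] ) ? $_POST['ai1ec_cost'] : '';
-$is_free = isset( $_POST['ai1ec_is_free'] ) ? (bool)$_POST['ai1ec_is_free'] : false;
-$ticket_url = isset( $_POST['ai1ec_ticket_url'] ) ? $_POST['ai1ec_ticket_url'] : '';
-$contact_name = isset( $_POST['ai1ec_contact_name'] ) ? $_POST['ai1ec_contact_name'] : '';
-$contact_phone = isset( $_POST['ai1ec_contact_phone'] ) ? $_POST['ai1ec_contact_phone'] : '';
-$contact_email = isset( $_POST['ai1ec_contact_email'] ) ? $_POST['ai1ec_contact_email'] : '';
-$contact_url = isset( $_POST['ai1ec_contact_url'] ) ? $_POST['ai1ec_contact_url'] : '';
-$show_coordinates = isset( $_POST['ai1ec_input_coordinates'] )? 1 : 0;
-$longitude = isset( $_POST['ai1ec_longitude'] ) ? $_POST['ai1ec_longitude'] : '';
-$latitude = isset( $_POST['ai1ec_latitude'] ) ? $_POST['ai1ec_latitude'] : '';
-$cost_type = isset( $_POST['ai1ec_cost_type'] ) ? $_POST['ai1ec_cost_type'] : '';
-$rrule = null;
-$exrule = null;
-$exdate = null;
-$rdate = null;
+$all_day = isset( $_POST['ai1ec_all_day_event'] ) ? 1 : 0;
+$instant_event = isset( $_POST['ai1ec_instant_event'] ) ? 1 : 0;
+$timezone_name = isset( $_POST['ai1ec_timezone_name'] ) ? sanitize_text_field( $_POST['ai1ec_timezone_name'] ) : 'sys.default';
+$start_time = isset( $_POST['ai1ec_start_time'] ) ? sanitize_text_field( $_POST['ai1ec_start_time'] ) : '';
+$end_time = isset( $_POST['ai1ec_end_time'] ) ? sanitize_text_field( $_POST['ai1ec_end_time'] ) : '';
+$venue = isset( $_POST['ai1ec_venue'] ) ? sanitize_text_field( $_POST['ai1ec_venue'] ) : '';
+$address = isset( $_POST['ai1ec_address'] ) ? sanitize_text_field( $_POST['ai1ec_address'] ) : '';
+$city = isset( $_POST['ai1ec_city'] ) ? sanitize_text_field( $_POST['ai1ec_city'] ) : '';
+$province = isset( $_POST['ai1ec_province'] ) ? sanitize_text_field( $_POST['ai1ec_province'] ) : '';
+$postal_code = isset( $_POST['ai1ec_postal_code'] ) ? sanitize_text_field( $_POST['ai1ec_postal_code'] ) : '';
+$country = isset( $_POST['ai1ec_country'] ) ? sanitize_text_field( $_POST['ai1ec_country'] ) : '';
+$google_map = isset( $_POST['ai1ec_google_map'] ) ? 1 : 0;
+$cost = isset( $_POST['ai1ec_cost'] ) ? sanitize_text_field( $_POST['ai1ec_cost'] ) : '';
+$is_free = isset( $_POST['ai1ec_is_free'] ) ? (bool)$_POST['ai1ec_is_free'] : false;
+$ticket_url = isset( $_POST['ai1ec_ticket_url'] ) ? sanitize_text_field( $_POST['ai1ec_ticket_url'] ) : '';
+$contact_name = isset( $_POST['ai1ec_contact_name'] ) ? sanitize_text_field( $_POST['ai1ec_contact_name'] ) : '';
+$contact_phone = isset( $_POST['ai1ec_contact_phone'] ) ? sanitize_text_field( $_POST['ai1ec_contact_phone'] ) : '';
+$contact_email = isset( $_POST['ai1ec_contact_email'] ) ? sanitize_text_field( $_POST['ai1ec_contact_email'] ) : '';
+$contact_url = isset( $_POST['ai1ec_contact_url'] ) ? sanitize_text_field( $_POST['ai1ec_contact_url'] ) : '';
+$show_coordinates = isset( $_POST['ai1ec_input_coordinates'] )? 1 : 0;
+$longitude = isset( $_POST['ai1ec_longitude'] ) ? sanitize_text_field( $_POST['ai1ec_longitude'] ) : '';
+$latitude = isset( $_POST['ai1ec_latitude'] ) ? sanitize_text_field( $_POST['ai1ec_latitude'] ) : '';
+$cost_type = isset( $_POST['ai1ec_cost_type'] ) ? sanitize_text_field( $_POST['ai1ec_cost_type'] ) : '';
+$rrule = null;
+$exrule = null;
+$exdate = null;
+$rdate = null;
 
 if ( 'external' !== $cost_type ) {
 $ticket_url = '';
@@ -218,10 +218,10 @@ class Ai1ec_Event_Creating extends Ai1ec_Base {
 return null;
 }
 $event = $data['event'];
-$is_new = $data[ 'is_new'];
+$is_new = $data['is_new'];
 
-$banner_image = isset( $_POST['ai1ec_banner_image'] ) ? $_POST['ai1ec_banner_image'] : '';
-$cost_type = isset( $_POST['ai1ec_cost_type'] ) ? $_POST['ai1ec_cost_type'] : '';
+$banner_image = isset( $_POST['ai1ec_banner_image'] ) ? sanitize_text_field( $_POST['ai1ec_banner_image'] ) : '';
+$cost_type = isset( $_POST['ai1ec_cost_type'] ) ? sanitize_text_field( $_POST['ai1ec_cost_type'] ) : '';
 
 update_post_meta( $post_id, 'ai1ec_banner_image', $banner_image );
 if ( $cost_type ) {
@@ -300,7 +300,7 @@ class Ai1ec_Event_Creating extends Ai1ec_Base {
 case 'inline-save': //quick edit from edit page
 $fields = array();
 if ( false === ai1ec_is_blank( $_REQUEST['post_title'] ) ) {
-$fields['title'] = $_REQUEST['post_title'];
+$fields['title'] = sanitize_text_field( $_REQUEST['post_title'] );
 }
 if ( false === ai1ec_is_blank( $_REQUEST['_status'] ) ) {
 $fields['status'] = $_REQUEST['_status'];
@@ -425,8 +425,11 @@ class Ai1ec_Event_Creating extends Ai1ec_Base {
 $_POST[$field] = $to_value;
 }
 }
-$_POST = _wp_translate_postdata( false, $_POST );
-$_POST['post_parent'] = $old_post_id;
+$_POST = _wp_translate_postdata( false, $_POST );
+$_POST['post_parent'] = $old_post_id;
+if ( isset( $_POST['post_title'] ) ) {
+$_POST['post_title'] = sanitize_text_field( $_POST['post_title'] );
+}
 $post_id = wp_insert_post( $_POST );
 $this->_registry->get( 'model.event.parent' )->event_parent(
 $post_id,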
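Review bot: `sanitize_text_field()` is the wrong sanitizer for the URL and e-mail inputs on new-side lines 74, 77 and 78 (`ai1ec_ticket_url`, `ai1ec_contact_url`, `ai1ec_contact_email`): it strips tags, NUL bytes and surplus whitespace but does not reject a `javascript:` or other non-HTTP scheme, so if these values are later printed into an `href` the XSS the changelog claims to fix is only partly closed; use the type-specific WordPress helpers instead, `$ticket_url = isset( $_POST['ai1ec_ticket_url'] ) ? esc_url_raw( $_POST['ai1ec_ticket_url'] ) : '';` and `$contact_url = isset( $_POST['ai1ec_contact_url'] ) ? esc_url_raw( $_POST['ai1ec_contact_url'] ) : '';`, with `sanitize_email()` for the contact address (and `esc_url_raw()` for `ai1ec_banner_image` on line 223 if it holds a URL). The quick-edit branch still copies `$_REQUEST['_status']` into `$fields['status']` unsanitized on line 306; whether it is validated before reaching a query or output is outside the hunk, but it is the one field in that block the commit left untouched. Sanitizing on input also does nothing for events stored before this release, so the templates that render these fields should escape with `esc_html()`/`esc_attr()`/`esc_url()` regardless, which this diff does not show. The methods these hunks fall in start and end outside the visible hunks.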
language/all-in-one-event-calendar.mo CHANGED
Binary file
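--- a/language/all-in-one-event-calendar.po
+++ b/language/all-in-one-event-calendar.po
@@ -2,13 +2,13 @@
 # This file is distributed under the same license as the All-in-One Event Calendar by Time.ly package.
 msgid ""
 msgstr ""
-"Project-Id-Version: All-in-One Event Calendar by Time.ly 2.5.38\n"
+"Project-Id-Version: All-in-One Event Calendar by Time.ly 2.5.39\n"
 "Report-Msgid-Bugs-To: http://wordpress.org/tag/all-in-one-event-calendar\n"
-"POT-Creation-Date: 2019-04-01 20:00:09+00:00\n"
+"POT-Creation-Date: 2019-05-02 19:09:33+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2019-04-01 20:00+0000\n"
+"PO-Revision-Date: 2019-05-02 19:09+0000\n"
 "Last-Translator: Timely <support@time.ly>\n"
 "Language-Team:\n"
 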
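--- a/language/all-in-one-event-calendar.pot
+++ b/language/all-in-one-event-calendar.pot
@@ -2,9 +2,9 @@
 # This file is distributed under the same license as the All-in-One Event Calendar by Time.ly package.
 msgid ""
 msgstr ""
-"Project-Id-Version: All-in-One Event Calendar by Time.ly 2.5.38\n"
+"Project-Id-Version: All-in-One Event Calendar by Time.ly 2.5.39\n"
 "Report-Msgid-Bugs-To: http://wordpress.org/tag/all-in-one-event-calendar\n"
-"POT-Creation-Date: 2019-04-01 20:00:09+00:00\n"
+"POT-Creation-Date: 2019-05-02 19:09:33+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"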
readme.txt CHANGED
@@ -2,8 +2,8 @@
2
  Contributors: uchu, calvinyeh, raquelleira, renatotbueno, domanb, elirenato, hubrik, vtowel, yani.iliev, nicolapeluchetti, jbutkus, lpawlik, bangelov
3
  Tags: calendar, event, ical, feed, ics, icalendar, sync, aggregator, google, venue, calendar widget, events widget
4
  Requires at least: 3.5
5
- Tested up to: 5.1.1
6
- Stable tag: 2.5.38
7
  Requires PHP: 5.4
8
  License: GNU General Public License, version 3 (GPL-3.0)
9
 
@@ -124,6 +124,9 @@ You can help translate by going to [https://translate.time.ly](https://translate
124
 
125
  == Changelog ==
126
 
 
 
 
127
  = Version 2.5.38 =
128
  * Fixed: Invalid file location for the current theme options would throw HTTP 500 error on specific server environments.
129
 
2
  Contributors: uchu, calvinyeh, raquelleira, renatotbueno, domanb, elirenato, hubrik, vtowel, yani.iliev, nicolapeluchetti, jbutkus, lpawlik, bangelov
3
  Tags: calendar, event, ical, feed, ics, icalendar, sync, aggregator, google, venue, calendar widget, events widget
4
  Requires at least: 3.5
5
+ Tested up to: 5.2
6
+ Stable tag: 2.5.39
7
  Requires PHP: 5.4
8
  License: GNU General Public License, version 3 (GPL-3.0)
9
 
124
 
125
  == Changelog ==
126
 
127
+ = Version 2.5.39 =
128
+ * Fixed XSS Security vulnerability by sanitizing the event input.
129
+
130
  = Version 2.5.38 =
131
  * Fixed: Invalid file location for the current theme options would throw HTTP 500 error on specific server environments.
132