Better Click To Tweet - Version 5.3.1

Version Description

  • Security Fix: potential XSS vulnerability on settings page (mild security risk, only affecting logged-in administrator accounts that were previously compromised). Thanks to Robbie at DXW (@robbiepaul on GitHub) for the responsible disclosure.
  • If the last point didn't make any sense, please translate it to "UPDATE NOW. Previous versions of the plugin are mildly vulnerable to enterprising attackers."
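The XSS named in the release note can be traced in the two `bctt_options.php` changes further down this page: the 5.3 sanitizer only stripped tags, and the stored handle was echoed unescaped into a `value="..."` attribute. The PHP below is an added example written for this page, not code from the plugin. It reproduces both sanitizer bodies from the diff, runs them against a constructed attribute-breaking payload, and renders the input field the way 5.3 and 5.3.1 do. `wp_esc_attr_stand_in()` uses `htmlspecialchars()` as a local stand-in for WordPress's `esc_attr()` so the script runs outside WordPress; that stand-in, the `_53`/`_531` suffixes and `render_handle_input()` are names introduced here, not the plugin's.

```php
<?php
// Added example, not code from the Better Click To Tweet plugin.
// Reproduces the two sanitizers from the 5.3 -> 5.3.1 diff of bctt_options.php
// and shows why the output-side escaping matters as well.

// 5.3: blocklist-style sanitizer (the removed "-" line in the diff).
function bctt_validate_settings_53(string $input): string {
    return str_replace('@', '', strip_tags(stripslashes($input)));
}

// 5.3.1: allowlist sanitizer (the added "+" line in the diff).
// preg_replace() can return null on an engine error, so fall back to ''.
function bctt_validate_settings_531(string $input): string {
    return preg_replace('/[^0-9a-zA-Z_]/', '', $input) ?? '';
}

// Stand-in for WordPress esc_attr(): an assumption so this runs offline,
// not WordPress's own implementation.
function wp_esc_attr_stand_in(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders the settings-page field; $escape=false mirrors 5.3, true mirrors 5.3.1.
function render_handle_input(string $stored, bool $escape): string {
    $value = $escape ? wp_esc_attr_stand_in($stored) : $stored;
    return '<input type="text" name="bctt-twitter-handle" value="' . $value . '"/>';
}

// Constructed payload: it contains no tags, so strip_tags() leaves it intact,
// but the leading quote closes the value attribute and injects a handler.
$payload = '" onfocus="alert(1)" autofocus="';

$old = bctt_validate_settings_53($payload);
echo "5.3 sanitizer keeps:   $old\n";
echo render_handle_input($old, false), "\n";   // attribute injection succeeds

$new = bctt_validate_settings_531($payload);
echo "5.3.1 sanitizer keeps: $new\n";          // only [0-9a-zA-Z_] survive
echo render_handle_input($new, true), "\n";

// Options saved by an older version are not re-sanitized on upgrade, so the
// output escaping has to hold for a legacy stored value on its own.
echo render_handle_input($old, true), "\n";    // quotes become &quot;
```

Run it with `php example.php`. The first rendered line shows the 5.3 behaviour (the payload becomes live attributes), the second shows that the allowlist alone already reduces the payload to a harmless token, and the third shows that escaping alone also neutralizes a value stored before the sanitizer was tightened, which is why the fix needs both halves.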

Release Info

Developer ben.meredith@gmail.com
Version 5.3.1

Code changes from version 5.3 to 5.3.1

Files changed (3)
  1. bctt_options.php +2 -2
  2. better-click-to-tweet.php +3 -3
  3. readme.txt +5 -1
bctt_options.php CHANGED
@@ -38,7 +38,7 @@ function bctt_register_settings() {
38
  }
39
 
40
  function bctt_validate_settings( $input ) {
41
- return str_replace( '@', '', strip_tags( stripslashes( $input ) ) );
42
  }
43
 
44
  function bctt_validate_checkbox( $input ) {
@@ -123,7 +123,7 @@ function bctt_settings_page() {
123
  <label><?php _ex( 'Your Twitter Handle', 'label for text input on settings screen', 'better-click-to-tweet' ); ?></label>
124
  </th>
125
  <td><input type="text" name="bctt-twitter-handle"
126
- value="<?php echo get_option( 'bctt-twitter-handle' ); ?>"/>
127
  </td>
128
  <tr valign="top">
129
  <th style="width: 200px;">
38
  }
39
 
40
  function bctt_validate_settings( $input ) {
41
+ return preg_replace('/[^0-9a-zA-Z_]/', '', $input);
42
  }
43
 
44
  function bctt_validate_checkbox( $input ) {
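Review bot: the new allowlist in `bctt_validate_settings` is specific to a Twitter handle (it drops everything outside `[0-9a-zA-Z_]`), but the function keeps a generic name and its registration lives in `bctt_register_settings`, outside this hunk; please confirm it is wired only to `bctt-twitter-handle`, since any other option routed through it would lose spaces and punctuation, and consider renaming it to something like `bctt_validate_twitter_handle()` with a one-line comment stating the intended charset. The direction of the change is right: the removed line only blocked tags, so a value such as `" onfocus="...` passed `strip_tags()` untouched and, combined with the unescaped `value="..."` in the next hunk, could break out of the attribute. Dropping `stripslashes()` is fine here because backslashes are not in the allowlist anyway. One small robustness point: `preg_replace()` returns `null` on an engine error, so `?? ''` on the return keeps the stored option a string.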
123
  <label><?php _ex( 'Your Twitter Handle', 'label for text input on settings screen', 'better-click-to-tweet' ); ?></label>
124
  </th>
125
  <td><input type="text" name="bctt-twitter-handle"
126
+ value="<?php echo esc_attr( get_option( 'bctt-twitter-handle' ) ); ?>"/>
127
  </td>
128
  <tr valign="top">
129
  <th style="width: 200px;">
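Review bot: `esc_attr()` around `get_option( 'bctt-twitter-handle' )` is the line that actually closes the settings-page XSS and must stay even though the sanitizer above was tightened: a value saved by 5.3 or earlier is not re-run through `bctt_validate_settings` on upgrade, so a previously stored string containing `"` would still be echoed raw into `value="..."` without it. While touching this block, the `<label>` has no `for` attribute and the input no `id`; pairing them (for example `id="bctt-twitter-handle"`) makes the field properly labelled.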
better-click-to-tweet.php CHANGED
@@ -2,7 +2,7 @@
2
  /*
3
  Plugin Name: Better Click To Tweet
4
  Description: Add Click to Tweet boxes simply and elegantly to your posts or pages. All the features of a premium plugin, for FREE!
5
- Version: 5.3
6
  Author: Ben Meredith
7
  Author URI: https://www.wpsteward.com
8
  Plugin URI: https://wordpress.org/plugins/better-click-to-tweet/
@@ -156,11 +156,11 @@ function bctt_shortcode( $atts ) {
156
 
157
  if ( $atts['url'] != 'no' ) {
158
 
159
- $short = bctt_shorten( $text, ( 117 - ( $handle_length ) ) );
160
 
161
  } else {
162
 
163
- $short = bctt_shorten( $text, ( 140 - ( $handle_length ) ) );
164
 
165
  }
166
 
2
  /*
3
  Plugin Name: Better Click To Tweet
4
  Description: Add Click to Tweet boxes simply and elegantly to your posts or pages. All the features of a premium plugin, for FREE!
5
+ Version: 5.3.1
6
  Author: Ben Meredith
7
  Author URI: https://www.wpsteward.com
8
  Plugin URI: https://wordpress.org/plugins/better-click-to-tweet/
156
 
157
  if ( $atts['url'] != 'no' ) {
158
 
159
+ $short = bctt_shorten( $text, ( 253 - ( $handle_length ) ) );
160
 
161
  } else {
162
 
163
+ $short = bctt_shorten( $text, ( 280 - ( $handle_length ) ) );
164
 
165
  }
166
 
readme.txt CHANGED
@@ -4,7 +4,7 @@ Donate link: https://www.wpsteward.com/donations/plugin-support/
4
  Tags: click to tweet, twitter, tweet,
5
  Requires at least: 3.8
6
  Tested up to: 4.8
7
- Stable tag: 5.3
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
 
@@ -101,6 +101,10 @@ Donations: http://benlikes.us/donate
101
 
102
  == Changelog ==
103
 
 
 
 
 
104
  = 5.3 =
105
  * enhancement — cleaned up the various options checks that were happening on the front end (thanks @igmoweb on GitHub!)
106
  * Readme changes. I also celebrated a milestone of 20K active installs, which was cause for great celebration, and at least one undocumented happy dance.
4
  Tags: click to tweet, twitter, tweet,
5
  Requires at least: 3.8
6
  Tested up to: 4.8
7
+ Stable tag: 5.3.1
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
 
101
 
102
  == Changelog ==
103
 
104
+ = 5.3.1 =
105
+ * Security Fix — potential XSS vulnerability on settings page. (mild security risk only affecting logged-in administrator accounts previously compromised). Thanks Robbie at DXW @robbiepaul on Github for the responsible disclosure.
106
+ * If the last point didn't make any sense, please translate it to "UPDATE NOW. Previous versions of the plugin are mildly vulnerable to enterprising attackers."
107
+
108
  = 5.3 =
109
  * enhancement — cleaned up the various options checks that were happening on the front end (thanks @igmoweb on GitHub!)
110
  * Readme changes. I also celebrated a milestone of 20K active installs, which was cause for great celebration, and at least one undocumented happy dance.
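Review bot: the 5.3.1 entry describes only the XSS fix, but the same commit also raises the tweet limit in `better-click-to-tweet.php` from 140 to 280 characters (and the with-URL limit from 117 to 253), which is a user-visible behaviour change and deserves its own changelog line. The second bullet also only restates the first as upgrade advice; a single entry that states the fix, credits the reporter and tells users to update would read cleaner.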