FV Flowplayer Video Player - Version 7.3.15.727

Version Description

  • 2019/05/16 =

  • Security - fix for SQL injection vulnerability in email subscription

  • Security - fix for email subscription CSV export capability available to guest users


Release Info

Developer FolioVision
Version 7.3.15.727

Code changes from version 7.3.13.727 to 7.3.15.727

controller/editor.php CHANGED
File without changes
controller/frontend.php CHANGED
File without changes
controller/shortcodes.php CHANGED
File without changes
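--- a/css/flowplayer.css
+++ b/css/flowplayer.css
@@ -341,6 +341,7 @@
  font-size: 16px;
  position: relative;
  max-height: 100%;
+ overflow: visible;
  border-radius: .24em;
  background-position: center;
  background-repeat: no-repeat;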
css/img/flowplayer.png CHANGED
File without changes
css/img/no_play_white-x2.png CHANGED
File without changes
css/img/no_play_white.png CHANGED
File without changes
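--- a/flowplayer.php
+++ b/flowplayer.php
@@ -3,7 +3,7 @@
  Plugin Name: FV Player
  Plugin URI: http://foliovision.com/wordpress/plugins/fv-wordpress-flowplayer
  Description: Formerly FV WordPress Flowplayer. Supports MP4, HLS, MPEG-DASH, WebM and OGV. Advanced features such as overlay ads or popups. Uses Flowplayer 7.2.7.
- Version: 7.3.13.727
+ Version: 7.3.15.727
  Author URI: http://foliovision.com/
  License: GPL-3.0
  License URI: http://www.gnu.org/licenses/gpl-3.0.txt
@@ -27,7 +27,7 @@ License URI: http://www.gnu.org/licenses/gpl-3.0.txt
  */
 
  global $fv_wp_flowplayer_ver;
- $fv_wp_flowplayer_ver = '7.3.13.727';
+ $fv_wp_flowplayer_ver = '7.3.15.727';
  $fv_wp_flowplayer_core_ver = '7.2.7.1';
 
  include_once( dirname( __FILE__ ) . '/includes/extra-functions.php' );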
flowplayer/fv-flowplayer.min.js CHANGED
File without changes
js/shortcode-editor.js CHANGED
File without changes
models/checker.php CHANGED
File without changes
models/custom-videos.php CHANGED
File without changes
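--- a/models/email-subscription.php
+++ b/models/email-subscription.php
@@ -506,9 +506,8 @@ class FV_Player_Email_Subscription {
  $result['text'] = __('Malformed Email Address.', 'fv-wordpress-flowplayer');
  die(json_encode($result));
  };
-
- $count = $wpdb->get_var('SELECT COUNT(*) FROM ' . $wpdb->prefix . 'fv_player_emails WHERE email="' . addslashes($data['email']) . '" AND id_list = "'. addslashes($list_id) .'"' );
-
+
+ $count = $wpdb->get_var( $wpdb->prepare("SELECT COUNT(*) FROM ".$wpdb->prefix."fv_player_emails WHERE email = %s AND id_list = %s", strip_tags($data['email']), intval($list_id) ) );
 
  if(intval($count) === 0){
  $wpdb->insert($table_name, array(
@@ -550,6 +549,8 @@ class FV_Player_Email_Subscription {
  }
 
  function csv_export(){
+ if( !current_user_can('manage_options') ) return;
+
  $list_id = $_GET['fv-email-export'];
  $aLists = get_option('fv_player_email_lists');
  $list = $aLists[$list_id];
@@ -625,7 +626,7 @@ class FV_Player_Email_Subscription {
  $item = $tmp['title'];
  }
  }
- echo '<td>' . $item . '</td>';
+ echo '<td>' . strip_tags($item) . '</td>';
  }
  echo '</tr>';
  }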
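Review bot: `strip_tags($item)` at the `<td>` echo in the third hunk removes markup instead of encoding the value for HTML, so `&` and stray `<` characters still reach the page unescaped and legitimate data containing angle brackets is silently altered. `$item` appears to hold subscriber-submitted data shown to an administrator, so the WordPress output escaper is the better fit: `echo '<td>' . esc_html($item) . '</td>';`. In the first hunk the prepared statement is the right fix, but `intval($list_id)` should bind with `%d` rather than `%s`, and `strip_tags()` on the email does not contribute to SQL safety once the value is bound. The enclosing functions start and end outside these hunks.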
models/flowplayer-frontend.php CHANGED
File without changes
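--- a/models/flowplayer.php
+++ b/models/flowplayer.php
@@ -1165,7 +1165,7 @@ class flowplayer extends FV_Wordpress_Flowplayer_Plugin_Private {
  $sURL = FV_FP_RELATIVE_PATH.'/css/flowplayer.css';
  $sVer = $fv_wp_flowplayer_ver;
 
- if( apply_filters('fv_flowplayer_css_writeout', true ) && $this->_get_option($this->css_option()) ) {
+ if( !$this->_get_option('css_disable') && $this->_get_option($this->css_option()) ) {
  if( @file_exists($this->css_path()) ) {
  $sURL = $this->css_path('url');
  $sVer = $this->_get_option($this->css_option());
@@ -1192,7 +1192,7 @@ class flowplayer extends FV_Wordpress_Flowplayer_Plugin_Private {
  }
 
  if( $this->bCSSInline ) {
- add_action( 'wp_head', array( $this, 'css_generate' ) );
+ add_action( did_action('wp_footer') ? 'wp_footer' : 'wp_head', array( $this, 'css_generate' ) );
  add_action( 'admin_head', array( $this, 'css_generate' ) );
  }
 
@@ -1744,7 +1744,12 @@ class flowplayer extends FV_Wordpress_Flowplayer_Plugin_Private {
 
 
  public function get_playlist_class($aCaptions) {
- $sPlaylistClass = 'fv-playlist-design-'.$this->_get_option('playlist-design');
+ $sPlaylistClass = 'fv-playlist-design-';
+ if( !empty($this->aCurArgs['listdesign']) ) {
+ $sPlaylistClass .= $this->aCurArgs['listdesign'];
+ } else {
+ $sPlaylistClass .= $this->_get_option('playlist-design');
+ }
 
  if( isset($this->aCurArgs['liststyle']) && in_array($this->aCurArgs['liststyle'], array('horizontal','slider') ) ) {
  $sPlaylistClass .= ' fp-playlist-horizontal';
@@ -1809,16 +1814,20 @@ class flowplayer extends FV_Wordpress_Flowplayer_Plugin_Private {
  }
  if( strpos($media,'http://') !== 0 && strpos($media,'https://') !== 0 && strpos($media,'//') !== 0 ) {
  $http = is_ssl() ? 'https://' : 'http://';
+ $server = $_SERVER['SERVER_NAME'];
+ if( !empty($_SERVER['SERVER_PORT']) && intval($_SERVER['SERVER_PORT']) != 80 ) {
+ $server .= ':'.$_SERVER['SERVER_PORT'];
+ }
  // strip the first / from $media
  if($media[0]=='/') $media = substr($media, 1);
  if((dirname($_SERVER['PHP_SELF'])!='/')&&(file_exists($_SERVER['DOCUMENT_ROOT'].dirname($_SERVER['PHP_SELF']).VIDEO_DIR.$media))){ //if the site does not live in the document root
- $media = $http.$_SERVER['SERVER_NAME'].dirname($_SERVER['PHP_SELF']).VIDEO_DIR.$media;
+ $media = $http.$server.dirname($_SERVER['PHP_SELF']).VIDEO_DIR.$media;
  }
  else if(file_exists($_SERVER['DOCUMENT_ROOT'].VIDEO_DIR.$media)){ // if the videos folder is in the root
- $media = $http.$_SERVER['SERVER_NAME'].VIDEO_DIR.$media;//VIDEO_PATH.$media;
+ $media = $http.$server.VIDEO_DIR.$media;//VIDEO_PATH.$media;
  }
  else{ // if the videos are not in the videos directory but they are adressed relatively
- $media_path = str_replace('//','/',$_SERVER['SERVER_NAME'].'/'.$media);
+ $media_path = str_replace('//','/',$server.'/'.$media);
  $media = $http.$media_path;
  }
  }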
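Review bot: In `get_playlist_class()` the new `$sPlaylistClass .= $this->aCurArgs['listdesign'];` appends a per-player argument to the class string without normalising it, whereas the value it replaces came only from the site option. If `aCurArgs` is filled from shortcode attributes and the result is printed into a `class` attribute (neither is visible in this hunk), whoever can place the shortcode controls that attribute text. Restricting the value to a single class token closes that off: `$sPlaylistClass .= sanitize_html_class( $this->aCurArgs['listdesign'] );`. Separately, the port check in the last hunk treats 443 as non-default, so HTTPS sites get `:443` appended to generated media URLs; comparing against both 80 and 443 avoids that. Both functions continue outside their hunks.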
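--- a/models/system-info.php
+++ b/models/system-info.php
@@ -87,7 +87,7 @@ Host: <?php echo $host . "\n"; ?>
  Browser: <?php echo isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'none'; ?>
 
  PHP Version: <?php echo PHP_VERSION . "\n"; ?>
- MySQL Version: <?php $connection = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); echo mysqli_get_server_info($connection) . "\n"; ?>
+ MySQL Version: <?php echo $wpdb->db_version() . "\n"; ?>
  Web Server Info: <?php echo $_SERVER['SERVER_SOFTWARE'] . "\n"; ?>
 
  WordPress Memory Limit: <?php echo WP_MEMORY_LIMIT."\n"; ?>
@@ -190,7 +190,6 @@ print_r( $conf );
  DATABASE
 
  <?php
- global $wpdb;
  foreach( array( 'fv_player_players', 'fv_player_playermeta', 'fv_player_videos', 'fv_player_videometa' ) AS $table) {
  $found = false;
  $table_name = $wpdb->prefix.$table;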
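Review bot: `$wpdb->db_version()` on new line 90 runs before the point where `global $wpdb;` used to be declared (old line 193, removed in the second hunk), and neither hunk shows a replacement declaration. If this template is included from function scope, `$wpdb` has to be brought in above line 90, for example with `<?php global $wpdb; ?>` near the top of the file. Presumably that was added outside the visible hunks, but it is worth confirming, because a missing declaration turns the system-info screen into a fatal error.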
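--- a/readme.txt
+++ b/readme.txt
@@ -357,6 +357,17 @@ Thank you for being part of the HMTL 5 mobile video revolution!
 
  == Changelog ==
 
+ = 7.3.15.727 - 2019/05/16 =
+
+ * Security - fix for SQL injection vulnerability in email subscription
+ * Security - fix for email subscription CSV export capability available to guest users
+
+ = 7.3.14.727 - 2019/05/14 =
+
+ * Security - fix for XSS vulnerability in email subscription
+ * Audio player - loading indiciator fix
+ * CSS - removing old unused web fonts and graphics
+
  = 7.3.13.727 - 2019/04/30 =
 
  * Ad codes - sensing size of the Google AdSense ad unit, allowing the ad to expand from the player container for maximum ad revenue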