WordPress Button Plugin MaxButtons - Version 9.3

Version Description

  • Fixed minor CSRF issue on settings page
  • Fixed XSS issue with shortcode handling

Release Info

Developer basszje
Version 9.3

Code changes from version 9.2 to 9.3

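--- a/blocks/advanced.php
+++ b/blocks/advanced.php
@@ -91,7 +91,7 @@ class advancedBlock extends maxBlock
  if (isset($data["extra_classes"]) && trim($data["extra_classes"]) != '')
  {
  $extra = trim($data["extra_classes"]);
- $anchor->class .= ' ' . $extra;
+ $anchor->class .= esc_attr(' ' . $extra);
  }
 
  return $domObj;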
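Review bot: esc_attr() on the new line 94 stops attribute break-out but still passes every character other than the HTML-special ones into the class list, and the result is appended to `$anchor->class`, which the DOM object presumably re-serializes; if that serializer escapes attributes itself the entities end up encoded twice. A class list only ever needs the characters sanitize_html_class() allows, so an allowlist per token is both stricter and immune to double-encoding: `$extra = implode(' ', array_map('sanitize_html_class', preg_split('/\s+/', $extra)));` followed by `$anchor->class .= ' ' . $extra;`. Whether `$anchor->class` is escaped again on output is not visible here; confirm against the DOM library used. The enclosing method starts outside the hunk.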
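--- a/blocks/basic.php
+++ b/blocks/basic.php
@@ -175,13 +175,13 @@ class basicBlock extends maxBlock
  $rels[] = 'noopener';
  }
  if (isset($data['link_title']) && strlen($data['link_title']) > 0)
- $anchor->title = $data['link_title'];
+ $anchor->title = esc_attr($data['link_title']);
 
  $rels = apply_filters('mb/button/rel', $rels);
 
  if (count($rels) > 0)
  {
- $anchor->rel = implode(' ', $rels);
+ $anchor->rel = esc_attr(implode(' ', $rels));
  }
 
  if (isset($data["url"]) && $data["url"] != '')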
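Review bot: The hunk escapes `title` and `rel`, but the anchor attribute that matters most for XSS, `href`, is assigned in the `$data["url"]` branch that begins on the last context line and continues outside the hunk, so it cannot be confirmed here that the value goes through esc_url() — which also rejects `javascript:` and other non-allowlisted schemes, something esc_attr() does not do. If it does not, the shortcode-XSS fix this release claims is incomplete: `$anchor->href = esc_url($data["url"]);`. Escaping `$rels` after the `mb/button/rel` filter on line 180 is the right layer, since it also covers values a third-party filter injects. The enclosing method begins and ends outside the hunk.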
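--- a/blocks/meta.php
+++ b/blocks/meta.php
@@ -82,7 +82,7 @@ class metaBlock extends maxBlock
  if (defined("MAXBUTTONS_DEBUG") && MAXBUTTONS_DEBUG):
 
  ?>
- <div class="option-container mb_tab">
+ <div class="option-container mb_tab meta">
  <div class="title"><?php _e('Meta', 'maxbuttons') ?></div>
  <div class="inside">
  <?php foreach($data as $key => $val) {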
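--- a/blocks/text.php
+++ b/blocks/text.php
@@ -124,7 +124,12 @@ class textBlock extends maxBlock
 
  if (isset($data["text"]) && $data["text"] != '' || $mode == 'preview')
  {
- $text = $data['text'];
+ /* $allowed = allowed_tags();
+ $allowed .= ' <br> ';
+ $text = strip_tags($data['text'], $allowed); */
+ $text = (isset($data["text"])) ? $data["text"] : "";
+ $text = esc_html($text);
+ $text = str_replace('\n', '<br>', $text);
  $anchor->innertext = "<span class='mb-text'>" . $text . "</span>";
  }
  return $domObj;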
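Review bot: `'\n'` on line 132 is single-quoted, so str_replace() searches for the two literal characters backslash and n, not a newline; real line breaks in the stored button text will therefore not become `<br>` after esc_html(). If line breaks are expected to be real newlines, use the double-quoted form, `$text = str_replace("\n", '<br>', $text);` (or nl2br()), and if the stored text genuinely carries a literal `\n` sequence, a comment saying so would stop the next reader from "fixing" it. Lines 127–129 are commented-out code and should be deleted rather than kept alongside the esc_html() replacement. Switching from the raw `$data['text']` to esc_html() also changes behaviour for existing buttons that relied on inline HTML in their text, which the changelog entry should say. The enclosing method starts outside the hunk.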
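--- a/classes/button.php
+++ b/classes/button.php
@@ -163,7 +163,7 @@ class maxButton
  if (array_key_exists($block_name, $data)) // strangely isset doesn't work
  {
  $this->data[$block_name] = maybe_unserialize($data[$block_name]); // allow to feed unserialized stuff not from dbase
- if (! is_array($this->data[$block_name]))
+ if (! is_array($this->data[$block_name]) && ! is_null($this->data[$block_name]))
  {
  $this->data[$block_name] = json_decode($data[$block_name], true);
  }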
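Review bot: The new guard on line 166 only skips json_decode() when maybe_unserialize() returned null; when it returns a non-array scalar that is not valid JSON (a plain string, say) json_decode() yields null and `$this->data[$block_name]` is silently set to null, which the old code did too, but the added null check suggests that case now matters. Make the intent explicit: `$decoded = json_decode($data[$block_name], true);` then `$this->data[$block_name] = is_array($decoded) ? $decoded : null;`. Separately, the comment on line 165 says this path accepts data "not from dbase", and maybe_unserialize() hands that data to unserialize(); if it can ever originate from a request that is a PHP object-injection surface, and JSON should be the only serialized form accepted on that path — confirm where callers obtain `$data`. The enclosing method starts and ends outside the hunk.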
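--- a/classes/controllers/settingsController.php
+++ b/classes/controllers/settingsController.php
@@ -21,6 +21,10 @@ class settingsController extends MaxController
 
  public function handlePost()
  {
+ if (! check_admin_referer('action-settings-form', 'maxbuttons-settings-nonce'))
+ {
+ exit('Invalid Nonce');
+ }
  if(isset($_POST['alter_charset'])) {
 
  global $maxbuttons_installed_version;
@@ -40,6 +44,7 @@ class settingsController extends MaxController
  {
  $button = MB()->getClass('button');
  $button->reset_cache();
+ MB()->add_notice('', __('Cache reset', 'maxbuttons'));
 
  }
 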
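Review bot: check_admin_referer() is a CSRF check, not an authorization check, and no capability check is visible in handlePost(): any user who can obtain a valid `maxbuttons-settings-nonce` can trigger the cache reset, the migrations and the ALTER TABLE charset change. Unless the controller is already gated on `manage_options` before this point (not visible in the hunk), add `if (! current_user_can('manage_options')) { wp_die(__('Insufficient permissions', 'maxbuttons')); }` ahead of the nonce check. The `exit('Invalid Nonce')` branch is effectively dead code: check_admin_referer() calls wp_nonce_ays() and dies itself on an invalid nonce rather than returning false, so the branch only documents intent. If handlePost() is also reached on plain GET loads of the settings page, the now-unconditional check will die on every visit — verify the caller. handlePost() continues past the end of the first hunk.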
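--- a/classes/installation.php
+++ b/classes/installation.php
@@ -100,8 +100,9 @@ class maxInstall
  { continue; }
  // procedure from setupdata by button class
  $icondata = maybe_unserialize($item['icon']);
- if (! is_array($icondata) )
+ if (! is_array($icondata) && ! is_null($icondata) )
  {
+
  $icondata = json_decode($icondata, true);
  if (isset($icondata['fa_icon_value']) && strlen($icondata['fa_icon_value']) > 0)
  {
@@ -535,12 +536,11 @@ class maxInstall
 
  $collection_trans_table = maxUtils::get_coltrans_table_name();
  $sql = "CREATE TABLE " . $collection_trans_table . " (
- id int(11) NOT NULL PRIMARY KEY AUTO_INCREMENT,
  name varchar(1000),
  value varchar(255),
- expire int(11)
- );
- ";
+ id int(11) NOT NULL AUTO_INCREMENT,
+ expire int(11),
+ PRIMARY KEY (id) )";
 
  $res = dbDelta($sql);
  }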
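Review bot: The rebuilt CREATE TABLE on lines 538–543 still carries no charset/collation clause and is passed straight to dbDelta() on line 545, so the table inherits the database default instead of `$wpdb->get_charset_collate()`; for a plugin that ships a settings button to convert its tables to UTF-8 afterwards, that is the gap worth closing at creation time. Append it to the statement: `... PRIMARY KEY (id) ) " . $wpdb->get_charset_collate();` with `global $wpdb;` in scope (not visible in the hunk, so it may need adding). Moving PRIMARY KEY onto its own line is the right change for dbDelta(), which expects indexes declared that way and does not handle the inline column form reliably. The enclosing method starts and ends outside the hunk.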
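--- a/includes/maxbuttons-settings.php
+++ b/includes/maxbuttons-settings.php
@@ -9,6 +9,8 @@ $button = MB()->getClass('button'); // To load maxfield templates
  $admin = MB()->getClass('admin');
  $page_title = __("Settings","maxbuttons");
  $admin->get_header(array("tabs_active" => true, "title" => $page_title) );
+
+ $post_nonce_field = wp_nonce_field('action-settings-form', 'maxbuttons-settings-nonce', true, false);
  ?>
 
  <?php maxInstall::migrateResponsive(); ?>
@@ -186,6 +188,7 @@ $admin->get_header(array("tabs_active" => true, "title" => $page_title) );
 
  <form method="POST">
  <input type="hidden" name="reset_cache" value="true" />
+ <?php echo $post_nonce_field ?>
  <div class="option-container">
  <div class="title"><?php _e("Clear button cache","maxbuttons"); ?></div>
  <div class="inside">
@@ -204,6 +207,7 @@ $admin->get_header(array("tabs_active" => true, "title" => $page_title) );
  </div>
 
  <form method="POST">
+ <?php echo $post_nonce_field ?>
  <div class="option-container">
 
  <input type="hidden" name="remigrate" value="true" />
@@ -217,6 +221,7 @@ $admin->get_header(array("tabs_active" => true, "title" => $page_title) );
  </form>
 
  <form method="POST">
+ <?php echo $post_nonce_field ?>
  <div class="option-container">
 
  <input type="hidden" name="remigrateresponsive" value="true" />
@@ -240,6 +245,7 @@ $admin->get_header(array("tabs_active" => true, "title" => $page_title) );
  <h3><?php _e('The button below should help fix the "foreign character issue" some people experience when using MaxButtons. If you use foreign characters in your buttons and after saving see ????, use this button.', 'maxbuttons') ?></h3>
 
  <form action="" method="POST">
+ <?php echo $post_nonce_field ?>
  <input type="submit" name="alter_charset" class="button-primary" value="<?php _e('Change MaxButtons Table To UTF8', 'maxbuttons') ?>" />
  <?php echo (property_exists($view, 'response')) ? $view->response : ''; ?>
  </form>
@@ -252,6 +258,7 @@ $admin->get_header(array("tabs_active" => true, "title" => $page_title) );
 
  <?php if (isset($_GET["show_replace"])): ?>
  <form method="POST">
+ <?php echo $post_nonce_field ?>
  <div class="option-container">
  <?php
  $button = MB()->getClass('button');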
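Review bot: All five forms share one nonce action, `action-settings-form`, so the token does not bind which operation is being submitted and the handler still dispatches purely on whichever `$_POST` key arrives. That is tolerable for a single admin page, but a per-form action string — for example `wp_nonce_field('maxbuttons-settings-alter_charset', 'maxbuttons-settings-nonce', true, false)` for the charset form, checked with the matching action in the controller — keeps a token issued for a cache reset from authorising the ALTER TABLE. Directly below the nonce inserted on line 248, line 250 still echoes `$view->response` unescaped; unless that property is only ever assigned plugin-built HTML, wrap it as `echo wp_kses_post($view->response);`. Generating the field once at the top and reusing it is fine, since wp_nonce_field() with `$echo = false` returns a static string for the request.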
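--- a/maxbuttons.php
+++ b/maxbuttons.php
@@ -3,7 +3,7 @@
  Plugin Name: MaxButtons
  Plugin URI: http://maxbuttons.com
  Description: The best WordPress button generator. This is the free version; the Pro version <a href="http://maxbuttons.com/?ref=mbfree">can be found here</a>.
- Version: 9.2
+ Version: 9.3
  Author: Max Foundry
  Author URI: http://maxfoundry.com
  Text Domain: maxbuttons
@@ -16,9 +16,9 @@ namespace MaxButtons;
  if (! defined('MAXBUTTONS_ROOT_FILE'))
  define("MAXBUTTONS_ROOT_FILE", __FILE__);
  if (! defined('MAXBUTTONS_VERSION_NUM'))
- define('MAXBUTTONS_VERSION_NUM', '9.2');
+ define('MAXBUTTONS_VERSION_NUM', '9.3');
 
- define('MAXBUTTONS_RELEASE',"1 May 2022");
+ define('MAXBUTTONS_RELEASE',"25 July 2022");
 
  if (! function_exists('MaxButtons\maxbutton_double_load'))
  {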
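--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: wordpress button plugin, share button, wordpress buttons, css3 button gene
  Requires at least: 4.8
  Tested up to: 6.0
  Requires PHP: 7.0
- Stable tag: 9.2
+ Stable tag: 9.3
  WordPress button plugin so powerful and easy to use anyone can create beautiful buttons, share buttons and social icons.
 
  == Description ==
@@ -276,6 +276,11 @@ Upgrading to the PRO version is quite simple. Obtain a license key via our [site
 
  == Changelog ==
 
+ = 9.3 =
+
+ * Fixed minor CSRF issue on settings page
+ * Fixed XSS issue with shortcode handling
+
  = 9.2 =
 
  * Works with PHP 8.1 / WordPress 5.9.3+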