Restaurant Reservations - Version 1.4.4

Version Description

This update fixes a low-risk XSS security vulnerability. It is low-risk because in order to exploit this vulnerability a user would need to have access to the bookings management panel in the admin area, which only trusted users should have.


Release Info

Developer NateWr
Version 1.4.4

Code changes from version 1.4.3 to 1.4.4

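--- a/includes/AdminPageSettingLicenseKey.class.php
+++ b/includes/AdminPageSettingLicenseKey.class.php
@@ -342,7 +342,7 @@ class rtbAdminPageSettingLicenseKey {
 if ( is_wp_error( $response ) ) {
 $url = remove_query_arg( array( 'id', 'action' ) );
 $url = add_query_arg( 'license_result', 'response_wp_error', $url );
-header( 'Location: ' . $url );
+header( 'Location: ' . esc_url_raw( $url ) );
 }
 
 $license_data = json_decode( wp_remote_retrieve_body( $response ) );
@@ -369,7 +369,7 @@ class rtbAdminPageSettingLicenseKey {
 $url = add_query_arg( 'result_error', $license_data->error, $url );
 }
 
-header( 'Location: ' . $url );
+header( 'Location: ' . esc_url_raw( $url ) );
 
 }
 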
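Review bot: The redirect in the first hunk's `is_wp_error` branch sets the `Location` header on line 345 but never stops execution, so the method goes on to call `wp_remote_retrieve_body()` on the error object and, in the second hunk (line 372), emits a second `Location` header for the same response; an `exit;` after each `header()` call is still missing after this change. Because the target comes from `remove_query_arg()` with no URL argument, which defaults to the current request URI, the WordPress idiom for these two lines is `wp_safe_redirect( $url ); exit;`, which restricts the redirect to allowed hosts rather than only escaping the string. The enclosing method starts before the first hunk and continues past the second.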
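--- a/includes/WP_List_Table.BookingsTable.class.php
+++ b/includes/WP_List_Table.BookingsTable.class.php
@@ -183,9 +183,9 @@ class rtbBookingsTable extends WP_List_Table {
 $date_range_query_string = remove_query_arg( array( 'date_range', 'start_date', 'end_date' ), $this->query_string );
 
 $views = array(
-'upcoming' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'paged' => FALSE ), remove_query_arg( array( 'date_range' ), $date_range_query_string ) ), $date_range === '' ? ' class="current"' : '', __( 'Upcoming', 'restaurant-reservations' ) ),
-'today' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'date_range' => 'today', 'paged' => FALSE ), $date_range_query_string ), $date_range === 'today' ? ' class="current"' : '', __( 'Today', 'restaurant-reservations' ) ),
-'all' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'date_range' => 'all', 'paged' => FALSE ), $date_range_query_string ), $date_range == 'all' ? ' class="current"' : '', __( 'All', 'restaurant-reservations' ) ),
+'upcoming' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'paged' => FALSE ), remove_query_arg( array( 'date_range' ), $date_range_query_string ) ) ), $date_range === '' ? ' class="current"' : '', __( 'Upcoming', 'restaurant-reservations' ) ),
+'today' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'date_range' => 'today', 'paged' => FALSE ), $date_range_query_string ) ), $date_range === 'today' ? ' class="current"' : '', __( 'Today', 'restaurant-reservations' ) ),
+'all' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'date_range' => 'all', 'paged' => FALSE ), $date_range_query_string ) ), $date_range == 'all' ? ' class="current"' : '', __( 'All', 'restaurant-reservations' ) ),
 );
 
 if ( $date_range == 'custom' ) {
@@ -207,7 +207,7 @@ class rtbBookingsTable extends WP_List_Table {
 <input type="text" id="end-date" name="end_date" class="datepicker" value="<?php echo esc_attr( $this->filter_end_date ); ?>" placeholder="<?php _e( 'End Date', 'restaurant-reservations' ); ?>" />
 <input type="submit" class="button-secondary" value="<?php _e( 'Apply', 'restaurant-reservations' ); ?>"/>
 <?php if( !empty( $start_date ) || !empty( $end_date ) ) : ?>
-<a href="<?php echo add_query_arg( array( 'action' => 'clear_date_filters' ) ); ?>" class="button-secondary"><?php _e( 'Clear Filter', 'restaurant-reservations' ); ?></a>
+<a href="<?php echo esc_url( add_query_arg( array( 'action' => 'clear_date_filters' ) ) ); ?>" class="button-secondary"><?php _e( 'Clear Filter', 'restaurant-reservations' ); ?></a>
 <?php endif; ?>
 </div>
 
@@ -243,11 +243,11 @@ class rtbBookingsTable extends WP_List_Table {
 $current = isset( $_GET['status'] ) ? $_GET['status'] : '';
 
 $views = array(
-'all' => sprintf( '<a href="%s"%s>%s</a>', remove_query_arg( array( 'status', 'paged' ), $this->query_string ), $current === 'all' || $current == '' ? ' class="current"' : '', __( 'All', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['total'] . ')</span>' ),
-'pending' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'status' => 'pending', 'paged' => FALSE ), $this->query_string ), $current === 'pending' ? ' class="current"' : '', __( 'Pending', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['pending'] . ')</span>' ),
-'confirmed' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'status' => 'confirmed', 'paged' => FALSE ), $this->query_string ), $current === 'confirmed' ? ' class="current"' : '', __( 'Confirmed', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['confirmed'] . ')</span>' ),
-'closed' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'status' => 'closed', 'paged' => FALSE ), $this->query_string ), $current === 'closed' ? ' class="current"' : '', __( 'Closed', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['closed'] . ')</span>' ),
-'trash' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'status' => 'trash', 'paged' => FALSE ), $this->query_string ), $current === 'trash' ? ' class="current"' : '', __( 'Trash', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['trash'] . ')</span>' ),
+'all' => sprintf( '<a href="%s"%s>%s</a>', esc_url( remove_query_arg( array( 'status', 'paged' ), $this->query_string ) ), $current === 'all' || $current == '' ? ' class="current"' : '', __( 'All', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['total'] . ')</span>' ),
+'pending' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'status' => 'pending', 'paged' => FALSE ), $this->query_string ) ), $current === 'pending' ? ' class="current"' : '', __( 'Pending', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['pending'] . ')</span>' ),
+'confirmed' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'status' => 'confirmed', 'paged' => FALSE ), $this->query_string ) ), $current === 'confirmed' ? ' class="current"' : '', __( 'Confirmed', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['confirmed'] . ')</span>' ),
+'closed' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'status' => 'closed', 'paged' => FALSE ), $this->query_string ) ), $current === 'closed' ? ' class="current"' : '', __( 'Closed', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['closed'] . ')</span>' ),
+'trash' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'status' => 'trash', 'paged' => FALSE ), $this->query_string ) ), $current === 'trash' ? ' class="current"' : '', __( 'Trash', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['trash'] . ')</span>' ),
 );
 
 return apply_filters( 'rtb_bookings_table_views_status', $views );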
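Review bot: `$current` on line 243 of the third hunk is read straight from `$_GET['status']` with no sanitizing; within the hunk it is only compared with `===`, so the new `esc_url()` calls cover the hrefs but leave that value unbounded if it is reused later in the method, which lies outside the hunk. Reading it as `$current = isset( $_GET['status'] ) ? sanitize_key( $_GET['status'] ) : '';` constrains it at the source. In the first hunk, line 188 tests `$date_range == 'all'` with a loose comparison while the neighbouring `upcoming` and `today` entries use `===`; `$date_range === 'all'` keeps the three entries consistent. The enclosing methods start and end outside the hunks.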
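--- a/readme.txt
+++ b/readme.txt
@@ -3,9 +3,9 @@ Contributors: NateWr
 Author URI: https://github.com/NateWr
 Plugin URL: http://themeofthecrop.com
 Requires at Least: 3.8
-Tested Up To: 4.1
+Tested Up To: 4.2
 Tags: restaurant, reservations, bookings, table bookings, restaurant reservation, table reservation
-Stable tag: 1.4.3
+Stable tag: 1.4.4
 License: GPLv2 or later
 Donate link: http://themeofthecrop.com
 
@@ -102,6 +102,9 @@ I'm working on an addon that will allow you to customize the booking form and ad
 
 == Changelog ==
 
+= 1.4.4 (2015-04-20) =
+* Fix: low-risk XSS security vulnerability with escaped URLs on admin bookings page
+
 = 1.4.3 (2015-04-20) =
 * Add: Datepickers for start/end date filters in admin bookings list
 * Fix: Disabled weekdays get offset when editing bookings
@@ -111,7 +114,6 @@ I'm working on an addon that will allow you to customize the booking form and ad
 * Updated: Dutch and German translations
 * Updated: pickadate.js lib now at v3.5.6
 
-
 = 1.4.2 (2015-03-31) =
 * Fix: Speed issue if licensed addon active
 
@@ -205,6 +207,12 @@ I'm working on an addon that will allow you to customize the booking form and ad
 
 == Upgrade Notice ==
 
+= 1.4.4 =
+This update fixes a low-risk XSS security vulnerability. It is low-risk because in order to exploit this vulnerability a user would need to have access to the bookings management panel in the admin area, which only trusted users should have.
+
+= 1.4.3 =
+This update adds datepickers to the start/end date filters in the admin bookings list and fixes a small error with the filters. It also fixes an issue with disabled weekdays when editing bookings. Dutch and German translation updates.
+
 = 1.4.2 =
 This update is a maintenance release that fixes a couple minor issues, adds French and Italian translations, and includes some under-the-hood changes to support upcoming extensions. 1.4.1-1.4.2 fixes a rare but vital performance issue in the admin.
 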
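--- a/restaurant-reservations.php
+++ b/restaurant-reservations.php
@@ -3,7 +3,7 @@
 * Plugin Name: Restaurant Reservations
 * Plugin URI: http://themeofthecrop.com
 * Description: Accept restaurant reservations and bookings online.
-* Version: 1.4.3
+* Version: 1.4.4
 * Author: Theme of the Crop
 * Author URI: http://themeofthecrop.com
 * License: GNU General Public License v2.0 or later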