Restaurant Reservations - Version 1.4.4

Version Description

This update fixes a low-risk XSS security vulnerability. It is low-risk because exploiting it requires a user who already has access to the bookings management panel in the admin area, which only trusted users should have.


Release Info

Developer NateWr
Version 1.4.4

Code changes from version 1.4.3 to 1.4.4

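--- a/includes/AdminPageSettingLicenseKey.class.php
+++ b/includes/AdminPageSettingLicenseKey.class.php
@@ -342,7 +342,7 @@ class rtbAdminPageSettingLicenseKey {
 if ( is_wp_error( $response ) ) {
 $url = remove_query_arg( array( 'id', 'action' ) );
 $url = add_query_arg( 'license_result', 'response_wp_error', $url );
-header( 'Location: ' . $url );
+header( 'Location: ' . esc_url_raw( $url ) );
 }
 
 $license_data = json_decode( wp_remote_retrieve_body( $response ) );
@@ -369,7 +369,7 @@ class rtbAdminPageSettingLicenseKey {
 $url = add_query_arg( 'result_error', $license_data->error, $url );
 }
 
-header( 'Location: ' . $url );
+header( 'Location: ' . esc_url_raw( $url ) );
 
 }
 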
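Review bot: The `header( 'Location: ... )` on line 345 is still not followed by `exit`, so on the `is_wp_error( $response )` branch execution continues into `json_decode( wp_remote_retrieve_body( $response ) )` on line 348 and on to the second redirect at line 372, which then overrides the first. Terminate after issuing the redirect: `header( 'Location: ' . esc_url_raw( $url ) ); exit;`, or use the WordPress idiom `wp_safe_redirect( $url ); exit;`, which also restricts the target to allowed hosts. `esc_url_raw()` is the correct escaper here rather than `esc_url()`, since a Location header is not HTML and must not have its ampersands entity-encoded. The enclosing method begins outside the hunk, so this is based only on the lines shown.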
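--- a/includes/WP_List_Table.BookingsTable.class.php
+++ b/includes/WP_List_Table.BookingsTable.class.php
@@ -183,9 +183,9 @@ class rtbBookingsTable extends WP_List_Table {
 $date_range_query_string = remove_query_arg( array( 'date_range', 'start_date', 'end_date' ), $this->query_string );
 
 $views = array(
-'upcoming' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'paged' => FALSE ), remove_query_arg( array( 'date_range' ), $date_range_query_string ) ), $date_range === '' ? ' class="current"' : '', __( 'Upcoming', 'restaurant-reservations' ) ),
-'today' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'date_range' => 'today', 'paged' => FALSE ), $date_range_query_string ), $date_range === 'today' ? ' class="current"' : '', __( 'Today', 'restaurant-reservations' ) ),
-'all' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'date_range' => 'all', 'paged' => FALSE ), $date_range_query_string ), $date_range == 'all' ? ' class="current"' : '', __( 'All', 'restaurant-reservations' ) ),
+'upcoming' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'paged' => FALSE ), remove_query_arg( array( 'date_range' ), $date_range_query_string ) ) ), $date_range === '' ? ' class="current"' : '', __( 'Upcoming', 'restaurant-reservations' ) ),
+'today' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'date_range' => 'today', 'paged' => FALSE ), $date_range_query_string ) ), $date_range === 'today' ? ' class="current"' : '', __( 'Today', 'restaurant-reservations' ) ),
+'all' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'date_range' => 'all', 'paged' => FALSE ), $date_range_query_string ) ), $date_range == 'all' ? ' class="current"' : '', __( 'All', 'restaurant-reservations' ) ),
 );
 
 if ( $date_range == 'custom' ) {
@@ -207,7 +207,7 @@ class rtbBookingsTable extends WP_List_Table {
 <input type="text" id="end-date" name="end_date" class="datepicker" value="<?php echo esc_attr( $this->filter_end_date ); ?>" placeholder="<?php _e( 'End Date', 'restaurant-reservations' ); ?>" />
 <input type="submit" class="button-secondary" value="<?php _e( 'Apply', 'restaurant-reservations' ); ?>"/>
 <?php if( !empty( $start_date ) || !empty( $end_date ) ) : ?>
-<a href="<?php echo add_query_arg( array( 'action' => 'clear_date_filters' ) ); ?>" class="button-secondary"><?php _e( 'Clear Filter', 'restaurant-reservations' ); ?></a>
+<a href="<?php echo esc_url( add_query_arg( array( 'action' => 'clear_date_filters' ) ) ); ?>" class="button-secondary"><?php _e( 'Clear Filter', 'restaurant-reservations' ); ?></a>
 <?php endif; ?>
 </div>
 
@@ -243,11 +243,11 @@ class rtbBookingsTable extends WP_List_Table {
 $current = isset( $_GET['status'] ) ? $_GET['status'] : '';
 
 $views = array(
-'all' => sprintf( '<a href="%s"%s>%s</a>', remove_query_arg( array( 'status', 'paged' ), $this->query_string ), $current === 'all' || $current == '' ? ' class="current"' : '', __( 'All', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['total'] . ')</span>' ),
-'pending' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'status' => 'pending', 'paged' => FALSE ), $this->query_string ), $current === 'pending' ? ' class="current"' : '', __( 'Pending', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['pending'] . ')</span>' ),
-'confirmed' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'status' => 'confirmed', 'paged' => FALSE ), $this->query_string ), $current === 'confirmed' ? ' class="current"' : '', __( 'Confirmed', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['confirmed'] . ')</span>' ),
-'closed' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'status' => 'closed', 'paged' => FALSE ), $this->query_string ), $current === 'closed' ? ' class="current"' : '', __( 'Closed', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['closed'] . ')</span>' ),
-'trash' => sprintf( '<a href="%s"%s>%s</a>', add_query_arg( array( 'status' => 'trash', 'paged' => FALSE ), $this->query_string ), $current === 'trash' ? ' class="current"' : '', __( 'Trash', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['trash'] . ')</span>' ),
+'all' => sprintf( '<a href="%s"%s>%s</a>', esc_url( remove_query_arg( array( 'status', 'paged' ), $this->query_string ) ), $current === 'all' || $current == '' ? ' class="current"' : '', __( 'All', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['total'] . ')</span>' ),
+'pending' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'status' => 'pending', 'paged' => FALSE ), $this->query_string ) ), $current === 'pending' ? ' class="current"' : '', __( 'Pending', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['pending'] . ')</span>' ),
+'confirmed' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'status' => 'confirmed', 'paged' => FALSE ), $this->query_string ) ), $current === 'confirmed' ? ' class="current"' : '', __( 'Confirmed', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['confirmed'] . ')</span>' ),
+'closed' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'status' => 'closed', 'paged' => FALSE ), $this->query_string ) ), $current === 'closed' ? ' class="current"' : '', __( 'Closed', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['closed'] . ')</span>' ),
+'trash' => sprintf( '<a href="%s"%s>%s</a>', esc_url( add_query_arg( array( 'status' => 'trash', 'paged' => FALSE ), $this->query_string ) ), $current === 'trash' ? ' class="current"' : '', __( 'Trash', 'restaurant-reservations' ) . ' <span class="count">(' . $this->booking_counts['trash'] . ')</span>' ),
 );
 
 return apply_filters( 'rtb_bookings_table_views_status', $views );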
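Review bot: The new view links on lines 246–250 correctly wrap the `add_query_arg()`/`remove_query_arg()` output in `esc_url()`, which is the right escaper for an `href` attribute, but the count values `$this->booking_counts['total']`, `['pending']`, etc. concatenated into the same markup on those lines are still unescaped; unless they are guaranteed integers, cast them at the point of output, e.g. `(int) $this->booking_counts['pending']`. `add_query_arg()` and `remove_query_arg()` called without a URL argument build on `$_SERVER['REQUEST_URI']`, so any other place this class echoes their result outside these hunks needs the same `esc_url()` treatment. As a style point in the new line 188, `$date_range == 'all'` uses loose comparison while the neighbouring checks on 186–187 use `===`; `$date_range === 'all'` keeps them consistent. The methods these hunks belong to begin and end outside the hunks, so this covers only the lines shown.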
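--- a/readme.txt
+++ b/readme.txt
@@ -3,9 +3,9 @@ Contributors: NateWr
 Author URI: https://github.com/NateWr
 Plugin URL: http://themeofthecrop.com
 Requires at Least: 3.8
-Tested Up To: 4.1
+Tested Up To: 4.2
 Tags: restaurant, reservations, bookings, table bookings, restaurant reservation, table reservation
-Stable tag: 1.4.3
+Stable tag: 1.4.4
 License: GPLv2 or later
 Donate link: http://themeofthecrop.com
 
@@ -102,6 +102,9 @@ I'm working on an addon that will allow you to customize the booking form and ad
 
 == Changelog ==
 
+= 1.4.4 (2015-04-20) =
+* Fix: low-risk XSS security vulnerability with escaped URLs on admin bookings page
+
 = 1.4.3 (2015-04-20) =
 * Add: Datepickers for start/end date filters in admin bookings list
 * Fix: Disabled weekdays get offset when editing bookings
@@ -111,7 +114,6 @@ I'm working on an addon that will allow you to customize the booking form and ad
 * Updated: Dutch and German translations
 * Updated: pickadate.js lib now at v3.5.6
 
-
 = 1.4.2 (2015-03-31) =
 * Fix: Speed issue if licensed addon active
 
@@ -205,6 +207,12 @@ I'm working on an addon that will allow you to customize the booking form and ad
 
 == Upgrade Notice ==
 
+= 1.4.4 =
+This update fixes a low-risk XSS security vulnerability. It is low-risk because in order to exploit this vulnerability a user would need to have access to the bookings management panel in the admin area, which only trusted users should have.
+
+= 1.4.3 =
+This update adds datepickers to the start/end date filters in the admin bookings list and fixes a small error with the filters. It also fixes an issue with disabled weekdays when editing bookings. Dutch and German translation updates.
+
 = 1.4.2 =
 This update is a maintenance release that fixes a couple minor issues, adds French and Italian translations, and includes some under-the-hood changes to support upcoming extensions. 1.4.1-1.4.2 fixes a rare but vital performance issue in the admin.
 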
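--- a/restaurant-reservations.php
+++ b/restaurant-reservations.php
@@ -3,7 +3,7 @@
 * Plugin Name: Restaurant Reservations
 * Plugin URI: http://themeofthecrop.com
 * Description: Accept restaurant reservations and bookings online.
-* Version: 1.4.3
+* Version: 1.4.4
 * Author: Theme of the Crop
 * Author URI: http://themeofthecrop.com
 * License: GNU General Public License v2.0 or later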