Version Description
- Another security fix. WPScan notified me of a potential security vunerability where high privilege users (with a role of 'Editor' and above) could perform Cross-Site Scripting attacks by inserting malicious scripts within slide content. Fixed by using 'wp_kses_post()' function to sanitise slide content before updating sliders.
Download this release
Release Info
| Developer | simonpedge |
| Plugin |  Slide Anything – Responsive Content / HTML Slider and Carousel |
| Version | 2.3.44 |
| Comparing to | |
| See all releases | |
Code changes from version 2.3.43 to 2.3.44
- php/slide-anything-admin.php +5 -2
- readme.txt +6 -0
- slide-anything.php +1 -1
php/slide-anything-admin.php
CHANGED
|
@@ -2177,6 +2177,7 @@ function cpt_slider_style_content($post) {
|
|
| 2177 |
echo "</div>\n";
|
| 2178 |
|
| 2179 |
// Strip JavaScript from Content
|
|
|
|
| 2180 |
$tooltip = 'Remove JavaScript (<script> tags) from slide content for extra security.';
|
| 2181 |
echo "<div class='sa_window_onload_line'>";
|
| 2182 |
echo "<span class='sa_tooltip' title='".$tooltip."'></span><span style='min-width:160px;'>Remove JavaScript Content:</span>";
|
|
@@ -2186,6 +2187,7 @@ function cpt_slider_style_content($post) {
|
|
| 2186 |
echo "<input type='checkbox' id='sa_strip_javascript' name='sa_strip_javascript' value='1'/>";
|
| 2187 |
}
|
| 2188 |
echo "</div>\n";
|
|
|
|
| 2189 |
|
| 2190 |
// Enable Lazy Load Images
|
| 2191 |
// ##### REMOVE LAZY LOAD IMAGES FEATURE (WHICH IS NOW INCLUDED IN WP 5.5) #####
|
|
@@ -2555,8 +2557,8 @@ function cpt_slider_save_postdata() {
|
|
| 2555 |
$slide_popup_bgcol = "sa_slide".$i."_popup_bgcol";
|
| 2556 |
$slide_popup_width = "sa_slide".$i."_popup_width";
|
| 2557 |
}
|
| 2558 |
-
|
| 2559 |
-
$slide_content =
|
| 2560 |
$slide_image_id_val = abs(intval($_POST[$slide_image_id])); // SANATIZE
|
| 2561 |
$slide_image_pos_val = sanitize_text_field($_POST[$slide_image_pos]); // SANATIZE
|
| 2562 |
$slide_image_size_val = sanitize_text_field($_POST[$slide_image_size]); // SANATIZE
|
|
@@ -2925,6 +2927,7 @@ function cpt_slider_save_postdata() {
|
|
| 2925 |
} else {
|
| 2926 |
$other_settings .= "0";
|
| 2927 |
}
|
|
|
|
| 2928 |
if (isset($_POST['sa_strip_javascript']) && ($_POST['sa_strip_javascript'] == '1')) {
|
| 2929 |
$other_settings .= "|1";
|
| 2930 |
} else {
|
| 2177 |
echo "</div>\n";
|
| 2178 |
|
| 2179 |
// Strip JavaScript from Content
|
| 2180 |
+
/*
|
| 2181 |
$tooltip = 'Remove JavaScript (<script> tags) from slide content for extra security.';
|
| 2182 |
echo "<div class='sa_window_onload_line'>";
|
| 2183 |
echo "<span class='sa_tooltip' title='".$tooltip."'></span><span style='min-width:160px;'>Remove JavaScript Content:</span>";
|
| 2187 |
echo "<input type='checkbox' id='sa_strip_javascript' name='sa_strip_javascript' value='1'/>";
|
| 2188 |
}
|
| 2189 |
echo "</div>\n";
|
| 2190 |
+
*/
|
| 2191 |
|
| 2192 |
// Enable Lazy Load Images
|
| 2193 |
// ##### REMOVE LAZY LOAD IMAGES FEATURE (WHICH IS NOW INCLUDED IN WP 5.5) #####
|
| 2557 |
$slide_popup_bgcol = "sa_slide".$i."_popup_bgcol";
|
| 2558 |
$slide_popup_width = "sa_slide".$i."_popup_width";
|
| 2559 |
}
|
| 2560 |
+
$slide_content = wp_kses_post($_POST[$slide_edit_id]); // SANATIZE
|
| 2561 |
+
$slide_content = $slide_content; // FIX MISSING CLOSING TAGS
|
| 2562 |
$slide_image_id_val = abs(intval($_POST[$slide_image_id])); // SANATIZE
|
| 2563 |
$slide_image_pos_val = sanitize_text_field($_POST[$slide_image_pos]); // SANATIZE
|
| 2564 |
$slide_image_size_val = sanitize_text_field($_POST[$slide_image_size]); // SANATIZE
|
| 2927 |
} else {
|
| 2928 |
$other_settings .= "0";
|
| 2929 |
}
|
| 2930 |
+
$_POST['sa_strip_javascript'] = 0;
|
| 2931 |
if (isset($_POST['sa_strip_javascript']) && ($_POST['sa_strip_javascript'] == '1')) {
|
| 2932 |
$other_settings .= "|1";
|
| 2933 |
} else {
|
readme.txt
CHANGED
|
@@ -98,6 +98,9 @@ Adding a SLIDE ANYTHING slider using the WordPress 5.0 'Block Editor' is pretty
|
|
| 98 |
|
| 99 |
== Changelog ==
|
| 100 |
|
|
|
|
|
|
|
|
|
|
| 101 |
= 2.3.43 =
|
| 102 |
* Fixed a code syntax error in the security fix I did in release 2.3.41 (oops!)
|
| 103 |
|
|
@@ -752,3 +755,6 @@ Adding a SLIDE ANYTHING slider using the WordPress 5.0 'Block Editor' is pretty
|
|
| 752 |
|
| 753 |
= 2.3.43 =
|
| 754 |
* Fixed a code syntax error in the security fix I did in release 2.3.41 (oops!)
|
|
|
|
|
|
|
|
|
| 98 |
|
| 99 |
== Changelog ==
|
| 100 |
|
| 101 |
+
= 2.3.44 =
|
| 102 |
+
* Another security fix. WPScan notified me of a potential security vunerability where high privilege users (with a role of 'Editor' and above) could perform Cross-Site Scripting attacks by inserting malicious scripts within slide content. Fixed by using 'wp_kses_post()' function to sanitise slide content before updating sliders.
|
| 103 |
+
|
| 104 |
= 2.3.43 =
|
| 105 |
* Fixed a code syntax error in the security fix I did in release 2.3.41 (oops!)
|
| 106 |
|
| 755 |
|
| 756 |
= 2.3.43 =
|
| 757 |
* Fixed a code syntax error in the security fix I did in release 2.3.41 (oops!)
|
| 758 |
+
|
| 759 |
+
= 2.3.44 =
|
| 760 |
+
* Another security fix. WPScan notified me of a potential security vunerability where high privilege users (with a role of 'Editor' and above) could perform Cross-Site Scripting attacks by inserting malicious scripts within slide content. Fixed by using 'wp_kses_post()' function to sanitise slide content before updating sliders.
|
slide-anything.php
CHANGED
|
@@ -4,7 +4,7 @@
|
|
| 4 |
* Plugin URI: https://wordpress.org/plugins/slide-anything/
|
| 5 |
* Description: Slide Anything allows you to create a carousel/slider where the content for each slide can be anything you want - images, text, HTML, and even shortcodes. This plugin uses the Owl Carousel jQuery plugin, and lets you create beautiful, touch enabled, responsive carousels and sliders.
|
| 6 |
* Author: Simon Edge
|
| 7 |
-
* Version: 2.3.
|
| 8 |
* License: GPLv2 or later
|
| 9 |
*/
|
| 10 |
|
| 4 |
* Plugin URI: https://wordpress.org/plugins/slide-anything/
|
| 5 |
* Description: Slide Anything allows you to create a carousel/slider where the content for each slide can be anything you want - images, text, HTML, and even shortcodes. This plugin uses the Owl Carousel jQuery plugin, and lets you create beautiful, touch enabled, responsive carousels and sliders.
|
| 6 |
* Author: Simon Edge
|
| 7 |
+
* Version: 2.3.44
|
| 8 |
* License: GPLv2 or later
|
| 9 |
*/
|
| 10 |
|
