WordPress File Upload - Version 4.3.3

Version Description

  • all shortcode attributes are now sanitized correctly, closing a serious security hole

Release Info

Developer nickboss
Version 4.3.3

Code changes from version 4.3.2 to 4.3.3

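--- a/lib/wfu_ajaxactions.php
+++ b/lib/wfu_ajaxactions.php
@@ -74,7 +74,7 @@ function wfu_ajax_action_send_email_notification() {
  foreach ( $userdata_fields as $userdata_key => $userdata_field )
  $userdata_fields[$userdata_key]["value"] = "";
  //then retrieve userdata from session if files exist
- if ( $all_files_count > 0 ) {
+ if ( $all_files_count > 0 && WFU_USVAR_exists("filedata_".$uniqueid) && is_array(WFU_USVAR("filedata_".$uniqueid)) ) {
  foreach ( WFU_USVAR("filedata_".$uniqueid) as $file ) {
  if ( isset($file["user_data"]) ) {
  $userdata_fields = array();
@@ -308,6 +308,8 @@ function wfu_ajax_action_save_shortcode() {
  $shortcode_position = wfu_sanitize_int($_POST['shortcode_position']);
  $shortcode_tag = wfu_sanitize_tag($_POST['shortcode_tag']);
  $widget_id = sanitize_text_field($_POST['widget_id']);
+
+ $shortcode = wfu_sanitize_shortcode(wfu_plugin_decode_string($shortcode), $shortcode_tag);
 
  if ( $post_id == "" && $widget_id == "" ) {
  die();
@@ -320,7 +322,7 @@ function wfu_ajax_action_save_shortcode() {
  if ( $post_id != "" && !wfu_check_edit_shortcode($data) ) $echo_str = "wfu_save_shortcode:fail:post_modified";
  else {
  if ( $widget_id == "" ) {
- $new_shortcode = "[".$shortcode_tag." ".wfu_plugin_decode_string($shortcode)."]";
+ $new_shortcode = "[".$shortcode_tag." ".$shortcode."]";
  if ( wfu_replace_shortcode($data, $new_shortcode) ) {
  $post = get_post($post_id);
  $hash = hash('md5', $post->post_content);
@@ -335,7 +337,7 @@ function wfu_ajax_action_save_shortcode() {
  $widget_sidebar = is_active_widget(false, $widget_id, "wordpress_file_upload_widget");
  if ( !$widget_sidebar ) $echo_str = "wfu_save_shortcode:fail:post_update_failed";
  else {
- $widget_obj->update_external(wfu_plugin_decode_string($shortcode));
+ $widget_obj->update_external($shortcode);
  $hash = $data['post_hash'];
  $echo_str = "wfu_save_shortcode:success:".$hash;
  }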
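Review bot: The sanitised `$shortcode` computed at new line 312 is embedded verbatim at lines 325 and 340, yet nothing in the hunk records what `wfu_sanitize_shortcode()` guarantees — whether invalid attributes are dropped or the whole value rejected, and whether it can return an empty string, which would produce `[tag ]` on line 325. A one-line comment at the call site stating that contract (presumably it is backed by the per-attribute `validator` keys this same commit adds to `wfu_attribute_definitions()`, but that is not visible here) would tie the two halves of the fix together and make explicit that both the post branch and the widget branch rely on it with no further check. Separately, at line 77 the session value is read twice, once in the `is_array()` guard and again in the `foreach`; assigning it once, `$filedata = WFU_USVAR("filedata_".$uniqueid);`, and iterating over that local reads more clearly. wfu_ajax_action_save_shortcode's body starts and ends outside these hunks.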
lib/wfu_attributes.php CHANGED
@@ -711,6 +711,7 @@ function wfu_attribute_definitions() {
711
  "name" => "Widget ID",
712
  "attribute" => "widgetid",
713
  "type" => "hidden",
 
714
  "listitems" => null,
715
  "value" => "",
716
  "mode" => "free",
@@ -725,6 +726,7 @@ function wfu_attribute_definitions() {
725
  "name" => "Plugin ID",
726
  "attribute" => "uploadid",
727
  "type" => "integer",
 
728
  "listitems" => null,
729
  "value" => WFU_VAR("WFU_UPLOADID"),
730
  "mode" => "free",
@@ -739,6 +741,7 @@ function wfu_attribute_definitions() {
739
  "name" => "Single Button Operation",
740
  "attribute" => "singlebutton",
741
  "type" => "onoff",
 
742
  "listitems" => null,
743
  "value" => WFU_VAR("WFU_SINGLEBUTTON"),
744
  "mode" => "free",
@@ -753,6 +756,7 @@ function wfu_attribute_definitions() {
753
  "name" => "Upload Path",
754
  "attribute" => "uploadpath",
755
  "type" => "ltext",
 
756
  "listitems" => null,
757
  "value" => WFU_VAR("WFU_UPLOADPATH"),
758
  "mode" => "free",
@@ -767,6 +771,7 @@ function wfu_attribute_definitions() {
767
  "name" => "Plugin Fit Mode",
768
  "attribute" => "fitmode",
769
  "type" => "radio",
 
770
  "listitems" => array("fixed", "responsive"),
771
  "value" => WFU_VAR("WFU_FITMODE"),
772
  "mode" => "free",
@@ -781,6 +786,7 @@ function wfu_attribute_definitions() {
781
  "name" => "Allow No File",
782
  "attribute" => "allownofile",
783
  "type" => "onoff",
 
784
  "listitems" => null,
785
  "value" => WFU_VAR("WFU_ALLOWNOFILE"),
786
  "mode" => "free",
@@ -795,6 +801,7 @@ function wfu_attribute_definitions() {
795
  "name" => "Upload Roles",
796
  "attribute" => "uploadrole",
797
  "type" => "rolelist",
 
798
  "listitems" => array("default_administrator"),
799
  "value" => WFU_VAR("WFU_UPLOADROLE"),
800
  "mode" => "free",
@@ -809,6 +816,7 @@ function wfu_attribute_definitions() {
809
  "name" => "Allowed File Extensions",
810
  "attribute" => "uploadpatterns",
811
  "type" => "text",
 
812
  "listitems" => null,
813
  "value" => WFU_VAR("WFU_UPLOADPATTERNS"),
814
  "mode" => "free",
@@ -823,6 +831,7 @@ function wfu_attribute_definitions() {
823
  "name" => "Allowed File Size",
824
  "attribute" => "maxsize",
825
  "type" => "float",
 
826
  "listitems" => null,
827
  "value" => WFU_VAR("WFU_MAXSIZE"),
828
  "mode" => "free",
@@ -837,6 +846,7 @@ function wfu_attribute_definitions() {
837
  "name" => "Create Upload Path",
838
  "attribute" => "createpath",
839
  "type" => "onoff",
 
840
  "listitems" => null,
841
  "value" => WFU_VAR("WFU_CREATEPATH"),
842
  "mode" => "free",
@@ -851,6 +861,7 @@ function wfu_attribute_definitions() {
851
  "name" => "Do Not Change Filename",
852
  "attribute" => "forcefilename",
853
  "type" => "onoff",
 
854
  "listitems" => null,
855
  "value" => WFU_VAR("WFU_FORCEFILENAME"),
856
  "mode" => "free",
@@ -865,6 +876,7 @@ function wfu_attribute_definitions() {
865
  "name" => "Folder Access Method",
866
  "attribute" => "accessmethod",
867
  "type" => "radio",
 
868
  "listitems" => array("normal", "*ftp"),
869
  "value" => WFU_VAR("WFU_ACCESSMETHOD"),
870
  "mode" => "free",
@@ -879,6 +891,7 @@ function wfu_attribute_definitions() {
879
  "name" => "FTP Access Credentials",
880
  "attribute" => "ftpinfo",
881
  "type" => "ltext",
 
882
  "listitems" => null,
883
  "value" => WFU_VAR("WFU_FTPINFO"),
884
  "mode" => "free",
@@ -893,6 +906,7 @@ function wfu_attribute_definitions() {
893
  "name" => "Use FTP Domain",
894
  "attribute" => "useftpdomain",
895
  "type" => "onoff",
 
896
  "listitems" => null,
897
  "value" => WFU_VAR("WFU_USEFTPDOMAIN"),
898
  "mode" => "free",
@@ -907,6 +921,7 @@ function wfu_attribute_definitions() {
907
  "name" => "FTP Passive Mode",
908
  "attribute" => "ftppassivemode",
909
  "type" => "onoff",
 
910
  "listitems" => null,
911
  "value" => WFU_VAR("WFU_FTPPASSIVEMODE"),
912
  "mode" => "free",
@@ -921,6 +936,7 @@ function wfu_attribute_definitions() {
921
  "name" => "Permissions of Uploaded File",
922
  "attribute" => "ftpfilepermissions",
923
  "type" => "text",
 
924
  "listitems" => null,
925
  "value" => WFU_VAR("WFU_FTPFILEPERMISSIONS"),
926
  "mode" => "free",
@@ -935,6 +951,7 @@ function wfu_attribute_definitions() {
935
  "name" => "Show Upload Folder Path",
936
  "attribute" => "showtargetfolder",
937
  "type" => "onoff",
 
938
  "listitems" => null,
939
  "value" => WFU_VAR("WFU_SHOWTARGETFOLDER"),
940
  "mode" => "free",
@@ -949,6 +966,7 @@ function wfu_attribute_definitions() {
949
  "name" => "Select Subfolder",
950
  "attribute" => "askforsubfolders",
951
  "type" => "onoff",
 
952
  "listitems" => null,
953
  "value" => WFU_VAR("WFU_ASKFORSUBFOLDERS"),
954
  "mode" => "free",
@@ -963,6 +981,7 @@ function wfu_attribute_definitions() {
963
  "name" => "List of Subfolders",
964
  "attribute" => "subfoldertree",
965
  "type" => "folderlist",
 
966
  "listitems" => null,
967
  "value" => WFU_VAR("WFU_SUBFOLDERTREE"),
968
  "mode" => "free",
@@ -977,6 +996,7 @@ function wfu_attribute_definitions() {
977
  "name" => "File Duplicates Policy",
978
  "attribute" => "duplicatespolicy",
979
  "type" => "radio",
 
980
  "listitems" => array("overwrite", "reject", "*maintain both"),
981
  "value" => WFU_VAR("WFU_DUBLICATESPOLICY"),
982
  "mode" => "free",
@@ -991,6 +1011,7 @@ function wfu_attribute_definitions() {
991
  "name" => "File Rename Rule",
992
  "attribute" => "uniquepattern",
993
  "type" => "radio",
 
994
  "listitems" => array("index", "datetimestamp"),
995
  "value" => WFU_VAR("WFU_UNIQUEPATTERN"),
996
  "mode" => "free",
@@ -1005,6 +1026,7 @@ function wfu_attribute_definitions() {
1005
  "name" => "Redirect after Upload",
1006
  "attribute" => "redirect",
1007
  "type" => "onoff",
 
1008
  "listitems" => null,
1009
  "value" => WFU_VAR("WFU_REDIRECT"),
1010
  "mode" => "free",
@@ -1019,6 +1041,7 @@ function wfu_attribute_definitions() {
1019
  "name" => "Redirection URL",
1020
  "attribute" => "redirectlink",
1021
  "type" => "ltext",
 
1022
  "listitems" => null,
1023
  "value" => WFU_VAR("WFU_REDIRECTLINK"),
1024
  "mode" => "free",
@@ -1033,6 +1056,7 @@ function wfu_attribute_definitions() {
1033
  "name" => "Show Detailed Admin Messages",
1034
  "attribute" => "adminmessages",
1035
  "type" => "onoff",
 
1036
  "listitems" => null,
1037
  "value" => WFU_VAR("WFU_ADMINMESSAGES"),
1038
  "mode" => "free",
@@ -1047,6 +1071,7 @@ function wfu_attribute_definitions() {
1047
  "name" => "Disable AJAX",
1048
  "attribute" => "forceclassic",
1049
  "type" => "onoff",
 
1050
  "listitems" => null,
1051
  "value" => WFU_VAR("WFU_FORCECLASSIC"),
1052
  "mode" => "free",
@@ -1061,6 +1086,7 @@ function wfu_attribute_definitions() {
1061
  "name" => "Test Mode",
1062
  "attribute" => "testmode",
1063
  "type" => "onoff",
 
1064
  "listitems" => null,
1065
  "value" => WFU_VAR("WFU_TESTMODE"),
1066
  "mode" => "free",
@@ -1075,6 +1101,7 @@ function wfu_attribute_definitions() {
1075
  "name" => "Debug Mode",
1076
  "attribute" => "debugmode",
1077
  "type" => "onoff",
 
1078
  "listitems" => null,
1079
  "value" => WFU_VAR("WFU_DEBUGMODE"),
1080
  "mode" => "free",
@@ -1089,6 +1116,7 @@ function wfu_attribute_definitions() {
1089
  "name" => "Plugin Component Positions",
1090
  "attribute" => "placements",
1091
  "type" => "placements",
 
1092
  "listitems" => null,
1093
  "value" => WFU_VAR("WFU_PLACEMENTS"),
1094
  "mode" => "free",
@@ -1103,6 +1131,7 @@ function wfu_attribute_definitions() {
1103
  "name" => "Plugin Title",
1104
  "attribute" => "uploadtitle",
1105
  "type" => "text",
 
1106
  "listitems" => null,
1107
  "value" => WFU_UPLOADTITLE,
1108
  "mode" => "free",
@@ -1117,6 +1146,7 @@ function wfu_attribute_definitions() {
1117
  "name" => "Select Button Caption",
1118
  "attribute" => "selectbutton",
1119
  "type" => "text",
 
1120
  "listitems" => null,
1121
  "value" => WFU_SELECTBUTTON,
1122
  "mode" => "free",
@@ -1131,6 +1161,7 @@ function wfu_attribute_definitions() {
1131
  "name" => "Upload Button Caption",
1132
  "attribute" => "uploadbutton",
1133
  "type" => "text",
 
1134
  "listitems" => null,
1135
  "value" => WFU_UPLOADBUTTON,
1136
  "mode" => "free",
@@ -1145,6 +1176,7 @@ function wfu_attribute_definitions() {
1145
  "name" => "Upload Folder Label",
1146
  "attribute" => "targetfolderlabel",
1147
  "type" => "text",
 
1148
  "listitems" => null,
1149
  "value" => WFU_VAR("WFU_TARGETFOLDERLABEL"),
1150
  "mode" => "free",
@@ -1159,6 +1191,7 @@ function wfu_attribute_definitions() {
1159
  "name" => "Select Subfolder Label",
1160
  "attribute" => "subfolderlabel",
1161
  "type" => "text",
 
1162
  "listitems" => null,
1163
  "value" => WFU_VAR("WFU_SUBFOLDERLABEL"),
1164
  "mode" => "free",
@@ -1173,6 +1206,7 @@ function wfu_attribute_definitions() {
1173
  "name" => "Success Upload Message",
1174
  "attribute" => "successmessage",
1175
  "type" => "ltext",
 
1176
  "listitems" => null,
1177
  "value" => WFU_SUCCESSMESSAGE,
1178
  "mode" => "free",
@@ -1187,6 +1221,7 @@ function wfu_attribute_definitions() {
1187
  "name" => "Warning Upload Message",
1188
  "attribute" => "warningmessage",
1189
  "type" => "ltext",
 
1190
  "listitems" => null,
1191
  "value" => WFU_WARNINGMESSAGE,
1192
  "mode" => "free",
@@ -1201,6 +1236,7 @@ function wfu_attribute_definitions() {
1201
  "name" => "Error Upload Message",
1202
  "attribute" => "errormessage",
1203
  "type" => "ltext",
 
1204
  "listitems" => null,
1205
  "value" => WFU_ERRORMESSAGE,
1206
  "mode" => "free",
@@ -1215,6 +1251,7 @@ function wfu_attribute_definitions() {
1215
  "name" => "Wait Upload Message",
1216
  "attribute" => "waitmessage",
1217
  "type" => "ltext",
 
1218
  "listitems" => null,
1219
  "value" => WFU_WAITMESSAGE,
1220
  "mode" => "free",
@@ -1229,6 +1266,7 @@ function wfu_attribute_definitions() {
1229
  "name" => "Upload Media Button Caption",
1230
  "attribute" => "uploadmediabutton",
1231
  "type" => "text",
 
1232
  "listitems" => null,
1233
  "value" => WFU_UPLOADMEDIABUTTON,
1234
  "mode" => "free",
@@ -1243,6 +1281,7 @@ function wfu_attribute_definitions() {
1243
  "name" => "Video Filename",
1244
  "attribute" => "videoname",
1245
  "type" => "text",
 
1246
  "listitems" => null,
1247
  "value" => WFU_VIDEONAME,
1248
  "mode" => "free",
@@ -1257,6 +1296,7 @@ function wfu_attribute_definitions() {
1257
  "name" => "Image Filename",
1258
  "attribute" => "imagename",
1259
  "type" => "text",
 
1260
  "listitems" => null,
1261
  "value" => WFU_IMAGENAME,
1262
  "mode" => "free",
@@ -1271,6 +1311,7 @@ function wfu_attribute_definitions() {
1271
  "name" => "Required Fields Suffix",
1272
  "attribute" => "requiredlabel",
1273
  "type" => "text",
 
1274
  "listitems" => null,
1275
  "value" => WFU_USERDATA_REQUIREDLABEL,
1276
  "mode" => "free",
@@ -1285,6 +1326,7 @@ function wfu_attribute_definitions() {
1285
  "name" => "Notify by Email",
1286
  "attribute" => "notify",
1287
  "type" => "onoff",
 
1288
  "listitems" => null,
1289
  "value" => WFU_VAR("WFU_NOTIFY"),
1290
  "mode" => "free",
@@ -1299,6 +1341,7 @@ function wfu_attribute_definitions() {
1299
  "name" => "Email Recipients",
1300
  "attribute" => "notifyrecipients",
1301
  "type" => "mtext",
 
1302
  "listitems" => null,
1303
  "value" => WFU_VAR("WFU_NOTIFYRECIPIENTS"),
1304
  "mode" => "free",
@@ -1313,6 +1356,7 @@ function wfu_attribute_definitions() {
1313
  "name" => "Email Headers",
1314
  "attribute" => "notifyheaders",
1315
  "type" => "mtext",
 
1316
  "listitems" => null,
1317
  "value" => WFU_VAR("WFU_NOTIFYHEADERS"),
1318
  "mode" => "free",
@@ -1327,6 +1371,7 @@ function wfu_attribute_definitions() {
1327
  "name" => "Email Subject",
1328
  "attribute" => "notifysubject",
1329
  "type" => "ltext",
 
1330
  "listitems" => null,
1331
  "value" => WFU_NOTIFYSUBJECT,
1332
  "mode" => "free",
@@ -1341,6 +1386,7 @@ function wfu_attribute_definitions() {
1341
  "name" => "Email Body",
1342
  "attribute" => "notifymessage",
1343
  "type" => "mtext",
 
1344
  "listitems" => null,
1345
  "value" => WFU_NOTIFYMESSAGE,
1346
  "mode" => "free",
@@ -1355,6 +1401,7 @@ function wfu_attribute_definitions() {
1355
  "name" => "Attach Uploaded Files",
1356
  "attribute" => "attachfile",
1357
  "type" => "onoff",
 
1358
  "listitems" => null,
1359
  "value" => WFU_VAR("WFU_ATTACHFILE"),
1360
  "mode" => "free",
@@ -1369,6 +1416,7 @@ function wfu_attribute_definitions() {
1369
  "name" => "Success Upload Message Color",
1370
  "attribute" => "successmessagecolor",
1371
  "type" => "hidden",
 
1372
  "listitems" => null,
1373
  "value" => WFU_SUCCESSMESSAGECOLOR,
1374
  "mode" => "free",
@@ -1383,6 +1431,7 @@ function wfu_attribute_definitions() {
1383
  "name" => "Success Message Colors",
1384
  "attribute" => "successmessagecolors",
1385
  "type" => "color-triplet",
 
1386
  "listitems" => null,
1387
  "value" => WFU_VAR("WFU_SUCCESSMESSAGECOLORS"),
1388
  "mode" => "free",
@@ -1397,6 +1446,7 @@ function wfu_attribute_definitions() {
1397
  "name" => "Warning Message Colors",
1398
  "attribute" => "warningmessagecolors",
1399
  "type" => "color-triplet",
 
1400
  "listitems" => null,
1401
  "value" => WFU_VAR("WFU_WARNINGMESSAGECOLORS"),
1402
  "mode" => "free",
@@ -1411,6 +1461,7 @@ function wfu_attribute_definitions() {
1411
  "name" => "Fail Message Colors",
1412
  "attribute" => "failmessagecolors",
1413
  "type" => "color-triplet",
 
1414
  "listitems" => null,
1415
  "value" => WFU_VAR("WFU_FAILMESSAGECOLORS"),
1416
  "mode" => "free",
@@ -1425,6 +1476,7 @@ function wfu_attribute_definitions() {
1425
  "name" => "Wait Message Colors",
1426
  "attribute" => "waitmessagecolors",
1427
  "type" => "hidden",
 
1428
  "listitems" => null,
1429
  "value" => WFU_VAR("WFU_WAITMESSAGECOLORS"),
1430
  "mode" => "free",
@@ -1439,6 +1491,7 @@ function wfu_attribute_definitions() {
1439
  "name" => "Plugin Component Widths",
1440
  "attribute" => "widths",
1441
  "type" => "dimensions",
 
1442
  "listitems" => null,
1443
  "value" => WFU_VAR("WFU_WIDTHS"),
1444
  "mode" => "free",
@@ -1453,6 +1506,7 @@ function wfu_attribute_definitions() {
1453
  "name" => "Plugin Component Heights",
1454
  "attribute" => "heights",
1455
  "type" => "dimensions",
 
1456
  "listitems" => null,
1457
  "value" => WFU_VAR("WFU_HEIGHTS"),
1458
  "mode" => "free",
@@ -1467,6 +1521,7 @@ function wfu_attribute_definitions() {
1467
  "name" => "Include Additional Data Fields",
1468
  "attribute" => "userdata",
1469
  "type" => "onoff",
 
1470
  "listitems" => null,
1471
  "value" => WFU_VAR("WFU_USERDATA"),
1472
  "mode" => "free",
@@ -1481,6 +1536,7 @@ function wfu_attribute_definitions() {
1481
  "name" => "Additional Data Fields",
1482
  "attribute" => "userdatalabel",
1483
  "type" => "formfields",
 
1484
  "listitems" => wfu_formfield_definitions(),
1485
  "value" => WFU_USERDATALABEL,
1486
  "mode" => "free",
@@ -1495,6 +1551,7 @@ function wfu_attribute_definitions() {
1495
  "name" => "WP Filebase Plugin Connection",
1496
  "attribute" => "filebaselink",
1497
  "type" => "onoff",
 
1498
  "listitems" => null,
1499
  "value" => WFU_VAR("WFU_FILEBASELINK"),
1500
  "mode" => "free",
@@ -1509,6 +1566,7 @@ function wfu_attribute_definitions() {
1509
  "name" => "Add Uploaded Files To Media",
1510
  "attribute" => "medialink",
1511
  "type" => "onoff",
 
1512
  "listitems" => null,
1513
  "value" => WFU_VAR("WFU_MEDIALINK"),
1514
  "mode" => "free",
@@ -1523,6 +1581,7 @@ function wfu_attribute_definitions() {
1523
  "name" => "Attach Uploaded Files To Post",
1524
  "attribute" => "postlink",
1525
  "type" => "onoff",
 
1526
  "listitems" => null,
1527
  "value" => WFU_VAR("WFU_POSTLINK"),
1528
  "mode" => "free",
@@ -1537,6 +1596,7 @@ function wfu_attribute_definitions() {
1537
  "name" => "Enable Webcam",
1538
  "attribute" => "webcam",
1539
  "type" => "onoff",
 
1540
  "listitems" => null,
1541
  "value" => WFU_VAR("WFU_WEBCAM"),
1542
  "mode" => "free",
@@ -1551,6 +1611,7 @@ function wfu_attribute_definitions() {
1551
  "name" => "Capture Mode",
1552
  "attribute" => "webcammode",
1553
  "type" => "radio",
 
1554
  "listitems" => array("capture video", "take photos", "both"),
1555
  "value" => WFU_VAR("WFU_WEBCAMMODE"),
1556
  "mode" => "free",
@@ -1565,6 +1626,7 @@ function wfu_attribute_definitions() {
1565
  "name" => "Capture Audio",
1566
  "attribute" => "audiocapture",
1567
  "type" => "onoff",
 
1568
  "listitems" => null,
1569
  "value" => WFU_VAR("WFU_AUDIOCAPTURE"),
1570
  "mode" => "free",
@@ -1579,6 +1641,7 @@ function wfu_attribute_definitions() {
1579
  "name" => "Video Width",
1580
  "attribute" => "videowidth",
1581
  "type" => "text",
 
1582
  "listitems" => null,
1583
  "value" => WFU_VAR("WFU_VIDEOWIDTH"),
1584
  "mode" => "free",
@@ -1593,6 +1656,7 @@ function wfu_attribute_definitions() {
1593
  "name" => "Video Height",
1594
  "attribute" => "videoheight",
1595
  "type" => "text",
 
1596
  "listitems" => null,
1597
  "value" => WFU_VAR("WFU_VIDEOHEIGHT"),
1598
  "mode" => "free",
@@ -1607,6 +1671,7 @@ function wfu_attribute_definitions() {
1607
  "name" => "Video Aspect Ratio",
1608
  "attribute" => "videoaspectratio",
1609
  "type" => "text",
 
1610
  "listitems" => null,
1611
  "value" => WFU_VAR("WFU_VIDEOASPECTRATIO"),
1612
  "mode" => "free",
@@ -1621,6 +1686,7 @@ function wfu_attribute_definitions() {
1621
  "name" => "Video Frame Rate",
1622
  "attribute" => "videoframerate",
1623
  "type" => "text",
 
1624
  "listitems" => null,
1625
  "value" => WFU_VAR("WFU_VIDEOFRAMERATE"),
1626
  "mode" => "free",
@@ -1635,6 +1701,7 @@ function wfu_attribute_definitions() {
1635
  "name" => "Camera Facing Mode",
1636
  "attribute" => "camerafacing",
1637
  "type" => "radio",
 
1638
  "listitems" => array("any", "front", "back"),
1639
  "value" => WFU_VAR("WFU_CAMERAFACING"),
1640
  "mode" => "free",
@@ -1649,6 +1716,7 @@ function wfu_attribute_definitions() {
1649
  "name" => "Max Record Time",
1650
  "attribute" => "maxrecordtime",
1651
  "type" => "integer",
 
1652
  "listitems" => null,
1653
  "value" => WFU_VAR("WFU_MAXRECORDTIME"),
1654
  "mode" => "free",
711
  "name" => "Widget ID",
712
  "attribute" => "widgetid",
713
  "type" => "hidden",
714
+ "validator" => "text",
715
  "listitems" => null,
716
  "value" => "",
717
  "mode" => "free",
726
  "name" => "Plugin ID",
727
  "attribute" => "uploadid",
728
  "type" => "integer",
729
+ "validator" => "text",
730
  "listitems" => null,
731
  "value" => WFU_VAR("WFU_UPLOADID"),
732
  "mode" => "free",
741
  "name" => "Single Button Operation",
742
  "attribute" => "singlebutton",
743
  "type" => "onoff",
744
+ "validator" => "text",
745
  "listitems" => null,
746
  "value" => WFU_VAR("WFU_SINGLEBUTTON"),
747
  "mode" => "free",
756
  "name" => "Upload Path",
757
  "attribute" => "uploadpath",
758
  "type" => "ltext",
759
+ "validator" => "path",
760
  "listitems" => null,
761
  "value" => WFU_VAR("WFU_UPLOADPATH"),
762
  "mode" => "free",
771
  "name" => "Plugin Fit Mode",
772
  "attribute" => "fitmode",
773
  "type" => "radio",
774
+ "validator" => "text",
775
  "listitems" => array("fixed", "responsive"),
776
  "value" => WFU_VAR("WFU_FITMODE"),
777
  "mode" => "free",
786
  "name" => "Allow No File",
787
  "attribute" => "allownofile",
788
  "type" => "onoff",
789
+ "validator" => "text",
790
  "listitems" => null,
791
  "value" => WFU_VAR("WFU_ALLOWNOFILE"),
792
  "mode" => "free",
801
  "name" => "Upload Roles",
802
  "attribute" => "uploadrole",
803
  "type" => "rolelist",
804
+ "validator" => "text",
805
  "listitems" => array("default_administrator"),
806
  "value" => WFU_VAR("WFU_UPLOADROLE"),
807
  "mode" => "free",
816
  "name" => "Allowed File Extensions",
817
  "attribute" => "uploadpatterns",
818
  "type" => "text",
819
+ "validator" => "text",
820
  "listitems" => null,
821
  "value" => WFU_VAR("WFU_UPLOADPATTERNS"),
822
  "mode" => "free",
831
  "name" => "Allowed File Size",
832
  "attribute" => "maxsize",
833
  "type" => "float",
834
+ "validator" => "float",
835
  "listitems" => null,
836
  "value" => WFU_VAR("WFU_MAXSIZE"),
837
  "mode" => "free",
846
  "name" => "Create Upload Path",
847
  "attribute" => "createpath",
848
  "type" => "onoff",
849
+ "validator" => "text",
850
  "listitems" => null,
851
  "value" => WFU_VAR("WFU_CREATEPATH"),
852
  "mode" => "free",
861
  "name" => "Do Not Change Filename",
862
  "attribute" => "forcefilename",
863
  "type" => "onoff",
864
+ "validator" => "text",
865
  "listitems" => null,
866
  "value" => WFU_VAR("WFU_FORCEFILENAME"),
867
  "mode" => "free",
876
  "name" => "Folder Access Method",
877
  "attribute" => "accessmethod",
878
  "type" => "radio",
879
+ "validator" => "text",
880
  "listitems" => array("normal", "*ftp"),
881
  "value" => WFU_VAR("WFU_ACCESSMETHOD"),
882
  "mode" => "free",
891
  "name" => "FTP Access Credentials",
892
  "attribute" => "ftpinfo",
893
  "type" => "ltext",
894
+ "validator" => "text",
895
  "listitems" => null,
896
  "value" => WFU_VAR("WFU_FTPINFO"),
897
  "mode" => "free",
906
  "name" => "Use FTP Domain",
907
  "attribute" => "useftpdomain",
908
  "type" => "onoff",
909
+ "validator" => "text",
910
  "listitems" => null,
911
  "value" => WFU_VAR("WFU_USEFTPDOMAIN"),
912
  "mode" => "free",
921
  "name" => "FTP Passive Mode",
922
  "attribute" => "ftppassivemode",
923
  "type" => "onoff",
924
+ "validator" => "text",
925
  "listitems" => null,
926
  "value" => WFU_VAR("WFU_FTPPASSIVEMODE"),
927
  "mode" => "free",
936
  "name" => "Permissions of Uploaded File",
937
  "attribute" => "ftpfilepermissions",
938
  "type" => "text",
939
+ "validator" => "integer",
940
  "listitems" => null,
941
  "value" => WFU_VAR("WFU_FTPFILEPERMISSIONS"),
942
  "mode" => "free",
951
  "name" => "Show Upload Folder Path",
952
  "attribute" => "showtargetfolder",
953
  "type" => "onoff",
954
+ "validator" => "text",
955
  "listitems" => null,
956
  "value" => WFU_VAR("WFU_SHOWTARGETFOLDER"),
957
  "mode" => "free",
966
  "name" => "Select Subfolder",
967
  "attribute" => "askforsubfolders",
968
  "type" => "onoff",
969
+ "validator" => "text",
970
  "listitems" => null,
971
  "value" => WFU_VAR("WFU_ASKFORSUBFOLDERS"),
972
  "mode" => "free",
981
  "name" => "List of Subfolders",
982
  "attribute" => "subfoldertree",
983
  "type" => "folderlist",
984
+ "validator" => "text",
985
  "listitems" => null,
986
  "value" => WFU_VAR("WFU_SUBFOLDERTREE"),
987
  "mode" => "free",
996
  "name" => "File Duplicates Policy",
997
  "attribute" => "duplicatespolicy",
998
  "type" => "radio",
999
+ "validator" => "text",
1000
  "listitems" => array("overwrite", "reject", "*maintain both"),
1001
  "value" => WFU_VAR("WFU_DUBLICATESPOLICY"),
1002
  "mode" => "free",
1011
  "name" => "File Rename Rule",
1012
  "attribute" => "uniquepattern",
1013
  "type" => "radio",
1014
+ "validator" => "text",
1015
  "listitems" => array("index", "datetimestamp"),
1016
  "value" => WFU_VAR("WFU_UNIQUEPATTERN"),
1017
  "mode" => "free",
1026
  "name" => "Redirect after Upload",
1027
  "attribute" => "redirect",
1028
  "type" => "onoff",
1029
+ "validator" => "text",
1030
  "listitems" => null,
1031
  "value" => WFU_VAR("WFU_REDIRECT"),
1032
  "mode" => "free",
1041
  "name" => "Redirection URL",
1042
  "attribute" => "redirectlink",
1043
  "type" => "ltext",
1044
+ "validator" => "link",
1045
  "listitems" => null,
1046
  "value" => WFU_VAR("WFU_REDIRECTLINK"),
1047
  "mode" => "free",
1056
  "name" => "Show Detailed Admin Messages",
1057
  "attribute" => "adminmessages",
1058
  "type" => "onoff",
1059
+ "validator" => "text",
1060
  "listitems" => null,
1061
  "value" => WFU_VAR("WFU_ADMINMESSAGES"),
1062
  "mode" => "free",
1071
  "name" => "Disable AJAX",
1072
  "attribute" => "forceclassic",
1073
  "type" => "onoff",
1074
+ "validator" => "text",
1075
  "listitems" => null,
1076
  "value" => WFU_VAR("WFU_FORCECLASSIC"),
1077
  "mode" => "free",
1086
  "name" => "Test Mode",
1087
  "attribute" => "testmode",
1088
  "type" => "onoff",
1089
+ "validator" => "text",
1090
  "listitems" => null,
1091
  "value" => WFU_VAR("WFU_TESTMODE"),
1092
  "mode" => "free",
1101
  "name" => "Debug Mode",
1102
  "attribute" => "debugmode",
1103
  "type" => "onoff",
1104
+ "validator" => "text",
1105
  "listitems" => null,
1106
  "value" => WFU_VAR("WFU_DEBUGMODE"),
1107
  "mode" => "free",
1116
  "name" => "Plugin Component Positions",
1117
  "attribute" => "placements",
1118
  "type" => "placements",
1119
+ "validator" => "text",
1120
  "listitems" => null,
1121
  "value" => WFU_VAR("WFU_PLACEMENTS"),
1122
  "mode" => "free",
1131
  "name" => "Plugin Title",
1132
  "attribute" => "uploadtitle",
1133
  "type" => "text",
1134
+ "validator" => "text",
1135
  "listitems" => null,
1136
  "value" => WFU_UPLOADTITLE,
1137
  "mode" => "free",
1146
  "name" => "Select Button Caption",
1147
  "attribute" => "selectbutton",
1148
  "type" => "text",
1149
+ "validator" => "text",
1150
  "listitems" => null,
1151
  "value" => WFU_SELECTBUTTON,
1152
  "mode" => "free",
1161
  "name" => "Upload Button Caption",
1162
  "attribute" => "uploadbutton",
1163
  "type" => "text",
1164
+ "validator" => "text",
1165
  "listitems" => null,
1166
  "value" => WFU_UPLOADBUTTON,
1167
  "mode" => "free",
1176
  "name" => "Upload Folder Label",
1177
  "attribute" => "targetfolderlabel",
1178
  "type" => "text",
1179
+ "validator" => "text",
1180
  "listitems" => null,
1181
  "value" => WFU_VAR("WFU_TARGETFOLDERLABEL"),
1182
  "mode" => "free",
1191
  "name" => "Select Subfolder Label",
1192
  "attribute" => "subfolderlabel",
1193
  "type" => "text",
1194
+ "validator" => "text",
1195
  "listitems" => null,
1196
  "value" => WFU_VAR("WFU_SUBFOLDERLABEL"),
1197
  "mode" => "free",
1206
  "name" => "Success Upload Message",
1207
  "attribute" => "successmessage",
1208
  "type" => "ltext",
1209
+ "validator" => "text",
1210
  "listitems" => null,
1211
  "value" => WFU_SUCCESSMESSAGE,
1212
  "mode" => "free",
1221
  "name" => "Warning Upload Message",
1222
  "attribute" => "warningmessage",
1223
  "type" => "ltext",
1224
+ "validator" => "text",
1225
  "listitems" => null,
1226
  "value" => WFU_WARNINGMESSAGE,
1227
  "mode" => "free",
1236
  "name" => "Error Upload Message",
1237
  "attribute" => "errormessage",
1238
  "type" => "ltext",
1239
+ "validator" => "text",
1240
  "listitems" => null,
1241
  "value" => WFU_ERRORMESSAGE,
1242
  "mode" => "free",
1251
  "name" => "Wait Upload Message",
1252
  "attribute" => "waitmessage",
1253
  "type" => "ltext",
1254
+ "validator" => "text",
1255
  "listitems" => null,
1256
  "value" => WFU_WAITMESSAGE,
1257
  "mode" => "free",
1266
  "name" => "Upload Media Button Caption",
1267
  "attribute" => "uploadmediabutton",
1268
  "type" => "text",
1269
+ "validator" => "text",
1270
  "listitems" => null,
1271
  "value" => WFU_UPLOADMEDIABUTTON,
1272
  "mode" => "free",
1281
  "name" => "Video Filename",
1282
  "attribute" => "videoname",
1283
  "type" => "text",
1284
+ "validator" => "text",
1285
  "listitems" => null,
1286
  "value" => WFU_VIDEONAME,
1287
  "mode" => "free",
1296
  "name" => "Image Filename",
1297
  "attribute" => "imagename",
1298
  "type" => "text",
1299
+ "validator" => "text",
1300
  "listitems" => null,
1301
  "value" => WFU_IMAGENAME,
1302
  "mode" => "free",
1311
  "name" => "Required Fields Suffix",
1312
  "attribute" => "requiredlabel",
1313
  "type" => "text",
1314
+ "validator" => "text",
1315
  "listitems" => null,
1316
  "value" => WFU_USERDATA_REQUIREDLABEL,
1317
  "mode" => "free",
1326
  "name" => "Notify by Email",
1327
  "attribute" => "notify",
1328
  "type" => "onoff",
1329
+ "validator" => "text",
1330
  "listitems" => null,
1331
  "value" => WFU_VAR("WFU_NOTIFY"),
1332
  "mode" => "free",
1341
  "name" => "Email Recipients",
1342
  "attribute" => "notifyrecipients",
1343
  "type" => "mtext",
1344
+ "validator" => "text",
1345
  "listitems" => null,
1346
  "value" => WFU_VAR("WFU_NOTIFYRECIPIENTS"),
1347
  "mode" => "free",
1356
  "name" => "Email Headers",
1357
  "attribute" => "notifyheaders",
1358
  "type" => "mtext",
1359
+ "validator" => "emailheaders",
1360
  "listitems" => null,
1361
  "value" => WFU_VAR("WFU_NOTIFYHEADERS"),
1362
  "mode" => "free",
1371
  "name" => "Email Subject",
1372
  "attribute" => "notifysubject",
1373
  "type" => "ltext",
1374
+ "validator" => "emailsubject",
1375
  "listitems" => null,
1376
  "value" => WFU_NOTIFYSUBJECT,
1377
  "mode" => "free",
1386
  "name" => "Email Body",
1387
  "attribute" => "notifymessage",
1388
  "type" => "mtext",
1389
+ "validator" => "emailbody",
1390
  "listitems" => null,
1391
  "value" => WFU_NOTIFYMESSAGE,
1392
  "mode" => "free",
1401
  "name" => "Attach Uploaded Files",
1402
  "attribute" => "attachfile",
1403
  "type" => "onoff",
1404
+ "validator" => "text",
1405
  "listitems" => null,
1406
  "value" => WFU_VAR("WFU_ATTACHFILE"),
1407
  "mode" => "free",
1416
  "name" => "Success Upload Message Color",
1417
  "attribute" => "successmessagecolor",
1418
  "type" => "hidden",
1419
+ "validator" => "colors",
1420
  "listitems" => null,
1421
  "value" => WFU_SUCCESSMESSAGECOLOR,
1422
  "mode" => "free",
1431
  "name" => "Success Message Colors",
1432
  "attribute" => "successmessagecolors",
1433
  "type" => "color-triplet",
1434
+ "validator" => "colors",
1435
  "listitems" => null,
1436
  "value" => WFU_VAR("WFU_SUCCESSMESSAGECOLORS"),
1437
  "mode" => "free",
1446
  "name" => "Warning Message Colors",
1447
  "attribute" => "warningmessagecolors",
1448
  "type" => "color-triplet",
1449
+ "validator" => "colors",
1450
  "listitems" => null,
1451
  "value" => WFU_VAR("WFU_WARNINGMESSAGECOLORS"),
1452
  "mode" => "free",
1461
  "name" => "Fail Message Colors",
1462
  "attribute" => "failmessagecolors",
1463
  "type" => "color-triplet",
1464
+ "validator" => "colors",
1465
  "listitems" => null,
1466
  "value" => WFU_VAR("WFU_FAILMESSAGECOLORS"),
1467
  "mode" => "free",
1476
  "name" => "Wait Message Colors",
1477
  "attribute" => "waitmessagecolors",
1478
  "type" => "hidden",
1479
+ "validator" => "colors",
1480
  "listitems" => null,
1481
  "value" => WFU_VAR("WFU_WAITMESSAGECOLORS"),
1482
  "mode" => "free",
1491
  "name" => "Plugin Component Widths",
1492
  "attribute" => "widths",
1493
  "type" => "dimensions",
1494
+ "validator" => "text",
1495
  "listitems" => null,
1496
  "value" => WFU_VAR("WFU_WIDTHS"),
1497
  "mode" => "free",
1506
  "name" => "Plugin Component Heights",
1507
  "attribute" => "heights",
1508
  "type" => "dimensions",
1509
+ "validator" => "text",
1510
  "listitems" => null,
1511
  "value" => WFU_VAR("WFU_HEIGHTS"),
1512
  "mode" => "free",
1521
  "name" => "Include Additional Data Fields",
1522
  "attribute" => "userdata",
1523
  "type" => "onoff",
1524
+ "validator" => "text",
1525
  "listitems" => null,
1526
  "value" => WFU_VAR("WFU_USERDATA"),
1527
  "mode" => "free",
1536
  "name" => "Additional Data Fields",
1537
  "attribute" => "userdatalabel",
1538
  "type" => "formfields",
1539
+ "validator" => "text",
1540
  "listitems" => wfu_formfield_definitions(),
1541
  "value" => WFU_USERDATALABEL,
1542
  "mode" => "free",
1551
  "name" => "WP Filebase Plugin Connection",
1552
  "attribute" => "filebaselink",
1553
  "type" => "onoff",
1554
+ "validator" => "text",
1555
  "listitems" => null,
1556
  "value" => WFU_VAR("WFU_FILEBASELINK"),
1557
  "mode" => "free",
1566
  "name" => "Add Uploaded Files To Media",
1567
  "attribute" => "medialink",
1568
  "type" => "onoff",
1569
+ "validator" => "text",
1570
  "listitems" => null,
1571
  "value" => WFU_VAR("WFU_MEDIALINK"),
1572
  "mode" => "free",
1581
  "name" => "Attach Uploaded Files To Post",
1582
  "attribute" => "postlink",
1583
  "type" => "onoff",
1584
+ "validator" => "text",
1585
  "listitems" => null,
1586
  "value" => WFU_VAR("WFU_POSTLINK"),
1587
  "mode" => "free",
1596
  "name" => "Enable Webcam",
1597
  "attribute" => "webcam",
1598
  "type" => "onoff",
1599
+ "validator" => "text",
1600
  "listitems" => null,
1601
  "value" => WFU_VAR("WFU_WEBCAM"),
1602
  "mode" => "free",
1611
  "name" => "Capture Mode",
1612
  "attribute" => "webcammode",
1613
  "type" => "radio",
1614
+ "validator" => "text",
1615
  "listitems" => array("capture video", "take photos", "both"),
1616
  "value" => WFU_VAR("WFU_WEBCAMMODE"),
1617
  "mode" => "free",
1626
  "name" => "Capture Audio",
1627
  "attribute" => "audiocapture",
1628
  "type" => "onoff",
1629
+ "validator" => "text",
1630
  "listitems" => null,
1631
  "value" => WFU_VAR("WFU_AUDIOCAPTURE"),
1632
  "mode" => "free",
1641
  "name" => "Video Width",
1642
  "attribute" => "videowidth",
1643
  "type" => "text",
1644
+ "validator" => "text",
1645
  "listitems" => null,
1646
  "value" => WFU_VAR("WFU_VIDEOWIDTH"),
1647
  "mode" => "free",
1656
  "name" => "Video Height",
1657
  "attribute" => "videoheight",
1658
  "type" => "text",
1659
+ "validator" => "text",
1660
  "listitems" => null,
1661
  "value" => WFU_VAR("WFU_VIDEOHEIGHT"),
1662
  "mode" => "free",
1671
  "name" => "Video Aspect Ratio",
1672
  "attribute" => "videoaspectratio",
1673
  "type" => "text",
1674
+ "validator" => "text",
1675
  "listitems" => null,
1676
  "value" => WFU_VAR("WFU_VIDEOASPECTRATIO"),
1677
  "mode" => "free",
1686
  "name" => "Video Frame Rate",
1687
  "attribute" => "videoframerate",
1688
  "type" => "text",
1689
+ "validator" => "text",
1690
  "listitems" => null,
1691
  "value" => WFU_VAR("WFU_VIDEOFRAMERATE"),
1692
  "mode" => "free",
1701
  "name" => "Camera Facing Mode",
1702
  "attribute" => "camerafacing",
1703
  "type" => "radio",
1704
+ "validator" => "text",
1705
  "listitems" => array("any", "front", "back"),
1706
  "value" => WFU_VAR("WFU_CAMERAFACING"),
1707
  "mode" => "free",
1716
  "name" => "Max Record Time",
1717
  "attribute" => "maxrecordtime",
1718
  "type" => "integer",
1719
+ "validator" => "integer",
1720
  "listitems" => null,
1721
  "value" => WFU_VAR("WFU_MAXRECORDTIME"),
1722
  "mode" => "free",
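--- a/lib/wfu_functions.php
+++ b/lib/wfu_functions.php
@@ -165,6 +165,14 @@ function wfu_sanitize_int($code) {
 	return preg_replace("/[^0-9+\-]/", "", $code);
 }
 
+function wfu_sanitize_float($code) {
+	return preg_replace("/[^0-9+\-\.,]/", "", $code);
+}
+
+function wfu_sanitize_colors($code) {
+	return preg_replace("/[^A-Fa-f0-9#,]/", "", $code);
+}
+
 function wfu_sanitize_tag($code) {
 	return preg_replace("/[^A-Za-z0-9_]/", "", $code);
 }
@@ -179,6 +187,81 @@ function wfu_sanitize_urls($urls, $separator) {
 	return implode($separator, $urls_arr);
 }
 
+function wfu_sanitize_shortcode($shortcode, $shortcode_tag) {
+	$attrs = wfu_shortcode_string_to_array($shortcode);
+	$sanitized_attrs = array();
+	if ( $shortcode_tag == 'wordpress_file_upload' ) $defs = wfu_attribute_definitions();
+	else $defs = wfu_browser_attribute_definitions();
+	// get validator types for defs
+	$def_validators = array();
+	foreach ( $defs as $def ) $def_validators[$def['attribute']] = $def['validator'];
+	// sanitize each attribute
+	foreach ( $attrs as $attr => $value ) {
+		//first sanitize the attribute name
+		$sanitized = sanitize_text_field($attr);
+		//continue only for attributes that sanitization did not crop any
+		//characters
+		if ( $sanitized == $attr && $attr != "" ) {
+			//flatten attributes that have many occurencies
+			$flat = preg_replace("/^(.*?)[0-9]*$/", "$1", $attr);
+			//get validator type
+			$validator = "text";
+			if ( isset($def_validators[$flat]) ) $validator = $def_validators[$flat];
+			//sanitize value based on validator type
+			$new_value = $value;
+			switch( $validator ) {
+				case "text":
+					$new_value = wp_strip_all_tags($value);
+					break;
+				case "integer":
+					$new_value = wfu_sanitize_int($value);
+					break;
+				case "float":
+					$new_value = wfu_sanitize_float($value);
+					break;
+				case "path":
+					$new_value = wp_strip_all_tags($value);
+					break;
+				case "link":
+					$new_value = wp_strip_all_tags($value);
+					break;
+				case "emailheaders":
+					if ( strpos(strtolower($value), "<script") !== false ) $new_value = "";
+					break;
+				case "emailsubject":
+					if ( strpos(strtolower($value), "<script") !== false ) $new_value = "";
+					break;
+				case "emailbody":
+					if ( strpos(strtolower($value), "<script") !== false ) $new_value = "";
+					break;
+				case "colors":
+					$new_value = wfu_sanitize_colors($value);
+					break;
+				case "css":
+					$new_value = wp_strip_all_tags($value);
+					break;
+				case "datetime":
+					$new_value = wp_strip_all_tags($value);
+					break;
+				case "pattern":
+					if ( substr_count($value, "'") > 0 && substr_count($value, "'") > substr_count($value, "\\'") ) $new_value = "";
+					break;
+				default:
+					$new_value = wp_strip_all_tags($value);
+			}
+			//allow custom filters to change the sanitization result
+			$new_value = apply_filters("_wfu_sanitize_shortcode", $new_value, $attr, $validator, $value);
+			$sanitized_attrs[$attr] = $new_value;
+		}
+	}
+	//reconstruct sanitized shortcode string from array
+	$sanitized_shortcode = "";
+	foreach ( $sanitized_attrs as $attr => $value )
+		$sanitized_shortcode .= ( $sanitized_shortcode == "" ? "" : " " ).$attr.'="'.$value.'"';
+
+	return $sanitized_shortcode;
+}
+
 function wfu_slash( $value ) {
 	if ( is_array( $value ) ) {
 		foreach ( $value as $k => $v ) {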
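Review bot: The reconstruction loop at the end of wfu_sanitize_shortcode wraps each value in double quotes (`$attr.'="'.$value.'"'`) but no validator branch removes `"` from the value, so if wfu_shortcode_string_to_array can hand back a value containing a double quote the rebuilt attribute ends early and the remainder is read as further attributes; adding `$new_value = str_replace('"', '', $new_value);` just before the `apply_filters` call closes that for every validator type at once. The `emailheaders`, `emailsubject`, `emailbody` and `pattern` cases are deny-lists (only a literal `<script` or an unescaped `'` clears the value) and otherwise pass markup through untouched, so if HTML is intended in those fields a comment saying so and why the `text` strip is skipped would help the next reader, and otherwise `wp_kses_post($value)` is a safer default. The `_wfu_sanitize_shortcode` filter runs after all checks and receives the raw `$value`, so it can return unsanitized content; a docblock on the function should state that filter authors own that responsibility. The two string comparisons `$shortcode_tag == 'wordpress_file_upload'` and `$sanitized == $attr` should use `===`, since both sides are strings and loose equality adds nothing but surprises.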
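--- a/lib/wfu_processfiles.php
+++ b/lib/wfu_processfiles.php
@@ -240,6 +240,7 @@ function wfu_process_files($params, $method) {
 		// filters again, so we store the changable data to session
 		// variables for this specific file
 		if ( $only_check && !$nofileupload ) {
+			if ( !WFU_USVAR_exists($file_map) ) WFU_USVAR_store($file_map, array());
 			$file_map_arr = WFU_USVAR($file_map);
 			$file_map_arr['file_unique_id'] = $file_unique_id;
 			$file_map_arr['filepath'] = $target_path;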
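--- a/readme.txt
+++ b/readme.txt
@@ -146,6 +146,9 @@ There is an option in plugin's settings in Dashboard to relax the CSS rules, so
 
 == Changelog ==
 
+= 4.3.3 =
+* all shortcode attributes sanitized correctly to close a serious security hole
+
 = 4.3.2 =
 * fixed bug in wfu_before_upload and wfu_after_upload filters that was breaking JS scripts if they contained a closing bracket ']' symbol
 
@@ -732,6 +735,9 @@ Initial version.
 
 == Upgrade Notice ==
 
+= 4.3.3 =
+Minor update to fix a serious security hole.
+
 = 4.3.2 =
 Minor update to fix some bugs.
 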
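--- a/release_notes.txt
+++ b/release_notes.txt
@@ -1,2 +1,2 @@
-<!-- --><span>Version 4.3.2 is a minor update that fixes some bugs.<br/><br/>For details about this version's changes please visit the Release Notes of the plugin's </span><a href="http://www.iptanus.com/wordpress-plugins/wordpress-file-upload/">support page</a><span>.</span><!-- -->
+<!-- --><span>Version 4.3.3 is a minor update that fixes a serious <strong>security hole</strong> in shortcode attributes. </span><span style="font-weight:bold; color:red;">You are strongly encouraged to upgrade to the current version</span><span>. If you notice any problems with the shortcode, please </span><a href="https://www.iptanus.com/contact/">contact</a><span> <strong>Iptanus</strong>.<br/><br/>For details about this version's changes please visit the Release Notes of the plugin's </span><a href="http://www.iptanus.com/wordpress-plugins/wordpress-file-upload/">support page</a><span>.</span><!-- -->
 <!-- -->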
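--- a/wordpress_file_upload.php
+++ b/wordpress_file_upload.php
@@ -4,7 +4,7 @@ if( !session_id() ) { session_start(); }
 /*
 Plugin URI: http://www.iptanus.com/support/wordpress-file-upload
 Description: Simple interface to upload files from a page.
-Version: 4.3.2
+Version: 4.3.3
 Author: Nickolas Bossinas
 Author URI: http://www.iptanus.com
 */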