WP Simple Booking Calendar - Version 1.4

Version Description

  • Security hardening (added a unique identifier, in the form of a hash, to all URLs)

Release Info

Developer bryght
Version 1.4

Code changes from version 1.3 to 1.4

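--- a/library/WpSimpleBookingCalendar/Controller.php
+++ b/library/WpSimpleBookingCalendar/Controller.php
@@ -179,6 +179,18 @@ class WpSimpleBookingCalendar_Controller
  );
  }
 
+ /**
+ * Generate Nonce to protect users from CSRF attacks
+ *
+ * @param string $action Name of the action
+ * @param integer $id Optional identifier
+ * @return string
+ */
+ protected function _generateNonceAction($action, $id = 0) {
+ global $wp_version;
+ return implode('-', array(get_home_url(), $wp_version, self::HOOK, $action, get_current_user_id(), $id));
+ }
+
  /**
  * Action: list of calendars
  * @return void
@@ -186,9 +198,14 @@ class WpSimpleBookingCalendar_Controller
  public function indexAction()
  {
  $searchQuery = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_STRING);
+ $addControllerUrl = wp_nonce_url( $this->getControllerUrl() . '&action=add', $this->_generateNonceAction('add') );
+ $editControllerUrl = wp_nonce_url( $this->getControllerUrl() . '&action=edit', $this->_generateNonceAction('edit') );
+ $deleteControllerUrl = wp_nonce_url( $this->getControllerUrl() . '&action=delete', $this->_generateNonceAction('delete') );
 
  $this->_view->setTemplate('controller/index')
- ->assign('controllerUrl', $this->getControllerUrl())
+ ->assign('addControllerUrl', $addControllerUrl)
+ ->assign('editControllerUrl', $editControllerUrl)
+ ->assign('deleteControllerUrl', $deleteControllerUrl)
  ->assign('calendar', $this->_model->getCalendar())
  ->assign('dateFormat', get_option('date_format'))
  ->assign('timeFormat', get_option('time_format'))
@@ -203,10 +220,12 @@ class WpSimpleBookingCalendar_Controller
  public function addAction()
  {
  $formData = $this->_processFormData();
+ $nonceAction = $this->_generateNonceAction('add');
+ check_admin_referer( $nonceAction );
 
- if (!empty($_POST))
+ if (!empty($_POST['_wpnonce']))
  {
- if ($this->_model->insertCalendar($formData))
+ if (wp_verify_nonce( $_POST['_wpnonce'], $nonceAction) && $this->_model->insertCalendar($formData))
  {
  $this->_view->messageHelper(__('Calendar Added', 'sbc'));
  $this->indexAction();
@@ -223,7 +242,7 @@ class WpSimpleBookingCalendar_Controller
  ->assign('calendarName', $formData['calendarName'])
  ->assign('calendarData', json_decode($formData['calendarJson']))
  ->assign('actionName', __('Add New Calendar', 'sbc'))
- ->assign('onceAction', self::HOOK)
+ ->assign('nonceAction', $nonceAction)
  ->render();
  }
 
@@ -233,10 +252,13 @@ class WpSimpleBookingCalendar_Controller
  */
  public function editAction()
  {
- if (!empty($_POST))
+ $nonceAction = $this->_generateNonceAction('edit');
+ check_admin_referer( $nonceAction );
+
+ if (!empty($_POST['_wpnonce']))
  {
  $formData = $this->_processFormData();
- if ($this->_model->updateCalendar($formData))
+ if (wp_verify_nonce( $_POST['_wpnonce'], $nonceAction) && $this->_model->updateCalendar($formData))
  {
  $this->_view->messageHelper(__('Calendar Updated', 'sbc'));
  $this->indexAction();
@@ -263,7 +285,7 @@ class WpSimpleBookingCalendar_Controller
  ->assign('calendarName', $formData['calendarName'])
  ->assign('calendarData', json_decode($formData['calendarJson']))
  ->assign('actionName', __('Edit Calendar', 'sbc'))
- ->assign('onceAction', self::HOOK)
+ ->assign('nonceAction', $nonceAction)
  ->render();
  }
 
@@ -273,7 +295,10 @@ class WpSimpleBookingCalendar_Controller
  */
  public function deleteAction()
  {
- if (!$this->_model->getCalendar())
+ $nonceAction = $this->_generateNonceAction('delete');
+ check_admin_referer( $nonceAction );
+
+ if (!isset($_GET['_wpnonce']) || !wp_verify_nonce( $_GET['_wpnonce'], $nonceAction) || !$this->_model->getCalendar())
  {
  $message = __('No calendar found', 'sbc');
  }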
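Review bot: In addAction, `$formData = $this->_processFormData();` still runs before `check_admin_referer( $nonceAction );`, whereas editAction validates the token before touching the request; move the two nonce lines above the `$formData` assignment so addAction matches editAction and no request data is processed before the token is verified. Because check_admin_referer() wp_die()s on a missing or invalid token, the inner `wp_verify_nonce( $_POST['_wpnonce'], $nonceAction)` in addAction/editAction and the `!isset($_GET['_wpnonce']) || !wp_verify_nonce(...)` clause in deleteAction can never observe a bad token, so they deserve a comment such as `// check_admin_referer() above already died on an invalid token; this only selects the POST path` so a maintainer does not mistake them for the real check. Nonces only defend against CSRF: no `current_user_can()` call is visible in these hunks, so authorisation presumably rests on the admin-menu capability registered outside this file, which is worth confirming given that deleteAction acts on a plain GET link. Folding `$wp_version` into _generateNonceAction() additionally invalidates every outstanding link and open form the moment core is updated, something WordPress's own nonce (already bound to user and session) does not need. addAction, editAction and deleteAction all continue past the end of their hunks.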
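--- a/readme.txt
+++ b/readme.txt
@@ -2,8 +2,8 @@
  Contributors: Bryght, BestWebSoft
  Tags: booking calendar, bookings, booking, bookable, calendar, availability calendar, availability, reservation calendar, reservations, scheduling, schedule, rooms, hotel, holiday home, accommodations, dateblocker, date blocker, bed and breakfast, belegungsplan, beschikbaarheidskalender
  Requires at least: 3.0
- Tested up to: 3.9.1
- Stable tag: 1.3
+ Tested up to: 3.9.2
+ Stable tag: 1.4
 
  This booking calendar shows when something is booked or available. Use it to show when your holiday home is available for rent, for example.
 
@@ -79,6 +79,9 @@ Please see http://www.wpsimplebookingcalendar.com for more information and ask y
 
  == Changelog ==
 
+ = 1.4 =
+ * Security hardening (added a unique identifier to all urls in a form of a hash)
+
  = 1.3 =
  * Small CSS tweaks for WordPress 3.8
 
@@ -94,6 +97,9 @@ Please see http://www.wpsimplebookingcalendar.com for more information and ask y
 
  == Upgrade Notice ==
 
+ = 1.4 =
+ * Security hardening (added a unique identifier to all urls in a form of a hash)
+
  = 1.3 =
  * Small CSS tweaks
 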
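--- a/views/controller/edit.phtml
+++ b/views/controller/edit.phtml
@@ -8,7 +8,7 @@
 
  <div id="sbc-wrapper" class="wrap">
  <div id="icon-options-general" class="icon32"><br /></div>
- <h2><a href="<?php echo esc_url($this->controllerUrl) ?>"><?php esc_html_e('WP Simple Booking Calendar', 'sbc') ?></a></h2>
+ <h2><a href="<?php echo $this->controllerUrl ?>"><?php esc_html_e('WP Simple Booking Calendar', 'sbc') ?></a></h2>
 
  <div class="postbox-container">
  <div class="metabox-holder">
@@ -31,8 +31,7 @@
  </div>
 
  <p class="submit">
- <?php wp_nonce_field($this->onceAction) ?>
- <input type="hidden" name="action" value="save" />
+ <?php wp_nonce_field($this->nonceAction) ?>
  <input type="hidden" name="calendarData" value="" />
  <input class="button-primary" type="submit" name="submit" value="<?php esc_attr_e('Save Changes', 'sbc') ?>" />
  </p>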
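Review bot: Line 11 drops `esc_url()` and echoes `$this->controllerUrl` unescaped into an href; unlike the index links, this value is not one of the wp_nonce_url() outputs assigned in the controller hunks, and nothing visible on this page escapes it before it reaches the attribute. Restore `<h2><a href="<?php echo esc_url($this->controllerUrl) ?>">` — esc_url() is harmless even if this variable is later switched to a wp_nonce_url() value, so there is no reason for the template to rely on the caller. Removing the hidden `action=save` field changes how the POST is dispatched; whatever previously keyed on `action=save`, and the form's own `action` attribute, lie outside this hunk, so confirm no code path still expects it.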
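--- a/views/controller/index.phtml
+++ b/views/controller/index.phtml
@@ -10,7 +10,7 @@
  <div id="icon-options-general" class="icon32"><br /></div>
  <h2><?php esc_html_e('WP Simple Booking Calendar', 'sbc') ?>
  <?php if (!is_array($this->calendar) || count($this->calendar) == 0): ?>
- <a class="button add-new-h2" href="<?php echo esc_url($this->controllerUrl) ?>&amp;action=add"><?php esc_html_e('Add New', 'sbc') ?></a>
+ <a class="button add-new-h2" href="<?php echo $this->addControllerUrl ?>"><?php esc_html_e('Add New', 'sbc') ?></a>
  <?php endif; ?>
  </h2>
 
@@ -26,10 +26,10 @@
  <tbody>
  <tr valign="top">
  <td class="post-title column-title">
- <strong><a title="<?php esc_attr_e('Edit', 'sbc') ?> ‟<?php echo esc_attr($this->calendar['calendarName']) ?>”" href="<?php echo esc_url($this->controllerUrl) ?>&amp;action=edit" class="row-title"><?php echo esc_html($this->calendar['calendarName']) ?></a></strong>
+ <strong><a title="<?php esc_attr_e('Edit', 'sbc') ?> <?php echo esc_attr('‟' . $this->calendar['calendarName'] . '”') ?>" href="<?php echo $this->editControllerUrl ?>" class="row-title"><?php echo esc_html($this->calendar['calendarName']) ?></a></strong>
  <div class="row-actions">
- <span class="edit"><a title="<?php esc_attr_e('Edit this calendar', 'sbc') ?>" href="<?php echo esc_url($this->controllerUrl) ?>&amp;action=edit"><?php esc_html_e('Edit', 'sbc') ?></a> | </span>
- <span class="trash"><a title="<?php esc_attr_e('Are you sure you want to delete this calendar?', 'sbc') ?>" href="<?php echo esc_url($this->controllerUrl) ?>&amp;action=delete" class="submitdelete"><?php esc_html_e('Delete', 'sbc') ?></a></span>
+ <span class="edit"><a title="<?php esc_attr_e('Edit this calendar', 'sbc') ?>" href="<?php echo $this->editControllerUrl ?>"><?php esc_html_e('Edit', 'sbc') ?></a> | </span>
+ <span class="trash"><a title="<?php esc_attr_e('Are you sure you want to delete this calendar?', 'sbc') ?>" href="<?php echo $this->deleteControllerUrl ?>" class="submitdelete"><?php esc_html_e('Delete', 'sbc') ?></a></span>
  </div>
  </td>
  <td class="street column-created">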
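Review bot: Lines 13, 29, 31 and 32 now echo `$this->addControllerUrl`, `editControllerUrl` and `deleteControllerUrl` with no `esc_url()`, relying on the controller having built them with wp_nonce_url(), which in WordPress core passes its result through esc_html(). That keeps the attributes escaped today, but the template stops defending itself the moment someone assigns a plain URL to one of these variables; `href="<?php echo esc_url($this->deleteControllerUrl) ?>"` (and likewise for the other three) is what core itself does around wp_nonce_url() output and keeps the escaping local to the output site. The Delete link on line 32 still performs the deletion from a plain GET with only a `title` hint and no visible confirmation step; the nonce blocks cross-site forgery but not an accidental click or a prefetching client, so a confirm prompt or a small POST form would be the more conservative shape.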
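--- a/wp-simple-booking-calendar.php
+++ b/wp-simple-booking-calendar.php
@@ -3,7 +3,7 @@
  * Plugin Name: WP Simple Booking Calendar
  * Plugin URI: http://www.wpsimplebookingcalendar.com
  * Description: WP Simple Booking Calendar - Free Version.
- * Version: 1.3
+ * Version: 1.4
  * Author: WP Simple Booking Calendar
  * Author URI: http://www.wpsimplebookingcalendar.com
  * License: GPL2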