Merge branch 'flatpressblog:master' into master

2022-12-29 22:16:49 +01:00 · 2022-12-29 22:16:49 +01:00 · 8ac157cc1b
commit 8ac157cc1b
parent becd7e569a b6a185f90f
3 changed files with 166 additions and 107 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -53,7 +53,7 @@
 - Possible XSS in setup prevented ([#176](https://github.com/flatpressblog/flatpress/issues/176))
 - Possible XSS in Media Manager plugin prevented ([#177](https://github.com/flatpressblog/flatpress/issues/177))
 - Possible path traversal in Media Manager plugin prevented ([#179](https://github.com/flatpressblog/flatpress/issues/179))
- Possible XSS in Admin Area prevented ([#180](https://github.com/flatpressblog/flatpress/issues/180))
+- Possible XSSs in Admin Area prevented ([#180](https://github.com/flatpressblog/flatpress/issues/180), [#183](https://github.com/flatpressblog/flatpress/issues/183))

 # 2021-06-19: [FlatPress 1.2.1](https://github.com/flatpressblog/flatpress/releases/tag/1.2.1)
 ## Bugfixes
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@ -38,3 +38,4 @@ FlatPress utilizes the following free frameworks and libraries. Thanks to their
 ## Other contributions
 - [Julian Rademacher](https://moortaube.de/) generously donated his Twitter account [@FlatPress](https://twitter.com/FlatPress). Also thanks for your useful pull requests!
 - [Fraenkiman](https://github.com/Fraenkiman) tests FlatPress to its very core and creates a metric ton of very helpful [issues](https://github.com/flatpressblog/flatpress/issues).
+- And last but not least: A big shout out to all the security researchers voluntarily reporting possible vulnerabilities in the FlatPress code on platforms like https://huntr.dev, or by opening [issues](https://github.com/flatpressblog/flatpress/issues). You make FlatPress a lot more secure for everyone!
--- a/admin/panels/config/admin.config.php
+++ b/admin/panels/config/admin.config.php
@ -1,7 +1,9 @@
 <?php

 class admin_config extends AdminPanel {
+
 	var $panelname = 'config';
+
 }

 class admin_config_default extends AdminPanelActionValidated {
@ -9,27 +11,96 @@
 	var $validators = array(
 		// not needed anymore !
 		// array('blog_root', 'blog_root', 'notEmpty', false, false, 'trim'),
-			array('www', 'www', 'notEmpty', false, false, 'trim'),
+		array(
+			'www',
+			'www',
+			'notEmpty',
+			false,
+			false,
+			'trim'
+		),
 		// ...
-			array('title', 'title', 'notEmpty', false, false, 'trim'),
+		array(
+			'title',
+			'title',
+			'notEmpty',
+			false,
+			false,
+			'trim'
+		),
 		// array('subtitle', 'subtitle', 'notEmpty', false, false, 'trim'),
 		// array('blogfooter', 'blogfooter', 'notEmpty', false, false, 'trim'),
-			array('email', 'email', 'isEmail', false, false, 'trim'),
-			array('maxentries', 'maxentries', 'isInt', false, false, 'trim'),
-			
-			array('timeoffset', 'timeoffset', 'isNumber', false, false, 'trim'),
-			array('timeformat', 'timeformat', 'notEmpty', false, false, 'trim'),
-			array('dateformat', 'dateformat', 'notEmpty', false, false, 'trim'),
-			array('dateformatshort', 'dateformatshort', 'notEmpty', false, false, 'trim'),
-			
-			array('lang', 'lang', 'notEmpty', false, false, 'trim'),
-			array('charset', 'charset', 'notEmpty', false, false, 'trim'),
+		array(
+			'email',
+			'email',
+			'isEmail',
+			false,
+			false,
+			'trim'
+		),
+		array(
+			'maxentries',
+			'maxentries',
+			'isInt',
+			false,
+			false,
+			'trim'
+		),

+		array(
+			'timeoffset',
+			'timeoffset',
+			'isNumber',
+			false,
+			false,
+			'trim'
+		),
+		array(
+			'timeformat',
+			'timeformat',
+			'notEmpty',
+			false,
+			false,
+			'trim'
+		),
+		array(
+			'dateformat',
+			'dateformat',
+			'notEmpty',
+			false,
+			false,
+			'trim'
+		),
+		array(
+			'dateformatshort',
+			'dateformatshort',
+			'notEmpty',
+			false,
+			false,
+			'trim'
+		),

+		array(
+			'lang',
+			'lang',
+			'notEmpty',
+			false,
+			false,
+			'trim'
+		),
+		array(
+			'charset',
+			'charset',
+			'notEmpty',
+			false,
+			false,
+			'trim'
+		)
 	);

-		 var $events = array('save');
-		
+	var $events = array(
+		'save'
+	);

 	function setup() {
 		$this->smarty->assign('themes', theme_list());
@ -42,20 +113,17 @@
 		}

 		$this->smarty->assign('static_list', $static_list);
-			
 	}

-		
 	function onsave() {
-		
 		global $fp_config;
 		$l = explode(',', $_POST ['lang']);
 		$fp_config ['general'] = array(
 			// 'BLOG_ROOT' => $_POST['blog_root'],
 			'www' => $_POST ['www'],
-				'title' => html_entity_decode(stripslashes($_POST['title'])),
-				'subtitle' => html_entity_decode(stripslashes($_POST['subtitle'])),
-				'footer' => html_entity_decode(stripslashes($_POST['blogfooter'])),
+			'title' => wp_specialchars(stripslashes($_POST ['title'])),
+			'subtitle' => wp_specialchars(stripslashes($_POST ['subtitle'])),
+			'footer' => wp_specialchars(stripslashes($_POST ['blogfooter'])),
 			'author' => $_POST ['author'],
 			'email' => $_POST ['email'],
 			'startpage' => ($_POST ['startpage'] == ':NULL:') ? null : $_POST ['startpage'],
@ -66,8 +134,7 @@
 				'theme' => $fp_config ['general'] ['theme'],
 			'style' => @$fp_config ['general'] ['style'],
 			'blogid' => $fp_config ['general'] ['blogid'],
-				'charset'=> 'utf-8',
-	
+			'charset' => 'utf-8'
 		);

 		$fp_config ['locale'] = array(
@ -79,20 +146,14 @@
 			'lang' => $_POST ['lang']
 		);

-
 		// 'LANG' => $l[0],
 		// 'CHARSET'=> $l[1],

-			
-				
-
-			
 		$success = config_save() ? 1 : -1;

 		$this->smarty->assign('success', $success);

 		return 1;
-			
 	}

 	function onerror() {
@ -102,12 +163,9 @@

 	function cleartplcache() {
 		// if theme was switched, clear tpl cache
-			
 		$tpl = new tpl_deleter();

 		$tpl->getList();
-				
-				
 	}

 }