Merge pull request #889 from yikesinc/fix/audit

Fix Reflected Cross-Site Scripting issue
EvanHerman · Dec 17, 2021 · 3662c65 · 3662c65
2 parents d9bef41 + 5c4e709
commit 3662c65
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 15 deletions.
diff --git a/admin/partials/ajax/add_field_to_form.php b/admin/partials/ajax/add_field_to_form.php
@@ -1,9 +1,9 @@
 <?php
 $form_data = array(
-	'field_name' => $_POST['field_name'],
-	'merge_tag'  => $_POST['merge_tag'],
-	'field_type' => $_POST['field_type'],
-	'list_id'    => $_POST['list_id'],
+	'field_name' => isset( $_POST['field_name'] ) ? sanitize_text_field($_POST['field_name']) : '',
+	'merge_tag'  => isset( $_POST['merge_tag'] ) ? sanitize_text_field($_POST['merge_tag']) : '',
+	'field_type' => isset( $_POST['field_type'] ) ? sanitize_text_field($_POST['field_type']) : '',
+	'list_id'    => isset( $_POST['list_id'] ) ? sanitize_text_field($_POST['list_id']) : '',
 );
 
 // Grab our list handler.
@@ -33,21 +33,21 @@
 // store it and use it to pre-populate field data (only on initial add to form)
 $merge_field_data = $available_merge_variables['merge_fields'][ $index ];
 ?>
-<section class="draggable" id="<?php echo $form_data['field_name']; ?>">
+<section class="draggable" id="<?php echo esc_attr( $form_data['field_name'] ); ?>">
 	<!-- top -->
 	<a href="#" class="expansion-section-title settings-sidebar">
 		<span class="dashicons dashicons-plus yikes-mc-expansion-toggle" title="<?php _e( 'Expand Field' , 'yikes-inc-easy-mailchimp-extender' ); ?>"></span>
-		<?php echo stripslashes( $form_data['field_name'] ); ?>
-		<span class="field-type-text"><small><?php echo __( 'type' , 'yikes-inc-easy-mailchimp-extender' ) . ' : ' . $form_data['field_type']; ?></small></span>
+		<?php echo wp_kses_post( stripslashes( $form_data['field_name'] ) ); ?>
+		<span class="field-type-text"><small><?php echo __( 'type' , 'yikes-inc-easy-mailchimp-extender' ) . ' : ' . esc_html( $form_data['field_type'] ); ?></small></span>
 	</a>
 	<!-- expansion section -->
 	<div class="yikes-mc-settings-expansion-section">
 
 		<!-- Single or Double Opt-in -->
 		<p class="type-container form-field-container"><!-- necessary to prevent skipping on slideToggle(); -->
 			<!-- store the label -->
-			<input type="hidden" name="field[<?php echo $merge_field_data['tag']; ?>][label]" value="<?php echo htmlspecialchars( $form_data['field_name'] ); ?>" />
-			<input type="hidden" name="field[<?php echo $merge_field_data['tag']; ?>][type]" value="<?php echo $form_data['field_type']; ?>" />
+			<input type="hidden" name="field[<?php echo $merge_field_data['tag']; ?>][label]" value="<?php echo esc_attr( htmlspecialchars( $form_data['field_name'] ) ); ?>" />
+			<input type="hidden" name="field[<?php echo $merge_field_data['tag']; ?>][type]" value="<?php echo esc_attr( $form_data['field_type'] ); ?>" />
 			<input type="hidden" name="field[<?php echo $merge_field_data['tag']; ?>][merge]" value="<?php echo $merge_field_data['tag']; ?>" />
 			<input type="hidden" class="field-<?php echo $merge_field_data['tag']; ?>-position position-input" name="field[<?php echo $merge_field_data['tag']; ?>][position]" value="" />
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "yikes-inc-easy-mailchimp-extender",
-	"version": "6.8.5",
+	"version": "6.8.6",
 	"devDependencies": {
 		"@wordpress/scripts": "^11.0.0",
 		"braces": ">=2.3.1",

diff --git a/readme.txt b/readme.txt
@@ -5,7 +5,7 @@ Tags: Mailchimp, Mailchimp forms, Mailchimp lists, opt-in forms, sign up form, M
 Requires at least: 4.0
 Tested up to: 5.8
 Requires PHP: 5.2.13
-Stable tag: 6.8.5
+Stable tag: 6.8.6
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -172,6 +172,9 @@ For information and code examples on how to implement the hooks and filters prov
 
 == Changelog ==
 
+= 6.8.6 - December 17, 2021 =
+* Addressed potential XSS vulnerability
+
 = 6.8.5 - September 2, 2021 =
 * Deprecated filter block_categories is replaced by block_categories_all in WP 5.8
 

diff --git a/yikes-inc-easy-mailchimp-extender.php b/yikes-inc-easy-mailchimp-extender.php
@@ -3,7 +3,7 @@
  * Plugin Name: Easy Forms for Mailchimp
  * Plugin URI:  https://yikesplugins.com/plugin/easy-forms-for-mailchimp/
  * Description: The ultimate Mailchimp WordPress plugin. Easily build <strong>unlimited forms for your Mailchimp lists</strong>, add them to your site and track subscriber activity. To get started, go to the settings page and enter your <a href="https://yikesplugins.com/support/knowledge-base/finding-your-mailchimp-api-key/" target="_blank">Mailchimp API key</a>.
- * Version:     6.8.5
+ * Version:     6.8.6
  * Author:      YIKES, Inc.
  * Author URI:  https://www.yikesplugins.com/
  * License:     GPL-3.0+
@@ -42,7 +42,7 @@
  *  @since 6.1.3
  */
 if ( ! defined( 'YIKES_MC_VERSION' ) ) {
-	define( 'YIKES_MC_VERSION', '6.8.5' );
+	define( 'YIKES_MC_VERSION', '6.8.6' );
 }
 
 /**