From 5fed60196e2d52d1880469f283a750b0d3ac6386 Mon Sep 17 00:00:00 2001
From: Thomas W <netzberufler@googlemail.com>
Date: Wed, 23 Nov 2016 10:49:27 +0100
Subject: [PATCH] improved escaping and sanitizing of widget settings and
 slider options

---
 functions.php                                 | 127 +++++++++---------
 inc/slider.php                                |  32 ++---
 inc/theme-info.php                            |  14 +-
 inc/widgets/widget-magazine-posts-boxed.php   |   2 +-
 inc/widgets/widget-magazine-posts-columns.php |   8 +-
 inc/widgets/widget-magazine-posts-grid.php    |   4 +-
 readme.txt                                    |   3 +
 style.css                                     |   2 +-
 8 files changed, 98 insertions(+), 94 deletions(-)

diff --git a/functions.php b/functions.php
index a2ec5fc..bbba151 100644
--- a/functions.php
+++ b/functions.php
@@ -14,71 +14,70 @@
 
 
 if ( ! function_exists( 'tortuga_setup' ) ) :
-/**
- * Sets up theme defaults and registers support for various WordPress features.
- *
- * Note that this function is hooked into the after_setup_theme hook, which
- * runs before the init hook. The init hook is too late for some features, such
- * as indicating support for post thumbnails.
- */
-function tortuga_setup() {
-
-	// Make theme available for translation. Translations can be filed in the /languages/ directory.
-	load_theme_textdomain( 'tortuga', get_template_directory() . '/languages' );
-
-	// Add default posts and comments RSS feed links to head.
-	add_theme_support( 'automatic-feed-links' );
-
-	// Let WordPress manage the document title.
-	add_theme_support( 'title-tag' );
-
-	// Enable support for Post Thumbnails on posts and pages.
-	add_theme_support( 'post-thumbnails' );
-
-	// Set detfault Post Thumbnail size.
-	set_post_thumbnail_size( 900, 400, true );
-
-	// Register Navigation Menu.
-	register_nav_menu( 'primary', esc_html__( 'Main Navigation', 'tortuga' ) );
+	/**
+	 * Sets up theme defaults and registers support for various WordPress features.
+	 *
+	 * Note that this function is hooked into the after_setup_theme hook, which
+	 * runs before the init hook. The init hook is too late for some features, such
+	 * as indicating support for post thumbnails.
+	 */
+	function tortuga_setup() {
+
+		// Make theme available for translation. Translations can be filed in the /languages/ directory.
+		load_theme_textdomain( 'tortuga', get_template_directory() . '/languages' );
+
+		// Add default posts and comments RSS feed links to head.
+		add_theme_support( 'automatic-feed-links' );
+
+		// Let WordPress manage the document title.
+		add_theme_support( 'title-tag' );
+
+		// Enable support for Post Thumbnails on posts and pages.
+		add_theme_support( 'post-thumbnails' );
+
+		// Set detfault Post Thumbnail size.
+		set_post_thumbnail_size( 900, 400, true );
+
+		// Register Navigation Menu.
+		register_nav_menu( 'primary', esc_html__( 'Main Navigation', 'tortuga' ) );
+
+		// Switch default core markup for search form, comment form, and comments to output valid HTML5.
+		add_theme_support( 'html5', array(
+			'comment-form',
+			'comment-list',
+			'gallery',
+			'caption',
+		) );
+
+		// Set up the WordPress core custom background feature.
+		add_theme_support( 'custom-background', apply_filters( 'tortuga_custom_background_args', array( 'default-color' => 'dddddd' ) ) );
+
+		// Set up the WordPress core custom logo feature.
+		add_theme_support( 'custom-logo', apply_filters( 'tortuga_custom_logo_args', array(
+			'height' => 50,
+			'width' => 250,
+			'flex-height' => true,
+			'flex-width' => true,
+		) ) );
+
+		// Set up the WordPress core custom header feature.
+		add_theme_support( 'custom-header', apply_filters( 'tortuga_custom_header_args', array(
+			'header-text' => false,
+			'width'	=> 1920,
+			'height' => 480,
+			'flex-height' => true,
+		) ) );
+
+		// Add Theme Support for wooCommerce.
+		add_theme_support( 'woocommerce' );
+
+		// Add extra theme styling to the visual editor.
+		add_editor_style( array( 'css/editor-style.css', tortuga_google_fonts_url() ) );
+
+		// Add Theme Support for Selective Refresh in Customizer.
+		add_theme_support( 'customize-selective-refresh-widgets' );
 
-	// Switch default core markup for search form, comment form, and comments to output valid HTML5.
-	add_theme_support( 'html5', array(
-		'search-form',
-		'comment-form',
-		'comment-list',
-		'gallery',
-		'caption',
-	) );
-
-	// Set up the WordPress core custom background feature.
-	add_theme_support( 'custom-background', apply_filters( 'tortuga_custom_background_args', array( 'default-color' => 'dddddd' ) ) );
-
-	// Set up the WordPress core custom logo feature.
-	add_theme_support( 'custom-logo', apply_filters( 'tortuga_custom_logo_args', array(
-		'height' => 50,
-		'width' => 250,
-		'flex-height' => true,
-		'flex-width' => true,
-	) ) );
-
-	// Set up the WordPress core custom header feature.
-	add_theme_support( 'custom-header', apply_filters( 'tortuga_custom_header_args', array(
-		'header-text' => false,
-		'width'	=> 1920,
-		'height' => 480,
-		'flex-height' => true,
-	) ) );
-
-	// Add Theme Support for wooCommerce.
-	add_theme_support( 'woocommerce' );
-
-	// Add extra theme styling to the visual editor.
-	add_editor_style( array( 'css/editor-style.css', tortuga_google_fonts_url() ) );
-
-	// Add Theme Support for Selective Refresh in Customizer.
-	add_theme_support( 'customize-selective-refresh-widgets' );
-
-}
+	}
 endif;
 add_action( 'after_setup_theme', 'tortuga_setup' );
 
diff --git a/inc/slider.php b/inc/slider.php
index 6de9bec..f1a8015 100644
--- a/inc/slider.php
+++ b/inc/slider.php
@@ -21,14 +21,14 @@ function tortuga_slider_scripts() {
 	// Register and enqueue FlexSlider JS and CSS if necessary.
 	if ( true === $theme_options['slider_blog'] or true === $theme_options['slider_magazine'] or is_page_template( 'template-slider.php' ) ) :
 
-		// FlexSlider CSS.
-		wp_enqueue_style( 'tortuga-flexslider', get_template_directory_uri() . '/css/flexslider.css' );
-
 		// FlexSlider JS.
-		wp_enqueue_script( 'flexslider', get_template_directory_uri() .'/js/jquery.flexslider-min.js', array( 'jquery' ), '2.6.0' );
+		wp_enqueue_script( 'jquery-flexslider', get_template_directory_uri() . '/js/jquery.flexslider-min.js', array( 'jquery' ), '2.6.0' );
 
 		// Register and enqueue slider setup.
-		wp_enqueue_script( 'tortuga-post-slider', get_template_directory_uri() .'/js/slider.js', array( 'flexslider' ) );
+		wp_enqueue_script( 'tortuga-slider', get_template_directory_uri() . '/js/slider.js', array( 'jquery-flexslider' ) );
+
+		// Register and enqueue slider CSS.
+		wp_enqueue_style( 'tortuga-slider', get_template_directory_uri() . '/css/flexslider.css' );
 
 	endif;
 
@@ -48,17 +48,17 @@ function tortuga_slider_excerpt_length( $length ) {
 
 
 if ( ! function_exists( 'tortuga_slider_meta' ) ) :
-/**
- * Displays the date and author on slider posts
- */
-function tortuga_slider_meta() {
+	/**
+	 * Displays the date and author on slider posts
+	 */
+	function tortuga_slider_meta() {
 
-	$postmeta = tortuga_meta_date();
-	$postmeta .= tortuga_meta_author();
+		$postmeta = tortuga_meta_date();
+		$postmeta .= tortuga_meta_author();
 
-	echo '<div class="entry-meta clearfix">' . $postmeta . '</div>';
+		echo '<div class="entry-meta clearfix">' . $postmeta . '</div>';
 
-}
+	}
 endif;
 
 
@@ -76,13 +76,13 @@ function tortuga_slider_options() {
 	$params = array();
 
 	// Set slider animation.
-	$params['animation'] = $theme_options['slider_animation'];
+	$params['animation'] = ( 'fade' === $theme_options['slider_animation'] ) ? 'fade' : 'slide';
 
 	// Set slider speed.
-	$params['speed'] = $theme_options['slider_speed'];
+	$params['speed'] = absint( $theme_options['slider_speed'] );
 
 	// Passing parameters to Flexslider.
-	wp_localize_script( 'tortuga-post-slider', 'tortuga_slider_params', $params );
+	wp_localize_script( 'tortuga-slider', 'tortuga_slider_params', $params );
 
 }
 add_action( 'wp_enqueue_scripts', 'tortuga_slider_options' );
diff --git a/inc/theme-info.php b/inc/theme-info.php
index 89ee521..c75d997 100644
--- a/inc/theme-info.php
+++ b/inc/theme-info.php
@@ -80,7 +80,7 @@ function tortuga_theme_info_page() {
 							<?php printf( esc_html__( '%s makes use of the Customizer for all theme settings. Click on "Customize Theme" to open the Customizer now.', 'tortuga' ), $theme->get( 'Name' ) ); ?>
 						</p>
 						<p>
-							<a href="<?php echo admin_url( 'customize.php' ); ?>" class="button button-primary"><?php esc_html_e( 'Customize Theme', 'tortuga' ); ?></a>
+							<a href="<?php echo wp_customize_url(); ?>" class="button button-primary"><?php esc_html_e( 'Customize Theme', 'tortuga' ); ?></a>
 						</p>
 					</div>
 
@@ -146,10 +146,12 @@ function tortuga_theme_info_page() {
 
 		<div id="theme-author">
 
-			<p><?php printf( esc_html__( '%1$s is proudly brought to you by %2$s. If you like this theme, %3$s :)', 'tortuga' ),
-				$theme->get( 'Name' ),
-				'<a target="_blank" href="' . __( 'https://themezee.com/', 'tortuga' ) . '?utm_source=theme-info&utm_medium=footer&utm_campaign=tortuga" title="ThemeZee">ThemeZee</a>',
-				'<a target="_blank" href="' . __( 'https://wordpress.org/support/theme/tortuga/reviews/?filter=5', 'tortuga' ) . '" title="' . esc_attr__( 'Review Tortuga', 'tortuga' ) . '">' . esc_html__( 'rate it', 'tortuga' ) . '</a>'); ?>
+			<p>
+				<?php printf( esc_html__( '%1$s is proudly brought to you by %2$s. If you like this theme, %3$s :)', 'tortuga' ),
+					$theme->get( 'Name' ),
+					'<a target="_blank" href="' . __( 'https://themezee.com/', 'tortuga' ) . '?utm_source=theme-info&utm_medium=footer&utm_campaign=tortuga" title="ThemeZee">ThemeZee</a>',
+					'<a target="_blank" href="' . __( 'https://wordpress.org/support/theme/tortuga/reviews/?filter=5', 'tortuga' ) . '" title="' . esc_attr__( 'Review Tortuga', 'tortuga' ) . '">' . esc_html__( 'rate it', 'tortuga' ) . '</a>'
+				); ?>
 			</p>
 
 		</div>
@@ -172,7 +174,7 @@ function tortuga_theme_info_page_css( $hook ) {
 	}
 
 	// Embed theme info css style.
-	wp_enqueue_style( 'tortuga-theme-info-css', get_template_directory_uri() .'/css/theme-info.css' );
+	wp_enqueue_style( 'tortuga-theme-info-css', get_template_directory_uri() . '/css/theme-info.css' );
 
 }
 add_action( 'admin_enqueue_scripts', 'tortuga_theme_info_page_css' );
diff --git a/inc/widgets/widget-magazine-posts-boxed.php b/inc/widgets/widget-magazine-posts-boxed.php
index 8ac0a95..e7bd84e 100644
--- a/inc/widgets/widget-magazine-posts-boxed.php
+++ b/inc/widgets/widget-magazine-posts-boxed.php
@@ -433,7 +433,7 @@ function form( $instance ) {
 ?>
 		<p>
 			<label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php esc_html_e( 'Title:', 'tortuga' ); ?>
-				<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo $settings['title']; ?>" />
+				<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $settings['title'] ); ?>" />
 			</label>
 		</p>
 
diff --git a/inc/widgets/widget-magazine-posts-columns.php b/inc/widgets/widget-magazine-posts-columns.php
index bafbfb7..35a2cb4 100644
--- a/inc/widgets/widget-magazine-posts-columns.php
+++ b/inc/widgets/widget-magazine-posts-columns.php
@@ -304,7 +304,7 @@ function category_title( $args, $settings, $category_id, $category_title ) {
 
 				// Display Widget Title with link to category archive.
 				echo '<div class="widget-header">';
-				echo '<h3 class="widget-title"><a class="category-archive-link" href="'. $link_url .'" title="'. $link_title . '">'. $widget_title . '</a></h3>';
+				echo '<h3 class="widget-title"><a class="category-archive-link" href="' . $link_url . '" title="' . $link_title . '">' . $widget_title . '</a></h3>';
 				echo '</div>';
 
 			else :
@@ -357,7 +357,7 @@ function form( $instance ) {
 
 		<p>
 			<label for="<?php echo $this->get_field_id( 'category_one_title' ); ?>"><?php esc_html_e( 'Left Category Title:', 'tortuga' ); ?>
-				<input class="widefat" id="<?php echo $this->get_field_id( 'category_one_title' ); ?>" name="<?php echo $this->get_field_name( 'category_one_title' ); ?>" type="text" value="<?php echo $settings['category_one_title']; ?>" />
+				<input class="widefat" id="<?php echo $this->get_field_id( 'category_one_title' ); ?>" name="<?php echo $this->get_field_name( 'category_one_title' ); ?>" type="text" value="<?php echo esc_attr( $settings['category_one_title'] ); ?>" />
 			</label>
 		</p>
 
@@ -378,7 +378,7 @@ function form( $instance ) {
 
 				<p>
 			<label for="<?php echo $this->get_field_id( 'category_two_title' ); ?>"><?php esc_html_e( 'Right Category Title:', 'tortuga' ); ?>
-				<input class="widefat" id="<?php echo $this->get_field_id( 'category_two_title' ); ?>" name="<?php echo $this->get_field_name( 'category_two_title' ); ?>" type="text" value="<?php echo $settings['category_two_title']; ?>" />
+				<input class="widefat" id="<?php echo $this->get_field_id( 'category_two_title' ); ?>" name="<?php echo $this->get_field_name( 'category_two_title' ); ?>" type="text" value="<?php echo esc_attr( $settings['category_two_title'] ); ?>" />
 			</label>
 		</p>
 
@@ -399,7 +399,7 @@ function form( $instance ) {
 
 		<p>
 			<label for="<?php echo $this->get_field_id( 'number' ); ?>"><?php esc_html_e( 'Number of posts:', 'tortuga' ); ?>
-				<input id="<?php echo $this->get_field_id( 'number' ); ?>" name="<?php echo $this->get_field_name( 'number' ); ?>" type="text" value="<?php echo (int) $settings['number']; ?>" size="3" />
+				<input id="<?php echo $this->get_field_id( 'number' ); ?>" name="<?php echo $this->get_field_name( 'number' ); ?>" type="text" value="<?php echo absint( $settings['number'] ); ?>" size="3" />
 			</label>
 		</p>
 
diff --git a/inc/widgets/widget-magazine-posts-grid.php b/inc/widgets/widget-magazine-posts-grid.php
index 43e9798..247f237 100644
--- a/inc/widgets/widget-magazine-posts-grid.php
+++ b/inc/widgets/widget-magazine-posts-grid.php
@@ -411,7 +411,7 @@ function form( $instance ) {
 
 		<p>
 			<label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php esc_html_e( 'Title:', 'tortuga' ); ?>
-				<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo $settings['title']; ?>" />
+				<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $settings['title'] ); ?>" />
 			</label>
 		</p>
 
@@ -440,7 +440,7 @@ function form( $instance ) {
 
 		<p>
 			<label for="<?php echo $this->get_field_id( 'number' ); ?>"><?php esc_html_e( 'Number of posts:', 'tortuga' ); ?>
-				<input id="<?php echo $this->get_field_id( 'number' ); ?>" name="<?php echo $this->get_field_name( 'number' ); ?>" type="text" value="<?php echo $settings['number']; ?>" size="3" />
+				<input id="<?php echo $this->get_field_id( 'number' ); ?>" name="<?php echo $this->get_field_name( 'number' ); ?>" type="text" value="<?php echo absint( $settings['number'] ); ?>" size="3" />
 			</label>
 		</p>
 
diff --git a/readme.txt b/readme.txt
index 870a39c..e842a4a 100644
--- a/readme.txt
+++ b/readme.txt
@@ -26,6 +26,9 @@ For more information about Tortuga please go to https://themezee.com/themes/tort
 
 == Changelog ==
 
+= 1.1.4 =
+* improved escaping and sanitizing of widget settings and slider options
+
 = 1.1.3 =
 * fixed mobile menus on RTL language sites
 * moved Theme Links to Theme Options panel dropdown
diff --git a/style.css b/style.css
index 6ab3e33..386bb63 100644
--- a/style.css
+++ b/style.css
@@ -4,7 +4,7 @@ Theme URI: https://themezee.com/themes/tortuga/
 Author: ThemeZee
 Author URI: https://themezee.com
 Description: Tortuga is a highly flexible and adventurous WordPress theme for your pirate magazine or any news related website. It supports three different post layouts, two sidebar schemes and a Magazine Homepage template based on widgets. Other highlights of Tortuga are the beautiful post slider and header widgets area. Arrr!
-Version: 1.1.3
+Version: 1.1.4
 License: GNU General Public License v2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 Text Domain: tortuga