Fixes security issue #13

callbacks/output.php

@@ -1 +1,2 @@
 <?php
+// Nothing but silence.

class-pixfields.php

@@ -20,7 +20,7 @@ class PixFieldsPlugin {
 	 * @since   1.0.0
 	 * @const   string
 	 */
-	protected $version = '0.7.0';
+	protected $version = '0.7.1';
 
 	/**
 	 * Unique identifier for your plugin.

core/classes/Processor.php

@@ -104,6 +104,8 @@ function run() {
 			}
 
 			if ( $this->form_was_submitted() ) {
+				check_admin_referer( 'pixfields-save-settings' );
+
 				$input  = $this->cleanup_input( $_POST );
 				$errors = $this->validate_input( $input );
 

lang/pixfields.pot

@@ -0,0 +1,118 @@
+# Copyright (C) 2023 Pixelgrade
+# This file is distributed under the GPL-2.0 or later..
+msgid ""
+msgstr ""
+"Project-Id-Version: PixFields 0.7.1\n"
+"Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/pixfields-git\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"POT-Creation-Date: 2023-07-27T14:40:41+00:00\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"X-Generator: WP-CLI 2.6.0\n"
+"X-Domain: pixfields_txtd\n"
+
+#. Plugin Name of the plugin
+#: class-pixfields.php:412
+#: views/admin.php:26
+msgid "PixFields"
+msgstr ""
+
+#. Plugin URI of the plugin
+msgid "https://wordpress.org/plugins/pixfields/"
+msgstr ""
+
+#. Description of the plugin
+msgid "WordPress easy custom fields management plugin."
+msgstr ""
+
+#. Author of the plugin
+msgid "Pixelgrade"
+msgstr ""
+
+#. Author URI of the plugin
+msgid "https://pixelgrade.com"
+msgstr ""
+
+#: class-pixfields.php:308
+msgid " fields"
+msgstr ""
+
+#: class-pixfields.php:346
+msgid "Manage fields"
+msgstr ""
+
+#: settings/fields_manager.php:8
+msgid "Manage Fields"
+msgstr ""
+
+#: settings/general.php:8
+msgid "Allow Edit Fields"
+msgstr ""
+
+#: settings/general.php:14
+#: settings/general.php:20
+msgid "Post Types"
+msgstr ""
+
+#: settings/general.php:25
+msgid "Template function"
+msgstr ""
+
+#: settings/general.php:26
+msgid "After Content"
+msgstr ""
+
+#: settings/general.php:27
+msgid "Before Content"
+msgstr ""
+
+#: views/admin.php:33
+msgid "Unable to save settings."
+msgstr ""
+
+#: views/admin.php:34
+msgid "Please check the fields for errors and typos."
+msgstr ""
+
+#: views/admin.php:41
+msgid "Settings have been updated."
+msgstr ""
+
+#: views/admin.php:53
+msgid "Save Changes"
+msgstr ""
+
+#: views/admin.php:60
+msgid "Critical Error"
+msgstr ""
+
+#: views/form-partials/fields/pixfields.php:46
+msgid "Post type: "
+msgstr ""
+
+#: views/form-partials/fields/pixfields.php:53
+msgid "Name"
+msgstr ""
+
+#: views/form-partials/fields/pixfields.php:55
+msgid "Filter"
+msgstr ""
+
+#: views/form-partials/fields/pixfields.php:98
+msgid "Delete"
+msgstr ""
+
+#: views/form-partials/fields/pixfields.php:110
+msgid "Enter field name .."
+msgstr ""
+
+#: views/form-partials/fields/pixfields.php:115
+msgid "Add Field"
+msgstr ""
+
+#: views/form-partials/fields/pixfields.php:120
+msgid "Update"
+msgstr ""

pixfields.php

@@ -1,24 +1,19 @@
 <?php
-/*
-* @package   PixFields
-* @author    PixelGrade <contact@pixelgrade.com>
-* @license   GPL-2.0+
-* @link      http://pixelgrade.com
-* @copyright 2014 PixelGrade
-*
-* @wordpress-plugin
-Plugin Name: PixFields
-Plugin URI:  http://pixelgrade.com
-Description: WordPress easy custom fields management plugin.
-Version: 0.7.0
-Author: PixelGrade
-Author URI: http://pixelgrade.com
-Author Email: contact@pixelgrade.com
-Text Domain: proof
-License:     GPL-2.0+
-License URI: http://www.gnu.org/licenses/gpl-2.0.txt
-Domain Path: /lang
-*/
+/**
+ * Plugin Name: PixFields
+ * Plugin URI: https://wordpress.org/plugins/pixfields/
+ * Description: WordPress easy custom fields management plugin.
+ * Version: 0.7.1
+ * Author: Pixelgrade
+ * Author URI: https://pixelgrade.com
+ * Author Email: contact@pixelgrade.com
+ * Requires at least: 4.9.9
+ * Tested up to: 5.2.2
+ * Text Domain: pixfields_txtd
+ * License:     GPL-2.0 or later.
+ * License URI: http://www.gnu.org/licenses/gpl-2.0.txt
+ * Domain Path: /lang
+ */
 
 // If this file is called directly, abort.
 if ( ! defined( 'WPINC' ) ) {
@@ -108,7 +103,7 @@ function get_pixfields( $post_id = null ) {
 }
 
 /**
- * Get all the filtrable keys
+ * Get all the filterable keys
  * @param $post_type
  *
  * @return array as $key => $label

readme.txt

@@ -23,6 +23,9 @@ The theme should style the output of the metadata.
 
 == Changelog ==
 
+= 0.7.1 =
+* Security fix
+
 = 0.7.0 =
 * Several compatibility checks with Gutenberg were done, so that we can finally say that the plugin is Gutenberg-ready
 

views/admin.php

@@ -47,6 +47,8 @@
 		echo $f->field( 'general' )->render();
 		//echo $f->field( 'fields_manager' )->render(); ?>
 
+		<?php wp_nonce_field( 'pixfields-save-settings' ); ?>
+
 		<button type="submit" class="button button-primary">
 			<?php _e( 'Save Changes', 'pixfields_txtd' ); ?>
 		</button>
@@ -60,4 +62,4 @@
 		<p><?php echo $status['message'] ?></p>
 
 	<?php endif; ?>
-</div>
+</div>