From fd7e7f077b69cc52ea107f8e15ca1f1eb76c56f3 Mon Sep 17 00:00:00 2001
From: selul
Date: Tue, 31 May 2022 09:50:11 +0300
Subject: [PATCH 1/3] fix security issues

---
 classes/Visualizer/Module/Admin.php | 42 ++++-----
 classes/Visualizer/Module/Chart.php | 20 +++-
 classes/Visualizer/Module/Setup.php | 2 +-
 classes/Visualizer/Render/Layout.php | 94 ++++++++++++---
 classes/Visualizer/Render/Library.php | 50 ++++++-----
 classes/Visualizer/Render/Page/Data.php | 2 +-
 classes/Visualizer/Render/Page/Settings.php | 4 +-
 7 files changed, 119 insertions(+), 95 deletions(-)

diff --git a/classes/Visualizer/Module/Admin.php b/classes/Visualizer/Module/Admin.php
index 40c6a44a5..eaf8548ef 100644
--- a/classes/Visualizer/Module/Admin.php
+++ b/classes/Visualizer/Module/Admin.php
@@ -365,7 +365,7 @@ public function setupMediaViewStrings( $strings ) {
 'types' => array_keys( $chart_types ),
 ),
 'nonce' => wp_create_nonce(),
- 'buildurl' => add_query_arg( 'action', Visualizer_Plugin::ACTION_CREATE_CHART, admin_url( 'admin-ajax.php' ) ),
+ 'buildurl' => esc_url( add_query_arg( 'action', Visualizer_Plugin::ACTION_CREATE_CHART, admin_url( 'admin-ajax.php' ) ) ),
 );
 return $strings;
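Review bot: `esc_url()` on the `buildurl` value is the HTML-attribute escaper: it rewrites `&` to `&#038;` and `'` to `&#039;` and is meant for output into markup, not for a string handed to JavaScript. With a single `action` parameter there is no `&` today, but if `$strings` is localized to a script (the method name suggests so; the consumer is outside the hunk) any argument appended to this URL later would reach the browser entity-encoded, and `esc_url_raw()` is the matching function for that context: `'buildurl' => esc_url_raw( add_query_arg( 'action', Visualizer_Plugin::ACTION_CREATE_CHART, admin_url( 'admin-ajax.php' ) ) ),`. The same esc_url-versus-esc_url_raw question applies to the `urls` array built in `renderLibraryPage` in the next hunk.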
@@ -988,24 +988,28 @@ public function renderLibraryPage() {
 'map_api_key' => get_option( 'visualizer-map-api-key' ),
 'charts' => $charts,
 'urls' => array(
- 'base' => add_query_arg( array( 'vpage' => false, 'vaction' => false ) ),
- 'create' => add_query_arg(
- array(
- 'action' => Visualizer_Plugin::ACTION_CREATE_CHART,
- 'library' => 'yes',
- 'type' => isset( $_GET['type'] ) ? $_GET['type'] : '',
- 'chart-library' => isset( $_GET['chart-library'] ) ? $_GET['chart-library'] : '',
- 'vaction' => false,
- ),
- $ajaxurl
+ 'base' => esc_url( add_query_arg( array( 'vpage' => false, 'vaction' => false ) ) ),
+ 'create' => esc_url(
+ add_query_arg(
+ array(
+ 'action' => Visualizer_Plugin::ACTION_CREATE_CHART,
+ 'library' => 'yes',
+ 'type' => isset( $_GET['type'] ) ? $_GET['type'] : '',
+ 'chart-library' => isset( $_GET['chart-library'] ) ? $_GET['chart-library'] : '',
+ 'vaction' => false,
+ ),
+ $ajaxurl
+ )
 ),
- 'edit' => add_query_arg(
- array(
- 'action' => Visualizer_Plugin::ACTION_EDIT_CHART,
- 'library' => 'yes',
- 'vaction' => false,
- ),
- $ajaxurl
+ 'edit' => esc_url(
+ add_query_arg(
+ array(
+ 'action' => Visualizer_Plugin::ACTION_EDIT_CHART,
+ 'library' => 'yes',
+ 'vaction' => false,
+ ),
+ $ajaxurl
+ )
 ),
 ),
 'page_type' => 'library',
@@ -1024,7 +1028,7 @@ public function renderLibraryPage() {
 $render->custom_css = $css;
 $render->pagination = paginate_links(
 array(
- 'base' => add_query_arg( array( 'vpage' => '%#%', 'vaction' => false ) ),
+ 'base' => esc_url( add_query_arg( array( 'vpage' => '%#%', 'vaction' => false ) ) ),
 'format' => '',
 'current' => $page,
 'total' => $query->max_num_pages,
diff --git a/classes/Visualizer/Module/Chart.php b/classes/Visualizer/Module/Chart.php
index eb04b523c..f7f911602 100644
--- a/classes/Visualizer/Module/Chart.php
+++ b/classes/Visualizer/Module/Chart.php
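Review bot: The `type` and `chart-library` values in the `create` URL are still read from `$_GET` unsanitized; `add_query_arg()` does not URL-encode its values, so the only defence is the trailing `esc_url()`, which drops characters outside its allow-list (including `<`, `>`, `"` and spaces) and entity-encodes `&` and `'` rather than validating the input. Sanitize and encode where the value is read instead: `'type' => isset( $_GET['type'] ) ? rawurlencode( sanitize_text_field( wp_unslash( $_GET['type'] ) ) ) : '',` and the same for `chart-library`. The `base` entries are built from the current request URI (no URL argument to `add_query_arg()`), so they are request-influenced too and benefit from the escaping; whether `esc_url()` or `esc_url_raw()` is the right function depends on whether `urls` ends up in markup or in script data, which is decided outside the hunk (the pagination `base` in the second hunk raises the same question). renderLibraryPage continues outside the hunk.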
@@ -526,7 +526,7 @@ public function renderChartPages() {
 );
 do_action( 'visualizer_pro_new_chart_defaults', $chart_id );
 }
- wp_redirect( add_query_arg( 'chart', (int) $chart_id ) );
+ wp_redirect( esc_url_raw( add_query_arg( 'chart', (int) $chart_id ) ) );
 if ( defined( 'WP_TESTS_DOMAIN' ) ) {
 wp_die();
@@ -891,7 +891,7 @@ private function _handleTypesPage() {
 // redirect to next tab
 // changed by Ash/Upwork
- wp_redirect( add_query_arg( 'tab', 'settings' ) );
+ wp_redirect( esc_url_raw( add_query_arg( 'tab', 'settings' ) ) );
 return;
 }
@@ -1226,13 +1226,15 @@ public function cloneChart() {
 add_post_meta( $new_chart_id, $key, maybe_unserialize( $value[0] ) );
 }
 }
- $redirect = add_query_arg(
- array(
- 'page' => 'visualizer',
- 'type' => filter_input( INPUT_GET, 'type' ),
- 'vaction' => false,
- ),
- admin_url( 'admin.php' )
+ $redirect = esc_url(
+ add_query_arg(
+ array(
+ 'page' => 'visualizer',
+ 'type' => filter_input( INPUT_GET, 'type' ),
+ 'vaction' => false,
+ ),
+ admin_url( 'admin.php' )
+ )
 );
 }
 }
diff --git a/classes/Visualizer/Module/Setup.php b/classes/Visualizer/Module/Setup.php
index 1e5e81bd3..9e7962cc6 100644
--- a/classes/Visualizer/Module/Setup.php
+++ b/classes/Visualizer/Module/Setup.php
@@ -251,7 +251,7 @@ public function adminInit() {
 delete_option( 'visualizer-activated' );
 if ( ! headers_sent() ) {
 $page_name = Visualizer_Module::numberOfCharts() > 0 ? Visualizer_Plugin::NAME : 'viz-support';
- wp_redirect( add_query_arg( 'page', $page_name, admin_url( 'admin.php' ) ) );
+ wp_redirect( esc_url_raw( add_query_arg( 'page', $page_name, admin_url( 'admin.php' ) ) ) );
 exit();
 }
 }
diff --git a/classes/Visualizer/Render/Layout.php b/classes/Visualizer/Render/Layout.php
index 46d80b6e1..8258f8d10 100644
--- a/classes/Visualizer/Render/Layout.php
+++ b/classes/Visualizer/Render/Layout.php
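Review bot: The redirect target here is derived from the current request (`add_query_arg()` with no URL argument reads `$_SERVER['REQUEST_URI']`), and `esc_url_raw()` only removes disallowed characters and protocols; it does not constrain the destination host, which `wp_redirect()` does not check either. The practical exposure is low because the result is a relative path, but since every redirect in this patch goes to the plugin's own admin pages, `wp_safe_redirect()` is the function that also validates the host: `wp_safe_redirect( esc_url_raw( add_query_arg( 'chart', (int) $chart_id ) ) );`. The same applies to the `_handleTypesPage` hunk below and to the `adminInit` hunk in Setup.php. renderChartPages continues outside the hunk.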
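Review bot: `$redirect` in cloneChart is built with `esc_url()`, the display-context escaper, which turns the `&` separator into `&#038;` and `'` into `&#039;`. If `$redirect` is later passed to `wp_redirect()` (its use is outside the hunk, but the name suggests so), the Location header would carry the entity-encoded separator, the browser would treat `#038;type=...` as a fragment, and the `type` parameter would never reach admin.php; for a redirect target or stored URL the matching function is `esc_url_raw()`: `$redirect = esc_url_raw(`. If it is instead echoed into an `href`, `esc_url()` is right, and the escaping should then happen at the output point rather than here.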
@@ -128,13 +128,15 @@ public static function _renderDbWizardResults( $args ) {
 */
 public static function _renderJsonScreen( $args ) {
 $id = $args[1];
- $action = add_query_arg(
- array(
- 'action' => Visualizer_Plugin::ACTION_JSON_SET_DATA,
- 'security' => wp_create_nonce( Visualizer_Plugin::ACTION_JSON_SET_DATA . Visualizer_Plugin::VERSION ),
- 'chart' => $id,
- ),
- admin_url( 'admin-ajax.php' )
+ $action = esc_url(
+ add_query_arg(
+ array(
+ 'action' => Visualizer_Plugin::ACTION_JSON_SET_DATA,
+ 'security' => wp_create_nonce( Visualizer_Plugin::ACTION_JSON_SET_DATA . Visualizer_Plugin::VERSION ),
+ 'chart' => $id,
+ ),
+ admin_url( 'admin-ajax.php' )
+ )
 );
 $url = get_post_meta( $id, Visualizer_Plugin::CF_JSON_URL, true );
@@ -306,13 +308,15 @@ class="visualizer-input json-form-element">
 */
 public static function _renderSimpleEditorScreen( $args ) {
 $chart_id = $args[1];
- $action = add_query_arg(
- array(
- 'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
- 'nonce' => wp_create_nonce(),
- 'chart' => $chart_id,
- ),
- admin_url( 'admin-ajax.php' )
+ $action = esc_url(
+ add_query_arg(
+ array(
+ 'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
+ 'nonce' => wp_create_nonce(),
+ 'chart' => $chart_id,
+ ),
+ admin_url( 'admin-ajax.php' )
+ )
 );
 ?>
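Review bot: `$id` is taken from `$args[1]` and placed into the `chart` query argument as-is, while the Chart.php hunk in this same patch casts the chart id with `(int)` before `add_query_arg()`; `get_post_meta( $id, ... )` on the following line shows it is used as a post ID, so the cast is safe and makes the URL independent of whatever shape the caller passed: `'chart' => (int) $id,`. The same applies to `$chart_id` in `_renderSimpleEditorScreen` in the next hunk and in `_renderTabBasic` further down. `esc_url()` is the right escaper for `$action` only if it is printed into markup, which happens outside the hunk.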
@@ -582,13 +586,13 @@ public static function _renderTabAdvanced( $args ) {
      • -
        +
        -
        +
@@ -654,13 +658,15 @@ public static function _renderTabHelp( $args ) {
 public static function _renderTabBasic( $args ) {
 $chart_id = $args[1];
- $upload_link = add_query_arg(
- array(
- 'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
- 'nonce' => wp_create_nonce(),
- 'chart' => $chart_id,
- ),
- admin_url( 'admin-ajax.php' )
+ $upload_link = esc_url(
+ add_query_arg(
+ array(
+ 'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
+ 'nonce' => wp_create_nonce(),
+ 'chart' => $chart_id,
+ ),
+ admin_url( 'admin-ajax.php' )
+ )
 );
 // this will allow us to open the correct source tab by default.
@@ -815,12 +821,14 @@ class="dashicons dashicons-lock">
      '; @@ -65,7 +65,7 @@ protected function _renderToolbar() { * @access protected */ protected function _toHTML() { - echo ''; + echo ''; parent::_toHTML(); echo '
'; }
From 53702dc7867d37b8c854abac36d65725687c89cc Mon Sep 17 00:00:00 2001
From: selul
Date: Tue, 31 May 2022 09:50:31 +0300
Subject: [PATCH 2/3] migrate to composer v2

---
 composer.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/composer.json b/composer.json
index ef89c5b39..e6fe1c3ea 100755
--- a/composer.json
+++ b/composer.json
@@ -41,6 +41,9 @@
 "optimize-autoloader": true,
 "platform": {
 "php": "5.6"
+ },
+ "allow-plugins": {
+ "dealerdirect/phpcodesniffer-composer-installer": true
 }
 },
 "require-dev": {
From 6e0a050537e304b048b3149f9465cc5a89fb2fe3 Mon Sep 17 00:00:00 2001
From: "themeisle[bot]" <>
Date: Tue, 31 May 2022 07:06:42 +0000
Subject: [PATCH 3/3] chore(release): 3.7.7

##### [Version 3.7.7](https://github.com/Codeinwp/visualizer/compare/v3.7.6...v3.7.7) (2022-05-31)

* Harden security by enforcing unescaped urls.
---
 CHANGELOG.md | 4 ++++
 classes/Visualizer/Plugin.php | 2 +-
 css/media.css | 2 +-
 index.php | 2 +-
 package.json | 2 +-
 readme.txt | 7 +++++++
 6 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9321018f3..709d357f7 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+##### [Version 3.7.7](https://github.com/Codeinwp/visualizer/compare/v3.7.6...v3.7.7) (2022-05-31)
+
+* Harden security by enforcing unescaped urls.
+
 ##### [Version 3.7.6](https://github.com/Codeinwp/visualizer/compare/v3.7.5...v3.7.6) (2022-05-26)
 - Fix PHP 8.0 or above compatibility issue
diff --git a/classes/Visualizer/Plugin.php b/classes/Visualizer/Plugin.php
index 12c004b6b..4849e3f7f 100644
--- a/classes/Visualizer/Plugin.php
+++ b/classes/Visualizer/Plugin.php
@@ -28,7 +28,7 @@ class Visualizer_Plugin {
 const NAME = 'visualizer';
- const VERSION = '3.7.6';
+ const VERSION = '3.7.7';
 // custom post types
 const CPT_VISUALIZER = 'visualizer';
diff --git a/css/media.css b/css/media.css
index ab73c9c09..13267bd8d 100644
--- a/css/media.css
+++ b/css/media.css
@@ -1,5 +1,5 @@
 /*
- Version: 3.7.6
+ Version: 3.7.7
 */
 #visualizer-library-view {
 padding: 30px 10px 10px 30px;
diff --git a/index.php b/index.php
index aecdccc0a..6aea3234d 100644
--- a/index.php
+++ b/index.php
@@ -3,7 +3,7 @@
 Plugin Name: Visualizer: Tables and Charts for WordPress
 Plugin URI: https://themeisle.com/plugins/visualizer-charts-and-graphs-lite/
 Description: A simple, easy to use and quite powerful tool to create, manage and embed interactive charts into your WordPress posts and pages. The plugin uses Google Visualization API to render charts, which supports cross-browser compatibility (adopting VML for older IE versions) and cross-platform portability to iOS and new Android releases.
- Version: 3.7.6
+ Version: 3.7.7
 Author: Themeisle
 Author URI: http://themeisle.com
 Requires at least: 3.5
diff --git a/package.json b/package.json
index 0a2d28a1e..86bf68b99 100755
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "visualizer",
- "version": "3.7.6",
+ "version": "3.7.7",
 "description": "Visualizer Lite",
 "repository": {
 "type": "git",
diff --git a/readme.txt b/readme.txt
index 444a62ab6..3db4ac784 100755
--- a/readme.txt
+++ b/readme.txt
@@ -163,6 +163,13 @@ Pay attention that to turn your shortcodes into graphs, your theme has to have `
 == Changelog ==
+##### [Version 3.7.7](https://github.com/Codeinwp/visualizer/compare/v3.7.6...v3.7.7) (2022-05-31)
+
+* Harden security by enforcing unescaped urls.
+
+
+
+
 ##### [Version 3.7.6](https://github.com/Codeinwp/visualizer/compare/v3.7.5...v3.7.6) (2022-05-26)
 - Fix PHP 8.0 or above compatibility issue