From bac0e7d361242eb39b00b40fba4beef77c552e0f Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Mon, 16 Jan 2023 18:45:16 +0530
Subject: [PATCH 1/3] Fix fatal error with PHP 8.2 #976
---
classes/Visualizer/Module.php | 2 +-
classes/Visualizer/Module/Admin.php | 2 +-
classes/Visualizer/Render/Library.php | 5 +----
classes/Visualizer/Source/Csv.php | 4 ++--
4 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/classes/Visualizer/Module.php b/classes/Visualizer/Module.php
index ec746e12d..c338ee07d 100644
--- a/classes/Visualizer/Module.php
+++ b/classes/Visualizer/Module.php
@@ -270,7 +270,7 @@ private function _getCSV( $rows, $filename, $enclose ) {
 $bom = chr( 0xEF ) . chr( 0xBB ) . chr( 0xBF );
 // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
- $fp = @tmpfile();
+ $fp = function_exists( 'tmpfile' ) ? @tmpfile() : null;
 if ( null === $fp ) {
 $fp = fopen( wp_tempnam(), 'w+' );
 }
diff --git a/classes/Visualizer/Module/Admin.php b/classes/Visualizer/Module/Admin.php
index 9e606f717..e6b965b1f 100644
--- a/classes/Visualizer/Module/Admin.php
+++ b/classes/Visualizer/Module/Admin.php
@@ -883,7 +883,7 @@ private function getQuery() {
 $this->getDisplayFilters( $query_args );
 // Added by Ash/Upwork
- $filterByMeta = filter_input( INPUT_GET, 's', FILTER_SANITIZE_STRING );
+ $filterByMeta = ! empty( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 if ( $filterByMeta ) {
 $query = array(
 'key' => Visualizer_Plugin::CF_SETTINGS,
diff --git a/classes/Visualizer/Render/Library.php b/classes/Visualizer/Render/Library.php
index 7a3c90724..a83ded4f2 100644
--- a/classes/Visualizer/Render/Library.php
+++ b/classes/Visualizer/Render/Library.php
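Review bot: The fallback on the `if ( null === $fp )` line still misses the ordinary failure case, because `tmpfile()` returns `false` (not `null`) when it cannot create the temporary file, so a failed call leaves `$fp === false` and whatever the rest of _getCSV does with the handle receives `false` instead of the `wp_tempnam()` fallback; the added `function_exists()` guard only covers the disabled-function case. Testing the handle type covers both: `if ( ! is_resource( $fp ) ) {`. The body of _getCSV continues outside the hunk, so whether the `wp_tempnam()` file is closed and removed afterwards cannot be checked here.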
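Review bot: The new `$filterByMeta` line hands `$_GET['s']` to `sanitize_text_field( wp_unslash( ... ) )` without confirming it is a string, so a request carrying `s[]=...` reaches both helpers as an array; current WordPress core's `_sanitize_text_fields()` returns `''` for arrays, but that is a property of the helper rather than of this line, and the same pattern appears in the Library.php hunk of this patch. A one-word guard keeps both sites well-defined regardless of the WordPress version in use: `$filterByMeta = ! empty( $_GET['s'] ) && is_string( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : null;`. Note also that `! empty()` discards a literal `'0'` search term — harmless here because `if ( $filterByMeta )` treats it the same way, but in Library.php the removed `strlen( ... ) > 0` check used to accept it, so that hunk changes behaviour for that one input. Both getQuery() and _renderLibrary() continue outside their hunks.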
@@ -216,10 +216,7 @@ private function getDisplayForm() {
 */
 private function _renderLibrary() {
 // Added by Ash/Upwork
- $filterBy = null;
- if ( isset( $_GET['s'] ) && strlen( $_GET['s'] ) > 0 ) {
- $filterBy = filter_input( INPUT_GET, 's', FILTER_SANITIZE_STRING );
- }
+ $filterBy = ! empty( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 // Added by Ash/Upwork
 echo $this->custom_css;
 echo '
';
diff --git a/classes/Visualizer/Source/Csv.php b/classes/Visualizer/Source/Csv.php
index 4798c73de..383839b7b 100644
--- a/classes/Visualizer/Source/Csv.php
+++ b/classes/Visualizer/Source/Csv.php
@@ -47,8 +47,8 @@ class Visualizer_Source_Csv extends Visualizer_Source {
 * @access public
 * @param string $filename The path to the file.
 */
- public function __construct( $filename = null ) {
- $this->_filename = trim( $filename );
+ public function __construct( $filename = '' ) {
+ $this->_filename = trim( (string) $filename );
 }
 /**
From 6392561f5cd101ba89f2a0d784c3074f83c38426 Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Wed, 18 Jan 2023 18:19:52 +0530
Subject: [PATCH 2/3] Escape shortcode attribute value Codeinwp/visualizer-pro#365
---
classes/Visualizer/Module/Frontend.php | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/classes/Visualizer/Module/Frontend.php b/classes/Visualizer/Module/Frontend.php
index 412635a22..71be54932 100644
--- a/classes/Visualizer/Module/Frontend.php
+++ b/classes/Visualizer/Module/Frontend.php
@@ -305,6 +305,11 @@ public function renderChart( $atts ) {
 $atts
 );
+ $atts['id'] = (int) $atts['id'];
+ $atts['class'] = esc_attr( $atts['class'] );
+ $atts['lazy'] = esc_attr( $atts['lazy'] );
+ $atts['use_image'] = esc_attr( $atts['use_image'] );
+
 global $sitepress;
 if ( Visualizer_Module::is_pro() && ( function_exists( 'icl_get_languages' ) && $sitepress instanceof \SitePress ) ) {
 global $sitepress;
From f3ffaa91ed10293ba19842f6fefa84b858d688c0 Mon Sep 17 00:00:00 2001
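Review bot: The docblock directly above the changed constructor still reads `@param string $filename The path to the file.`, while the new default `''` plus the `(string)` cast mean that `null` and other scalars are now accepted silently, and an array would become the literal filename `Array` (with a PHP "Array to string conversion" warning) rather than failing. At minimum the docblock should say what the code does, e.g. `@param string|null $filename The path to the file; cast to string, so null is treated as ''.`. If the plugin's minimum PHP version permits it, `?string $filename = ''` on the signature keeps the PHP 8.2 fix while still rejecting arrays and objects with a TypeError. How `_filename` is later opened is outside the hunk.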
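Review bot: The four added assignments escape `class`, `lazy` and `use_image` with `esc_attr()` at the top of renderChart rather than at the point of output, which makes them correct for an HTML attribute context only; if the remainder of renderChart (outside this hunk) places any of them inside a `<script>` block, a URL, or an HTML text node, that output site still needs its own `esc_js()`/`esc_url()`/`esc_html()` call, since escaping is per context and the early `esc_attr()` does not cover those. For `lazy` and `use_image`, which read as on/off style flags supplied by the `shortcode_atts()` defaults that the `$atts );` context presumably closes, validating against the accepted values is stricter than escaping: `$atts['lazy'] = in_array( $atts['lazy'], array( /* ACCEPTED_VALUES placeholder: copy from the defaults above */ ), true ) ? $atts['lazy'] : /* DEFAULT placeholder */;`. `(int) $atts['id']` is a sound cast, but a non-numeric id becomes `0` here and is only rejected wherever the later chart lookup handles that value.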
From: "themeisle[bot]" <>
Date: Mon, 30 Jan 2023 09:05:56 +0000
Subject: [PATCH 3/3] chore(release): 3.9.5
##### [Version 3.9.5](https://github.com/Codeinwp/visualizer/compare/v3.9.4...v3.9.5) (2023-01-30)
- Improved security by escaping shortcode attribute before render
- Compatibility with PHP 8.2
---
CHANGELOG.md | 5 +++++
classes/Visualizer/Plugin.php | 2 +-
css/media.css | 2 +-
index.php | 2 +-
package.json | 2 +-
readme.txt | 8 ++++++++
6 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b237b964b..1cf5c123f 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+##### [Version 3.9.5](https://github.com/Codeinwp/visualizer/compare/v3.9.4...v3.9.5) (2023-01-30)
+
+- Improved security by escaping shortcode attribute before render
+- Compatibility with PHP 8.2
+
 ##### [Version 3.9.4](https://github.com/Codeinwp/visualizer/compare/v3.9.3...v3.9.4) (2023-01-12)
 - Fixed the lock of PRO features bypass
diff --git a/classes/Visualizer/Plugin.php b/classes/Visualizer/Plugin.php
index 581e191c5..782ecc386 100644
--- a/classes/Visualizer/Plugin.php
+++ b/classes/Visualizer/Plugin.php
@@ -28,7 +28,7 @@ class Visualizer_Plugin {
 const NAME = 'visualizer';
- const VERSION = '3.9.4';
+ const VERSION = '3.9.5';
 // custom post types
 const CPT_VISUALIZER = 'visualizer';
diff --git a/css/media.css b/css/media.css
index 6ae70efc0..f922fddcd 100644
--- a/css/media.css
+++ b/css/media.css
@@ -1,5 +1,5 @@
 /*
- Version: 3.9.4
+ Version: 3.9.5
 */
 #visualizer-library-view {
 padding: 30px 10px 10px 30px;
diff --git a/index.php b/index.php
index 3a56a5c39..ccf4a9653 100644
--- a/index.php
+++ b/index.php
@@ -3,7 +3,7 @@
 Plugin Name: Visualizer: Tables and Charts for WordPress
 Plugin URI: https://themeisle.com/plugins/visualizer-charts-and-graphs/
 Description: A simple, easy to use and quite powerful tool to create, manage and embed interactive charts into your WordPress posts and pages. The plugin uses Google Visualization API to render charts, which supports cross-browser compatibility (adopting VML for older IE versions) and cross-platform portability to iOS and new Android releases.
- Version: 3.9.4
+ Version: 3.9.5
 Author: Themeisle
 Author URI: http://themeisle.com
 Requires at least: 3.5
diff --git a/package.json b/package.json
index c0dff94a0..4c703eae8 100755
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "visualizer",
- "version": "3.9.4",
+ "version": "3.9.5",
 "description": "Visualizer Lite",
 "repository": {
 "type": "git",
diff --git a/readme.txt b/readme.txt
index ec0da8914..fab94b9e1 100755
--- a/readme.txt
+++ b/readme.txt
@@ -163,6 +163,14 @@ Pay attention that to turn your shortcodes into graphs, your theme has to have `
 == Changelog ==
+##### [Version 3.9.5](https://github.com/Codeinwp/visualizer/compare/v3.9.4...v3.9.5) (2023-01-30)
+
+- Improved security by escaping shortcode attribute before render
+- Compatibility with PHP 8.2
+
+
+
+
 ##### [Version 3.9.4](https://github.com/Codeinwp/visualizer/compare/v3.9.3...v3.9.4) (2023-01-12)
 - Fixed the lock of PRO features bypass