Added input filtering

This commit is contained in:
Justin Foell
2019-11-01 14:26:57 -05:00
parent 97c034b861
commit bfd142e051
5 changed files with 112 additions and 60 deletions
+2 -1
@@ -154,7 +154,7 @@ class WPStrava {
*/
public function register_scripts() {
// Register a personalized stylesheet.
wp_register_style( 'wp-strava-style', WPSTRAVA_PLUGIN_URL . 'css/wp-strava.css' );
wp_register_style( 'wp-strava-style', WPSTRAVA_PLUGIN_URL . 'css/wp-strava.css', array(), WPSTRAVA_PLUGIN_VERSION );
}
/**
@@ -175,4 +175,5 @@ class WPStrava {
new WPStrava_RouteShortcode();
new WPStrava_LatestMapShortcode();
}
}
+30 -8
@@ -37,15 +37,30 @@ abstract class WPStrava_Auth {
$settings = WPStrava::get_instance()->settings;
// User is clearing to start-over, don't oauth, ignore other errors.
if ( isset( $_POST['strava_id'] ) && $settings->ids_empty( $_POST['strava_id'] ) ) {
$input_args = array(
'strava_id' => array(
'filter' => FILTER_SANITIZE_NUMBER_INT,
'flags' => FILTER_REQUIRE_ARRAY,
),
'strava_client_id' => array(
'filter' => FILTER_SANITIZE_NUMBER_INT,
'flags' => FILTER_REQUIRE_SCALAR,
),
'strava_client_secret' => FILTER_SANITIZE_STRING,
);
$input = filter_input_array( INPUT_POST, $input_args );
if ( $settings->ids_empty( $input['strava_id'] ) ) {
return array();
}
// Redirect only if all the right options are in place.
if ( $settings->is_settings_updated( $value ) && $settings->is_option_page() ) {
// Only re-auth if client ID and secret were saved.
if ( ! empty( $_POST['strava_client_id'] ) && ! empty( $_POST['strava_client_secret'] ) ) {
wp_redirect( $this->get_authorize_url( $_POST['strava_client_id'] ) );
if ( ! empty( $input['strava_client_id'] ) && ! empty( $input['strava_client_secret'] ) ) {
wp_redirect( $this->get_authorize_url( $input['strava_client_id'] ) );
exit();
}
}
@@ -55,10 +70,17 @@ abstract class WPStrava_Auth {
public function init() {
$settings = WPStrava::get_instance()->settings;
$input_args = array(
'settings-updated' => FILTER_SANITIZE_STRING,
'code' => FILTER_SANITIZE_STRING,
);
$input = filter_input_array( INPUT_GET, $input_args );
//only update when redirected back from strava
if ( ! isset( $_GET['settings-updated'] ) && $settings->is_settings_page() ) {
if ( isset( $_GET['code'] ) ) {
$info = $this->token_exchange_initial( $_GET['code'] );
if ( ! isset( $input['settings-updated'] ) && $settings->is_settings_page() ) {
if ( isset( $input['code'] ) ) {
$info = $this->token_exchange_initial( $input['code'] );
if ( isset( $info->access_token ) ) {
// Translators: New strava token
add_settings_error( 'strava_token', 'strava_token', sprintf( __( 'New Strava token retrieved. %s', 'wp-strava' ), $this->feedback ), 'updated' );
@@ -80,7 +102,7 @@ abstract class WPStrava_Auth {
// Was fetch_token();
private function token_exchange_initial( $code ) {
$settings = WPStrava::get_instance()->settings;
$settings = WPStrava::get_instance()->settings;
$client_id = $settings->client_id;
$client_secret = $settings->client_secret;
@@ -117,7 +139,7 @@ abstract class WPStrava_Auth {
}
protected function token_request( $data ) {
$api = new WPStrava_API();
$api = new WPStrava_API();
return $api->post( 'oauth/token', $data );
}
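Review bot: In the first hunk, `$input = filter_input_array( INPUT_POST, $input_args )` yields `null` when the request carries no POST variables at all, so the next line `$settings->ids_empty( $input['strava_id'] )` reads an offset on `null` (a notice on PHP 7.4, a warning on 8.x); the old `isset( $_POST['strava_id'] )` guard that prevented this was dropped, so restore it with `if ( ! is_array( $input ) ) { return array(); }` ahead of the `ids_empty()` call (in `init()` the `isset()` happens to tolerate the `null`, but the same guard reads better there too). `FILTER_SANITIZE_STRING`, used for `strava_client_secret` and in `init()` for `settings-updated` and `code`, strips tags and HTML-encodes quotes, so it silently mutates the secret and the OAuth code instead of validating them, and it is deprecated as of PHP 8.1; `FILTER_UNSAFE_RAW` followed by a length/character-set check, or `sanitize_text_field()`, is the safer shape. The method containing the first hunk starts before the hunk, and `init()` continues past the second.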
+11 -9
@@ -30,12 +30,14 @@ class WPStrava_LatestActivitiesWidget extends WP_Widget {
'quantity' => isset( $instance['quantity'] ) ? $instance['quantity'] : null,
);
// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped -- Widget OK.
echo $args['before_widget'];
if ( $title ) {
echo $args['before_title'] . $title . $args['after_title'];
}
echo WPStrava_LatestActivities::get_activities_html( $activities_args );
echo $args['after_widget'];
// phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
}
/** @see WP_Widget::update */
@@ -59,24 +61,24 @@ class WPStrava_LatestActivitiesWidget extends WP_Widget {
?>
<p>
<label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e( 'Title:', 'wp-strava' ); ?></label>
<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo $title; ?>" />
<label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"><?php esc_html_e( 'Title:', 'wp-strava' ); ?></label>
<input class="widefat" id="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" />
</p>
<p>
<label for="<?php echo $this->get_field_id( 'client_id' ); ?>"><?php _e( 'Athlete:', 'wp-strava' ); ?></label>
<select name="<?php echo $this->get_field_name( 'client_id' ); ?>">
<label for="<?php echo esc_attr( $this->get_field_id( 'client_id' ) ); ?>"><?php esc_html_e( 'Athlete:', 'wp-strava' ); ?></label>
<select name="<?php echo esc_attr( $this->get_field_name( 'client_id' ) ); ?>">
<?php foreach ( $all_ids as $id => $nickname ) : ?>
<option value="<?php echo $id; ?>"<?php selected( $id, $client_id ); ?>><?php echo $nickname; ?></option>
<option value="<?php echo esc_attr( $id ); ?>"<?php selected( $id, $client_id ); ?>><?php echo esc_html( $nickname ); ?></option>
<?php endforeach; ?>
</select>
</p>
<p>
<label for="<?php echo $this->get_field_id( 'strava_club_id' ); ?>"><?php esc_html_e( 'Club ID (leave blank to show single Athlete):', 'wp-strava' ); ?></label>
<input class="widefat" id="<?php echo $this->get_field_id( 'strava_club_id' ); ?>" name="<?php echo $this->get_field_name( 'strava_club_id' ); ?>" type="text" value="<?php echo $strava_club_id; ?>" />
<label for="<?php echo esc_attr( $this->get_field_id( 'strava_club_id' ) ); ?>"><?php esc_html_e( 'Club ID (leave blank to show single Athlete):', 'wp-strava' ); ?></label>
<input class="widefat" id="<?php echo esc_attr( $this->get_field_id( 'strava_club_id' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'strava_club_id' ) ); ?>" type="text" value="<?php echo esc_attr( $strava_club_id ); ?>" />
</p>
<p>
<label for="<?php echo $this->get_field_id( 'quantity' ); ?>"><?php esc_html_e( 'Quantity:', 'wp-strava' ); ?></label>
<input class="widefat" id="<?php echo $this->get_field_id( 'quantity' ); ?>" name="<?php echo $this->get_field_name( 'quantity' ); ?>" type="text" value="<?php echo $quantity; ?>" />
<label for="<?php echo esc_attr( $this->get_field_id( 'quantity' ) ); ?>"><?php esc_html_e( 'Quantity:', 'wp-strava' ); ?></label>
<input class="widefat" id="<?php echo esc_attr( $this->get_field_id( 'quantity' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'quantity' ) ); ?>" type="text" value="<?php echo esc_html( $quantity ); ?>" />
</p>
<?php
}
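Review bot: The `quantity` input's `value` attribute in the second hunk is escaped with `esc_html()` while every other attribute in this form uses `esc_attr()`; both encode the quote characters, so this is not exploitable, but the context-specific helper is what a reader and the WordPress phpcs sniffs expect, so change it to `value="<?php echo esc_attr( $quantity ); ?>"`. In the first hunk the phpcs disable/enable pair around `echo $args['before_widget']` carries only `-- Widget OK.`; a reader cannot tell from that why unescaped output is acceptable here, so state the reason, e.g. `// $args is the sidebar markup registered by the theme, not request input.` (hedged: that is what `WP_Widget::widget()` normally receives, but the caller is not visible in this diff).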
+67 -41
@@ -121,29 +121,35 @@ class WPStrava_Settings {
// Translators: Strava "app" description
$description = sprintf( __( 'WP-Strava for %s', 'wp-strava' ), $blog_name );
printf( __( "<p>Steps:</p>
<ol>
<li>Create your free API Application/Connection here: <a href='%1\$s'>%2\$s</a> using the following information:</li>
<ul>
<li>App Icon: <strong>upload <a href='%3\$s'>this image</a></strong></li>
<li>Application Name: <strong>%4\$s</strong></li>
<li>Category: OK to leave at default 'other'</li>
<li>Club: OK to leave blank</li>
<li>Website: <strong>%5\$s</strong></li>
<li>Application Description: <strong>%6\$s</strong></li>
<li>Authorization Callback Domain: <strong>%7\$s</strong></li>
</ul>
<li>Once you've created your API Application at strava.com, enter the <strong>Client ID</strong> and <strong>Client Secret</strong> below, which can now be found on that same strava API Settings page.
<li>After saving your Client ID and Secret, you'll be redirected to strava to authorize your API Application. If successful, your Strava ID will display in a table, next to your nickname.</li>
<li>If you need to re-authorize your API Application, erase your Strava ID next to your nickname and click 'Save Changes' to start over.</li>
</ol>", 'wp-strava' ),
$settings_url,
$settings_url,
$icon_url,
$app_name,
$site_url,
$description,
wp_parse_url( $site_url, PHP_URL_HOST )
echo wp_kses_post(
sprintf(
__(
"<p>Steps:</p>
<ol>
<li>Create your free API Application/Connection here: <a href='%1\$s'>%2\$s</a> using the following information:</li>
<ul>
<li>App Icon: <strong>upload <a href='%3\$s'>this image</a></strong></li>
<li>Application Name: <strong>%4\$s</strong></li>
<li>Category: OK to leave at default 'other'</li>
<li>Club: OK to leave blank</li>
<li>Website: <strong>%5\$s</strong></li>
<li>Application Description: <strong>%6\$s</strong></li>
<li>Authorization Callback Domain: <strong>%7\$s</strong></li>
</ul>
<li>Once you've created your API Application at strava.com, enter the <strong>Client ID</strong> and <strong>Client Secret</strong> below, which can now be found on that same strava API Settings page.
<li>After saving your Client ID and Secret, you'll be redirected to strava to authorize your API Application. If successful, your Strava ID will display in a table, next to your nickname.</li>
<li>If you need to re-authorize your API Application, erase your Strava ID next to your nickname and click 'Save Changes' to start over.</li>
</ol>",
'wp-strava'
),
$settings_url,
$settings_url,
$icon_url,
$app_name,
$site_url,
$description,
wp_parse_url( $site_url, PHP_URL_HOST )
)
);
}
@@ -155,11 +161,20 @@ class WPStrava_Settings {
*/
public function print_gmaps_instructions() {
$maps_url = 'https://developers.google.com/maps/documentation/static-maps/';
printf( __( "<p>Steps:</p>
<ol>
<li>To use Google map images, you must create a Static Maps API Key. Create a free key by going here: <a href='%1\$s'>%2\$s</a> and clicking <strong>Get a Key</strong></li>
<li>Once you've created your Google Static Maps API Key, enter the key below.
</ol>", 'wp-strava' ), $maps_url, $maps_url );
echo wp_kses_post(
sprintf(
__(
"<p>Steps:</p>
<ol>
<li>To use Google map images, you must create a Static Maps API Key. Create a free key by going here: <a href='%1\$s'>%2\$s</a> and clicking <strong>Get a Key</strong></li>
<li>Once you've created your Google Static Maps API Key, enter the key below.
</ol>",
'wp-strava'
),
$maps_url,
$maps_url
)
);
}
/**
@@ -205,7 +220,7 @@ class WPStrava_Settings {
public function print_nickname_input() {
$nickname = $this->ids_empty( $this->ids ) ? __( 'Default', 'wp-strava' ) : '';
?>
<input type="text" name="strava_nickname[]" value="<?php echo $nickname; ?>" />
<input type="text" name="strava_nickname[]" value="<?php echo esc_attr( $nickname ); ?>" />
<?php
}
@@ -268,7 +283,7 @@ class WPStrava_Settings {
}
/**
* Sanitize the nicknames - make sure we've got the same number of nicknames sa IDs.
* Sanitize the nicknames - make sure we've got the same number of nicknames and IDs.
*
* @param array $nicknames Nicknames for the athletes saved.
* @return array
@@ -278,11 +293,20 @@ class WPStrava_Settings {
public function sanitize_nickname( $nicknames ) {
if ( ! $this->adding_athlete ) {
$input_args = array(
'strava_id' => array(
'filter' => FILTER_SANITIZE_NUMBER_INT,
'flags' => FILTER_REQUIRE_ARRAY,
),
);
$input = filter_input_array( INPUT_POST, $input_args );
// Chop $nicknames to same size as ids.
$nicknames = array_slice( $nicknames, 0, count( $_POST['strava_id'] ) );
$nicknames = array_slice( $nicknames, 0, count( $input['strava_id'] ) );
// Remove indexes from $nicknames that have empty ids.
foreach ( $_POST['strava_id'] as $index => $id ) {
foreach ( $input['strava_id'] as $index => $id ) {
$id = trim( $id );
if ( empty( $id ) ) {
unset( $nicknames[ $index ] );
@@ -324,7 +348,7 @@ class WPStrava_Settings {
*/
public function print_gmaps_key_input() {
?>
<input type="text" id="strava_gmaps_key" name="strava_gmaps_key" value="<?php echo $this->gmaps_key; ?>" />
<input type="text" id="strava_gmaps_key" name="strava_gmaps_key" value="<?php echo esc_attr( $this->gmaps_key ); ?>" />
<?php
}
@@ -632,7 +656,7 @@ class WPStrava_Settings {
* @since 2.0.0
*/
public function is_option_page() {
return isset( $_POST['option_page'] ) && $_POST['option_page'] === $this->option_page;
return filter_input( INPUT_POST, 'option_page', FILTER_SANITIZE_STRING ) === $this->option_page;
}
/**
@@ -643,7 +667,7 @@ class WPStrava_Settings {
* @since 2.0.0
*/
public function is_settings_page() {
return isset( $_GET['page'] ) && $_GET['page'] === $this->page_name;
return filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING ) === $this->page_name;
}
/**
@@ -665,7 +689,7 @@ class WPStrava_Settings {
* @since 2.0.0
*/
private function is_adding_athlete() {
return ! ( empty( $_POST['strava_client_id'] ) && empty( $_POST['strava_client_secret'] ) );
return filter_input( INPUT_POST, 'strava_client_id', FILTER_SANITIZE_NUMBER_INT ) && filter_input( INPUT_POST, 'strava_client_secret', FILTER_SANITIZE_STRING );
}
/**
@@ -722,11 +746,13 @@ class WPStrava_Settings {
public function ms_plugin_update_message( $file, $plugin ) {
if ( is_multisite() && ! is_network_admin() && version_compare( $plugin['Version'], $plugin['new_version'], '<' ) ) {
$wp_list_table = _get_list_table( 'WP_Plugins_List_Table' );
printf(
'<tr class="plugin-update-tr"><td colspan="%s" class="plugin-update update-message notice inline notice-warning notice-alt"><div class="update-message"><h4 style="margin: 0; font-size: 14px;">%s</h4>%s</div></td></tr>',
$wp_list_table->get_column_count(),
$plugin['Name'],
wp_kses_post( $plugin['upgrade_notice'] )
echo wp_kses_post(
sprintf(
'<tr class="plugin-update-tr"><td colspan="%s" class="plugin-update update-message notice inline notice-warning notice-alt"><div class="update-message"><h4 style="margin: 0; font-size: 14px;">%s</h4>%s</div></td></tr>',
$wp_list_table->get_column_count(),
$plugin['Name'],
$plugin['upgrade_notice']
)
);
}
}
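Review bot: `is_adding_athlete()` changes meaning: the old `! ( empty( $_POST['strava_client_id'] ) && empty( $_POST['strava_client_secret'] ) )` was true when either field was posted, whereas the new `filter_input( … ) && filter_input( … )` is true only when both are present and survive their filters, which in turn flips the `! $this->adding_athlete` branch in `sanitize_nickname()`; if the narrower rule is intended it deserves a sentence in the commit message, otherwise keep the two `filter_input()` calls in locals and `return ! empty( $client_id ) || ! empty( $client_secret );`. In `sanitize_nickname()`, `$input['strava_id']` is `null` when the field is absent and `false` when it is posted as a scalar (`FILTER_REQUIRE_ARRAY`), and both values reach `count()` and the `foreach`, a TypeError on PHP 8; normalise first with `$ids = is_array( $input['strava_id'] ?? null ) ? $input['strava_id'] : array();` and use `$ids` in both places (the method continues past the hunk). `is_option_page()`, `is_settings_page()` and `is_adding_athlete()` pick up `FILTER_SANITIZE_STRING`, deprecated since PHP 8.1; `FILTER_UNSAFE_RAW` combined with the strict `===` comparison against a known slug gives the same protection without the deprecation.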
+2 -1
@@ -3,7 +3,7 @@
* Plugin Name: WP Strava
* Plugin URI: https://wordpress.org/plugins/wp-strava/
* Description: Show your strava.com activity on your WordPress site. Some Icons are Copyright © Yusuke Kamiyamane. All rights reserved. Licensed under a Creative Commons Attribution 3.0 license.
* Version: 2.0.0
* Version: 2.0.1
* Author: Carlos Santa Cruz, Justin Foell, Lance Willett, Daniel Lintott, Sebastian Erb
* License: GPL2
* Text Domain: wp-strava
@@ -28,6 +28,7 @@ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
define( 'WPSTRAVA_PLUGIN_VERSION', '2.0.1' );
define( 'WPSTRAVA_PLUGIN_DIR', trailingslashit( dirname( __FILE__ ) ) );
define( 'WPSTRAVA_PLUGIN_URL', plugins_url( '/', __FILE__ ) );
define( 'WPSTRAVA_PLUGIN_NAME', plugin_basename( __FILE__ ) );