Changeset 3069819

Timestamp:

04/13/2024 12:42:02 AM (4 months ago)

Author:

dglingren

Message:

Fix SQL Injection and Reflected Cross Site Scripting issues, add custom:* to MLA Multi-search Example plugin.

Location:

media-library-assistant/trunk

Files:

• examples/plugins/mla-multi-search-example.php (modified) (11 diffs)
• includes/class-mla-core.php (modified) (2 diffs)
• includes/class-mla-edit-media.php (modified) (1 diff)
• includes/class-mla-shortcode-custom-list.php (modified) (5 diffs)
• index.php (modified) (1 diff)
• readme.txt (modified) (1 diff)

media-library-assistant/trunk/examples/plugins/mla-multi-search-example.php

@@ -6 +6 @@
  *
  * 1. A custom "multi_search" parameter names one or more "search keys", e.g.
- *    multi_search="keyword:,custom:Country,custom:City"
- *
- * 2. Each custom field is queried for a LIKE match with the content of the "s" parameter.
+ *        multi_search="keyword:,custom:Country,custom:City"
+ *    Where "keyword:" performs the usual Keyword(s) search
+ *    and "custom:" searches the custom fields names in the list.
+ *    You can code "custom:*" to search ALL custom fields without naming them.
+ *
+ * 2. Each custom field is queried for a LIKE match with the content of the "s" parameter.<br />
+ *    Note that this is more limited than the logic provided by the Keyword(s) Search function.
  *
  * 3. Matches from the custom field search(es) are added to any keyword(s) search matches,
@@ -20 +24 @@
  * https://wordpress.org/support/topic/gallery-layout-with-thumbnails/
  *
+
+
+
+
  * @package MLA Multi-search Example
- * @version 1.01
+ * @version 1.0
  */
 
@@ -29 +37 @@
 Description: Adds custom field search(es) to the [mla_gallery] keyword(s) search results
 Author: David Lingren
-Version: 1.01
+Version: 1.0
 Author URI: http://davidlingren.com/
 
-Copyright 2016 David Lingren
+Copyright 2016 David Lingren
 
     This program is free software; you can redistribute it and/or modify
@@ -59 +67 @@
 class MLAMultiSearchExample {
     /**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
      * Initialization function, similar to __construct()
      *
@@ -91 +117 @@
      */
     public static function mla_gallery_attributes( $shortcode_attributes ) {
-        //error_log( 'MLAMultiSearchExample::mla_gallery_attributes $shortcode_attributes = ' . var_export( $shortcode_attributes, true ), 0 );
+        if ( isset( $shortcode_attributes['multi_search'] ) ) {
+            MLACore::mla_debug_add( __LINE__ . " MLAMultiSearchExample::mla_gallery_attributes \$shortcode_attributes = " . var_export( $shortcode_attributes, true ), self::MLA_DEBUG_CATEGORY );
+        }
+
         // Save the attributes for use in the later filters
         self::$shortcode_attributes = $shortcode_attributes;
@@ -98 +127 @@
         return $shortcode_attributes;
     } // mla_gallery_attributes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 
     /**
@@ -119 +169 @@
             global $post;
             
+
+
             $multi_search = self::$shortcode_attributes['multi_search'];
             unset( self::$shortcode_attributes['multi_search'] );
@@ -141 +193 @@
             
             $results = array();
-            $search_value = !empty( self::$shortcode_attributes['s'] ) ? trim( self::$shortcode_attributes['s'] ) : '';
+            $search_value = !empty( self::$shortcode_attributes['s'] ) ? trim( self::$shortcode_attributes['s'] ) : '';
             $search_keys = explode( ',', $multi_search );
+
+
+
+
+
+
+
+
+
+
+
+
 
             foreach( $search_keys as $search_key ) {
                 $tokens = array_map( 'trim', explode( ':', $search_key ) ); 
+
                 switch ( $tokens[0] ) {
                     case 'keyword':
@@ -166 +231 @@
 
                 if ( is_string( $attachments ) ) {
+
                     $attachments = array();
+
+
                 }
-
+                
                 unset( $attachments['found_rows'] );
                 unset( $attachments['max_num_pages'] );
@@ -179 +247 @@
             if ( count( $results ) ) {          
                 $all_query_parameters['include'] = implode( ',', $results );
+
             } else {
                 $all_query_parameters['include'] = '1';
@@ -190 +259 @@
 } // Class MLAMultiSearchExample
 
-/*
- * Install the filters at an early opportunity
- */
+// Install the filters at an early opportunity
 add_action('init', 'MLAMultiSearchExample::initialize');
 ?>

media-library-assistant/trunk/includes/class-mla-core.php

@@ -31 +31 @@
      * @var string
      */
-    const MLA_DEVELOPMENT_VERSION = '';
+    const MLA_DEVELOPMENT_VERSION = '';
 
     /**
@@ -793 +793 @@
         if ( ( false !== strpos( $location, 'upload.php?' ) ) || ( false !== strpos( $location, 'post.php?' ) ) ) {
             if ( isset( $_REQUEST['mla_source'] ) ) {
-                $location = add_query_arg( array( 'mla_source' => sanitize_text_field( wp_unslash( $_REQUEST['mla_source'] ) ) ), $location );
+                $location = add_query_arg( array( 'mla_source' =>  ) ) ), $location );
             }
         }

media-library-assistant/trunk/includes/class-mla-edit-media.php

@@ -1078 +1078 @@
         $view_args = array( 'page' => MLACore::ADMIN_PAGE_SLUG, 'mla_item_ID' => $post->ID );
         if ( isset( $_REQUEST['mla_source'] ) ) {
-            $view_args['mla_source'] = sanitize_text_field( wp_unslash( $_REQUEST['mla_source'] ) );
+            $view_args['mla_source'] =  ) );
         
-            // apply_filters( 'get_delete_post_link', wp_nonce_url( $delete_link, "$action-post_{$post->ID}" ), $post->ID, $force_delete ) in /wp-includes/link-template.php
             add_filter( 'get_delete_post_link', 'MLAEdit::get_delete_post_link_filter', 10, 3 );
         }
         
         if ( isset( $_REQUEST['lang'] ) ) {
-            $view_args['lang'] = sanitize_text_field( wp_unslash( $_REQUEST['lang'] ) );
+            $view_args['lang'] =  ) );
         }
 

media-library-assistant/trunk/includes/class-mla-shortcode-custom-list.php

@@ -1 +1 @@
 <?php
 /**
- * Media Library Assistant Term List Shortcode
+ * Media Library Assistant  List Shortcode
  *
  * @package Media Library Assistant
@@ -1801 +1801 @@
         $clause_parameters = array( $arguments['meta_key'] );
         $clause = array ( $wpdb->prepare( 'm.meta_key = \'' . join( ',', $placeholders ) . '\'', $clause_parameters ) ); // phpcs:ignore
-//      $clause = array( "m.meta_key = '" . $arguments['meta_key'] . "'" );
 
         $clause_parameters = array();
@@ -1807 +1806 @@
 
         /*
-         * The "ids" parameter can build an item-specific cloud.
-         * Compile a list of all the terms assigned to the items.
+         * The "ids" parameter can build an item-specific .
+         * Compile a list of all the s assigned to the items.
          */
         if ( ! empty( $arguments['ids'] ) ) {
             $ids = wp_parse_id_list( $arguments['ids'] );
-            $placeholders = implode( "','", $ids );
-            $clause[] = "AND m.post_id IN ( '{$placeholders}' )";
+            $ = implode( "','", $ids );
+            $clause[] = "AND m.post_id IN ( '{$}' )";
 
             $includes = array();
@@ -1827 +1826 @@
             // Apply a non-empty argument before we replace it.
             if ( ! empty( $arguments['include'] ) ) {
-                $includes = array_intersect( $includes, wp_parse_id_list( $arguments['include'] ) );
-            }
-
-            // If there are no values we want an empty cloud
+                $includes = array_intersect( $includes, ( $arguments['include'] ) );
+            }
+
+            // If there are no values we want an empty 
             if ( empty( $includes ) ) {
                 $arguments['include'] = (string) 0x7FFFFFFF;
@@ -1839 +1838 @@
         }
 
-        // Add include/exclude and parent constraints to WHERE cluse
+        // Add include/exclude constraints to WHERE cluse
         if ( ! empty( $arguments['include'] ) ) {
-            $placeholders = implode( "','", str_getcsv( $arguments['include'] ) );
-            $clause[] = "AND m.meta_value IN ( '{$placeholders}' )";
+            $includes = str_getcsv( $arguments['include'] );
+            foreach ( $includes as $include ) {
+                $placeholders[] = '%s';
+                $clause_parameters[] = $include;
+            }
+
+            $clause[] = 'AND m.meta_value IN (' . join( ',', $placeholders ) . ')';
         } elseif ( ! empty( $arguments['exclude'] ) ) {
-            $placeholders = implode( "','", str_getcsv( $arguments['exclude'] ) );
-            $clause[] = "AND m.meta_value NOT IN ( '{$placeholders}' )";
+            $excludes = str_getcsv( $arguments['exclude'] );
+            foreach ( $excludes as $exclude ) {
+                $placeholders[] = '%s';
+                $clause_parameters[] = $exclude;
+            }
+
+            $clause[] = 'AND m.meta_value NOT IN (' . join( ',', $placeholders ) . ')';
         }
 

media-library-assistant/trunk/index.php

@@ -16 +16 @@
 Plugin Name: Media Library Assistant
 Plugin URI: http://davidlingren.com/#two
-Description: Enhances the Media Library; powerful [mla_gallery] [mla_tag_cloud] [mla_term_list], taxonomy support, IPTC/EXIF/XMP/PDF processing, bulk/quick edit.
+Description: Enhances the Media Library; powerful [mla_gallery] [mla_tag_cloud] [mla_term_list], taxonomy support, IPTC/EXIF/XMP/PDF processing, bulk/quick edit.
 Version: 3.15
 Requires at least: 4.1

media-library-assistant/trunk/readme.txt

@@ -187 +187 @@
 
 == Changelog ==
+
+
+
+
+
+
 
 = 3.15 =