v0.7.1 synched from WP.org plugins SVN

See https://plugins.trac.wordpress.org/changeset/921303

v0.7.1 synched from WP.org plugins SVN
See https://plugins.trac.wordpress.org/changeset/921303
ef2abcc8 · Erick Hitter · 9b940efc · ef2abcc8 · ef2abcc8
Commit ef2abcc8 authored Apr 20, 2015 by Erick Hitter
--- a/readme.txt
+++ b/readme.txt
 === WP-Cron Control ===
-Contributors: tott, ethitter, automattic
+Contributors: tott, ethitter, automattic, batmoo
 Tags: wp-cron, cron, cron jobs, post missed schedule, scheduled posts
-Donate link: http://hitchhackerguide.com
-Tested up to: 3.6
-Stable tag: 0.7
+Requires at least: 3.4
+Tested up to: 4.1
+Stable tag: 0.7.1

 This plugin allows you to take control over the execution of cron jobs.

@@ -30,6 +30,11 @@ This plugin performs a `remove_action( 'sanitize_comment_cookies', 'wp_cron' );`

 == ChangeLog ==

+= Version 0.7.1 =
+
+* Security hardening (better escaping, sanitization of saved values)
+* Update plugin to use core's updated cron hook
+
 = Version 0.7 =

 * Remove unneeded use of `$wpdb->prepare()` that triggered PHP warnings because a second argument wasn't provided.

--- a/wp-cron-control.php
+++ b/wp-cron-control.php
@@ -4,8 +4,7 @@
 Plugin URI: http://wordpress.org/extend/plugins/wp-cron-control/
 Description: Take control of wp-cron execution.
 Author: Thorsten Ott, Erick Hitter, Automattic
- Version: 0.7
- Author URI: http://hitchhackerguide.com
+ Version: 0.7.1
 Text Domain: wp-cron-control
 */

@@ -127,7 +126,7 @@ class WP_Cron_Control {
 		 * and  http://core.trac.wordpress.org/browser/trunk/wp-includes/cron.php#L258
 		 */
 		if ( 1 == $this->settings['enable'] ) {
-			remove_action( 'sanitize_comment_cookies', 'wp_cron' );
+			remove_action( 'init', 'wp_cron' );
 			add_action( 'init', array( &$this, 'validate_cron_request' ) );
 		}

@@ -142,15 +141,38 @@ class WP_Cron_Control {
 	}

 	public function validate_settings( $settings ) {
-		// reset to defaults
+		$validated_settings = array();
+
 		if ( !empty( $_POST[ $this->dashed_name . '-defaults'] ) ) {
-			$settings = $this->default_settings;
+			// Reset to defaults
+			$validated_settings = $this->default_settings;
 			$_REQUEST['_wp_http_referer'] = add_query_arg( 'defaults', 'true', $_REQUEST['_wp_http_referer'] );
-		// or do some custom validations
 		} else {
-
+			foreach ( $this->settings_texts as $setting => $setting_info ) {
+				switch( $setting ) {
+					case 'enable':
+					case 'enable_scheduled_post_validation':
+						$validated_settings[ $setting ] = intval( $settings[ $setting ] );
+						if ( $validated_settings[ $setting ] > 1 || $validated_settings[ $setting ] < 0 ) {
+							$validated_settings[ $setting ] = $this->default_settings[ $setting ];
+						}
+						break;
+
+					case 'secret_string':
+						$validated_settings[ $setting ] = sanitize_text_field( $settings[ $setting ] );
+						if ( empty( $validated_settings[ $setting ] ) ) {
+							$validated_settings[ $setting ] = $this->default_settings[ $setting ];
+						}
+						break;
+
+					default:
+						$validated_settings[ $setting ] = sanitize_text_field( $settings[ $setting ] );
+						break;
+				}
+			}
 		}
-		return $settings;
+
+		return $validated_settings;
 	}

 	public function settings_page() {
@@ -191,13 +213,13 @@ class WP_Cron_Control {
 								<div><input type="text" name="<?php echo $this->plugin_prefix; ?>settings[<?php echo $setting; ?>]" id="<?php echo $this->dashed_name . '-' . $setting; ?>" class="postform" value="<?php echo esc_attr( $value ); ?>" /></div>
 							<?php break;
 							case 'echo': ?>
-								<div><span id="<?php echo $this->dashed_name . '-' . $setting; ?>" class="postform"><?php echo esc_attr( $value ); ?></span></div>
+								<div><span id="<?php echo $this->dashed_name . '-' . $setting; ?>" class="postform"><?php echo esc_html( $value ); ?></span></div>
 							<?php break;
 							default: ?>
-								<?php echo $this->settings_texts[$setting]['type']; ?>
+								<?php echo esc_html( $this->settings_texts[$setting]['type'] ); ?>
 							<?php break;
 						endswitch; ?>
-						<?php if ( !empty( $this->settings_texts[$setting]['desc'] ) ) { echo $this->settings_texts[$setting]['desc']; } ?>
+						<?php if ( !empty( $this->settings_texts[$setting]['desc'] ) ) { echo wp_kses_post( $this->settings_texts[$setting]['desc'] ); } ?>
 					</td>
 				</tr>
 				<?php endforeach; ?>