From ef2abcc80dfa255adef0002c8d322ec8750309da Mon Sep 17 00:00:00 2001
From: Erick Hitter <ehitter@gmail.com>
Date: Mon, 20 Apr 2015 16:29:16 -0700
Subject: [PATCH] v0.7.1 synched from WP.org plugins SVN

See https://plugins.trac.wordpress.org/changeset/921303
---
 readme.txt          | 13 +++++++++----
 wp-cron-control.php | 44 +++++++++++++++++++++++++++++++++-----------
 2 files changed, 42 insertions(+), 15 deletions(-)

diff --git a/readme.txt b/readme.txt
index 10b1b4e..0f82091 100644
--- a/readme.txt
+++ b/readme.txt
@@ -1,9 +1,9 @@
 === WP-Cron Control ===
-Contributors: tott, ethitter, automattic
+Contributors: tott, ethitter, automattic, batmoo
 Tags: wp-cron, cron, cron jobs, post missed schedule, scheduled posts
-Donate link: http://hitchhackerguide.com
-Tested up to: 3.6
-Stable tag: 0.7
+Requires at least: 3.4
+Tested up to: 4.1
+Stable tag: 0.7.1
 
 This plugin allows you to take control over the execution of cron jobs.
 
@@ -30,6 +30,11 @@ This plugin performs a `remove_action( 'sanitize_comment_cookies', 'wp_cron' );`
 
 == ChangeLog ==
 
+= Version 0.7.1 =
+
+* Security hardening (better escaping, sanitization of saved values)
+* Update plugin to use core's updated cron hook
+
 = Version 0.7 =
 
 * Remove unneeded use of `$wpdb->prepare()` that triggered PHP warnings because a second argument wasn't provided.
diff --git a/wp-cron-control.php b/wp-cron-control.php
index 4c828d8..9f353f8 100644
--- a/wp-cron-control.php
+++ b/wp-cron-control.php
@@ -4,8 +4,7 @@
  Plugin URI: http://wordpress.org/extend/plugins/wp-cron-control/
  Description: Take control of wp-cron execution.
  Author: Thorsten Ott, Erick Hitter, Automattic
- Version: 0.7
- Author URI: http://hitchhackerguide.com
+ Version: 0.7.1
  Text Domain: wp-cron-control
  */
 
@@ -127,7 +126,7 @@ class WP_Cron_Control {
 		 * and  http://core.trac.wordpress.org/browser/trunk/wp-includes/cron.php#L258
 		 */
 		if ( 1 == $this->settings['enable'] ) {
-			remove_action( 'sanitize_comment_cookies', 'wp_cron' );
+			remove_action( 'init', 'wp_cron' );
 			add_action( 'init', array( &$this, 'validate_cron_request' ) );
 		}
 
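Review bot: The comment block directly above the changed line (it starts outside this hunk) still explains the removal in terms of the old hook and links to cron.php#L258, so after switching to `remove_action( 'init', 'wp_cron' )` the stated rationale no longer matches the code; reword it to say that core now attaches `wp_cron` to `init` (per the changelog entry in this commit) and that the plugin removes it there before registering `validate_cron_request` on the same hook. The readme sentence shown as context in the second readme hunk, `This plugin performs a remove_action( 'sanitize_comment_cookies', 'wp_cron' );`, is stale for the same reason. Removing and re-adding on `init` also relies on this code running before `init` fires and on the default priority matching core's registration; a one-line comment at the `remove_action` call noting that assumption would help the next maintainer.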
@@ -142,15 +141,38 @@ class WP_Cron_Control {
 	}
 
 	public function validate_settings( $settings ) {
-		// reset to defaults
+		$validated_settings = array();
+
 		if ( !empty( $_POST[ $this->dashed_name . '-defaults'] ) ) {
-			$settings = $this->default_settings;
+			// Reset to defaults
+			$validated_settings = $this->default_settings;
 			$_REQUEST['_wp_http_referer'] = add_query_arg( 'defaults', 'true', $_REQUEST['_wp_http_referer'] );
-		// or do some custom validations
 		} else {
-
+			foreach ( $this->settings_texts as $setting => $setting_info ) {
+				switch( $setting ) {
+					case 'enable':
+					case 'enable_scheduled_post_validation':
+						$validated_settings[ $setting ] = intval( $settings[ $setting ] );
+						if ( $validated_settings[ $setting ] > 1 || $validated_settings[ $setting ] < 0 ) {
+							$validated_settings[ $setting ] = $this->default_settings[ $setting ];
+						}
+						break;
+
+					case 'secret_string':
+						$validated_settings[ $setting ] = sanitize_text_field( $settings[ $setting ] );
+						if ( empty( $validated_settings[ $setting ] ) ) {
+							$validated_settings[ $setting ] = $this->default_settings[ $setting ];
+						}
+						break;
+
+					default:
+						$validated_settings[ $setting ] = sanitize_text_field( $settings[ $setting ] );
+						break;
+				}
+			}
 		}
-		return $settings;
+
+		return $validated_settings;
 	}
 
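Review bot: Inside the new foreach, `$settings[ $setting ]` is read in all three switch branches without checking the key exists, so a setting absent from the submitted array (an unchecked checkbox, if any setting is rendered that way, or a partial POST) raises an undefined-index notice before `intval()` / `sanitize_text_field()` run. Read the value once with a guard at the top of the loop, `$raw = isset( $settings[ $setting ] ) ? $settings[ $setting ] : '';`, and use `$raw` in the `intval()` call and both `sanitize_text_field()` calls; the `enable` cases then fall back to their defaults as intended and `secret_string` to its default via the existing `empty()` check. Separately, `empty()` on `secret_string` treats a submitted value of `'0'` as missing and silently replaces it with the default; `'' === $validated_settings[ $setting ]` keeps the reset-on-blank behavior without that edge. Iterating `$this->settings_texts` rather than the submitted array is a good allowlist, since unknown keys are dropped; the `$_REQUEST['_wp_http_referer']` rewrite in the defaults branch predates this change and is left as is.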
 	public function settings_page() {
@@ -191,13 +213,13 @@ class WP_Cron_Control {
 								<div><input type="text" name="<?php echo $this->plugin_prefix; ?>settings[<?php echo $setting; ?>]" id="<?php echo $this->dashed_name . '-' . $setting; ?>" class="postform" value="<?php echo esc_attr( $value ); ?>" /></div>
 							<?php break;
 							case 'echo': ?>
-								<div><span id="<?php echo $this->dashed_name . '-' . $setting; ?>" class="postform"><?php echo esc_attr( $value ); ?></span></div>
+								<div><span id="<?php echo $this->dashed_name . '-' . $setting; ?>" class="postform"><?php echo esc_html( $value ); ?></span></div>
 							<?php break;
 							default: ?>
-								<?php echo $this->settings_texts[$setting]['type']; ?>
+								<?php echo esc_html( $this->settings_texts[$setting]['type'] ); ?>
 							<?php break;
 						endswitch; ?>
-						<?php if ( !empty( $this->settings_texts[$setting]['desc'] ) ) { echo $this->settings_texts[$setting]['desc']; } ?>
+						<?php if ( !empty( $this->settings_texts[$setting]['desc'] ) ) { echo wp_kses_post( $this->settings_texts[$setting]['desc'] ); } ?>
 					</td>
 				</tr>
 				<?php endforeach; ?>
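Review bot: The `id` attribute on the new `<span>` line still echoes `$this->dashed_name . '-' . $setting` unescaped while the same line now wraps the value in `esc_html()`; for the escaping pass to be consistent, use `id="<?php echo esc_attr( $this->dashed_name . '-' . $setting ); ?>"`. The same unescaped `$setting` and `$this->plugin_prefix` echoes appear in the text-input line at the top of this hunk (context, not changed by the commit). `$setting` appears to be a key of `$this->settings_texts`, so the exposure is low, but attribute-context escaping is cheap and keeps later additions to that array safe. settings_page() begins and ends outside this hunk.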
-- 
GitLab