release: fixes

* Harden security by enforcing unescaped urls.

Author: selul

classes/Visualizer/Module/Admin.php

@@ -365,7 +365,7 @@ public function setupMediaViewStrings( $strings ) {
 				'types'   => array_keys( $chart_types ),
 			),
 			'nonce'      => wp_create_nonce(),
-			'buildurl'   => add_query_arg( 'action', Visualizer_Plugin::ACTION_CREATE_CHART, admin_url( 'admin-ajax.php' ) ),
+			'buildurl'   => esc_url( add_query_arg( 'action', Visualizer_Plugin::ACTION_CREATE_CHART, admin_url( 'admin-ajax.php' ) ) ),
 		);
 
 		return $strings;
@@ -988,24 +988,28 @@ public function renderLibraryPage() {
 				'map_api_key' => get_option( 'visualizer-map-api-key' ),
 				'charts' => $charts,
 				'urls'   => array(
-					'base'   => add_query_arg( array( 'vpage' => false, 'vaction' => false ) ),
-					'create' => add_query_arg(
-						array(
-							'action'  => Visualizer_Plugin::ACTION_CREATE_CHART,
-							'library' => 'yes',
-							'type'      => isset( $_GET['type'] ) ? $_GET['type'] : '',
-							'chart-library'      => isset( $_GET['chart-library'] ) ? $_GET['chart-library'] : '',
-							'vaction' => false,
-						),
-						$ajaxurl
+					'base'   => esc_url( add_query_arg( array( 'vpage' => false, 'vaction' => false ) ) ),
+					'create' => esc_url(
+						add_query_arg(
+							array(
+								'action'  => Visualizer_Plugin::ACTION_CREATE_CHART,
+								'library' => 'yes',
+								'type'      => isset( $_GET['type'] ) ? $_GET['type'] : '',
+								'chart-library'      => isset( $_GET['chart-library'] ) ? $_GET['chart-library'] : '',
+								'vaction' => false,
+							),
+							$ajaxurl
+						)
 					),
-					'edit'   => add_query_arg(
-						array(
-							'action'  => Visualizer_Plugin::ACTION_EDIT_CHART,
-							'library' => 'yes',
-							'vaction' => false,
-						),
-						$ajaxurl
+					'edit'   => esc_url(
+						add_query_arg(
+							array(
+								'action'  => Visualizer_Plugin::ACTION_EDIT_CHART,
+								'library' => 'yes',
+								'vaction' => false,
+							),
+							$ajaxurl
+						)
 					),
 				),
 				'page_type' => 'library',
@@ -1024,7 +1028,7 @@ public function renderLibraryPage() {
 		$render->custom_css     = $css;
 		$render->pagination = paginate_links(
 			array(
-				'base'    => add_query_arg( array( 'vpage' => '%#%', 'vaction' => false ) ),
+				'base'    => esc_url( add_query_arg( array( 'vpage' => '%#%', 'vaction' => false ) ) ),
 				'format'  => '',
 				'current' => $page,
 				'total'   => $query->max_num_pages,

classes/Visualizer/Module/Chart.php

@@ -526,7 +526,7 @@ public function renderChartPages() {
 				);
 				do_action( 'visualizer_pro_new_chart_defaults', $chart_id );
 			}
-			wp_redirect( add_query_arg( 'chart', (int) $chart_id ) );
+			wp_redirect( esc_url_raw( add_query_arg( 'chart', (int) $chart_id ) ) );
 
 			if ( defined( 'WP_TESTS_DOMAIN' ) ) {
 				wp_die();
@@ -891,7 +891,7 @@ private function _handleTypesPage() {
 
 				// redirect to next tab
 				// changed by Ash/Upwork
-				wp_redirect( add_query_arg( 'tab', 'settings' ) );
+				wp_redirect( esc_url_raw( add_query_arg( 'tab', 'settings' ) ) );
 
 				return;
 			}
@@ -1226,13 +1226,15 @@ public function cloneChart() {
 						add_post_meta( $new_chart_id, $key, maybe_unserialize( $value[0] ) );
 					}
 				}
-				$redirect = add_query_arg(
-					array(
-						'page' => 'visualizer',
-						'type' => filter_input( INPUT_GET, 'type' ),
-						'vaction' => false,
-					),
-					admin_url( 'admin.php' )
+				$redirect = esc_url(
+					add_query_arg(
+						array(
+							'page' => 'visualizer',
+							'type' => filter_input( INPUT_GET, 'type' ),
+							'vaction' => false,
+						),
+						admin_url( 'admin.php' )
+					)
 				);
 			}
 		}

classes/Visualizer/Module/Setup.php

@@ -251,7 +251,7 @@ public function adminInit() {
 			delete_option( 'visualizer-activated' );
 			if ( ! headers_sent() ) {
 				$page_name = Visualizer_Module::numberOfCharts() > 0 ? Visualizer_Plugin::NAME : 'viz-support';
-				wp_redirect( add_query_arg( 'page', $page_name, admin_url( 'admin.php' ) ) );
+				wp_redirect( esc_url_raw( add_query_arg( 'page', $page_name, admin_url( 'admin.php' ) ) ) );
 				exit();
 			}
 		}

classes/Visualizer/Render/Layout.php

@@ -128,13 +128,15 @@ public static function _renderDbWizardResults( $args ) {
 	 */
 	public static function _renderJsonScreen( $args ) {
 		$id      = $args[1];
-		$action = add_query_arg(
-			array(
-				'action' => Visualizer_Plugin::ACTION_JSON_SET_DATA,
-				'security'  => wp_create_nonce( Visualizer_Plugin::ACTION_JSON_SET_DATA . Visualizer_Plugin::VERSION ),
-				'chart'  => $id,
-			),
-			admin_url( 'admin-ajax.php' )
+		$action = esc_url(
+			add_query_arg(
+				array(
+					'action' => Visualizer_Plugin::ACTION_JSON_SET_DATA,
+					'security'  => wp_create_nonce( Visualizer_Plugin::ACTION_JSON_SET_DATA . Visualizer_Plugin::VERSION ),
+					'chart'  => $id,
+				),
+				admin_url( 'admin-ajax.php' )
+			)
 		);
 
 		$url = get_post_meta( $id, Visualizer_Plugin::CF_JSON_URL, true );
@@ -306,13 +308,15 @@ class="visualizer-input json-form-element">
 	 */
 	public static function _renderSimpleEditorScreen( $args ) {
 		$chart_id   = $args[1];
-		$action = add_query_arg(
-			array(
-				'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
-				'nonce'  => wp_create_nonce(),
-				'chart'  => $chart_id,
-			),
-			admin_url( 'admin-ajax.php' )
+		$action = esc_url(
+			add_query_arg(
+				array(
+					'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
+					'nonce'  => wp_create_nonce(),
+					'chart'  => $chart_id,
+				),
+				admin_url( 'admin-ajax.php' )
+			)
 		);
 		?>
 			<div class="viz-simple-editor">
@@ -582,13 +586,13 @@ public static function _renderTabAdvanced( $args ) {
 				<li class="viz-group open" id="vz-chart-settings">
 					<ul class="viz-group-content">
 						<ul class="viz-group-wrapper">
-						<form id="settings-form" action="<?php echo add_query_arg( 'nonce', wp_create_nonce() ); ?>" method="post">
+						<form id="settings-form" action="<?php echo esc_url( add_query_arg( 'nonce', wp_create_nonce() ) ); ?>" method="post">
 							<input type="hidden" id="chart-img" name="chart-img">
 							<?php echo $sidebar; ?>
 							<?php self::_renderPermissions( $args ); ?>
 							<input type="hidden" name="save" value="1">
 						</form>
-						<form id="cancel-form" action="<?php echo add_query_arg( 'nonce', wp_create_nonce() ); ?>" method="post">
+						<form id="cancel-form" action="<?php echo esc_url( add_query_arg( 'nonce', wp_create_nonce() ) ); ?>" method="post">
 							<input type="hidden" name="cancel" value="1">
 						</form>
 						</ul>
@@ -654,13 +658,15 @@ public static function _renderTabHelp( $args ) {
 	public static function _renderTabBasic( $args ) {
 		$chart_id = $args[1];
 
-		$upload_link = add_query_arg(
-			array(
-				'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
-				'nonce'  => wp_create_nonce(),
-				'chart'  => $chart_id,
-			),
-			admin_url( 'admin-ajax.php' )
+		$upload_link = esc_url(
+			add_query_arg(
+				array(
+					'action' => Visualizer_Plugin::ACTION_UPLOAD_DATA,
+					'nonce'  => wp_create_nonce(),
+					'chart'  => $chart_id,
+				),
+				admin_url( 'admin-ajax.php' )
+			)
 		);
 
 		// this will allow us to open the correct source tab by default.
@@ -815,12 +821,14 @@ class="dashicons dashicons-lock"></span></h2>
 										<form>
 											<select name="vz-import-from-chart" id="chart-id" class="visualizer-select">
 												<?php
-												$fetch_link        = add_query_arg(
-													array(
-														'action' => Visualizer_Module::is_pro() ? Visualizer_Pro::ACTION_FETCH_DATA : '',
-														'nonce'  => wp_create_nonce(),
-													),
-													admin_url( 'admin-ajax.php' )
+												$fetch_link        = esc_url(
+													add_query_arg(
+														array(
+															'action' => Visualizer_Module::is_pro() ? Visualizer_Pro::ACTION_FETCH_DATA : '',
+															'nonce'  => wp_create_nonce(),
+														),
+														admin_url( 'admin-ajax.php' )
+													)
 												);
 												$query_args_charts = array(
 													'post_type'      => Visualizer_Plugin::CPT_VISUALIZER,
@@ -862,12 +870,14 @@ class="dashicons dashicons-lock"></span></h2>
 							</li>
 
 							<?php
-								$save_filter = add_query_arg(
-									array(
-										'action' => Visualizer_Plugin::ACTION_SAVE_FILTER_QUERY,
-										'security'  => wp_create_nonce( Visualizer_Plugin::ACTION_SAVE_FILTER_QUERY . Visualizer_Plugin::VERSION ),
-										'chart'  => $chart_id,
-									), admin_url( 'admin-ajax.php' )
+								$save_filter = esc_url(
+									add_query_arg(
+										array(
+											'action' => Visualizer_Plugin::ACTION_SAVE_FILTER_QUERY,
+											'security'  => wp_create_nonce( Visualizer_Plugin::ACTION_SAVE_FILTER_QUERY . Visualizer_Plugin::VERSION ),
+											'chart'  => $chart_id,
+										), admin_url( 'admin-ajax.php' )
+									)
 								);
 							?>
 							<!-- import from WordPress -->
@@ -911,12 +921,14 @@ class="dashicons dashicons-lock"></span></h2>
 							</li>
 
 							<?php
-								$save_query = add_query_arg(
-									array(
-										'action' => Visualizer_Plugin::ACTION_SAVE_DB_QUERY,
-										'security'  => wp_create_nonce( Visualizer_Plugin::ACTION_SAVE_DB_QUERY . Visualizer_Plugin::VERSION ),
-										'chart'  => $chart_id,
-									), admin_url( 'admin-ajax.php' )
+								$save_query = esc_url(
+									add_query_arg(
+										array(
+											'action' => Visualizer_Plugin::ACTION_SAVE_DB_QUERY,
+											'security'  => wp_create_nonce( Visualizer_Plugin::ACTION_SAVE_DB_QUERY . Visualizer_Plugin::VERSION ),
+											'chart'  => $chart_id,
+										), admin_url( 'admin-ajax.php' )
+									)
 								);
 							?>
 							<!-- import from db -->

classes/Visualizer/Render/Library.php

@@ -297,30 +297,36 @@ private function _renderChartBox( $placeholder_id, $chart_id ) {
 		}
 
 		$ajax_url    = admin_url( 'admin-ajax.php' );
-		$delete_url  = add_query_arg(
-			array(
-				'action' => Visualizer_Plugin::ACTION_DELETE_CHART,
-				'nonce'  => wp_create_nonce(),
-				'chart'  => $chart_id,
-			),
-			$ajax_url
+		$delete_url  = esc_url(
+			add_query_arg(
+				array(
+					'action' => Visualizer_Plugin::ACTION_DELETE_CHART,
+					'nonce'  => wp_create_nonce(),
+					'chart'  => $chart_id,
+				),
+				$ajax_url
+			)
 		);
-		$clone_url   = add_query_arg(
-			array(
-				'action' => Visualizer_Plugin::ACTION_CLONE_CHART,
-				'nonce'  => wp_create_nonce( Visualizer_Plugin::ACTION_CLONE_CHART ),
-				'chart'  => $chart_id,
-				'type'   => $this->type,
-			),
-			$ajax_url
+		$clone_url   = esc_url(
+			add_query_arg(
+				array(
+					'action' => Visualizer_Plugin::ACTION_CLONE_CHART,
+					'nonce'  => wp_create_nonce( Visualizer_Plugin::ACTION_CLONE_CHART ),
+					'chart'  => $chart_id,
+					'type'   => $this->type,
+				),
+				$ajax_url
+			)
 		);
-		$export_link = add_query_arg(
-			array(
-				'action'   => Visualizer_Plugin::ACTION_EXPORT_DATA,
-				'chart'    => $chart_id,
-				'security' => wp_create_nonce( Visualizer_Plugin::ACTION_EXPORT_DATA . Visualizer_Plugin::VERSION ),
-			),
-			admin_url( 'admin-ajax.php' )
+		$export_link = esc_url(
+			add_query_arg(
+				array(
+					'action'   => Visualizer_Plugin::ACTION_EXPORT_DATA,
+					'chart'    => $chart_id,
+					'security' => wp_create_nonce( Visualizer_Plugin::ACTION_EXPORT_DATA . Visualizer_Plugin::VERSION ),
+				),
+				admin_url( 'admin-ajax.php' )
+			)
 		);
 
 		$chart_status   = array( 'date' => get_the_modified_date( get_option( 'date_format' ) . ' ' . get_option( 'time_format' ), $chart_id ), 'error' => get_post_meta( $chart_id, Visualizer_Plugin::CF_ERROR, true ), 'icon' => 'dashicons-yes-alt', 'title' => 'A-OK!' );

classes/Visualizer/Render/Page/Data.php

@@ -107,7 +107,7 @@ protected function _renderToolbar() {
 		// NOTE: We can't be selective on the post_status here because when a new chart reaches the settings screen, its status changes to publish.
 		if ( ! VISUALIZER_SKIP_CHART_TYPE_PAGE ) {
 			echo '<div class="toolbar-div">';
-			echo '<a class="button button-large" href="', add_query_arg( 'tab', 'types' ), '">';
+			echo '<a class="button button-large" href="', esc_url( add_query_arg( 'tab', 'types' ) ), '">';
 			esc_html_e( 'Back', 'visualizer' );
 			echo '</a>';
 			echo '</div>';

classes/Visualizer/Render/Page/Settings.php

@@ -51,7 +51,7 @@ protected function _renderContent() {
 	 * @access protected
 	 */
 	protected function _renderToolbar() {
-		echo '<a class="button button-large" href="', add_query_arg( 'tab', 'data' ), '">';
+		echo '<a class="button button-large" href="', esc_url( add_query_arg( 'tab', 'data' ) ), '">';
 			esc_html_e( 'Back', 'visualizer' );
 		echo '</a>';
 		echo '<input type="submit" class="button button-primary button-large push-right" value="', $this->button, '">';
@@ -65,7 +65,7 @@ protected function _renderToolbar() {
 	 * @access protected
 	 */
 	protected function _toHTML() {
-		echo '<form id="settings-form" action="', add_query_arg( 'nonce', wp_create_nonce() ), '" method="post">';
+		echo '<form id="settings-form" action="', esc_url( add_query_arg( 'nonce', wp_create_nonce() ) ), '" method="post">';
 			parent::_toHTML();
 		echo '</form>';
 	}

composer.json

@@ -41,6 +41,9 @@
     "optimize-autoloader": true,
     "platform": {
       "php": "5.6"
+    },
+    "allow-plugins": {
+      "dealerdirect/phpcodesniffer-composer-installer": true
     }
   },
   "require-dev": {