
Commit 3eb2025

committed
Security hardening: nonce updates, sanitization, and version bump to 2.3.1
1 parent 9f1b767 commit 3eb2025


6 files changed

+77
-21
lines changed


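--- a/inc/meta.php
+++ b/inc/meta.php
@@ -4,10 +4,15 @@
 *
 * @package Header and Footer Scripts
 * @author Anand Kumar <anand@anandkumar.net>
-* @copyright Copyright (c) 2013 - 2025, Anand Kumar
+* @copyright Copyright (c) 2013 - 2026, Anand Kumar
 * @link https://github.com/anandkumar/header-and-footer-scripts
 * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
-*/?>
+*
+*/
+
+if (! defined('ABSPATH') ) {
+exit;
+}?>
 <div class="shfs_meta_control">
 
 <p><?php esc_html_e('The script in the following textbox will be inserted to the &lt;head&gt; section', 'header-and-footer-scripts'); ?>.</p>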

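--- a/inc/options.php
+++ b/inc/options.php
@@ -4,10 +4,14 @@
 *
 * @package Header and Footer Scripts
 * @author Anand Kumar <anand@anandkumar.net>
-* @copyright Copyright (c) 2013 - 2025, Anand Kumar
+* @copyright Copyright (c) 2013 - 2026, Anand Kumar
 * @link https://github.com/anandkumar/header-and-footer-scripts
 * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
-*/?>
+*/
+
+if (! defined('ABSPATH') ) {
+exit;
+}?>
 <div class="wrap">
 <h2><?php esc_html_e( 'Header and Footer Scripts - Options', 'header-and-footer-scripts'); ?> <a class="add-new-h2" target="_blank" href="<?php echo esc_url( "https://digitalliberation.org/docs/header-and-footer-scripts/?utm_source=wpdash_hfs" ); ?>"><?php esc_html_e( 'Read Tutorial', 'header-and-footer-scripts'); ?></a></h2>
 
@@ -30,6 +34,7 @@
 </select>
 </p>
 <p class="description"><?php esc_html_e( 'Select the minimum capability required to add scripts to posts using the meta box.', 'header-and-footer-scripts'); ?></p>
+<p class="description" style="color: #ea580c; font-weight: bold;"><?php esc_html_e( 'Caution: Giving access to non-admins allows them to execute arbitrary JavaScript on your site.', 'header-and-footer-scripts'); ?></p>
 <hr />
 
 <h3 class="shfs-labels" for="shfs_insert_header"><?php esc_html_e( 'Scripts in header:', 'header-and-footer-scripts'); ?></h3>
@@ -43,7 +48,7 @@
 <p><?php esc_html_e( 'The following script, if any, will be inserted before &lt;/body&gt; tag using wp_footer hook.', 'header-and-footer-scripts'); ?></p>
 <textarea style="width:98%;font-family:monospace;" rows="10" cols="57" id="shfs_insert_footer" name="shfs_insert_footer"><?php echo esc_html( get_option( 'shfs_insert_footer' ) ); ?></textarea>
 
-<p><label for="shfs_insert_footer_priority"><?php _e('Priority'); ?></label>
+<p><label for="shfs_insert_footer_priority"><?php esc_html_e('Priority', 'header-and-footer-scripts'); ?></label>
 <input type="number" value="<?php echo \esc_html( \get_option( 'shfs_insert_footer_priority', 10 ) ); ?>" name="shfs_insert_footer_priority" id="shfs_insert_footer_priority" style="width:6em;" /> <?php \esc_html_e('Default', 'header-and-footer-scripts'); ?>: 10</p>
 
 <p class="submit">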

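--- a/inc/sidebar.php
+++ b/inc/sidebar.php
@@ -4,10 +4,14 @@
 *
 * @package Header and Footer Scripts
 * @author Anand Kumar <anand@anandkumar.net>
-* @copyright Copyright (c) 2013 - 2025, Anand Kumar
+* @copyright Copyright (c) 2013 - 2026, Anand Kumar
 * @link https://github.com/anandkumar/header-and-footer-scripts
 * @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
-*/?>
+*/
+
+if (! defined('ABSPATH') ) {
+exit;
+}?>
 <div id="postbox-container-1" class="postbox-container">
 
 <div class="postbox">
@@ -30,15 +34,15 @@
 <h3 class="hndle"><?php esc_html_e( 'Rate 5 Stars', 'header-and-footer-scripts'); ?></h3>
 <div class="inside">
 <p><?php esc_html_e( 'Find this plugin useful rate it 5 stars and leave a nice little comment at wordpress.org. I would really appreciate that.', 'header-and-footer-scripts'); ?></p>
-<p><a href="<?php echo esc_url( "https://wordpress.org/support/plugin/header-and-footer-scripts/reviews/?filter=5#new-post" ); ?>" class="button"><?php esc_html_e( 'Rate 5 Stars', 'header-and-footer-scripts'); ?></a></p>
+<p><a href="<?php echo esc_url( "https://wordpress.org/support/plugin/header-and-footer-scripts/reviews/" ); ?>" class="button"><?php esc_html_e( 'Rate 5 Stars', 'header-and-footer-scripts'); ?></a></p>
 </div>
 </div>
 
 <div class="postbox">
 <h3 class="hndle"><?php esc_html_e( 'Join Our Community', 'header-and-footer-scripts'); ?></h3>
 <div class="inside">
 <p><?php esc_html_e( 'We are small WordPress community who welcomes you to join us. Here you will find and share more plugins and themes or even ideas. Ideas are not limited to WordPress. It could be vague or liberal. This is why we are "Digital Liberation .ORG', 'header-and-footer-scripts'); ?></p>
-<p><a href="<?php echo esc_url( "https://github.com/anandkumar/header-and-footer-scripts" ); ?>" class="button"><?php esc_html_e( 'Join Digital Liberation', 'header-and-footer-scripts'); ?></a></p>
+<p><a href="<?php echo esc_url( "https://github.com/anandkumar/header-and-footer-scripts/discussions" ); ?>" class="button"><?php esc_html_e( 'Join Discussions', 'header-and-footer-scripts'); ?></a></p>
 </div>
 </div>
 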

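--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Donate link: https://github.com/anandkumar/header-and-footer-scripts
 Tags: head, header, footer, scripts, post
 Requires at least: 4.6
 Tested up to: 6.9
-Stable tag: 2.3.0
+Stable tag: 2.3.1
 Requires PHP: 8.3
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -75,6 +75,16 @@ A. Nope, There is none. If you need more feature send us feedback or feature req
 
 == Changelog ==
 
+= 2.3.1 =
+* Security: Hardened nonce implementation with static action names.
+* Security: Added strict sanitization for access level settings.
+* Security: Improved input validation with isset() checks and wp_unslash().
+* Security: Replaced __FILE__ menu slug to prevent path exposure.
+* Security: Added security warning for privilege delegation.
+* New: Added uninstall.php for clean database removal.
+* Fix: Added proper ABSPATH checks to all files.
+* Improvement: Added phpcs:ignore comments for intentional raw output.
+
 = 2.3.0 =
 * Fix: Stored Cross-Site Scripting (XSS) vulnerability.
 * New Feature: Add minimum capability required to add scripts to posts.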

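--- a/shfs.php
+++ b/shfs.php
@@ -3,7 +3,7 @@
 * Plugin Name: Header and Footer Scripts
 * Plugin URI: https://github.com/anandkumar/header-and-footer-scripts
 * Description: Essential WordPress plugin for almost every website to insert codes like Javascript and CSS. Inserting script to your wp_head and wp_footer made easy.
-* Version: 2.3.0
+* Version: 2.3.1
 * Author: Anand Kumar
 * Author URI: http://www.anandkumar.net
 * Text Domain: header-and-footer-scripts
@@ -29,6 +29,10 @@
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */
 
+if (! defined('ABSPATH') ) {
+exit;
+}
+
 define('SHFS_PLUGIN_DIR',str_replace('\\','/',dirname(__FILE__)));
 
 if ( !class_exists( 'HeaderAndFooterScripts' ) ) {
@@ -57,7 +61,7 @@ function admin_init() {
 register_setting( 'header-and-footer-scripts', 'shfs_insert_footer', 'trim' );
 register_setting( 'header-and-footer-scripts', 'shfs_insert_header_priority', 'intval' );
 register_setting( 'header-and-footer-scripts', 'shfs_insert_footer_priority', 'intval' );
-register_setting( 'header-and-footer-scripts', 'shfs_script_access_level' );
+register_setting( 'header-and-footer-scripts', 'shfs_script_access_level', array( &$this, 'sanitize_access_level' ) );
 
 
 // add meta box to all post types
@@ -71,20 +75,19 @@ function admin_init() {
 add_action('save_post','shfs_post_meta_save');
 }
 
-// adds menu item to wordpress admin dashboard
 function admin_menu() {
-$page = add_submenu_page( 'options-general.php', esc_html__('Header and Footer Scripts', 'header-and-footer-scripts'), esc_html__('Header and Footer Scripts', 'header-and-footer-scripts'), 'manage_options', __FILE__, array( &$this, 'shfs_options_panel' ) );
+$page = add_submenu_page( 'options-general.php', esc_html__('Header and Footer Scripts', 'header-and-footer-scripts'), esc_html__('Header and Footer Scripts', 'header-and-footer-scripts'), 'manage_options', 'header-and-footer-scripts', array( &$this, 'shfs_options_panel' ) );
 }
 
 function wp_head() {
 $meta = get_option( 'shfs_insert_header', '' );
 if ( $meta != '' ) {
-echo $meta, "\n";
+echo $meta, "\n"; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 
 $shfs_post_meta = get_post_meta( get_the_ID(), '_inpost_head_script' , TRUE );
 if ( is_singular() && $shfs_post_meta != '' ) {
-echo $shfs_post_meta['synth_header_script'], "\n";
+echo $shfs_post_meta['synth_header_script'], "\n"; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 
 }
@@ -96,7 +99,7 @@ function wp_footer() {
 $text = do_shortcode( $text );
 
 if ( $text != '' ) {
-echo $text, "\n";
+echo $text, "\n"; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 }
 }
@@ -105,6 +108,14 @@ function shfs_options_panel() {
 // Load options page
 require_once(SHFS_PLUGIN_DIR . '/inc/options.php');
 }
+
+function sanitize_access_level( $input ) {
+$valid_levels = array( 'manage_options', 'edit_others_posts', 'publish_posts' );
+if ( in_array( $input, $valid_levels ) ) {
+return $input;
+}
+return 'manage_options';
+}
 }
 
 function shfs_meta_setup() {
@@ -118,18 +129,18 @@ function shfs_meta_setup() {
 include_once(SHFS_PLUGIN_DIR . '/inc/meta.php');
 
 // create a custom nonce for submit verification later
-echo '<input type="hidden" name="shfs_post_meta_noncename" value="' . wp_create_nonce(__FILE__) . '" />';
+echo '<input type="hidden" name="shfs_post_meta_noncename" value="' . esc_attr( wp_create_nonce('shfs_post_meta_save') ) . '" />';
 }
 
 function shfs_post_meta_save($post_id) {
 // authentication checks
 
 // make sure data came from our meta box
 if ( ! isset( $_POST['shfs_post_meta_noncename'] )
-|| !wp_verify_nonce($_POST['shfs_post_meta_noncename'],__FILE__)) return $post_id;
+|| !wp_verify_nonce( sanitize_key( $_POST['shfs_post_meta_noncename'] ),'shfs_post_meta_save')) return $post_id;
 
 // check user permissions
-if ( $_POST['post_type'] == 'page' ) {
+if ( isset( $_POST['post_type'] ) && 'page' === $_POST['post_type'] ) {
 
 if (!current_user_can('edit_page', $post_id))
 return $post_id;
@@ -149,7 +160,7 @@ function shfs_post_meta_save($post_id) {
 
 $current_data = get_post_meta($post_id, '_inpost_head_script', TRUE);
 
-$new_data = $_POST['_inpost_head_script'];
+$new_data = isset( $_POST['_inpost_head_script'] ) ? wp_unslash( $_POST['_inpost_head_script'] ) : null; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 
 shfs_post_meta_clean($new_data);
 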

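--- /dev/null
+++ b/uninstall.php
@@ -0,0 +1,21 @@
+<?php
+/**
+* Fired when the plugin is being uninstalled.
+*
+* @package Header and Footer Scripts
+* @author Anand Kumar <anand@anandkumar.net>
+* @copyright Copyright (c) 2013 - 2026, Anand Kumar
+* @link https://github.com/anandkumar/header-and-footer-scripts
+* @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+*/
+
+// If uninstall not called from WordPress, then exit.
+if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
+exit;
+}
+
+delete_option( 'shfs_insert_header' );
+delete_option( 'shfs_insert_footer' );
+delete_option( 'shfs_insert_header_priority' );
+delete_option( 'shfs_insert_footer_priority' );
+delete_option( 'shfs_script_access_level' );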
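Review bot: The uninstall routine removes the five `shfs_*` options but leaves the per-post `_inpost_head_script` meta that the plugin reads in `wp_head` and `shfs_post_meta_save`, so stored script survives uninstallation and the "clean database removal" in the changelog is not quite achieved. Adding `delete_post_meta_by_key( '_inpost_head_script' );` after the `delete_option` calls would clear it. On multisite these options are per-site, so this file only cleans the site the uninstall runs on; whether network-wide cleanup is intended is worth stating in the header comment.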
