Security improvements

deckerweb · deckerweb · commit 4bb44208693a · 2016-08-19T22:48:53.000+02:00
- security improvements &amp; refinements
- Readme update
- further polishing
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,3 +1,10 @@
+#### Version 2016-08-19
+
+* Updated Readme file
+* Updated .pot file plus German translations
+* Improved security and polishing of plugin
+
+
 #### Version 2016-08-12
 
 * Added Shortcut for German date format to get output `d.m.Y` like `12.08.2016` (Usage: `date_format="de"`)
@@ -23,4 +30,4 @@
 
 #### Version 2015-05-25
 
-* Initial release on GitHub
+* Initial release on GitHub
diff --git a/README.md b/README.md
@@ -2,14 +2,14 @@
 
 * Contributors: [David Decker](https://github.com/deckerweb), [contributors](https://github.com/deckerweb/shortcode-item-updated/graphs/contributors)
 * Tags: shortcode, updated, last updated, date, time, item, post type, custom post types, post, element
-* Requires at least: 3.6
+* Requires at least: 3.6.0
 * Tested up to: 4.6.x
 * Stable tag: master
-* Donate link: http://ddwb.me/9s
+* Donate link: [http://ddwb.me/9s](http://ddwb.me/9s)
 * License: GPL-2.0+
-* License URI: http://www.opensource.org/licenses/gpl-license.php
+* License URI: [http://www.opensource.org/licenses/gpl-license.php](http://www.opensource.org/licenses/gpl-license.php)
 
-Shortcode for showing the last updated date (and/or time) of an item of a post type.
+Flexible Shortcode for showing the last updated date (and/or time) of an item of a post type.
 
 
 ## Description:
@@ -19,6 +19,16 @@ Very useful to output the updated date of a custom post type item on a regular p
 *Backstory:* I needed something like that for a client project to display the last updated date/time of a download post type on a regular content page. Since I knew, I would need the same functionality for an other existing site and maybe in future too, I just build it into a "general plugin" rather than a simple code snippet...! There were no existing plugins/solutions out there (at least I didn't found them yet...) that fitted my needs so I had to build it myself...
 
 
+## Features:
+
+* Can be used in post/ page content (also post types), text widgets and also for page builder plugins etc.
+* Supports date/ time format from WordPress settings by default
+* Genesis Framework: easily use this in various footer/ simple edit plugins (don't forget post ID) or with the awesome Blox free/pro plugin and similar - it's that easy!
+* Developer friendly: customize or extend via filters, styles and styling-friendly CSS classes
+* Fully internationalized and translateable! -- German translations already packaged!
+* Developed with security in mind: proper WordPress coding standards and security functions - escape all the things! :)
+
+
 ## Plugin Installation:
 
 **Manual Upload**
@@ -37,6 +47,7 @@ Very useful to output the updated date of a custom post type item on a regular p
 **Updates**
 * Are done via the plugin "GitHub Updater" (see above) - leveraging the default WordPress update system!
 * Setting your GitHub API Token is recommended! :)
+* It's so easy and seamless you won't find any better solution for this ;-)
 
 
 ## Usage - Examples:
@@ -117,7 +128,6 @@ Will show only date (as set in WordPress Settings > General) for the item of a p
 * Used textdomain: `shortcode-item-updated`
 * Default `.pot` file included
 * German translations included (`de_DE`)
-* Currently translateable are the plugin title, plugin description, label before string and the separator string
 * Plugin's own path for translations: `wp-content/plugins/shortcode-item-updated/languages/shortcode-item-updated-de_DE.mo`
 * *Recommended:* Global WordPress lang dir path for translations: `wp-content/languages/plugins/shortcode-item-updated-de_DE.mo` ---> *NOTE: if this file/path exists it will be loaded at higher priority than the plugin path! This is the recommended path & way to store your translations as it is update-safe and allows for custom translations!*
 * Recommended translation tools: *Poedit Pro v1.8+* or *WordPress Plugin "Loco Translate"* or *your IDE/ Code Editor* or *old WordPress "Codestyling Localization"* (for the brave who know what they are doing :) )
@@ -127,4 +137,4 @@ Will show only date (as set in WordPress Settings > General) for the item of a p
 
 See plugin file [CHANGES.md here](https://github.com/deckerweb/shortcode-item-updated/blob/master/CHANGES.md)
 
-Copyright (c) 2015-2016 David Decker - DECKERWEB.de
+Copyright (c) 2015-2016 David Decker - DECKERWEB.de
diff --git a/shortcode-item-updated.php b/shortcode-item-updated.php
@@ -11,7 +11,7 @@
  * Plugin Name:       Shortcode Item Updated
  * Plugin URI:        https://github.com/deckerweb/shortcode-item-updated
  * Description:       Shortcode for showing the last updated date (and/or time) of an item of a post type.
- * Version:           2016.08.12
+ * Version:           2016.08.19
  * Author:            David Decker - DECKERWEB
  * Author URI:        http://deckerweb.de/
  * License:           GPL-2.0+
@@ -24,7 +24,7 @@
  * Copyright (c) 2015-2016 David Decker - DECKERWEB
  */
 
-/*
+/**
  * Exit if called directly.
  */
 if ( ! defined( 'WPINC' ) ) {
@@ -35,7 +35,7 @@
 add_action( 'init', 'ddw_siu_load_translations', 1 );
 /**
  * Load the text domain for translation of the plugin.
- * 
+ *
  * @since 2015.05.26
  *
  * @uses  load_textdomain()	To load translations first from WP_LANG_DIR sub folder.
@@ -71,6 +71,32 @@ function ddw_siu_load_translations() {
 }  // end function
 
 
+/**
+ * Data validation function to only allow values "yes" and "no".
+ *
+ * @since  2016.08.16
+ *
+ * @param  string $param
+ *
+ * @return string Validated and escaped string.
+ */
+function ddw_siu_yes_no( $param = '' ) {
+
+	$param = strtolower( esc_attr( $param ) );
+
+	if ( 'yes' === $param ) {
+
+		return $param;
+
+	} else {
+
+		return 'no';
+
+	}  // end if
+
+}  // end function
+
+
 add_shortcode( 'siu-item-updated', 'ddw_siu_item_updated' );
 /**
  * Shortcode for showing the last updated date (and/or time) of an item of a post type.
@@ -79,6 +105,7 @@ function ddw_siu_load_translations() {
  * @since  2015.05.25
  *
  * @uses   shortcode_atts()
+ * @uses   ddw_siu_yes_no()
  *
  * @param  array $atts
  *
@@ -138,18 +165,18 @@ function ddw_siu_item_updated( $atts ) {
 	/** Prepare time display */
 	$time_display = sprintf(
 		'%1$s%2$s%3$s',
-		( 'yes' == esc_attr( $atts[ 'show_sep' ] ) ) ? esc_attr( $atts[ 'sep' ] ) : '',
-		( 'yes' == esc_attr( $atts[ 'show_time' ] ) ) ? ' ' . $time_updated : '',
+		( 'yes' === ddw_siu_yes_no( $atts[ 'show_sep' ] ) ) ? esc_attr( $atts[ 'sep' ] ) : '',
+		( 'yes' === ddw_siu_yes_no( $atts[ 'show_time' ] ) ) ? ' ' . $time_updated : '',
 		! empty( $atts[ 'label_after' ] ) ? ' ' . esc_html__( $atts[ 'label_after' ] ) : ''
 	);
 
 	/** Prepare output */
 	$output = sprintf(
 		'<%1$s class="item-last-updated%2$s">%3$s%4$s%5$s</%1$s>',
-		esc_attr( $atts[ 'wrapper' ] ),
-		! empty( $atts[ 'class' ] ) ? ' ' . esc_attr( $atts[ 'class' ] ) : '',
-		( 'yes' == esc_attr( $atts[ 'show_label' ] ) ) ? esc_html__( $atts[ 'label_before' ] ) . ' ' : '',
-		( 'yes' == esc_attr( $atts[ 'show_date' ] ) ) ? $date_updated : '',
+		strtolower( sanitize_html_class( $atts[ 'wrapper' ] ) ),
+		! empty( $atts[ 'class' ] ) ? ' ' . sanitize_html_class( $atts[ 'class' ] ) : '',
+		( 'yes' === ddw_siu_yes_no( $atts[ 'show_label' ] ) ) ? esc_html__( $atts[ 'label_before' ] ) . ' ' : '',
+		( 'yes' === ddw_siu_yes_no( $atts[ 'show_date' ] ) ) ? $date_updated : '',
 		$time_display
 	);
 
@@ -189,6 +216,7 @@ function ddw_siu_prepare_shortcode_ui() {
 
 /**
  * Shortcode UI setup for Shortcake plugin (Shortcode UI).
+ * @link   https://wordpress.org/plugins/shortcode-ui/
  *
  * @since  2016.08.12
  *
@@ -228,17 +256,17 @@ function ddw_siu_register_shortcode_for_ui() {
 				'attr'    => 'show_date',
 				'type'    => 'select',
 				'options' => array(
-								'yes' => esc_html__( 'Yes', 'shortcode-item-updated' ),
-								'no'  => esc_html__( 'No', 'shortcode-item-updated' ),
+					'yes' => esc_html__( 'Yes', 'shortcode-item-updated' ),
+					'no'  => esc_html__( 'No', 'shortcode-item-updated' ),
 				),
 			),
 			array(
 				'label'   => esc_html__( 'Show time?', 'shortcode-item-updated' ),
 				'attr'    => 'show_time',
 				'type'    => 'select',
 				'options' => array(
-								'no'  => esc_html__( 'No', 'shortcode-item-updated' ),
-								'yes' => esc_html__( 'Yes', 'shortcode-item-updated' ),
+					'no'  => esc_html__( 'No', 'shortcode-item-updated' ),
+					'yes' => esc_html__( 'Yes', 'shortcode-item-updated' ),
 				),
 				'description' => esc_html__( 'Optional time of last update', 'shortcode-item-updated' ),
 			),
@@ -247,8 +275,8 @@ function ddw_siu_register_shortcode_for_ui() {
 				'attr'    => 'show_sep',
 				'type'    => 'select',
 				'options' => array(
-								'no'  => esc_html__( 'No', 'shortcode-item-updated' ),
-								'yes' => esc_html__( 'Yes', 'shortcode-item-updated' ),
+					'no'  => esc_html__( 'No', 'shortcode-item-updated' ),
+					'yes' => esc_html__( 'Yes', 'shortcode-item-updated' ),
 				),
 				'description' => esc_html__( 'Whether to show some string between date and time values', 'shortcode-item-updated' ),
 			),
@@ -269,8 +297,8 @@ function ddw_siu_register_shortcode_for_ui() {
 				'attr'     => 'show_label',
 				'type'    => 'select',
 				'options' => array(
-								'no'  => esc_html__( 'No', 'shortcode-item-updated' ),
-								'yes' => esc_html__( 'Yes', 'shortcode-item-updated' ),
+					'no'  => esc_html__( 'No', 'shortcode-item-updated' ),
+					'yes' => esc_html__( 'Yes', 'shortcode-item-updated' ),
 				),
 				'description' => esc_html__( 'Whether to show label before date', 'shortcode-item-updated' ),
 			),
@@ -314,9 +342,10 @@ function ddw_siu_register_shortcode_for_ui() {
 		),
 	);  // end array
 
+	/** Pass our Shortcode and UI args to Shortcake plugin - filterable */
 	shortcode_ui_register_for_shortcode(
 		'siu-item-updated',
 		apply_filters( 'siu_filter_shortcode_ui_args', $shortcode_ui_args )
 	);
 
-}  // end function
+}  // end function
