add nonce in forms, thanks Burak Kelebek for the report

Author: hunk

.htaccess

@@ -0,0 +1,9 @@
+<FilesMatch "^(mf_upload|phpThumb)\.php$">
+  <IfModule !mod_authz_core.c>
+	Order allow,deny
+	Allow from all
+  </IfModule>
+  <IfModule mod_authz_core.c>
+    Require all granted
+  </IfModule>
+</FilesMatch>

admin/mf_admin.php

@@ -260,7 +260,7 @@ public function get_custom_field_by_name($name_custom_field, $post_type){
     $field = $wpdb->get_row( $query, ARRAY_A);
     return $field;
   }
-  
+
   public function mf_resolve_linebreaks($data = NULL){
     $data = preg_replace(array("/\r\n/","/\r/","/\n/"),"\\n",$data);
     return $data;
@@ -375,7 +375,7 @@ public function import($file_path,$overwrite){
           $post_type['label']['name'] = $temp_name;
           $post_type['label']['menu_name'] = $temp_name;
         }
-        
+
         $post_type['core']['id'] = NULL;
 
         $this->new_posttype($post_type);
@@ -398,7 +398,7 @@ public function import($file_path,$overwrite){
           unset($tmp_group);
           $tmp_group['core'] = $group;
           $this->update_custom_group($tmp_group);
-          
+
           foreach($fields as $field){
             $tmp_field = $this->get_custom_field_by_name($field['name'],$name);
 
@@ -416,7 +416,7 @@ public function import($file_path,$overwrite){
               $tmp_field['option'] = unserialize( $field['options'] );
               $this->new_custom_field($tmp_field);
             }
-         
+
           }
 
         }else{
@@ -453,7 +453,7 @@ public function import($file_path,$overwrite){
     foreach($taxonomies as $taxonomy){
       if($overwrite){
         $t_type = $taxonomy['core']['type'];
-        
+
         $tmp_taxonomy = $this->get_custom_taxonomy_by_type($t_type);
 
         if($tmp_taxonomy){
@@ -468,9 +468,9 @@ public function import($file_path,$overwrite){
 
       }else{
         $t_type = $taxonomy['core']['type'];
-        
+
         $tmp_taxonomy = $this->get_custom_taxonomy_by_type($t_type);
-        
+
         if($tmp_taxonomy){
           $i = 2;
           $temp_name = $t_type . "_1";
@@ -490,7 +490,7 @@ public function import($file_path,$overwrite){
           $this->new_custom_taxonomy($taxonomy);
         }
       }
-      
+
     }
     /* end register custom taxonomies */
 
@@ -503,12 +503,47 @@ function escape_data(&$value){
     // quick fix for ' character
     /** @todo have a proper function escaping all these */
     if(is_string($value)){
+        $value = htmlspecialchars_decode($value);
+        $value = self::strip_html_tags($value);
+        $value = htmlentities($value);
         $value = stripslashes($value);
         $value = preg_replace('/\'/','´', $value);
         $value = addslashes($value);
+        pr($value);
     }
   }
 
+  public static function strip_html_tags( $text ) {
+    $text = preg_replace(
+        array(
+          // Remove invisible content
+            '@<head[^>]*?>.*?</head>@siu',
+            '@<style[^>]*?>.*?</style>@siu',
+            '@<script[^>]*?.*?</script>@siu',
+            '@<object[^>]*?.*?</object>@siu',
+            '@<embed[^>]*?.*?</embed>@siu',
+            '@<applet[^>]*?.*?</applet>@siu',
+            '@<noframes[^>]*?.*?</noframes>@siu',
+            '@<noscript[^>]*?.*?</noscript>@siu',
+            '@<noembed[^>]*?.*?</noembed>@siu',
+          // Add line breaks before and after blocks
+            '@</?((address)|(blockquote)|(center)|(del))@iu',
+            '@</?((div)|(h[1-9])|(ins)|(isindex)|(p)|(pre))@iu',
+            '@</?((dir)|(dl)|(dt)|(dd)|(li)|(menu)|(ol)|(ul))@iu',
+            '@</?((table)|(th)|(td)|(caption))@iu',
+            '@</?((form)|(button)|(fieldset)|(legend)|(input))@iu',
+            '@</?((label)|(select)|(optgroup)|(option)|(textarea))@iu',
+            '@</?((frameset)|(frame)|(iframe))@iu',
+        ),
+        array(
+            ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ',
+            "\n\$0", "\n\$0", "\n\$0", "\n\$0", "\n\$0", "\n\$0",
+            "\n\$0", "\n\$0",
+        ),
+        $text );
+    return strip_tags( $text );
+  }
+
   /* function save and update for post type */
 
   /**
@@ -545,7 +580,7 @@ public function update_post_type($data){
 
     // escape all the strings
     array_walk_recursive($data, array($this, 'escape_data'));
-		
+
     $sql = $wpdb->prepare(
       "Update " . MF_TABLE_POSTTYPES .
       " SET type = %s, name = %s, description = %s, arguments = %s " .
@@ -567,10 +602,10 @@ public function update_post_type($data){
    */
   public function new_custom_group($data){
     global $wpdb;
-    
+
     // escape all the strings
     array_walk_recursive($data, array($this, 'escape_data'));
-   
+
     $sql = $wpdb->prepare(
       "INSERT INTO ". MF_TABLE_CUSTOM_GROUPS .
       " (name, label, post_type, duplicated, expanded) ".
@@ -582,7 +617,7 @@ public function new_custom_group($data){
       1
     );
     $wpdb->query($sql);
-    
+
     $postTypeId = $wpdb->insert_id;
     return $postTypeId;
   }
@@ -596,7 +631,7 @@ public function update_custom_group($data){
     //ToDo: falta sanitizar variables
     // podriamos crear un mettodo para hacerlo
     // la funcion podria pasarle como primer parametro los datos y como segundo un array con los campos que se va a sanitizar o si se quiere remplazar espacios por _ o quitar caracteres extraños
-    
+
     // escape all the strings
     array_walk_recursive($data, array($this, 'escape_data'));
 
@@ -610,7 +645,7 @@ public function update_custom_group($data){
       1,
       $data['core']['id']
     );
-    
+
     $wpdb->query($sql);
   }
 
@@ -619,7 +654,7 @@ public function new_custom_field($data){
     global $wpdb;
 
     if( !isset($data['option']) ) $data['option'] = array();
-    
+
     // escape all the strings
     array_walk_recursive($data, array($this, 'escape_data'));
 
@@ -632,7 +667,7 @@ public function new_custom_field($data){
     $data['core']['name'] = str_replace(" ","_",$data['core']['name']);
 
     $sql = $wpdb->prepare(
-      "INSERT INTO ". MF_TABLE_CUSTOM_FIELDS . 
+      "INSERT INTO ". MF_TABLE_CUSTOM_FIELDS .
       " (name, label, description, post_type, custom_group_id, type, required_field, duplicated, options) ".
       " VALUES (%s, %s, %s, %s, %d, %s, %d, %d, %s)",
       $data['core']['name'],
@@ -656,7 +691,7 @@ public function update_custom_field($data){
     global $wpdb;
 
     if( !isset($data['option']) ) $data['option'] = array();
-    
+
     // escape all the strings
     array_walk_recursive($data, array($this, 'escape_data'));
 
@@ -669,7 +704,7 @@ public function update_custom_field($data){
     $data['core']['name'] = str_replace(" ","_",$data['core']['name']);
 
     $sql = $wpdb->prepare(
-     "UPDATE ". MF_TABLE_CUSTOM_FIELDS . 
+     "UPDATE ". MF_TABLE_CUSTOM_FIELDS .
      " SET name = %s, label = %s, description = %s, type = %s, required_field = %d, ".
      " duplicated = %d, options = %s ".
      " WHERE id = %d",
@@ -686,13 +721,13 @@ public function update_custom_field($data){
   }
 
   /* function for save and update custom taxonomies */
-  
+
   /**
    * Save a new custom taxonomy
    */
   public function new_custom_taxonomy($data){
     global $wpdb;
-    
+
     // escape all the strings
     array_walk_recursive($data, array($this, 'escape_data'));
 
@@ -708,7 +743,7 @@ public function new_custom_taxonomy($data){
       1
     );
 
-    $wpdb->query($sql); 
+    $wpdb->query($sql);
     $custom_taxonomy_id = $wpdb->insert_id;
     return $custom_taxonomy_id;
   }
@@ -718,7 +753,7 @@ public function new_custom_taxonomy($data){
    */
   public function update_custom_taxonomy($data){
     global $wpdb;
-    
+
     // escape all the strings
     array_walk_recursive($data, array($this, 'escape_data'));
 
@@ -737,7 +772,7 @@ public function update_custom_taxonomy($data){
   }
 
   public static function mf_unregister_post_type( $post_type ) {
-    /* Ideally we should just unset the post type from the array 
+    /* Ideally we should just unset the post type from the array
        but wordpress 3.2.1 this doesn't work */
 
     //global $wp_post_types;
@@ -746,8 +781,8 @@ public static function mf_unregister_post_type( $post_type ) {
     // return true;
     //}
 
-    /* So, we are only remove the item from the menu (this is not a 
-       real unregister post_type but for at least we not will see 
+    /* So, we are only remove the item from the menu (this is not a
+       real unregister post_type but for at least we not will see
        the post or page menu)
      */
     if( $post_type == "post" ) {

admin/mf_custom_fields.php

@@ -39,7 +39,7 @@ public function get_properties() {
   public function get_options($options = NULL,$name){
     global $mf_domain;
 
-        print '<div class="desc_field">';
+    print '<div class="desc_field">';
     printf('<p>%s</p>',$this->description);
     printf('<p>%s:</p>',__('Preview',$mf_domain));
     printf('<p><img src="%sfield_types/%s/preview.jpg" /></p>',MF_URL,$name);
@@ -53,7 +53,7 @@ public function get_options($options = NULL,$name){
           @$this->options['option'][$k]['value'] = $v;
         }
       }
-      $this->form_options();  
+      $this->form_options();
     }
 
 
@@ -94,11 +94,11 @@ function fields_list() {
     print '<h2>';
     print $post_type->label;
     print '  ';
-    
+
     print '<span style="font-size:small">';
     printf('<a href="admin.php?page=mf_dispatcher&noheader=true&mf_section=mf_posttype&mf_action=export_post_type&post_type=%s ">%s</a>',$post_type->name,__('Export',$mf_domain) );
     print '</span>';
-    
+
     if(in_array($post_type->name,$mf_pt_register)):
       print '<span style="font-size:small">';
     print ' | ';
@@ -142,7 +142,7 @@ function fields_list() {
     $name = $group['label'];
     if($name != 'Magic Fields'){
       $name = sprintf('<a class="edit-group-h2" href="admin.php?page=mf_dispatcher&mf_section=mf_custom_group&mf_action=edit_group&custom_group_id=%s">%s</a>',$group['id'],$name);
-    
+
       $add = sprintf('admin.php?page=mf_dispatcher&mf_section=mf_custom_fields&mf_action=add_field&post_type=%s&custom_group_id=%s',$post_type->name,$group['id']);
 
       $name .= sprintf('  <span class="mf_add_group_field">(<a href="%s">create field</a>)</span>',$add);
@@ -154,7 +154,7 @@ function fields_list() {
       $name .= sprintf( '  <span class="mf_delete_group_field mf-delete">(<a  alt="%s" class="mf_confirm" href="%s">delete group</a>)</span>', $delete_msg, $delete_link );
     }
     else {
-      $name .= sprintf( '  <span class="mf_add_group_field">(<a href="admin.php?page=mf_dispatcher&mf_section=mf_custom_fields&mf_action=add_field&post_type=%s">create field</a>)</span>',$post_type->name );	
+      $name .= sprintf( '  <span class="mf_add_group_field">(<a href="admin.php?page=mf_dispatcher&mf_section=mf_custom_fields&mf_action=add_field&post_type=%s">create field</a>)</span>',$post_type->name );
     }
     //return all fields for group
     $fields = $this->get_custom_fields_by_group($group['id']);
@@ -231,8 +231,6 @@ function add_field() {
 
     $data = $this->fields_form();
     $this->form_custom_field($data);
-    ?>
-    <?php
   }
 
    /**
@@ -242,8 +240,6 @@ function edit_field() {
     global $mf_domain;
 
     //check param custom_field_id
-
-
     $data = $this->fields_form();
     $field = $this->get_custom_field($_GET['custom_field_id']);
 
@@ -265,9 +261,16 @@ function edit_field() {
   }
 
   function save_custom_field(){
+    check_admin_referer('save_custom_field');
 
     //save custom field
     $mf = $_POST['mf_field'];
+    // array_walk_recursive($mf, function (&$value) {
+    //   $value = strip_tags($value);
+    // });
+
+    array_walk_recursive($data, array($this, 'escape_data'));
+
     if($mf['core']['id']){
       //update
       $this->update_name_field($mf);
@@ -426,7 +429,7 @@ public function fields_form() {
 
   function form_custom_field( $data ) {
     global $mf_domain;
-    
+
     $name_group = '';
     if($data['core']['custom_group_id']['value']){
       $group = $this->get_group( $data['core']['custom_group_id']['value'] );
@@ -438,14 +441,18 @@ function form_custom_field( $data ) {
       <div id="message_mf_error" class="error below-h2" style="display:none;"><p></p></div>
       <div id="icon-edit-pages" class="icon32 icon32-posts-page"><br></div>
       <?php if( !$data['core']['id']['value'] ): ?>
-       <h2><?php _e('Create Custom Field', $mf_domain);?></h2>
-    <?php else: ?>
-    <h2><?php _e('Edit Custom Field', $mf_domain); echo ' - '.$data['core']['label']['value'];?></h2>
+        <h2><?php _e('Create Custom Field', $mf_domain);?></h2>
+      <?php else: ?>
+        <h2><?php _e('Edit Custom Field', $mf_domain); echo ' - '.$data['core']['label']['value'];?></h2>
       <?php endif; ?>
 
-     <form id="addCustomField" method="post" action="admin.php?page=mf_dispatcher&init=true&mf_section=mf_custom_fields&mf_action=save_custom_field" class="validate mf_form_admin">
+      <form id="addCustomField" method="post" action="admin.php?page=mf_dispatcher&init=true&mf_section=mf_custom_fields&mf_action=save_custom_field" class="validate mf_form_admin">
+
+        <?php wp_nonce_field('save_custom_field'); ?>
+
       <div class="alignleft fixed" style="width: 40%;" id="mf_add_custom_field">
-        <?php foreach( $data['core'] as $core ):?>
+        <?php foreach( $data['core'] as $core ): ?>
+          <?php $core['value'] = htmlentities($core['value']); ?>
           <?php if( $core['type'] == 'hidden' ): ?>
                   <?php mf_form_hidden($core); ?>
           <?php elseif( $core['type'] == 'text' ):?>
@@ -643,7 +650,7 @@ public function display_field( $field, $group_index = 1, $field_index = 1 ) {
   public function upload($custom_field_id, $type = 'image',$callback = 'mf_callback_upload'){
     $iframe_src = sprintf('%sadmin/mf_upload.php?input_name=%s&callback=%s&type=%s',MF_BASENAME,$custom_field_id,$callback,$type);
     $out = sprintf('<iframe id="iframe_upload_%s" src="%s" height="45" scrolling="no" ></iframe>',$custom_field_id,$iframe_src);
-    
+
     return $out;
   }
 }