Release version 4.1.5 (#100)

Merge pull request #100 from short-pixel-optimizer/hotfix-4.1.5

Author: pdobrescu

build/shortpixel/log/src/ShortPixelLogger.php

@@ -82,7 +82,6 @@ public function __construct()
       {
           if (defined('SHORTPIXEL_LOG_OVERWRITE')) // if overwrite, do this on init once.
             file_put_contents($this->logPath,'-- Log Reset -- ' .PHP_EOL);
-
       }
 
       if ($this->is_active)

classes/emr-plugin.php

@@ -56,6 +56,7 @@ public function adminInit()
 		{
 			$this->features['replace']  = true; // does nothing just for completeness
 			$this->features['background'] = apply_filters('emr/feature/background', true);
+      $this->features['remote_notice']  = apply_filters('emr/feature/remote_notice', true);
 
 			load_plugin_textdomain('enable-media-replace', false, basename(dirname(EMR_ROOT_FILE)) . '/languages');
 
@@ -86,6 +87,9 @@ public function useFeature($name)
 					 case 'background':
 					 		$bool = $this->features['background'];
 					 break;
+           case 'remote_notice':
+		           $bool = $this->features['remote_notice'];
+           break;
 					 default:
 					 		$bool = false;
 					 break;
@@ -190,9 +194,8 @@ public function setScreen()
 			 $screen = get_current_screen();
 
 			 $notice_pages = array('attachment',  'media_page_enable-media-replace/enable-media-replace', 'upload' );
-			 if ( in_array($screen->id, $notice_pages) &&	true === emr()->useFeature('background'))
+			 if ( in_array($screen->id, $notice_pages) &&	true === emr()->useFeature('remote_notice'))
 			 {
-
 				 RemoteNoticeController::getInstance(); // check for remote stuff
 			 	 $notices = Notices::getInstance();
 				 $notices->loadIcons(array(

classes/uihelper.php

@@ -54,9 +54,8 @@ public function getFormUrl($attach_id, $action = null)
         if (is_numeric($spdebug))
           $spdebug = intval($spdebug);
         else {
-          $spdebug = sanitize_text_field($spdebug);
+          $spdebug = 3;
         }
-
         $url = add_query_arg('SHORTPIXEL_DEBUG', $spdebug, $url);
       }
 
@@ -75,9 +74,8 @@ public function getSuccesRedirect($attach_id)
       if (is_numeric($spdebug))
         $spdebug = intval($spdebug);
       else {
-        $spdebug = sanitize_text_field($spdebug);
+        $spdebug = 3;
       }
-
       $url = add_query_arg('SHORTPIXEL_DEBUG', $spdebug, $url);
     }
 

enable-media-replace.php

@@ -3,7 +3,7 @@
  * Plugin Name: Enable Media Replace
  * Plugin URI: https://wordpress.org/plugins/enable-media-replace/
  * Description: Enable replacing media files by uploading a new file in the "Edit Media" section of the WordPress Media Library.
- * Version: 4.1.4
+ * Version: 4.1.5
  * Author: ShortPixel
  * Author URI: https://shortpixel.com
  * GitHub Plugin URI: https://github.com/short-pixel-optimizer/enable-media-replace
@@ -25,7 +25,7 @@
  *
  */
 
-define( 'EMR_VERSION', '4.1.4' );
+define( 'EMR_VERSION', '4.1.5' );
 
 if ( ! defined( 'ABSPATH' ) ) {
 	exit; // Exit if accessed directly.

readme.txt

@@ -5,7 +5,7 @@ Tags: replace, attachment, media, files, replace image, remove background, repla
 Requires at least: 4.9.7
 Tested up to: 6.3
 Requires PHP: 5.6
-Stable tag: 4.1.4
+Stable tag: 4.1.5
 
 Easily replace any attached image/file by simply uploading a new file in the Media Library edit view - a real time saver!
 
@@ -38,6 +38,10 @@ If you don't want to use the background removal feature, add this line to your t
 
 ```add_filter( 'emr/feature/background', '__return_false' );```
 
+A similar filter, for the remote notification system is:
+
+```add_filter( 'emr/feature/remote_notice', '__return_false' );```
+
 To shorten the wait time before redirecting to the media editing screen, use the following filter and specify the wait time in seconds (0 means that redirection is immediate, but may cause problems in certain configurations):
 
 ```add_filter('emr/success/timeout', function () { return 3; });```
@@ -69,6 +73,12 @@ If you want more control over the format in which the time is shown, you can use
 
 == Changelog ==
 
+= 4.1.5 =
+
+Release date: December 14, 2023
+* Tweak: Added a filter to disable the remote notification system added in version 4.1.0;
+* Fix: A potential "Reflected Cross-Site Scripting" vulnerability has been patched, responsibly disclosed by the Wordfence team.
+
 = 4.1.4 =
 
 Release date: September 22, 2023

views/screen.php

@@ -45,14 +45,13 @@
 	<?php
 
 	$formurl = $uiHelper->getFormUrl($attachment_id);
-  //$formurl = wp_nonce_url( $url, "media_replace_upload" );
 
 	if (FORCE_SSL_ADMIN) {
 			$formurl = str_replace("http:", "https:", $formurl);
 		}
 	?>
 
-	<form enctype="multipart/form-data" method="POST" action="<?php echo $formurl; ?>">
+	<form enctype="multipart/form-data" method="POST" action="<?php echo esc_url($formurl); ?>">
 		<?php wp_nonce_field('media_replace_upload', 'emr_nonce'); ?>
 
 <div class='editor-wrapper'>