Security a coding standards patch pro plugin https://wordpress.org/plugins/ceske-komentare/ v.1.5.5
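--- a/ceske-komentare.php
+++ b/ceske-komentare.php
@@ -8,70 +8,88 @@
 Author URI: http://blog.doprofilu.cz
 License: GNU General Public License v2
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
+Text Domain: ceske-komentare
 */
+
 // If this file is called directly, abort.
 if ( ! defined( 'WPINC' ) ) {
 die;
 }
+//Load plugin's texdomain
+function ceske_komentare_load_plugin_textdomain() {
+ load_plugin_textdomain( 'ceske-komentare', FALSE, basename( dirname( __FILE__ ) ) . '/languages/' );
+}
-function pridat() {
+add_action( 'plugins_loaded', 'ceske_komentare_load_plugin_textdomain' );
+
+function ceske_komentare_activation_callback() {
 // Activation code here...
 add_option( 'pocet0', 'Žádný komentář', '', 'yes' );
 add_option( 'pocet1', '1 komentář', '', 'yes' );
 add_option( 'pocet2', '% komentáře', '', 'yes' );
 add_option( 'pocet5', '% komentářů', '', 'yes' );
 }
-register_activation_hook( __FILE__, 'pridat' );
+register_activation_hook( __FILE__, 'ceske_komentare_activation_callback' );
-$pocet0=get_option('pocet0');
-$pocet1=get_option('pocet1');
-$pocet2=get_option('pocet2');
-$pocet5=get_option('pocet5');
+function ceske_komentare_get_options() {
+ return array(
+ 'pocet0' => get_option( 'pocet0' ),
+ 'pocet1' => get_option( 'pocet1' ),
+ 'pocet2' => get_option( 'pocet2' ),
+ 'pocet5' => get_option( 'pocet5' ),
+ );
+}
-add_action( 'admin_menu', 'register_my_custom_menu_page' );
+add_action( 'admin_menu', 'ceske_komentare_register_menu_page' );
-function register_my_custom_menu_page(){
- $page_title = 'Administrace';
- $menu_title = 'České komentáře';
+function ceske_komentare_register_menu_page(){
+ $page_title = esc_html__( 'Administrace', 'ceske-komentare' );
+ $menu_title = esc_html__( 'České komentáře', 'ceske-komentare' );
 $capability = 'manage_options';
 $menu_slug = 'ceske_komentare';
- $function = 'my_custom_menu_page';
+ $function = 'ceske_komentare_menu_page';
 add_options_page($page_title, $menu_title, $capability, $menu_slug, $function);
 }
-function my_custom_menu_page(){
-echo '<h1>Administrace</h1>';
- include('nastaveni.php');
+function ceske_komentare_menu_page() {
+ echo '<h1>' . esc_html__( 'Administrace', 'ceske-komentare' ) . '</h1>';
+ include('nastaveni.php');
 }
-function ceske_komentare($output, $number ){
-global $pocet0,$pocet1,$pocet2,$pocet5;
-if ( $number == 0) $output = $pocet0;
-elseif ($number == 1 )
-$output = str_replace('%', number_format_i18n($number), $pocet1);
-elseif ($number > 1 and $number < 5 )
-$output = str_replace('%', number_format_i18n($number), $pocet2);
-else
-$output = str_replace('%', number_format_i18n($number), $pocet5);
+function ceske_komentare( $output, $number ) {
-return $output; }
+ $options = ceske_komentare_get_options();
+ $pocet0 = $options['pocet0'];
+ $pocet1 = $options['pocet1'];
+ $pocet2 = $options['pocet2'];
+ $pocet5 = $options['pocet5'];
+ if ( intval( $number ) === 0) {
+ $output = $pocet0;
+ } elseif ( intval( $number ) === 1 ) {
+ $output = str_replace( '%', number_format_i18n( $number ), $pocet1 );
+ } elseif ( intval( $number ) > 1 && intval( $number ) < 5 ) {
+ $output = str_replace( '%', number_format_i18n( $number ), $pocet2 );
+ } else {
+ $output = str_replace( '%', number_format_i18n( $number ), $pocet5 );
+ }
+ return $output;
+}
 add_action('comments_number', 'ceske_komentare', 10, 2);
-
-function komentare_meta( $links, $file ) { // Add a link to this plugin's settings page
+function ceske_komentare_meta( $links, $file ) { // Add a link to this plugin's settings page
 static $this_plugin;
- if(!$this_plugin) $this_plugin = plugin_basename(__FILE__);
- if($file == $this_plugin) {
- $settings_link = '<a href="options-general.php?page=ceske_komentare">'.__('Nastavení', 'ceske-komentare').'</a>';
- array_unshift($links, $settings_link);
+ if ( !$this_plugin ) {
+ $this_plugin = plugin_basename(__FILE__);
 }
+ if ( $file == $this_plugin ) {
+ $settings_link = '<a href="<?php echo esc_url( admin_url( options-general.php?page=ceske_komentare ) ); ?>">'.esc_html__( 'Nastavení', 'ceske-komentare' ).'</a>';
+ array_unshift( $links, $settings_link );
+ }
 return $links;
 }
-add_filter('plugin_row_meta','komentare_meta', 10, 2);
-
-?>
\ No newline at end of file
+add_filter( 'plugin_row_meta', 'ceske_komentare_meta', 10, 2 );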
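Review bot: The settings link built in `ceske_komentare_meta`, `$settings_link = '<a href="<?php echo esc_url( admin_url( options-general.php?page=ceske_komentare ) ); ?>">' ...`, embeds a PHP open tag inside a single-quoted string, so the `<?php ... ?>` text is emitted literally into the href instead of being executed (and the path argument is unquoted inside it), which leaves the link on the plugins screen broken. It should concatenate the escaped URL instead: `$settings_link = '<a href="' . esc_url( admin_url( 'options-general.php?page=ceske_komentare' ) ) . '">' . esc_html__( 'Nastavení', 'ceske-komentare' ) . '</a>';`. Two smaller points: `include('nastaveni.php');` in `ceske_komentare_menu_page` resolves against the include path rather than the plugin directory, and `include( plugin_dir_path( __FILE__ ) . 'nastaveni.php' );` is the usual form; and `$file == $this_plugin` can be `===`, since `plugin_basename()` returns a string.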
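--- a/nastaveni.php
+++ b/nastaveni.php
@@ -10,26 +10,30 @@
 }
 </style>
 <?php
-if( $_SERVER['REQUEST_METHOD'] == 'POST') {
- //..
- update_option( 'pocet0', $_POST['pocet0']);
- update_option( 'pocet1', $_POST['pocet1']);
- update_option( 'pocet2', $_POST['pocet2']);
- update_option( 'pocet5', $_POST['pocet5']);
+if ( $_SERVER['REQUEST_METHOD'] == 'POST') {
+ if (
+ true === current_user_can( 'manage_options' ) //only administrators can update strings
+ && false !== wp_verify_nonce( $_POST['_wpnonce'], 'ceske-komentare-update' ) //nonces verify intention
+ ) {
+ update_option( 'pocet0', sanitize_text_field( $_POST['pocet0'] ) );
+ update_option( 'pocet1', sanitize_text_field( $_POST['pocet1'] ) );
+ update_option( 'pocet2', sanitize_text_field( $_POST['pocet2'] ) );
+ update_option( 'pocet5', sanitize_text_field( $_POST['pocet5'] ) );
+ $updated = true;
+ }
 }
-if ( ! isset( $_POST['updated'] ) )
- $_POST['updated'] = false;
-if ( false !== $_POST['updated']) : ?>
- <div id="message" class="updated fade"><p><strong><?php _e( 'Nastavení uloženo' ); ?></strong></p></div>
- <?php endif; ?>
+if ( true === isset( $updated ) && true === $updated ) : ?>
+ <div id="message" class="updated fade"><p><strong><?php esc_html_e( 'Nastavení uloženo', 'ceske-komentare' ); ?></strong></p></div>
+<?php endif; ?>
+
 <div class="wrap">
-<h2>České komentáře nastavení</h2>
-<form action="" method="post">
-<label class="left" for="pocet0"><b>Text při žádném komentáři</b>: </label><input type="text" id="pocet0" name="pocet0" value="<?php echo get_option('pocet0')?>"></br>
-<label class="left" for="pocet1"><b>Text při 1 komentáři</b>:</label><input id="pocet1" type="text" name="pocet1" value="<?php echo get_option('pocet1')?>"></br>
-<label class="left" for="pocet2"><b>Text při 2 - 4 komentářích</b>:</label><input id="pocet2" type="text" name="pocet2" value="<?php echo get_option('pocet2')?>"></br>
-<label class="left" for="pocet5"><b>Text při více jak 4 komentáříh (5,6,...)</b>:</label><input id="pocet5" type="text" name="pocet5" value="<?php echo get_option('pocet5')?>"><br>
-<input type="hidden" name="updated">
-<b>Pozn: Je možné používat zástupný znak "%" pro dosazení aktuálního počtu komentářů</b>
-<?php submit_button ('Uložit nastavení'); ?>
-</form>
+<h2><?php esc_html_e( 'České komentáře nastavení', 'ceske-komentare' ); ?></h2>
+<form action="<?php echo esc_url( admin_url( 'options-general.php?page=ceske_komentare' ) ); ?>" method="post">
+<label class="left" for="pocet0"><b><?php esc_html_e( 'Text při žádném komentáři', 'ceske-komentare' ); ?></b>: </label><input type="text" id="pocet0" name="pocet0" value="<?php echo esc_attr( get_option('pocet0' ) ); ?>"></br>
+<label class="left" for="pocet1"><b><?php esc_html_e( 'Text při 1 komentáři', 'ceske-komentare' ); ?></b>:</label><input id="pocet1" type="text" name="pocet1" value="<?php echo esc_attr( get_option('pocet1') ); ?>"></br>
+<label class="left" for="pocet2"><b><?php esc_html_e( 'Text při 2 - 4 komentářích', 'ceske-komentare' ); ?></b>:</label><input id="pocet2" type="text" name="pocet2" value="<?php echo esc_attr( get_option('pocet2') ); ?>"></br>
+<label class="left" for="pocet5"><b><?php esc_html_e( 'Text při více jak 4 komentářích (5,6,...)', 'ceske-komentare' ); ?></b>:</label><input id="pocet5" type="text" name="pocet5" value="<?php echo esc_attr( get_option('pocet5') ); ?>"><br>
+<b><?php esc_html_e( 'Pozn: Je možné používat zástupný znak "%" pro dosazení aktuálního počtu komentářů', 'ceske-komentare' ); ?></b>
+<?php
+ wp_nonce_field( 'ceske-komentare-update' );
+ submit_button ( esc_html__( 'Uložit nastavení', 'ceske-komentare' ) );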
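Review bot: The nonce check `false !== wp_verify_nonce( $_POST['_wpnonce'], 'ceske-komentare-update' )` reads `$_POST['_wpnonce']` without an `isset()` guard, so a POST that omits the field (the forged-request case the nonce exists to reject) raises an undefined-index notice before the check fails, and the four `$_POST['pocetN']` reads in the `update_option()` calls have the same gap. WordPress slash-escapes request data, so each value should also pass through `wp_unslash()` before `sanitize_text_field()`, otherwise a saved string containing a quote is likely stored with its backslash; the rewrite below guards and unslashes every field and skips keys that are absent instead of clobbering the stored option. A request that fails the capability or nonce check currently falls through silently to the form with no notice, which reads as a successful save to the administrator, so an early return with a message would make the rejection visible. Unless the page truncates the hunk, the new side also drops `-</form>` without re-adding it after `submit_button(...)`, leaving the form element unclosed. Minor: `$_SERVER['REQUEST_METHOD'] == 'POST'` can use `===`.
```php
if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if (
        true === current_user_can( 'manage_options' ) //only administrators can update strings
        && false !== wp_verify_nonce( $nonce, 'ceske-komentare-update' ) //nonces verify intention
    ) {
        foreach ( array( 'pocet0', 'pocet1', 'pocet2', 'pocet5' ) as $key ) {
            if ( isset( $_POST[ $key ] ) ) {
                update_option( $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
            }
        }
        $updated = true;
    }
}
// … unchanged: success notice and settings form …
```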
Patch odstraňuje následující nedostatky
* obsahuje úpravy kódu tak, aby vyhovovaly WordPress coding standards