Merge pull request #31 from brainstormforce/security-audit-fix

 fix : plugin security audits.

README.md

@@ -3,8 +3,8 @@
 **Donate link:** https://www.paypal.me/BrainstormForce  
 **Tags:** custom sidebar, sidebar manager, custom widget areas, widgets, conditional sidebar  
 **Requires at least:** 4.0  
-**Tested up to:** 5.5  
-**Stable tag:** 1.1.5 
+**Tested up to:** 5.5.1  
+**Stable tag:** 1.1.6  
 **License:** GPLv2 or later  
 **License URI:** https://www.gnu.org/licenses/gpl-2.0.html  
 
@@ -51,7 +51,10 @@ Other plugins we found are heavy with ugly interface, non supported, developed o
 
 ## Changelog ##
 
-### 1.1.5 ### 
+### 1.1.6 ###
+- Improvement: Hardened the security of plugin.
+
+### 1.1.5 ###
 - Fix: Security hardening. 
 
 ### 1.1.4 ###

classes/class-bsf-sb-metabox.php

@@ -81,7 +81,7 @@ public function metabox_actions() {
 		 */
 		public function metabox_save( $post_id ) {
 
-			if( ! isset( $_POST[ BSF_SB_POST_TYPE . '-nonce' ] ) ) {
+			if ( ! isset( $_POST[ BSF_SB_POST_TYPE . '-nonce' ] ) ) {
 				return;
 			}
 
@@ -110,12 +110,13 @@ public function metabox_save( $post_id ) {
 			}
 
 			if ( isset( $_POST['bsf-sb-users'] ) ) {
-				update_post_meta( $post_id, '_bsf-sb-users', $_POST['bsf-sb-users'] );
+				$bsf_sb_user_roles = array_map( 'sanitize_text_field', $_POST['bsf-sb-users'] );
+				update_post_meta( $post_id, '_bsf-sb-users', $bsf_sb_user_roles );
 			}
 
 			if ( isset( $_POST['replace_this_sidebar'] ) ) {
 
-				$replace_sidebar = esc_attr( $_POST['replace_this_sidebar'] );
+				$replace_sidebar = sanitize_text_field( $_POST['replace_this_sidebar'] );
 
 				update_post_meta( $post_id, '_replace_this_sidebar', $replace_sidebar );
 			}
@@ -158,7 +159,7 @@ public function sidebar_settings( $post ) {
 					if ( strrpos( $slug, BSF_SB_PREFIX ) !== false ) {
 						continue;
 					}
-					$out .= '<option value="' . $slug . '"' . selected( $replace_sidebar, $slug, false ) . '>' . $name . '</option>';
+					$out .= '<option value="' . esc_attr( $slug ) . '"' . selected( $replace_sidebar, $slug, false ) . '>' . esc_attr( $name ) . '</option>';
 				}
 				$out .= '</select>';
 			} else {
@@ -174,7 +175,7 @@ public function sidebar_settings( $post ) {
 							$out .= '<i class="bsf-sb-help dashicons dashicons-editor-help" title="' . esc_attr__( 'Add an optional description fot the Widgets screen.', 'sidebar-manager' ) . '"></i>';
 						$out     .= '</td>';
 						$out     .= '<td class="bsf-sb-row-content">';
-							$out .= '<input type="text" rows="1" name="excerpt" value="' . $post->post_excerpt . '">';
+							$out .= '<input type="text" rows="1" name="excerpt" value="' . esc_attr( $post->post_excerpt ) . '">';
 						$out     .= '</td>';
 					$out         .= '</tr>';
 

readme.txt

@@ -3,8 +3,8 @@ Contributors: BrainstormForce
 Donate link: https://www.paypal.me/BrainstormForce
 Tags: custom sidebar, sidebar manager, custom widget areas, widgets, conditional sidebar
 Requires at least: 4.0
-Tested up to: 5.5
-Stable tag: 1.1.5
+Tested up to: 5.5.1
+Stable tag: 1.1.6
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -51,6 +51,9 @@ Other plugins we found are heavy with ugly interface, non supported, developed o
 
 == Changelog ==
 
+= 1.1.6 =
+- Improvement: Hardened the security of plugin.
+
 = 1.1.5 = 
 - Fix: Security hardening. 
 

sidebar-manager.php

@@ -3,7 +3,7 @@
  * Plugin Name:     Sidebar Manager
  * Plugin URI:      http://www.brainstormforce.com
  * Description:     This is the plugin to create custom siderbars to your site.
- * Version:         1.1.5
+ * Version:         1.1.6
  * Author:          Brainstorm Force
  * Author URI:      https://www.brainstormforce.com/
  * Text Domain:     bsfsidebars
@@ -25,7 +25,7 @@
 define( 'BSF_SB_BASE', plugin_basename( BSF_SB_FILE ) );
 define( 'BSF_SB_DIR', plugin_dir_path( BSF_SB_FILE ) );
 define( 'BSF_SB_URL', plugins_url( '/', BSF_SB_FILE ) );
-define( 'BSF_SB_VER', '1.1.5' );
+define( 'BSF_SB_VER', '1.1.6' );
 define( 'BSF_SB_PREFIX', 'bsf-sb' );
 define( 'BSF_SB_POST_TYPE', 'bsf-sidebar' );