CVE-2023-5099: Changeset 2985200 for hk-filter-and-search – WordPress Plugin Repository
The HTML filter and csv-file search plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.7 via the ‘src’ attribute of the ‘csvsearch’ shortcode. This allows authenticated attackers, with contributor-level permissions and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
hk-filter-and-search/tags/2.8/hk-filter-and-search.php
r2957037
r2985200
4
4
Plugin URI: http://wordpress.org/plugins/hk-filter-and-search
5
5
Description: Easy way to enable jquery HTML filter or a CSV-file-search to a webpage. Use the shortcodes \[csvsearch\] and \[filtersearch\] to enable.
6
Version: 2.7
6
Version: 2.8
7
7
Author: jonashjalmarsson
8
8
Author URI: https://jonashjalmarsson.se
9
9
License: GPLv3
10
Text domain: hk-filter-and-search
10
Text Domain: hk-filter-and-search
11
Domain Path: /languages
11
12
\*/
12
13
13
14
namespace hk\_filter\_and\_search;
14
15
16
if ( ! defined( 'ABSPATH' ) ) {
17
exit; // Exit if accessed directly.
18
}
19
20
/\*
21
\* load textdomain
22
\*/
23
function hk\_load\_textdomain() {
24
load\_plugin\_textdomain( 'hk-filter-and-search', false, dirname( plugin\_basename( \_\_FILE\_\_ ) ) . '/languages' );
25
}
26
add\_action( 'init', \_\_NAMESPACE\_\_ . '\\\\hk\_load\_textdomain' );
27
28
/\*
29
\* enqueue scripts
30
\*/
15
31
function hk\_filter\_search\_scripts() {
16
32
if ( ! wp\_script\_is( 'jquery', 'enqueued' )) {
…
…
30
46
'charset' => 'iso-8859-1',
31
47
'format' => '{b}{0}{/b}, {1}, {2}{br/}',
32
'searchtext' => 'sök',
48
'searchtext' => \_\_('Search', 'hk-filter-and-search'),
33
49
'instantformat' => '{0}',
34
50
'instantsearch' => 'false',
35
51
'dataidformat' => "{0}",
36
52
'csv\_separator' => ";",
37
'nothing\_found\_message' => 'Nothing found when searching for: ',
53
'nothing\_found\_message' => \_\_('Nothing found when searching for: ', 'hk-filter-and-search'),
38
54
'placeholder\_text' => '',
39
55
'exact\_match' => 'false',
…
…
44
60
'ignore\_default\_header\_style' => 'false',
45
61
'set\_focus\_on\_load' => 'false',
46
), $atts );
47
48
/\*foreach ( $defaults as $default => $value ) { // add defaults
49
if ( ! @array\_key\_exists( $default, $atts ) ) { // mute warning with "@" when no params at all
50
$atts\[$default\] = $value;
51
}
52
}\*/
53
54
62
), $atts );
63
64
$atts = hk\_escape\_atts($atts);
65
55
66
$src = $atts\["src"\];
56
67
…
…
58
69
$html .= "<div class='content-container csv-container'>";
59
70
60
$src = $atts\["src"\];
61
71
$src = trim($src, '\\'"”\`´ ');
72
73
if (empty($src)) {
74
$html .= '<b>' . \_\_('No file found or not a valid .csv file!', 'hk-filter-and-search') . '</b><br/>';
75
$html .= '<b>' . \_\_("Src has to be set and point to a .csv file.", 'hk-filter-and-search') . '</b><br/>';
76
$html .= '</div><!-- END HK CSV search -->';
77
return wp\_kses\_post($html);
78
}
79
62
80
$rand = rand(0,10000);
63
81
$charset = $atts\["charset"\];
…
…
74
92
$dataidformat = $atts\["dataidformat"\];
75
93
$csv\_separator = $atts\["csv\_separator"\];
94
$nothing\_found\_message = $atts\["nothing\_found\_message"\];
76
95
$placeholder\_text = $atts\["placeholder\_text"\];
77
96
$only\_search\_in\_column = $atts\["only\_search\_in\_column"\];
…
…
114
133
$src\_without\_site\_url = str\_replace($site\_url, '', $src);
115
134
116
117
$file\_valid = true;
118
if (empty($src)) {
119
$html .= '<b>No file found!</b><br/>';
120
$html .= "<b>Src has to be set to use csvsearch shortcode.</b><br/>";
121
$file\_valid = false;
122
}
123
124
135
if ($skip\_file\_check == "true") {
125
136
// skip file check
…
…
132
143
}
133
144
else {
134
$html .= "<b>File: " . $src . " not found.</b> Only support for local files.<br/>";
135
$file\_valid = false;
136
}
137
138
if ($file\_valid) {
139
$html .= '<div class="hk-csv-search-wrapper">';
140
$html .= '<form method="POST" class="hk-csv-search-form-'.$rand.'">';
141
$html .= '<input type="text" name="hk-csv-input" class="hk-csv-input" ' . $autofocus . '/>';
142
$html .= '<input type="submit" name="hk-csv-button" class="hk-csv-button" value="' . $search\_text . '" />';
143
if ($instantsearch == "true") {
144
$html .= '<div class="hk-csv-instantsearch">'.$placeholder\_text.'</div>';
145
}
146
$html .= '<div class="hk-csv-search-output">'.$placeholder\_text.'</div>';
147
$html .= '</form></div>';
148
}
149
145
/\* translators: %s: filename \*/
146
$html .= \_\_(sprintf("<b>File: %s not found.</b> Only support for local files.", $src), 'hk-filter-and-search') . '<br />';
147
$html .= '</div><!-- END HK CSV search -->';
148
return wp\_kses\_post($html);
149
}
150
151
$keep\_writing = \_\_('Keep writing...', 'hk-filter-and-search');
152
153
$html .= '<div class="hk-csv-search-wrapper">';
154
$html .= '<form method="POST" class="hk-csv-search-form-'.$rand.'">';
155
$html .= '<input type="text" name="hk-csv-input" class="hk-csv-input" ' . $autofocus . '/>';
156
$html .= '<input type="submit" name="hk-csv-button" class="hk-csv-button" value="' . $search\_text . '" />';
157
if ($instantsearch == "true") {
158
$html .= '<div class="hk-csv-instantsearch">'.$placeholder\_text.'</div>';
159
}
160
$html .= '<div class="hk-csv-search-output">'.$placeholder\_text.'</div>';
161
$html .= '</form></div>';
150
162
$html .= '</div>'."\\n";
151
163
152
$html .= '<style>.hk\_header\_row { font-weight: bold } .hk-csv-instant-list { list-style-type: none; margin-left: 0; display: inline-block; border: 1px solid #ddd; } .hk-csv-instant-list li { padding: 4px; } .hk-csv-instant-list li:hover { background-color: #ddd; }</style>'."\\n";
153
$html .= '<script>
164
$style = '.hk\_header\_row { font-weight: bold } .hk-csv-instant-list { list-style-type: none; margin-left: 0; display: inline-block; border: 1px solid #ddd; } .hk-csv-instant-list li { padding: 4px; } .hk-csv-instant-list li:hover { background-color: #ddd; }';
165
$js = '
154
166
(function($) {
155
167
show\_header\_row\_' . $rand . ' = ' . $show\_header\_row . ';
156
168
$(document).ready(function () {
157
169
var lines' . $rand . ' = \[\];
158
var nothing\_msg\_' . $rand . ' = "' . $atts\['nothing\_found\_message'\] . '";
170
var nothing\_msg\_' . $rand . ' = "' . $nothing\_found\_message . '";
159
171
// search button
160
172
$( ".hk-csv-search-form-' . $rand . '" ).submit(function( event ) {
…
…
185
197
// on list click
186
198
$(document).on("click", ".hk-csv-search-form-' . $rand . ' .hk-csv-instant-list li a", function(event){
187
//$(".hk-csv-search-form-' . $rand . ' .hk-csv-instant-list li a").click( function(event){
188
event.preventDefault();
189
search = $(this).data("id");
190
if (search != "") {
191
$(this).parents("ul").remove();
192
}
193
194
doSearch' . $rand . '(search);
195
});
199
event.preventDefault();
200
search = $(this).data("id");
201
if (search != "") {
202
$(this).parents("ul").remove();
203
}
204
205
doSearch' . $rand . '(search);
206
});
196
207
197
208
198
// do search
199
function doSearch' . $rand . '(search) {
200
if (search != "") {
201
$(".hk-csv-search-form-' . $rand . ' .hk-csv-search-output").html("");
202
var output = searchData' . $rand . '(search);
203
209
// do search
210
function doSearch' . $rand . '(search) {
211
if (search != "") {
212
$(".hk-csv-search-form-' . $rand . ' .hk-csv-search-output").html("");
213
var output = searchData' . $rand . '(search);
214
204
215
if ((!show\_header\_row\_' . $rand . ' && output.length == 0) || (show\_header\_row\_' . $rand . ' && output.length <= 1)) {
205
$(".hk-csv-search-form-' . $rand . ' .hk-csv-search-output").append(nothing\_msg\_' . $rand . ' + search);
216
$(".hk-csv-search-form-' . $rand . ' .hk-csv-search-output").append(nothing\_msg\_' . $rand . ' + " " + search);
206
217
}
207
218
else {
…
…
220
231
retline = retline.replace(/\\{/g,"<");
221
232
retline = retline.replace(/\\}/g,">");
222
//retline = retline.toLowerCase();
223
233
$(".hk-csv-search-form-' . $rand . ' .hk-csv-search-output").append(retline);
224
234
}
…
…
233
243
var output = searchData' . $rand . '(search);
234
244
if (search.length < 3) {
235
$(event).parents(".hk-csv-search-wrapper").find(".hk-csv-instantsearch").html("<ul class=\\'hk-csv-instant-list\\'><li>Fortsätt skriva...</li></ul>");
245
$(event).parents(".hk-csv-search-wrapper").find(".hk-csv-instantsearch").html("<ul class=\\'hk-csv-instant-list\\'><li>' . $keep\_writing . '</li></ul>");
236
246
}
237
247
else {
…
…
339
349
340
350
})(jQuery);
341
</script>
351
342
352
';
343
$html .= "\\n".'<!-- END HK CSV search -->'."\\n";
344
345
346
return $html;
353
354
return wp\_kses(
355
$html,
356
array(
357
'a' => array(
358
'href' => array(),
359
'title' => array(),
360
),
361
'br' => array(),
362
'em' => array(),
363
'strong' => array(),
364
'div' => array(
365
'class' => array(),
366
),
367
'form' => array(
368
'method' => array(),
369
'class' => array(),
370
),
371
'input' => array(
372
'type' => array(),
373
'name' => array(),
374
'class' => array(),
375
'value' => array(),
376
),
377
) ) .
378
"<script>" . $js . "</script>\\n" .
379
"<style>" . esc\_attr($style) . "</style>\\n" .
380
'<!-- END HK CSV search -->'."\\n";
347
381
}
348
382
…
…
359
393
'search\_element' => 'table',
360
394
'show\_header\_in\_table' => 'false',
361
'text' => 'sök på denna sida',
395
'text' => \_\_('Search on this site', 'hk-filter-and-search'),
362
396
'clear\_icon\_class' => 'delete-icon',
363
397
'clear\_text' => '',
…
…
365
399
'set\_focus\_on\_load' => 'true',
366
400
), $atts );
401
402
$atts = hk\_escape\_atts($atts);
367
403
368
404
$html = "";
…
…
405
441
$html .= "</div>";
406
442
/\* add default filter style \*/
407
$html .= '<style>
443
$style = '
408
444
.filtersearch' . $rand . ' {
409
445
background-color: #C6CACB;
…
…
434
470
display: none;
435
471
cursor: pointer;
436
</style>';
472
';
437
473
/\* add the jquery script, the script uses random id to work even if added more than once in a page \*/
438
$html .= '<script>
474
$warning\_text = \_\_('Warning: Nothing to filter!', 'hk-filter-and-search');
475
$js = '
439
476
(function($) {
440
477
/\* case insensitive contain \*/
…
…
469
506
if ($(selected\_element) === undefined || $(selected\_element).length == 0) {
470
507
if($("#hk\_filter\_warning'.$rand.'").length > 0) {
471
$("#hk\_filter\_warning'.$rand.'").html("<b>Warning: Nothing to filter!</b>");
508
$("#hk\_filter\_warning'.$rand.'").html("<b>'.$warning\_text.'</b>");
472
509
}
473
510
else {
474
$(el).after("<p id=\\"hk\_filter\_warning'.$rand.'\\"><b>Warning: Nothing to filter!</b></p>");
511
$(el).after("<p id=\\"hk\_filter\_warning'.$rand.'\\"><b>'.$warning\_text.'</b></p>");
475
512
}
476
513
}
…
…
540
577
541
578
})(jQuery);
542
</script>
543
579
';
544
$html .= "\\n".'<!-- END HK filter search -->'."\\n";
545
546
return $html;
580
581
return wp\_kses(
582
$html,
583
array(
584
'span' => array(
585
'class' => array(),
586
),
587
'div' => array(
588
'class' => array(),
589
),
590
'input' => array(
591
'type' => array(),
592
'name' => array(),
593
'class' => array(),
594
'value' => array(),
595
),
596
) ) .
597
"<script>" . $js . "</script>\\n" .
598
"<style>" . esc\_attr($style) . "</style>\\n" .
599
'<!-- END HK filter search -->'."\\n";
547
600
}
548
601
…
…
556
609
557
610
558
611
function hk\_escape\_atts($atts) {
612
foreach($atts as $key => $value) {
613
if ($key == "src") {
614
$atts\[$key\] = esc\_url($value);
615
// ignore src if not ending with .csv
616
if (substr($atts\[$key\], -4) != ".csv") {
617
$atts\[$key\] = "";
618
}
619
}
620
else {
621
$atts\[$key\] = esc\_attr($value);
622
}
623
}
624
return $atts;
625
}
626
627
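Review bot: In `hk_escape_atts` (new-side lines 611–625 of tags/2.8/hk-filter-and-search.php) the `src` attribute is validated by running it through `esc_url()` and then testing `substr($atts[$key], -4) != ".csv"`, but `esc_url()` is an HTML-output escaper rather than a path validator: it preserves `..` path segments and query/fragment text, so the suffix test is satisfied by any value whose last four characters are `.csv`, independent of which file the plugin later opens. The `.csv` test should run on the path component, `wp_parse_url($value, PHP_URL_PATH)`, and reject it when it contains `..`, while the authoritative check belongs where the file is opened: resolve it with `realpath()` and require the result to start with the uploads base directory (the section also keeps a `skip_file_check == "true"` branch at new line 135 whose body is outside this view; if it bypasses that check, shortcode authors still control whether it runs at all). Separately, `$show_header_row` is spliced into `$js` as a bare expression at new line 167 (`show_header_row_N = <value>;`), where `esc_attr()` does not constrain it because it only encodes `<>&"'`; coerce it instead, `$show_header_row = ($show_header_row === 'true') ? 'true' : 'false';`, and prefer `esc_js()` for values placed inside JS string literals such as `$nothing_found_message` at new line 170, since `esc_attr()` is the wrong context escaper there. The same changes apply verbatim to trunk/hk-filter-and-search.php, and the loose `==`/`!=` comparisons in `hk_escape_atts` should be `===`/`!==`.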
hk-filter-and-search/tags/2.8/readme.txt
r2957037
r2985200
3
3
Tags: filter, csv, excel, search, jquery
4
4
Requires at least: 5.0
5
Tested up to: 6.3
6
Stable tag: 2.7
5
Tested up to: 6.3.2
6
Stable tag: 2.8
7
7
License: GPLv3
8
Text Domain: hk-filter-and-search
9
Domain Path: /languages
8
10
License URI: http://www.gnu.org/licenses/gpl.html
9
11
…
…
103
105
\== Changelog ==
104
106
107
\= 2.8 =
108
Major security fix. Attributes escaped. Cross scripting fix. Please update to this version!
109
Translation added. Swedish and English.
110
105
111
\= 2.7 =
106
112
Bugfixes for filtersearch, search per td cell if filtering table. Support if thead is used in table.
107
108
113
109
114
\= 2.6 =
hk-filter-and-search/trunk/hk-filter-and-search.php
r2957037
r2985200
4
4
Plugin URI: http://wordpress.org/plugins/hk-filter-and-search
5
5
Description: Easy way to enable jquery HTML filter or a CSV-file-search to a webpage. Use the shortcodes \[csvsearch\] and \[filtersearch\] to enable.
6
Version: 2.7
6
Version: 2.8
7
7
Author: jonashjalmarsson
8
8
Author URI: https://jonashjalmarsson.se
9
9
License: GPLv3
10
Text domain: hk-filter-and-search
10
Text Domain: hk-filter-and-search
11
Domain Path: /languages
11
12
\*/
12
13
13
14
namespace hk\_filter\_and\_search;
14
15
16
if ( ! defined( 'ABSPATH' ) ) {
17
exit; // Exit if accessed directly.
18
}
19
20
/\*
21
\* load textdomain
22
\*/
23
function hk\_load\_textdomain() {
24
load\_plugin\_textdomain( 'hk-filter-and-search', false, dirname( plugin\_basename( \_\_FILE\_\_ ) ) . '/languages' );
25
}
26
add\_action( 'init', \_\_NAMESPACE\_\_ . '\\\\hk\_load\_textdomain' );
27
28
/\*
29
\* enqueue scripts
30
\*/
15
31
function hk\_filter\_search\_scripts() {
16
32
if ( ! wp\_script\_is( 'jquery', 'enqueued' )) {
…
…
30
46
'charset' => 'iso-8859-1',
31
47
'format' => '{b}{0}{/b}, {1}, {2}{br/}',
32
'searchtext' => 'sök',
48
'searchtext' => \_\_('Search', 'hk-filter-and-search'),
33
49
'instantformat' => '{0}',
34
50
'instantsearch' => 'false',
35
51
'dataidformat' => "{0}",
36
52
'csv\_separator' => ";",
37
'nothing\_found\_message' => 'Nothing found when searching for: ',
53
'nothing\_found\_message' => \_\_('Nothing found when searching for: ', 'hk-filter-and-search'),
38
54
'placeholder\_text' => '',
39
55
'exact\_match' => 'false',
…
…
44
60
'ignore\_default\_header\_style' => 'false',
45
61
'set\_focus\_on\_load' => 'false',
46
), $atts );
47
48
/\*foreach ( $defaults as $default => $value ) { // add defaults
49
if ( ! @array\_key\_exists( $default, $atts ) ) { // mute warning with "@" when no params at all
50
$atts\[$default\] = $value;
51
}
52
}\*/
53
54
62
), $atts );
63
64
$atts = hk\_escape\_atts($atts);
65
55
66
$src = $atts\["src"\];
56
67
…
…
58
69
$html .= "<div class='content-container csv-container'>";
59
70
60
$src = $atts\["src"\];
61
71
$src = trim($src, '\\'"”\`´ ');
72
73
if (empty($src)) {
74
$html .= '<b>' . \_\_('No file found or not a valid .csv file!', 'hk-filter-and-search') . '</b><br/>';
75
$html .= '<b>' . \_\_("Src has to be set and point to a .csv file.", 'hk-filter-and-search') . '</b><br/>';
76
$html .= '</div><!-- END HK CSV search -->';
77
return wp\_kses\_post($html);
78
}
79
62
80
$rand = rand(0,10000);
63
81
$charset = $atts\["charset"\];
…
…
74
92
$dataidformat = $atts\["dataidformat"\];
75
93
$csv\_separator = $atts\["csv\_separator"\];
94
$nothing\_found\_message = $atts\["nothing\_found\_message"\];
76
95
$placeholder\_text = $atts\["placeholder\_text"\];
77
96
$only\_search\_in\_column = $atts\["only\_search\_in\_column"\];
…
…
114
133
$src\_without\_site\_url = str\_replace($site\_url, '', $src);
115
134
116
117
$file\_valid = true;
118
if (empty($src)) {
119
$html .= '<b>No file found!</b><br/>';
120
$html .= "<b>Src has to be set to use csvsearch shortcode.</b><br/>";
121
$file\_valid = false;
122
}
123
124
135
if ($skip\_file\_check == "true") {
125
136
// skip file check
…
…
132
143
}
133
144
else {
134
$html .= "<b>File: " . $src . " not found.</b> Only support for local files.<br/>";
135
$file\_valid = false;
136
}
137
138
if ($file\_valid) {
139
$html .= '<div class="hk-csv-search-wrapper">';
140
$html .= '<form method="POST" class="hk-csv-search-form-'.$rand.'">';
141
$html .= '<input type="text" name="hk-csv-input" class="hk-csv-input" ' . $autofocus . '/>';
142
$html .= '<input type="submit" name="hk-csv-button" class="hk-csv-button" value="' . $search\_text . '" />';
143
if ($instantsearch == "true") {
144
$html .= '<div class="hk-csv-instantsearch">'.$placeholder\_text.'</div>';
145
}
146
$html .= '<div class="hk-csv-search-output">'.$placeholder\_text.'</div>';
147
$html .= '</form></div>';
148
}
149
145
/\* translators: %s: filename \*/
146
$html .= \_\_(sprintf("<b>File: %s not found.</b> Only support for local files.", $src), 'hk-filter-and-search') . '<br />';
147
$html .= '</div><!-- END HK CSV search -->';
148
return wp\_kses\_post($html);
149
}
150
151
$keep\_writing = \_\_('Keep writing...', 'hk-filter-and-search');
152
153
$html .= '<div class="hk-csv-search-wrapper">';
154
$html .= '<form method="POST" class="hk-csv-search-form-'.$rand.'">';
155
$html .= '<input type="text" name="hk-csv-input" class="hk-csv-input" ' . $autofocus . '/>';
156
$html .= '<input type="submit" name="hk-csv-button" class="hk-csv-button" value="' . $search\_text . '" />';
157
if ($instantsearch == "true") {
158
$html .= '<div class="hk-csv-instantsearch">'.$placeholder\_text.'</div>';
159
}
160
$html .= '<div class="hk-csv-search-output">'.$placeholder\_text.'</div>';
161
$html .= '</form></div>';
150
162
$html .= '</div>'."\\n";
151
163
152
$html .= '<style>.hk\_header\_row { font-weight: bold } .hk-csv-instant-list { list-style-type: none; margin-left: 0; display: inline-block; border: 1px solid #ddd; } .hk-csv-instant-list li { padding: 4px; } .hk-csv-instant-list li:hover { background-color: #ddd; }</style>'."\\n";
153
$html .= '<script>
164
$style = '.hk\_header\_row { font-weight: bold } .hk-csv-instant-list { list-style-type: none; margin-left: 0; display: inline-block; border: 1px solid #ddd; } .hk-csv-instant-list li { padding: 4px; } .hk-csv-instant-list li:hover { background-color: #ddd; }';
165
$js = '
154
166
(function($) {
155
167
show\_header\_row\_' . $rand . ' = ' . $show\_header\_row . ';
156
168
$(document).ready(function () {
157
169
var lines' . $rand . ' = \[\];
158
var nothing\_msg\_' . $rand . ' = "' . $atts\['nothing\_found\_message'\] . '";
170
var nothing\_msg\_' . $rand . ' = "' . $nothing\_found\_message . '";
159
171
// search button
160
172
$( ".hk-csv-search-form-' . $rand . '" ).submit(function( event ) {
…
…
185
197
// on list click
186
198
$(document).on("click", ".hk-csv-search-form-' . $rand . ' .hk-csv-instant-list li a", function(event){
187
//$(".hk-csv-search-form-' . $rand . ' .hk-csv-instant-list li a").click( function(event){
188
event.preventDefault();
189
search = $(this).data("id");
190
if (search != "") {
191
$(this).parents("ul").remove();
192
}
193
194
doSearch' . $rand . '(search);
195
});
199
event.preventDefault();
200
search = $(this).data("id");
201
if (search != "") {
202
$(this).parents("ul").remove();
203
}
204
205
doSearch' . $rand . '(search);
206
});
196
207
197
208
198
// do search
199
function doSearch' . $rand . '(search) {
200
if (search != "") {
201
$(".hk-csv-search-form-' . $rand . ' .hk-csv-search-output").html("");
202
var output = searchData' . $rand . '(search);
203
209
// do search
210
function doSearch' . $rand . '(search) {
211
if (search != "") {
212
$(".hk-csv-search-form-' . $rand . ' .hk-csv-search-output").html("");
213
var output = searchData' . $rand . '(search);
214
204
215
if ((!show\_header\_row\_' . $rand . ' && output.length == 0) || (show\_header\_row\_' . $rand . ' && output.length <= 1)) {
205
$(".hk-csv-search-form-' . $rand . ' .hk-csv-search-output").append(nothing\_msg\_' . $rand . ' + search);
216
$(".hk-csv-search-form-' . $rand . ' .hk-csv-search-output").append(nothing\_msg\_' . $rand . ' + " " + search);
206
217
}
207
218
else {
…
…
220
231
retline = retline.replace(/\\{/g,"<");
221
232
retline = retline.replace(/\\}/g,">");
222
//retline = retline.toLowerCase();
223
233
$(".hk-csv-search-form-' . $rand . ' .hk-csv-search-output").append(retline);
224
234
}
…
…
233
243
var output = searchData' . $rand . '(search);
234
244
if (search.length < 3) {
235
$(event).parents(".hk-csv-search-wrapper").find(".hk-csv-instantsearch").html("<ul class=\\'hk-csv-instant-list\\'><li>Fortsätt skriva...</li></ul>");
245
$(event).parents(".hk-csv-search-wrapper").find(".hk-csv-instantsearch").html("<ul class=\\'hk-csv-instant-list\\'><li>' . $keep\_writing . '</li></ul>");
236
246
}
237
247
else {
…
…
339
349
340
350
})(jQuery);
341
</script>
351
342
352
';
343
$html .= "\\n".'<!-- END HK CSV search -->'."\\n";
344
345
346
return $html;
353
354
return wp\_kses(
355
$html,
356
array(
357
'a' => array(
358
'href' => array(),
359
'title' => array(),
360
),
361
'br' => array(),
362
'em' => array(),
363
'strong' => array(),
364
'div' => array(
365
'class' => array(),
366
),
367
'form' => array(
368
'method' => array(),
369
'class' => array(),
370
),
371
'input' => array(
372
'type' => array(),
373
'name' => array(),
374
'class' => array(),
375
'value' => array(),
376
),
377
) ) .
378
"<script>" . $js . "</script>\\n" .
379
"<style>" . esc\_attr($style) . "</style>\\n" .
380
'<!-- END HK CSV search -->'."\\n";
347
381
}
348
382
…
…
359
393
'search\_element' => 'table',
360
394
'show\_header\_in\_table' => 'false',
361
'text' => 'sök på denna sida',
395
'text' => \_\_('Search on this site', 'hk-filter-and-search'),
362
396
'clear\_icon\_class' => 'delete-icon',
363
397
'clear\_text' => '',
…
…
365
399
'set\_focus\_on\_load' => 'true',
366
400
), $atts );
401
402
$atts = hk\_escape\_atts($atts);
367
403
368
404
$html = "";
…
…
405
441
$html .= "</div>";
406
442
/\* add default filter style \*/
407
$html .= '<style>
443
$style = '
408
444
.filtersearch' . $rand . ' {
409
445
background-color: #C6CACB;
…
…
434
470
display: none;
435
471
cursor: pointer;
436
</style>';
472
';
437
473
/\* add the jquery script, the script uses random id to work even if added more than once in a page \*/
438
$html .= '<script>
474
$warning\_text = \_\_('Warning: Nothing to filter!', 'hk-filter-and-search');
475
$js = '
439
476
(function($) {
440
477
/\* case insensitive contain \*/
…
…
469
506
if ($(selected\_element) === undefined || $(selected\_element).length == 0) {
470
507
if($("#hk\_filter\_warning'.$rand.'").length > 0) {
471
$("#hk\_filter\_warning'.$rand.'").html("<b>Warning: Nothing to filter!</b>");
508
$("#hk\_filter\_warning'.$rand.'").html("<b>'.$warning\_text.'</b>");
472
509
}
473
510
else {
474
$(el).after("<p id=\\"hk\_filter\_warning'.$rand.'\\"><b>Warning: Nothing to filter!</b></p>");
511
$(el).after("<p id=\\"hk\_filter\_warning'.$rand.'\\"><b>'.$warning\_text.'</b></p>");
475
512
}
476
513
}
…
…
540
577
541
578
})(jQuery);
542
</script>
543
579
';
544
$html .= "\\n".'<!-- END HK filter search -->'."\\n";
545
546
return $html;
580
581
return wp\_kses(
582
$html,
583
array(
584
'span' => array(
585
'class' => array(),
586
),
587
'div' => array(
588
'class' => array(),
589
),
590
'input' => array(
591
'type' => array(),
592
'name' => array(),
593
'class' => array(),
594
'value' => array(),
595
),
596
) ) .
597
"<script>" . $js . "</script>\\n" .
598
"<style>" . esc\_attr($style) . "</style>\\n" .
599
'<!-- END HK filter search -->'."\\n";
547
600
}
548
601
…
…
556
609
557
610
558
611
function hk\_escape\_atts($atts) {
612
foreach($atts as $key => $value) {
613
if ($key == "src") {
614
$atts\[$key\] = esc\_url($value);
615
// ignore src if not ending with .csv
616
if (substr($atts\[$key\], -4) != ".csv") {
617
$atts\[$key\] = "";
618
}
619
}
620
else {
621
$atts\[$key\] = esc\_attr($value);
622
}
623
}
624
return $atts;
625
}
626
627
hk-filter-and-search/trunk/readme.txt
r2957037
r2985200
3
3
Tags: filter, csv, excel, search, jquery
4
4
Requires at least: 5.0
5
Tested up to: 6.3
6
Stable tag: 2.7
5
Tested up to: 6.3.2
6
Stable tag: 2.8
7
7
License: GPLv3
8
Text Domain: hk-filter-and-search
9
Domain Path: /languages
8
10
License URI: http://www.gnu.org/licenses/gpl.html
9
11
…
…
103
105
\== Changelog ==
104
106
107
\= 2.8 =
108
Major security fix. Attributes escaped. Cross scripting fix. Please update to this version!
109
Translation added. Swedish and English.
110
105
111
\= 2.7 =
106
112
Bugfixes for filtersearch, search per td cell if filtering table. Support if thead is used in table.
107
108
113
109
114
\= 2.6 =