Security updates (#138)

* updates gitlab-ci to include jest tests

* extracts sanitize functions for associative arrays

* updates attributions to more secure markdown syntax only

* verifies nonces in admin; resolves #135

* updates shortcodes atts to escape with filter_var and htmlspecialchars; resolves #136

* test the test stage

* force test ci update

* force update stage

* update gitlab ci test job

* popup_text is already escaped and set with textContent

* const -> var

* geojson atts are already escaped

* removes unnecessary attribution changes

* removes trailing commas

* only test javascript when it changes

* bump major version

* fixes extra variables in shape popup script

* update docker images

* updates node dependencies

* removes overwritting from all extract calls

* removes unwanted HTML tags in attribution

Co-authored-by: bozdoz <[email protected]>

Author: bozdoz

.github/workflows/test.yml

@@ -1,6 +1,12 @@
 name: Node.js CI
 
-on: [push]
+on:
+  pull_request:
+    paths:
+      - '**.js' 
+  push:
+    paths:
+      - '**.js'
 
 jobs:
   build:

.gitlab-ci.yml

@@ -1,6 +1,10 @@
 variables:
   GIT_DEPTH: 5
 
+stages:
+  - test
+  - deploy
+
 image: alpine:3.11
 
 before_script:
@@ -11,6 +15,17 @@ before_script:
   - cp -r * /repo/trunk
   - cd /repo
 
+test:
+  stage: test
+  before_script:
+    - apk add --no-cache nodejs npm
+  script:
+    - npm ci
+    - npm test
+  rules:
+    - changes:
+      - '**/*.js'
+
 new version:
   stage: deploy
   script:

class.leaflet-map.php

@@ -2,8 +2,6 @@
 /**
  * Leaflet Map Class File
  * 
- * PHP Version 5.5
- * 
  * @category Admin
  * @author   Benjamin J DeLong <[email protected]>
  */
@@ -249,7 +247,29 @@ function remove_empty_string ($var) {
     }
 
     /**
-     * Sanitize JSON
+     * Sanitize any given validations, but concatenate with the remaining keys from $arr
+     */
+    public function sanitize_inclusive($arr, $validations) {
+        return array_merge(
+            $arr,
+            $this->sanitize_exclusive($arr, $validations)
+        );
+    }
+
+    /**
+     * Sanitize and return ONLY given validations
+     */
+    public function sanitize_exclusive($arr, $validations) {
+        // remove nulls
+        $arr = $this->filter_null($arr);
+
+        // sanitize output
+        $args = array_intersect_key($validations, $arr);
+        return filter_var_array($arr, $args);
+    }
+
+    /**
+     * Sanitize JSON 
      *
      * Takes options for filtering/correcting inputs for use in JavaScript
      *
@@ -259,12 +279,7 @@ function remove_empty_string ($var) {
      */
     public function json_sanitize($arr, $args)
     {
-        // remove nulls
-        $arr = $this->filter_null($arr);
-
-        // sanitize output
-        $args = array_intersect_key($args, $arr);
-        $arr = filter_var_array($arr, $args);
+        $arr = $this->sanitize_exclusive($arr, $args);
 
         $output = json_encode($arr);
 
@@ -288,7 +303,7 @@ public function json_sanitize($arr, $args)
     public function get_style_json($atts)
     {
         if ($atts) {
-            extract($atts);
+            extract($atts, EXTR_SKIP);
         }
 
         // from http://leafletjs.com/reference-1.0.3.html#path
@@ -343,7 +358,8 @@ public function get_style_json($atts)
     public function add_popup_to_shape($atts, $content, $shape)
     {
         if (!empty($atts)) {
-            extract($atts);
+            // don't overwrite existing variables
+            extract($atts, EXTR_SKIP);
         }
 
         $message = empty($message) ? 

class.plugin-settings.php

@@ -2,8 +2,6 @@
 /**
  * Class for getting and setting db/default values
  * 
- * PHP Version 5.5
- * 
  * @category Admin
  * @author   Benjamin J DeLong <[email protected]>
  */
@@ -15,6 +13,8 @@
 
 require_once LEAFLET_MAP__PLUGIN_DIR . 'class.plugin-option.php';
 
+// TODO: add option to reset just a single field
+
 /**
  * Used to get and set values
  * 

docker-compose.yml

@@ -10,7 +10,7 @@ services:
       MYSQL_ROOT_PASSWORD: rootpass
 
   cli:
-    image: bozdoz/wordpress-initialize:2.4.0-20201102
+    image: bozdoz/wordpress-initialize:2.5.0
     depends_on:
       - mysql
     volumes:
@@ -33,7 +33,7 @@ services:
       WP_THEME: twentynineteen
 
   wordpress:
-    image: wordpress:5.5.3-php7.4
+    image: wordpress:5.7.2-php7.4
     depends_on:
       - cli
     volumes:

leaflet-map.php

@@ -8,7 +8,7 @@
  * Author URI: https://bozdoz.com/
  * Text Domain: leaflet-map
  * Domain Path: /languages/
- * Version: 2.23.3
+ * Version: 3.0.0
  * License: GPL2
  * Leaflet Map is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -29,7 +29,7 @@
     exit; 
 }
 
-define('LEAFLET_MAP__PLUGIN_VERSION', '2.23.3');
+define('LEAFLET_MAP__PLUGIN_VERSION', '3.0.0');
 define('LEAFLET_MAP__PLUGIN_FILE', __FILE__);
 define('LEAFLET_MAP__PLUGIN_DIR', plugin_dir_path(__FILE__));