Merge branch 'themeAccess'

Author: TheNewCoke

package.json

@@ -1,6 +1,6 @@
 {
   "name": "wolfnet-idx-for-wordpress",
-  "version": "1.19.0",
+  "version": "1.19.1",
   "description": "WolfNet IDX for WordPress",
   "homepage": "https://github.com/wolfnet/wordpressplugin",
   "bugs": "https://github.com/wolfnet/wordpressplugin/issues",

readme.md

@@ -89,6 +89,10 @@ Please upgrade to the latest version of the plugin as we will be disabling our o
 
 ## Changelog
 
+### 1.19.1
+
+* Security update to get custom styles via AJAX instead of via direct PHP execution
+
 ### 1.19.0
 
 * Added a new "Settings" link on the plugins page

src/Ajax.php

@@ -47,6 +47,7 @@ public function registerAdminAjaxActions()
 			'wolfnet_get_listings'            => 'remoteListingsGet',
 			'wolfnet_listing_photos'          => 'remoteListingPhotos',
 			'wolfnet_css'                     => 'remotePublicCss',
+			'wolfnet_theme_custom_css'        => 'remoteThemeCustomCss',
 			'wolfnet_market_name'             => 'remoteGetMarketName',
 			'wolfnet_map_enabled'             => 'remoteMapEnabled',
 			'wolfnet_price_range'             => 'remotePriceRange',
@@ -73,6 +74,7 @@ public function registerAjaxActions()
 			'wolfnet_listing_photos'       => 'remoteListingPhotos',
 			'wolfnet_map_track'            => 'remoteMapTrack',
 			'wolfnet_css'                  => 'remotePublicCss',
+			'wolfnet_theme_custom_css'     => 'remoteThemeCustomCss',
 			'wolfnet_base_url'             => 'remoteGetBaseUrl',
 			'wolfnet_price_range'          => 'remotePriceRange',
 			'wolfnet_route_quicksearch'    => 'remoteRouteQuickSearch',
@@ -538,6 +540,43 @@ public function remotePublicCss()
     }
 
 
+	public function remoteThemeCustomCss()
+	{
+
+		try {
+
+			$args = array();
+
+			if (array_key_exists('colors', $_REQUEST)) {
+				$colors = sanitize_text_field($_REQUEST['colors']);
+				if (!empty($colors)) {
+					$args['colors'] = explode(',', htmlspecialchars($colors));
+				}
+			}
+
+			if (array_key_exists('opacity', $_REQUEST)) {
+				$opacity = sanitize_text_field($_REQUEST['opacity']);
+				if (!empty($opacity) || ($opacity != 0)) {
+					$args['opacity'] = $opacity;
+				}
+			}
+
+			$response = $GLOBALS['wolfnet']->views->getThemeCustomCSS($args);
+
+		} catch (Wolfnet_Exception $e) {
+			status_header(500);
+			echo $GLOBALS['wolfnet']->displayException($e);
+			die;
+		}
+
+		header('Content-type: text/css; charset: UTF-8');
+		echo $response;
+
+		die;
+
+	}
+
+
     public function remotePriceRange()
     {
 

src/Template.php

@@ -254,7 +254,7 @@ public function registerStyles()
                 admin_url('admin-ajax.php') . '?action=wolfnet_css',
             ),
 			'wolfnet-theme-custom' => array(
-				$this->url . 'css/wolfnet.theme.custom.php?' . $this->plugin->views->getThemeStyleArgs(),
+				admin_url('admin-ajax.php') . '?action=wolfnet_theme_custom_css',
 			),
 			'wolfnet-jquery-ui' => array(
 				$this->url . 'lib/jquery-ui/themes/wolfnet-wp/jquery-ui.min.css',

src/Views.php

@@ -318,6 +318,20 @@ public function getThemeStyleArgs(array $args = array())
 	}
 
 
+	public function getThemeCustomCSS(array $args = array())
+	{
+		$defaultArgs = array(
+			'colors'    => $this->getThemeColors(),
+			'opacity'   => $this->getThemeOpacity(),
+		);
+
+		$args = array_merge($defaultArgs, $args);
+
+		return $this->parseTemplate('themeCustomCss', $args);
+
+	}
+
+
     /**
      * This method is used in the context of admin_print_styles to output custom CSS.
      * @return void

src/template/adminStyle.php

@@ -88,7 +88,7 @@
 
 			var updatePreviewTimeout;
 
-			var themeStylesheetBaseUrl = '<?php echo $url; ?>/css/wolfnet.theme.custom.php',
+			var themeStylesheetBaseUrl = '<?php echo admin_url('admin-ajax.php') . '?action=wolfnet_theme_custom_css'; ?>',
 				colorOptionsUrl        = '<?php echo $colorOptionsUrl; ?>';
 
 			var $previewBox         = $('#wolfnet-color-options-preview'),

public/css/wolfnet.theme.custom.php src/template/themeCustomCss.phppublic/css/wolfnet.theme.custom.php renamed to src/template/themeCustomCss.php

@@ -1,25 +1,5 @@
 <?php
 
-	header('Content-type: text/css; charset: UTF-8');
-
-	$styleDefaults = array(
-		'colors'   => array('#333'),
-		'opacity'  => 80,
-	);
-
-	$userOptions = array();
-
-	if (!empty($_REQUEST['colors'])) {
-		$userOptions['colors'] = explode(',', htmlspecialchars($_REQUEST['colors']));
-	}
-
-	if (!empty($_REQUEST['opacity'])) {
-		$userOptions['opacity'] = htmlspecialchars($_REQUEST['opacity']);
-	}
-
-	$args = array_merge($styleDefaults, $userOptions);
-
-
 	function getColorPartDec ($colorPartHex, $colorPartLen = 2) {
 
 		// Convert single-digit values to multiples of hex 11
@@ -112,58 +92,58 @@ function vertGradient(array $startColor, array $endColor, $startOpacity=1, $endO
 
 
 	// Get the color parts
-	foreach ($args['colors'] as $colorKey => $colorVal) {
-		$args['colors'][$colorKey] = getColorParts($colorVal);
+	foreach ($colors as $colorKey => $colorVal) {
+		$colors[$colorKey] = getColorParts($colorVal);
 	}
 
 	// Make the opacity a percentage
-	$args['opacity'] /= 100;
+	$opacity /= 100;
 
 ?>
 
 /* Agent Pages */
 
 	.wolfnet_widget.wolfnet_ao .wnt-btn.wnt-btn-primary,
 	.wolfnet_widget.wolfnet_ao .wnt-btn.wnt-btn-active {
-		background-color: <?php echo getHex($args['colors'][0]); ?>;
+		background-color: <?php echo getHex($colors[0]); ?>;
 	}
 
 	.wolfnet_widget.wolfnet_ao hr {
-		border-color: <?php echo getHex($args['colors'][0]); ?>;
+		border-color: <?php echo getHex($colors[0]); ?>;
 	}
 
 	.wolfnet_widget.wolfnet_ao ul.wolfnet_aoLinks li .wnt-icon,
 	.wolfnet_widget.wolfnet_ao ul.wolfnet_aoLinks li a,
 	.wolfnet_widget.wolfnet_ao ul.wolfnet_aoLinks li a:hover,
 	.wolfnet_widget.wolfnet_ao ul.wolfnet_aoLinks li a:active,
 	.wolfnet_widget.wolfnet_ao ul.wolfnet_aoLinks li a:visited {
-		color: <?php echo getHex($args['colors'][0]); ?>;
+		color: <?php echo getHex($colors[0]); ?>;
 	}
 
 	.wolfnet_widget.wolfnet_ao .wolfnet_aoSocial .wnt-icon {
-		color: <?php echo getHex($args['colors'][0]); ?>;
+		color: <?php echo getHex($colors[0]); ?>;
 	}
 
 
 /* Birch Theme (Modern Lite) */
 
 	.wolfnet_widget.wolfnet-theme-birch.wolfnet_featuredListings .wolfnet_listing .wolfnet_listingHead .wolfnet_listingInfo,
 	.wolfnet_widget.wolfnet-theme-birch.wolfnet_listingGrid      .wolfnet_listing .wolfnet_listingHead .wolfnet_listingInfo {
-		<?php echo vertGradient($args['colors'][0], $args['colors'][0], 0, $args['opacity']); ?>
+		<?php echo vertGradient($colors[0], $colors[0], 0, $opacity); ?>
 	}
 
 
 /* Cedar Theme (Modern Contrast) */
 
 	.wolfnet_widget.wolfnet-theme-cedar.wolfnet_featuredListings .wolfnet_listing .wolfnet_listingHead .wolfnet_listingInfo,
 	.wolfnet_widget.wolfnet-theme-cedar.wolfnet_listingGrid      .wolfnet_listing .wolfnet_listingHead .wolfnet_listingInfo {
-		background-color: rgba(<?php echo getRGBA($args['colors'][0], $args['opacity']); ?>);
+		background-color: rgba(<?php echo getRGBA($colors[0], $opacity); ?>);
 	}
 
 
 /* Dogwood Theme (Modern Tile) */
 
 	.wolfnet_widget.wolfnet-theme-dogwood.wolfnet_featuredListings .wolfnet_listing .wolfnet_listingHead .wolfnet_listingInfo .wolfnet_price_rooms,
 	.wolfnet_widget.wolfnet-theme-dogwood.wolfnet_listingGrid      .wolfnet_listing .wolfnet_listingHead .wolfnet_listingInfo .wolfnet_price_rooms {
-		background-color: rgba(<?php echo getRGBA($args['colors'][0], $args['opacity']); ?>);
+		background-color: rgba(<?php echo getRGBA($colors[0], $opacity); ?>);
 	}