Release new version 2.5.0

* This release is for compatibility with WordPress major version 6.0 plus includes various tweaks to harden the plugins security.
* Tweak - Test for compatibility with WordPress 6.0
* Framework – Upgrade Plugin Framework to version 2.6.0
* Security - Various code hardening tweaks.
* Security - Escape all $-variable
* Security - Sanitize all $_REQUEST, $_GET, $_POST
* Security - Apply wp_unslash before sanitize

Author: alextuan

a3-lazy-load.php

@@ -2,11 +2,11 @@
 /*
 Plugin Name: a3 Lazy Load
 Description: Speed up your site and enhance frontend user's visual experience in PC's, Tablets and mobile with a3 Lazy Load.
-Version: 2.4.9
+Version: 2.5.0
 Author: a3rev Software
 Author URI: https://a3rev.com/
 Requires at least: 5.6
-Tested up to: 5.9
+Tested up to: 6.0
 Text Domain: a3-lazy-load
 Domain Path: /languages
 License: GPLv2 or later
@@ -31,7 +31,7 @@
 
 define( 'A3_LAZY_LOAD_KEY', 'a3_lazy_load' );
 define( 'A3_LAZY_LOAD_PREFIX', 'a3_lazy_load_' );
-define( 'A3_LAZY_VERSION', '2.4.9' );
+define( 'A3_LAZY_VERSION', '2.5.0' );
 define( 'A3_LAZY_LOAD_G_FONTS', false );
 
 use \A3Rev\LazyLoad\FrameWork;

admin/admin-init.php

@@ -199,7 +199,7 @@ public function admin_settings_page( $page_data = array() ) {
 			<?php
 					if ( $page_data !== false) {
 						echo esc_html( $page_data['page_title'] );
-						if ( isset( $page_data['view_doc'] ) ) echo $page_data['view_doc'];
+						if ( isset( $page_data['view_doc'] ) ) echo wp_kses_post( $page_data['view_doc'] );
 					}
 			?>
 			</h1>
@@ -281,7 +281,7 @@ public function admin_settings_tab( $current_page = '', $tab_data = array()  ) {
 			$separate_text = '';
 			$activated_first_subtab = false;
 			foreach ( $subtabs as $subtab ) {
-				echo '<li>' . $separate_text . '<a href="#' . trim( esc_attr( $subtab['name'] ) ) . '" class="';
+				echo '<li>' . esc_html( $separate_text ) . '<a href="#' . trim( esc_attr( $subtab['name'] ) ) . '" class="';
 				if ( $current_subtab == '' && $activated_first_subtab === false ) {
 					echo 'current';
 					$activated_first_subtab = true;

admin/admin-interface.php

@@ -33,7 +33,7 @@ class Admin_UI
 	 * You must change to correct plugin name that you are working
 	 */
 
-	public $framework_version      = '2.5.0';
+	public $framework_version      = '2.6.0';
 	public $plugin_name            = A3_LAZY_LOAD_KEY;
 	public $plugin_path            = A3_LAZY_LOAD_NAME;
 	public $google_api_key_option  = '';
@@ -87,8 +87,6 @@ public function __construct() {
 		}
 
 		$this->support_url = 'https://wordpress.org/support/plugin/a3-lazy-load/';
-
-		$this->update_google_map_api_key();
 	}
 
 
@@ -182,13 +180,20 @@ public function validate_google_map_api_key( $g_key = '' ) {
 	}
 
 	public function update_google_map_api_key() {
+		if ( ! current_user_can( 'manage_options' ) ) {
+			return false;
+		}
+
+		check_admin_referer( 'save_settings_' . $this->plugin_name );
+
 		// Enable Google Map API Key
 		if ( isset( $_POST[ $this->google_map_api_key_option . '_enable' ] ) ) {
+
 			$old_google_map_api_key_enable = get_option( $this->google_map_api_key_option . '_enable', 0 );
 
 			update_option( $this->google_map_api_key_option . '_enable', 1 );
 
-			$option_value = trim( sanitize_text_field( $_POST[ $this->google_map_api_key_option ] ) );
+			$option_value = trim( sanitize_text_field( wp_unslash( $_POST[ $this->google_map_api_key_option ] ) ) );
 			update_option( $this->google_map_api_key_option, $option_value );
 
 			if ( 1 != $old_google_map_api_key_enable ) {
@@ -203,7 +208,7 @@ public function update_google_map_api_key() {
 
 			update_option( $this->google_map_api_key_option . '_enable', 0 );
 
-			$option_value = trim( sanitize_text_field( $_POST[ $this->google_map_api_key_option ] ) );
+			$option_value = trim( sanitize_text_field( wp_unslash( $_POST[ $this->google_map_api_key_option ] ) ) );
 			update_option( $this->google_map_api_key_option, $option_value );
 
 			if ( 0 != $old_google_map_api_key_enable ) {
@@ -254,7 +259,7 @@ public function plugin_premium_video_box( $echo = true ) {
 		$output = apply_filters( $this->plugin_name . '_plugin_premium_video', $output );
 
 		if ( $echo )
-			echo $output;
+			echo wp_kses_post( $output );
 		else
 			return $output;
 	}
@@ -275,7 +280,7 @@ public function plugin_premium_video( $echo = false ) {
 		$output .= '</div>';
 
 		if ( $echo )
-			echo $output;
+			echo wp_kses_post( $output );
 		else
 			return $output;
 	}
@@ -293,7 +298,7 @@ public function plugin_premium_video_text( $echo = false ) {
 		}
 
 		if ( $echo )
-			echo $output;
+			echo wp_kses_post( $output );
 		else
 			return $output;
 	}
@@ -327,7 +332,7 @@ public function plugin_extension_boxes( $echo = false ) {
 		}
 
 		if ( $echo )
-			echo $output;
+			echo wp_kses_post( $output );
 		else
 			return $output;
 	}
@@ -364,7 +369,7 @@ public function plugin_extension_end( $echo = true ) {
 		$output = apply_filters( $this->plugin_name . '_plugin_extension_end', $output );
 
 		if ( $echo )
-			echo $output;
+			echo wp_kses_post( $output );
 		else
 			return $output;
 
@@ -384,7 +389,7 @@ public function upgrade_top_message( $echo = false, $setting_id = '' ) {
 
 		$upgrade_top_message = apply_filters( $this->plugin_name . '_upgrade_top_message', $upgrade_top_message, $setting_id );
 
-		if ( $echo ) echo $upgrade_top_message;
+		if ( $echo ) echo wp_kses_post( $upgrade_top_message );
 		else return $upgrade_top_message;
 
 	}

admin/admin-ui.php

@@ -364,13 +364,46 @@ public function __construct() {
 			return;
 		}
 
+		if ( apply_filters( $this->plugin_name . '_new_google_fonts_enable', true ) ) {
+			$this->is_valid_google_api_key();
+			$google_fonts = get_option( $this->plugin_name . '_google_font_list', array() );
+		} else {
+			$google_fonts = array();
+		}
+
+		if ( ! is_array( $google_fonts ) || count( $google_fonts ) < 1 ) {
+			$google_fonts = apply_filters( $this->plugin_name . '_google_fonts', $this->google_fonts );
+		}
+
+		sort( $google_fonts );
+
+		$new_google_fonts = array();
+		foreach ( $google_fonts as $row ) {
+			$new_google_fonts[$row['name']]  = $row;
+		}
+
+		$this->google_fonts = $new_google_fonts;
+
+	}
+
+	public function update_google_font_api_key() {
+		if ( ! current_user_can( 'manage_options' ) ) {
+			return false;
+		}
+
+		check_admin_referer( 'save_settings_' . $this->plugin_name );
+
+		if ( ! $this->is_load_google_fonts ) {
+			return;
+		}
+
 		// Enable Google Font API Key
 		if ( isset( $_POST[ $this->google_api_key_option . '_enable' ] ) ) {
 			$old_google_api_key_enable = get_option( $this->google_api_key_option . '_enable', 0 );
 
 			update_option( $this->google_api_key_option . '_enable', 1 );
 
-			$option_value = trim( sanitize_text_field( $_POST[ $this->google_api_key_option ] ) );
+			$option_value = trim( sanitize_text_field( wp_unslash( $_POST[ $this->google_api_key_option ] ) ) );
 
 			$old_google_api_key_option = get_option( $this->google_api_key_option );
 
@@ -388,35 +421,14 @@ public function __construct() {
 
 			update_option( $this->google_api_key_option . '_enable', 0 );
 
-			$option_value = trim( sanitize_text_field( $_POST[ $this->google_api_key_option ] ) );
+			$option_value = trim( sanitize_text_field( wp_unslash( $_POST[ $this->google_api_key_option ] ) ) );
 			update_option( $this->google_api_key_option, $option_value );
 
 			if ( 0 != $old_google_api_key_enable ) {
 				// Clear cached of google api key status
 				delete_transient( $this->google_api_key_option . '_status' );
 			}
 		}
-
-		if ( apply_filters( $this->plugin_name . '_new_google_fonts_enable', true ) ) {
-			$this->is_valid_google_api_key();
-			$google_fonts = get_option( $this->plugin_name . '_google_font_list', array() );
-		} else {
-			$google_fonts = array();
-		}
-
-		if ( ! is_array( $google_fonts ) || count( $google_fonts ) < 1 ) {
-			$google_fonts = apply_filters( $this->plugin_name . '_google_fonts', $this->google_fonts );
-		}
-
-		sort( $google_fonts );
-
-		$new_google_fonts = array();
-		foreach ( $google_fonts as $row ) {
-			$new_google_fonts[$row['name']]  = $row;
-		}
-
-		$this->google_fonts = $new_google_fonts;
-
 	}
 
 	public function validate_google_api_key( $g_key = '' ) {
@@ -608,10 +620,14 @@ public function generate_font_css( $option, $em = '1.2' ) {
             $line_height = $option['line_height'];
         }
 
+        $font_css = '';
+
 		if ( !@$option['style'] && !@$option['size'] && !@$option['color'] )
-			return 'font-family: '.stripslashes($option["face"]).' !important;';
+			$font_css = 'font-family: '.stripslashes($option["face"]).' !important;';
 		else
-			return 'font:'.$option['style'].' '.$option['size'].'/' . $line_height . ' ' .stripslashes($option['face']).' !important; color:'.$option['color'].' !important;';
+			$font_css = 'font:'.$option['style'].' '.$option['size'].'/' . $line_height . ' ' .stripslashes($option['face']).' !important; color:'.$option['color'].' !important;';
+
+		return apply_filters( $this->plugin_name . '_generate_font_css', $font_css, $option, $em );
 	}
 
 
@@ -641,14 +657,20 @@ public function generate_google_webfonts( $my_google_fonts = array(), $echo = tr
 			// Output google font css in header
 			if ( trim( $fonts ) != '' ) {
 				$fonts = str_replace( " ","+",$fonts);
-				$output .= "\n<!-- Google Webfonts -->\n";
-				$output .= '<link href="http'. ( is_ssl() ? 's' : '' ) .'://fonts.googleapis.com/css?family=' . $fonts .'" rel="stylesheet" type="text/css" />'."\n";
-				$output = str_replace( '|"','"',$output);
+
+				if ( $echo ) {
+					echo "\n<!-- Google Webfonts -->\n";
+					echo '<link href="http'. ( is_ssl() ? 's' : '' ) .'://fonts.googleapis.com/css?family=' . esc_attr( $fonts ) .'" rel="stylesheet" type="text/css" />'."\n";
+				} else {
+					$output .= "\n<!-- Google Webfonts -->\n";
+					$output .= '<link href="http'. ( is_ssl() ? 's' : '' ) .'://fonts.googleapis.com/css?family=' . esc_attr( $fonts ) .'" rel="stylesheet" type="text/css" />'."\n";
+					$output = str_replace( '|"','"',$output);
+				}
 			}
 		}
 
 		if ( $echo )
-			echo $output;
+			echo '';
 		else
 			return $output;
 

admin/includes/fonts_face.php

@@ -85,15 +85,20 @@ public function uploader_style () {
 	/*-----------------------------------------------------------------------------------*/
 	/* Get Upload Input Field */
 	/*-----------------------------------------------------------------------------------*/
-	public function upload_input ( $name_attribute, $id_attribute = '', $value = '', $attachment_id = 0, $default_value = '', $field_name = '', $class = '', $css = '', $description = '', $strip_methods = true ) {
+	public function upload_input ( $name_attribute, $id_attribute = '', $value = '', $attachment_id = 0, $default_value = '', $field_name = '', $class = '', $css = '', $description = '', $strip_methods = true, $size = 'original' ) {
 		$output = '';
 
 		if ( trim( $value ) == '' ) $value = trim( $default_value );
 
 		if ( strstr( $name_attribute, ']' ) ) {
 			$attachment_id_name_attribute = substr_replace( $name_attribute, '_attachment_id', -1, 0 );
+
+			$attachment_size_name_attribute = substr_replace( $name_attribute, '_attachment_size', -1, 0 );
+
 		} else {
 			$attachment_id_name_attribute = $name_attribute.'_attachment_id';
+
+			$attachment_size_name_attribute = $name_attribute.'_attachment_size';
 		}
 
 		if ( $strip_methods === false ) {
@@ -103,6 +108,7 @@ public function upload_input ( $name_attribute, $id_attribute = '', $value = '',
 		}
 
 		$output .= '<input type="hidden" name="'.$attachment_id_name_attribute.'" id="'.$id_attribute.'_attachment_id" value="'.$attachment_id.'" class=" a3_upload_attachment_id" />';
+		$output .= '<input type="hidden" name="'.$attachment_size_name_attribute.'" id="'.$id_attribute.'_attachment_size" value="'.$size.'" class=" a3_upload_attachment_size" />';
 		$output .= '<input data-strip-methods="'.$strip_methods.'" type="text" name="'.$name_attribute.'" id="'.$id_attribute.'" value="'.esc_attr( $value ).'" class="'.$id_attribute. ' ' .$class.' a3_upload" style="'.$css.'" rel="'.$field_name.'" /> ';
 		$output .= '<input id="upload_'.$id_attribute.'" class="a3rev-ui-upload-button a3_upload_button button" type="button" value="'.__( 'Upload', 'a3-lazy-load' ).'" /> '.$description;
 
@@ -126,7 +132,7 @@ public function upload_input ( $name_attribute, $id_attribute = '', $value = '',
 
 				$title = __( 'View File', 'a3-lazy-load' );
 
-				$output .= '<div class="a3_no_image"><span class="a3_file_link"><a href="'.esc_url( $value ).'" target="_blank" rel="a3_external">'.$title.'</a></span>'.$remove.'</div>';
+				$output .= '<div class="a3_no_image"><span class="a3_file_link"><a href="'.esc_url( $value ).'" target="_blank" rel="noopener">'.$title.'</a></span>'.$remove.'</div>';
 
 			}
 		}

admin/includes/uploader/class-uploader.php

@@ -2,8 +2,8 @@
 Contributors: a3rev, a3rev Software, nguyencongtuan
 Tags: a3 lazy load, Lazy Loading, image lazy load, lazyload
 Requires at least: 5.6
-Tested up to: 5.9
-Stable tag: 2.4.9
+Tested up to: 6.0
+Stable tag: 2.5.0
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -198,6 +198,15 @@ Filter tags to add to class name of theme to exclude lazy load on images or vide
 
 == Changelog ==
 
+= 2.5.0 - 2022/05/24 =
+* This release is for compatibility with WordPress major version 6.0 plus includes various tweaks to harden the plugins security. 
+* Tweak - Test for compatibility with WordPress 6.0
+* Framework – Upgrade Plugin Framework to version 2.6.0
+* Security - Various code hardening tweaks.
+* Security - Escape all $-variable
+* Security - Sanitize all $_REQUEST, $_GET, $_POST
+* Security - Apply wp_unslash before sanitize
+
 = 2.4.9 - 2022/01/21 =
 * This is a maintenance release for compatibility with WordPress major version 5.9
 * Tweak - Test for compatibility with WordPress 5.9
@@ -591,6 +600,9 @@ Filter tags to add to class name of theme to exclude lazy load on images or vide
 
 == Upgrade Notice ==
 
+= 2.5.0 =
+This release is for compatibility with WordPress major version 6.0 plus includes various tweaks to harden the plugins security
+
 = 2.4.9 =
 This is a maintenance release for compatibility with WordPress major version 5.9