v2.0.8 * sanitize avatar First and Last Name

README.md

@@ -5,7 +5,7 @@
 * Requires at least: 5.0
 * Requires PHP: 5.6
 * Tested up to: 5.8.1
-* Stable tag: master
+* Stable tag: 2.0.8
 * License: AGPLv3
 * License URI: https://www.gnu.org/licenses/agpl-3.0.txt
 
@@ -120,6 +120,9 @@ This plugin is intended for grids. For standalone simulators, see [OpenSimulator
 
 ## Changelog
 
+### 2.0.8
+* sanitize avatar First and Last Name
+
 ### 2.0.7
 * fix other WP plugins directory requirements
 * renamed plugin as W4OS - OpenSimulator Web Interface

includes/profile.php

@@ -556,8 +556,8 @@ function w4os_profile_wc_edit( $user ) {
   } else {
     $action = 'w4os_create_avatar';
 
-    $firstname = esc_attr(preg_replace("/[^[:alnum:]]/", "", ($_REQUEST['w4os_firstname']) ? $_REQUEST['w4os_firstname'] : get_user_meta( $user->ID, 'first_name', true )));
-    $lastname = esc_attr(preg_replace("/[^[:alnum:]]/", "", ($_REQUEST['w4os_lastname']) ? $_REQUEST['w4os_lastname'] : get_user_meta( $user->ID, 'last_name', true )));
+    $firstname = sanitize_text_field(preg_replace("/[^[:alnum:]]/", "", (isset($_REQUEST['w4os_firstname'])) ? $_REQUEST['w4os_firstname'] : get_user_meta( $user->ID, 'first_name', true )));
+    $lastname  = sanitize_text_field(preg_replace("/[^[:alnum:]]/", "", (isset($_REQUEST['w4os_lastname']))  ? $_REQUEST['w4os_lastname']  : get_user_meta( $user->ID, 'last_name', true )));
 
     $content .= "<p class=description>" . __('Choose your avatar name below. This is how people will see you in-world. Once the avatar is created, it cannot be changed.', 'w4os') . "</p>";
 
@@ -566,11 +566,11 @@ function w4os_profile_wc_edit( $user ) {
 
       <p class='woocommerce-form-row woocommerce-form-row--first form-row form-row-first'>
     		<label for='w4os_firstname'>" . __("Avatar first name", "w4os") . "&nbsp;<span class='required'>*</span></label>
-    		<input type='text' class='woocommerce-Input woocommerce-Input--text input-text' name='w4os_firstname' id='w4os_firstname' autocomplete='given-name' value='$firstname' required>
+    		<input type='text' class='woocommerce-Input woocommerce-Input--text input-text' name='w4os_firstname' id='w4os_firstname' autocomplete='given-name' value='" . esc_attr($firstname) . "' required>
     	</p>
     	<p class='woocommerce-form-row woocommerce-form-row--last form-row form-row-last'>
     		<label for='w4os_lastname'>" . __("Avatar last name", "w4os") . "&nbsp;<span class='required'>*</span></label>
-    		<input type='text' class='woocommerce-Input woocommerce-Input--text input-text' name='w4os_lastname' id='w4os_lastname' autocomplete='family-name' value='$lastname' required>
+    		<input type='text' class='woocommerce-Input woocommerce-Input--text input-text' name='w4os_lastname' id='w4os_lastname' autocomplete='family-name' value='" . esc_attr($lastname) . "' required>
     	</p>
       <div class='clear'></div>
       ";

languages/w4os-fr_FR.po

@@ -7,8 +7,8 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2021-09-28T11:06:22-04:00\n"
-"PO-Revision-Date: 2021-09-28 11:18-0400\n"
+"POT-Creation-Date: 2021-10-04T18:43:07-04:00\n"
+"PO-Revision-Date: 2021-10-04 18:43-0400\n"
 "Language: fr_FR\n"
 "X-Generator: Poedit 2.4.2\n"
 
@@ -72,7 +72,7 @@ msgstr "Base de données du serveur Robust"
 
 #: admin/settings-inc.php:20
 msgid "Required tables are missing, check your connection settings or your database"
-msgstr "Des tables requises sont manquantes. Vérifiez vos réglages de connexion ou votre base de donées"
+msgstr "Des tables requises sont manquantes. Vérifiez vos réglages de connexion ou votre base de données"
 
 #: admin/settings-inc.php:24
 msgid "Hostname"
@@ -202,7 +202,7 @@ msgstr "UUID de l'avatar"
 
 # wpml-name: a2ac9ef42c9ebc25f8dbab799ac23565
 #: includes/profile.php:58
-#: includes/profile.php:529
+#: includes/profile.php:536
 msgid "Avatar name"
 msgstr "Nom de l'avatar"
 
@@ -212,140 +212,140 @@ msgid "Password must contain at least %s characters, including uppercase, lowerc
 msgstr "Le mot de passe doit contenir au moins %s caractères, dont une majuscule, une minuscule et un chiffre"
 
 # wpml-name: 0d3e39fb622d9e6d7b389757aa651fff
-#: includes/profile.php:223
+#: includes/profile.php:224
 msgid "This user already has an avatar."
 msgstr "Cet utilisateur a déjà un avatar."
 
 # wpml-name: b2d0fb30e09bf39693f6183c33455748
-#: includes/profile.php:235
+#: includes/profile.php:236
 msgid "First name required"
 msgstr "Prénom requis"
 
 # wpml-name: 14bcd8bac9d052de9f9aa0f685a6da73
-#: includes/profile.php:236
+#: includes/profile.php:237
 msgid "Last name required"
 msgstr "Nom de famille requis"
 
 # wpml-name: 8ffca1456a2308a5556a750be1ecbac0
-#: includes/profile.php:237
+#: includes/profile.php:238
 msgid "Password required"
 msgstr "Mot de passe requis"
 
-#: includes/profile.php:238
+#: includes/profile.php:239
 msgid "The password does not match."
 msgstr "Le mot de passe ne correspond pas."
 
 # wpml-name: 4eb86d524f30b9885871ed68c24b0f29
-#: includes/profile.php:245
-#: includes/profile.php:249
+#: includes/profile.php:246
+#: includes/profile.php:250
 msgid "The name %s is not allowed"
 msgstr "Le nom %s n'est pas autorisé"
 
-#: includes/profile.php:254
+#: includes/profile.php:255
 msgid "Names can only contain alphanumeric characters"
 msgstr "Les noms ne peuvent contenir que des caractères alphanumériques"
 
-#: includes/profile.php:261
+#: includes/profile.php:262
 msgid "There is already a grid user named %s"
 msgstr "Il y a déjà un utilisateur appelé %s"
 
-#: includes/profile.php:269
+#: includes/profile.php:270
 msgid "This should never happen! Generated a random UUID that already existed. Sorry. Try again."
 msgstr "Ceci ne devrait jamais arriver. L'UUID généré existe déjà. Désolé. Essayez encore."
 
-#: includes/profile.php:291
+#: includes/profile.php:292
 msgid "Error while creating user"
 msgstr "Erreur lors de la création de l'utilisateur"
 
 # wpml-name: d9c2d86a66aa5a45326c3757f3a272cc
-#: includes/profile.php:300
+#: includes/profile.php:301
 msgid "Error while setting password"
 msgstr "Erreur lors de l'enregistrement du mot de passe"
 
-#: includes/profile.php:311
+#: includes/profile.php:312
 msgid "Error while setting home region"
 msgstr "Erreur lors du réglage de la région domicile"
 
-#: includes/profile.php:328
+#: includes/profile.php:329
 msgid "Error while creating user inventory"
 msgstr "Erreur lors de la création de l'inventaire"
 
-#: includes/profile.php:451
+#: includes/profile.php:452
 msgid "Error while adding inventory item"
 msgstr "Erreur lors de l'ajout d'un élément d'inventaire"
 
-#: includes/profile.php:462
+#: includes/profile.php:463
 msgid "Error while adding inventory outfit link"
 msgstr "Erreur lors de l'ajout du lien d'apparence"
 
-#: includes/profile.php:474
+#: includes/profile.php:475
 msgid "Error while adding avatar"
 msgstr "Erreur lors de la création de l'avatar"
 
 # wpml-name: 02cb97a68e5137af44e882dbe2180485
-#: includes/profile.php:485
+#: includes/profile.php:486
 msgid "Avatar %s created successfully."
 msgstr "L'avatar %s a été créé avec succès."
 
 # wpml-name: 9e186e1c05cc43a7c8e119a8ad12e201
-#: includes/profile.php:495
+#: includes/profile.php:496
 msgid "Action %s not implemented"
 msgstr "Action %s non implémentée"
 
-#: includes/profile.php:504
+#: includes/profile.php:505
 msgid "%sLog in%s to choose an avatar."
 msgstr "%sConnectez-vous%s pour choisir un avatar."
 
 # wpml-name: bc2068f5bf9d75b50d1f046f1e57c23c
-#: includes/profile.php:518
+#: includes/profile.php:525
 msgid "You have no grid account yet. Fill the form below to create your avatar."
 msgstr "Vous n'avez pas encore de compte sur la grille. Remplissez le formulaire ci-dessous pour créer votre avatar."
 
 # wpml-name: 877a81d559efa8e5dac0cccac9f80a09
-#: includes/profile.php:526
+#: includes/profile.php:533
 msgid "leave blank to leave unchanged"
 msgstr "laissez vide pour ne pas faire de modification"
 
 # wpml-name: 5a54d9ad87f7c4c1c70c8f05b9515d5a
-#: includes/profile.php:534
+#: includes/profile.php:541
 msgid "UUID"
 msgstr "UUID"
 
 # wpml-name: 1a87f41bc2db648685564cf6fa5b2903
-#: includes/profile.php:555
+#: includes/profile.php:562
 msgid "Choose your avatar name below. This is how people will see you in-world. Once the avatar is created, it cannot be changed."
 msgstr "Choisissez le nom de votre avatar. C'est sous ce nom que les autres vous verront en ligne. Une fois que l'avatar est créé, il n'est plus possible de modifier ce nom."
 
 # wpml-name: bfc045552fb736eb0e776baee784de42
-#: includes/profile.php:561
+#: includes/profile.php:568
 msgid "Avatar first name"
 msgstr "Prénom de l'avatar"
 
 # wpml-name: a2ac9ef42c9ebc25f8dbab799ac23565
-#: includes/profile.php:565
+#: includes/profile.php:572
 msgid "Avatar last name"
 msgstr "Nom de famille de l'avatar"
 
-#: includes/profile.php:577
+#: includes/profile.php:584
 msgid "Your in-world Avatar password is the same as your password on this website"
 msgstr "Votre mot de passe d'avatar est le même que votre mot de passe sur ce site"
 
 # wpml-name: d9c2d86a66aa5a45326c3757f3a272cc
-#: includes/profile.php:579
+#: includes/profile.php:586
 msgid "Confirm your password"
 msgstr "Confirmez votre mot de passe"
 
 # wpml-name: 847fcf17b5e3d8a6625d71c4dedd34a1
-#: includes/profile.php:594
+#: includes/profile.php:601
 msgid "Your avatar"
 msgstr "Votre avatar"
 
 # wpml-name: 90efd059f58183a99038e138b8fe17f0
-#: includes/profile.php:595
+#: includes/profile.php:602
 msgid "You can change and customize it in-world, as often as you want."
 msgstr "Vous pourrez le changer et le personnaliser à votre guise en ligne."
 
-#: includes/profile.php:632
+#: includes/profile.php:639
 msgid "Save"
 msgstr "Enregistrer"