From 0372f4d1f43dbf1aeaf85df6bb12819864d34e44 Mon Sep 17 00:00:00 2001
From: Serhiy Zakharchenko <zaharchenko.dev@gmail.com>
Date: Tue, 29 Oct 2024 12:20:59 +0000
Subject: [PATCH 1/2] Security improvements #741

---
 .../class-admin-notifications-handler.php     |   4 +-
 .../handlers/class-options-handler.php        |   4 +-
 templates/ssp-analytics.php                   | 250 ------------------
 3 files changed, 4 insertions(+), 254 deletions(-)
 delete mode 100644 templates/ssp-analytics.php

diff --git a/php/classes/handlers/class-admin-notifications-handler.php b/php/classes/handlers/class-admin-notifications-handler.php
index 157a4f09..239b6b29 100644
--- a/php/classes/handlers/class-admin-notifications-handler.php
+++ b/php/classes/handlers/class-admin-notifications-handler.php
@@ -448,10 +448,10 @@ public function check_existing_podcasts() {
 	 */
 	public function existing_episodes_notice() {
 		$hosting_tab_url = ssp_get_tab_url( 'castos-hosting' );
-		$ignore_message_url = add_query_arg( array(
+		$ignore_message_url = esc_url( add_query_arg( array(
 			'podcast_import_action' => 'ignore',
 			'nonce' => wp_create_nonce( 'podcast_import_action' ),
-		) );
+		) ) );
 		$message = '';
 		$message .= '<p>You\'ve connected to your Castos account, and you have existing podcasts that can be synced.</p>';
 		$message .= '<p>You can <a href="' . $hosting_tab_url . '">sync your existing podcasts to Castos now.</a></p>';
diff --git a/php/classes/handlers/class-options-handler.php b/php/classes/handlers/class-options-handler.php
index 735db17e..989b8eda 100644
--- a/php/classes/handlers/class-options-handler.php
+++ b/php/classes/handlers/class-options-handler.php
@@ -85,13 +85,13 @@ public function options_fields() {
 
 		$subscribe_options_array = $this->get_subscribe_field_options();
 
-		$feed_details_url = add_query_arg(
+		$feed_details_url = esc_url( add_query_arg(
 			array(
 				'post_type' => SSP_CPT_PODCAST,
 				'page'      => 'podcast_settings',
 				'tab'       => 'feed-details',
 			)
-		);
+		) );
 
 		$options['subscribe'] = array(
 			'title'       => __( 'Distribution options', 'seriously-simple-podcasting' ),
diff --git a/templates/ssp-analytics.php b/templates/ssp-analytics.php
deleted file mode 100644
index 060348a3..00000000
--- a/templates/ssp-analytics.php
+++ /dev/null
@@ -1,250 +0,0 @@
-<?php
-
-
-?>
-<div style="padding-right: 20px;overflow:hidden;">
-    <h1 style="width:70%;float:left"><?php echo __( 'Podcast Analytics', 'seriously-simple-podcasting' ); ?></h1>
-    <div style="overflow: auto; text-align:right; padding-top:20px;">
-        <div style="width:100%;">
-            <div style="width:45%;float:left; text-align:left">
-                <input type="tex" class="ssp-date" placeholder="From">
-            </div>
-            <div style="width: 10%; float:left;text-align:center">
-                -
-            </div>
-            <div style="width:45%;float:left;text-align:right">
-                <input type="text" class="ssp-date" placeholder="To">
-            </div>
-        </div>
-    </div>
-</div>
-<hr>
-
-<?php
-$series = get_terms( 'series', array( 'hide_empty' => false ) );
-
-if ( ! empty( $series ) ) {
-
-    if ( isset( $_GET['feed-series'] ) && $_GET['feed-series'] && 'all' != $_GET['feed-series'] ) {
-        $current_series = esc_attr( $_GET['feed-series'] );
-        $series_class   = '';
-    } else {
-        $current_series = 'all';
-        $series_class   = 'current';
-    }
-
-    $html .= '<div class="feed-series-list-container">' . "\n";
-    $html .= '<span id="feed-series-toggle" class="series-open" title="' . __( 'Toggle podcasts list display', 'seriously-simple-podcasting' ) . '"></span>' . "\n";
-
-    $html .= '<ul id="feed-series-list" class="subsubsub series-open">' . "\n";
-    $html .= '<li><a href="' . add_query_arg( array(
-            'feed-series' => 'all',
-            'settings-updated' => false
-        ) ) . '" class="' . $series_class . '">' . __( 'All Podcasts', 'seriously-simple-podcasting' ) . '</a></li>';
-
-    foreach ( $series as $s ) {
-
-        if ( $current_series == $s->slug ) {
-            $series_class = 'current';
-        } else {
-            $series_class = '';
-        }
-
-        $html .= '<li>' . "\n";
-        $html .= ' | <a href="' . esc_url( add_query_arg( array(
-                'feed-series'      => $s->slug,
-                'settings-updated' => false
-            ) ) ) . '" class="' . $series_class . '">' . $s->name . '</a>' . "\n";
-        $html .= '</li>' . "\n";
-    }
-
-    $html .= '</ul>' . "\n";
-    $html .= '<br class="clear" />' . "\n";
-    $html .= '</div>' . "\n";
-
-    echo $html;
-}
-
-?>
-
-<div style="padding-right: 20px;overflow:hidden;">
-
-    <div style="overflow:hidden;padding:20px;">
-        <h3 style="margin-bottom: 5px;text-align: left;">Total Listens</h3>
-        <div id="tester" style="height:350px;"></div>
-    </div>
-
-    <div style="overflow:hidden">
-
-        <div style="width:33.33%;float:left;">
-            <div style="padding: 20px; overflow:hidden;">
-                <div style="overflow: hidden; background:#fff;">
-                    <h3 style="padding: 5px 0; text-align: center">Episode Stats</h3>
-                    <div id="ssp_episode_stats" style="width: 100%;"></div>
-                </div>
-            </div>
-        </div>
-
-        <div style="width:33.33%;float:left;">
-            <div style="padding: 20px; overflow:hidden;">
-                <div style="overflow: hidden; background:#fff;">
-                    <h3 style="padding: 5px 0; text-align: center">Listening Source</h3>
-                    <div id="ssp_listening_sources" style="width: 100%;"></div>
-                </div>
-            </div>
-        </div>
-
-        <div style="width:33.33%;float:left;">
-            <div style="padding: 20px; overflow:hidden;">
-                <div style="overflow: hidden; background:#fff;">
-                    <h3 style="padding: 5px 0; text-align: center">Geographic</h3>
-                    <div id="ssp_global_stats" style="width:100%;"></div>
-                </div>
-            </div>
-        </div>
-
-    </div>
-
-</div>
-
-<?php
-    add_action( 'admin_footer', function(){
-        ?>
-            <script>
-
-                var SspChartColours = [
-                    ['rgb(0, 207, 207)', 'rgb(255, 201, 0)', 'rgb(237, 0, 104)']
-                ];
-
-                TESTER = document.getElementById('tester');
-
-                Plotly.plot(
-
-                    TESTER,
-
-                    [
-                        {
-                            x: [1, 2, 3, 4, 5],
-                            y: [1, 2, 4, 8, 16]
-                        }
-                    ],
-
-                    {
-                        margin: {
-                            t: 25,
-                            b: 25,
-                            r: 25,
-                            l: 25
-                        }
-                    }
-
-                );
-
-                var ssp_listening_sources_data = [{
-                    values: [19, 26, 55],
-                    labels: ['Web', 'Mobile', 'Apps'],
-                    hole: .5    ,
-                    type: 'pie',
-                    marker: {
-                        colors: SspChartColours[0]
-                    },
-                    hoverinfo: "label+percent",
-                    hoverlabel: {
-                        bgcolor: '#222',
-                        font: {
-                            color: '#fff'
-                        }
-                    },
-                    textfont: {
-                        color: '#fff'
-                    }
-                }];
-
-                var ssp_listening_sources_layout = {
-                    height: 400,
-                    margin: {
-                        t: 25,
-                        b: 25,
-                        r: 25,
-                        l: 25
-                    },
-                    font: {
-                        size: 14,
-                    },
-                    legend: {
-                        orientation: "h"
-                    }
-                };
-
-                // ----- LISTENING SOURCES
-
-                var ssp_listening_sources = document.getElementById('ssp_listening_sources');
-
-                Plotly.plot('ssp_listening_sources', ssp_listening_sources_data, ssp_listening_sources_layout);
-
-                var ssp_episode_stats = document.getElementById('ssp_listening_sources');
-
-                var ssp_episode_stats_data = [
-                    {
-                        x: ['plays', 'complete', 'avg time'],
-                        y: [999, 450, 67],
-                        type: 'bar'
-                    }
-                ];
-
-                var ssp_episode_stats_layout = {
-                    xaxis: {
-                        tickangle: 0
-                    },
-                    barmode: 'group'
-                };
-
-                Plotly.plot( 'ssp_episode_stats', ssp_episode_stats_data, ssp_episode_stats_layout );
-
-                // ----- GLOBAL STATS
-
-                var ssp_global_stats_data = [{
-                    type: 'scattergeo',
-                    mode: 'markers',
-                    locations: ['FRA', 'DEU', 'RUS', 'ESP'],
-                    marker: {
-                        size: [20, 30, 15, 10],
-                        color: [10, 20, 40, 50],
-                        cmin: 0,
-                        cmax: 50,
-                        colorscale: 'Greens',
-                        colorbar: {
-                            title: 'Some rate',
-                            ticksuffix: '%',
-                            showticksuffix: 'last'
-                        },
-                        line: {
-                            color: 'black'
-                        }
-                    },
-                    name: 'europe data'
-                }];
-
-                var ssp_global_stats_layout = {
-                    'geo': {
-                        'scope': 'all',
-                        'resolution': 50
-                    },
-                    margin: {
-                        t: 25,
-                        b: 25,
-                        r: 25,
-                        l: 25
-                    }
-                };
-
-                var ssp_global_stats = document.getElementById('ssp_global_stats');
-
-                Plotly.plot( 'ssp_global_stats', ssp_global_stats_data, ssp_global_stats_layout );
-
-                jQuery( '.ssp-date' ).datepicker();
-
-            </script>
-        <?php
-    } );
-?>

From 0e5f077d72d8447ee19d458419fa283d969c1ced Mon Sep 17 00:00:00 2001
From: Serhiy Zakharchenko <zaharchenko.dev@gmail.com>
Date: Tue, 29 Oct 2024 16:36:31 +0000
Subject: [PATCH 2/2] Version 3.6.0-alpha.3

---
 seriously-simple-podcasting.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/seriously-simple-podcasting.php b/seriously-simple-podcasting.php
index f1f1b9c3..5c6adf09 100644
--- a/seriously-simple-podcasting.php
+++ b/seriously-simple-podcasting.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * Plugin Name: Seriously Simple Podcasting
- * Version: 3.6.0-alpha.2
+ * Version: 3.6.0-alpha.3
  * Plugin URI: https://castos.com/seriously-simple-podcasting/?utm_medium=sspodcasting&utm_source=wordpress&utm_campaign=wpplugin_08_2019
  * Description: Podcasting the way it's meant to be. No mess, no fuss - just you and your content taking over the world.
  * Author: Castos
@@ -22,7 +22,7 @@
 	exit;
 }
 
-define( 'SSP_VERSION', '3.6.0-alpha.2' );
+define( 'SSP_VERSION', '3.6.0-alpha.3' );
 define( 'SSP_PLUGIN_FILE', __FILE__ );
 define( 'SSP_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
 define( 'SSP_PLUGIN_PATH', plugin_dir_path( __FILE__ ) );