From 2da264f9f7d190afd21e7d8c9f6d2ea6638a7e90 Mon Sep 17 00:00:00 2001 From: Graham Trott Date: Sun, 28 Feb 2021 20:26:37 +0000 Subject: [PATCH] Various updates --- dist/easycoder-min.js | 7 ++++--- dist/easycoder.js | 2 +- dist/easycoder.php | 4 ++-- dist/readme.txt | 3 +++ dist/rest.php | 1 + js/easycoder/EasyCoder.js | 2 +- resources/md/home.md | 2 +- server/easycoder.php | 4 ++-- server/readme.txt | 3 +++ server/rest.php | 1 + 10 files changed, 19 insertions(+), 10 deletions(-) diff --git a/dist/easycoder-min.js b/dist/easycoder-min.js index 251d68d..300dbab 100644 --- a/dist/easycoder-min.js +++ b/dist/easycoder-min.js @@ -3,8 +3,9 @@ $jscomp.makeIterator=function(a){var b="undefined"!=typeof Symbol&&Symbol.iterat $jscomp.defineProperty=$jscomp.ASSUME_ES5||"function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype||a==Object.prototype)return a;a[b]=c.value;return a};$jscomp.getGlobal=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;bc&&(c=Math.max(c+e,0));cc&&(c=Math.max(c+e,0));cb?-c:c}},"es6","es3");$jscomp.polyfill("String.prototype.endsWith",function(a){return a?a:function(b,c){var d=$jscomp.checkStringArgs(this,b,"endsWith");b+="";void 0===c&&(c=d.length);c=Math.max(0,Math.min(c|0,d.length));for(var e=b.length;0=e}},"es6","es3"); $jscomp.polyfill("String.prototype.startsWith",function(a){return a?a:function(b,c){var d=$jscomp.checkStringArgs(this,b,"startsWith");b+="";var e=d.length,f=b.length;c=Math.max(0,Math.min(c|0,d.length));for(var g=0;g=f}},"es6","es3"); 
@@ -228,5 +229,5 @@ f.condition=EasyCoder_Condition;f.parent=d;f.domain=this.domain;f.imports=b;f.co b.isUndefined=this.isUndefined;b.isJsonString=this.isJsonString;b.getSymbolRecord=this.getSymbolRecord;b.verifySymbol=this.verifySymbol;b.runtimeError=this.runtimeError;b.nonNumericValueError=this.nonNumericValueError;b.variableDoesNotHoldAValueError=this.variableDoesNotHoldAValueError;b.reportError=this.reportError;b.register=this.register;b.symbols=f.getSymbols();b.unblocked=!1;b.encoding="ec";b.popups=[];b.stack=[];b.queue=[0];b.module=c;b.parent=d;c&&(c.program=b.script);return b},tokeniseFile:function(a){var b= [],c=[],d=0;a.forEach(function(e,f){b.push({lino:f+1,line:e});for(var g=e.length,h="",k=!0,l=0;lsource); $dest = "../../../$resources/" . str_replace('~', '/', $json->dest); diff --git a/js/easycoder/EasyCoder.js b/js/easycoder/EasyCoder.js index ecea10b..4f4fd28 100644 --- a/js/easycoder/EasyCoder.js +++ b/js/easycoder/EasyCoder.js @@ -1,4 +1,4 @@ -EasyCoder.version = `2.7.5`; +EasyCoder.version = `2.7.6`; EasyCoder.timestamp = Date.now(); console.log(`EasyCoder loaded; waiting for page`); diff --git a/resources/md/home.md b/resources/md/home.md index 740f17d..070763f 100644 --- a/resources/md/home.md +++ b/resources/md/home.md @@ -28,4 +28,4 @@ Also look at some of our examples (/SIDEBAR/). These are complete web pages you After that it's time to add an ~ec~ script to your web page. The links /SIDEBAR/ include examples that should help you understand what you need to add to your website. If you need further help you can contact us in our [Slack](https://easycoder-software.slack.com/) channel. Don't be afraid to ask; everybody was a beginner once. -All of the source code of this website can be found in the [EasyCoder Repository](https:github.com/easycoder/easycoder.github.io). +All of the source code of this website can be found in the [EasyCoder Repository](https://github.com/easycoder/easycoder.github.io). 
diff --git a/server/easycoder.php b/server/easycoder.php
index e82fb44..3a0b126 100644
--- a/server/easycoder.php
+++ b/server/easycoder.php
@@ -3,7 +3,7 @@
 * Plugin Name: EasyCoder
 * Plugin URI: https://easycoder.software
 * Description: Control the appearance and behavior of your posts and pages by embedding simple English-like scripts, without the need to learn JavaScript.
- * Version: 2.7.5
+ * Version: 2.7.6
 * Author: EasyCoder Software
 * Author URI: https://easycoder.software
 */
@@ -16,7 +16,7 @@ add_action('wp_enqueue_scripts', 'easycoder_enqueue_script', 2);
 function easycoder_enqueue_script() {
 wp_enqueue_script('easycoder_script',
- 'https://cdn.jsdelivr.net/gh/easycoder/easycoder.github.io/dist/easycoder.js', array(), '2.7.5');
+ 'https://cdn.jsdelivr.net/gh/easycoder/easycoder.github.io/dist/easycoder.js', array(), '2.7.6');
 }
 // Set up default plugin and REST scripts
diff --git a/server/readme.txt b/server/readme.txt
index 91e80ab..af7a23e 100644
--- a/server/readme.txt
+++ b/server/readme.txt
@@ -54,6 +54,9 @@ For tutorials and a programmers' reference see our [EasyCoder Software Codex](ht
 == Changelog ==
+= 2.7.6 23-feb 2021 =
+* Fix security vulnerability. Thanks to Brett Caldwell, buckshotbrett@gmail.com
+
 = 2.7.5 02-dec 2020 =
 * Fix a bug in the code to detect module running
diff --git a/server/rest.php b/server/rest.php
index 138274e..841adef 100644
--- a/server/rest.php
+++ b/server/rest.php
@@ -246,6 +246,7 @@
 // Endpoint: {site root}/wp-content/plugins/easycoder/rest.php/_thumb
 header("Content-Type: application/json");
 $value = stripslashes(file_get_contents("php://input"));
+ $value = str_replace( array("&", "|", ";"), '', $value);
 $json = json_decode($value);
 $source = "../../../$resources/" . str_replace('~', '/', $json->source);
 $dest = "../../../$resources/" . str_replace('~', '/', $json->dest);
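Review bot: The added `str_replace` in the `_thumb` handler of server/rest.php is a three-character denylist applied to the raw request body before `json_decode`, so it never inspects the decoded `source` and `dest` values and leaves other shell-significant characters and `..` path segments untouched. Whatever consumes `$source` and `$dest` lies below the hunk and is not visible here; if they reach a shell command, as the changelog's "security vulnerability" entry suggests, each should additionally be wrapped in `escapeshellarg()` at that call. I would validate the decoded fields against an allowlist and reject the request on any mismatch, as sketched below; the character class is a guess and needs adjusting to the file names the plugin actually stores. The diffstat shows the same one-line addition in dist/rest.php, so the same applies there.

```php
$json = json_decode($value);
// Validate the decoded fields rather than the raw body; reject instead of rewriting.
foreach (array('source', 'dest') as $field) {
    $name = isset($json->$field) ? $json->$field : null;
    if (!is_string($name)
        || !preg_match('/^[A-Za-z0-9._~-]+$/', $name)
        || strpos($name, '..') !== false) {
        http_response_code(400);
        exit;
    }
}
// … unchanged: $source and $dest assignments …
```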