Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
    Thread Starter JasonWoof

    (@jasonwoof)

    Both the CSS snippets in my workarounds are to undo stuff in your CSS. You don’t need to add stuff, you need to remove things.

    Just stop meddling with the <html> and <body> tags.

    Thread Starter JasonWoof

    (@jasonwoof)

    I tried a simple workaround of adding this custom CSS to my theme:

    html.md-perspective {
        height: auto;
        overflow: auto;
    }

    But then the modal was appearing halfway down, i.e. “position: fixed” wasn’t behaving as expected, because of this:

    .md-perspective body {
        background: #222;
        -webkit-perspective: 600px;
        -moz-perspective: 600px;
        perspective: 600px;
    }

    The “perspective:” CSS property breaks “position: fixed” (of children).

    So I had to add this to my workaround:

    html.md-perspective body {
        -webkit-perspective: none;
        -moz-perspective: none;
        perspective: none;
    }

    Now the modal appears in the center of the window, and nothing happens to the scrollbar.

    Presumably because the author didn’t escape strings before passing them to SQL.

    Try replacing the $wpdb->query(sprintf('UPDATE... line near the bottom of category-thumbnails.php with this:

    if ($data !== NULL) {
    	$data = base64_decode($data);
    }
    $wpdb->update(
    	$wpdb->prefix . 'term_taxonomy',
    	array('term_thumbnail' => $data),
    	array('term_id' => $category)
    );

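
    A hardened version of the same update, added here as an illustration rather than taken from the plugin or from JasonWoof's reply: it assumes it runs inside WordPress (global `$wpdb`, `absint()`), keeps the table and column names from the reply above, and adds strict base64 decoding plus explicit `%s`/`%d` format arrays so the term id is always bound as an integer. The function name is invented for this example.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress runtime
// (global $wpdb and absint() available) and the term_taxonomy.term_thumbnail
// column used by the plugin discussed above.

/**
 * Store (or clear) the thumbnail for a category term.
 *
 * @param int|string  $category term_id taken from the request
 * @param string|null $data     base64-encoded image data, or NULL to clear it
 * @return int|false            rows affected, or false on bad input / DB error
 */
function wpuspsc_example_save_category_thumbnail($category, $data) {
	global $wpdb;

	// Coerce the id to a non-negative integer. absint() maps anything
	// non-numeric to 0, and term_id 0 never exists, so refuse it outright.
	$category = absint($category);
	if ($category === 0) {
		return false;
	}

	if ($data !== null) {
		// Strict mode: bytes outside the base64 alphabet make base64_decode()
		// return false instead of being skipped silently.
		$data = base64_decode($data, true);
		if ($data === false) {
			return false;
		}
	}

	// $wpdb->update() builds the prepared statement. The two format arrays
	// pin the SET value to %s and the WHERE column to %d, so the term id is
	// never interpolated into the query as a string fragment. A NULL $data
	// is written as SQL NULL, which clears the thumbnail.
	return $wpdb->update(
		$wpdb->prefix . 'term_taxonomy',
		array('term_thumbnail' => $data),
		array('term_id' => $category),
		array('%s'),
		array('%d')
	);
}
```
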
    Thread Starter JasonWoof

    (@jasonwoof)

    I did some work on this plugin, trying to fix all XSS issues. I succeeded in making sitelock happy. Here’s my patch:

    https://jasonwoof.com/downloads/xss-fixes-for-wpuspsc.patch

    I release all copyright claims to this work. Do what you want with it, CC0, etc.

    I hope you will merge this (or similar) into future versions of this plugin.

    Also, I hope that you will do input sanitization on the rest of the fields in your forms. The price field makes me particularly nervous.

    Thread Starter JasonWoof

    (@jasonwoof)

    Below is the patch I made, which makes sufficient improvements so that sitelock does not detect any XSS issues.

    I hope you will merge this (or similar) into future versions of this plugin.

    Also, I hope that you will do input sanitization on the rest of the fields in your forms.

    diff --git a/wp_ultra_simple_shopping_cart.php b/wp_ultra_simple_shopping_cart.php
    index bb39e12..42666c9 100644
    --- a/wp_ultra_simple_shopping_cart.php
    +++ b/wp_ultra_simple_shopping_cart.php
    @@ -24,6 +24,32 @@ Domain Path: /languages/
    
     wp_enqueue_script('jquery');
    
    +# utility functions for sanitizing and encoding data
    +function jasonwoof_enc_html($str) {
    +	$str = str_replace('&', '&', $str);
    +	$str = str_replace('<', '<', $str);
    +	$str = str_replace('>', '>', $str);
    +	return $str;
    +}
    +function jasonwoof_enc_attr($str) {
    +	$str = str_replace('&', '&', $str);
    +	$str = str_replace('"', '"', $str);
    +	return $str;
    +}
    +# sanitize an integer. return 1 if it's blank
    +function jasonwoof_format_int_1($str) {
    +	# remove all non-digits
    +	$str = preg_replace('|[^0-9]|', '', $str);
    +	# remove leading zeros (but not last digit)
    +	$str = preg_replace('|^0*([0-9])|', '\1', $str);
    +	# default to 1 (if there are no digits)
    +	if($str == '') {
    +		return '1';
    +	}
    +	return $str;
    +}
    +
    +
     if(!isset($_SESSION)) {
     	session_start();
     }
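    Review bot: as displayed, every `str_replace` in `jasonwoof_enc_html` and `jasonwoof_enc_attr` replaces a character with itself (`str_replace('&', '&', $str)`), so both helpers are no-ops; the entity targets (`&amp;`, `&lt;`, `&gt;`, `&quot;`) have evidently been decoded by the forum, and anyone copying the patch from this page gets no escaping at all. Suggest dropping the helpers in favour of the functions WordPress already ships, `esc_html()` and `esc_attr()` (or `htmlspecialchars($str, ENT_QUOTES)`), which also encode the single quote that `jasonwoof_enc_attr` never touches. `jasonwoof_format_int_1` strips non-digits rather than rejecting them, so `12abc3` becomes `123` silently; `absint()` plus an explicit minimum of 1 would state the intent more directly.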
    @@ -116,7 +142,7 @@ if($_POST['addcart']) {
     		$product = array(
     			'name'			=> stripslashes($_POST['product']),
     			'price'			=> $price,
    -			'quantity'		=> $_POST['quantity'],
    +			'quantity'		=> jasonwoof_format_int_1($_POST['quantity']),
     			'shipping'		=> $_POST['shipping'],
     			'cartLink'		=> $_POST['cartLink'],
     			'item_number'	=> $_POST['item_number']
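    Review bot: `quantity` is now normalised at intake, but the neighbouring `shipping`, `cartLink` and `item_number` values from `$_POST` are still stored untouched. Suggest giving them the same treatment here (a numeric filter for `shipping`, `esc_url_raw()` for `cartLink`) so that every later consumer of the cart array receives already-validated values instead of relying on output encoding alone.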
    @@ -352,12 +378,12 @@ function print_wpus_shopping_cart( $step="paypal", $type="page") {
     					$product_thumbnail = "";
     				}
    
    -				$cartProductDisplayLink = '<a href="'.$item['cartLink'].'">'.$product_thumbnail.$name.'</a>';
    +				$cartProductDisplayLink = '<a href="'.jasonwoof_enc_attr($item['cartLink']).'">'.$product_thumbnail.jasonwoof_enc_html($name).'</a>';
     			} else {
     				$cartProductDisplayLink = $name;
     			}
    
    -			$output_name .= "<input type=\"hidden\" name=\"product\" value=\"".$name."\" >";
    +			$output_name .= "<input type=\"hidden\" name=\"product\" value=\"".jasonwoof_enc_attr($name)."\" >";
    
     			$output .= "
     			<tr id=\"cartcontent\" class=\"cartcontent\">
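    Review bot: the `else` branch at `$cartProductDisplayLink = $name;` still emits `$name` unencoded, so the fix only covers the case where a `cartLink` is present; apply `jasonwoof_enc_html($name)` there as well. Attribute-encoding `$item['cartLink']` keeps it inside the `href` quotes but does not check that it is a URL at all; WordPress's `esc_url()` does both. `$product_thumbnail` is also concatenated raw, which is only acceptable if it is built from trusted data above this hunk.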
    @@ -366,13 +392,13 @@ function print_wpus_shopping_cart( $step="paypal", $type="page") {
     					<form method=\"post\"  action=\"\" name='pcquantity' style='display: inline'>
     					".$output_name."
     					<input type=\"hidden\" name=\"cquantity\" value=\"1\" >
    -					<input class=\"iquantity\" type=\"text\" name=\"quantity\" value=\"".$item['quantity']."\" size=\"1\"  onchange=\"this.form.submit();\" ><input class=\"pinfo\" type=\"image\" title=\"Reload\" value=\"Reload\" src=\"".WUSPSC_CART_URL."/images/Shoppingcart_reload.png\">
    +					<input class=\"iquantity\" type=\"text\" name=\"quantity\" value=\"".jasonwoof_enc_attr($item['quantity'])."\" size=\"1\"  onchange=\"this.form.submit();\" ><input class=\"pinfo\" type=\"image\" title=\"Reload\" value=\"Reload\" src=\"".WUSPSC_CART_URL."/images/Shoppingcart_reload.png\">
     					</form>
     				</td>
     				<td class=\"left\">".print_payment_currency(($price * $item['quantity']), $paypal_symbol, $decimal, get_option('cart_currency_symbol_order'))."</td>
     				<td>
     					<form method=\"post\"  action=\"\">
    -					<input type=\"hidden\" name=\"product\" value=\"".$item['name']."\" >
    +					<input type=\"hidden\" name=\"product\" value=\"".jasonwoof_enc_attr($item['name'])."\" >
     					<input type='hidden' name='delcart' value='1' >
     					<input class=\"remove\" type=\"image\" src='".WUSPSC_CART_URL."/images/Shoppingcart_delete.png' value='".get_option('remove_text')."' title='".get_option('remove_text')."' >
     					</form>
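    Review bot: the `value='...'` and `title='...'` attributes on the remove button still interpolate `get_option('remove_text')` unencoded, and they are single-quoted, which `jasonwoof_enc_attr` would not protect anyway since it encodes `"` only. Suggest `esc_attr()` on that option and double quotes on those two attributes, matching the rest of the form.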
    @@ -381,16 +407,16 @@ function print_wpus_shopping_cart( $step="paypal", $type="page") {
     			";
    
     			$form .= "
    -				<input type=\"hidden\" name=\"item_name_{$count}\" value=\"{$name}\" >
    -				<input type=\"hidden\" name=\"amount_{$count}\" value='{$price}' >
    -				<input type=\"hidden\" name=\"quantity_{$count}\" value=\"{$item['quantity']}\" >
    -				<input type=\"hidden\" name=\"amount_{$count}\" value=\"{$price}\" >
    -				<input type='hidden' name='item_number' value='".$item['item_number']."' >
    +				<input type=\"hidden\" name=\"item_name_{$count}\" value=\"".jasonwoof_enc_attr($name)."\" >
    +				<input type=\"hidden\" name=\"amount_{$count}\" value='".jasonwoof_enc_attr($price)."' >
    +				<input type=\"hidden\" name=\"quantity_{$count}\" value=\"".jasonwoof_enc_attr($item['quantity'])."\" >
    +				<input type=\"hidden\" name=\"amount_{$count}\" value=\"".jasonwoof_enc_attr($price)."\" >
    +				<input type='hidden' name='item_number' value='".jasonwoof_enc_attr($item['item_number'])."' >
     			";
    
     			$item_tax = (!empty($display_vat) && is_numeric($display_vat) )? round(($price * $display_vat) / 100, 2) : 0 ;
     			if(!empty($item_tax)){
    -				$form .= "<input type=\"hidden\" name=\"tax_{$count}\"  value=\"{$item_tax}\">";
    +				$form .= "<input type=\"hidden\" name=\"tax_{$count}\"  value=\"".jasonwoof_enc_attr($item_tax)."\">";
     				$total_vat = $total_vat + ( $item_tax * $item['quantity'] );
     			}
    
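    Review bot: two of the new lines place `jasonwoof_enc_attr()` output inside single-quoted attributes (`amount_{$count}` and `item_number`), but the helper encodes only `&` and `"`, so a `'` in `$price` or `$item['item_number']` still terminates the attribute; either encode `'` too or use double quotes throughout. Separately, `amount_{$count}` is emitted twice in the same block (once single-quoted, once double-quoted); that predates this patch, but collapsing it to one field while these lines are being touched would be worthwhile.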
    @@ -399,7 +425,7 @@ function print_wpus_shopping_cart( $step="paypal", $type="page") {
    
     		if(!get_option('wpus_shopping_cart_use_profile_shipping')) {
     			$postage_cost = number_format($postage_cost,2);
    -			$form .= "<input type=\"hidden\" name=\"shipping_1\" value='".$postage_cost."' >";
    +			$form .= "<input type=\"hidden\" name=\"shipping_1\" value='".jasonwoof_enc_attr($postage_cost)."' >";
     		}
    
     		if(get_option('wpus_shopping_cart_collect_address')) {//force address collection
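    Review bot: `shipping_1` is another single-quoted attribute fed from `jasonwoof_enc_attr()`, which leaves `'` unencoded. `$postage_cost` has just been through `number_format()` so the value is safe in practice, but the quoting should still be made consistent (double quotes, or an encoder that covers `'`) so the safety does not depend on the preceding line staying as it is.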
    @@ -499,7 +525,7 @@ function print_wpus_shopping_cart( $step="paypal", $type="page") {
     			  	// all data sent to paypal
     			  	$output .= $urls.'<input type="hidden" name="business" value="'.$email.'"><input type="hidden" name="currency_code" value="'.$paypal_currency.'"><input type="hidden" name="cmd" value="_cart"><input type="hidden" name="upload" value="1"><input type="hidden" name="rm" value="2"><input type="hidden" name="mrb" value="DKBDRZGU62JYC"><input type="hidden" name="bn" value="UltraProdSAS_SI_ADHOC">';
    
    -				if(!empty($vat)) $output .= '<input type="hidden" name="tax_cart" value="'.$total_vat.'" >';
    +				if(!empty($vat)) $output .= '<input type="hidden" name="tax_cart" value="'.jasonwoof_enc_attr($total_vat).'" >';
    
     				if($use_affiliate_platform) {
     					$output .= wp_cart_add_custom_field();
    @@ -859,4 +885,4 @@ add_shortcode('always_show_wpus_shopping_cart', 'us_always_show_cart_handler');
     add_action('wp_head', 'wp_cart_add_read_form_javascript');
    
    -?>
    \ No newline at end of file
    +?>
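    Review bot: rather than adding a newline after the closing `?>`, drop the `?>` altogether; in a file that contains only PHP the closing tag is optional, and omitting it removes the chance of trailing whitespace being sent as output before headers. The `\ No newline at end of file` marker this hunk fixes disappears with the tag.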