From 49a305a7e842409dc7eb9c1d4fd1f388e16e91fb Mon Sep 17 00:00:00 2001
From: Javad Ahshamian <ham3da.j@gmail.com>
Date: Fri, 16 Dec 2022 15:04:20 +0330
Subject: [PATCH] Optimization and cleaning

Optimization and cleaning based on the recommendations of the WordPress Plugin Review Team
---
 inc/admin/add-word.php              |  15 ++--
 inc/admin/dashboard-template.php    |   6 +-
 inc/admin/data-template.php         |  10 +--
 inc/admin/import-data.php           |   5 +-
 inc/admin/settings-template.php     |   6 +-
 inc/admin/settings.php              |   4 +-
 inc/admin/words-list.php            |   2 +-
 inc/admin/words-table.php           |  60 ++++++++-----
 inc/ajax.php                        |  12 ++-
 inc/pagination/Pagination.class.php |  39 ---------
 inc/pagination/render.inc.php       |  16 ++--
 inc/search-tool.php                 |  35 ++++----
 inc/templates/description.php       |   6 +-
 inc/templates/searchbox.php         |  21 ++---
 lang/mdict-fa_IR.mo                 | Bin 6371 -> 6369 bytes
 lang/mdict-fa_IR.po                 | 130 ++++++++++++++--------------
 moein-dictionary-free.php           |   4 +-
 readme.txt                          |   7 +-
 18 files changed, 181 insertions(+), 197 deletions(-)

diff --git a/inc/admin/add-word.php b/inc/admin/add-word.php
index 8816086..05d3eec 100644
--- a/inc/admin/add-word.php
+++ b/inc/admin/add-word.php
@@ -50,7 +50,11 @@ function mdict_add() {
             <div class="mdict-lower">
 
                 <div class="mdict-alert mdict-critical mdict-text-center">
-                    <h3 class="mdict-key-status failed"><?php echo __('Moein Dictionary', 'mdict') . __(' » ', 'mdict') . $title ?></h3>
+                    <h3 class="mdict-key-status failed"><?php
+                        _e('Moein Dictionary', 'mdict');
+                        _e(' » ', 'mdict');
+                        echo esc_html($title)
+                        ?></h3>
                     <p class="mdict-description">
 
                     </p>
@@ -59,18 +63,17 @@ function mdict_add() {
                 <div class="mdict-boxes">
                     <div class="mdict-box">
                         <form method="post">
-                            <input type="hidden" name="item_id" value="<?php echo $item_id ?>">
+                            <input type="hidden" name="item_id" value="<?php echo esc_attr($item_id) ?>">
                             <div class="wrap">
                                 <table class="form-table" role="presentation">
                                     <tr>
                                         <th scope="row"><label for="word"><?php _e('Word', 'mdict'); ?></label></th>
-                                        <td><input name="word" type="text" id="word" value="<?php echo $word ?>" class="regular-text"></td>
+                                        <td><input name="word" type="text" id="word" value="<?php echo sanitize_text_field($word)?>" class="regular-text"></td>
                                     </tr> 
                                     <tr>
                                         <th scope="row"><label for="description"><?php _e('Description', 'mdict'); ?></label></th>
                                         <td>
-                                            <textarea class="regular-text" id="description" name="description" rows="5" cols="10"><?php echo $des ?></textarea>
-
+                                            <textarea class="regular-text" id="description" name="description" rows="5" cols="10"><?php echo esc_textarea($des) ?></textarea>
                                         </td>
                                     </tr> 
                                 </table>
@@ -145,7 +148,7 @@ function save_func() {
             $data_id = $wpdb->insert_id;
             do_action('mdict_word_add', $data_id, $data_array);
 
-            $url = admin_url('admin.php?page=mdict-add&item_id=' . $data_id);
+            $url = esc_url(admin_url('admin.php?page=mdict-add&item_id=' . $data_id));
             wp_redirect($url);
             exit();
         }
diff --git a/inc/admin/dashboard-template.php b/inc/admin/dashboard-template.php
index a9e54c7..4dc529a 100644
--- a/inc/admin/dashboard-template.php
+++ b/inc/admin/dashboard-template.php
@@ -20,14 +20,14 @@
                     <ul>
                         <li>✔ <?php printf(__('Name: %s', 'mdict'), __('Moein Dictionary(free)', 'mdict')); ?></li>
                         <li>✔ <?php
-                            echo sprintf(__('Number of available words: %s', 'mdict'), number_format($w_count));
+                            printf(__('Number of available words: %s', 'mdict'), number_format($w_count));
                             if ($w_count < MDict_SearchTools::get_check_count())
                             {
-                                echo ' 🔔 <a href="'. admin_url('admin.php?page=mdict-data-intall').'">'.__('Install the data', 'mdict') .'</a>';
+                                ?>🔔 <a href="<?php echo esc_url(admin_url('admin.php?page=mdict-data-intall')) ?>"><?php _e('Install the data', 'mdict') ?></a><?php
                             }
                             ?>
                         </li>
-                        <li>✔ <?php printf(__('Version: %s', 'mdict'), MDC_PLUGIN_VERSION).' - ' .__('free version', 'mdict'); ?></li>
+                        <li>✔ <?php printf(__('Version: %s', 'mdict'), MDC_PLUGIN_VERSION) . ' - ' . __('free version', 'mdict'); ?></li>
 
                     </ul>
 
diff --git a/inc/admin/data-template.php b/inc/admin/data-template.php
index b9d06d1..32984d6 100644
--- a/inc/admin/data-template.php
+++ b/inc/admin/data-template.php
@@ -1,8 +1,7 @@
 <div id="mdict-plugin-container" class="mdict">
     <div class="mdict-lower">
-
         <div class="mdict-alert mdict-critical mdict-text-center">
-            <h3 class="mdict-key-status failed"><?php echo __('Moein Dictionary', 'mdict') . __(' » ', 'mdict') . __('Data installation', 'mdict') ?></h3>
+            <h3 class="mdict-key-status failed"><?php _e('Moein Dictionary', 'mdict'); _e(' » ', 'mdict') ; _e('Data installation', 'mdict') ?></h3>
             <p class="mdict-description">
 
             </p>
@@ -12,7 +11,6 @@
             <div class="mdict-box">
                 <div class="wrap">
                     <table class="form-table" role="presentation">
-
                         <?php
                         for ($index = 1; $index <= 8; $index++)
                         {
@@ -20,13 +18,13 @@
                             $is_installed = MDict_Import_Data::is_installed($file_name);
                             ?>
                             <tr>
-                                <th scope="row"><label for="data_<?php echo $index ?>"><?php printf(__('Step %d', 'mdict'), $index); ?></label></th>
+                                <th scope="row"><label for="data_<?php echo esc_attr($index) ?>"><?php printf(__('Part %d', 'mdict'), $index); ?></label></th>
                                 <td>
                                     <?php
                                     if ($index <= 4)
                                     {
                                         ?>
-                                        <button <?php echo ($is_installed ? 'disabled="disabled"' : '') ?> name="data_<?php echo $index ?>" type="button" id="data_<?php echo $index ?>" data-file_name="<?php echo 'data_' . $index ?>" class="button button-primary mdict-install"><?php ($is_installed ? _e('Installed', 'mdict') : _e('Install', 'mdict')) ?></button>
+                                    <button <?php echo ($is_installed ? 'disabled="disabled"' : '') ?> name="data_<?php echo esc_attr($index) ?>" type="button" id="data_<?php echo esc_attr($index) ?>" data-file_name="<?php echo 'data_' . esc_attr($index) ?>" class="button button-primary mdict-install"><?php ($is_installed ? _e('Installed', 'mdict') : _e('Install', 'mdict')) ?></button>
                                         &nbsp;
                                         <progress class="progress_loading" style="display: none"
                                                   indeterminate 
@@ -42,7 +40,7 @@
                                         <p>
                                            <?php
                                            $pro_link = '<br><a href="https://www.zhaket.com/web/moien-farhang-plugin">'.__('Go to commercial version', 'mdict').'</a>';
-                                           printf(__('This step is only available on the commercial version. %s', 'mdict'), $pro_link);
+                                           printf(__('This part is only available on the commercial version. %s', 'mdict'), $pro_link);
                                            ?> 
                                         </p>
                                         <?php
diff --git a/inc/admin/import-data.php b/inc/admin/import-data.php
index 88188d1..58759d8 100644
--- a/inc/admin/import-data.php
+++ b/inc/admin/import-data.php
@@ -22,7 +22,7 @@ function check_data_installed() {
             if ($w_count < MDict_SearchTools::get_check_count())
             {
                 $class = 'notice notice-error';
-                $message = __('Moein Dictionary data is not fully installed.', 'mdict') . ' 🔔 <a href="' . admin_url('admin.php?page=mdict-data-intall') . '">' . __('Install the data', 'mdict') . '</a>';
+                $message = __('Moein Dictionary data is not fully installed.', 'mdict') . ' 🔔 <a href="' . esc_url(admin_url('admin.php?page=mdict-data-intall')) . '">' . __('Install the data', 'mdict') . '</a>';
                 printf('<div class="%1$s"><p>%2$s</p></div>', esc_attr($class), $message);
             }
         }
@@ -106,8 +106,7 @@ public static function import($file_name) {
 
             if (mysqli_connect_errno())
             {
-                echo "Failed to connect to MySQL: " . mysqli_connect_error();
-                exit();
+                die( "Failed to connect to MySQL: " . mysqli_connect_error());
             }
 
             $utf8 = mysqli_set_charset($con, "utf8");
diff --git a/inc/admin/settings-template.php b/inc/admin/settings-template.php
index fd74465..f0b648f 100644
--- a/inc/admin/settings-template.php
+++ b/inc/admin/settings-template.php
@@ -2,7 +2,7 @@
     <div class="mdict-lower">
 
         <div class="mdict-alert mdict-critical mdict-text-center">
-            <h3 class="mdict-key-status failed"><?php echo __('Moein Dictionary', 'mdict') . __(' » ', 'mdict') . __('Settings', 'mdict') ?></h3>
+            <h3 class="mdict-key-status failed"><?php _e('Moein Dictionary', 'mdict'); _e(' » ', 'mdict'); _e('Settings', 'mdict') ?></h3>
             <p class="mdict-description">
 
             </p>
@@ -59,7 +59,7 @@
                                         foreach ($font_options as $key => $value)
                                         {
                                             ?>
-                                            <option <?php selected($font_saved, $key) ?> value="<?php echo $key ?>" ><?php echo $value ?></option>
+                                        <option <?php selected($font_saved, $key) ?> value="<?php echo esc_attr($key) ?>" ><?php echo esc_html($value) ?></option>
                                             <?php
                                         }
                                         ?>
@@ -70,7 +70,7 @@
                             <tr>
                                 <th scope="row"><label for="font_size"><?php _e('Font size', 'mdict'); ?></label></th>
 
-                                <td><input name="font_size" type="number" id="font_size" value="<?php echo $font_size ?>" class="small-text"> px</td>
+                                <td><input name="font_size" type="number" id="font_size" value="<?php echo sanitize_text_field($font_size) ?>" class="small-text"> px</td>
 
                             </tr> 
                         </table>
diff --git a/inc/admin/settings.php b/inc/admin/settings.php
index 3535a18..4aeecde 100644
--- a/inc/admin/settings.php
+++ b/inc/admin/settings.php
@@ -52,7 +52,7 @@ public static function  custom_css() {
             .mdict a.mdict-word-link,
             .mdict h1.card-header
             {
-                font-size: <?php echo $font_size ?>px;
+            font-size: <?php echo sanitize_text_field($font_size)  ?>px;
             }
         <?php
          return ob_get_clean();
@@ -97,7 +97,7 @@ function wcpl_admin_notice__success() {
     function save_func() {
 
         $page = filter_input(INPUT_GET, 'page'); 
-        if ('POST' != $_SERVER['REQUEST_METHOD'] || $page != 'mdict-settings')
+        if ('POST' != sanitize_text_field($_SERVER['REQUEST_METHOD']) || $page != 'mdict-settings')
         {
             return;
         }
diff --git a/inc/admin/words-list.php b/inc/admin/words-list.php
index 58ddbdb..d64c4b0 100644
--- a/inc/admin/words-list.php
+++ b/inc/admin/words-list.php
@@ -48,7 +48,7 @@ function words_list() {
         ?>
         <div class="wrap mdict">
             <h1 class="wp-heading-inline"><?php _e('List of words', 'mdict'); ?></h1>
-            <a href="<?php echo admin_url('admin.php?page=mdict-add') ?>" class="page-title-action"><?php _e('Add Word', 'mdict') ?></a>
+            <a href="<?php echo esc_url(admin_url('admin.php?page=mdict-add')) ?>" class="page-title-action"><?php _e('Add Word', 'mdict') ?></a>
             <hr class="wp-header-end">
             <form method="post" action="">
                 <?php
diff --git a/inc/admin/words-table.php b/inc/admin/words-table.php
index 96d991f..ebf1c08 100644
--- a/inc/admin/words-table.php
+++ b/inc/admin/words-table.php
@@ -19,14 +19,15 @@ function __construct() {
 
         if (($action == 'delete') || ( $action2 == 'delete'))
         {
-            
-            
+
+
             $posted_data = filter_input_array(INPUT_POST);
 
             if (isset($posted_data['id']))
             {
                 $ids = implode(',', $posted_data['id']);
-                $wpdb->query("DELETE FROM $table WHERE `id` IN($ids)");
+
+                $wpdb->query($wpdb->prepare("DELETE FROM `$table` WHERE `id` IN(%s)", $ids));
 
                 $count = count($posted_data['id']);
                 add_action('admin_notices', function () use ($count) {
@@ -85,14 +86,11 @@ function prepare_items() {
         $per_page = $this->get_items_per_page('mdict_wl_per_page', 20);
         $current_page = $this->get_pagenum();
 
+        $offset = ($current_page - 1) * $per_page;
+
         $table_name = $wpdb->prefix . "pn_mdict";
-        $query = "SELECT * FROM $table_name";
-        $s = $_REQUEST["s"] ?? '';
 
-        if (!empty($s))
-        {
-            $query = "SELECT * FROM `$table_name` Where `Word` LIKE '$s'";
-        }
+        $s = isset($_REQUEST["s"]) ? sanitize_text_field($_REQUEST["s"]) : '';
 
         $orderby = filter_input(INPUT_GET, 'orderby');
         $orderby = !empty($orderby) ? esc_sql($orderby) : 'id';
@@ -100,33 +98,51 @@ function prepare_items() {
         $order = filter_input(INPUT_GET, 'order');
         $order = !empty($order) ? esc_sql($order) : 'ASC';
 
-        if (!empty($orderby) & !empty($order))
+        if (!empty($s))
+        {
+            $s = esc_sql($s);
+
+            $totalitems = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM `$table_name` Where `Word` LIKE '%s'", $s));
+            $totalpages = ceil($totalitems / $per_page);
+
+            if (!empty($orderby) & !empty($order))
+            {
+                $this->items = $wpdb->get_results($wpdb->prepare("SELECT * FROM `$table_name` Where `Word` LIKE '%s' ORDER BY $orderby $order LIMIT $offset, $per_page", $s));
+            }
+            else
+            {
+                $this->items = $wpdb->get_results($wpdb->prepare("SELECT * FROM `$table_name` Where `Word` LIKE '%s' LIMIT $offset, $per_page", $s));
+            }
+        }
+        else
         {
-            $query .= " ORDER BY  $orderby $order";
+            $totalitems = $wpdb->get_var("SELECT COUNT(*) FROM `$table_name`");
+            $totalpages = ceil($totalitems / $per_page);
+            
+            if (!empty($orderby) & !empty($order))
+            {
+                $this->items = $wpdb->get_results("SELECT * FROM `$table_name` ORDER BY $orderby $order LIMIT $offset, $per_page");
+            }
+            else
+            {
+                $this->items = $wpdb->get_results("SELECT * FROM `$table_name` LIMIT $offset, $per_page");
+            }
         }
 
 
-        $totalitems = $wpdb->query($query);
-        $offset = ($current_page - 1) * $per_page;
-        $totalpages = ceil($totalitems / $per_page);
-        $query .= " LIMIT $offset, $per_page";
         $this->set_pagination_args(array(
             "total_items" => $totalitems,
             "total_pages" => $totalpages,
             "per_page" => $per_page,
         ));
-        $this->items = $wpdb->get_results($query);
     }
 
     function column_Word($item) {
 
-
         $actions = array(
-            'edit' => '<a href="' . admin_url('admin.php?page=mdict-add&item_id=' . $item->id) . '">' . __('Edit', 'mdict') . '</a>',
+            'edit' => '<a href="' . esc_url(admin_url('admin.php?page=mdict-add&item_id=' . $item->id)) . '">' . __('Edit', 'mdict') . '</a>',
         );
-
-        $link = '<a href="' . admin_url('admin.php?page=mdict-add&item_id=' . $item->id) . '">' . $item->Word . '</a>';
-
+        $link = '<a href="' . esc_url(admin_url('admin.php?page=mdict-add&item_id=' . $item->id)) . '">' . esc_html($item->Word) . '</a>';
         return sprintf('%1$s %2$s', '<strong>' . $link . '</strong>', $this->row_actions($actions));
     }
 
@@ -135,8 +151,6 @@ protected function get_primary_column_name() {
     }
 
     function column_Description($item) {
-
-
         return mdict_get_excerot($item->Description, 10);
     }
 
diff --git a/inc/ajax.php b/inc/ajax.php
index 2ffb89b..a000446 100644
--- a/inc/ajax.php
+++ b/inc/ajax.php
@@ -31,27 +31,25 @@ public static function check_register()
     }
     
     public static function import_data() {
-        $data_file = $_POST['data_file'] ?? null;
+        
+        $data_file = filter_input(INPUT_POST, 'data_file');
         if (!$data_file)
         {
             return false;
         }
-
         $res = MDict_Import_Data::import($data_file);
-        echo wp_send_json($res);
-        wp_die();
+        wp_send_json($res);
     }
 
     public static function search_word() {
 
-        $word = $_POST['word'] ?? null;
+        $word =  filter_input(INPUT_POST, 'word');
         if (!$word)
         {
             return false;
         }
         $result = MDict_SearchTools::search_ajax($word);
-        echo wp_send_json(array('res' => 1, 'data' => $result));
-        wp_die();
+        wp_send_json(array('res' => 1, 'data' => $result));
     }
 
 }
diff --git a/inc/pagination/Pagination.class.php b/inc/pagination/Pagination.class.php
index f54bb10..dc04761 100644
--- a/inc/pagination/Pagination.class.php
+++ b/inc/pagination/Pagination.class.php
@@ -2,45 +2,6 @@
 
 /**
  * Pagination
- * 
- * Supplies an API for setting pagination details, and renders the resulting
- * pagination markup (html) through the included render.inc.php file.
- * 
- * @note    The SEO methods (canonical/rel) were written following Google's
- *          suggested patterns. Namely, the canoical url excludes any 
- *          peripheral parameters that don't relate to the pagination
- *          series. Whereas the prev/next rel link tags include any params
- *          found in the request.
- * @author  Oliver Nassar <onassar@gmail.com>
- * @todo    add setter parameter type and range checks w/ exceptions
- * @example
- * <code>
- *     // source inclusion
- *     require_once APP . '/vendors/PHP-Pagination/Pagination.class.php';
- *     
- *     // determine page (based on <_GET>)
- *     $page = isset($_GET['page']) ? ((int) $_GET['page']) : 1;
- *     
- *     // instantiate with page and records as constructor parameters
- *     $pagination = (new Pagination($page, 200));
- *     $markup = $pagination->parse();
- * </code>
- * @example
- * <code>
- *     // source inclusion
- *     require_once APP . '/vendors/PHP-Pagination/Pagination.class.php';
- *     
- *     // determine page (based on <_GET>)
- *     $page = isset($_GET['page']) ? ((int) $_GET['page']) : 1;
- *     
- *     // instantiate; set current page; set number of records
- *     $pagination = (new Pagination());
- *     $pagination->setCurrent($page);
- *     $pagination->setTotal(200);
- *     
- *     // grab rendered/parsed pagination markup
- *     $markup = $pagination->parse();
- * </code>
  */
 class Pagination
 {
diff --git a/inc/pagination/render.inc.php b/inc/pagination/render.inc.php
index ba485a6..9d740a7 100644
--- a/inc/pagination/render.inc.php
+++ b/inc/pagination/render.inc.php
@@ -16,7 +16,7 @@
 if ($pages > 1 || $alwaysShowPagination === true)
 {
     ?>
-    <ul class="<?php echo implode(' ', $classes) ?>">
+    <ul class="<?php echo esc_attr(implode(' ', $classes)) ?>">
         <?php
         /**
          * Previous Link
@@ -39,7 +39,7 @@
             array_push($classes, 'disabled');
         }
         ?>
-        <li class="page-item <?php echo implode(' ', $classes) ?>"><a class="page-link" href="<?php echo esc_url($href_first) ?>"><?php echo ($first) ?></a></li>
+        <li class="page-item <?php echo esc_attr(implode(' ', $classes)) ?>"><a class="page-link" href="<?php echo esc_url($href_first) ?>"><?php echo esc_html($first) ?></a></li>
         <?php
         $classes = array('copy', 'previous');
 
@@ -58,7 +58,7 @@
         }
         ?>
 
-        <li class="page-item <?php echo implode(' ', $classes) ?>"><a class="page-link" href="<?php echo esc_url($href) ?>"><?php echo ($previous) ?></a></li>
+        <li class="page-item <?php echo esc_attr( implode(' ', $classes)) ?>"><a class="page-link" href="<?php echo esc_url($href) ?>"><?php echo esc_html($previous) ?></a></li>
         <?php
         /**
          * if this isn't a clean output for pagination (eg. show numerical
@@ -108,13 +108,13 @@
                         $href
                 );
                 ?>
-                <li class="page-item"><a class="page-link" data-pagenumber="<?php echo ($current + $x - $leading) ?>" href="<?php echo esc_url($href) ?>"><?php echo ($current + $x - $leading) ?></a></li>
+        <li class="page-item"><a class="page-link" data-pagenumber="<?php echo esc_attr($current + $x - $leading) ?>" href="<?php echo esc_url($href) ?>"><?php echo esc_html($current + $x - $leading) ?></a></li>
                 <?php
             }
 
             // print current page
             ?>
-            <li class="page-item active"><a class="page-link" data-pagenumber="<?php echo ($current) ?>" href="#"><?php echo ($current) ?></a></li>
+        <li class="page-item active"><a class="page-link" data-pagenumber="<?php echo esc_attr($current) ?>" href="#"><?php echo esc_html($current) ?></a></li>
             <?php
             // generate/render trailing crumbs
             for ($x = 0; $x < $trailing; ++$x)
@@ -130,7 +130,7 @@
                         $href
                 );
                 ?>
-                <li class="page-item"><a class="page-link" data-pagenumber="<?php echo ($current + $x + 1) ?>" href="<?php echo esc_url($href) ?>"><?php echo ($current + $x + 1) ?></a></li>
+        <li class="page-item"><a class="page-link" data-pagenumber="<?php echo esc_attr($current + $x + 1) ?>" href="<?php echo esc_url($href) ?>"><?php echo esc_html($current + $x + 1) ?></a></li>
                 <?php
             }
         }
@@ -163,9 +163,9 @@
                 $href_last
         );
         ?>
-        <li class="page-item <?php echo implode(' ', $classes) ?>"><a class="page-link" href="<?php echo esc_url($href) ?>"><?php echo ($next) ?></a></li>
+        <li class="page-item <?php echo esc_attr(implode(' ', $classes)) ?>"><a class="page-link" href="<?php echo esc_url($href) ?>"><?php echo esc_html($next) ?></a></li>
 
-        <li class="page-item <?php echo implode(' ', $classes) ?>"><a class="page-link" href="<?php echo esc_url($href_last) ?>"><?php echo ($last) ?></a></li>
+        <li class="page-item <?php echo esc_attr(implode(' ', $classes)) ?>"><a class="page-link" href="<?php echo esc_url($href_last) ?>"><?php echo esc_html($last) ?></a></li>
 
     </ul>
     <?php
diff --git a/inc/search-tool.php b/inc/search-tool.php
index 7e17c09..aedcc4a 100644
--- a/inc/search-tool.php
+++ b/inc/search-tool.php
@@ -45,33 +45,36 @@ public static function search($word, $sb = 1) {
         $offset = ($current_page - 1) * $per_page;
         $where = "";
         $order_by = "`Word` ASC";
-
+        $query_total = 0;
+        $query_res = null;
+        
         if (!empty($word))
         {
             if ($sb == 1)
             {
-                $where .= "Where `Word` LIKE '%$word%'";
-                $order_by = "LOCATE('$word', Word), `Word` ASC";
+                $where .= "Where `Word` LIKE '%s'";
+                $order_by = "LOCATE('%s', Word), `Word` ASC";
+
+                $query_total = $wpdb->prepare("SELECT COUNT(*) FROM `$table` $where", "%$word%");
+                $query_res = $wpdb->prepare("SELECT * FROM `$table` $where ORDER BY $order_by LIMIT $offset , $per_page", "%$word%", $word);
             }
             else
             {
-                if (!empty($where))
-                {
-                    $where .= " AND";
-                }
-                else
-                {
-                    $where .= "Where";
-                }
-                $where .= " `Description` LIKE '%$word%'";
+
+                $where .= "Where `Description` LIKE '%s'";
                 $order_by = "`Word` ASC";
+
+                $query_total = $wpdb->prepare("SELECT COUNT(*) FROM `$table` $where", "%$word%");
+                $query_res = $wpdb->prepare("SELECT * FROM `$table` $where ORDER BY $order_by LIMIT $offset , $per_page", "%$word%");
             }
         }
+        else
+        {
+            $query_total = "SELECT COUNT(*) FROM `$table`";
+            $query_res = "SELECT * FROM `$table` ORDER BY $order_by LIMIT $offset , $per_page";
+        }
 
 
-        $query_total = "SELECT COUNT(*) FROM `$table` $where";
-        $query_res = "SELECT * FROM `$table` $where ORDER BY $order_by LIMIT $offset , $per_page";
-
         $total_items = $wpdb->get_var($query_total);
         $data = $wpdb->get_results($query_res);
 
@@ -82,7 +85,7 @@ public static function search_ajax($word) {
         global $wpdb;
         $word = esc_sql($word);
         $table = $wpdb->prefix . "pn_mdict";
-        $query_res = "SELECT `id`, `Word` FROM `$table` WHERE `Word` LIKE '%$word%' ORDER BY LOCATE('$word', Word), `Word` ASC LIMIT 20";
+        $query_res = $wpdb->prepare("SELECT `id`, `Word` FROM `$table` WHERE `Word` LIKE '%s' ORDER BY LOCATE('%s', Word), `Word` ASC LIMIT 20", "%$word%", $word);
         $data = $wpdb->get_results($query_res, ARRAY_A);
         return $data;
     }
diff --git a/inc/templates/description.php b/inc/templates/description.php
index 9fcc1f2..1861b8e 100644
--- a/inc/templates/description.php
+++ b/inc/templates/description.php
@@ -2,7 +2,7 @@
     <div class="col-12 mdic-description">
         <div class="row">
             <div class="col-sm-11">
-                <h1 class="text-justify"><?php echo $word_item->Word ?></h1>
+                <h1 class="text-justify"><?php echo esc_html($word_item->Word) ?></h1>
             </div>
             <div class="col-sm-1 m-t-2 pull-left">
                 <a class="btn print-btn btn-lg bg-purple mdict-print no-print" title="<?php _e('Print', 'mdict') ?>"></a>        
@@ -11,8 +11,8 @@
 
         <div class="content text-justify">
             <?php
-            $des = ($word_item->Description);
-            echo wpautop($des);
+            $des = $word_item->Description;
+            echo wp_kses( wpautop($des), 'post');
             ?>
         </div>
 
diff --git a/inc/templates/searchbox.php b/inc/templates/searchbox.php
index 250ce89..86db4d5 100644
--- a/inc/templates/searchbox.php
+++ b/inc/templates/searchbox.php
@@ -1,12 +1,9 @@
 <div class="bootstrap-iso rtl mdict">
     <div class="col-12">
         <div class="grid-view">
-
             <div class="card mb-2">
-
                 <div class="card-body pb-0">
                     <div class="card-title text-center border-bottom"><?php _e('Word search', 'mdict'); ?></div> 
-
                     <form method="get" class="pt-1 pb-1 mb-1">
                         <div class="form-row centered">
                             <div class="form-group col-md-6">
@@ -31,7 +28,7 @@
 
             <div class="card mb-2">
                 <h1 class="card-header h6">
-                    <?php echo $word_w ? sprintf(__('Searching for the meaning of %s', 'mdict'), '<b>' . $word_w . '</b>') : __('List of words', 'mdict'); ?> <span class="float-left">(<?php _e('Total:', 'mdict'); ?> <?php echo number_format($total) ?>)</span>
+                    <?php $word_w ? printf(__('Searching for the meaning of %s', 'mdict'), '<b>' . $word_w . '</b>') : _e('List of words', 'mdict'); ?> <span class="float-left">(<?php _e('Total:', 'mdict'); ?> <?php echo number_format_i18n($total) ?>)</span>
                 </h1> 
                 <div class="card-body p-4 words-items">
                     <?php
@@ -46,23 +43,27 @@
                             $word_url = add_query_arg(array('wid' => $word_item->id), $current_page_url);
                             ?>
                             <div class="border-bottom p-2">
-                                <h2 class="font-weight-bold h6"><a class="mdict-word-link" href="<?php echo $word_url ?>"><?php echo $word_item->Word ?></a></h2> 
+                                <h2 class="font-weight-bold h6"><a class="mdict-word-link" href="<?php echo esc_url($word_url) ?>"><?php echo esc_html($word_item->Word) ?></a></h2> 
                                 <div class="detail">
                                     <?php
                                     $des = mdict_get_excerot($word_item->Description);
-                                    echo wpautop($des);
+                                    echo wp_kses( wpautop($des), 'post');
                                     ?>
                                 </div> 
                             </div>
                             <?php
                         }
-
-                        echo '<br>';
-                        echo mdict_pagination($total, MDict_SearchTools::get_pagenum(), MDict_SearchTools::get_perpage());
+                        ?>
+                        <br>
+                        <?php
+                        $pg = mdict_pagination($total, MDict_SearchTools::get_pagenum(), MDict_SearchTools::get_perpage());
+                        echo wp_kses($pg, 'post');
                     }
                     else
                     {
-                        echo '<p>' . __('Nothing found!', 'mdict') . '</p>';
+                        ?>
+                        <p><?php _e('Nothing found!', 'mdict'); ?></p>
+                        <?php
                     }
                     ?>
                 </div>
diff --git a/lang/mdict-fa_IR.mo b/lang/mdict-fa_IR.mo
index 865cdc9411be916a9510f9e73a63da529224a032..1564920733e31764eaf91df92e74e1e830f008dc 100644
GIT binary patch
delta 772
zcmXxiPe>GD9LDkAY&*N|BxSCvsZpz9D_O2n{wa$kDhNf9f)Jxi&@GCR)swRR!ISN2
zpj&jUD6od2Q->hBZ$w)+>yUvRqKg_q-^blv_L<K+@9ezu&hMRX{+ho!>lET<Hk~j#
zj&s<CtJs1i%-~OSG3A-*|E(Cs4vb+Jwqq6#;$_^6cX2l^;2|tx4L-vI_{y{JkMrCq
zOzL8N<>BA4lk-H<EQeX-XSX?UpDki57O@*2qaN}Rui+XFVy?l=#~D12k5G%<K;FlG
zqvreDV1=DdP0H*j14%rBXHl!ZiOgv$xE~+l9(;{@z<WH5TX+f6jb?Q?g)_K>s>(KA
z#pb3;74oS0=bFYV6F#V3c#0~|OJq(fp~|_ATEHgW!hM{a!vZp7Z&7dfCD@8)uAHE!
z)<YshOVlR*Zx`qckzt}uRa2cV?)1#gpq4j4YDot<9Zb99&dK1N+wJ6nUv6?(1yIvY
z93!JdpU^3y)<x1}gs8Y$r#?09uv)f)^#)_HOmjbHD*a$}RAp1C`@&-EM<jNADxdDW
z5#|#UPVm8Ni{4=%-1N#$d?4-j5B2tipK9N@yS~of3-8zG9B;84eqJs=(LJSPOC;D%
N^~9@Vq2Kr-@(+uSW9R??

delta 775
zcmX}qPe>GD7{~GFU3PZcZPjr6S1UFewxXFkn`WALus{^UgDgVStw2E`NQI!<0v8YA
zA?6}oIz=HQ=^Vt1r@H9PgjNv2WDnILy7}+W_hGkQ_P3vT-(}u;=6QGDJ#argHJOx%
zOh-iO@dIAK4NPDjEi8$Ogwe(z#xaBrHedqla1hII9M9qtyogymgYU2wmr(cHjEa9^
zmQ7}q$$WXCh&(nj58EQW*ou5)f-mlq7Z}G^*n;oz9)876Ojd}vIEJ_I4QjD_$oohh
zb)Vlwk1Hf2S6HwrMVc{%TJ?QoPkDwl_!>)b5%mFUSc1RsG9KXwI#nX)a0+KIi`t!2
zyo>SbLN{hmpOdK`E^Pd^_`?!vn^uuMWgE4vKT!)g#!0l9^x;cnNj{^#>8^JaOr-T-
z2T3al5G_#;Q-}8THt8ZgL=WTN=r3N}L@lp_#K<Mm?M++5rqlakwHWdKSoT1YRULW~
z+U+5tf2A8lM-y?#0MRCEo!UG-VI5ZsNSk*jlsMncOpoAtaaG%<Ex+c^hkgY7=aIAt
zk4!y$<TO6;wxSKe$6Wh|(VPjV9Jiy}?ef3H)-B`s3+27W|8Ca=V%gks?&Hqv&Ya$J
PSecCcU+~+iRsw$k%p7Hn

diff --git a/lang/mdict-fa_IR.po b/lang/mdict-fa_IR.po
index 3877806..0fee4b7 100644
--- a/lang/mdict-fa_IR.po
+++ b/lang/mdict-fa_IR.po
@@ -1,8 +1,8 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: Moein Dictionary\n"
-"POT-Creation-Date: 2022-12-12 15:19+0330\n"
-"PO-Revision-Date: 2022-12-12 15:19+0330\n"
+"POT-Creation-Date: 2022-12-16 15:04+0330\n"
+"PO-Revision-Date: 2022-12-16 15:04+0330\n"
 "Last-Translator: \n"
 "Language-Team: \n"
 "Language: fa_IR\n"
@@ -25,48 +25,48 @@ msgstr ""
 msgid "Add/Edit Word"
 msgstr "افزودن/ویرایش واژه"
 
-#: inc/admin/add-word.php:20 inc/admin/add-word.php:42
+#: inc/admin/add-word.php:20 inc/admin/add-word.php:45
 #: inc/admin/words-list.php:51
 msgid "Add Word"
 msgstr "افزودن واژه"
 
-#: inc/admin/add-word.php:35
+#: inc/admin/add-word.php:38
 msgid "Edit Word"
 msgstr "ویرایش واژه"
 
-#: inc/admin/add-word.php:50 inc/admin/dashboard.php:18
-#: inc/admin/dashboard.php:19 inc/admin/data-template.php:5
+#: inc/admin/add-word.php:54 inc/admin/dashboard.php:18
+#: inc/admin/dashboard.php:19 inc/admin/data-template.php:4
 #: inc/admin/settings-template.php:5
 msgid "Moein Dictionary"
 msgstr "فرهنگ معین"
 
-#: inc/admin/add-word.php:50 inc/admin/data-template.php:5
+#: inc/admin/add-word.php:55 inc/admin/data-template.php:4
 #: inc/admin/settings-template.php:5
 msgid " » "
 msgstr ""
 
-#: inc/admin/add-word.php:63 inc/admin/words-table.php:9
-#: inc/admin/words-table.php:57
+#: inc/admin/add-word.php:70 inc/admin/words-table.php:9
+#: inc/admin/words-table.php:62
 msgid "Word"
 msgstr "واژه"
 
-#: inc/admin/add-word.php:67 inc/admin/words-table.php:60
+#: inc/admin/add-word.php:74 inc/admin/words-table.php:63
 msgid "Description"
 msgstr "شرح"
 
-#: inc/admin/add-word.php:75 inc/admin/settings-template.php:83
+#: inc/admin/add-word.php:81 inc/admin/settings-template.php:78
 msgid "Save"
 msgstr "ذخیره"
 
-#: inc/admin/add-word.php:90
+#: inc/admin/add-word.php:96
 msgid "The word must not be empty!"
 msgstr "واژه نباید خالی باشد!"
 
-#: inc/admin/add-word.php:108 inc/admin/settings.php:107
+#: inc/admin/add-word.php:114 inc/admin/settings.php:106
 msgid "You do not have permission to access this section!"
 msgstr "شما مجوز دسترسی به این بخش را ندارید!"
 
-#: inc/admin/add-word.php:108 inc/admin/settings.php:107
+#: inc/admin/add-word.php:114 inc/admin/settings.php:106
 msgid "Error!"
 msgstr "خطا!"
 
@@ -93,7 +93,7 @@ msgstr "فرهنگ معین(رایگان)"
 msgid "Number of available words: %s"
 msgstr "تعداد واژه‌های موجود: %s"
 
-#: inc/admin/dashboard-template.php:26 inc/admin/import-data.php:24
+#: inc/admin/dashboard-template.php:26 inc/admin/import-data.php:25
 msgid "Install the data"
 msgstr "داده‌ها را نصب کنید"
 
@@ -129,46 +129,46 @@ msgstr "از کد کوتاه زیر داخل محتوای برگه‌ها است
 msgid "You can also use shortcode inside php codes:"
 msgstr "همچنین می‌توانید از کد کوتاه زیر درون کدهای php استفاده کنید:"
 
-#: inc/admin/data-template.php:5 inc/admin/import-data.php:34
-#: inc/admin/import-data.php:35
+#: inc/admin/data-template.php:4 inc/admin/import-data.php:35
+#: inc/admin/import-data.php:36
 msgid "Data installation"
 msgstr "نصب داده‌ها"
 
-#: inc/admin/data-template.php:23
+#: inc/admin/data-template.php:21
 #, php-format
-msgid "Step %d"
-msgstr "مرحله %d"
+msgid "Part %d"
+msgstr "قسمت %d"
 
-#: inc/admin/data-template.php:29 inc/functions.php:62
+#: inc/admin/data-template.php:27 inc/functions.php:82
 msgid "Installed"
 msgstr "نصب شده"
 
-#: inc/admin/data-template.php:29 inc/functions.php:64
+#: inc/admin/data-template.php:27 inc/functions.php:84
 msgid "Install"
 msgstr "نصب"
 
-#: inc/admin/data-template.php:36
+#: inc/admin/data-template.php:34
 msgid "Please be patient. This may take a minute or more."
 msgstr "لطفاً صبور باشید. ممکن است یک یا چند دقیقه طول بکشد."
 
-#: inc/admin/data-template.php:44
+#: inc/admin/data-template.php:42
 msgid "Go to commercial version"
 msgstr "برو به نسخه تجاری"
 
-#: inc/admin/data-template.php:45
+#: inc/admin/data-template.php:43
 #, php-format
-msgid "This step is only available on the commercial version. %s"
-msgstr "این مرحله فقط بر روی نسخه تجاری در دسترس است. %s"
+msgid "This part is only available on the commercial version. %s"
+msgstr "این قسمت فقط بر روی نسخه تجاری در دسترس است. %s"
 
-#: inc/admin/import-data.php:24
+#: inc/admin/import-data.php:25
 msgid "Moein Dictionary data is not fully installed."
-msgstr "داده های فرهنگ لغت معین به طور کامل نصب نشده است."
+msgstr "داده‌های فرهنگ لغت معین به طور کامل نصب نشده است."
 
-#: inc/admin/import-data.php:43
+#: inc/admin/import-data.php:44
 msgid "Dashboard"
 msgstr "پیشخوان"
 
-#: inc/admin/import-data.php:90
+#: inc/admin/import-data.php:91
 msgid "It is already installed."
 msgstr "قبلاً نصب شده است."
 
@@ -176,8 +176,8 @@ msgstr "قبلاً نصب شده است."
 msgid "Data not found!"
 msgstr "داده‌ها یافت نشد!"
 
-#: inc/admin/settings-template.php:5 inc/admin/settings.php:77
-#: inc/admin/settings.php:78
+#: inc/admin/settings-template.php:5 inc/admin/settings.php:76
+#: inc/admin/settings.php:77
 msgid "Settings"
 msgstr "تنظیمات"
 
@@ -193,19 +193,19 @@ msgstr "وزیر"
 msgid "Vazir(Persian number)"
 msgstr "وزیر(شماره فارسی)"
 
-#: inc/admin/settings-template.php:34
+#: inc/admin/settings-template.php:31
 msgid "Dictionary page"
 msgstr "برگه فرهنگ لغت"
 
-#: inc/admin/settings-template.php:50
+#: inc/admin/settings-template.php:45
 msgid "Word meaning tooltip"
 msgstr "ابزار معنی واژه"
 
-#: inc/admin/settings-template.php:52
+#: inc/admin/settings-template.php:47
 msgid "Active"
 msgstr "فعال‌سازی"
 
-#: inc/admin/settings-template.php:55
+#: inc/admin/settings-template.php:50
 msgid ""
 "By activating this option, the meaning tooltip will be displayed after "
 "selecting the word on the site."
@@ -213,15 +213,15 @@ msgstr ""
 "با فعال کردن این گزینه پس از انتخاب واژه، ابزار نمایش معنی در سایت نمایش "
 "داده خواهد شد."
 
-#: inc/admin/settings-template.php:59
+#: inc/admin/settings-template.php:54
 msgid "Font"
 msgstr "قلم"
 
-#: inc/admin/settings-template.php:76
+#: inc/admin/settings-template.php:71
 msgid "Font size"
 msgstr "اندازه فونت"
 
-#: inc/admin/settings.php:93
+#: inc/admin/settings.php:92
 msgid "Settings saved successfully."
 msgstr "تنظیمات با موفقیت ذخیره شد."
 
@@ -233,36 +233,36 @@ msgstr "لیست واژه‌ها"
 msgid "Words"
 msgstr "واژه‌ها"
 
-#: inc/admin/words-list.php:50 inc/templates/searchbox.php:55
+#: inc/admin/words-list.php:50 inc/templates/searchbox.php:31
 msgid "List of words"
 msgstr "لیست واژه‌ها"
 
-#: inc/admin/words-list.php:56
+#: inc/admin/words-list.php:55
 msgid "Search word"
 msgstr "جستجوی لغت"
 
-#: inc/admin/words-table.php:31
+#: inc/admin/words-table.php:36
 #, php-format
 msgid "%d item(s) were removed."
 msgstr "%d مورد حذف شد."
 
-#: inc/admin/words-table.php:39
+#: inc/admin/words-table.php:44
 msgid "Please select one or more."
 msgstr "لطفاً موردی را انتخاب کنید."
 
-#: inc/admin/words-table.php:51 inc/templates/searchbox.php:85
+#: inc/admin/words-table.php:56 inc/templates/searchbox.php:65
 msgid "Nothing found!"
 msgstr "موردی یافت نشد!"
 
-#: inc/admin/words-table.php:61
+#: inc/admin/words-table.php:64
 msgid "ID"
 msgstr "شناسه"
 
-#: inc/admin/words-table.php:74
+#: inc/admin/words-table.php:77
 msgid "Delete"
 msgstr "حذف"
 
-#: inc/admin/words-table.php:120
+#: inc/admin/words-table.php:143
 msgid "Edit"
 msgstr "ویرایش"
 
@@ -282,31 +282,31 @@ msgstr "اولی"
 msgid "Last"
 msgstr "آخری"
 
-#: inc/functions.php:35
+#: inc/functions.php:39
 msgid "Search for words in the dictionary"
 msgstr "جستجوی واژه در فرهنگ لغت"
 
-#: inc/functions.php:36
+#: inc/functions.php:40
 msgid "Meaning"
 msgstr "معنی"
 
-#: inc/functions.php:63
+#: inc/functions.php:83
 msgid "Installing"
 msgstr "در حال نصب"
 
-#: inc/functions.php:65
+#: inc/functions.php:85
 msgid "Plugin license registration successful."
 msgstr "ثبت لایسنس افزونه با موفقیت انجام شد."
 
-#: inc/functions.php:66
+#: inc/functions.php:86
 msgid "Error: The request failed!"
 msgstr "خطا: درخواست با شکست مواجه شد!"
 
-#: inc/functions.php:67
+#: inc/functions.php:87
 msgid "Error: "
 msgstr "خطا: "
 
-#: inc/functions.php:68
+#: inc/functions.php:88
 msgid "Please enter the activation code!"
 msgstr "لطفا کد فعال سازی را وارد کنید!"
 
@@ -314,36 +314,36 @@ msgstr "لطفا کد فعال سازی را وارد کنید!"
 msgid "Moein dictionary"
 msgstr "فرهنگ معین"
 
-#: inc/templates/description.php:15
+#: inc/templates/description.php:8
 msgid "Print"
 msgstr "چاپ"
 
-#: inc/templates/searchbox.php:29
+#: inc/templates/searchbox.php:6
 msgid "Word search"
 msgstr "جستجوی واژه"
 
-#: inc/templates/searchbox.php:35
+#: inc/templates/searchbox.php:11
 msgid "Enter a word"
 msgstr "واژه مورد نظر را وارد کنید"
 
-#: inc/templates/searchbox.php:40
+#: inc/templates/searchbox.php:16
 msgid "Search in words"
 msgstr "جستجو در واژه‌ها"
 
-#: inc/templates/searchbox.php:41
+#: inc/templates/searchbox.php:17
 msgid "Search in the meaning of words"
 msgstr "جستجو در معنای واژه‌ها"
 
-#: inc/templates/searchbox.php:45
+#: inc/templates/searchbox.php:21
 msgid "Search"
 msgstr "جستجو"
 
-#: inc/templates/searchbox.php:55
+#: inc/templates/searchbox.php:31
 #, php-format
 msgid "Searching for the meaning of %s"
 msgstr "جستجوی معنی %s"
 
-#: inc/templates/searchbox.php:55
+#: inc/templates/searchbox.php:31
 msgid "Total:"
 msgstr "تعداد کل:"
 
@@ -363,6 +363,10 @@ msgstr "ham3da"
 msgid "https://ham3da.ir"
 msgstr ""
 
+#, php-format
+#~ msgid "Step %d"
+#~ msgstr "مرحله %d"
+
 #~ msgid "License"
 #~ msgstr "لایسنس"
 
diff --git a/moein-dictionary-free.php b/moein-dictionary-free.php
index 7ae33c8..4658570 100644
--- a/moein-dictionary-free.php
+++ b/moein-dictionary-free.php
@@ -2,7 +2,7 @@
 /*
   Plugin Name: Moein Dictionary(free)
   Description: Moein Persian dictionary(free version)
-  Version: 1.4.0
+  Version: 1.4.1
   Author: ham3da
   Plugin URI: https://wordpress.org/plugins/moein-dictionary-free
   Author URI: https://ham3da.ir
@@ -17,7 +17,7 @@
     die("Access denied!");
 }
 
-define('MDC_PLUGIN_VERSION', '1.4.0');
+define('MDC_PLUGIN_VERSION', '1.4.1');
 define('MDC_PLUGIN_FILE', __FILE__);
 define('MDC_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('MDC_PLUGIN_URL', plugin_dir_url(__FILE__));
diff --git a/readme.txt b/readme.txt
index 0031911..726c9e1 100644
--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: ham3da
 Tags: dictionary, moein, moein dictionary, persian dictionary, persian, farsi, persian to persian
 Requires at least: 5.0
 Tested up to: 6.1.1
-Stable tag: 1.4.0
+Stable tag: 1.4.1
 Requires PHP: 7.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -35,8 +35,11 @@ Major features in Moein Dictionary include:
 3. Use the `[mdict_search]` shortcode to display the dictionary search engine on your desired page or template.
 
 == Changelog ==
-= 1.4.0 =
 
+= 1.4.1 =
+* Optimization and cleaning
+
+= 1.4.0 =
 * Redesign of the dictionary search form
 
 = 1.3.0 =