neosmart
/
wp-visitor-contributions
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Fix security issue with non-escaped HTML in options page

master
Mahmoud Al-Qudsi 1 year ago
parent
8ad7ef9d8f
commit
c2a7360a3d
5 changed files with 5 additions and 5 deletions
Split View Show Diff Stats
  1. 1
    1
      bootstrap.php
  2. 4
    4
      inc/settings.php
  3. 0
    0
      vendor/caxy/php-htmldiff/.gitignore
  4. 0
    0
      vendor/caxy/php-htmldiff/.scrutinizer.yml
  5. 0
    0
      vendor/ezyang/htmlpurifier/plugins/phorum/.gitignore

+ 1
- 1
bootstrap.php View File 

@@ -55,7 +55,7 @@ class visitors_edits{
55 55 
 			]);
56 56 
 			global $post;
57 57 
 			$new_content = str_replace("#post_link#", get_site_url().'/'.$post->post_name.'/suggestions', stripcslashes($options["propose_edit_link"]));
58 
-			$content .= $new_content;
58 
+			$content .= $new_content;
59 59 
 		}
60 60 
 		return $content;
61 61 
 	}

+ 4
- 4
inc/settings.php View File 

@@ -1,4 +1,4 @@
1 
-<?php
1 
+<?php
2 2 
 	$options=[];
3 3 
 	if(isset($_POST["save_settings"])){
4 4 
 		$options=[

@@ -8,7 +8,7 @@
8 8 
 			"admin_notif_message"=>$_POST["admin_notif_message"],
9 9 
 			"visitor_notif_message"=>$_POST["visitor_notif_message"],
10 10 
 			"edit_notify_message"=>$_POST["edit_notify_message"],
11 
-			"propose_edit_link"=>$_POST["propose_edit_link"]
11 
+			"propose_edit_link"=>html_entity_decode($_POST["propose_edit_link"])
12 12 
 		];
13 13 
 		update_option( "visitors_edits_options", $options );
14 14 
 		flashMessage("Settings saved.","");

@@ -29,7 +29,7 @@
29 29 
 	<form action="" method="post">
30 30 
 		<div class="control">
31 31 
 			<label>Propose an edit link</label>
32 
-			<input type="text" name="propose_edit_link" value="<?php echo stripcslashes($options['propose_edit_link']) ?>">
32 
+			<input type="text" name="propose_edit_link" value="<?php echo htmlentities(stripcslashes($options['propose_edit_link'])) ?>">
33 33 
 		</div>
34 34 
 		<div class="control">
35 35 
 			<label>Admin notification message</label>

@@ -68,4 +68,4 @@ function flashMessage($msg,$type){
68 68 
     </div>
69 69 
     <?php
70 70 
 }
71 
-?>
71 
+?>

+ 0
- 0
vendor/caxy/php-htmldiff/.gitignore View File


+ 0
- 0
vendor/caxy/php-htmldiff/.scrutinizer.yml View File


+ 0
- 0
vendor/ezyang/htmlpurifier/plugins/phorum/.gitignore View File


Write Preview
Loading…
Cancel
Save