neosmart
/
wp-visitor-contributions
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Fix security issue with non-escaped HTML in options page

master
Mahmoud Al-Qudsi 2 years ago
parent
8ad7ef9d8f
commit
c2a7360a3d
5 changed files with 5 additions and 5 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +1
    -1
      bootstrap.php
  2. +4
    -4
      inc/settings.php
  3. +0
    -0
     
  4. +0
    -0
     
  5. +0
    -0
     

+ 1
- 1
bootstrap.php View File

@ -55,7 +55,7 @@ class visitors_edits{
]);
global $post;
$new_content = str_replace("#post_link#", get_site_url().'/'.$post->post_name.'/suggestions', stripcslashes($options["propose_edit_link"]));
$content .= $new_content;
$content .= $new_content;
}
return $content;
}

+ 4
- 4
inc/settings.php View File

@ -1,4 +1,4 @@
<?php
<?php
$options=[];
if(isset($_POST["save_settings"])){
$options=[
@ -8,7 +8,7 @@
"admin_notif_message"=>$_POST["admin_notif_message"],
"visitor_notif_message"=>$_POST["visitor_notif_message"],
"edit_notify_message"=>$_POST["edit_notify_message"],
"propose_edit_link"=>$_POST["propose_edit_link"]
"propose_edit_link"=>html_entity_decode($_POST["propose_edit_link"])
];
update_option( "visitors_edits_options", $options );
flashMessage("Settings saved.","");
@ -29,7 +29,7 @@
<form action="" method="post">
<div class="control">
<label>Propose an edit link</label>
<input type="text" name="propose_edit_link" value="<?php echo stripcslashes($options['propose_edit_link']) ?>">
<input type="text" name="propose_edit_link" value="<?php echo htmlentities(stripcslashes($options['propose_edit_link'])) ?>">
</div>
<div class="control">
<label>Admin notification message</label>
@ -68,4 +68,4 @@ function flashMessage($msg,$type){
</div>
<?php
}
?>
?>

+ 0
- 0
View File


+ 0
- 0
View File


+ 0
- 0
View File


Write Preview
Loading…
Cancel
Save