Fix security issue with non-escaped HTML in options page

2018-02-10 13:23:21 -06:00 · 2018-02-10 13:23:21 -06:00 · c2a7360a3d
--- a/bootstrap.php
+++ b/bootstrap.php
@ -55,7 +55,7 @@ class visitors_edits{
 			]);
 			global $post;
 			$new_content = str_replace("#post_link#", get_site_url().'/'.$post->post_name.'/suggestions', stripcslashes($options["propose_edit_link"]));
-			$content .= $new_content;	
+			$content .= $new_content;
 		}
 		return $content;
 	}
--- a/inc/settings.php
+++ b/inc/settings.php
@ -1,4 +1,4 @@
-<?php 
+<?php
 	$options=[];
 	if(isset($_POST["save_settings"])){
 		$options=[
@ -8,7 +8,7 @@
 			"admin_notif_message"=>$_POST["admin_notif_message"],
 			"visitor_notif_message"=>$_POST["visitor_notif_message"],
 			"edit_notify_message"=>$_POST["edit_notify_message"],
-			"propose_edit_link"=>$_POST["propose_edit_link"]
+			"propose_edit_link"=>html_entity_decode($_POST["propose_edit_link"])
 		];
 		update_option( "visitors_edits_options", $options );
 		flashMessage("Settings saved.","");
@ -29,7 +29,7 @@
 	<form action="" method="post">
 		<div class="control">
 			<label>Propose an edit link</label>
-			<input type="text" name="propose_edit_link" value="<?php echo stripcslashes($options['propose_edit_link']) ?>">
+			<input type="text" name="propose_edit_link" value="<?php echo htmlentities(stripcslashes($options['propose_edit_link'])) ?>">
 		</div>
 		<div class="control">
 			<label>Admin notification message</label>
@ -68,4 +68,4 @@ function flashMessage($msg,$type){
    </div>
    <?php
 }
-?>
+?>
--- a/vendor/caxy/php-htmldiff/.gitignore
+++ b/vendor/caxy/php-htmldiff/.gitignore
--- a/vendor/caxy/php-htmldiff/.scrutinizer.yml
+++ b/vendor/caxy/php-htmldiff/.scrutinizer.yml
--- a/vendor/ezyang/htmlpurifier/plugins/phorum/.gitignore
+++ b/vendor/ezyang/htmlpurifier/plugins/phorum/.gitignore