Fix security issue with non-escaped HTML in options page

Mahmoud Al-Qudsi 2018-02-10 13:23:21 -06:00
parent 8ad7ef9d8f
commit c2a7360a3d
5 changed files with 5 additions and 5 deletions

@ -55,7 +55,7 @@ class visitors_edits{
]); ]);
global $post; global $post;
$new_content = str_replace("#post_link#", get_site_url().'/'.$post->post_name.'/suggestions', stripcslashes($options["propose_edit_link"])); $new_content = str_replace("#post_link#", get_site_url().'/'.$post->post_name.'/suggestions', stripcslashes($options["propose_edit_link"]));
$content .= $new_content; $content .= $new_content;
} }
return $content; return $content;
} }

@ -1,4 +1,4 @@
<?php <?php
$options=[]; $options=[];
if(isset($_POST["save_settings"])){ if(isset($_POST["save_settings"])){
$options=[ $options=[
@ -8,7 +8,7 @@
"admin_notif_message"=>$_POST["admin_notif_message"], "admin_notif_message"=>$_POST["admin_notif_message"],
"visitor_notif_message"=>$_POST["visitor_notif_message"], "visitor_notif_message"=>$_POST["visitor_notif_message"],
"edit_notify_message"=>$_POST["edit_notify_message"], "edit_notify_message"=>$_POST["edit_notify_message"],
"propose_edit_link"=>$_POST["propose_edit_link"] "propose_edit_link"=>html_entity_decode($_POST["propose_edit_link"])
]; ];
update_option( "visitors_edits_options", $options ); update_option( "visitors_edits_options", $options );
flashMessage("Settings saved.",""); flashMessage("Settings saved.","");
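Review bot: `html_entity_decode()` on the submitted `propose_edit_link` (the `=>` line in this hunk) is lossy: a literal `&amp;` or `&lt;` that the admin meant to keep in the link markup is turned into `&` / `<` before it is stored, and because the edit form now escapes on output the browser already submits the raw value, so there is nothing left for the decode to undo. Escaping belongs at the output boundary rather than the input one; keeping `"propose_edit_link"=>$_POST["propose_edit_link"]` together with the output-side escaping avoids the double transformation. The stored value is also emitted unescaped into post content by `visitors_edits` (first hunk on this page), so it is effectively admin-supplied HTML; nothing in the visible save path checks a nonce (`check_admin_referer()`) or capability (`current_user_can('manage_options')`) before `update_option()` — if that happens above the hunk, disregard. The enclosing `if(isset($_POST["save_settings"]))` block starts outside this hunk.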
@ -29,7 +29,7 @@
<form action="" method="post"> <form action="" method="post">
<div class="control"> <div class="control">
<label>Propose an edit link</label> <label>Propose an edit link</label>
<input type="text" name="propose_edit_link" value="<?php echo stripcslashes($options['propose_edit_link']) ?>"> <input type="text" name="propose_edit_link" value="<?php echo htmlentities(stripcslashes($options['propose_edit_link'])) ?>">
</div> </div>
<div class="control"> <div class="control">
<label>Admin notification message</label> <label>Admin notification message</label>
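Review bot: `htmlentities()` on the new input-value line relies on PHP's default flags and charset; before PHP 8.1 the default is `ENT_COMPAT`, which leaves `'` unescaped, and without `ENT_SUBSTITUTE` an invalid UTF-8 sequence in the stored option makes `htmlentities()` return an empty string, so the field would render blank and the next save would silently overwrite the option with `""`. Pass the flags explicitly, `htmlentities(stripcslashes($options['propose_edit_link']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, or use WordPress's `esc_attr()`, the conventional escaper for attribute context. Separately, WordPress's `wp_magic_quotes()` slashes request data with `addslashes()`, whose inverse is `stripslashes()`; `stripcslashes()` additionally interprets C escapes such as `\n` and `\x3c`, so a backslash typed into the link is transformed on display — this predates the commit, but the new line keeps it.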
@ -68,4 +68,4 @@ function flashMessage($msg,$type){
</div> </div>
<?php <?php
} }
?> ?>