Fix security issue with non-escaped HTML in options page

master
Mahmoud Al-Qudsi 2018-02-10 13:23:21 -06:00
parent 8ad7ef9d8f
commit c2a7360a3d
5 changed files with 5 additions and 5 deletions

@ -8,7 +8,7 @@
"admin_notif_message"=>$_POST["admin_notif_message"], "admin_notif_message"=>$_POST["admin_notif_message"],
"visitor_notif_message"=>$_POST["visitor_notif_message"], "visitor_notif_message"=>$_POST["visitor_notif_message"],
"edit_notify_message"=>$_POST["edit_notify_message"], "edit_notify_message"=>$_POST["edit_notify_message"],
"propose_edit_link"=>$_POST["propose_edit_link"] "propose_edit_link"=>html_entity_decode($_POST["propose_edit_link"])
]; ];
update_option( "visitors_edits_options", $options ); update_option( "visitors_edits_options", $options );
flashMessage("Settings saved.",""); flashMessage("Settings saved.","");
@ -29,7 +29,7 @@
<form action="" method="post"> <form action="" method="post">
<div class="control"> <div class="control">
<label>Propose an edit link</label> <label>Propose an edit link</label>
<input type="text" name="propose_edit_link" value="<?php echo stripcslashes($options['propose_edit_link']) ?>"> <input type="text" name="propose_edit_link" value="<?php echo htmlentities(stripcslashes($options['propose_edit_link'])) ?>">
</div> </div>
<div class="control"> <div class="control">
<label>Admin notification message</label> <label>Admin notification message</label>
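Review bot: The `htmlentities()` added on the new side of the second hunk uses default flags, which before PHP 8.1 means ENT_COMPAT — double quotes are escaped but single quotes are not — so the escaping is only sufficient while the attribute stays double-quoted; make the context explicit with `htmlentities(stripcslashes($options['propose_edit_link']), ENT_QUOTES, 'UTF-8')`, or, since `update_option()` suggests WordPress, `esc_attr()`. The `html_entity_decode()` added in the first hunk stores entity-decoded raw input, so a submitted `&lt;script&gt;` is saved as a literal `<script>` in the option, and every later output site must escape for its own context — that includes the three notification messages saved unescaped on the adjacent lines, whose output is not shown here, and wherever the link is emitted as an href, which needs URL escaping rather than HTML-attribute escaping. No nonce or capability check is visible around the `$_POST` handling; if one exists it is outside these hunks. Both enclosing blocks start outside the hunks shown.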