Merge pull request #21 from itthinx/pre-2.13.2

fixed unescaped use of REQUEST_URI
itthinx · Oct 21, 2015 · cfc2855 · cfc2855
2 parents 194f0dd + 1f57acd
commit cfc2855
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 14 deletions.
diff --git a/affiliates.php b/affiliates.php
@@ -21,14 +21,14 @@
  * Plugin Name: Affiliates
  * Plugin URI: http://www.itthinx.com/plugins/affiliates
  * Description: The Affiliates plugin provides the right tools to maintain a partner referral program.
- * Version: 2.13.1
+ * Version: 2.13.2
  * Author: itthinx
  * Author URI: http://www.itthinx.com
  * Donate-Link: http://www.itthinx.com
  * License: GPLv3
  */
 if ( !defined( 'AFFILIATES_CORE_VERSION' ) ) {
-	define( 'AFFILIATES_CORE_VERSION', '2.13.1' );
+	define( 'AFFILIATES_CORE_VERSION', '2.13.2' );
 	define( 'AFFILIATES_PLUGIN_NAME', 'affiliates' );
 	define( 'AFFILIATES_FILE', __FILE__ );
 	define( 'AFFILIATES_PLUGIN_BASENAME', plugin_basename( AFFILIATES_FILE ) );

diff --git a/lib/core/affiliates-admin-affiliates-add.php b/lib/core/affiliates-admin-affiliates-add.php
@@ -51,7 +51,7 @@ function affiliates_admin_affiliates_add() {
 			'</h1>' .
 		'</div>' .
 
-		'<form id="add-affiliate" action="' . $current_url . '" method="post">' .
+		'<form id="add-affiliate" action="' . esc_url( $current_url ) . '" method="post">' .
 		'<div class="affiliate new">' .
 
 		'<div class="field">' .
@@ -112,7 +112,7 @@ function affiliates_admin_affiliates_add() {
 		'<input class="button button-primary" type="submit" value="' . __( 'Add', AFFILIATES_PLUGIN_DOMAIN ) . '"/>' .
 		'<input type="hidden" value="add" name="action"/>' .
 		' ' .
-		'<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', AFFILIATES_PLUGIN_DOMAIN ) . '</a>' .
+		'<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', AFFILIATES_PLUGIN_DOMAIN ) . '</a>' .
 		'</div>' .
 
 		'</div>' . // .affiliate.new

diff --git a/lib/core/affiliates-admin-affiliates-edit.php b/lib/core/affiliates-admin-affiliates-edit.php
@@ -103,7 +103,7 @@ function affiliates_admin_affiliates_edit( $affiliate_id ) {
 			'</h1>' .
 		'</div>' .
 
-		'<form id="edit-affiliate" action="' . $current_url . '" method="post">' .
+		'<form id="edit-affiliate" action="' . esc_url( $current_url ) . '" method="post">' .
 		'<div class="affiliate edit">' .
 		'<input id="affiliate-id-field" name="affiliate-id-field" type="hidden" value="' . esc_attr( intval( $affiliate_id ) ) . '"/>' .
 
@@ -172,7 +172,7 @@ function affiliates_admin_affiliates_edit( $affiliate_id ) {
 		'<input class="button button-primary" type="submit" value="' . __( 'Save', AFFILIATES_PLUGIN_DOMAIN ) . '"/>' .
 		'<input type="hidden" value="edit" name="action"/>' .
 		' ' .
-		'<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', AFFILIATES_PLUGIN_DOMAIN ) . '</a>' .
+		'<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', AFFILIATES_PLUGIN_DOMAIN ) . '</a>' .
 		'</div>' .
 
 		'</div>' . // .affiliate.edit

diff --git a/lib/core/affiliates-admin-affiliates-remove.php b/lib/core/affiliates-admin-affiliates-remove.php
@@ -68,7 +68,7 @@ function affiliates_admin_affiliates_remove( $affiliate_id ) {
 				__( 'Remove an affiliate', AFFILIATES_PLUGIN_DOMAIN ) .
 			'</h1>' .
 		'</div>' .
-		'<form id="remove-affiliate" action="' . $current_url . '" method="post">' .
+		'<form id="remove-affiliate" action="' . esc_url( $current_url ) . '" method="post">' .
 		'<div class="affiliate remove">' .
 		'<input id="affiliate-id-field" name="affiliate-id-field" type="hidden" value="' . esc_attr( intval( $affiliate_id ) ) . '"/>' .
 		'<ul>' .
@@ -82,7 +82,7 @@ function affiliates_admin_affiliates_remove( $affiliate_id ) {
 		'<input class="button button-primary" type="submit" value="' . __( 'Remove', AFFILIATES_PLUGIN_DOMAIN ) . '"/>' .
 		'<input type="hidden" value="remove" name="action"/>' .
 		' ' .
-		'<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', AFFILIATES_PLUGIN_DOMAIN ) . '</a>' .
+		'<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', AFFILIATES_PLUGIN_DOMAIN ) . '</a>' .
 		'</div>' .
 		'</div>' . // .affiliate.remove
 		'</form>' .

diff --git a/lib/core/affiliates-admin-referral-edit.php b/lib/core/affiliates-admin-referral-edit.php
@@ -153,7 +153,7 @@ function affiliates_admin_referral_edit( $referral_id = null ) {
 	}
 	$output .= '</h1>';
 
-	$output .= '<form id="referral" action="' . $current_url . '" method="post">';
+	$output .= '<form id="referral" action="' . esc_url( $current_url ) . '" method="post">';
 	$output .= '<div>';
 
 	if ( $referral_id ) {

diff --git a/lib/core/affiliates-admin-referral-remove.php b/lib/core/affiliates-admin-referral-remove.php
@@ -83,7 +83,7 @@ function affiliates_admin_referral_remove( $referral_id = null ) {
 					$status       = $referral->status;
 					$reference    = wp_strip_all_tags( $referral->reference );
 
-					$output .= '<form id="referral" action="' . $current_url . '" method="post">';
+					$output .= '<form id="referral" action="' . esc_url( $current_url ) . '" method="post">';
 					$output .= '<div>';
 
 					$output .= sprintf( '<input type="hidden" name="referral_id" value="%d" />', intval( $referral_id ) );

diff --git a/readme.txt b/readme.txt
@@ -4,7 +4,7 @@ Donate link: http://www.itthinx.com/plugins/affiliates
 Tags: ads, AddToAny, AddThis, advertising, affiliate, affiliate marketing, affiliate plugin, affiliate tool, affiliates, contact form, contact form 7, downloads, e-commerce, Ecwid, Events Manager, Jigoshop, lead, link, marketing, money, partner, Pay per Click, PayPal, PPC, referral, referral links, referrer, sales, shopping cart, TheCartPress, track, transaction, WooCommerce, WP e-Commerce
 Requires at least: 4.0.0
 Tested up to: 4.3.1
-Stable tag: 2.13.1
+Stable tag: 2.13.2
 License: GPLv3
 
 The Affiliates system provides powerful tools to maintain an Affiliate Marketing Program.
@@ -340,6 +340,9 @@ See [Affiliates Screenshots](http://www.itthinx.com/plugins/affiliates/affiliate
 
 == Changelog ==
 
+= 2.13.2 =
+* Fixed potential XSS vulnerabilities related to the unescaped use of $_SERVER['REQUEST_URI'].
+
 = 2.13.1 =
 * Reverted a change introduced in 2.13.0 related to trailing slashes.
 
@@ -670,6 +673,5 @@ See [Affiliates Screenshots](http://www.itthinx.com/plugins/affiliates/affiliate
 
 == Upgrade Notice ==
 
-= 2.13.1 =
-This release reverts a change introduced in 2.13.0 related to trailing slashes before the query part of an affiliate URL.
-The change could affect valid URLs and has been removed in this version.
+= 2.13.2 =
+Security Release : This release fixes potential XSS vulnerabilities.