Prevent XSS with esc_url() in old WordPress versions and prepare for using URL as href attr. 4.2 passes URL to urlencode() and strips all "bad" symbols from URL.
Kolya Korobochkin committed Apr 22, 2015
1 parent c5ddc92 commit e705972
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion plugin/plugin.php
Expand Up @@ -103,8 +103,16 @@ public static function user_row_actions( $actions, $user_object ) {
'mark_user_as_spammer_nonce'
);

$url = site_url( $url );

/*
* Always use esc_url() before output link!
* wp_nonce_url() already pass url to esc_html and script tags will be encoded but we need armor to protect URL from XSS
*/
$url = esc_url( $url );

$actions['spammer'] = '<a href="'
. site_url( $url )
. $url
. '" class="mark-user-as-spammer" title="' . (
$is_spammer ?
esc_attr_x ('Unban user. He will be able to log in on site.', 'Verb. Mark user (account) like non spammer account', 'mark_user_as_spammer')
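Review bot: the inline comment above `$url = esc_url( $url );` should state why esc_html() is not sufficient here: the value is written into an `href` attribute, and esc_html() only encodes HTML special characters, so it does not reject a `javascript:` or other disallowed scheme, whereas esc_url() also checks the scheme against the allowed protocol list and drops characters that are invalid in a URL. Suggest rewording the two comment lines to `* wp_nonce_url() already passes the URL through esc_html(), which encodes tags,` / `* but this lands in an href attribute, so esc_url() is needed to reject disallowed protocols`. The ordering is right: site_url() builds the final URL first and esc_url() is the last call before concatenation, so keep the escaped `$url` from being reused elsewhere in this method.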