Fixed XSS

README.md

@@ -3,17 +3,14 @@ Contributors: GamerZ
 Donate link: https://lesterchan.net/site/donation/  
 Tags: banned, ban, deny, denied, permission, ip, hostname, host, spam, bots, bot, exclude, referrer, url, referral, range  
 Requires at least: 4.3   
-Tested up to: 5.9  
-Stable tag: 1.69  
+Tested up to: 6.1  
+Stable tag: 1.69.1  
 
 Ban users by IP, IP Range, host name, user agent and referrer url from visiting your WordPress's blog.
 
 ## Description
 It will display a custom ban message when the banned IP, IP range, host name or referrer url that tries to visit you blog. You can also exclude certain IPs from being banned. There will be statistics recorded on how many times they attempt to visit your blog. It allows wildcard matching too.
 
-### Build Status
-[![Build Status](https://travis-ci.org/lesterchan/wp-ban.svg?branch=master)](https://travis-ci.org/lesterchan/wp-ban)
-
 ### Development
 * [https://github.com/lesterchan/wp-ban](https://github.com/lesterchan/wp-ban "https://github.com/lesterchan/wp-ban")
 
@@ -27,6 +24,9 @@ It will display a custom ban message when the banned IP, IP range, host name or
 * I spent most of my free time creating, updating, maintaining and supporting these plugins, if you really love my plugins and could spare me a couple of bucks, I will really appreciate it. If not feel free to use it without any obligations.
 
 ## Changelog
+### Version 1.69.1
+* NEW: Fixed XSS
+
 ### Version 1.69
 * NEW: Bump WordPress 4.7
 * FIXED: Notices

ban-options.php

@@ -9,6 +9,15 @@
 $base_page = 'admin.php?page='.$base_name;
 $admin_login = trim($current_user->user_login);
 
+# Allow HTML
+$allowed_tags = wp_kses_allowed_html( 'post' );
+$allowed_tags['html'] = true;
+$allowed_tags['head'] = true;
+$allowed_tags['meta'] = array(
+    'charset' => true,
+);
+$allowed_tags['body'] = true;
+
 ### Form Processing
 // Update Options
 if( ! empty( $_POST['Submit'] ) ) {
@@ -24,101 +33,101 @@
     $banned_referers_post       = ! empty( $_POST['banned_referers'] )          ? explode( "\n", trim($_POST['banned_referers'] ) ) : array();
     $banned_user_agents_post    = ! empty( $_POST['banned_user_agents'] )       ? explode( "\n", trim($_POST['banned_user_agents'] ) ) : array();
     $banned_exclude_ips_post    = ! empty( $_POST['banned_exclude_ips'] )       ? explode( "\n", trim( $_POST['banned_exclude_ips'] ) ) : array();
-    $banned_message             = ! empty( $_POST['banned_template_message'] )  ? trim( $_POST['banned_template_message'] ) : '';
+    $banned_message             = ! empty( $_POST['banned_template_message'] )  ? wp_kses( trim( $_POST['banned_template_message'] ), $allowed_tags ) : '';
 
     $banned_ips = array();
-    if(!empty($banned_ips_post)) {
-        foreach($banned_ips_post as $banned_ip) {
-            if($admin_login == 'admin' && ($banned_ip == ban_get_ip() || is_admin_ip($banned_ip))) {
-                $text .= '<p style="color: blue;">'.sprintf(__('This IP \'%s\' Belongs To The Admin And Will Not Be Added To Ban List', 'wp-ban'),$banned_ip).'</p>';
+    if ( ! empty( $banned_ips_post ) ) {
+        foreach ( $banned_ips_post as $banned_ip ) {
+            if( $admin_login === 'admin' && ( $banned_ip === ban_get_ip() || is_admin_ip( $banned_ip ) ) ) {
+                $text .= '<p style="color: blue;">' . sprintf( __( 'This IP \'%s\' Belongs To The Admin And Will Not Be Added To Ban List', 'wp-ban' ), $banned_ip ) . '</p>';
             } else {
-                $banned_ips[] = trim($banned_ip);
+                $banned_ips[] = esc_html( trim( $banned_ip ) );
             }
         }
     }
 
     $banned_ips_range = array();
-    if( ! empty( $banned_ips_range_post ) ) {
+    if ( ! empty( $banned_ips_range_post ) ) {
         foreach( $banned_ips_range_post as $banned_ip_range ) {
             $range = explode( '-', $banned_ip_range );
-            if( sizeof( $range ) === 2 ) {
+            if ( sizeof( $range ) === 2 ) {
                 $range_start = trim( $range[0] );
                 $range_end = trim( $range[1] );
-                if( $admin_login === 'admin' && ( check_ip_within_range( ban_get_ip(), $range_start, $range_end ) ) ) {
-                    $text .= '<p style="color: blue;">'.sprintf( __( 'The Admin\'s IP \'%s\' Fall Within This Range (%s - %s) And Will Not Be Added To Ban List', 'wp-ban' ), ban_get_ip(), $range_start, $range_end ).'</p>';
+                if ( $admin_login === 'admin' && ( check_ip_within_range( ban_get_ip(), $range_start, $range_end ) ) ) {
+                    $text .= '<p style="color: blue;">' . sprintf( __( 'The Admin\'s IP \'%s\' Fall Within This Range (%s - %s) And Will Not Be Added To Ban List', 'wp-ban' ), ban_get_ip(), $range_start, $range_end ) . '</p>';
                 } else {
-                    $banned_ips_range[] = trim( $banned_ip_range );
+                    $banned_ips_range[] = esc_html( trim( $banned_ip_range ) );
                 }
             }
         }
     }
 
     $banned_hosts = array();
-    if(!empty($banned_hosts_post)) {
-        foreach($banned_hosts_post as $banned_host) {
-            if($admin_login == 'admin' && ($banned_host == @gethostbyaddr(ban_get_ip()) || is_admin_hostname($banned_host))) {
-                $text .= '<p style="color: blue;">'.sprintf(__('This Hostname \'%s\' Belongs To The Admin And Will Not Be Added To Ban List', 'wp-ban'), $banned_host).'</p>';
+    if ( ! empty( $banned_hosts_post ) ) {
+        foreach ( $banned_hosts_post as $banned_host ) {
+            if ( $admin_login === 'admin' && ( $banned_host === @gethostbyaddr( ban_get_ip() ) || is_admin_hostname( $banned_host ) ) ) {
+                $text .= '<p style="color: blue;">' . sprintf( __( 'This Hostname \'%s\' Belongs To The Admin And Will Not Be Added To Ban List', 'wp-ban' ), $banned_host ) . '</p>';
             } else {
-                $banned_hosts[] = trim($banned_host);
+                $banned_hosts[] = esc_html( trim( $banned_host ) );
             }
         }
     }
 
     $banned_referers = array();
-    if(!empty($banned_referers_post)) {
-        foreach($banned_referers_post as $banned_referer) {
-            if(is_admin_referer($banned_referer)) {
-                $text .= '<p style="color: blue;">'.sprintf(__('This Referer \'%s\' Belongs To This Site And Will Not Be Added To Ban List', 'wp-ban'), $banned_referer).'</p>';
+    if ( ! empty( $banned_referers_post ) ) {
+        foreach ( $banned_referers_post as $banned_referer ) {
+            if ( is_admin_referer( $banned_referer ) ) {
+                $text .= '<p style="color: blue;">' . sprintf( __( 'This Referer \'%s\' Belongs To This Site And Will Not Be Added To Ban List', 'wp-ban' ), $banned_referer ) . '</p>';
             } else {
-                $banned_referers[] = trim($banned_referer);
+                $banned_referers[] = esc_html( trim( $banned_referer ) );
             }
         }
     }
 
     $banned_user_agents = array();
-    if(!empty($banned_user_agents_post)) {
-        foreach($banned_user_agents_post as $banned_user_agent) {
-            if(is_admin_user_agent($banned_user_agent)) {
-                $text .= '<p style="color: blue;">'.sprintf(__('This User Agent \'%s\' Is Used By The Current Admin And Will Not Be Added To Ban List', 'wp-ban'), $banned_user_agent).'</p>';
+    if ( ! empty( $banned_user_agents_post ) ) {
+        foreach ( $banned_user_agents_post as $banned_user_agent ) {
+            if ( is_admin_user_agent( $banned_user_agent ) ) {
+                $text .= '<p style="color: blue;">' . sprintf( __( 'This User Agent \'%s\' Is Used By The Current Admin And Will Not Be Added To Ban List', 'wp-ban' ), $banned_user_agent ) . '</p>';
             } else {
-                $banned_user_agents[] = trim($banned_user_agent);
+                $banned_user_agents[] = esc_html( trim( $banned_user_agent ) );
             }
         }
     }
 
     $banned_exclude_ips = array();
-    if(!empty($banned_exclude_ips_post)) {
-        foreach($banned_exclude_ips_post as $banned_exclude_ip) {
-            $banned_exclude_ips[] = trim($banned_exclude_ip);
+    if ( ! empty( $banned_exclude_ips_post ) ) {
+        foreach ( $banned_exclude_ips_post as $banned_exclude_ip ) {
+            $banned_exclude_ips[] = esc_html( trim( $banned_exclude_ip ) );
         }
     }
     $update_ban_queries = array();
     $update_ban_queries[] = update_option( 'banned_options', $banned_options );
-    $update_ban_queries[] = update_option('banned_ips', $banned_ips);
-    $update_ban_queries[] = update_option('banned_ips_range', $banned_ips_range);
-    $update_ban_queries[] = update_option('banned_hosts', $banned_hosts);
-    $update_ban_queries[] = update_option('banned_referers', $banned_referers);
-    $update_ban_queries[] = update_option('banned_user_agents', $banned_user_agents);
-    $update_ban_queries[] = update_option('banned_exclude_ips', $banned_exclude_ips);
-    $update_ban_queries[] = update_option('banned_message', $banned_message);
+    $update_ban_queries[] = update_option( 'banned_ips', $banned_ips );
+    $update_ban_queries[] = update_option( 'banned_ips_range', $banned_ips_range );
+    $update_ban_queries[] = update_option( 'banned_hosts', $banned_hosts );
+    $update_ban_queries[] = update_option( 'banned_referers', $banned_referers );
+    $update_ban_queries[] = update_option( 'banned_user_agents', $banned_user_agents );
+    $update_ban_queries[] = update_option( 'banned_exclude_ips', $banned_exclude_ips );
+    $update_ban_queries[] = update_option( 'banned_message', $banned_message );
     $update_ban_text = array();
     $update_ban_text[] = __( 'Banned Options', 'wp-ban' );
-    $update_ban_text[] = __('Banned IPs', 'wp-ban');
-    $update_ban_text[] = __('Banned IP Range', 'wp-ban');
-    $update_ban_text[] = __('Banned Host Names', 'wp-ban');
-    $update_ban_text[] = __('Banned Referers', 'wp-ban');
-    $update_ban_text[] = __('Banned User Agents', 'wp-ban');
-    $update_ban_text[] = __('Banned Excluded IPs', 'wp-ban');
-    $update_ban_text[] = __('Banned Message', 'wp-ban');
-    $i=0;
-    foreach($update_ban_queries as $update_ban_query) {
-        if($update_ban_query) {
-            $text .= '<p style="color: green;">'.$update_ban_text[$i].' '.__('Updated', 'wp-ban').'</p>';
+    $update_ban_text[] = __( 'Banned IPs', 'wp-ban');
+    $update_ban_text[] = __( 'Banned IP Range', 'wp-ban');
+    $update_ban_text[] = __( 'Banned Host Names', 'wp-ban');
+    $update_ban_text[] = __( 'Banned Referers', 'wp-ban');
+    $update_ban_text[] = __( 'Banned User Agents', 'wp-ban');
+    $update_ban_text[] = __( 'Banned Excluded IPs', 'wp-ban');
+    $update_ban_text[] = __( 'Banned Message', 'wp-ban');
+    $i = 0;
+    foreach ( $update_ban_queries as $update_ban_query ) {
+        if ( $update_ban_query ) {
+            $text .= '<p style="color: green;">' . $update_ban_text[$i] . ' ' . __( 'Updated', 'wp-ban' ) . '</p>';
         }
         $i++;
     }
-    if(empty($text)) {
-        $text = '<p style="color: red;">'.__('No Ban Option Updated', 'wp-ban').'</p>';
+    if ( empty( $text ) ) {
+        $text = '<p style="color: red;">' . __( 'No Ban Option Updated', 'wp-ban' ) . '</p>';
     }
 }
 if( ! empty( $_POST['do'] ) ) {
@@ -202,7 +211,7 @@ function banned_default_templates(template) {
         var default_template;
         switch(template) {
             case "message":
-                default_template = "<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\">\n<title>%SITE_NAME% - %SITE_URL%</title>\n</head>\n<body>\n<div id=\"wp-ban-container\">\n<p style=\"text-align: center; font-weight: bold;\"><?php _e('You Are Banned.', 'wp-ban'); ?></p>\n</div>\n</body>\n</html>";
+                default_template = "<html>\n<head>\n<meta charset=\"utf-8\">\n<title>%SITE_NAME% - %SITE_URL%</title>\n</head>\n<body>\n<div id=\"wp-ban-container\">\n<p style=\"text-align: center; font-weight: bold;\"><?php _e('You Are Banned.', 'wp-ban'); ?></p>\n</div>\n</body>\n</html>";
                 break;
         }
         jQuery("#banned_template_" + template).val(default_template);
@@ -276,7 +285,7 @@ function toggle_checkbox() {
             <td><strong><?php echo get_option('home'); ?></strong></td>
         </tr>
         <tr>
-            <td valign="top" colspan="2" align="center">
+            <td valign="top" colspan="2" style="text-align: center;">
                 <?php _e('Please <strong>DO NOT</strong> ban yourself.', 'wp-ban'); ?>
             </td>
         </tr>

wp-ban.php

@@ -3,15 +3,15 @@
 Plugin Name: WP-Ban
 Plugin URI: https://lesterchan.net/portfolio/programming/php/
 Description: Ban users by IP, IP Range, host name, user agent and referer url from visiting your WordPress's blog. It will display a custom ban message when the banned IP, IP range, host name, user agent or referer url tries to visit you blog. You can also exclude certain IPs from being banned. There will be statistics recordered on how many times they attemp to visit your blog. It allows wildcard matching too.
-Version: 1.69
+Version: 1.69.1
 Author: Lester 'GaMerZ' Chan
 Author URI: https://lesterchan.net
 Text Domain: wp-ban
 */
 
 
 /*
-	Copyright 2016  Lester Chan  (email : lesterchan@gmail.com)
+	Copyright 2022  Lester Chan  (email : lesterchan@gmail.com)
 
 	This program is free software; you can redistribute it and/or modify
 	it under the terms of the GNU General Public License as published by
@@ -91,12 +91,12 @@ function preview_banned_message() {
 function print_banned_message() {
 	$banned_ip = ban_get_ip();
 	$banned_stats = get_option( 'banned_stats' );
-	if( isset( $banned_stats['count'] ) ) {
+	if ( isset( $banned_stats['count'] ) ) {
 		$banned_stats['count'] += 1;
 	} else {
 		$banned_stats['count'] = 1;
 	}
-	if( isset( $banned_stats['users'][$banned_ip] ) ) {
+	if ( isset( $banned_stats['users'][$banned_ip] ) ) {
 		$banned_stats['users'][$banned_ip] += 1;
 	} else {
 		$banned_stats['users'][$banned_ip] = 1;
@@ -121,6 +121,7 @@ function print_banned_message() {
 		),
 		stripslashes( get_option( 'banned_message' ) )
 	);
+	echo '<!DOCTYPE html>' . "\n";
 	echo $banned_message;
 	exit();
 }
@@ -156,60 +157,60 @@ function process_ban_ip_range($banned_ips_range) {
 
 
 ### Function: Banned
-add_action('init', 'banned');
+add_action( 'init', 'banned' );
 function banned() {
 	$ip = ban_get_ip();
-	if($ip == 'unknown') {
+	if ( $ip === 'unknown' ) {
 		return;
 	}
-	$banned_ips = get_option('banned_ips');
-	if(is_array($banned_ips))
-		$banned_ips = array_filter($banned_ips);
+	$banned_ips = get_option( 'banned_ips' );
+	if ( is_array( $banned_ips ) )
+		$banned_ips = array_filter( $banned_ips );
 
-	$banned_ips_range = get_option('banned_ips_range');
-	if(is_array($banned_ips_range))
-		$banned_ips_range = array_filter($banned_ips_range);
+	$banned_ips_range = get_option( 'banned_ips_range' );
+	if ( is_array( $banned_ips_range ) )
+		$banned_ips_range = array_filter( $banned_ips_range );
 
-	$banned_hosts = get_option('banned_hosts');
-	if(is_array($banned_hosts))
-		$banned_hosts = array_filter($banned_hosts);
+	$banned_hosts = get_option( 'banned_hosts' );
+	if ( is_array( $banned_hosts ) )
+		$banned_hosts = array_filter( $banned_hosts );
 
-	$banned_referers = get_option('banned_referers');
-	if(is_array($banned_referers))
-		$banned_referers = array_filter($banned_referers);
+	$banned_referers = get_option( 'banned_referers' );
+	if ( is_array( $banned_referers ) )
+		$banned_referers = array_filter( $banned_referers );
 
-	$banned_user_agents = get_option('banned_user_agents');
-	if(is_array($banned_user_agents))
-		$banned_user_agents = array_filter($banned_user_agents);
+	$banned_user_agents = get_option( 'banned_user_agents' );
+	if ( is_array( $banned_user_agents ) )
+		$banned_user_agents = array_filter( $banned_user_agents );
 
 	$banned_exclude_ips = get_option('banned_exclude_ips');
-	if(is_array($banned_exclude_ips))
-		$banned_exclude_ips = array_filter($banned_exclude_ips);
+	if ( is_array( $banned_exclude_ips ) )
+		$banned_exclude_ips = array_filter( $banned_exclude_ips );
 
 	$is_excluded = false;
-	if(!empty($banned_exclude_ips)) {
-		foreach($banned_exclude_ips as $banned_exclude_ip) {
-			if($ip == $banned_exclude_ip) {
+	if ( ! empty( $banned_exclude_ips ) ) {
+		foreach( $banned_exclude_ips as $banned_exclude_ip ) {
+			if ( $ip === $banned_exclude_ip ) {
 				$is_excluded = true;
 				break;
 			}
 		}
 	}
 
-	if( ! $is_excluded ) {
+	if ( ! $is_excluded ) {
 		if( ! empty( $banned_ips ) ) {
 			process_ban( $banned_ips, $ip );
 		}
-		if( ! empty( $banned_ips_range ) ) {
+		if ( ! empty( $banned_ips_range ) ) {
 			process_ban_ip_range( $banned_ips_range );
 		}
-		if( ! empty( $banned_hosts ) ) {
+		if ( ! empty( $banned_hosts ) ) {
 			process_ban( $banned_hosts, @gethostbyaddr( $ip ) );
 		}
-		if( ! empty( $banned_referers ) && ! empty( $_SERVER['HTTP_REFERER'] ) ) {
+		if ( ! empty( $banned_referers ) && ! empty( $_SERVER['HTTP_REFERER'] ) ) {
 			process_ban( $banned_referers, $_SERVER['HTTP_REFERER'] );
 		}
-		if( ! empty( $banned_user_agents ) && ! empty( $_SERVER['HTTP_USER_AGENT'] ) ) {
+		if ( ! empty( $banned_user_agents ) && ! empty( $_SERVER['HTTP_USER_AGENT'] ) ) {
 			process_ban( $banned_user_agents, $_SERVER['HTTP_USER_AGENT'] );
 		}
 	}
@@ -299,8 +300,7 @@ function ban_activate() {
 	add_option('banned_ips', array());
 	add_option('banned_hosts',array());
 	add_option('banned_stats', array('users' => array(), 'count' => 0));
-	add_option('banned_message', '<!DOCTYPE html>'."\n".
-	'<html>'."\n".
+	add_option('banned_message', '<html>'."\n".
 	'<head>'."\n".
 	'<meta charset="utf-8">'."\n".
 	'<title>%SITE_NAME% - %SITE_URL%</title>'."\n".