XSS vulnerability being exploited in the wild

[Xavier59]

Describe the bug
An XSS vulnerability targeting the plugin multiple domain and is being actually exploited in the wild

Faulty lines :

multiple-domain/multiple-domain/MultipleDomain.php

Lines 882 to 886 in 51691cb

	private function outputHrefLangTag($url, $lang = 'x-default')
	{
	$lang = str_replace('_', '-', $lang);
	printf('<link rel="alternate" href="%s" hreflang="%s" />', $url, $lang);
	}

multiple-domain/multiple-domain/MultipleDomain.php

Lines 895 to 898 in 51691cb

	private function outputCanonicalTag($url)
	{
	printf('<link rel="canonical" href="%s" />', $url);
	}

$url should be encoded using htmlentities(urlencode($url))

To Reproduce
Steps to reproduce the behavior:

1. Go to www.yourwordpresswebsite.com/;>"'><script>alert(1)</script>&type=
2. This should trigger the XSS and print an alert. (make sure to use Firefox because Chrome/Safari have some inboard XSS protection)

Expected behavior
Output should be encoded to prevent xss

[straube]

Hey @Xavier59, thank you for reporting that. I'll fix it ASAP. Also, feel free if you want to submit a PR right away.

[straube]

@Xavier59 I tried to add the solution you suggested but it doesn't work the way it's supposed.

For instance, after changing the outputCanonicalTag this way:

private function outputCanonicalTag($url)
{
    $url = htmlentities(urlencode($url));
    printf('<link rel="canonical" href="%s" />', $url);
}

I got the following canonical tag in my front-end:

<link rel="canonical" href="http%3A%2F%2Fsandbox.test%2F%253B%253E%2522%253E%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E%2526type%253D" />

Since the entire URL got encoded, the link doesn't work as expected.

I'm using only htmlentities, then. Which got me the following tag and doesn't show the alert on page load.

<link rel="canonical" href="http://wp_sb.test/;&gt;&quot;\'&gt;&lt;script&gt;alert(1)&lt;/script&gt;&amp;type" />