Fixed an XSS vulnerability on the link checker settings page. Two inp…

…ut fields were not properly escaped, which would allow a malicious admin-level user to insert arbitrary HTML/JS into the page. Also fixed certain special characters being prefixed with slashes after saving settings. This was caused by WordPress automatically applying "magic quotes" (as in the deprecated PHP "feature") to all POST fields. git-svn-id: https://plugins.svn.wordpress.org/broken-link-checker/trunk@1038180 b8457f37-d9ea-0310-8a92-e5e31aec5664
wp-plugins · Dec 4, 2014 · 90615fe · 90615fe
1 parent 41adf93
commit 90615fe
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/core/core.php b/core/core.php
@@ -463,18 +463,18 @@ function options_page(){
 
             $this->conf->options['suggestions_enabled'] = !empty($_POST['suggestions_enabled']);
 
-            $this->conf->options['exclusion_list'] = array_filter( 
+            $this->conf->options['exclusion_list'] = array_filter(
 				preg_split( 
 					'/[\s\r\n]+/',				//split on newlines and whitespace 
-					$_POST['exclusion_list'], 
+					$cleanPost['exclusion_list'],
 					-1,
 					PREG_SPLIT_NO_EMPTY			//skip empty values
 				) 
 			);
 
             //Parse the custom field list
             $new_custom_fields = array_filter( 
-				preg_split( '/[\r\n]+/', $_POST['blc_custom_fields'], -1, PREG_SPLIT_NO_EMPTY )
+				preg_split( '/[\r\n]+/', $cleanPost['blc_custom_fields'], -1, PREG_SPLIT_NO_EMPTY )
 			);
 
 			//Calculate the difference between the old custom field list and the new one (used later)
@@ -993,7 +993,7 @@ class="regular-text ltr">
         <td><?php _e("Don't check links where the URL contains any of these words (one per line) :", 'broken-link-checker'); ?><br/>
         <textarea name="exclusion_list" id="exclusion_list" cols='45' rows='4'><?php
             if( isset($this->conf->options['exclusion_list']) )
-                echo implode("\n", $this->conf->options['exclusion_list']);
+                echo esc_textarea(implode("\n", $this->conf->options['exclusion_list']));
         ?></textarea>
 
         </td>
@@ -1403,7 +1403,7 @@ function make_custom_field_input($html, $current_settings){
 				 '</span>';
     	$html .= '<br><textarea name="blc_custom_fields" id="blc_custom_fields" cols="45" rows="4">';
         if( isset($current_settings['custom_fields']) )
-            $html .= implode("\n", $current_settings['custom_fields']);
+            $html .= esc_textarea(implode("\n", $current_settings['custom_fields']));
         $html .= '</textarea>';
 
         return $html;