
Commit 90615fe

author
whiteshadow
committed
Fixed an XSS vulnerability on the link checker settings page. Two input fields were not properly escaped, which would allow a malicious admin-level user to insert arbitrary HTML/JS into the page.
Also fixed certain special characters being prefixed with slashes after saving settings. This was caused by WordPress automatically applying "magic quotes" (as in the deprecated PHP "feature") to all POST fields. git-svn-id: https://plugins.svn.wordpress.org/broken-link-checker/trunk@1038180 b8457f37-d9ea-0310-8a92-e5e31aec5664
1 parent 41adf93 commit 90615fe


1 file changed

+5
-5
lines changed


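--- a/core/core.php
+++ b/core/core.php
@@ -463,18 +463,18 @@ function options_page(){
 
 $this->conf->options['suggestions_enabled'] = !empty($_POST['suggestions_enabled']);
 
-$this->conf->options['exclusion_list'] = array_filter(
+$this->conf->options['exclusion_list'] = array_filter(
 preg_split(
 '/[\s\r\n]+/', //split on newlines and whitespace
-$_POST['exclusion_list'],
+$cleanPost['exclusion_list'],
 -1,
 PREG_SPLIT_NO_EMPTY //skip empty values
 )
 );
 
 //Parse the custom field list
 $new_custom_fields = array_filter(
-preg_split( '/[\r\n]+/', $_POST['blc_custom_fields'], -1, PREG_SPLIT_NO_EMPTY )
+preg_split( '/[\r\n]+/', $cleanPost['blc_custom_fields'], -1, PREG_SPLIT_NO_EMPTY )
 );
 
 //Calculate the difference between the old custom field list and the new one (used later)
@@ -993,7 +993,7 @@ class="regular-text ltr">
 <td><?php _e("Don't check links where the URL contains any of these words (one per line) :", 'broken-link-checker'); ?><br/>
 <textarea name="exclusion_list" id="exclusion_list" cols='45' rows='4'><?php
 if( isset($this->conf->options['exclusion_list']) )
-echo implode("\n", $this->conf->options['exclusion_list']);
+echo esc_textarea(implode("\n", $this->conf->options['exclusion_list']));
 ?></textarea>
 
 </td>
@@ -1403,7 +1403,7 @@ function make_custom_field_input($html, $current_settings){
 '</span>';
 $html .= '<br><textarea name="blc_custom_fields" id="blc_custom_fields" cols="45" rows="4">';
 if( isset($current_settings['custom_fields']) )
-$html .= implode("\n", $current_settings['custom_fields']);
+$html .= esc_textarea(implode("\n", $current_settings['custom_fields']));
 $html .= '</textarea>';
 
 return $html;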
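Review bot: The new `$cleanPost['exclusion_list']` read on line 469 (and `$cleanPost['blc_custom_fields']` on line 477) has no key guard, so a submission that omits either field raises an undefined-index notice and hands null to preg_split(); a guarded read such as `isset($cleanPost['exclusion_list']) ? $cleanPost['exclusion_list'] : ''` (and the same for blc_custom_fields) avoids that. Where `$cleanPost` is built is outside this hunk, so it cannot be confirmed here that it is a slash-stripped copy of `$_POST` rather than a differently filtered one; a one-line comment at its definition, e.g. `// $_POST with the slashes WordPress adds to request data removed`, would make the intent of the swap clear to the next reader. Line 464 still reads `$_POST['suggestions_enabled']` directly, which is fine since only its emptiness is used, but that asymmetry is worth a short comment so it is not mistaken for an oversight. The enclosing options_page() begins and continues outside the hunk.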
