Fix a CSRF/XSS vulnerability caused by not escaping the URL returned by add_query_arg().

Version 1.10.6 (stable). 

git-svn-id: https://plugins.svn.wordpress.org/broken-link-checker/trunk@1139206 b8457f37-d9ea-0310-8a92-e5e31aec5664
whiteshadow committed Apr 20, 2015
1 parent b0bf207 commit f306388
Showing 3 changed files with 8 additions and 7 deletions.
8 changes: 4 additions & 4 deletions core/core.php
Expand Up @@ -1315,7 +1315,7 @@ function print_module_list($modules, $current_settings){

printf(
' | <a class="blc-toggle-link toggle-module-settings" id="toggle-module-settings-%s" href="#">%s</a>',
$module_id,
esc_attr($module_id),
__('Configure', 'broken-link-checker')
);

Expand Down Expand Up @@ -2248,13 +2248,13 @@ public function show_warnings_section_notice() {
'The "Warnings" page lists problems that are probably temporary or suspected to be false positives.<br> Warnings that persist for a long time will usually be reclassified as broken links.',
'broken-link-checker'
),
add_query_arg($notice_name, '0'),
esc_attr(add_query_arg($notice_name, '0')),
_x(
'Hide notice',
'admin notice under Tools - Broken links - Warnings',
'broken-link-checker'
),
admin_url('options-general.php?page=link-checker-settings#blc_warning_settings'),
esc_attr(admin_url('options-general.php?page=link-checker-settings#blc_warning_settings')),
_x(
'Change warning settings',
'a link from the admin notice under Tools - Broken links - Warnings',
Expand Down Expand Up @@ -2783,7 +2783,7 @@ function status_text( $status ){
"<a href='%s' title='" . __('View broken links', 'broken-link-checker') . "'><strong>".
_n('Found %d broken link', 'Found %d broken links', $status['broken_links'], 'broken-link-checker') .
"</strong></a>",
admin_url('tools.php?page=view-broken-links'),
esc_attr(admin_url('tools.php?page=view-broken-links')),
$status['broken_links']
);
} else {
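Review bot: esc_attr() is the wrong escaper for a URL that lands in an href: it neutralises the quote and angle-bracket characters that allowed the attribute break-out, but it does not sanitise the URL itself, so a value carrying an unexpected scheme or stray characters is passed through as-is. WordPress ships esc_url() for exactly this context (it strips invalid characters and rejects disallowed protocols), so `esc_attr(add_query_arg($notice_name, '0'))` in show_warnings_section_notice() should read `esc_url(add_query_arg($notice_name, '0'))`, and the two `esc_attr(admin_url(...))` calls in that hunk and in status_text() should likewise use esc_url(). The same pattern recurs in includes/any-post.php, where both get_delete_post_link() results are wrapped in esc_attr() rather than esc_url(). The esc_attr($module_id) change in print_module_list() is fine as written, since that value feeds an id attribute rather than a URL. Each of the three core.php hunks sits inside a function whose opening and closing lines lie outside the hunk.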
4 changes: 2 additions & 2 deletions includes/any-post.php
Expand Up @@ -432,14 +432,14 @@ function ui_get_action_links($container_field = ''){
$actions['trash'] = sprintf(
"<span class='trash'><a class='submitdelete' title='%s' href='%s'>%s</a>",
esc_attr(__('Move this item to the Trash')),
get_delete_post_link($this->container_id, '', false),
esc_attr(get_delete_post_link($this->container_id, '', false)),
__('Trash')
);
} else {
$actions['delete'] = sprintf(
"<span><a class='submitdelete' title='%s' href='%s'>%s</a>",
esc_attr(__('Delete this item permanently')),
get_delete_post_link($this->container_id, '', true),
esc_attr(get_delete_post_link($this->container_id, '', true)),
__('Delete')
);
}
3 changes: 2 additions & 1 deletion readme.txt
Expand Up @@ -4,7 +4,7 @@ Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_i
Tags: links, broken, maintenance, blogroll, custom fields, admin, comments, posts
Requires at least: 3.2
Tested up to: 4.2-beta
Stable tag: 1.10.5
Stable tag: 1.10.6

This plugin will check your posts, comments and other content for broken links and missing images, and notify you if any are found.

Expand Down Expand Up @@ -99,6 +99,7 @@ To upgrade your installation
== Changelog ==

= 1.10.6 =
* Fixed a serious CSRF/XSS vulnerability.
* Switched to YouTube API v3. The old API version will be shut down on April 20, so the plugin needs to be updated to continue checking links to YouTube videos.
* Fixed long URLs overflowing into adjacent table columns.
* Fixed a few minor PHP strict-mode notices.
