
Commit f306388

author
whiteshadow
committed
Fix a CSRF/XSS vulnerability caused by not escaping the URL returned by add_query_arg().
Version 1.10.6 (stable). git-svn-id: https://plugins.svn.wordpress.org/broken-link-checker/trunk@1139206 b8457f37-d9ea-0310-8a92-e5e31aec5664
1 parent b0bf207 commit f306388


3 files changed

+8
-7
lines changed


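--- a/core/core.php
+++ b/core/core.php
@@ -1315,7 +1315,7 @@ function print_module_list($modules, $current_settings){
 
 printf(
 ' | <a class="blc-toggle-link toggle-module-settings" id="toggle-module-settings-%s" href="#">%s</a>',
-$module_id,
+esc_attr($module_id),
 __('Configure', 'broken-link-checker')
 );
 
@@ -2248,13 +2248,13 @@ public function show_warnings_section_notice() {
 'The "Warnings" page lists problems that are probably temporary or suspected to be false positives.<br> Warnings that persist for a long time will usually be reclassified as broken links.',
 'broken-link-checker'
 ),
-add_query_arg($notice_name, '0'),
+esc_attr(add_query_arg($notice_name, '0')),
 _x(
 'Hide notice',
 'admin notice under Tools - Broken links - Warnings',
 'broken-link-checker'
 ),
-admin_url('options-general.php?page=link-checker-settings#blc_warning_settings'),
+esc_attr(admin_url('options-general.php?page=link-checker-settings#blc_warning_settings')),
 _x(
 'Change warning settings',
 'a link from the admin notice under Tools - Broken links - Warnings',
@@ -2783,7 +2783,7 @@ function status_text( $status ){
 "<a href='%s' title='" . __('View broken links', 'broken-link-checker') . "'><strong>".
 _n('Found %d broken link', 'Found %d broken links', $status['broken_links'], 'broken-link-checker') .
 "</strong></a>",
-admin_url('tools.php?page=view-broken-links'),
+esc_attr(admin_url('tools.php?page=view-broken-links')),
 $status['broken_links']
 );
 } else {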
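Review bot: The "Hide notice" link at 2251 is now escaped, but the CSRF half of the commit message is not visibly addressed in this hunk: `add_query_arg($notice_name, '0')` builds a plain GET link, and if the code that reads that parameter treats it as a request to hide the notice it still needs a nonce — `wp_nonce_url(add_query_arg($notice_name, '0'), '<action-name>')` here and a matching `check_admin_referer('<action-name>')` where the parameter is consumed; that handler is outside the hunk, so this may already be covered. For `href` values, `esc_url()` is the WordPress escaper of choice over `esc_attr()`: it performs the same attribute escaping and additionally drops values with unexpected schemes, so `esc_url(add_query_arg($notice_name, '0'))` and `esc_url(admin_url(...))` at 2251, 2257 and 2786 — and likewise for the two `get_delete_post_link()` calls in includes/any-post.php — would be the idiomatic form. At 2783 the translated `title='...'` text is still concatenated into the attribute unescaped, unlike the `esc_attr(__(...))` pattern used in includes/any-post.php; `esc_attr(__('View broken links', 'broken-link-checker'))` would make the two files consistent. show_warnings_section_notice() and status_text() both start and end outside their hunks.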

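--- a/includes/any-post.php
+++ b/includes/any-post.php
@@ -432,14 +432,14 @@ function ui_get_action_links($container_field = ''){
 $actions['trash'] = sprintf(
 "<span class='trash'><a class='submitdelete' title='%s' href='%s'>%s</a>",
 esc_attr(__('Move this item to the Trash')),
-get_delete_post_link($this->container_id, '', false),
+esc_attr(get_delete_post_link($this->container_id, '', false)),
 __('Trash')
 );
 } else {
 $actions['delete'] = sprintf(
 "<span><a class='submitdelete' title='%s' href='%s'>%s</a>",
 esc_attr(__('Delete this item permanently')),
-get_delete_post_link($this->container_id, '', true),
+esc_attr(get_delete_post_link($this->container_id, '', true)),
 __('Delete')
 );
 }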

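--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_i
 Tags: links, broken, maintenance, blogroll, custom fields, admin, comments, posts
 Requires at least: 3.2
 Tested up to: 4.2-beta
-Stable tag: 1.10.5
+Stable tag: 1.10.6
 
 This plugin will check your posts, comments and other content for broken links and missing images, and notify you if any are found.
 
@@ -99,6 +99,7 @@ To upgrade your installation
 == Changelog ==
 
 = 1.10.6 =
+* Fixed a serious CSRF/XSS vulnerability.
 * Switched to YouTube API v3. The old API version will be shut down on April 20, so the plugin needs to be updated to continue checking links to YouTube videos.
 * Fixed long URLs overflowing into adjacent table columns.
 * Fixed a few minor PHP strict-mode notices.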
