Security update: correct misuse of add_query_arg() as identified by…

… Sucuri: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html.

Also bumps WP compatability


git-svn-id: https://plugins.svn.wordpress.org/view-all-posts-pages/trunk@1139958 b8457f37-d9ea-0310-8a92-e5e31aec5664

readme.txt

@@ -3,8 +3,8 @@ Contributors: ethitter, thinkoomph
 Donate link: http://www.thinkoomph.com/plugins-modules/view-all-posts-pages/
 Tags: view all, pages, paged, paged post, multipage, single view, single page, wp_link_pages, nextpage, next page, quicktag
 Requires at least: 3.2.1
-Tested up to: 4.1
-Stable tag: 0.9
+Tested up to: 4.2
+Stable tag: 0.9.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -45,6 +45,9 @@ This plugin is known to conflict with certain plugins, many pertaining to SEO an
 
 == Changelog ==
 
+= 0.9.1 =
+* Security update: correct misuse of `add_query_arg()` as identified by Sucuri: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html.
+
 = 0.9 =
 * Move conditional registration of some filters to `init`, both to ensure external code can interact with filters and to avoid PHP notices.
 
@@ -92,6 +95,9 @@ This plugin is known to conflict with certain plugins, many pertaining to SEO an
 
 == Upgrade Notice ==
 
+= 0.9.1 =
+Security update: correct misuse of `add_query_arg()` as identified by Sucuri: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html.
+
 = 0.9 =
 Recommended update for anyone hoping to use plugin's filters to modify its behaviour.
 

view-all-posts-pages.php

@@ -1,11 +1,11 @@
 <?php
 /*
 Plugin Name: View All Post's Pages
-Plugin URI: http://www.thinkoomph.com/plugins-modules/view-all-posts-pages/
+Plugin URI: http://www.oomphinc.com/plugins-modules/view-all-posts-pages/
 Description: Provides a "view all" (single page) option for posts, pages, and custom post types paged using WordPress' <a href="http://codex.wordpress.org/Write_Post_SubPanel#Quicktags" target="_blank"><code>&lt;!--nextpage--&gt;</code> Quicktag</a> (multipage posts).
 Author: Erick Hitter & Oomph, Inc.
-Version: 0.9
-Author URI: http://www.thinkoomph.com/
+Version: 0.9.1
+Author URI: http://www.oomphinc.com/
 Text Domain: view_all_posts_pages
 
 This program is free software; you can redistribute it and/or modify
@@ -686,9 +686,9 @@ public function action_admin_notices_activation() {
 		<div id="wpf-rewrite-flush-warning" class="error fade">
 			<p><strong><?php _e( 'View All Post\'s Pages', 'view_all_posts_pages' ); ?></strong></p>
 
-			<p><?php printf( __( 'You must refresh your site\'s permalinks before <em>View All Post\'s Pages</em> is fully activated. To do so, go to <a href="%s">Permalinks</a> and click the <strong><em>Save Changes</em></strong> button at the bottom of the screen.', 'view_all_posts_pages' ), admin_url( 'options-permalink.php' ) ); ?></p>
+			<p><?php printf( __( 'You must refresh your site\'s permalinks before <em>View All Post\'s Pages</em> is fully activated. To do so, go to <a href="%s">Permalinks</a> and click the <strong><em>Save Changes</em></strong> button at the bottom of the screen.', 'view_all_posts_pages' ), esc_url( admin_url( 'options-permalink.php' ) ) ); ?></p>
 
-			<p><?php printf( __( 'When finished, click <a href="%s">here</a> to hide this message.', 'view_all_posts_pages' ), admin_url( add_query_arg( $this->notice_key, 1, 'index.php' ) ) ); ?></p>
+			<p><?php printf( __( 'When finished, click <a href="%s">here</a> to hide this message.', 'view_all_posts_pages' ), esc_url( admin_url( add_query_arg( $this->notice_key, 1, 'index.php' ) ) ) ); ?></p>
 		</div>
 
 		<?php