Changeset 5692

Timestamp:

04/20/2015 04:40:37 PM (11 years ago)

Author:

johnjamesjacoby

Message:

All: ensure all URLs are escaped (2.5 branch)

Location:

branches/2.5/includes

Files:

• admin/admin.php (modified) (2 diffs)
• admin/metaboxes.php (modified) (10 diffs)
• admin/replies.php (modified) (2 diffs)
• admin/topics.php (modified) (2 diffs)
• common/template.php (modified) (3 diffs)
• replies/functions.php (modified) (1 diff)
• replies/template.php (modified) (1 diff)
• topics/functions.php (modified) (1 diff)
• topics/template.php (modified) (1 diff)

branches/2.5/includes/admin/admin.php

@@ -510 +510 @@
         // Settings page link
         if ( current_user_can( 'bbp_settings_page' ) ) {
-            $new_links['settings'] = '<a href="' . add_query_arg( array( 'page' => 'bbpress'   ), admin_url( 'options-general.php' ) ) . '">' . esc_html__( 'Settings', 'bbpress' ) . '</a>';
+            $new_links['settings'] = '<a href="' . esc_url( add_query_arg( array( 'page' => 'bbpress'   ), admin_url( 'options-general.php' ) ) ) . '">' . esc_html__( 'Settings', 'bbpress' ) . '</a>';
         }
 
         // About page link
         if ( current_user_can( 'bbp_about_page' ) ) {
-            $new_links['about']    = '<a href="' . add_query_arg( array( 'page' => 'bbp-about' ), admin_url( 'index.php'           ) ) . '">' . esc_html__( 'About',    'bbpress' ) . '</a>';
+            $new_links['about']    = '<a href="' . esc_url( add_query_arg( array( 'page' => 'bbp-about' ), admin_url( 'index.php'           ) ) ) . '">' . esc_html__( 'About',    'bbpress' ) . '</a>';
         }
 
@@ -541 +541 @@
      */
     public function admin_bar_about_link( $wp_admin_bar ) {
-
         if ( is_user_logged_in() ) {
-
             $wp_admin_bar->add_menu( array(
                 'parent' => 'wp-logo',

branches/2.5/includes/admin/metaboxes.php

@@ -51 +51 @@
                     if ( current_user_can( 'publish_forums' ) ) {
                         $link = add_query_arg( array( 'post_type' => bbp_get_forum_post_type() ), get_admin_url( null, 'edit.php' ) );
-                        $num  = '<a href="' . $link . '">' . $num  . '</a>';
-                        $text = '<a href="' . $link . '">' . $text . '</a>';
+                        $num  = '<a href="' . esc_url( $link ) . '">' . $num  . '</a>';
+                        $text = '<a href="' . esc_url( $link ) . '">' . $text . '</a>';
                     }
                 ?>
@@ -68 +68 @@
                     if ( current_user_can( 'publish_topics' ) ) {
                         $link = add_query_arg( array( 'post_type' => bbp_get_topic_post_type() ), get_admin_url( null, 'edit.php' ) );
-                        $num  = '<a href="' . $link . '">' . $num  . '</a>';
-                        $text = '<a href="' . $link . '">' . $text . '</a>';
+                        $num  = '<a href="' . esc_url( $link ) . '">' . $num  . '</a>';
+                        $text = '<a href="' . esc_url( $link ) . '">' . $text . '</a>';
                     }
                 ?>
@@ -85 +85 @@
                     if ( current_user_can( 'publish_replies' ) ) {
                         $link = add_query_arg( array( 'post_type' => bbp_get_reply_post_type() ), get_admin_url( null, 'edit.php' ) );
-                        $num  = '<a href="' . $link . '">' . $num  . '</a>';
-                        $text = '<a href="' . $link . '">' . $text . '</a>';
+                        $num  = '<a href="' . esc_url( $link ) . '">' . $num  . '</a>';
+                        $text = '<a href="' . esc_url( $link ) . '">' . $text . '</a>';
                     }
                 ?>
@@ -104 +104 @@
                         if ( current_user_can( 'manage_topic_tags' ) ) {
                             $link = add_query_arg( array( 'taxonomy' => bbp_get_topic_tag_tax_id(), 'post_type' => bbp_get_topic_post_type() ), get_admin_url( null, 'edit-tags.php' ) );
-                            $num  = '<a href="' . $link . '">' . $num  . '</a>';
-                            $text = '<a href="' . $link . '">' . $text . '</a>';
+                            $num  = '<a href="' . esc_url( $link ) . '">' . $num  . '</a>';
+                            $text = '<a href="' . esc_url( $link ) . '">' . $text . '</a>';
                         }
                     ?>
@@ -136 +136 @@
                     if ( current_user_can( 'edit_users' ) ) {
                         $link = get_admin_url( null, 'users.php' );
-                        $num  = '<a href="' . $link . '">' . $num  . '</a>';
-                        $text = '<a href="' . $link . '">' . $text . '</a>';
+                        $num  = '<a href="' . esc_url( $link ) . '">' . $num  . '</a>';
+                        $text = '<a href="' . esc_url( $link ) . '">' . $text . '</a>';
                     }
                 ?>
@@ -157 +157 @@
                             $link = add_query_arg( array( 'post_status' => bbp_get_spam_status_id() ), $link );
                         }
-                        $num  = '<a href="' . $link . '" title="' . esc_attr( $r['hidden_topic_title'] ) . '">' . $num  . '</a>';
-                        $text = '<a class="waiting" href="' . $link . '" title="' . esc_attr( $r['hidden_topic_title'] ) . '">' . $text . '</a>';
+                        $num  = '<a href="' . esc_url( $link ) . '" title="' . esc_attr( $r['hidden_topic_title'] ) . '">' . $num  . '</a>';
+                        $text = '<a class="waiting" href="' . esc_url( $link ) . '" title="' . esc_attr( $r['hidden_topic_title'] ) . '">' . $text . '</a>';
                     ?>
 
@@ -179 +179 @@
                             $link = add_query_arg( array( 'post_status' => bbp_get_spam_status_id() ), $link );
                         }
-                        $num  = '<a href="' . $link . '" title="' . esc_attr( $r['hidden_reply_title'] ) . '">' . $num  . '</a>';
-                        $text = '<a class="waiting" href="' . $link . '" title="' . esc_attr( $r['hidden_reply_title'] ) . '">' . $text . '</a>';
+                        $num  = '<a href="' . esc_url( $link ) . '" title="' . esc_attr( $r['hidden_reply_title'] ) . '">' . $num  . '</a>';
+                        $text = '<a class="waiting" href="' . esc_url( $link ) . '" title="' . esc_attr( $r['hidden_reply_title'] ) . '">' . $text . '</a>';
                     ?>
 
@@ -198 +198 @@
                         $text = _n( 'Empty Topic Tag', 'Empty Topic Tags', $r['empty_topic_tag_count'], 'bbpress' );
                         $link = add_query_arg( array( 'taxonomy' => bbp_get_topic_tag_tax_id(), 'post_type' => bbp_get_topic_post_type() ), get_admin_url( null, 'edit-tags.php' ) );
-                        $num  = '<a href="' . $link . '">' . $num  . '</a>';
-                        $text = '<a class="waiting" href="' . $link . '">' . $text . '</a>';
+                        $num  = '<a href="' . esc_url( $link ) . '">' . $num  . '</a>';
+                        $text = '<a class="waiting" href="' . esc_url( $link ) . '">' . $text . '</a>';
                     ?>
 
@@ -457 +457 @@
         <strong class="label"><?php esc_html_e( 'Topic:', 'bbpress' ); ?></strong>
         <label class="screen-reader-text" for="parent_id"><?php esc_html_e( 'Topic', 'bbpress' ); ?></label>
-        <input name="parent_id" id="bbp_topic_id" type="text" value="<?php echo esc_attr( $reply_topic_id ); ?>" data-ajax-url="<?php echo wp_nonce_url( add_query_arg( array( 'action' => 'bbp_suggest_topic' ), admin_url( 'admin-ajax.php', 'relative' ) ), 'bbp_suggest_topic_nonce' ); ?>" />
+        <input name="parent_id" id="bbp_topic_id" type="text" value="<?php echo esc_attr( $reply_topic_id ); ?>" data-ajax-url="<?php echo esc_url( wp_nonce_url( add_query_arg( array( 'action' => 'bbp_suggest_topic' ), admin_url( 'admin-ajax.php', 'relative' ) ) ), 'bbp_suggest_topic_nonce' ); ?>" />
     </p>
 
@@ -516 +516 @@
             <strong class="label"><?php esc_html_e( 'ID:', 'bbpress' ); ?></strong>
             <label class="screen-reader-text" for="bbp_author_id"><?php esc_html_e( 'ID', 'bbpress' ); ?></label>
-            <input type="text" id="bbp_author_id" name="post_author_override" value="<?php echo esc_attr( bbp_get_global_post_field( 'post_author' ) ); ?>" data-ajax-url="<?php echo wp_nonce_url( add_query_arg( array( 'action' => 'bbp_suggest_user' ), admin_url( 'admin-ajax.php', 'relative' ) ), 'bbp_suggest_user_nonce' ); ?>" />
+            <input type="text" id="bbp_author_id" name="post_author_override" value="<?php echo esc_attr( bbp_get_global_post_field( 'post_author' ) ); ?>" data-ajax-url="<?php echo esc_url( wp_nonce_url( add_query_arg( array( 'action' => 'bbp_suggest_user' ), admin_url( 'admin-ajax.php', 'relative' ) ) ), 'bbp_suggest_user_nonce' ); ?>" />
         </p>
 

branches/2.5/includes/admin/replies.php

@@ -593 +593 @@
      * @uses bbp_get_forum_permalink() To get the forum permalink
      * @uses admin_url() To get the admin url of post.php
-     * @uses add_query_arg() To add custom args to the url
      * @uses apply_filters() Calls 'reply_topic_forum_row_actions' with an
      *                        array of reply topic forum actions
@@ -746 +745 @@
             if ( bbp_get_trash_status_id() === $reply->post_status ) {
                 $post_type_object   = get_post_type_object( bbp_get_reply_post_type() );
-                $actions['untrash'] = "<a title='" . esc_attr__( 'Restore this item from the Trash', 'bbpress' ) . "' href='" . add_query_arg( array( '_wp_http_referer' => add_query_arg( array( 'post_type' => bbp_get_reply_post_type() ), admin_url( 'edit.php' ) ) ), wp_nonce_url( admin_url( sprintf( $post_type_object->_edit_link . '&amp;action=untrash', $reply->ID ) ), 'untrash-' . $reply->post_type . '_' . $reply->ID ) ) . "'>" . esc_html__( 'Restore', 'bbpress' ) . "</a>";
+                $actions['untrash'] = "<a title='" . esc_attr__( 'Restore this item from the Trash', 'bbpress' ) . "' href='" . esc_url( add_query_arg( array( '_wp_http_referer' => add_query_arg( array( 'post_type' => bbp_get_reply_post_type() ), admin_url( 'edit.php' ) ) ), wp_nonce_url( admin_url( sprintf( $post_type_object->_edit_link . '&amp;action=untrash', $reply->ID ) ), 'untrash-' . $reply->post_type . '_' . $reply->ID ) ) ) . "'>" . esc_html__( 'Restore', 'bbpress' ) . "</a>";
             } elseif ( EMPTY_TRASH_DAYS ) {
-                $actions['trash'] = "<a class='submitdelete' title='" . esc_attr__( 'Move this item to the Trash', 'bbpress' ) . "' href='" . add_query_arg( array( '_wp_http_referer' => add_query_arg( array( 'post_type' => bbp_get_reply_post_type() ), admin_url( 'edit.php' ) ) ), get_delete_post_link( $reply->ID ) ) . "'>" . esc_html__( 'Trash', 'bbpress' ) . "</a>";
+                $actions['trash'] = "<a class='submitdelete' title='" . esc_attr__( 'Move this item to the Trash', 'bbpress' ) . "' href='" . esc_url( add_query_arg( array( '_wp_http_referer' => add_query_arg( array( 'post_type' => bbp_get_reply_post_type() ), admin_url( 'edit.php' ) ) ), get_delete_post_link( $reply->ID ) ) ) . "'>" . esc_html__( 'Trash', 'bbpress' ) . "</a>";
             }
 
             if ( bbp_get_trash_status_id() === $reply->post_status || !EMPTY_TRASH_DAYS ) {
-                $actions['delete'] = "<a class='submitdelete' title='" . esc_attr__( 'Delete this item permanently', 'bbpress' ) . "' href='" . add_query_arg( array( '_wp_http_referer' => add_query_arg( array( 'post_type' => bbp_get_reply_post_type() ), admin_url( 'edit.php' ) ) ), get_delete_post_link( $reply->ID, '', true ) ) . "'>" . esc_html__( 'Delete Permanently', 'bbpress' ) . "</a>";
+                $actions['delete'] = "<a class='submitdelete' title='" . esc_attr__( 'Delete this item permanently', 'bbpress' ) . "' href='" . esc_url( add_query_arg( array( '_wp_http_referer' => add_query_arg( array( 'post_type' => bbp_get_reply_post_type() ), admin_url( 'edit.php' ) ) ), get_delete_post_link( $reply->ID, '', true ) ) ) . "'>" . esc_html__( 'Delete Permanently', 'bbpress' ) . "</a>";
             } elseif ( bbp_get_spam_status_id() === $reply->post_status ) {
                 unset( $actions['trash'] );

branches/2.5/includes/admin/topics.php

@@ -655 +655 @@
      * @uses bbp_get_forum_permalink() To get the forum permalink
      * @uses admin_url() To get the admin url of post.php
-     * @uses add_query_arg() To add custom args to the url
      * @uses bbp_topic_reply_count() To output the topic reply count
      * @uses bbp_topic_voice_count() To output the topic voice count
@@ -816 +815 @@
             if ( bbp_get_trash_status_id() === $topic->post_status ) {
                 $post_type_object   = get_post_type_object( bbp_get_topic_post_type() );
-                $actions['untrash'] = "<a title='" . esc_attr__( 'Restore this item from the Trash', 'bbpress' ) . "' href='" . wp_nonce_url( add_query_arg( array( '_wp_http_referer' => add_query_arg( array( 'post_type' => bbp_get_topic_post_type() ), admin_url( 'edit.php' ) ) ), admin_url( sprintf( $post_type_object->_edit_link . '&amp;action=untrash', $topic->ID ) ) ), 'untrash-' . $topic->post_type . '_' . $topic->ID ) . "'>" . esc_html__( 'Restore', 'bbpress' ) . "</a>";
+                $actions['untrash'] = "<a title='" . esc_attr__( 'Restore this item from the Trash', 'bbpress' ) . "' href='" . esc_url( wp_nonce_url( add_query_arg( array( '_wp_http_referer' => add_query_arg( array( 'post_type' => bbp_get_topic_post_type() ), admin_url( 'edit.php' ) ) ), admin_url( sprintf( $post_type_object->_edit_link . '&amp;action=untrash', $topic->ID ) ) ), 'untrash-' . $topic->post_type . '_' . $topic->ID ) ) . "'>" . esc_html__( 'Restore', 'bbpress' ) . "</a>";
             } elseif ( EMPTY_TRASH_DAYS ) {
-                $actions['trash'] = "<a class='submitdelete' title='" . esc_attr__( 'Move this item to the Trash', 'bbpress' ) . "' href='" . add_query_arg( array( '_wp_http_referer' => add_query_arg( array( 'post_type' => bbp_get_topic_post_type() ), admin_url( 'edit.php' ) ) ), get_delete_post_link( $topic->ID ) ) . "'>" . esc_html__( 'Trash', 'bbpress' ) . "</a>";
+                $actions['trash'] = "<a class='submitdelete' title='" . esc_attr__( 'Move this item to the Trash', 'bbpress' ) . "' href='" . esc_url( add_query_arg( array( '_wp_http_referer' => add_query_arg( array( 'post_type' => bbp_get_topic_post_type() ), admin_url( 'edit.php' ) ) ), get_delete_post_link( $topic->ID ) ) ) . "'>" . esc_html__( 'Trash', 'bbpress' ) . "</a>";
             }
 
             if ( bbp_get_trash_status_id() === $topic->post_status || !EMPTY_TRASH_DAYS ) {
-                $actions['delete'] = "<a class='submitdelete' title='" . esc_attr__( 'Delete this item permanently', 'bbpress' ) . "' href='" . add_query_arg( array( '_wp_http_referer' => add_query_arg( array( 'post_type' => bbp_get_topic_post_type() ), admin_url( 'edit.php' ) ) ), get_delete_post_link( $topic->ID, '', true ) ) . "'>" . esc_html__( 'Delete Permanently', 'bbpress' ) . "</a>";
+                $actions['delete'] = "<a class='submitdelete' title='" . esc_attr__( 'Delete this item permanently', 'bbpress' ) . "' href='" . esc_url( add_query_arg( array( '_wp_http_referer' => add_query_arg( array( 'post_type' => bbp_get_topic_post_type() ), admin_url( 'edit.php' ) ) ), get_delete_post_link( $topic->ID, '', true ) ) ) . "'>" . esc_html__( 'Delete Permanently', 'bbpress' ) . "</a>";
             } elseif ( bbp_get_spam_status_id() === $topic->post_status ) {
                 unset( $actions['trash'] );

branches/2.5/includes/common/template.php

@@ -1135 +1135 @@
  * @since bbPress (r2815)
  *
- * @param string $url Pass a URL to redirect to
+ * @param string $args Pass a URL to redirect to
  * @uses add_query_arg() To add a arg to the url
  * @uses site_url() Toget the site url
@@ -1141 +1141 @@
  */
 function bbp_wp_login_action( $args = '' ) {
-
-    // Parse arguments against default values
-    $r = bbp_parse_args( $args, array(
-        'action'  => '',
-        'context' => ''
-    ), 'login_action' );
-
-    // Add action as query arg
-    if ( !empty( $r['action'] ) ) {
-        $login_url = add_query_arg( array( 'action' => $r['action'] ), 'wp-login.php' );
-
-    // No query arg
-    } else {
-        $login_url = 'wp-login.php';
+    echo esc_url( bbp_wp_login_action( $args ) );
+}
+
+    /**
+     * return the login form action url
+     *
+     * @since bbPress (r5691)
+     *
+     * @param string $args Pass a URL to redirect to
+     * @uses add_query_arg() To add a arg to the url
+     * @uses site_url() Toget the site url
+     * @uses apply_filters() Calls 'bbp_wp_login_action' with the url and args
+     */
+    function bbp_get_wp_login_action( $args = '' ) {
+
+        // Parse arguments against default values
+        $r = bbp_parse_args( $args, array(
+            'action'  => '',
+            'context' => '',
+            'url'     => 'wp-login.php'
+        ), 'login_action' );
+
+        // Add action as query arg
+        if ( !empty( $r['action'] ) ) {
+            $login_url = add_query_arg( array( 'action' => $r['action'] ), $r['url'] );
+
+        // No query arg
+        } else {
+            $login_url = $r['url'];
+        }
+
+        $login_url = site_url( $login_url, $r['context'] );
+
+        return apply_filters( 'bbp_wp_login_action', $login_url, $r, $args );
     }
-
-    $login_url = site_url( $login_url, $r['context'] );
-
-    echo apply_filters( 'bbp_wp_login_action', $login_url, $r );
-}
 
 /**
@@ -1188 +1203 @@
 
     // Remove loggedout query arg if it's there
-    $redirect_to    = (string) esc_attr( remove_query_arg( 'loggedout', $redirect_to ) );
-    $redirect_field = '<input type="hidden" id="bbp_redirect_to" name="redirect_to" value="' . $redirect_to . '" />';
+    $redirect_to    = remove_query_arg( 'loggedout', $redirect_to );
+    $redirect_field = '<input type="hidden" id="bbp_redirect_to" name="redirect_to" value="' . esc_url( $redirect_to ) . '" />';
 
     echo apply_filters( 'bbp_redirect_to_field', $redirect_field, $redirect_to );

branches/2.5/includes/replies/functions.php

@@ -1496 +1496 @@
  *                    and action
  * @uses bbp_get_reply_url() To get the reply url
- * @uses add_query_arg() To add custom args to the reply url
  * @uses wp_safe_redirect() To redirect to the reply
  * @uses bbPress::errors:add() To log the error messages

branches/2.5/includes/replies/template.php

@@ -459 +459 @@
      *
      * @param int $reply_id Optional. Reply id
-     * @param $string $redirect_to Optional. Pass a redirect value for use with
+     * @param string $redirect_to Optional. Pass a redirect value for use with
      *                              shortcodes and other fun things.
      * @uses bbp_get_reply_id() To get the reply id

branches/2.5/includes/topics/functions.php

@@ -2052 +2052 @@
  * @uses bbp_get_forum_permalink() To get the forum link
  * @uses bbp_get_topic_permalink() To get the topic link
- * @uses add_query_arg() To add args to the url
  * @uses wp_safe_redirect() To redirect to the topic
  * @uses bbPress::errors:add() To log the error messages

branches/2.5/includes/topics/template.php

@@ -2094 +2094 @@
      * @uses current_user_can() To check if the current user can edit others
      *                           replies
-     * @uses add_query_arg() To add custom args to the url
      * @uses apply_filters() Calls 'bbp_get_topic_replies_link' with the
      *                        replies link and topic id