diff --git a/activitypub.php b/activitypub.php index 75d52b1..0abf189 100644 --- a/activitypub.php +++ b/activitypub.php @@ -109,6 +109,7 @@ if ( \WP_DEBUG && file_exists( $debug_file ) && is_readable( $debug_file ) ) { * Add plugin settings link */ function plugin_settings_link( $actions ) { + $settings_link = array(); $settings_link[] = \sprintf( '%2s', \menu_page_url( 'activitypub', false ), diff --git a/includes/class-admin.php b/includes/class-admin.php index aae1b36..98cbb0e 100644 --- a/includes/class-admin.php +++ b/includes/class-admin.php @@ -205,13 +205,17 @@ class Admin { if ( ! isset( $_REQUEST['_apnonce'] ) ) { return false; } + $nonce = sanitize_text_field( wp_unslash( $_REQUEST['_apnonce'] ) ); if ( - ! wp_verify_nonce( $_REQUEST['_apnonce'], 'activitypub-user-description' ) || + ! wp_verify_nonce( $nonce, 'activitypub-user-description' ) || ! current_user_can( 'edit_user', $user_id ) ) { return false; } - update_user_meta( $user_id, 'activitypub_user_description', sanitize_text_field( $_POST['activitypub-user-description'] ) ); + $description = ! empty( $_POST['activitypub-user-description'] ) ? sanitize_text_field( wp_unslash( $_POST['activitypub-user-description'] ) ) : false; + if ( $description ) { + update_user_meta( $user_id, 'activitypub_user_description', $description ); + } } public static function enqueue_scripts( $hook_suffix ) { diff --git a/includes/class-health-check.php b/includes/class-health-check.php index f248d90..02ebfcf 100644 --- a/includes/class-health-check.php +++ b/includes/class-health-check.php @@ -125,7 +125,7 @@ class Health_Check { \sprintf( // translators: %s: Author URL \__( - '
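Review bot: The `sprintf` format in this hunk's context lines uses `%2s` (and, presumably, a `%1s` in the href that this rendering of the literal appears to have truncated); in PHP `sprintf` a bare digit before `s` is a minimum field width, not an argument index, so the link only renders correctly because the two arguments happen to be consumed in order. The positional form is `%1$s` / `%2$s`, which is what the intent reads as. The added `$settings_link = array();` initialisation itself is fine; the body of `plugin_settings_link` continues outside the hunk.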
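Review bot: The new `if ( $description )` guard around `update_user_meta` makes it impossible to clear a description: an empty submission now resolves to `false` and the previous meta value is silently kept, and `empty()` also discards a literal `0`. The removed line stored whatever was submitted, so this is a behaviour change the commit does not mention. Keep the unslash/sanitize but use `isset` and always write: `$description = isset( $_POST['activitypub-user-description'] ) ? sanitize_text_field( wp_unslash( $_POST['activitypub-user-description'] ) ) : '';` followed by an unconditional `update_user_meta( $user_id, 'activitypub_user_description', $description );`. The nonce plus `current_user_can( 'edit_user', $user_id )` pairing is the right authorization check; the enclosing method and `$user_id` originate outside the hunk.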

Your author URL %s was replaced, this is often done by plugins.

', + 'Your author URL %s was replaced, this is often done by plugins.', 'activitypub' ), $author_url @@ -148,7 +148,7 @@ class Health_Check { \sprintf( // translators: %s: Author URL \__( - '

Your author URL %s is not accessible. Please check your WordPress setup or permalink structure. If the setup seems fine, maybe check if a plugin might restrict the access.

', + 'Your author URL %s is not accessible. Please check your WordPress setup or permalink structure. If the setup seems fine, maybe check if a plugin might restrict the access.', 'activitypub' ), $author_url @@ -165,7 +165,7 @@ class Health_Check { \sprintf( // translators: %s: Author URL \__( - '

Your author URL %s is redirecting to another page, this is often done by SEO plugins like "Yoast SEO".

', + 'Your author URL %s is redirecting to another page, this is often done by SEO plugins like "Yoast SEO".', 'activitypub' ), $author_url @@ -182,7 +182,7 @@ class Health_Check { \sprintf( // translators: %s: Author URL \__( - '

Your author URL %s does not return valid JSON for application/activity+json. Please check if your hosting supports alternate Accept headers.

', + 'Your author URL %s does not return valid JSON for application/activity+json. Please check if your hosting supports alternate Accept headers.', 'activitypub' ), $author_url @@ -216,7 +216,7 @@ class Health_Check { 'webfinger_url_invalid_response' => \sprintf( // translators: %s: Author URL \__( - '

Your WebFinger endpoint %s does not return valid JSON for application/jrd+json.

', + 'Your WebFinger endpoint %s does not return valid JSON for application/jrd+json.', 'activitypub' ), $url->get_error_data() diff --git a/includes/functions.php b/includes/functions.php index 69acf43..ec20e2c 100644 --- a/includes/functions.php +++ b/includes/functions.php @@ -256,7 +256,7 @@ function is_activitypub_request() { * is to send an Accept header. */ if ( isset( $_SERVER['HTTP_ACCEPT'] ) ) { - $accept = $_SERVER['HTTP_ACCEPT']; + $accept = sanitize_text_field( wp_unslash( $_SERVER['HTTP_ACCEPT'] ) ); /* * $accept can be a single value, or a comma separated list of values. @@ -347,7 +347,7 @@ if ( ! function_exists( 'get_self_link' ) ) { */ function get_self_link() { $host = wp_parse_url( home_url() ); - - return esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) ); + $path = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : ''; + return esc_url( apply_filters( 'self_link', set_url_scheme( 'http://' . $host['host'] . $path ) ) ); } } diff --git a/includes/table/class-followers.php b/includes/table/class-followers.php index b27f311..289a194 100644 --- a/includes/table/class-followers.php +++ b/includes/table/class-followers.php @@ -119,8 +119,8 @@ class Followers extends WP_List_Table { if ( ! isset( $_REQUEST['followers'] ) || ! isset( $_REQUEST['_apnonce'] ) ) { return false; } - - if ( ! wp_verify_nonce( $_REQUEST['_apnonce'], 'activitypub-followers-list' ) ) { + $nonce = sanitize_text_field( wp_unslash( $_REQUEST['_apnonce'] ) ); + if ( ! wp_verify_nonce( $nonce, 'activitypub-followers-list' ) ) { return false; } diff --git a/templates/admin-header.php b/templates/admin-header.php index 3b40468..23fb421 100644 --- a/templates/admin-header.php +++ b/templates/admin-header.php @@ -1,3 +1,6 @@ +
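Review bot: Passing `REQUEST_URI` through `sanitize_text_field` in the new `$path` line of `get_self_link` corrupts any URI that contains percent-encoded octets — core's `_sanitize_text_fields` removes `%xx` sequences (and strips `<`/`>`), so a request for `/author/caf%C3%A9/` or `?s=a%20b` produces a self link that no longer matches the requested resource. The value is already passed to `esc_url` on the following line, which is the appropriate escaping for a URL context; the intermediate text-field sanitisation is both redundant and lossy. Suggest `$path = isset( $_SERVER['REQUEST_URI'] ) ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';`, which keeps percent-encoding intact. If this self link is used for ActivityPub object `id` values (the callers are not visible here), the mismatch would affect object identity, not just display.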
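Review bot: The nonce check in the `class-followers.php` hunk is the only gate visible before `$_REQUEST['followers']` is acted on; no `current_user_can()` call appears in the hunk, and a nonce by itself is CSRF protection, not authorization — any logged-in user who can load the page that emits `_apnonce` can obtain a valid one. The sibling change in `class-admin.php` pairs its nonce check with `current_user_can( 'edit_user', $user_id )`; unless the enclosing method, which starts outside the hunk, already verifies a capability, the equivalent belongs here, e.g. `if ( ! current_user_can( 'edit_user', <owner of this followers table> ) ) { return false; }` directly after the nonce check (the variable holding that user is not visible in the hunk).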

diff --git a/templates/user-settings.php b/templates/user-settings.php index a98b6ce..8de8c81 100644 --- a/templates/user-settings.php +++ b/templates/user-settings.php @@ -1,4 +1,6 @@ - +