From 77873d12b3ed55bf66536d081a2a0f20a52009ec Mon Sep 17 00:00:00 2001
From: Matthias Pfefferle
Date: Thu, 11 May 2023 14:20:35 +0200
Subject: [PATCH] sanitize output
---
 includes/class-shortcodes.php | 44 +++++++++++++++--------------------
 includes/class-webfinger.php | 2 +-
 includes/help.php | 4 ++--
 3 files changed, 22 insertions(+), 28 deletions(-)
diff --git a/includes/class-shortcodes.php b/includes/class-shortcodes.php
index 7289808..f0f8e22 100644
--- a/includes/class-shortcodes.php
+++ b/includes/class-shortcodes.php
@@ -42,8 +42,8 @@ class Shortcodes {
 foreach ( $tags as $tag ) {
 $hash_tags[] = \sprintf( '',
- \get_tag_link( $tag ),
- $tag->slug
+ \esc_url( \get_tag_link( $tag ) ),
+ \esc_html( $tag->slug )
 );
 }
@@ -66,7 +66,7 @@ class Shortcodes {
 return '';
 }
- return \get_the_title( $post_id );
+ return \esc_html( \get_the_title( $post_id ) );
 }
@@ -170,7 +170,7 @@ class Shortcodes {
 }
 }
- return \apply_filters( 'the_excerpt', $excerpt );
+ return $excerpt;
 }
 /**
@@ -189,21 +189,11 @@ class Shortcodes {
 return '';
 }
- $atts = shortcode_atts(
- array( 'apply_filters' => 'yes' ),
- $atts,
- $tag
- );
 $content = \get_post_field( 'post_content', $post );
- if ( 'yes' === $atts['apply_filters'] ) {
- $content = \apply_filters( 'the_content', $content );
- } else {
- $content = do_blocks( $content );
- $content = wptexturize( $content );
- $content = wp_filter_content_tags( $content );
- }
+ $content = do_blocks( $content );
+ $content = wptexturize( $content );
+ $content = wp_filter_content_tags( $content );
 // replace script and style elements
 $content = \preg_replace( '@<(script|style)[^>]*?>.*?@si', '', $content );
@@ -343,7 +333,11 @@ class Shortcodes {
 $hash_tags = array();
 foreach ( $categories as $category ) {
- $hash_tags[] = \sprintf( '', \get_category_link( $category ), $category->slug );
+ $hash_tags[] = \sprintf(
+ '',
+ \esc_url( \get_category_link( $category ) ),
+ \esc_html( $category->slug )
+ );
 }
 return \implode( ' ', $hash_tags );
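Review bot: In the `@@ -170,7 +170,7 @@` hunk `ap_excerpt` now returns `$excerpt` with no escaping at all, while its sibling `ap_title` two hunks up gains `\esc_html()`; dropping the `the_excerpt` filter removed the only processing step the hunk shows, so whatever markup `$excerpt` carries from the post reaches the caller verbatim. How `$excerpt` is built is outside the hunk (the function starts above it), so this may be fine if the text was already tag-stripped or kses'd there. If it was not, `return \wp_kses_post( $excerpt );` keeps author HTML while matching the commit's stated intent, or `return \esc_html( $excerpt );` if the excerpt is meant to be plain text like the title. Either way a one-line comment above the return saying whether the value is plain text or sanitized HTML would tell the next reader which contract the templates may rely on.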
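Review bot: In the `@@ -189,21 +189,11 @@` hunk the `preg_replace` on the last line is the only sanitizer left on `$content` now that the `the_content` branch is gone, and a tag-name denylist for `script`/`style` (the pattern's closing-tag part seems lost in this rendering) does not cover inline event handlers such as `onerror=`, `javascript:` hrefs, `<iframe>`/`<object>`, or an unterminated `<script` that the lazy `.*?` never matches. `post_content` is author-controlled and, for users holding `unfiltered_html`, can legitimately contain such markup, so an allowlist is the safer tool here: `$content = \wp_kses_post( $content );` after `wp_filter_content_tags()`, which also makes the regex redundant. The function's body continues past the end of the hunk, so a later step may already do this; if so, say it on the regex line, e.g. `// script/style stripped here; wp_kses_post() below handles attributes and other tags`, rather than leaving the regex to look like the whole defence.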
@@ -365,13 +359,13 @@ class Shortcodes {
 return '';
 }
- $name = \get_the_author_meta( 'display_name', $post->post_author );
+ $name = \esc_html( \get_the_author_meta( 'display_name', $post->post_author ) );
 if ( ! $name ) {
 return '';
 }
- return $name;
+ return \esc_html( $name );
 }
 /**
@@ -422,7 +416,7 @@ class Shortcodes {
 * @return string
 */
 public static function blogname( $atts, $content, $tag ) {
- return \get_bloginfo( 'name' );
+ return \esc_html( \get_bloginfo( 'name' ) );
 }
 /**
@@ -435,7 +429,7 @@ class Shortcodes {
 * @return string
 */
 public static function blogdesc( $atts, $content, $tag ) {
- return \get_bloginfo( 'description' );
+ return \esc_html( \get_bloginfo( 'description' ) );
 }
 /**
@@ -464,7 +458,7 @@ class Shortcodes {
 return '';
 }
- return $date;
+ return \esc_html( $date );
 }
 /**
@@ -493,7 +487,7 @@ class Shortcodes {
 return '';
 }
- return $date;
+ return \esc_html( $date );
 }
 /**
@@ -522,6 +516,6 @@ class Shortcodes {
 return '';
 }
- return $date;
+ return \esc_html( $date );
 }
 }
diff --git a/includes/class-webfinger.php b/includes/class-webfinger.php
index 1581853..679f8a1 100644
--- a/includes/class-webfinger.php
+++ b/includes/class-webfinger.php
@@ -51,7 +51,7 @@ class Webfinger {
 }
 // try to access author URL
- $response = \wp_remote_get(
+ $response = \wp_safe_remote_get(
 $url,
 array(
 'headers' => array( 'Accept' => 'application/activity+json' ),
diff --git a/includes/help.php b/includes/help.php
index 58339fb..ccf61cc 100644
--- a/includes/help.php
+++ b/includes/help.php
@@ -9,8 +9,8 @@ '
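Review bot: In the `@@ -365,13 +359,13 @@` hunk `$name` is escaped twice: `\esc_html()` wraps `get_the_author_meta()` on the first added line and wraps `$name` again on the return. `esc_html()` does not re-encode existing entities, so the output is the same either way, but the duplication hides where the trust boundary is and makes the `if ( ! $name )` check run on an already-escaped value. Escape once, at the point the value leaves the function: keep `$name = \get_the_author_meta( 'display_name', $post->post_author );` unescaped and leave only `return \esc_html( $name );`, which is also the shape every other hunk in this file uses.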
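Review bot: In the `class-webfinger.php` hunk `wp_safe_remote_get()` is the right call, since `$url` appears to be a remote actor URL resolved from a WebFinger lookup (per the comment `// try to access author URL`) and the safe variant sets `reject_unsafe_urls`, so `wp_http_validate_url()` refuses loopback/private hosts and non-http schemes; WordPress passes the same args to every redirect hop, so redirects are covered too. What the visible args do not bound is the response itself: a remote peer can answer slowly or with an arbitrarily large body, so unless the rest of the array (outside the hunk) already sets them, add `'timeout' => 10, 'limit_response_size' => 1048576,` next to `'headers'`. The code after the hunk should also check `is_wp_error( $response )` and `wp_remote_retrieve_response_code()` before parsing the body, which I cannot confirm from here.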
' . '
[ap_title]
' . '
' . \wp_kses( __( 'The post\'s title.', 'activitypub' ), 'default' ) . '
' . - '
[ap_content apply_filters="yes"]
' . - '
' . \wp_kses( __( 'The post\'s content. With apply_filters you can decide if filters should be applied or not (default is yes). The values can be yes or no. apply_filters attribute is optional.', 'activitypub' ), 'default' ) . '
' . + '
[ap_content]
' . + '
' . \wp_kses( __( 'The post\'s content.', 'activitypub' ), 'default' ) . '
' . '
[ap_excerpt lenght="400"]
' . '
' . \wp_kses( __( 'The post\'s excerpt (default 400 chars). length attribute is optional.', 'activitypub' ), 'default' ) . '
' . '
[ap_permalink type="url"]
' .