From ab6aefe446b5cfde8d9ebb41f1033ebb62350bea Mon Sep 17 00:00:00 2001
From: Alex Kirk
Date: Tue, 18 Jul 2023 06:30:06 +0200
Subject: [PATCH] Add missing output escaping

---
 includes/class-mention.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/includes/class-mention.php b/includes/class-mention.php
index a072bde..6798833 100644
--- a/includes/class-mention.php
+++ b/includes/class-mention.php
@@ -27,8 +27,12 @@ class Mention {
 	public static function the_content( $the_content ) {
 		$protected_tags = array();
 		$protect = function( $m ) use ( &$protected_tags ) {
-			$c = count( $protected_tags );
+			$c = \rand( 100000, 999999 );
 			$protect = '!#!#PROTECT' . $c . '#!#!';
+			while ( isset( $protected_tags[ $protect ] ) ) {
+				$c = \rand( 100000, 999999 );
+				$protect = '!#!#PROTECT' . $c . '#!#!';
+			}
 			$protected_tags[ $protect ] = $m[0];
 			return $protect;
 		};
@@ -78,8 +82,7 @@ class Mention {
 			if ( ! empty( $metadata['preferredUsername'] ) ) {
 				$username = $metadata['preferredUsername'];
 			}
-			$username = '@' . $username . '';
-			return \sprintf( '%s', $metadata['url'], $username );
+			return \sprintf( '@%s', esc_url( $metadata['url'] ), esc_html( $username ) );
 		}
 		return $result[0];
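Review bot: `\rand()` is not a cryptographic source, so if the reason for replacing the old predictable counter with a random placeholder is to stop a content author from embedding a matching `!#!#PROTECT…#!#!` token and having it swapped for a protected tag when the placeholders are restored, both calls in this hunk should become `$c = \random_int( 100000, 999999 );` (PHP 7+). Whether the restore step actually runs over author-controlled text cannot be confirmed here, since the_content continues beyond the hunk. The string assigned to `$protect` inside the closure also shadows the outer `$protect` closure variable; renaming the local to `$token` would make the collision loop easier to follow. The commit message only mentions escaping, so a one-line comment such as `// unguessable placeholder so author content cannot collide with a protected tag` would record why the counter was dropped.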