From 1079faaf013e56e866f824d4c99e56547c3a9898 Mon Sep 17 00:00:00 2001
From: Sami Ahmed Siddiqui
Date: Tue, 20 Aug 2024 17:50:19 +0500
Subject: [PATCH] Authenticated(Editor+) Stored Cross-Site Scripting (#96)
* Authenticated(Editor+) Stored Cross-Site Scripting
* Few other small fixes
---
 ...ass-custom-permalinks-post-types-table.php | 13 ++++---
 ...ass-custom-permalinks-taxonomies-table.php | 36 +++++++++----------
 2 files changed, 25 insertions(+), 24 deletions(-)
diff --git a/admin/class-custom-permalinks-post-types-table.php b/admin/class-custom-permalinks-post-types-table.php
index 90d6223..d7bc025 100644
--- a/admin/class-custom-permalinks-post-types-table.php
+++ b/admin/class-custom-permalinks-post-types-table.php
@@ -239,12 +239,13 @@ protected function column_title( $item ) {
 }
 $edit_link = get_edit_post_link( $item['ID'] );
- $title_with_edit_link = $post_title;
+ $title_with_edit_link = esc_html( $post_title );
 if ( ! empty( $edit_link ) ) {
 $title_with_edit_link = sprintf(
- '%s',
- $edit_link,
- $post_title
+ '%3s',
+ esc_url( $edit_link ),
+ esc_attr__( 'Edit', 'custom-permalinks' ) . ' ' . esc_attr( $post_title ),
+ $title_with_edit_link
 );
 }
@@ -283,10 +284,12 @@ protected function column_type( $item ) {
 */
 protected function column_permalink( $item ) {
 $page_url = get_permalink( $item['ID'] );
+ $page_url = esc_url( $page_url );
 $permalink = sprintf(
- '%s',
+ '%3s',
 $page_url,
+ esc_attr__( 'Visit', 'custom-permalinks' ) . ' ' . esc_attr( $item['post_title'] ),
 $page_url
 );
diff --git a/admin/class-custom-permalinks-taxonomies-table.php b/admin/class-custom-permalinks-taxonomies-table.php
index bf8c9ae..10b5700 100644
--- a/admin/class-custom-permalinks-taxonomies-table.php
+++ b/admin/class-custom-permalinks-taxonomies-table.php
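Review bot: The title attribute on the added `esc_attr__( 'Edit', 'custom-permalinks' ) . ' ' . esc_attr( $post_title )` line is assembled by concatenating a translated word with the post title, which fixes the word order for every locale and yields a dangling `title="Edit "` when the title is empty; the escaping is right, but the translatable unit should be the whole phrase, `esc_attr( sprintf( /* translators: %s: post title */ __( 'Edit %s', 'custom-permalinks' ), $post_title ) )`. As rendered here the new format string reads `'%3s'`, which PHP's sprintf treats as a width-3 `%s` bound to the first argument rather than the positional `%3$s`; if the anchor markup was stripped in rendering and the real string is `<a href="%1$s" title="%2$s">%3$s</a>` disregard this, otherwise the link would print the URL as its text. column_title starts before the hunk, so where `$post_title` is assigned, and whether it is already escaped there, is not visible.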
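Review bot: The added `$page_url = esc_url( $page_url );` escapes once with a URL/attribute escaper and then reuses the result as the visible link text, so the HTML text context is protected only because esc_url() happens to strip `<`, `>` and `"` and entity-encode `'` and `&`, which a reader has to know to trust the line. The conventional form escapes each output per context at the point of use, `esc_url( $page_url )` in the href and `esc_html( $page_url )` for the text, keeping the raw get_permalink() return in `$page_url`. get_permalink() also returns false when the post cannot be resolved, which the new code renders as `href=""`; a guard before the sprintf avoids emitting a dead link. column_permalink continues past the end of the hunk.
```php
$page_url = get_permalink( $item['ID'] );
if ( ! $page_url ) {
	return '';
}

$permalink = sprintf(
	// … unchanged: anchor format string with href, title and text placeholders …
	esc_url( $page_url ),
	esc_attr__( 'Visit', 'custom-permalinks' ) . ' ' . esc_attr( $item['post_title'] ),
	esc_html( $page_url )
);
```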
@@ -235,26 +235,22 @@ protected function column_title( $item ) {
 $edit_link = '';
 $term_title = 'NOT SET';
- if ( isset( $item['ID'] ) && isset( $item['type'] ) ) {
- $taxonomy_type = 'category';
- if ( 'tag' === $item['type'] ) {
- $taxonomy_type = 'post_tag';
- }
-
- $edit_link = get_edit_term_link( $item['ID'], $taxonomy_type );
- $term = get_term( $item['ID'], $taxonomy_type );
+ if ( isset( $item['ID'] ) ) {
+ $edit_link = get_edit_term_link( $item['ID'] );
+ $term = get_term( $item['ID'] );
- if ( isset( $term ) && isset( $term->name ) && ! empty( $term->name ) ) {
+ if ( isset( $term, $term->name ) && ! empty( $term->name ) ) {
 $term_title = $term->name;
 }
 }
- $title_with_edit_link = $term_title;
+ $title_with_edit_link = esc_html( $term_title );
 if ( ! empty( $edit_link ) ) {
 $title_with_edit_link = sprintf(
- '%s',
- $edit_link,
- $term_title
+ '%3s',
+ esc_url( $edit_link ),
+ esc_attr__( 'Edit', 'custom-permalinks' ) . ' ' . esc_attr( $term_title ),
+ $title_with_edit_link
 );
 }
@@ -312,6 +308,7 @@ protected function column_permalink( $item ) {
 }
 }
+ $taxonomy_type = $item['type'];
 if ( 'tag' === $item['type'] ) {
 $taxonomy_type = 'post_tag';
 }
@@ -333,17 +330,18 @@ protected function column_permalink( $item ) {
 $perm_text = str_replace( $home_url, '', $permalink );
 $term_title = '';
- if ( isset( $item['ID'] ) && isset( $item['type'] ) ) {
- $term = get_term( $item['ID'], $item['type'] );
- if ( isset( $term ) && isset( $term->name ) && ! empty( $term->name ) ) {
+ if ( isset( $item['ID'] ) ) {
+ $term = get_term( $item['ID'] );
+ if ( isset( $term, $term->name ) && ! empty( $term->name ) ) {
 $term_title = $term->name;
 }
 }
 $permalink = sprintf(
- '%s',
- $permalink,
- $perm_text
+ '%3s',
+ esc_url( $permalink ),
+ esc_attr__( 'Visit', 'custom-permalinks' ) . ' ' . esc_attr( $term_title ),
+ esc_html( $perm_text )
 );
 }
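Review bot: The new `if ( isset( $term, $term->name ) && ! empty( $term->name ) )` is redundant: `empty()` already tolerates an unset property and a null or WP_Error `$term` without a notice, so the `isset()` adds nothing, and neither check states the real precondition, which is that get_term() returned a term object; `if ( $term instanceof WP_Term && ! empty( $term->name ) )` says that directly. Dropping the taxonomy argument from get_term() and get_edit_term_link() relies on term IDs being globally unique (shared terms split in WordPress 4.4) and on get_edit_term_link() accepting an omitted taxonomy (4.5); if the plugin's minimum WordPress version is lower than that, the removed `$taxonomy_type` mapping still has to be passed. The `'NOT SET'` fallback that now flows through esc_html() is also emitted untranslated, unlike the `'Edit'` label beside it. column_title starts before the hunk.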
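Review bot: The added `$taxonomy_type = $item['type'];` changes the default: the column_title code removed by this same commit mapped every non-tag type to `'category'`, whereas this line passes `$item['type']` through verbatim before the `post_tag` rewrite, so the two functions only agree if `type` is always exactly `'category'` or `'tag'`; that is worth confirming where the rows are built, since the consumer of `$taxonomy_type` is below the hunk. The key is also read without `isset()`, here and in the unchanged `if` beneath it, so a row missing `type` raises an undefined-index notice; `$taxonomy_type = isset( $item['type'] ) ? $item['type'] : 'category';` keeps the old default and makes the first read notice-free. column_permalink starts before the hunk.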
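Review bot: When the term cannot be resolved `$term_title` stays `''`, so the new title attribute `esc_attr__( 'Visit', 'custom-permalinks' ) . ' ' . esc_attr( $term_title )` renders as the dangling `title="Visit "`, and the concatenation fixes the word order for translators; building it from a translatable format with a fallback handles both: `esc_attr( sprintf( /* translators: %s: term name or permalink path */ __( 'Visit %s', 'custom-permalinks' ), '' !== $term_title ? $term_title : $perm_text ) )`. The escaping itself is right: esc_url() on the href, esc_attr() inside the attribute, esc_html() on the visible `$perm_text`. get_term( $item['ID'] ) is now called twice per row, once here and once in column_title, which is normally a cache hit but avoidable by resolving the name once when the row is built. The enclosing block and column_permalink continue past the hunk.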