Changeset 3207795

Timestamp:

12/13/2024 08:33:49 PM (14 months ago)

Author:

theandystratton

Message:

Update to v1.9.0 – fixes for security review

Location:

the-permalinker

Files:

• tags/1.9.0 (added)
• tags/1.9.0/readme.txt (added)
• tags/1.9.0/screenshot-1.png (added)
• tags/1.9.0/screenshot-2.png (added)
• tags/1.9.0/screenshot-3.png (added)
• tags/1.9.0/the-permalinker.php (added)
• trunk/readme.txt (modified) (1 diff)
• trunk/the-permalinker.php (modified) (4 diffs)

the-permalinker/trunk/readme.txt

@@ -36 +36 @@
 
 == Changelog ==
+
+= 1.9.0 =
+* Added important security enhancements for escaping URLs and HTML content to prevent XSS and other potential security holes
+* Some legacy output may be affected as we are now escaping URLs and HTML attributes.
+* Content inside of the shortcode should _not_ be escaped as we want to preserve any HTML within that shortcode content/anchor text.
 
 = 1.8.0 =

the-permalinker/trunk/the-permalinker.php

@@ -5 +5 @@
 Plugin URI: http://theandystratton.com/2009/the-permalinker-wordpress-plugin-dynamic-permalinks
 Author URI: http://theandystratton.com
-Version: 1.8.1
+Version: 1.9.0
 Description: Add dynamically created permalinks using the short code tag [permalink] and output dynamic links to your current template directory using short code [template_uri]. <a href="options-general.php?page=permalinker_help">Need help?</a>
 */
@@ -28 +28 @@
     if ( !empty($content) )
     {
-        $output = '<a href="' . \get_permalink( $id ) . \esc_attr( $append ) . '"';
+        $output = '<a href="' . \esc_url( \get_permalink( $id ) . \esc_attr( $append )  ) . '"';
         
         if ( !empty( $target ) )
-            $output .= ' target="' . $target . '"';
+            $output .= ' target="' . \esc_attr( $target ) . '"';
 
-        $output .= ' class="permalinker_link ' . $class . '"';
+        $output .= ' class="permalinker_link ' . \esc_attr( $class ) . '"';
 
         if ( !empty($rel) )
-            $output .= ' rel="' . $rel . '"';
+            $output .= ' rel="' . \esc_attr( $rel ) . '"';
 
         $output .= '>' . \str_replace( '%post_title%', \get_the_title( $id ), $content ) . '</a>';
@@ -42 +42 @@
     else
     {
-        $output = \get_permalink( $id ) . $append;
+        $output = \esc_url( \get_permalink( $id ) . \esc_attr( $append ) );
     }
     return $output;
@@ -51 +51 @@
 //
 function permalinker_template_uri( $atts, $content = null ) {
-    return \get_template_directory_uri();
+    return \esc_url( \get_template_directory_uri() );
 }