Skip to content

Commit f8e6e49

Browse files
committed
Fix security escaping in plugin installer
- Sanitize POST variables with sanitize_text_field() and sanitize_key() - Add wp_unslash() and isset() checks for POST data - Escape plugin author output with wp_kses() - Replace die() with wp_die()
1 parent 33edbb4 commit f8e6e49

1 file changed

Lines changed: 6 additions & 6 deletions

File tree

includes/class-plugin-installer.php

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -127,7 +127,7 @@ public static function render_template( $plugin, $api, $button_text, $button_cla
127127
<h2><?php echo esc_html( $api->name ); ?></h2>
128128
<p><?php echo esc_html( $api->short_description ); ?></p>
129129

130-
<p class="plugin-author"><?php esc_html_e( 'By', 'indieweb' ); ?> <?php echo $api->author; // phpcs:ignore ?></p>
130+
<p class="plugin-author"><?php esc_html_e( 'By', 'indieweb' ); ?> <?php echo wp_kses( $api->author, array( 'a' => array( 'href' => array() ) ) ); ?></p>
131131
</div>
132132
<ul class="activation-row">
133133
<li>
@@ -160,8 +160,8 @@ public function cnkt_plugin_installer() {
160160
wp_die( esc_html( __( 'Sorry, you are not allowed to install plugins on this site.', 'indieweb' ) ) );
161161
}
162162

163-
$nonce = $_POST['nonce']; // phpcs:ignore
164-
$plugin = $_POST['plugin']; // phpcs:ignore
163+
$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
164+
$plugin = isset( $_POST['plugin'] ) ? sanitize_key( wp_unslash( $_POST['plugin'] ) ) : '';
165165

166166
// Check our nonce, if they don't match then bounce!
167167
if ( ! wp_verify_nonce( $nonce, 'cnkt_installer_nonce' ) ) {
@@ -227,12 +227,12 @@ public function cnkt_plugin_activation() {
227227
wp_die( esc_html( __( 'Sorry, you are not allowed to activate plugins on this site.', 'indieweb' ) ) );
228228
}
229229

230-
$nonce = $_POST['nonce']; // phpcs:ignore
231-
$plugin = $_POST['plugin']; // phpcs:ignore
230+
$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
231+
$plugin = isset( $_POST['plugin'] ) ? sanitize_key( wp_unslash( $_POST['plugin'] ) ) : '';
232232

233233
// Check our nonce, if they don't match then bounce!
234234
if ( ! wp_verify_nonce( $nonce, 'cnkt_installer_nonce' ) ) {
235-
die( esc_html( __( 'Error - unable to verify nonce, please try again.', 'indieweb' ) ) );
235+
wp_die( esc_html( __( 'Error - unable to verify nonce, please try again.', 'indieweb' ) ) );
236236
}
237237

238238
// Include required libs for activation.

0 commit comments

Comments
 (0)