TukuToi / tukutoi-maintenance

Enable and Control a Custom Maintenance Mode for your WordPress Website.
https://www.tukutoi.com/program/tukutoi-maintenance/
GNU General Public License v2.0

[From WP Review Team] Variables must be escaped when echo'd #29

Closed smileBeda closed 3 years ago

smileBeda commented 3 years ago

Much related to sanitizing everything, all variables that are echoed need to be escaped, so it can't hijack admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data.

This is true for all $-variables, as it's possible that an XSS vulnerability in another plugin, or a MITM (Man in the Middle) attack, could subvert your data. It's doubly important when you're echoing content on the back-end of WordPress, as those are regularly targeted for exploits. By escaping, you ensure that you have future-proofed your plugin and protected your users.

Also keep in mind that sometimes a function is echoing when it should really be returning content instead. This is a common mistake when it comes to returning JSON encoded content. Very rarely is that actually something you should be echoing at all. Echoing is because it needs to be on the screen, read by a human. Returning (which is what you would do with an API) can be json encoded, though remember to sanitize when you save to that json object!

There are a number of options to secure all types of content (html, email, etc). Yes, even HTML needs to be properly escaped. https://developer.wordpress.org/plugins/security/securing-output/

Remember: You must use the most appropriate functions for the context. If you’re outputting HTML, use esc_html(), and so on.

Example(s) from your plugin:

tkt-maintenance/admin/class-tkt-maintenance-admin.php:382: echo '<fieldset><legend><span>'. __( 'Enter an URL or Upload an Image for the Logo', 'tkt-maintenance' ) .'</span></legend><input name="'. $this->plugin_short . '_logo" id="'. $this->plugin_short . '_logo" type="text" size="36" value="' . esc_url_raw( get_option( $this->plugin_short . '_logo' ) ) . '" /><input id="'. $this->plugin_short . '_logo_button" type="button" value="Upload Image" /><p>'. __( 'Enter an URL or Upload an Image for the Logo', 'tkt-maintenance' ) .'</p></fieldset>';
tkt-maintenance/admin/class-tkt-maintenance-admin.php:393: echo '<fieldset><legend><span>'. __( 'Add your own Footer Text', 'tkt-maintenance' ) .'</span></legend><input name="'. $this->plugin_short . '_footer" id="'. $this->plugin_short . '_footer" type="text" value="' . sanitize_text_field( get_option( $this->plugin_short . '_footer' ) ) . '" /><p>'. __( 'Add your own Footer Text', 'tkt-maintenance' ) .'</p></fieldset>';
tkt-maintenance/admin/class-tkt-maintenance-admin.php:404: echo '<fieldset><legend><span>'. __( 'Add your own Header Text', 'tkt-maintenance' ) .'</span></legend><input name="'. $this->plugin_short . '_header" id="'. $this->plugin_short . '_header" type="text" value="' . sanitize_text_field( get_option( $this->plugin_short . '_header' ) ) . '" /><p>'. __( 'Add your own Header Text', 'tkt-maintenance' ) .'</p></fieldset>';
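Added example (not code from the tukutoi-maintenance plugin) showing why the footer field quoted above is flagged: sanitize_text_field() is an input sanitizer and leaves quotes alone, so a stored value with no tags still breaks out of the value="" attribute, while esc_attr() at output time encodes it. The function names tkt_footer_field_before/after are hypothetical, the option value is constructed for the demo, and the function_exists() shims are stand-ins that approximate the WordPress behaviour only when the script is run outside WordPress.

```php
<?php
// Added example, not code from the tukutoi-maintenance plugin.
// Renders the "Footer Text" field from the issue twice: as reported
// (sanitize_text_field() at output time) and with esc_attr(), the escaper
// for HTML attribute context.
//
// Outside WordPress the esc_* functions do not exist, so minimal stand-ins
// are defined for the demo only; inside WordPress the real ones are used.

if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Approximation of the WordPress function: strips tags and surrounding
    // whitespace. It does not encode quotes, which is why it is a sanitizer
    // for stored input and not an escaper for output.
    function sanitize_text_field( $str ) {
        return trim( strip_tags( (string) $str ) );
    }
}
if ( ! function_exists( '__' ) ) {
    function __( $text, $domain = 'default' ) {
        return $text;
    }
}

/**
 * Field markup as reported in the issue (hypothetical helper): the stored
 * option goes through sanitize_text_field() and is concatenated straight
 * into a value="" attribute. Translated strings and the prefix are unescaped.
 */
function tkt_footer_field_before( $plugin_short, $stored_value ) {
    return '<fieldset><legend><span>' . __( 'Add your own Footer Text', 'tkt-maintenance' ) . '</span></legend>'
        . '<input name="' . $plugin_short . '_footer" id="' . $plugin_short . '_footer" type="text" value="'
        . sanitize_text_field( $stored_value ) . '" /></fieldset>';
}

/**
 * Same field with output escaping (hypothetical helper): esc_attr() for
 * everything placed inside an attribute, including the plugin prefix, and
 * esc_html() for translated text placed between tags.
 */
function tkt_footer_field_after( $plugin_short, $stored_value ) {
    $name = esc_attr( $plugin_short . '_footer' );
    return '<fieldset><legend><span>' . esc_html( __( 'Add your own Footer Text', 'tkt-maintenance' ) ) . '</span></legend>'
        . '<input name="' . $name . '" id="' . $name . '" type="text" value="'
        . esc_attr( $stored_value ) . '" /></fieldset>';
}

// Constructed option value: it contains no tags, so sanitize_text_field()
// passes it through unchanged, but the leading double quote closes the value
// attribute and the remainder becomes an event-handler attribute.
$stored = '" autofocus onfocus="alert(1)';

// Before: the quote survives, the attribute is broken out of.
echo tkt_footer_field_before( 'tkt_maintenance', $stored ) . PHP_EOL;

// After: esc_attr() turns the quotes into &quot;, the value stays inert text.
echo tkt_footer_field_after( 'tkt_maintenance', $stored ) . PHP_EOL;
```

Run it with php on the command line to compare the two lines of markup. In WordPress itself, esc_html( __( ... ) ) can be written as esc_html__( ... ), and the logo field at line 382 wants esc_url() rather than esc_url_raw(): esc_url_raw() is the variant for storing a URL in the database or passing it to a redirect, esc_url() is the one for printing it into HTML.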
smileBeda commented 3 years ago

Resolved in Develop I hope.