Timestamp:
02/13/2024 02:17:29 PM (3 months ago)
Author:
jorbin
Message:

Multisite: Escape urls and html elements in wp-activate.php

When WPMU was merged in [12603], the intent was to go back and make sure everything was escaped. This completes that intent.

Props rafiq91, rajinsharwar, costdev, oglekler, nicolefurlan, ryan, peterwilsoncc.
Fixes #57336.
See #11644.

File:
1 edited

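--- a/trunk/src/wp-activate.php
+++ b/trunk/src/wp-activate.php
@@ -151,8 +151,8 @@
                     /* translators: 1: Login URL, 2: Username, 3: User email address, 4: Lost password URL. */
                     __( 'Your account has been activated. You may now <a href="%1$s">log in</a> to the site using your chosen username of &#8220;%2$s&#8221;. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.' ),
-                    network_site_url( $blog_details->path . 'wp-login.php', 'login' ),
-                    $signup->user_login,
-                    $signup->user_email,
-                    wp_lostpassword_url()
+                    esc_url( network_site_url( $blog_details->path . 'wp-login.php', 'login' ) ),
+                    esc_html( $signup->user_login ),
+                    esc_html( $signup->user_email ),
+                    esc_url( wp_lostpassword_url() )
                 );
             } else {
@@ -160,8 +160,8 @@
                     /* translators: 1: Site URL, 2: Username, 3: User email address, 4: Lost password URL. */
                     __( 'Your site at %1$s is active. You may now log in to your site using your chosen username of &#8220;%2$s&#8221;. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.' ),
-                    sprintf( '<a href="http://%1$s%2$s">%1$s%2$s</a>', $signup->domain, $blog_details->path ),
-                    $signup->user_login,
-                    $signup->user_email,
-                    wp_lostpassword_url()
+                    sprintf( '<a href="http://%1$s">%1$s</a>', esc_url( $signup->domain . $blog_details->path ) ),
+                    esc_html( $signup->user_login ),
+                    esc_html( $signup->user_email ),
+                    esc_url( wp_lostpassword_url() )
                 );
             }
@@ -171,9 +171,9 @@
             <h2><?php _e( 'An error occurred during the activation' ); ?></h2>
             <?php if ( is_wp_error( $result ) ) : ?>
-            <p><?php echo $result->get_error_message(); ?></p>
+            <p><?php echo esc_html( $result->get_error_message() ); ?></p>
             <?php endif; ?>
             <?php
         } else {
-            $url  = isset( $result['blog_id'] ) ? get_home_url( (int) $result['blog_id'] ) : '';
+            $url  = isset( $result['blog_id'] ) ? esc_url( get_home_url( (int) $result['blog_id'] ) ) : '';
             $user = get_userdata( (int) $result['user_id'] );
             ?>
@@ -181,6 +181,6 @@
 
             <div id="signup-welcome">
-            <p><span class="h3"><?php _e( 'Username:' ); ?></span> <?php echo $user->user_login; ?></p>
-            <p><span class="h3"><?php _e( 'Password:' ); ?></span> <?php echo $result['password']; ?></p>
+            <p><span class="h3"><?php _e( 'Username:' ); ?></span> <?php echo esc_html( $user->user_login ); ?></p>
+            <p><span class="h3"><?php _e( 'Password:' ); ?></span> <?php echo esc_html( $result['password'] ); ?></p>
             </div>
 
@@ -194,5 +194,5 @@
                 <?php
                     /* translators: 1: Site URL, 2: Login URL. */
-                    printf( __( 'Your account is now activated. <a href="%1$s">View your site</a> or <a href="%2$s">Log in</a>' ), $url, esc_url( $login_url ) );
+                    printf( __( 'Your account is now activated. <a href="%1$s">View your site</a> or <a href="%2$s">Log in</a>' ), esc_url( $url ), esc_url( $login_url ) );
                 ?>
                 </p>
@@ -203,6 +203,6 @@
                         /* translators: 1: Login URL, 2: Network home URL. */
                         __( 'Your account is now activated. <a href="%1$s">Log in</a> or go back to the <a href="%2$s">homepage</a>.' ),
-                        network_site_url( $blog_details->path . 'wp-login.php', 'login' ),
-                        network_home_url( $blog_details->path )
+                        esc_url( network_site_url( $blog_details->path . 'wp-login.php', 'login' ) ),
+                        esc_url( network_home_url( $blog_details->path ) )
                     );
                 ?>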
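Review bot: The rebuilt site link on new line 162, `sprintf( '<a href="http://%1$s">%1$s</a>', esc_url( $signup->domain . $blog_details->path ) )`, yields a doubled scheme, because esc_url() prepends `http://` to a value that carries no scheme and the format string prepends it again (e.g. `href="http://http://example.com/path/"` for a constructed domain). The same esc_url() output is also reused as the visible link text, where esc_html() is the context-appropriate escape. A version that escapes per context and builds the scheme only once is `sprintf( '<a href="%1$s">%2$s</a>', esc_url( 'http://' . $signup->domain . $blog_details->path ), esc_html( $signup->domain . $blog_details->path ) ),`. Separately, `$url` is passed through esc_url() both at its assignment on new line 177 and again in the printf() on new line 196; escaping once at the output point is enough and avoids relying on esc_url() being idempotent. The enclosing printf() and if/else around line 162 begin and end outside the hunk.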