From 625237339cf8feb8f6f38ea26e4bb0d1e7ecdebe Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Sat, 16 Sep 2023 23:13:57 +0200
Subject: [PATCH 1/2] Downgrader: output escape exception arguments

When an exception isn't caught, it is likely to end up on the end-user's screen. While we obviously hope this will never happen, we should make sure that those exception messages are then not subject to XSS attacks, which could be hidden in translations. This hardens the code in the `Downgrader` class against these type of issues.
---
 src/downgrader.php | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/src/downgrader.php b/src/downgrader.php
index cc849f8..69817b2 100644
--- a/src/downgrader.php
+++ b/src/downgrader.php
@@ -95,11 +95,11 @@ public function handle_submit() {
 	 */
 	protected function downgrade( $target_version ) {
 		if ( ! \preg_match( '/^\d+\.\d+$/', $target_version ) ) {
-			throw new Exception( \__( 'An invalid version number was passed.', 'yoast-test-helper' ) );
+			throw new Exception( \esc_html__( 'An invalid version number was passed.', 'yoast-test-helper' ) );
 		}
 
 		if ( \version_compare( $target_version, '14.1', '<' ) ) {
-			throw new Exception( \__( 'Downgrading to below 14.1 is not supported', 'yoast-test-helper' ) );
+			throw new Exception( \esc_html__( 'Downgrading to below 14.1 is not supported', 'yoast-test-helper' ) );
 		}
 
 		require_once \ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
@@ -109,7 +109,7 @@ protected function downgrade( $target_version ) {
 
 		$downloaded_archive = $upgrader->download_package( "https://downloads.wordpress.org/plugin/wordpress-seo.$target_version.zip" );
 		if ( \is_wp_error( $downloaded_archive ) ) {
-			throw new Exception( \__( 'The requested version could not be downloaded', 'yoast-test-helper' ) );
+			throw new Exception( \esc_html__( 'The requested version could not be downloaded', 'yoast-test-helper' ) );
 		}
 
 		// Open the downloaded archive.
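Review bot: The two `\esc_html__()` calls on the `throw new Exception( ... )` lines fix the escaping context at throw time (HTML), so wherever the exception is caught (presumably `handle_submit()`, visible only in the hunk header) `$e->getMessage()` must be output without escaping again, or an `&` or quote in a translated message renders as `&amp;amp;` / `&amp;quot;`; if the message is ever logged or shown outside an HTML context it will likewise carry entities. That contract belongs on the method's docblock, whose closing ` */` is the first line of this hunk, e.g. `@throws Exception The message is already HTML-escaped; output it as-is.` The same applies to the `\esc_html__()` lines in the hunks at 109, 138, 169 and 185 and to the `\esc_html()` wrapper in the hunk at 154. `downgrade()` continues past the end of this hunk.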
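Review bot: `$target_version` is interpolated unquoted into the download URL on the `download_package()` line, and the only validation is the `\preg_match( '/^\d+\.\d+$/', ... )` guard in the preceding hunk; PCRE `$` also matches before a final newline, so a value such as `"15.1\n"` passes that check and the newline reaches the URL. Anchoring with `\z` (or adding the `D` modifier) closes the gap: `if ( ! \preg_match( '/^\d+\.\d+\z/', $target_version ) ) {`. `downgrade()` starts and ends outside this hunk.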
@@ -138,7 +138,7 @@ protected function downgrade( $target_version ) {
 
 		$migrations = $loader->get_migrations( 'free' );
 		if ( ! $migration_status->lock_migration( 'free' ) ) {
-			throw new Exception( \__( 'A migration is already in progress. Please try again later.', 'yoast-test-helper' ) );
+			throw new Exception( \esc_html__( 'A migration is already in progress. Please try again later.', 'yoast-test-helper' ) );
 		}
 
 		// Downgrade all migrations.
@@ -154,14 +154,16 @@ protected function downgrade( $target_version ) {
 				$adapter->rollback_transaction();
 
 				throw new Exception(
-					\sprintf(
-						/* translators: %1$s is the class name of the migration that failed, %2$s is the message given by the failure. */
-						\__( 'Migration %1$s failed with the message: %2$s', 'yoast-test-helper' ),
-						$class,
-						$e->getMessage()
+					\esc_html(
+						\sprintf(
+							/* translators: %1$s is the class name of the migration that failed, %2$s is the message given by the failure. */
+							\__( 'Migration %1$s failed with the message: %2$s', 'yoast-test-helper' ),
+							$class,
+							$e->getMessage()
+						)
 					),
 					0,
-					$e
+					$e // phpcs:ignore WordPress.Security.EscapeOutput.ExceptionNotEscaped -- This is an exception object.
 				);
 			}
 		}
@@ -169,7 +171,7 @@ protected function downgrade( $target_version ) {
 
 		$working_dir = $upgrader->unpack_package( $downloaded_archive, true );
 		if ( \is_wp_error( $working_dir ) ) {
-			throw new Exception( \__( 'Could not unpack the requested version.', 'yoast-test-helper' ) );
+			throw new Exception( \esc_html__( 'Could not unpack the requested version.', 'yoast-test-helper' ) );
 		}
 
 		$result = $upgrader->install_package(
@@ -185,7 +187,7 @@ protected function downgrade( $target_version ) {
 			]
 		);
 		if ( \is_wp_error( $result ) ) {
-			throw new Exception( \__( 'Could not install the requested version.', 'yoast-test-helper' ) );
+			throw new Exception( \esc_html__( 'Could not install the requested version.', 'yoast-test-helper' ) );
 		}
 
 		$downgrade_version = static function( $option ) use ( $target_version ) {
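Review bot: On the failure path in the hunk at 154, `$adapter->rollback_transaction();` is followed directly by the rethrow, and nothing visible releases the lock taken by `lock_migration( 'free' )` in the hunk at 138; unless the lock is released or expires elsewhere (the enclosing `try`/`catch` and loop begin outside this hunk), the next downgrade attempt would fail with the "A migration is already in progress" message. If that is intentional, a short comment on the rollback line would save the next reader the hunt, e.g. `// The migration lock is released by the caller — TODO confirm.`; otherwise release the lock before throwing. As a point of style, the trailing `// phpcs:ignore WordPress.Security.EscapeOutput.ExceptionNotEscaped -- ...` comment makes the `$e` argument line very long; the same suppression works as a `// phpcs:ignore ...` comment on its own line immediately above `$e`.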
From 43f1e3106e80c75bda9d57fedd100dfd71f54ea0 Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Fri, 22 Sep 2023 09:08:46 +0200
Subject: [PATCH 2/2] CS/QA: always escape the complete value

---
 src/wordpress-plugin-features.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wordpress-plugin-features.php b/src/wordpress-plugin-features.php
index 4026e56..7c66fcc 100644
--- a/src/wordpress-plugin-features.php
+++ b/src/wordpress-plugin-features.php
@@ -71,7 +71,7 @@ protected function get_plugin_features( WordPress_Plugin $plugin ) {
 				static function ( $name, $feature ) {
 					return \sprintf(
 						' ',
-						\esc_attr( $feature ) . '_button',
+						\esc_attr( $feature . '_button' ),
 						\esc_attr( $feature ),
 						\esc_html( $name )
 					);