Merge pull request awesomemotive#390 from semperfiwebdesign/sanitize

Detect possible XSS attempts.
stanislavsa · Jul 8, 2016 · 9d06f1f · 9d06f1f
2 parents 7721de4 + 8bcad08
commit 9d06f1f
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/admin/aioseop_module_class.php b/admin/aioseop_module_class.php
@@ -1896,6 +1896,9 @@ function get_option_html( $args ) {
 				case 'html':
 					$buf .= $value;
 					break;
+				case 'esc_html':
+					$buf .= "<pre>" . esc_html( $value ) . "</pre>\n";
+					break;
 				default:
 					$buf .= "<input name='$name' type='{$options['type']}' $attr value='$value'>\n";
 			}

diff --git a/modules/aioseop_bad_robots.php b/modules/aioseop_bad_robots.php
@@ -58,7 +58,7 @@ function __construct() {
 				'blocked_log'    => array(
 					'name'     => __( 'Log Of Blocked Bots', 'all-in-one-seo-pack' ),
 					'default'  => __( 'No requests yet.', 'all-in-one-seo-pack' ),
-					'type'     => 'html',
+					'type'     => 'esc_html',
 					'disabled' => 'disabled',
 					'save'     => false,
 					'label'    => 'top',
@@ -99,13 +99,13 @@ function __construct() {
 				if ( ! $this->allow_bot() ) {
 					status_header( 503 );
 					$ip         = $this->validate_ip( $_SERVER['REMOTE_ADDR'] );
-					$user_agent = $this->sanitize_server_vars( $_SERVER['HTTP_USER_AGENT'] );
+					$user_agent = $_SERVER['HTTP_USER_AGENT'];
 					$this->blocked_message( sprintf( __( 'Blocked bot with IP %s -- matched user agent %s found in blocklist.', 'all-in-one-seo-pack' ), $ip, $user_agent ) );
 					exit();
 				} elseif ( $this->option_isset( 'block_refer' ) && $this->is_bad_referer() ) {
 					status_header( 503 );
 					$ip      = $this->validate_ip( $_SERVER['REMOTE_ADDR'] );
-					$referer = $this->sanitize_server_vars( $_SERVER['HTTP_REFERER'] );
+					$referer = $_SERVER['HTTP_REFERER'];
 					$this->blocked_message( sprintf( __( 'Blocked bot with IP %s -- matched referer %s found in blocklist.', 'all-in-one-seo-pack' ), $ip, $referer ) );
 				}
 			}
@@ -263,7 +263,9 @@ function blocked_message( $msg ) {
 		function filter_display_options( $options ) {
 
 			if ( $this->option_isset( 'blocked_log' ) ) {
-				$options["{$this->prefix}blocked_log"] = '<pre>' . $options["{$this->prefix}blocked_log"] . '</pre>';
+				if ( preg_match( '/\<(\?php|script)/', $options["{$this->prefix}blocked_log"] ) ) {
+					$options["{$this->prefix}blocked_log"] = "Probable XSS attempt detected!\n" . $options["{$this->prefix}blocked_log"];
+				}
 			}
 
 			return $options;

diff --git a/modules/aioseop_importer_exporter.php b/modules/aioseop_importer_exporter.php
@@ -199,7 +199,7 @@ function show_import_warnings() {
 
 			if ( is_array( $this->warnings ) ) {
 				foreach ( $this->warnings as $warning ) {
-					echo "<p>{$warning}</p>";
+					echo "<p>" . esc_html( $warning ) . "</p>";
 				}
 			}
 			echo '</div>';