Sanitize SAML settings input

Author: pitbulk

onelogin-saml-sso/php/configuration.php

@@ -184,25 +184,25 @@ function onelogin_saml_configuration() {
 
 	function plugin_setting_string_onelogin_saml_idp_entityid() {
 		echo '<input type="text" name="onelogin_saml_idp_entityid" id="onelogin_saml_idp_entityid"
-			  value= "'.get_option('onelogin_saml_idp_entityid').'" size="80">'.
+			  value= "'.esc_html(get_option('onelogin_saml_idp_entityid')).'" size="80">'.
 			  '<p class="description">'.__('Identifier of the IdP entity. ("Issuer URL")', 'onelogin-saml-sso').'</p>';
 	}
 
 	function plugin_setting_string_onelogin_saml_idp_sso() {
 		echo '<input type="text" name="onelogin_saml_idp_sso" id="onelogin_saml_idp_sso"
-			  value= "'.get_option('onelogin_saml_idp_sso').'" size="80">'.
+			  value= "'.esc_url(get_option('onelogin_saml_idp_sso')).'" size="80">'.
 			  '<p class="description">'.__('SSO endpoint info of the IdP. URL target of the IdP where the SP will send the Authentication Request. ("SAML 2.0 Endpoint (HTTP)")', 'onelogin-saml-sso').'</p>';
 	}
 
 	function plugin_setting_string_onelogin_saml_idp_slo() {
 		echo '<input type="text" name="onelogin_saml_idp_slo" id="onelogin_saml_idp_slo"
-			  value= "'.get_option('onelogin_saml_idp_slo').'" size="80">'.
+			  value= "'.esc_url(get_option('onelogin_saml_idp_slo')).'" size="80">'.
 			  '<p class="description">'.__('SLO endpoint info of the IdP. URL target of the IdP where the SP will send the SLO Request. ("SLO Endpoint (HTTP)")', 'onelogin-saml-sso').'</p>';
 	}
 
 	function plugin_setting_string_onelogin_saml_idp_x509cert() {
 		echo '<textarea name="onelogin_saml_idp_x509cert" id="onelogin_saml_idp_x509cert" style="width:600px; height:220px; font-size:12px; font-family:courier,arial,sans-serif;">';
-		echo get_option('onelogin_saml_idp_x509cert');
+		echo esc_textarea(get_option('onelogin_saml_idp_x509cert'));
 		echo '</textarea>';
 		echo '<p class="description">'.__('Public x509 certificate of the IdP.  ("X.509 certificate")', 'onelogin-saml-sso');
 	}
@@ -268,50 +268,50 @@ function plugin_setting_boolean_onelogin_saml_alternative_acs() {
 
 	function plugin_setting_string_onelogin_saml_attr_mapping_username() {
 		echo '<input type="text" name="onelogin_saml_attr_mapping_username" id="onelogin_saml_attr_mapping_username"
-			  value= "'.get_option('onelogin_saml_attr_mapping_username').'" size="30">';
+			  value= "'.esc_html(get_option('onelogin_saml_attr_mapping_username')).'" size="30">';
 	}
 
 	function plugin_setting_string_onelogin_saml_attr_mapping_mail() {
 		echo '<input type="text" name="onelogin_saml_attr_mapping_mail" id="onelogin_saml_attr_mapping_mail"
-			  value= "'.get_option('onelogin_saml_attr_mapping_mail').'" size="30">';
+			  value= "'.esc_html(get_option('onelogin_saml_attr_mapping_mail')).'" size="30">';
 	}
 
 	function plugin_setting_string_onelogin_saml_attr_mapping_firstname() {
 		echo '<input type="text" name="onelogin_saml_attr_mapping_firstname" id="onelogin_saml_attr_mapping_firstname"
-			  value= "'.get_option('onelogin_saml_attr_mapping_firstname').'" size="30">';
+			  value= "'.esc_html(get_option('onelogin_saml_attr_mapping_firstname')).'" size="30">';
 	}
 
 	function plugin_setting_string_onelogin_saml_attr_mapping_lastname() {
 		echo '<input type="text" name="onelogin_saml_attr_mapping_lastname" id="onelogin_saml_attr_mapping_lastname"
-			  value= "'.get_option('onelogin_saml_attr_mapping_lastname').'" size="30">';
+			  value= "'.esc_html(get_option('onelogin_saml_attr_mapping_lastname')).'" size="30">';
 	}
 
 	function plugin_setting_string_onelogin_saml_attr_mapping_role() {
 		echo '<input type="text" name="onelogin_saml_attr_mapping_role" id="onelogin_saml_attr_mapping_role"
-			  value= "'.get_option('onelogin_saml_attr_mapping_role').'" size="30">'.
+			  value= "'.esc_html(get_option('onelogin_saml_attr_mapping_role')).'" size="30">'.
 			  '<p class="description">'.__("The attribute that contains the role of the user, For example 'memberOf'. If WordPress can't figure what role assign to the user, it will assign the default role defined at the general settings.", 'onelogin-saml-sso').'</p>';
 	}
 
 	function plugin_setting_string_onelogin_saml_role_mapping($role_value) {
 		echo '<input type="text" name="onelogin_saml_role_mapping_'.$role_value.'" id="onelogin_saml_role_mapping_'.$role_value.'"
-			  value= "'.get_option('onelogin_saml_role_mapping_'.$role_value).'" size="30">';
+			  value= "'.esc_html(get_option('onelogin_saml_role_mapping_'.$role_value)).'" size="30">';
 	}
 
 	function plugin_setting_string_onelogin_saml_role_order($role_value) {
 		echo '<input type="text" name="onelogin_saml_role_order_'.$role_value.'" id="onelogin_saml_role_order_'.$role_value.'"
-			  value= "'.get_option('onelogin_saml_role_order_'.$role_value).'" size="3">';
+			  value= "'.esc_html(get_option('onelogin_saml_role_order_'.$role_value)).'" size="3">';
 	}
 
 	function plugin_setting_boolean_onelogin_saml_role_mapping_multivalued_in_one_attribute_value() {
-		$value = get_option('onelogin_saml_role_mapping_multivalued_in_one_attribute_value');
+		$value = esc_html(get_option('onelogin_saml_role_mapping_multivalued_in_one_attribute_value'));
 		echo '<input type="checkbox" name="onelogin_saml_role_mapping_multivalued_in_one_attribute_value" id="onelogin_saml_role_mapping_multivalued_in_one_attribute_value"
 			  '.($value ? 'checked="checked"': '').'>
 			  <p class="description">'.__("Sometimes role values are provided in an unique attribute statement (instead multiple attribute statements). If that is the case, activate this and the plugin will try to split those values by ;<br>Use a regular expression pattern in order to extract complex data.", 'onelogin-saml-sso').'</p>';
 	}
 
 	function plugin_setting_string_onelogin_saml_role_mapping_multivalued_pattern() {
 		echo '<input type="text" name="onelogin_saml_role_mapping_multivalued_pattern" id="onelogin_saml_role_mapping_multivalued_pattern"
-			  value= "'.get_option('onelogin_saml_role_mapping_multivalued_pattern').'" size="70">
+			  value= "'.esc_html(get_option('onelogin_saml_role_mapping_multivalued_pattern')).'" size="70">
 			  <p class="description">'.__("Regular expression that extract roles from complex multivalued data (required to active the previous option).<br> E.g. If the SAMLResponse has a role attribute like: CN=admin;CN=superuser;CN=europe-admin; , use the regular expression <code>/CN=([A-Z0-9\s _-]*);/i</code> to retrieve the values. Or use <code>/CN=([^,;]*)/</code>", 'onelogin-saml-sso').'</p>';
 	}
 
@@ -352,19 +352,19 @@ function plugin_setting_boolean_onelogin_saml_customize_stay_in_wordpress_after_
 
 	function plugin_setting_string_onelogin_saml_customize_links_user_registration() {
 		echo '<input type="text" name="onelogin_saml_customize_links_user_registration" id="onelogin_saml_customize_links_user_registration"
-			  value= "'.get_option('onelogin_saml_customize_links_user_registration').'" size="80">
+			  value= "'.esc_url(get_option('onelogin_saml_customize_links_user_registration')).'" size="80">
 			  <p class="description">'.__("Override the user registration link. ", 'onelogin-saml-sso').'</p>';
 	}
 
 	function plugin_setting_string_onelogin_saml_customize_links_lost_password() {
 		echo '<input type="text" name="onelogin_saml_customize_links_lost_password" id="onelogin_saml_customize_links_lost_password"
-			  value= "'.get_option('onelogin_saml_customize_links_lost_password').'" size="80">
+			  value= "'.esc_url(get_option('onelogin_saml_customize_links_lost_password')).'" size="80">
  			  <p class="description">'.__("Override the lost password link. (Prevent reset password must be deactivated or the SAML SSO will be used.)", 'onelogin-saml-sso').'</p>';
 	}
 
 	function plugin_setting_string_onelogin_saml_customize_links_saml_login() {
 		echo '<input type="text" name="onelogin_saml_customize_links_saml_login" id="onelogin_saml_customize_links_saml_login"
-			  value= "'.get_option('onelogin_saml_customize_links_saml_login').'" size="80">
+			  value= "'.esc_url(get_option('onelogin_saml_customize_links_saml_login')).'" size="80">
  			  <p class="description">'.__("If 'Keep Local login' enabled, this will be showed as message at the SAML link.", 'onelogin-saml-sso').'</p>';
 	}
 
@@ -385,7 +385,7 @@ function plugin_setting_boolean_onelogin_saml_advanced_settings_strict_mode() {
 
 	function plugin_setting_string_onelogin_saml_advanced_settings_sp_entity_id() {
 		echo '<input type="text" name="onelogin_saml_advanced_settings_sp_entity_id" id="onelogin_saml_advanced_settings_sp_entity_id"
-			  value= "'.get_option('onelogin_saml_advanced_settings_sp_entity_id').'" size="80">'.
+			  value= "'.esc_html(get_option('onelogin_saml_advanced_settings_sp_entity_id')).'" size="80">'.
 			  '<p class="description">'.__("Set the Entity ID for the Service Provider. If not provided, 'php-saml' will be used.", 'onelogin-saml-sso').'</p>';
 	}
 
@@ -441,14 +441,14 @@ function plugin_setting_boolean_onelogin_saml_advanced_settings_want_assertion_e
 
 	function plugin_setting_string_onelogin_saml_advanced_settings_sp_x509cert() {
 		echo '<textarea name="onelogin_saml_advanced_settings_sp_x509cert" id="onelogin_saml_advanced_settings_sp_x509cert" style="width:600px; height:220px; font-size:12px; font-family:courier,arial,sans-serif;">';
-		echo get_option('onelogin_saml_advanced_settings_sp_x509cert');
+		echo esc_textarea(get_option('onelogin_saml_advanced_settings_sp_x509cert'));
 		echo '</textarea>';
 		echo '<p class="description">'.__('Public x509 certificate of the SP. Leave this field empty if you are providing the cert by the sp.crt.', 'onelogin-saml-sso');
 	}
 
 	function plugin_setting_string_onelogin_saml_advanced_settings_sp_privatekey() {
 		echo '<textarea name="onelogin_saml_advanced_settings_sp_privatekey" id="onelogin_saml_advanced_settings_sp_privatekey" style="width:600px; height:220px; font-size:12px; font-family:courier,arial,sans-serif;">';
-		echo get_option('onelogin_saml_advanced_settings_sp_privatekey');
+		echo esc_textarea(get_option('onelogin_saml_advanced_settings_sp_privatekey'));
 		echo '</textarea>';
 		echo '<p class="description">'.__('Private Key of the SP. Leave this field empty if you are providing the private key by the sp.key.', 'onelogin-saml-sso');
 	}

onelogin-saml-sso/php/functions.php

@@ -12,7 +12,7 @@
 function saml_checker() {
 	if (isset($_GET['saml_acs'])) {
 		if (empty($_POST['SAMLResponse'])) {
-			print_r("That ACS endpoint expects a SAMLResponse value sent using HTTP-POST binding. Nothing was found");
+			echo "That ACS endpoint expects a SAMLResponse value sent using HTTP-POST binding. Nothing was found";
 			exit();
 		}
 		saml_acs();
@@ -32,7 +32,7 @@ function saml_custom_login_footer() {
 		$saml_login_message = "SAML Login";
 	}
 
-    echo '<div style="font-size: 110%;padding:8px;background: #fff;text-align: center;"><a href="'.get_site_url().'/wp-login.php?saml_sso">'.$saml_login_message.'</a></div>';
+    echo '<div style="font-size: 110%;padding:8px;background: #fff;text-align: center;"><a href="'.get_site_url().'/wp-login.php?saml_sso">'.esc_html($saml_login_message).'</a></div>';
 }
 
 function saml_load_translations() {
@@ -137,8 +137,10 @@ function saml_acs() {
 	$errors = $auth->getErrors();
 	if (!empty($errors)) {
 		echo '<br>'.__("There was at least one error processing the SAML Response").': ';
-		echo implode("<br>", $errors);
-		echo '<br>'.__("Contact the administrator");
+		foreach($errors as $error) {
+			echo esc_html($error).'<br>';
+		}
+		echo __("Contact the administrator");
 		exit();
 	}
 
@@ -254,19 +256,21 @@ function saml_acs() {
 		}
 	} else if (get_option('onelogin_saml_autocreate')) {
 		if (!validate_username($username)) {
-			echo __("The username provided by the IdP"). ' "'. $username. '" '. __("is not valid and can't create the user at wordpress");
+			echo __("The username provided by the IdP"). ' "'. esc_attr($username). '" '. __("is not valid and can't create the user at wordpress");
 			exit();
 		}
 		$userdata['user_pass'] = wp_generate_password();
 		$user_id = wp_insert_user($userdata);
 	} else {
-		echo __("User provided by the IdP "). ' "'. $matcherValue. '" '. __("does not exist in wordpress and auto-provisioning is disabled.");
+		echo __("User provided by the IdP "). ' "'. esc_attr($matcherValue). '" '. __("does not exist in wordpress and auto-provisioning is disabled.");
 		exit();
 	}
 
 	if (is_a($user_id, 'WP_Error')) {
-		$error = $user_id->get_error_messages();
-		echo implode('<br>', $error);
+		$errors = $user_id->get_error_messages();
+		foreach($errors as $error) {
+			echo esc_html($error).'<br>';
+		}
 		exit();
 	} else if ($user_id) {
 		wp_set_current_user($user_id);
@@ -324,7 +328,9 @@ function saml_sls() {
 		exit();
 	} else {
 		echo __("SLS endpoint found an error.");
-		echo implode("<br>", $errors);
+		foreach($errors as $error) {
+			echo esc_html($error).'<br>';
+		}
 		exit();
 	}
 }
@@ -337,7 +343,7 @@ function saml_metadata() {
 	$metadata = $samlSettings->getSPMetadata();
 
 	header('Content-Type: text/xml');
-	echo $metadata;
+	echo ent2ncr($metadata);
 	exit();
 }
 
@@ -358,7 +364,7 @@ function initialize_saml() {
 		$auth = new Onelogin_Saml2_Auth($settings);
 	} catch (Exception $e) {
 		echo '<br>'.__("The Onelogin SSO/SAML plugin is not correctly configured.", 'onelogin-saml-sso').'<br>';
-		print_r($e->getMessage());
+		echo esc_html($e->getMessage());
 		echo '<br>'.__("If you are the administrator", 'onelogin-saml-sso').', <a href="'.get_site_url().'/wp-login.php?normal">'.__("access using your wordpress credentials", 'onelogin-saml-sso').'</a> '.__("and fix the problem", 'onelogin-saml-sso');
 		exit();
 	}

onelogin-saml-sso/php/validate.php

@@ -35,7 +35,7 @@
 	echo '<br>'.__("SAML settings are", 'onelogin-saml-sso').' <strong>ok</strong>.<br>';
 } catch (Exception $e) {
 	echo '<br>'.__("Found errors while validating SAML settings info.", 'onelogin-saml-sso');
-	print_r($e->getMessage());
+	echo esc_html($e->getMessage());
 	echo '<br>';
 }
 
@@ -54,7 +54,7 @@
 $fileSystemKeyExists = file_exists(plugin_dir_path(__FILE__).'certs/sp.key');
 $fileSystemCertExists = file_exists(plugin_dir_path(__FILE__).'certs/sp.crt');
 if ($fileSystemKeyExists) {
-	$privatekey_url = plugins_url('php/certs/sp.key', dirname(__FILE__));
+	$privatekey_url = plugins_url('php/certs/sp.key', __DIR__);
 	echo '<br>'.__("There is a private key stored at the filesystem. Protect the 'certs' path. Nobody should be allowed to access:", 'onelogin-saml-sso').'<br>'.$privatekey_url.'<br>';
 }
 
@@ -103,14 +103,14 @@
 		}
 		if ($account_matcher == 'email' && $field == 'onelogin_saml_attr_mapping_mail') {
 			echo '<br>'.__("E-mail mapping is required in order to enable the SAML Single Sign On", 'onelogin-saml-sso').'<br>';
-		}		
+		}
 		$lacked_attr_mappings[] = $name;
 	}
 }
 
 if (!empty($lacked_attr_mappings)) {
 	echo '<br>'.__("Notice that there are attributes without mapping:", 'onelogin-saml-sso').'<br>';
-	print_r(implode('<br>', $lacked_attr_mappings).'</br>');
+	echo implode('<br>', $lacked_attr_mappings).'</br>';
 }
 
 $lacked_role_mappings = array();
@@ -128,12 +128,12 @@
 
 if (!empty($lacked_role_mappings)) {
 	echo '<br>'.__("Notice that there are roles without mapping:", 'onelogin-saml-sso').'<br>';
-	print_r(implode('<br>', $lacked_role_mappings).'</br>');
+	echo implode('<br>', $lacked_role_mappings).'</br>';
 }
 
 if (!empty($lacked_role_orders)) {
 	echo '<br>'.__("Notice that there are roles without ordering:", 'onelogin-saml-sso').'<br>';
-	print_r(implode('<br>', $lacked_role_orders).'</br>');
+	echo implode('<br>', $lacked_role_orders).'</br>';
 }
 ?>