
Commit 8afca6a

authored
Merge pull request #52 from david-binda/fix-escaping
Fix wrong and missing late escaping.
2 parents 5ab40a1 + c6134c9 commit 8afca6a

4 files changed

Lines changed: 25 additions & 25 deletions


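--- a/onelogin-saml-sso/php/compatibility.php
+++ b/onelogin-saml-sso/php/compatibility.php
@@ -6,7 +6,7 @@ function wp_roles() {
 global $wp_roles;
 
 if ( ! isset( $wp_roles ) ) {
-$wp_roles = new WP_Roles();
+$wp_roles = new WP_Roles(); // Override ok.
 }
 return $wp_roles;
 }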

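--- a/onelogin-saml-sso/php/configuration.php
+++ b/onelogin-saml-sso/php/configuration.php
@@ -17,11 +17,11 @@ function onelogin_saml_configuration_render() {
 <div class="wrap">
 <?php screen_icon(); ?>
 <div class="alignleft">
-<a href="http://www.onelogin.com"><img src="<?php echo plugins_url('onelogin.png', dirname(__FILE__));?>"></a>
+<a href="http://www.onelogin.com"><img src="<?php echo esc_url( plugins_url('onelogin.png', dirname(__FILE__)) );?>"></a>
 </div>
 <div class="alignright">
-<a href="<?php echo get_site_url().'/wp-login.php?saml_metadata'; ?>" target="blank"><?php echo __("Go to the metadata of this SP", 'onelogin-saml-sso');?></a><br>
-<a href="<?php echo get_site_url().'/wp-login.php?saml_validate_config'; ?>" target="blank"><?php echo __("Once configured, validate here your OneLogin SSO/SAML Settings", 'onelogin-saml-sso');?></a>
+<a href="<?php echo esc_url( get_site_url().'/wp-login.php?saml_metadata' ); ?>" target="blank"><?php echo __("Go to the metadata of this SP", 'onelogin-saml-sso');?></a><br>
+<a href="<?php echo esc_url( get_site_url().'/wp-login.php?saml_validate_config' ); ?>" target="blank"><?php echo __("Once configured, validate here your OneLogin SSO/SAML Settings", 'onelogin-saml-sso');?></a>
 </div>
 <div style="clear:both"></div>
 <h2><?php echo esc_html( $title ); ?></h2>
@@ -184,7 +184,7 @@ function onelogin_saml_configuration() {
 
 function plugin_setting_string_onelogin_saml_idp_entityid() {
 echo '<input type="text" name="onelogin_saml_idp_entityid" id="onelogin_saml_idp_entityid"
-value= "'.esc_html(get_option('onelogin_saml_idp_entityid')).'" size="80">'.
+value= "'.esc_attr(get_option('onelogin_saml_idp_entityid')).'" size="80">'.
 '<p class="description">'.__('Identifier of the IdP entity. ("Issuer URL")', 'onelogin-saml-sso').'</p>';
 }
 
@@ -273,45 +273,45 @@ function plugin_setting_string_onelogin_saml_attr_mapping_username() {
 
 function plugin_setting_string_onelogin_saml_attr_mapping_mail() {
 echo '<input type="text" name="onelogin_saml_attr_mapping_mail" id="onelogin_saml_attr_mapping_mail"
-value= "'.esc_html(get_option('onelogin_saml_attr_mapping_mail')).'" size="30">';
+value= "'.esc_attr(get_option('onelogin_saml_attr_mapping_mail')).'" size="30">';
 }
 
 function plugin_setting_string_onelogin_saml_attr_mapping_firstname() {
 echo '<input type="text" name="onelogin_saml_attr_mapping_firstname" id="onelogin_saml_attr_mapping_firstname"
-value= "'.esc_html(get_option('onelogin_saml_attr_mapping_firstname')).'" size="30">';
+value= "'.esc_attr(get_option('onelogin_saml_attr_mapping_firstname')).'" size="30">';
 }
 
 function plugin_setting_string_onelogin_saml_attr_mapping_lastname() {
 echo '<input type="text" name="onelogin_saml_attr_mapping_lastname" id="onelogin_saml_attr_mapping_lastname"
-value= "'.esc_html(get_option('onelogin_saml_attr_mapping_lastname')).'" size="30">';
+value= "'.esc_attr(get_option('onelogin_saml_attr_mapping_lastname')).'" size="30">';
 }
 
 function plugin_setting_string_onelogin_saml_attr_mapping_role() {
 echo '<input type="text" name="onelogin_saml_attr_mapping_role" id="onelogin_saml_attr_mapping_role"
-value= "'.esc_html(get_option('onelogin_saml_attr_mapping_role')).'" size="30">'.
+value= "'.esc_attr(get_option('onelogin_saml_attr_mapping_role')).'" size="30">'.
 '<p class="description">'.__("The attribute that contains the role of the user, For example 'memberOf'. If WordPress can't figure what role assign to the user, it will assign the default role defined at the general settings.", 'onelogin-saml-sso').'</p>';
 }
 
 function plugin_setting_string_onelogin_saml_role_mapping($role_value) {
-echo '<input type="text" name="onelogin_saml_role_mapping_'.$role_value.'" id="onelogin_saml_role_mapping_'.$role_value.'"
-value= "'.esc_html(get_option('onelogin_saml_role_mapping_'.$role_value)).'" size="30">';
+echo '<input type="text" name="onelogin_saml_role_mapping_'.esc_attr($role_value).'" id="onelogin_saml_role_mapping_'.esc_attr($role_value).'"
+value= "'.esc_attr(get_option('onelogin_saml_role_mapping_'.$role_value)).'" size="30">';
 }
 
 function plugin_setting_string_onelogin_saml_role_order($role_value) {
-echo '<input type="text" name="onelogin_saml_role_order_'.$role_value.'" id="onelogin_saml_role_order_'.$role_value.'"
-value= "'.esc_html(get_option('onelogin_saml_role_order_'.$role_value)).'" size="3">';
+echo '<input type="text" name="onelogin_saml_role_order_'.esc_attr($role_value).'" id="onelogin_saml_role_order_'.esc_attr($role_value).'"
+value= "'.esc_attr(get_option('onelogin_saml_role_order_'.$role_value)).'" size="3">';
 }
 
 function plugin_setting_boolean_onelogin_saml_role_mapping_multivalued_in_one_attribute_value() {
-$value = esc_html(get_option('onelogin_saml_role_mapping_multivalued_in_one_attribute_value'));
+$value = get_option('onelogin_saml_role_mapping_multivalued_in_one_attribute_value');
 echo '<input type="checkbox" name="onelogin_saml_role_mapping_multivalued_in_one_attribute_value" id="onelogin_saml_role_mapping_multivalued_in_one_attribute_value"
 '.($value ? 'checked="checked"': '').'>
 <p class="description">'.__("Sometimes role values are provided in an unique attribute statement (instead multiple attribute statements). If that is the case, activate this and the plugin will try to split those values by ;<br>Use a regular expression pattern in order to extract complex data.", 'onelogin-saml-sso').'</p>';
 }
 
 function plugin_setting_string_onelogin_saml_role_mapping_multivalued_pattern() {
 echo '<input type="text" name="onelogin_saml_role_mapping_multivalued_pattern" id="onelogin_saml_role_mapping_multivalued_pattern"
-value= "'.esc_html(get_option('onelogin_saml_role_mapping_multivalued_pattern')).'" size="70">
+value= "'.esc_attr(get_option('onelogin_saml_role_mapping_multivalued_pattern')).'" size="70">
 <p class="description">'.__("Regular expression that extract roles from complex multivalued data (required to active the previous option).<br> E.g. If the SAMLResponse has a role attribute like: CN=admin;CN=superuser;CN=europe-admin; , use the regular expression <code>/CN=([A-Z0-9\s _-]*);/i</code> to retrieve the values. Or use <code>/CN=([^,;]*)/</code>", 'onelogin-saml-sso').'</p>';
 }
 
@@ -477,7 +477,7 @@ function plugin_setting_select_onelogin_saml_advanced_nameidformat() {
 echo '<select name="onelogin_saml_advanced_nameidformat" id="onelogin_saml_advanced_nameidformat">';
 
 foreach ($posible_nameidformat_values as $key => $value) {
-echo '<option value='.$key.' '.($key == $nameidformat_value ? 'selected="selected"': '').' >'.$value.'</option>';
+echo '<option value='.esc_attr($key).' '.($key == $nameidformat_value ? 'selected="selected"': '').' >'.esc_html($value).'</option>';
 }
 
 echo '</select>'.
@@ -503,7 +503,7 @@ function plugin_setting_select_onelogin_saml_advanced_requestedauthncontext() {
 echo '<select multiple="multiple" name="onelogin_saml_advanced_requestedauthncontext[]" id="onelogin_saml_advanced_requestedauthncontext">';
 echo '<option value=""></option>';
 foreach ($posible_requestedauthncontext_values as $key => $value) {
-echo '<option value='.$key.' '.(in_array($key, $requestedauthncontext_values) ? 'selected="selected"': '').' >'.$value.'</option>';
+echo '<option value='.esc_attr($key).' '.(in_array($key, $requestedauthncontext_values) ? 'selected="selected"': '').' >'.esc_html($value).'</option>';
 }
 
 echo '</select>'.
@@ -524,7 +524,7 @@ function plugin_setting_select_onelogin_saml_advanced_signaturealgorithm() {
 echo '<select name="onelogin_saml_advanced_signaturealgorithm" id="onelogin_saml_advanced_signaturealgorithm">';
 
 foreach ($posible_signaturealgorithm_values as $key => $value) {
-echo '<option value='.$key.' '.($key == $signaturealgorithm_value ? 'selected="selected"': '').' >'.$value.'</option>';
+echo '<option value='.esc_attr($key).' '.($key == $signaturealgorithm_value ? 'selected="selected"': '').' >'.esc_html($value).'</option>';
 }
 
 echo '</select>'.
@@ -543,7 +543,7 @@ function plugin_setting_select_onelogin_saml_advanced_digestalgorithm() {
 echo '<select name="onelogin_saml_advanced_digestalgorithm" id="onelogin_saml_advanced_digestalgorithm">';
 
 foreach ($posible_digestalgorithm_values as $key => $value) {
-echo '<option value='.$key.' '.($key == $digestalgorithm_value ? 'selected="selected"': '').' >'.$value.'</option>';
+echo '<option value='.esc_attr($key).' '.($key == $digestalgorithm_value ? 'selected="selected"': '').' >'.esc_html($value).'</option>';
 }
 
 echo '</select>'.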
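Review bot: `esc_attr()` only protects an attribute whose value is quoted, and the rewritten `<option value='.esc_attr($key).' '` lines in the hunks at @@ -477, @@ -503, @@ -524 and @@ -543 still emit `value=` without quotes, so a key containing whitespace or `>` would end the attribute before the escaping matters; use `'<option value="'.esc_attr($key).'" '` in all four loops. The keys appear to come from the fixed `$posible_*_values` arrays, so the practical exposure is probably small, but the escape is only sound together with the quotes. The `echo __(...)` calls on new lines 23–24 of the @@ -17 hunk still print translated text unescaped; `esc_html__(...)` would complete the late escaping this commit sets out to do. The enclosing `plugin_setting_select_*` functions start outside their hunks.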

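--- a/onelogin-saml-sso/php/functions.php
+++ b/onelogin-saml-sso/php/functions.php
@@ -32,7 +32,7 @@ function saml_custom_login_footer() {
 $saml_login_message = "SAML Login";
 }
 
-echo '<div style="font-size: 110%;padding:8px;background: #fff;text-align: center;"><a href="'.get_site_url().'/wp-login.php?saml_sso">'.esc_html($saml_login_message).'</a></div>';
+echo '<div style="font-size: 110%;padding:8px;background: #fff;text-align: center;"><a href="'.esc_url( get_site_url().'/wp-login.php?saml_sso') .'">'.esc_html($saml_login_message).'</a></div>';
 }
 
 function saml_load_translations() {
@@ -372,7 +372,7 @@ function initialize_saml() {
 } catch (Exception $e) {
 echo '<br>'.__("The Onelogin SSO/SAML plugin is not correctly configured.", 'onelogin-saml-sso').'<br>';
 echo esc_html($e->getMessage());
-echo '<br>'.__("If you are the administrator", 'onelogin-saml-sso').', <a href="'.get_site_url().'/wp-login.php?normal">'.__("access using your wordpress credentials", 'onelogin-saml-sso').'</a> '.__("and fix the problem", 'onelogin-saml-sso');
+echo '<br>'.__("If you are the administrator", 'onelogin-saml-sso').', <a href="'.esc_url( get_site_url().'/wp-login.php?normal').'">'.__("access using your wordpress credentials", 'onelogin-saml-sso').'</a> '.__("and fix the problem", 'onelogin-saml-sso');
 exit();
 }
 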
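Review bot: New line 375 of the @@ -372 hunk now wraps the URL in `esc_url()` but still concatenates three `__()` results straight into the markup, as does the unchanged line 373 above it; `esc_html__( 'If you are the administrator', 'onelogin-saml-sso' )` (and the same for the other two strings) would finish the late escaping this commit is about. Line 374 also echoes `$e->getMessage()` to whoever hits this code path, so if the page is reachable before authentication the raw exception text is shown to anonymous visitors; a generic notice on the page with the detail written to the error log would be the safer split, but whether that matters depends on how `initialize_saml` is reached, which is outside the hunk. `initialize_saml` itself starts before and continues after the hunk.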

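--- a/onelogin-saml-sso/php/validate.php
+++ b/onelogin-saml-sso/php/validate.php
@@ -55,7 +55,7 @@
 $fileSystemCertExists = file_exists(plugin_dir_path(__FILE__).'certs/sp.crt');
 if ($fileSystemKeyExists) {
 $privatekey_url = plugins_url('php/certs/sp.key', __DIR__);
-echo '<br>'.__("There is a private key stored at the filesystem. Protect the 'certs' path. Nobody should be allowed to access:", 'onelogin-saml-sso').'<br>'.$privatekey_url.'<br>';
+echo '<br>'.__("There is a private key stored at the filesystem. Protect the 'certs' path. Nobody should be allowed to access:", 'onelogin-saml-sso').'<br>'.esc_html( $privatekey_url ).'<br>';
 }
 
 if ($spPrivatekey && !empty($spPrivatekey)) {
@@ -110,7 +110,7 @@
 
 if (!empty($lacked_attr_mappings)) {
 echo '<br>'.__("Notice that there are attributes without mapping:", 'onelogin-saml-sso').'<br>';
-echo implode('<br>', $lacked_attr_mappings).'</br>';
+echo wp_kses( implode('<br>',$lacked_attr_mappings), array( 'br' => array() ) ).'</br>';
 }
 
 $lacked_role_mappings = array();
@@ -128,12 +128,12 @@
 
 if (!empty($lacked_role_mappings)) {
 echo '<br>'.__("Notice that there are roles without mapping:", 'onelogin-saml-sso').'<br>';
-echo implode('<br>', $lacked_role_mappings).'</br>';
+echo wp_kses( implode('<br>', $lacked_role_mappings ), array( 'br' => array() ) ).'</br>';
 }
 
 if (!empty($lacked_role_orders)) {
 echo '<br>'.__("Notice that there are roles without ordering:", 'onelogin-saml-sso').'<br>';
-echo implode('<br>', $lacked_role_orders).'</br>';
+echo wp_kses( implode('<br>', $lacked_role_orders), array( 'br' => array() ) ).'</br>';
 }
 ?>
 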
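Review bot: The `'</br>'` kept on new lines 113, 131 and 136 is not a real tag — HTML has no closing form of `br`, and browsers treat it as another `<br>` — so `'<br>'` is what is meant and matches the separator already passed to `implode()`. The `array( 'br' => array() )` allow-list is spelled out three times; a single `$allowed_tags = array( 'br' => array() );` defined once before the first `wp_kses()` call would keep the three in step if it ever needs to change. The hunk headers carry no function context, so this appears to be top-level script code, but the surrounding file is outside the hunks.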
