From 7c478c05fd1467af2e0e73379322775ac8b76501 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karol=C3=ADna=20Vysko=C4=8Dilov=C3=A1?=
Date: Mon, 3 May 2021 16:40:17 +0200
Subject: [PATCH] Escape translations.
---
 readme.txt | 5 +++--
 simple-admin-language-change.php | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/readme.txt b/readme.txt
index 52a89e0..aa6b5d9 100644
--- a/readme.txt
+++ b/readme.txt
@@ -44,11 +44,12 @@ You need to install the language first.
 == Changelog ==
 = 2.0.2 (2021-05-03) =
-* Fix CSRF security issues
+* Fix security issues
 * Check for the empty nonce.
+ * Escape translations.
 = 2.0.1 (2021-05-03) =
-* Fix CSRF security issues (thanks @ErwanLR from WPScan for reporting!)
+* Fix security issues (thanks @ErwanLR from WPScan for reporting!)
 * Check for the empty nonce.
 * Check for user permission within ajax request.
 * Retrieve current user ID within the request.
diff --git a/simple-admin-language-change.php b/simple-admin-language-change.php
index a1adf72..b9af361 100644
--- a/simple-admin-language-change.php
+++ b/simple-admin-language-change.php
@@ -97,12 +97,12 @@ function change_user_locale_ajax()
 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 if (!isset($_REQUEST['nonce']) || !wp_verify_nonce($_REQUEST['nonce'], "salc_change_user_locale")) {
- wp_die( __('Something went wrong, try again.', 'kbnt-sacl'));
+ wp_die(esc_html(__('Something went wrong, try again.', 'kbnt-sacl')));
 }
 // Check for permissions matching the user_locale.
 if (! current_user_can('edit_posts') || ! current_user_can('edit_pages')) {
- wp_die(__('You don\'t have the correct permissions for language change.', 'kbnt-sacl'));
+ wp_die(esc_html(__('You don\'t have the correct permissions for language change.', 'kbnt-sacl')));
 }
 $user_id = \get_current_user_id();
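Review bot: `esc_html()` on the two added `wp_die()` lines closes the HTML-injection path from a tampered translation file, but if `change_user_locale_ajax()` runs through a `wp_ajax_*` hook (the name suggests it; the registration is outside the hunk) the `wp_die()` message is echoed as the raw response body, so the apostrophe in `You don't have the correct permissions…` now reaches the client as `&#039;` and a caller that shows the body as plain text will display the entity literally — confirm how the JS side consumes the response. If it is consumed as text, replacing both lines with `wp_send_json_error(array('message' => __('…', 'kbnt-sacl')), 403);` sends the message JSON-encoded with an error status, leaves escaping to the client's output context, and lets the caller distinguish failure from success without string matching. A one-line comment above the nonce check, `// Translated strings are escaped because translation files are not trusted input.`, would record why the wrapper is there. The rest of `change_user_locale_ajax()` continues outside the hunk.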