diff --git a/SettingsPage.php b/SettingsPage.php
index 802e515..7217f25 100644
--- a/SettingsPage.php
+++ b/SettingsPage.php
@@ -124,18 +124,18 @@ public function notify_json_migrate_status() { if( isset( $_GET['aadsso_migrate_from_json_status'] ) ) { if( 'success' === $_GET['aadsso_migrate_from_json_status'] ) { echo '

' - . __( 'Legacy settings have been migrated and the old configuration file has been deleted.', 'aad-sso-wordpress' ) - . __('To finish migration, unset AADSSO_SETTINGS_PATH from wp-config.php. ', 'aad-sso-wordpress') + . esc_html__( 'Legacy settings have been migrated and the old configuration file has been deleted.', 'aad-sso-wordpress' ) + . esc_html__('To finish migration, unset AADSSO_SETTINGS_PATH from wp-config.php. ', 'aad-sso-wordpress') .'

'; } elseif ( 'manual' === $_GET['aadsso_migrate_from_json_status'] ) { echo '

' . esc_html__( 'Legacy settings have been migrated successfully. ', 'aad-sso-wordpress' ) - . sprintf( __('To finish migration, delete the file at the path %s. ', 'aad-sso-wordpress'), AADSSO_SETTINGS_PATH ) - . sprintf( __('Then, unset AADSSO_SETTINGS_PATH from wp-config.php. ', 'aad-sso-wordpress') ) + . sprintf( esc_html__('To finish migration, delete the file at the path %s. ', 'aad-sso-wordpress'), esc_html( AADSSO_SETTINGS_PATH ) ) + . sprintf( esc_html__('Then, unset AADSSO_SETTINGS_PATH from wp-config.php. ', 'aad-sso-wordpress') ) .'

'; } elseif( 'invalid_json' === $_GET['aadsso_migrate_from_json_status'] ) { echo '

' - . sprintf( __('Legacy settings could not be migrated from %s. ', 'aad-sso-wordpress'), AADSSO_SETTINGS_PATH ) + . sprintf( esc_html__('Legacy settings could not be migrated from %s. ', 'aad-sso-wordpress'), esc_html( AADSSO_SETTINGS_PATH ) ) . esc_html( 'File could not be parsed as JSON. ', 'aad-sso-wordpress' ) . esc_html( 'Delete the file, or check its syntax.', 'aad-sso-wordpress' ) .'

'; @@ -150,7 +150,7 @@ public function notify_if_reset_successful() { if ( isset( $_GET['aadsso_reset'] ) && 'success' === $_GET['aadsso_reset'] ) { echo '
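Review bot: The two `esc_html( '…', 'aad-sso-wordpress' )` calls in the `invalid_json` branch pass a text domain to a function that takes a single argument, so the domain is ignored and those strings are never translated, unlike the `esc_html__` calls this commit introduces on the neighbouring lines. Change them to `esc_html__( 'File could not be parsed as JSON. ', 'aad-sso-wordpress' )` and `esc_html__( 'Delete the file, or check its syntax.', 'aad-sso-wordpress' )`. The new `sprintf( esc_html__( 'Then, unset AADSSO_SETTINGS_PATH from wp-config.php. ', 'aad-sso-wordpress' ) )` has no format arguments, so the `sprintf` wrapper can go. notify_json_migrate_status's signature precedes the hunk and its closing brace follows it.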

' - . __( 'Single Sign-on with Azure Active Directory settings have been reset to default.', + . esc_html__( 'Single Sign-on with Azure Active Directory settings have been reset to default.', 'aad-sso-wordpress' ) .'

'; } @@ -432,18 +432,23 @@ public function settings_advanced_info() { } */ function role_map_callback() { printf( '

%s

', - __( 'Map WordPress roles to Azure Active Directory groups.', 'aad-sso-wordpress' ) + esc_html__( 'Map WordPress roles to Azure Active Directory groups.', 'aad-sso-wordpress' ) ); echo ''; printf( '', - __( 'WordPress Role', 'aad-sso-wordpress' ), - __( 'Azure AD Group Object ID', 'aad-sso-wordpress' ) + esc_html__( 'WordPress Role', 'aad-sso-wordpress' ), + esc_html__( 'Azure AD Group Object ID', 'aad-sso-wordpress' ) ); echo ''; foreach( $this->get_editable_roles( ) as $role_slug => $role ) { echo ''; - echo ''; + /*echo '';*/ + /** + * In WordPress coding standards Data Validation APIs are recommended to use + * rather than PHP generic functions. + */ + echo ''; echo '
%s%s
' . htmlentities( $role['name'] ) . '' . htmlentities( $role['name'] ) . '' . esc_html( $role['name'] ) . ''; printf( 'render_text_field( 'org_display_name' ); printf( '

%s

', - __( 'Display Name will be shown on the WordPress login screen.', 'aad-sso-wordpress' ) + esc_html__( 'Display Name will be shown on the WordPress login screen.', 'aad-sso-wordpress' ) ); } @@ -478,7 +483,7 @@ public function org_domain_hint_callback() { $this->render_text_field( 'org_domain_hint' ); printf( '
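Review bot: The commented-out echo that still calls `htmlentities( $role['name'] )` in role_map_callback is dead code sitting next to its `esc_html` replacement; version control keeps the old form, so delete the `/*echo …;*/` line. The three-line comment above the new echo reads as a justification aimed at a reviewer rather than documentation for a maintainer; a one-liner such as `// esc_html() rather than htmlentities(): output goes through the WP escaping API.` carries the same information. This hunk spans role_map_callback and part of a second callback (the one rendering `org_display_name`) whose signature is outside the hunk.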

%s

', - __( 'Provides a hint to Azure AD about the domain or tenant they will be logging in to. If ' + esc_html__( 'Provides a hint to Azure AD about the domain or tenant they will be logging in to. If ' . 'the domain is federated, the user will be automatically redirected to federation ' . 'endpoint.', 'aad-sso-wordpress' ) ); @@ -491,7 +496,7 @@ public function client_id_callback() { $this->render_text_field( 'client_id' ); printf( '

%s

', - __( 'The client ID of the Azure AD application representing this blog.', 'aad-sso-wordpress' ) + esc_html__( 'The client ID of the Azure AD application representing this blog.', 'aad-sso-wordpress' ) ); } @@ -502,7 +507,7 @@ public function client_secret_callback() { $this->render_text_field( 'client_secret' ); printf( '

%s

', - __( 'A secret key for the Azure AD application representing this blog.', 'aad-sso-wordpress' ) + esc_html__( 'A secret key for the Azure AD application representing this blog.', 'aad-sso-wordpress' ) ); } @@ -514,9 +519,13 @@ public function redirect_uri_callback() { printf( ' %s' . '

%s

', - wp_login_url(), - __( 'Set default', 'aad-sso-wordpress' ), - __( 'The URL where the user is redirected to after authenticating with Azure AD. ' + /** + * https://codex.wordpress.org/Data_Validation#Text_Nodes + * Always use esc_url when sanitizing URLs + */ + esc_url( wp_login_url() ), + esc_html__( 'Set default', 'aad-sso-wordpress' ), + esc_html__( 'The URL where the user is redirected to after authenticating with Azure AD. ' . 'This URL must be registered in Azure AD as a valid redirect URL, and it must be a ' . 'page that invokes the "authenticate" filter. If you don\'t know what to set, leave ' . 'the default value (which is this blog\'s login page).', 'aad-sso-wordpress' ) @@ -531,9 +540,9 @@ public function logout_redirect_uri_callback() { printf( ' %s' . '
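Review bot: The doc comment added inside the `printf` argument list in redirect_uri_callback says to use `esc_url` when sanitizing URLs, but `esc_url()` is the output-escaping helper; sanitizing a URL for storage is `esc_url_raw()`, and conflating the two invites the wrong call on a save path. Wording such as `// esc_url(): escape for output in an href; esc_url_raw() is the one for storing.` keeps the distinction, and a `//` comment is the usual form for a note inside an argument list rather than a `/** … */` docblock. The function's signature precedes the hunk.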

%s

', - wp_login_url(), - __( 'Set default', 'aad-sso-wordpress'), - __( 'The URL where the user is redirected to after signing out of Azure AD. ' + esc_url( wp_login_url() ), + esc_html__( 'Set default', 'aad-sso-wordpress'), + esc_html__( 'The URL where the user is redirected to after signing out of Azure AD. ' . 'This URL must be registered in Azure AD as a valid redirect URL. (This does not affect ' . ' logging out of the blog, it is only used when logging out of Azure AD.)', 'aad-sso-wordpress' ) ); @@ -550,16 +559,16 @@ public function field_to_match_to_upn_callback() { ?> %s

', - __( 'This specifies the WordPress user field which will be used to match to the Azure AD user\'s ' + esc_html__( 'This specifies the WordPress user field which will be used to match to the Azure AD user\'s ' . 'UserPrincipalName.', 'aad-sso-wordpress' ) ); } @@ -570,7 +579,7 @@ public function field_to_match_to_upn_callback() { public function match_on_upn_alias_callback() { $this->render_checkbox_field( 'match_on_upn_alias', - __( 'Match WordPress users based on the alias of their Azure AD UserPrincipalName. For example, ' + esc_html__( 'Match WordPress users based on the alias of their Azure AD UserPrincipalName. For example, ' . 'Azure AD username bob@example.com will match WordPress user bob.', 'aad-sso-wordpress' ) ); @@ -590,15 +599,19 @@ public function default_wp_role_callback() { printf( '', '', '(None, deny access)' ); foreach( $this->get_editable_roles() as $role_slug => $role ) { $selected = $this->settings['default_wp_role'] === $role_slug ? ' selected="selected"' : ''; + /** + * Since $elected can return both the attribute with value as well as an empty string + * no escaping has been used. + */ printf( '', - esc_attr( $role_slug ), $selected, htmlentities( $role['name'] ) + esc_attr( $role_slug ), $selected, esc_html( $role['name'] ) ); } echo ''; printf( '

%s

', - __('This is the default role that users will be assigned to if matching Azure AD group to ' + esc_html__('This is the default role that users will be assigned to if matching Azure AD group to ' . 'WordPress roles is enabled, but the signed in user isn\'t a member of any of the ' . 'configured Azure AD groups.', 'aad-sso-wordpress') ); @@ -645,9 +658,13 @@ public function openid_configuration_endpoint_callback() { printf( ' %s' . '
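Review bot: The comment added above the `printf` in default_wp_role_callback refers to `$elected`, which is not a variable here (the value is `$selected`), and gives the wrong reason for leaving it unescaped: it needs no escaping because it is one of two developer-written literals, ` selected="selected"` or `''`, not because it can be empty. Replace the block with `// $selected is a hard-coded attribute fragment or '', not data; no escaping needed.`. The `printf( '', '', '(None, deny access)' )` context line above the loop is the one label in this function that is neither translated nor escaped while every other label in the commit becomes `esc_html__`; `esc_html__( '(None, deny access)', 'aad-sso-wordpress' )` would make it consistent.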

%s

', + /** + * get_defaults can return either an array, a string or null + * no escaping has been used + */ AADSSO_Settings::get_defaults( 'openid_configuration_endpoint' ), - __( 'Set default', 'aad-sso-wordpress'), - __( 'The OpenID Connect configuration endpoint to use. To support Microsoft Accounts and external ' + esc_html__( 'Set default', 'aad-sso-wordpress'), + esc_html__( 'The OpenID Connect configuration endpoint to use. To support Microsoft Accounts and external ' . 'users (users invited in from other Azure AD directories, known sometimes as "B2B users") you ' . 'must use: https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration, ' . 'where {tenant-id} is the tenant ID or a verified domain name of your directory.', @@ -661,7 +678,7 @@ public function openid_configuration_endpoint_callback() { public function enable_full_logout_callback() { $this->render_checkbox_field( 'enable_full_logout', - __( 'Do a full logout of Azure AD when logging out of WordPress.', + esc_html__( 'Do a full logout of Azure AD when logging out of WordPress.', 'aad-sso-wordpress' ) ); } @@ -676,7 +693,7 @@ public function render_text_field( $name ) { printf( '', - $name, $value + esc_html( $name ), esc_html( $value ) ); } @@ -690,9 +707,9 @@ public function render_checkbox_field( $name, $label ) { printf( '' . '', - $name, + esc_html( $name ), isset( $this->settings[ $name ] ) && $this->settings[ $name ] ? 'checked' : '', - $label + esc_html( $label ) ); } diff --git a/aad-sso-wordpress.php b/aad-sso-wordpress.php index 9166715..0c73cdc 100644 --- a/aad-sso-wordpress.php +++ b/aad-sso-wordpress.php @@ -615,13 +615,14 @@ public function setup_admin_settings() { */ function print_plugin_not_configured() { echo '
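Review bot: The comment added in openid_configuration_endpoint_callback cites the possible return types of `get_defaults` as the reason for printing the value unescaped, but an uncertain type is a reason to normalise and then escape, not to skip escaping; the same `%s` slot in redirect_uri_callback and logout_redirect_uri_callback now receives `esc_url( wp_login_url() )`. Presumably this default is a URL string, so `$default = AADSSO_Settings::get_defaults( 'openid_configuration_endpoint' );` before the `printf` and `esc_url( is_string( $default ) ? $default : '' ),` in the argument list keep the output escaped whatever the helper returns. The value is a plugin-defined default rather than user input, so the exposure is low, but the comment as written will be copied as precedent. The function's signature precedes the hunk and its `printf` closes after it.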
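Review bot: In render_text_field the `$name` and `$value` arguments presumably fill attributes of the input tag in the stripped format string, so the matching WordPress helper is `esc_attr()` rather than `esc_html()`: `esc_attr( $name ), esc_attr( $value )`. The same applies to `esc_html( $name )` in the render_checkbox_field hunk that follows. In render_checkbox_field the new `esc_html( $label )` stacks on the `esc_html__()` that match_on_upn_alias_callback and enable_full_logout_callback now apply to the same string; WordPress's `_wp_specialchars` does not double-encode by default, so the rendered output is unchanged today, but escaping belongs at one layer — keep it in render_checkbox_field and have the callers pass `__()`.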

' - . __( 'Single Sign-on with Azure Active Directory required settings are not defined. ' + . esc_html__( 'Single Sign-on with Azure Active Directory required settings are not defined. ' . 'Update them under Settings > Azure AD.', 'aad-sso-wordpress' ) .'

'; } /** * Renders some debugging data. + * var_export returns mixed output hence no escaping is used. */ function print_debug() { echo '

SESSION

' . var_export( $_SESSION, TRUE ) . '
'; @@ -643,14 +644,14 @@ function print_login_css() { function print_login_link() { $html = ''; + . esc_html__( 'Sign out', 'aad-sso-wordpress' ) . '
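Review bot: The doc comment added to print_debug says `var_export` returns mixed output so nothing is escaped, but `var_export( $_SESSION, TRUE )` returns a string, and echoing it verbatim writes whatever the session holds into the page unescaped. Wrap it as `' . esc_html( var_export( $_SESSION, true ) ) . '` and replace the comment line with `* Session contents are escaped with esc_html() before output.`. Whether session values can carry data an attacker influences depends on code outside this hunk; escaping costs nothing either way. The hunk also covers print_plugin_not_configured, whose change is fine, and print_debug's body continues past the hunk.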

'; printf( - $html, - $this->get_login_url(), - $this->get_logout_url() + wp_kses_post( $html ), + esc_url( $this->get_login_url() ), + esc_url( $this->get_logout_url() ) ); } diff --git a/view/settings.php b/view/settings.php index 621e0a6..bb9f2c6 100644 --- a/view/settings.php +++ b/view/settings.php @@ -17,11 +17,11 @@ %s %s', - wp_nonce_url( + esc_url( wp_nonce_url( admin_url( 'options-general.php?page=aadsso_settings' ), 'aadsso_reset_settings', 'aadsso_nonce' - ), + ) ), esc_html__( 'Reset Settings' , 'aad-sso-wordpress' ), esc_html__( 'Reset the plugin to default settings. Careful, there is no undo for this.' , 'aad-sso-wordpress' ) ) @@ -55,11 +55,11 @@
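Review bot: In print_login_link, `wp_kses_post( $html )` is applied to the printf format string before the `%s` placeholders are filled, so it never sees the substituted URLs (which `esc_url` already handles) and only runs over developer-authored markup, where kses may rewrite or strip attributes it does not recognise. Drop the wrapper and pass `$html,` as before, keeping the two `esc_url()` calls; if the whole rendered fragment is meant to be filtered, apply `wp_kses_post` to the result of `sprintf` rather than to the template. The `$html` assignment begins above the hunk.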

%s %s', - wp_nonce_url( + esc_url( wp_nonce_url( admin_url( 'options-general.php?page=aadsso_settings' ), 'aadsso_migrate_from_json', 'aadsso_nonce' - ), + ) ), esc_html__( 'Migrate Settings' , 'aad-sso-wordpress' ), esc_html__( 'Migrate settings from old plugin versions to new configuration. This will overwrite existing settings! Careful, there is no undo for this.' , 'aad-sso-wordpress' ) )