<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[57625] trunk/src/wp-activate.php: Multisite: Escape urls and html elements in wp-activate.php</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/57625">57625</a></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>jorbin</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2024-02-13 14:17:29 +0000 (Tue, 13 Feb 2024)</dd>
</dl>

<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Multisite: Escape urls and html elements in wp-activate.php

When WPMU was merged in <a href="https://core.trac.wordpress.org/changeset/12603">[12603]</a>, the intent was to go back and make sure everything was escaped. This completes that intent.

Props rafiq91, rajinsharwar, costdev, oglekler, nicolefurlan, ryan, peterwilsoncc.
Fixes <a href="https://core.trac.wordpress.org/ticket/57336">#57336</a>.
See <a href="https://core.trac.wordpress.org/ticket/11644">#11644</a>.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpactivatephp">trunk/src/wp-activate.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpactivatephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-activate.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-activate.php 2024-02-13 14:07:38 UTC (rev 57624)
+++ trunk/src/wp-activate.php   2024-02-13 14:17:29 UTC (rev 57625)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -150,19 +150,19 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                printf(
</span><span class="cx" style="display: block; padding: 0 10px">                                        /* translators: 1: Login URL, 2: Username, 3: User email address, 4: Lost password URL. */
</span><span class="cx" style="display: block; padding: 0 10px">                                        __( 'Your account has been activated. You may now <a href="%1$s">log in</a> to the site using your chosen username of &#8220;%2$s&#8221;. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.' ),
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                        network_site_url( $blog_details->path . 'wp-login.php', 'login' ),
-                                       $signup->user_login,
-                                       $signup->user_email,
-                                       wp_lostpassword_url()
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                 esc_url( network_site_url( $blog_details->path . 'wp-login.php', 'login' ) ),
+                                       esc_html( $signup->user_login ),
+                                       esc_html( $signup->user_email ),
+                                       esc_url( wp_lostpassword_url() )
</ins><span class="cx" style="display: block; padding: 0 10px">                                 );
</span><span class="cx" style="display: block; padding: 0 10px">                        } else {
</span><span class="cx" style="display: block; padding: 0 10px">                                printf(
</span><span class="cx" style="display: block; padding: 0 10px">                                        /* translators: 1: Site URL, 2: Username, 3: User email address, 4: Lost password URL. */
</span><span class="cx" style="display: block; padding: 0 10px">                                        __( 'Your site at %1$s is active. You may now log in to your site using your chosen username of &#8220;%2$s&#8221;. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.' ),
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                        sprintf( '<a href="http://%1$s%2$s">%1$s%2$s</a>', $signup->domain, $blog_details->path ),
-                                       $signup->user_login,
-                                       $signup->user_email,
-                                       wp_lostpassword_url()
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                 sprintf( '<a href="http://%1$s">%1$s</a>', esc_url( $signup->domain . $blog_details->path ) ),
+                                       esc_html( $signup->user_login ),
+                                       esc_html( $signup->user_email ),
+                                       esc_url( wp_lostpassword_url() )
</ins><span class="cx" style="display: block; padding: 0 10px">                                 );
</span><span class="cx" style="display: block; padding: 0 10px">                        }
</span><span class="cx" style="display: block; padding: 0 10px">                        echo '</p>';
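Review bot: in the second printf(), `esc_url( $signup->domain . $blog_details->path )` is handed a value with no scheme, and esc_url() prepends `http://` to scheme-less input, so together with the template's literal `http://` the rendered href becomes `http://http://example.com/...` (the visible link text also carries the prepended scheme). Either drop the hard-coded `http://` from the template and let esc_url() supply it, or escape the two contexts separately: `sprintf( '<a href="%1$s">%2$s</a>', esc_url( 'http://' . $signup->domain . $blog_details->path ), esc_html( $signup->domain . $blog_details->path ) )`. The esc_url()/esc_html() wrapping in the first printf() matches each placeholder's context (href attribute vs. text node) and needs no change.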
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -170,18 +170,18 @@
</span><span class="cx" style="display: block; padding: 0 10px">                        ?>
</span><span class="cx" style="display: block; padding: 0 10px">                        <h2><?php _e( 'An error occurred during the activation' ); ?></h2>
</span><span class="cx" style="display: block; padding: 0 10px">                        <?php if ( is_wp_error( $result ) ) : ?>
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                <p><?php echo $result->get_error_message(); ?></p>
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                         <p><?php echo esc_html( $result->get_error_message() ); ?></p>
</ins><span class="cx" style="display: block; padding: 0 10px">                         <?php endif; ?>
</span><span class="cx" style="display: block; padding: 0 10px">                        <?php
</span><span class="cx" style="display: block; padding: 0 10px">                } else {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                        $url  = isset( $result['blog_id'] ) ? get_home_url( (int) $result['blog_id'] ) : '';
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                 $url  = isset( $result['blog_id'] ) ? esc_url( get_home_url( (int) $result['blog_id'] ) ) : '';
</ins><span class="cx" style="display: block; padding: 0 10px">                         $user = get_userdata( (int) $result['user_id'] );
</span><span class="cx" style="display: block; padding: 0 10px">                        ?>
</span><span class="cx" style="display: block; padding: 0 10px">                        <h2><?php _e( 'Your account is now active!' ); ?></h2>
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                        <div id="signup-welcome">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                        <p><span class="h3"><?php _e( 'Username:' ); ?></span> <?php echo $user->user_login; ?></p>
-                       <p><span class="h3"><?php _e( 'Password:' ); ?></span> <?php echo $result['password']; ?></p>
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                 <p><span class="h3"><?php _e( 'Username:' ); ?></span> <?php echo esc_html( $user->user_login ); ?></p>
+                       <p><span class="h3"><?php _e( 'Password:' ); ?></span> <?php echo esc_html( $result['password'] ); ?></p>
</ins><span class="cx" style="display: block; padding: 0 10px">                         </div>
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                        <?php
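Review bot: `esc_html( $result->get_error_message() )` is the safe default, but if any activation error message intentionally carries markup (core WP_Error messages sometimes include a link), esc_html() will render the tags as literal text; if that applies to the errors wpmu_activate_signup() can return, wp_kses_post() keeps the allowed markup while stripping anything else. Separately, `$url` is escaped at assignment (`$url = isset( $result['blog_id'] ) ? esc_url( get_home_url( ... ) ) : '';`) rather than at output; WordPress convention is to escape late, at the echo/printf, so the variable stays raw data for any comparison or other use further down the file.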
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -193,7 +193,7 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                <p class="view">
</span><span class="cx" style="display: block; padding: 0 10px">                                <?php
</span><span class="cx" style="display: block; padding: 0 10px">                                        /* translators: 1: Site URL, 2: Login URL. */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                        printf( __( 'Your account is now activated. <a href="%1$s">View your site</a> or <a href="%2$s">Log in</a>' ), $url, esc_url( $login_url ) );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                 printf( __( 'Your account is now activated. <a href="%1$s">View your site</a> or <a href="%2$s">Log in</a>' ), esc_url( $url ), esc_url( $login_url ) );
</ins><span class="cx" style="display: block; padding: 0 10px">                                 ?>
</span><span class="cx" style="display: block; padding: 0 10px">                                </p>
</span><span class="cx" style="display: block; padding: 0 10px">                        <?php else : ?>
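Review bot: `esc_url( $url )` here is a second pass over a value the previous hunk already runs through esc_url() when `$url` is assigned. esc_url() is close to idempotent, so the output is not broken, but escaping the same value twice obscures which call is the one that matters; keep this one (escape at output) and assign the raw get_home_url() result in the earlier hunk instead.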
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -202,8 +202,8 @@
</span><span class="cx" style="display: block; padding: 0 10px">                                        printf(
</span><span class="cx" style="display: block; padding: 0 10px">                                                /* translators: 1: Login URL, 2: Network home URL. */
</span><span class="cx" style="display: block; padding: 0 10px">                                                __( 'Your account is now activated. <a href="%1$s">Log in</a> or go back to the <a href="%2$s">homepage</a>.' ),
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                                network_site_url( $blog_details->path . 'wp-login.php', 'login' ),
-                                               network_home_url( $blog_details->path )
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                                         esc_url( network_site_url( $blog_details->path . 'wp-login.php', 'login' ) ),
+                                               esc_url( network_home_url( $blog_details->path ) )
</ins><span class="cx" style="display: block; padding: 0 10px">                                         );
</span><span class="cx" style="display: block; padding: 0 10px">                                ?>
</span><span class="cx" style="display: block; padding: 0 10px">                                </p>
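Review bot: `esc_url( network_site_url( $blog_details->path . 'wp-login.php', 'login' ) )` is now spelled out identically here and in the first hunk's activation message; computing the login URL once into a local variable and escaping it at each printf() would keep the two call sites from drifting apart. The escaping itself matches the attribute context of both `%1$s` and `%2$s` in the template.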
</span></span></pre>
</div>
</div>

</body>
</html>