diff --git a/rt-plugin-report.php b/rt-plugin-report.php index 8e1dd54..6b76f78 100644 --- a/rt-plugin-report.php +++ b/rt-plugin-report.php @@ -82,7 +82,7 @@ public function register_settings_page() { */ public function settings_page() { // Check user capabilities, just to be sure. - if ( ! current_user_can( 'manage_options' ) ) { + if ( ! current_user_can( is_multisite() ? 'manage_sites' : 'manage_options' ) ) { wp_die(); } // Assemble information we'll need. @@ -92,8 +92,8 @@ public function settings_page() { // Check wether a core update is available. $wp_latest = $this->check_core_updates(); - // Refresh the cache, but only if this is a fresh timestamp (not if the page has been refreshed with the timestamp still in the URL). - if ( isset( $_GET['clear_cache'] ) ) { + // Refresh the cache, but only if nonce is valid and this is a fresh timestamp (not if the page has been refreshed with the timestamp still in the URL). + if ( isset( $_GET['clear_cache'] ) && isset( $_GET['_wpnonce'] ) && wp_verify_nonce( sanitize_key( $_GET['_wpnonce'] ), 'plugin_report_clear_cache' ) ) { $new_timestamp = intval( $_GET['clear_cache'] ); $last_timestamp = intval( get_site_transient( 'plugin_report_cache_cleared' ) ); if ( ! $last_timestamp || $new_timestamp > $last_timestamp ) { @@ -121,7 +121,7 @@ public function settings_page() { } else { $page_url = 'plugins.php?page=plugin_report'; } - echo '' . esc_html__( 'Clear cached plugin data and reload', 'plugin-report' ) . ''; + echo '' . esc_html__( 'Clear cached plugin data and reload', 'plugin-report' ) . ''; echo '
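Review bot: The capability expression `is_multisite() ? 'manage_sites' : 'manage_options'` is now written out twice, here in settings_page() and again in get_plugin_info() (the `@@ -237` hunk); a single `private function required_capability() { return is_multisite() ? 'manage_sites' : 'manage_options'; }` keeps the two checks from drifting, and the menu registration in register_settings_page() (outside this hunk) should use the same value so the page is not linked to users who will only reach wp_die(). On multisite `manage_sites` governs creating and deleting sites; since this page reports on installed plugins, `manage_network_plugins` may be the closer match, which is worth confirming against how the page is registered. settings_page() continues past the end of this hunk.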
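Review bot: `$_GET['_wpnonce']` is passed to `sanitize_key()` without `wp_unslash()` first, which the WordPress coding standards expect for superglobals: `wp_verify_nonce( sanitize_key( wp_unslash( $_GET['_wpnonce'] ) ), 'plugin_report_clear_cache' )`. A missing or failed nonce now silently skips the refresh, so someone following a stale link gets no explanation; if a visible failure is preferred, `check_admin_referer( 'plugin_report_clear_cache' )` inside the `isset( $_GET['clear_cache'] )` branch stops with the standard expired-link screen. The nonce is tied to the action only, not to the `clear_cache` value, so the existing timestamp comparison remains the thing that prevents the same URL from clearing the cache repeatedly within the nonce lifetime; the comment on the `+` line should say so. settings_page() continues outside this hunk.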

'; echo '

' . esc_html__( 'Currently installed plugins', 'plugin-report' ) . '

'; echo '

'; @@ -237,7 +237,7 @@ public function get_plugin_info() { } // Check user capabilites, just to be sure. - if ( ! current_user_can( 'manage_options' ) ) { + if ( ! current_user_can( is_multisite() ? 'manage_sites' : 'manage_options' ) ) { wp_die(); } @@ -390,7 +390,7 @@ private function assemble_plugin_report( $slug ) { */ private function check_exists_in_svn( $slug ) { // Attempt to load the plugin's SVN repo page. - $response = wp_remote_get( 'http://svn.wp-plugins.org/' . $slug . '/' ); + $response = wp_remote_get( 'https://plugins.svn.wordpress.org/' . rawurlencode( $slug ) . '/' ); // If the return value was a WP_Error, assume the answer is no. if ( is_wp_error( $response ) ) { return false; @@ -421,20 +421,20 @@ private function render_table_row( $report ) { $html = $this->render_error_row( esc_html__( 'No plugin data available.', 'plugin-report' ) ); } else { // Start the new table row. - $html = ''; + $html = ''; // Name. if ( isset( $report['local_info']['PluginURI'] ) && ! empty( $report['local_info']['PluginURI'] ) ) { - $html .= '' . $report['local_info']['Name'] . ''; + $html .= '' . esc_html( $report['local_info']['Name'] ) . ''; } else { - $html .= '' . $report['local_info']['Name'] . ''; + $html .= '' . esc_html( $report['local_info']['Name'] ) . ''; } // Author. if ( isset( $report['local_info']['AuthorURI'] ) && ! empty( $report['local_info']['AuthorURI'] ) ) { - $html .= '' . $report['local_info']['Author'] . ''; + $html .= '' . esc_html( $report['local_info']['Author'] ) . ''; } else { - $html .= '' . $report['local_info']['Author'] . ''; + $html .= '' . esc_html( $report['local_info']['Author'] ) . ''; } // Repository. 
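Review bot: `rawurlencode( $slug )` keeps the slug inside one path segment, but an empty slug still produces a request to the repository root, which would report the plugin as existing if the rest of check_exists_in_svn() (outside this hunk) only inspects the response code; add `if ( '' === $slug ) { return false; }` before the request. If only the status matters, `wp_remote_head()` avoids downloading an SVN directory listing for every installed plugin. A pre-check such as `preg_match( '/^[a-z0-9-]+$/', $slug )` would also reject values that cannot be a wordpress.org slug before any request is made, though whether `$slug` can carry other characters depends on how the caller derives it, which is not visible here.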
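Review bot: Escaping `Name` and `Author` with `esc_html()` covers the text nodes, but the `PluginURI` and `AuthorURI` values that go into the `href` attributes on the same lines are not visible in this extract; they need `esc_url()` in attribute context, because `esc_html()` is not an attribute escaper. The guards `isset( $x ) && ! empty( $x )` are redundant, since `! empty( $report['local_info']['PluginURI'] )` is already false for a missing key. render_table_row() starts before and ends after this hunk.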
@@ -460,7 +460,7 @@ private function render_table_row( $report ) { } else { if ( $parsed_repo_url && isset( $parsed_repo_url['host'] ) ) { // Update URI is a valid URL, display the host. - $html .= '' . $repo_host . ''; + $html .= '' . esc_html( $repo_host ) . ''; } else { // Some other value (like 'false'), so assume updates are disabled. $html .= '' . __( 'Updates disabled', 'plugin-report' ) . ''; @@ -496,7 +496,7 @@ private function render_table_row( $report ) { if ( isset( $report['repo_info'] ) ) { $css_class = $this->get_version_risk_classname( $report['local_info']['Version'], $report['repo_info']->version ); $html .= ''; - $html .= $report['local_info']['Version']; + $html .= esc_html( $report['local_info']['Version'] ); if ( $report['local_info']['Version'] !== $report['repo_info']->version ) { // Any platform upgrades needed? $needs_php_upgrade = isset( $report['repo_info']->requires_php ) ? version_compare( phpversion(), $report['repo_info']->requires_php, '<' ) : false; 
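Review bot: The `else` branch directly after the changed line still concatenates `__( 'Updates disabled', 'plugin-report' )` unescaped, while every sibling cell in this commit now goes through `esc_html()` or `esc_html__()`; translated strings are loaded from .mo files and are treated as untrusted in WordPress, so change it to `esc_html__( 'Updates disabled', 'plugin-report' )`. render_table_row() continues outside this hunk.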
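Review bot: The update check two lines below the escaped version, `$report['local_info']['Version'] !== $report['repo_info']->version`, is a byte comparison, so equivalent strings such as `1.0` and `1.0.0` are shown as an available update; `version_compare( $report['local_info']['Version'], $report['repo_info']->version, '<' )` matches the semantics already used for the PHP requirement on the last line of the hunk. These lines are unchanged by the commit, but the escaped output depends on them. The enclosing block continues outside this hunk.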
@@ -504,21 +504,21 @@ private function render_table_row( $report ) { // Create the additional message. if ( $needs_wp_upgrade && $needs_php_upgrade ) { /* translators: %1$s: Plugin version number, %2$s: WP version number, %3$s: PHP version number */ - $html .= ' ' . sprintf( esc_html__( '(%1$s available, requires WP %2$s and PHP %3$s)', 'plugin-report' ), $report['repo_info']->version, $report['repo_info']->requires, $report['repo_info']->requires_php ) . ''; + $html .= ' ' . sprintf( esc_html__( '(%1$s available, requires WP %2$s and PHP %3$s)', 'plugin-report' ), esc_html( $report['repo_info']->version ), esc_html( $report['repo_info']->requires ), esc_html( $report['repo_info']->requires_php ) ) . ''; } elseif ( $needs_wp_upgrade ) { /* translators: %1$s: Plugin version number, %2$s: WP version number. */ - $html .= ' ' . sprintf( esc_html__( '(%1$s available, requires WP %2$s)', 'plugin-report' ), $report['repo_info']->version, $report['repo_info']->requires ) . ''; + $html .= ' ' . sprintf( esc_html__( '(%1$s available, requires WP %2$s)', 'plugin-report' ), esc_html( $report['repo_info']->version ), esc_html( $report['repo_info']->requires ) ) . ''; } elseif ( $needs_php_upgrade ) { /* translators: %1$s: Plugin version number, %2$s: PHP version number. */ - $html .= ' ' . sprintf( esc_html__( '(%1$s available, requires PHP %2$s)', 'plugin-report' ), $report['repo_info']->version, $report['repo_info']->requires_php ) . ''; + $html .= ' ' . sprintf( esc_html__( '(%1$s available, requires PHP %2$s)', 'plugin-report' ), esc_html( $report['repo_info']->version ), esc_html( $report['repo_info']->requires_php ) ) . ''; } else { /* translators: %s: Plugin version number. */ - $html .= ' ' . sprintf( esc_html__( '(%s available)', 'plugin-report' ), $report['repo_info']->version ) . ''; + $html .= ' ' . sprintf( esc_html__( '(%s available)', 'plugin-report' ), esc_html( $report['repo_info']->version ) ) . ''; } } $html .= ''; } else { - $html .= '' . 
$report['local_info']['Version'] . ''; + $html .= '' . esc_html( $report['local_info']['Version'] ) . ''; } // Auto-update. @@ -537,7 +537,7 @@ private function render_table_row( $report ) { $time_update = new DateTime( $report['repo_info']->last_updated ); $time_diff = human_time_diff( $time_update->getTimestamp(), current_time( 'timestamp' ) ); $css_class = $this->get_timediff_risk_classname( current_time( 'timestamp' ) - $time_update->getTimestamp() ); - $html .= '' . $time_diff . ''; + $html .= '' . esc_html( $time_diff ) . ''; } else { $html .= $this->render_error_cell(); } @@ -545,7 +545,7 @@ private function render_table_row( $report ) { // Tested up to. if ( isset( $report['repo_info'] ) && isset( $report['repo_info']->tested ) && ! empty( $report['repo_info']->tested ) ) { $css_class = $this->get_version_risk_classname( $report['repo_info']->tested, $wp_latest, true ); - $html .= '' . $report['repo_info']->tested . ''; + $html .= '' . esc_html( $report['repo_info']->tested ) . ''; } else { $html .= $this->render_error_cell(); } @@ -553,7 +553,7 @@ private function render_table_row( $report ) { // Overall user rating. if ( isset( $report['repo_info'] ) && isset( $report['repo_info']->num_ratings ) && isset( $report['repo_info']->rating ) ) { $css_class = ( intval( $report['repo_info']->num_ratings ) > 0 ) ? $this->get_percentage_risk_classname( intval( $report['repo_info']->rating ) ) : ''; - $value_text = ( ( intval( $report['repo_info']->num_ratings ) > 0 ) ? $report['repo_info']->rating . '%' : esc_html__( 'No data available', 'plugin-report' ) ); + $value_text = ( ( intval( $report['repo_info']->num_ratings ) > 0 ) ? esc_html( $report['repo_info']->rating ) . '%' : esc_html__( 'No data available', 'plugin-report' ) ); $html .= '' . $value_text . ''; } else { $html .= $this->render_error_cell();
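Review bot: Each of the four branches now escapes the format string with `esc_html__()` and then every argument with `esc_html()` separately, which is hard to keep consistent as arguments are added; escaping the assembled message once, `esc_html( sprintf( __( '(%1$s available, requires WP %2$s and PHP %3$s)', 'plugin-report' ), $report['repo_info']->version, $report['repo_info']->requires, $report['repo_info']->requires_php ) )`, applies one rule to all of them. The branches differ only in the format string and argument list, so choosing those first and calling sprintf once afterwards would halve the block. render_table_row() continues outside this hunk.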
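Review bot: `new DateTime( $report['repo_info']->last_updated )` on the first line of this hunk throws an `Exception` when the remote field is unparseable, which would abort the whole report page rather than a single cell; since the value comes from the repository API, wrap the construction in try/catch and emit `$this->render_error_cell()` on failure, as the `else` branch already does for the missing case. `human_time_diff()` is also given `current_time( 'timestamp' )`, a local-offset value, to compare with the UTC epoch from `getTimestamp()`, so the displayed age is off by the site's UTC offset; `time()` is the matching reference on both of those lines. These lines are context rather than changed code, but the newly escaped output is built from them. render_table_row() continues outside this hunk.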