Commit
Merge pull request #33 from itthinx/pre-1.8.1
increased version to 1.8.1; added missing esc_url()
itthinx committed Oct 20, 2015
2 parents 15c0dd6 + 8f7b0be commit 5a4d81a
Showing 8 changed files with 22 additions and 19 deletions.
4 changes: 2 additions & 2 deletions groups.php
Expand Up @@ -21,7 +21,7 @@
* Plugin Name: Groups
* Plugin URI: http://www.itthinx.com/plugins/groups
* Description: Groups provides group-based user membership management, group-based capabilities and content access control.
* Version: 1.8.0
* Version: 1.8.1
* Author: itthinx
* Author URI: http://www.itthinx.com
* Donate-Link: http://www.itthinx.com
Expand All @@ -30,7 +30,7 @@
if ( !defined( 'ABSPATH' ) ) {
exit;
}
define( 'GROUPS_CORE_VERSION', '1.8.0' );
define( 'GROUPS_CORE_VERSION', '1.8.1' );
define( 'GROUPS_FILE', __FILE__ );
if ( !defined( 'GROUPS_CORE_DIR' ) ) {
define( 'GROUPS_CORE_DIR', untrailingslashit( plugin_dir_path( __FILE__ ) ) );
4 changes: 2 additions & 2 deletions lib/admin/groups-admin-capabilities-add.php
Expand Up @@ -52,7 +52,7 @@ function groups_admin_capabilities_add() {
'</h2>' .
'</div>' .
Groups_Admin::render_messages() .
'<form id="add-capability" action="' . $current_url . '" method="post">' .
'<form id="add-capability" action="' . esc_url( $current_url ) . '" method="post">' .
'<div class="capability new">' .

'<div class="field">' .
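Review bot: The action attribute on the `<form id="add-capability">` line is now escaped, but nothing in this hunk shows where $current_url comes from or why it is untrusted. The changelog in this commit attributes the issue to $_SERVER['REQUEST_URI'], so a one-line comment where the form is built, saying the URL is request-derived and must be escaped at output, would keep a later edit from dropping the esc_url() call. The same comment would help in the other five admin form files changed here.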
Expand All @@ -69,7 +69,7 @@ function groups_admin_capabilities_add() {
wp_nonce_field( 'capabilities-add', GROUPS_ADMIN_GROUPS_NONCE, true, false ) .
'<input class="button button-primary" type="submit" value="' . __( 'Add', GROUPS_PLUGIN_DOMAIN ) . '"/>' .
'<input type="hidden" value="add" name="action"/>' .
'<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
'<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
'</div>' .
'</div>' . // .capability.new
'</form>' .
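Review bot: On the submit button line, `value="' . __( 'Add', GROUPS_PLUGIN_DOMAIN ) . '"` still places a translated string into an attribute without escaping, and the Cancel link on the changed line puts `__( 'Cancel', GROUPS_PLUGIN_DOMAIN )` into element content the same way. Since this commit is about output escaping, consider esc_attr__( 'Add', GROUPS_PLUGIN_DOMAIN ) for the attribute and esc_html__( 'Cancel', GROUPS_PLUGIN_DOMAIN ) for the link text, so that a translation file cannot inject markup into these forms.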
4 changes: 2 additions & 2 deletions lib/admin/groups-admin-capabilities-edit.php
Expand Up @@ -60,7 +60,7 @@ function groups_admin_capabilities_edit( $capability_id ) {

Groups_Admin::render_messages() .

'<form id="edit-capability" action="' . $current_url . '" method="post">' .
'<form id="edit-capability" action="' . esc_url( $current_url ) . '" method="post">' .
'<div class="capability edit">' .
'<input id="capability-id-field" name="capability-id-field" type="hidden" value="' . esc_attr( intval( $capability_id ) ) . '"/>' .

Expand All @@ -78,7 +78,7 @@ function groups_admin_capabilities_edit( $capability_id ) {
wp_nonce_field( 'capabilities-edit', GROUPS_ADMIN_GROUPS_NONCE, true, false ) .
'<input class="button button-primary" type="submit" value="' . __( 'Save', GROUPS_PLUGIN_DOMAIN ) . '"/>' .
'<input type="hidden" value="edit" name="action"/>' .
'<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
'<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
'</div>' .
'</div>' . // .capability.edit
'</form>' .
6 changes: 3 additions & 3 deletions lib/admin/groups-admin-capabilities-remove.php
Expand Up @@ -54,7 +54,7 @@ function groups_admin_capabilities_remove( $capability_id ) {
__( 'Remove a capability', GROUPS_PLUGIN_DOMAIN ) .
'</h2>' .
'</div>' .
'<form id="remove-capability" action="' . $current_url . '" method="post">' .
'<form id="remove-capability" action="' . esc_url( $current_url ) . '" method="post">' .
'<div class="capability remove">' .
'<input id="capability-id-field" name="capability-id-field" type="hidden" value="' . esc_attr( intval( $capability->capability_id ) ) . '"/>' .
'<ul>' .
Expand All @@ -63,7 +63,7 @@ function groups_admin_capabilities_remove( $capability_id ) {
wp_nonce_field( 'capabilities-remove', GROUPS_ADMIN_GROUPS_NONCE, true, false ) .
'<input class="button button-primary" type="submit" value="' . __( 'Remove', GROUPS_PLUGIN_DOMAIN ) . '"/>' .
'<input type="hidden" value="remove" name="action"/>' .
'<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
'<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
'</div>' .
'</div>' . // .capability.remove
'</form>' .
Expand Down Expand Up @@ -153,7 +153,7 @@ function groups_admin_capabilities_bulk_remove() {
$output .= '</ul>';
}
$output .= '<input class="button button-primary" type="submit" name="bulk" value="' . __( "Remove", GROUPS_PLUGIN_DOMAIN ) . '"/>';
$output .= '<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
$output .= '<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';

$output .= '<input type="hidden" name="action" value="groups-action"/>';
$output .= '<input type="hidden" name="bulk-action" value="remove"/>';
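Review bot: Only the Cancel link is changed in groups_admin_capabilities_bulk_remove(); the opening form tag of the bulk form lies outside this hunk, so it is not visible whether its action attribute also uses $current_url. Please confirm that line is escaped as well, or extend the change to cover it, since the single-item form in this same file needed esc_url() on both the action and the Cancel href.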
4 changes: 2 additions & 2 deletions lib/admin/groups-admin-groups-add.php
Expand Up @@ -63,7 +63,7 @@ function groups_admin_groups_add() {

$output .= Groups_Admin::render_messages();

$output .= '<form id="add-group" action="' . $current_url . '" method="post">';
$output .= '<form id="add-group" action="' . esc_url( $current_url ) . '" method="post">';
$output .= '<div class="group new">';

$output .= '<div class="field">';
Expand Down Expand Up @@ -118,7 +118,7 @@ function groups_admin_groups_add() {
$output .= wp_nonce_field( 'groups-add', GROUPS_ADMIN_GROUPS_NONCE, true, false );
$output .= '<input class="button button-primary" type="submit" value="' . __( 'Add', GROUPS_PLUGIN_DOMAIN ) . '"/>';
$output .= '<input type="hidden" value="add" name="action"/>';
$output .= '<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
$output .= '<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
$output .= '</div>';
$output .= '</div>'; // .group.new
$output .= '</form>';
4 changes: 2 additions & 2 deletions lib/admin/groups-admin-groups-edit.php
Expand Up @@ -72,7 +72,7 @@ function groups_admin_groups_edit( $group_id ) {

$output .= Groups_Admin::render_messages();

$output .= '<form id="edit-group" action="' . $current_url . '" method="post">';
$output .= '<form id="edit-group" action="' . esc_url( $current_url ) . '" method="post">';
$output .= '<div class="group edit">';
$output .= '<input id="group-id-field" name="group-id-field" type="hidden" value="' . esc_attr( intval( $group_id ) ) . '"/>';

Expand Down Expand Up @@ -157,7 +157,7 @@ function groups_admin_groups_edit( $group_id ) {
$output .= wp_nonce_field( 'groups-edit', GROUPS_ADMIN_GROUPS_NONCE, true, false );
$output .= '<input class="button button-primary" type="submit" value="' . __( 'Save', GROUPS_PLUGIN_DOMAIN ) . '"/>';
$output .= '<input type="hidden" value="edit" name="action"/>';
$output .= '<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
$output .= '<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
$output .= '</div>';
$output .= '</div>'; // .group.edit
$output .= '</form>';
6 changes: 3 additions & 3 deletions lib/admin/groups-admin-groups-remove.php
Expand Up @@ -54,7 +54,7 @@ function groups_admin_groups_remove( $group_id ) {
__( 'Remove a group', GROUPS_PLUGIN_DOMAIN ) .
'</h2>' .
'</div>' .
'<form id="remove-group" action="' . $current_url . '" method="post">' .
'<form id="remove-group" action="' . esc_url( $current_url ) . '" method="post">' .
'<div class="group remove">' .
'<input id="group-id-field" name="group-id-field" type="hidden" value="' . esc_attr( intval( $group->group_id ) ) . '"/>' .
'<ul>' .
Expand All @@ -63,7 +63,7 @@ function groups_admin_groups_remove( $group_id ) {
wp_nonce_field( 'groups-remove', GROUPS_ADMIN_GROUPS_NONCE, true, false ) .
'<input class="button button-primary" type="submit" value="' . __( 'Remove', GROUPS_PLUGIN_DOMAIN ) . '"/>' .
'<input type="hidden" value="remove" name="action"/>' .
'<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
'<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
'</div>' .
'</div>' . // .group.remove
'</form>' .
Expand Down Expand Up @@ -157,7 +157,7 @@ function groups_admin_groups_bulk_remove() {
$output .= '</ul>';
}
$output .= '<input class="button button-primary" type="submit" name="bulk" value="' . __( "Remove", GROUPS_PLUGIN_DOMAIN ) . '"/>';
$output .= '<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
$output .= '<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';

$output .= '<input type="hidden" name="action" value="groups-action"/>';
$output .= '<input type="hidden" name="bulk-action" value="remove-group"/>';
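Review bot: Style nit on the bulk submit button line: `__( "Remove", GROUPS_PLUGIN_DOMAIN )` uses a double-quoted literal, while the single-item form in the hunk above and the Cancel link on the changed line use single quotes. Worth normalising to 'Remove' while this function is being touched, so the translatable strings are written consistently.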
9 changes: 6 additions & 3 deletions readme.txt
Expand Up @@ -4,7 +4,7 @@ Donate link: http://www.itthinx.com/plugins/groups
Tags: access, access control, capability, capabilities, content, download, downloads, file, file access, files, group, groups, member, members, membership, memberships, paypal, permission, permissions, subscription, subscriptions, woocommerce
Requires at least: 4.0
Tested up to: 4.3.1
Stable tag: 1.8.0
Stable tag: 1.8.1
License: GPLv3

Groups is an efficient and powerful solution, providing group-based user membership management, group-based capabilities and content access control.
Expand Down Expand Up @@ -181,6 +181,9 @@ See also [Groups](http://www.itthinx.com/plugins/groups/)

== Changelog ==

= 1.8.1 =
* Fixed potential XSS vulnerabilities related to the unescaped use of the $_SERVER['REQUEST_URI'] in some forms.

= 1.8.0 =
* WordPress 4.3.1 compatibility tested.
* Add-ons section added.
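Review bot: The 1.8.1 changelog entry says "some forms" without naming them. Listing the affected admin screens (add, edit and remove for groups and for capabilities, going by the files in this commit) and stating which earlier versions are affected would let site owners judge their exposure without reading the diff.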
Expand Down Expand Up @@ -487,5 +490,5 @@ Some installations wouldn't work correctly, showing no capabilities and making i

== Upgrade Notice ==

= 1.8.0 =
This release has been tested with WordPress 4.3.1 and includes a section for recommended add-ons.
= 1.8.1 =
Security Release : This release fixes potential XSS vulnerabilities.
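Review bot: The upgrade notice line has a stray space before the colon in `Security Release : ` and is less specific than the changelog entry added above. Suggest something like "Security release: fixes potential XSS vulnerabilities in the Groups admin forms." so the notice shown on the plugins screen says where the issue was.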
