Merge pull request #744 from versionpress/637-escape-echoed-variables

Late escape all echoed variables

plugins/versionpress/admin/deactivate.php

@@ -17,9 +17,9 @@
  * @param string $cssClass Optional CSS class to be used for the button
  */
 function _vp_button($label, $action, $type = "delete", $cssClass = "") {
-    echo "<form action='" . admin_url('admin-post.php') . "' method='post' class='$cssClass'>";
+    echo "<form action='" . esc_url(admin_url('admin-post.php')) . "' method='post' class='" . esc_attr($cssClass) . "'>";
     echo "<input type='hidden' name='action' value='$action' />";
-    submit_button($label, $type, $action, false, $other_attributes = array("id" => $action) );
+    submit_button($label, $type, $action, false, $other_attributes = array("id" => $action));
     echo "</form>";
 }
 

plugins/versionpress/admin/inc/activationPanel.php

@@ -35,8 +35,8 @@
                         $iconClass = $requirement["fulfilled"] ? "icon-checkmark" : "icon-warning";
                         ?>
                         <li>
-                            <span class="icon <?php echo $iconClass; ?>"></span>
-                            <?php echo $requirement["name"]; ?>
+                            <span class="icon <?php echo esc_attr($iconClass); ?>"></span>
+                            <?php echo esc_html($requirement["name"]); ?>
                             <p class="<?php echo $requirement["fulfilled"] ? 'closed' : 'open'; ?>">
                                 <?php echo Markdown::transform($requirement["help"]); ?>
                             </p>
@@ -55,7 +55,7 @@
                     ?>
                 </ul>
 
-                <div><a href="<?php echo admin_url('admin.php?page=versionpress/admin/system-info.php') ?>">View full system info</a><?php if (!$requirementsChecker->isWithoutCriticalErrors()) { ?>, <a href="https://github.com/versionpress/support">get support on GitHub</a><?php } ?></div>
+                <div><a href="<?php echo esc_url(admin_url('admin.php?page=versionpress/admin/system-info.php')) ?>">View full system info</a><?php if (!$requirementsChecker->isWithoutCriticalErrors()) { ?>, <a href="https://github.com/versionpress/support">get support on GitHub</a><?php } ?></div>
 
             </div>
 
@@ -92,8 +92,8 @@
                 $buttonClass = "button-primary-disabled";
             }
             ?>
-            <a href="<?php echo $activationUrl; ?>"
-               class="button <?php echo $buttonClass; ?> button-hero" id="activate-versionpress-btn">Activate
+            <a href="<?php echo esc_url($activationUrl); ?>"
+               class="button <?php echo esc_attr($buttonClass); ?> button-hero" id="activate-versionpress-btn">Activate
                 VersionPress</a>
         </div>
 

plugins/versionpress/admin/system-info.php

@@ -22,7 +22,7 @@ function vp_display_system_info_array($array, $outputFormat) {
         case 've': // var_export
 
             echo '<pre><code style="language-php">';
-            echo htmlspecialchars(var_export($array, true));
+            echo esc_html(var_export($array, true));
             echo '</code></pre>';
 
             break;
@@ -66,8 +66,8 @@ function vp_display_system_info_array($array, $outputFormat) {
 
 <div>
     Format:
-    <a href="<?php echo admin_url('admin.php?page=versionpress/admin/system-info.php&f=ve') ?>">var_export</a> |
-    <a href="<?php echo admin_url('admin.php?page=versionpress/admin/system-info.php&f=tc') ?>">tracy</a>
+    <a href="<?php echo esc_url(admin_url('admin.php?page=versionpress/admin/system-info.php&f=ve')) ?>">var_export</a> |
+    <a href="<?php echo esc_url(admin_url('admin.php?page=versionpress/admin/system-info.php&f=tc')) ?>">tracy</a>
 
     <br />