Google XML Sitemaps - Version 4.1.0

Version Description

(2018-12-18) = * Fixed security issue related to escaping external URLs * Fixed security issue related to option tags in forms



Developer fredericktownes
Version 4.1.0

Code changes from version 4.0.9 to 4.1.0

Files changed (5) hide show
  1. documentation.txt +3 -1
  2. readme.txt +6 -2
  3. sitemap-core.php +7 -7
  4. sitemap-ui.php +14 -7
  5. sitemap.php +2 -2
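--- a/documentation.txt
+++ b/documentation.txt
@@ -310,6 +310,8 @@ Release History:
  Changed "Tested up to" to 4.0
  2014-11-15 4.0.8 Fixed bug with excluded categories, thanks to Claus Schöffel!
  2017-03-22 4.0.9 Fixed security issue with donation submission.
+ 2018-12-18 4.1.0 Fixed security issues related to forms and external URLs
+
 
 
 
@@ -321,7 +323,7 @@ Todo:
 
  License:
  ==============================================================================
- Copyright 2005 - 2017 ARNE BRACHHOLD (email : himself - arnebrachhold - de)
+ Copyright 2005 - 2018 ARNE BRACHHOLD (email : himself - arnebrachhold - de)
 
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by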
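--- a/readme.txt
+++ b/readme.txt
@@ -2,8 +2,8 @@
  Contributors: arnee
  Tags: seo, google, bing, yahoo, msn, ask, live, sitemaps, google sitemaps, xml sitemap, xml
  Requires at least: 3.3
- Tested up to: 4.9.5
- Stable tag: 4.0.9
+ Tested up to: 5.0.1
+ Stable tag: 4.1.0
  License: GPLv2
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -77,6 +77,10 @@ The WordPress.org repository is just another place to download this plugin. I do
 
  == Changelog ==
 
+ = 4.1.0 (2018-12-18) =
+ * Fixed security issue related to escaping external URLs
+ * Fixed security issue related to option tags in forms
+
  = 4.0.9 (2017-07-24) =
  * Fixed security issue related to donation functionality.
 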
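--- a/sitemap-core.php
+++ b/sitemap-core.php
@@ -340,7 +340,7 @@ class GoogleSitemapGeneratorPage {
 
  $r = "";
  $r .= "\t<url>\n";
- $r .= "\t\t<loc>" . $this->EscapeXML($this->_url) . "</loc>\n";
+ $r .= "\t\t<loc>" . $this->EscapeXML(esc_url_raw($this->_url)) . "</loc>\n";
  if($this->_lastMod > 0) $r .= "\t\t<lastmod>" . date('Y-m-d\TH:i:s+00:00', $this->_lastMod) . "</lastmod>\n";
  if(!empty($this->_changeFreq)) $r .= "\t\t<changefreq>" . $this->_changeFreq . "</changefreq>\n";
  if($this->_priority !== false && $this->_priority !== "") $r .= "\t\t<priority>" . number_format($this->_priority, 1) . "</priority>\n";
@@ -451,7 +451,7 @@ class GoogleSitemapGeneratorSitemapEntry {
 
  $r = "";
  $r .= "\t<sitemap>\n";
- $r .= "\t\t<loc>" . $this->EscapeXML($this->_url) . "</loc>\n";
+ $r .= "\t\t<loc>" . $this->EscapeXML(esc_url_raw($this->_url)) . "</loc>\n";
  if($this->_lastMod > 0) $r .= "\t\t<lastmod>" . date('Y-m-d\TH:i:s+00:00', $this->_lastMod) . "</lastmod>\n";
  $r .= "\t</sitemap>\n";
  return $r;
@@ -845,7 +845,7 @@ final class GoogleSitemapGenerator {
  */
  public static function GetBackLink($extra = '') {
  global $wp_version;
- $url = admin_url("options-general.php?page=" .
+ $url = admin_url("options-general.php?page=" .
  GoogleSitemapGeneratorLoader::GetBaseName() . $extra);
  return $url;
  }
@@ -1686,7 +1686,7 @@ final class GoogleSitemapGenerator {
  ? $this->GetDefaultStyle() : $this->GetOption('b_style'));
 
  if(!empty($styleSheet)) {
- $this->AddElement(new GoogleSitemapGeneratorXmlEntry('<' . '?xml-stylesheet type="text/xsl" href="' . $styleSheet . '"?' . '>'));
+ $this->AddElement(new GoogleSitemapGeneratorXmlEntry('<' . '?xml-stylesheet type="text/xsl" href="' . esc_url( $styleSheet ) . '"?' . '>'));
  }
 
  $this->AddElement(new GoogleSitemapGeneratorDebugEntry("sitemap-generator-url=\"http://www.arnebrachhold.de\" sitemap-generator-version=\"" . $this->GetVersion() . "\""));
@@ -2260,13 +2260,13 @@ final class GoogleSitemapGenerator {
  <div class="updated">
  <strong>
  <p>
- <?php echo str_replace('%s', 'https://w3edge.wufoo.com/forms/mex338s1ysw3i0/',
- __('Thank you for using Google XML Sitemaps! <a href="%s" target="_blank">Please help us improve by taking this short survey!</a>','sitemap'));
+ <?php echo str_replace('%s', 'https://w3edge.wufoo.com/forms/mex338s1ysw3i0/',
+ __('Thank you for using Google XML Sitemaps! <a href="%s" target="_blank">Please help us improve by taking this short survey!</a>','sitemap'));
  ?> <a href="<?php echo $this->GetBackLink() . "&amp;sm_hide_survey=true"; ?>" style="float:right; display:block; border:none;"><small style="font-weight:normal; "><?php _e('Don\'t show this anymore', 'sitemap'); ?></small></a>
  </p>
  </strong>
  <div style="clear:right;"></div>
  </div>
- <?php
+ <?php
  }
  }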
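Review bot: The escaping added on new line 343 stops at `<loc>`; on the context line 345 `$this->_changeFreq` is still concatenated into the XML unescaped, and the sitemap-ui.php hunk on this page shows the `sm_cf_` options reaching storage with only `<` and `>` replaced, so an `&` in a stored change-frequency value would still leave the document malformed. Wrapping it the same way as the URL, `if(!empty($this->_changeFreq)) $r .= "\t\t<changefreq>" . $this->EscapeXML($this->_changeFreq) . "</changefreq>\n";`, keeps the element well-formed regardless of the value; restricting the value to the sitemap-protocol keywords at the setter would be stricter, but that code is outside the hunk. The enclosing method starts before the hunk.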
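--- a/sitemap-ui.php
+++ b/sitemap-ui.php
@@ -145,6 +145,11 @@ class GoogleSitemapGeneratorUI {
 
  return $pages;
  }
+
+ static public function escape($v) {
+ // prevent html tags in strings where they are not required
+ return strtr($v, '<>', '..');
+ }
 
  /**
  * Displays the option page
@@ -297,10 +302,13 @@ class GoogleSitemapGeneratorUI {
  if(substr($k,0,5)=="sm_b_") {
  if($k=="sm_b_prio_provider" || $k == "sm_b_style" || $k == "sm_b_memory" || $k == "sm_b_baseurl") {
  if($k=="sm_b_filename_manual" && strpos($_POST[$k],"\\")!==false){
- $_POST[$k]=stripslashes($_POST[$k]);
+ $_POST[$k]=stripslashes(self::escape($_POST[$k]));
  } else if($k=="sm_b_baseurl") {
- $_POST[$k] = trim($_POST[$k]);
+ $_POST[$k] = esc_url_raw(trim(self::escape($_POST[$k])));
  if(!empty($_POST[$k])) $_POST[$k] = trailingslashit($_POST[$k]);
+ } else if($k=="sm_b_style") {
+ $_POST[$k] = esc_url_raw(trim(self::escape($_POST[$k])));
+ if(!empty($_POST[$k])) $_POST[$k] = trailingslashit($_POST[$k]);
  }
  $this->sg->SetOption($k,(string) $_POST[$k]);
  } else if($k == "sm_b_time") {
@@ -335,7 +343,7 @@ class GoogleSitemapGeneratorUI {
  foreach(array_keys((array) $_POST[$k]) AS $taxName) {
  if(empty($taxName) || !taxonomy_exists($taxName)) continue;
 
- $enabledTaxonomies[] = $taxName;
+ $enabledTaxonomies[] = self::escape($taxName);
  }
 
  $this->sg->SetOption($k,$enabledTaxonomies);
@@ -347,7 +355,7 @@ class GoogleSitemapGeneratorUI {
  foreach(array_keys((array) $_POST[$k]) AS $postTypeName) {
  if(empty($postTypeName) || !post_type_exists($postTypeName)) continue;
 
- $enabledPostTypes[] = $postTypeName;
+ $enabledPostTypes[] = self::escape($postTypeName);
  }
 
  $this->sg->SetOption($k, $enabledPostTypes);
@@ -355,7 +363,7 @@ class GoogleSitemapGeneratorUI {
  } else $this->sg->SetOption($k,(bool) $_POST[$k]);
  //Options of the category "Change frequencies" are string
  } else if(substr($k,0,6)=="sm_cf_") {
- $this->sg->SetOption($k,(string) $_POST[$k]);
+ $this->sg->SetOption($k,(string) self::escape($_POST[$k]));
  //Options of the category "Priorities" are float
  } else if(substr($k,0,6)=="sm_pr_") {
  $this->sg->SetOption($k,(float) $_POST[$k]);
@@ -789,7 +797,7 @@ HTML;
  echo "<li class=\"sm_error\">" . str_replace("%s",wp_nonce_url($this->sg->GetBackLink() . "&sm_delete_old=true",'sitemap'),__('There is still a sitemap.xml or sitemap.xml.gz file in your site directory. Please delete them as no static files are used anymore or <a href="%s">try to delete them automatically</a>.','sitemap')) . "</li>";
  }
 
- echo "<li>" . str_replace("%s",$this->sg->getXmlUrl(),__('The URL to your sitemap index file is: <a href="%s">%s</a>.','sitemap')) . "</li>";
+ echo "<li>" . str_replace("%s", esc_url($this->sg->getXmlUrl()),__('The URL to your sitemap index file is: <a href="%s">%s</a>.','sitemap')) . "</li>";
 
  if($status == null) {
  echo "<li>" . __('Search engines haven\'t been notified yet. Write a post to let them know about your sitemap.','sitemap') . "</li>";
@@ -1306,4 +1314,3 @@ HTML;
  <?php
  }
  }
-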
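Review bot: The new `sm_b_style` branch (new lines 309–311) applies `trailingslashit` to the value, but that option appears to be the stylesheet URL the sitemap-core.php hunk reads back as `GetOption('b_style')` for the `xml-stylesheet href`, so a value like `https://example.com/sitemap.xsl` is stored as `https://example.com/sitemap.xsl/` and no longer points at the file; the branch should keep only `$_POST[$k] = esc_url_raw(trim(self::escape($_POST[$k])));` and drop the `trailingslashit` line, which is only meaningful for the base URL. In the same hunk, the `sm_b_filename_manual` test on line 304 sits inside the `if($k=="sm_b_prio_provider" || $k == "sm_b_style" || ...)` condition, so the modified `stripslashes(self::escape(...))` on line 305 can never execute; it probably belongs in an outer branch. Note too that `self::escape` rewrites `<` and `>` to `.` rather than rejecting the value, which silently changes the stored option instead of reporting invalid input. The enclosing method starts and ends outside the hunk.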
 
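--- a/sitemap.php
+++ b/sitemap.php
@@ -18,14 +18,14 @@
  Plugin Name: Google XML Sitemaps
  Plugin URI: http://www.arnebrachhold.de/redir/sitemap-home/
  Description: This plugin improves SEO using sitemaps for best indexation by search engines like Google, Bing, Yahoo and others.
- Version: 4.0.9
+ Version: 4.1.0
  Author: Arne Brachhold
  Author URI: http://www.arnebrachhold.de/
  Text Domain: sitemap
  Domain Path: /lang
 
 
- Copyright 2005 - 2014 ARNE BRACHHOLD (email : himself - arnebrachhold - de)
+ Copyright 2005 - 2018 ARNE BRACHHOLD (email : himself - arnebrachhold - de)
 
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by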