Google XML Sitemaps - Version 4.1.0

Version Description

(2018-12-18) = * Fixed security issue related to escaping external URLs * Fixed security issue related to option tags in forms


Release Info

Developer fredericktownes
Version 4.1.0

Code changes from version 4.0.9 to 4.1.0

Files changed (5) hide show
  1. documentation.txt +3 -1
  2. readme.txt +6 -2
  3. sitemap-core.php +7 -7
  4. sitemap-ui.php +14 -7
  5. sitemap.php +2 -2
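--- a/documentation.txt
+++ b/documentation.txt
@@ -310,6 +310,8 @@ Release History:
 Changed "Tested up to" to 4.0
 2014-11-15 4.0.8 Fixed bug with excluded categories, thanks to Claus Schöffel!
 2017-03-22 4.0.9 Fixed security issue with donation submission.
+2018-12-18 4.1.0 Fixed security issues related to forms and external URLs
+
 
 
 
@@ -321,7 +323,7 @@ Todo:
 
 License:
 ==============================================================================
-Copyright 2005 - 2017 ARNE BRACHHOLD (email : himself - arnebrachhold - de)
+Copyright 2005 - 2018 ARNE BRACHHOLD (email : himself - arnebrachhold - de)
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by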
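--- a/readme.txt
+++ b/readme.txt
@@ -2,8 +2,8 @@
 Contributors: arnee
 Tags: seo, google, bing, yahoo, msn, ask, live, sitemaps, google sitemaps, xml sitemap, xml
 Requires at least: 3.3
-Tested up to: 4.9.5
-Stable tag: 4.0.9
+Tested up to: 5.0.1
+Stable tag: 4.1.0
 License: GPLv2
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -77,6 +77,10 @@ The WordPress.org repository is just another place to download this plugin. I do
 
 == Changelog ==
 
+= 4.1.0 (2018-12-18) =
+* Fixed security issue related to escaping external URLs
+* Fixed security issue related to option tags in forms
+
 = 4.0.9 (2017-07-24) =
 * Fixed security issue related to donation functionality.
 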
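--- a/sitemap-core.php
+++ b/sitemap-core.php
@@ -340,7 +340,7 @@ class GoogleSitemapGeneratorPage {
 
 $r = "";
 $r .= "\t<url>\n";
-$r .= "\t\t<loc>" . $this->EscapeXML($this->_url) . "</loc>\n";
+$r .= "\t\t<loc>" . $this->EscapeXML(esc_url_raw($this->_url)) . "</loc>\n";
 if($this->_lastMod > 0) $r .= "\t\t<lastmod>" . date('Y-m-d\TH:i:s+00:00', $this->_lastMod) . "</lastmod>\n";
 if(!empty($this->_changeFreq)) $r .= "\t\t<changefreq>" . $this->_changeFreq . "</changefreq>\n";
 if($this->_priority !== false && $this->_priority !== "") $r .= "\t\t<priority>" . number_format($this->_priority, 1) . "</priority>\n";
@@ -451,7 +451,7 @@ class GoogleSitemapGeneratorSitemapEntry {
 
 $r = "";
 $r .= "\t<sitemap>\n";
-$r .= "\t\t<loc>" . $this->EscapeXML($this->_url) . "</loc>\n";
+$r .= "\t\t<loc>" . $this->EscapeXML(esc_url_raw($this->_url)) . "</loc>\n";
 if($this->_lastMod > 0) $r .= "\t\t<lastmod>" . date('Y-m-d\TH:i:s+00:00', $this->_lastMod) . "</lastmod>\n";
 $r .= "\t</sitemap>\n";
 return $r;
@@ -845,7 +845,7 @@ final class GoogleSitemapGenerator {
 */
 public static function GetBackLink($extra = '') {
 global $wp_version;
-$url = admin_url("options-general.php?page=" .
+$url = admin_url("options-general.php?page=" .
 GoogleSitemapGeneratorLoader::GetBaseName() . $extra);
 return $url;
 }
@@ -1686,7 +1686,7 @@ final class GoogleSitemapGenerator {
 ? $this->GetDefaultStyle() : $this->GetOption('b_style'));
 
 if(!empty($styleSheet)) {
-$this->AddElement(new GoogleSitemapGeneratorXmlEntry('<' . '?xml-stylesheet type="text/xsl" href="' . $styleSheet . '"?' . '>'));
+$this->AddElement(new GoogleSitemapGeneratorXmlEntry('<' . '?xml-stylesheet type="text/xsl" href="' . esc_url( $styleSheet ) . '"?' . '>'));
 }
 
 $this->AddElement(new GoogleSitemapGeneratorDebugEntry("sitemap-generator-url=\"http://www.arnebrachhold.de\" sitemap-generator-version=\"" . $this->GetVersion() . "\""));
@@ -2260,13 +2260,13 @@ final class GoogleSitemapGenerator {
 <div class="updated">
 <strong>
 <p>
-<?php echo str_replace('%s', 'https://w3edge.wufoo.com/forms/mex338s1ysw3i0/',
-__('Thank you for using Google XML Sitemaps! <a href="%s" target="_blank">Please help us improve by taking this short survey!</a>','sitemap'));
+<?php echo str_replace('%s', 'https://w3edge.wufoo.com/forms/mex338s1ysw3i0/',
+__('Thank you for using Google XML Sitemaps! <a href="%s" target="_blank">Please help us improve by taking this short survey!</a>','sitemap'));
 ?> <a href="<?php echo $this->GetBackLink() . "&amp;sm_hide_survey=true"; ?>" style="float:right; display:block; border:none;"><small style="font-weight:normal; "><?php _e('Don\'t show this anymore', 'sitemap'); ?></small></a>
 </p>
 </strong>
 <div style="clear:right;"></div>
 </div>
-<?php
+<?php
 }
 }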
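Review bot: In the two `<loc>` hunks (GoogleSitemapGeneratorPage at new line 343 and GoogleSitemapGeneratorSitemapEntry at new line 454), `esc_url_raw()` yields an empty string when the URL's scheme is not one WordPress allows, and the element is then still written as `<loc></loc>`, producing an invalid sitemap entry instead of a skipped one. Computing the value first and bailing out on it, e.g. `$loc = esc_url_raw($this->_url); if ($loc === '') return '';` ahead of `$r = "";`, keeps a rejected URL out of the output; the methods containing both hunks start outside them, so the early return needs checking against what their callers do with the result. The stylesheet hunk at new line 1689 uses `esc_url()` rather than `esc_url_raw()`, which suits an attribute value inside the xml-stylesheet processing instruction since it also entity-encodes `&` and drops `"`; a one-line comment such as `// esc_url(): attribute context inside the xml-stylesheet PI, unlike the raw <loc> values` would record why the two helpers differ. The hunks at lines 848 and 2263-2270 show identical text on both sides and appear to be whitespace-only changes.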
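--- a/sitemap-ui.php
+++ b/sitemap-ui.php
@@ -145,6 +145,11 @@ class GoogleSitemapGeneratorUI {
 
 return $pages;
 }
+
+static public function escape($v) {
+// prevent html tags in strings where they are not required
+return strtr($v, '<>', '..');
+}
 
 /**
 * Displays the option page
@@ -297,10 +302,13 @@ class GoogleSitemapGeneratorUI {
 if(substr($k,0,5)=="sm_b_") {
 if($k=="sm_b_prio_provider" || $k == "sm_b_style" || $k == "sm_b_memory" || $k == "sm_b_baseurl") {
 if($k=="sm_b_filename_manual" && strpos($_POST[$k],"\\")!==false){
-$_POST[$k]=stripslashes($_POST[$k]);
+$_POST[$k]=stripslashes(self::escape($_POST[$k]));
 } else if($k=="sm_b_baseurl") {
-$_POST[$k] = trim($_POST[$k]);
+$_POST[$k] = esc_url_raw(trim(self::escape($_POST[$k])));
 if(!empty($_POST[$k])) $_POST[$k] = trailingslashit($_POST[$k]);
+} else if($k=="sm_b_style") {
+$_POST[$k] = esc_url_raw(trim(self::escape($_POST[$k])));
+if(!empty($_POST[$k])) $_POST[$k] = trailingslashit($_POST[$k]);
 }
 $this->sg->SetOption($k,(string) $_POST[$k]);
 } else if($k == "sm_b_time") {
@@ -335,7 +343,7 @@ class GoogleSitemapGeneratorUI {
 foreach(array_keys((array) $_POST[$k]) AS $taxName) {
 if(empty($taxName) || !taxonomy_exists($taxName)) continue;
 
-$enabledTaxonomies[] = $taxName;
+$enabledTaxonomies[] = self::escape($taxName);
 }
 
 $this->sg->SetOption($k,$enabledTaxonomies);
@@ -347,7 +355,7 @@ class GoogleSitemapGeneratorUI {
 foreach(array_keys((array) $_POST[$k]) AS $postTypeName) {
 if(empty($postTypeName) || !post_type_exists($postTypeName)) continue;
 
-$enabledPostTypes[] = $postTypeName;
+$enabledPostTypes[] = self::escape($postTypeName);
 }
 
 $this->sg->SetOption($k, $enabledPostTypes);
@@ -355,7 +363,7 @@ class GoogleSitemapGeneratorUI {
 } else $this->sg->SetOption($k,(bool) $_POST[$k]);
 //Options of the category "Change frequencies" are string
 } else if(substr($k,0,6)=="sm_cf_") {
-$this->sg->SetOption($k,(string) $_POST[$k]);
+$this->sg->SetOption($k,(string) self::escape($_POST[$k]));
 //Options of the category "Priorities" are float
 } else if(substr($k,0,6)=="sm_pr_") {
 $this->sg->SetOption($k,(float) $_POST[$k]);
@@ -789,7 +797,7 @@ HTML;
 echo "<li class=\"sm_error\">" . str_replace("%s",wp_nonce_url($this->sg->GetBackLink() . "&sm_delete_old=true",'sitemap'),__('There is still a sitemap.xml or sitemap.xml.gz file in your site directory. Please delete them as no static files are used anymore or <a href="%s">try to delete them automatically</a>.','sitemap')) . "</li>";
 }
 
-echo "<li>" . str_replace("%s",$this->sg->getXmlUrl(),__('The URL to your sitemap index file is: <a href="%s">%s</a>.','sitemap')) . "</li>";
+echo "<li>" . str_replace("%s", esc_url($this->sg->getXmlUrl()),__('The URL to your sitemap index file is: <a href="%s">%s</a>.','sitemap')) . "</li>";
 
 if($status == null) {
 echo "<li>" . __('Search engines haven\'t been notified yet. Write a post to let them know about your sitemap.','sitemap') . "</li>";
@@ -1306,4 +1314,3 @@ HTML;
 <?php
 }
 }
-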
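Review bot: In the `sm_b_style` branch added at new lines 309-311, `trailingslashit()` is applied to the custom stylesheet URL, so a value like `https://example.com/sitemap.xsl` (constructed example) is stored as `https://example.com/sitemap.xsl/`, which looks copied from the `sm_b_baseurl` branch above it where a trailing slash is wanted; keeping only `$_POST[$k] = esc_url_raw(trim(self::escape($_POST[$k])));` in that branch appears to be the intent. `escape()` (new lines 149-152) replaces `<` and `>` with `.` rather than rejecting the value, so it is a lossy strip rather than an escape, and a docblock should say so, e.g. `/** Replaces '<' and '>' in $v with '.'; lossy, so only use where angle brackets are never legitimate. */`. It is also applied before the `(string)` cast in the `sm_cf_` branch (new line 366), so a non-string POST value now reaches `strtr()` where the old code only cast it — `self::escape((string) $_POST[$k])` keeps that tolerance — and since this value is presumably what ends up unescaped inside `<changefreq>` in sitemap-core.php, checking it against the fixed set of valid change-frequency strings would be stronger than character substitution. The `sm_b_filename_manual` test at new lines 304-305 sits under a condition that only admits the prio_provider, style, memory and baseurl keys, so the escape added there appears unreachable. The method containing the `sm_b_` hunk starts and ends outside it.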
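--- a/sitemap.php
+++ b/sitemap.php
@@ -18,14 +18,14 @@
 Plugin Name: Google XML Sitemaps
 Plugin URI: http://www.arnebrachhold.de/redir/sitemap-home/
 Description: This plugin improves SEO using sitemaps for best indexation by search engines like Google, Bing, Yahoo and others.
-Version: 4.0.9
+Version: 4.1.0
 Author: Arne Brachhold
 Author URI: http://www.arnebrachhold.de/
 Text Domain: sitemap
 Domain Path: /lang
 
 
-Copyright 2005 - 2014 ARNE BRACHHOLD (email : himself - arnebrachhold - de)
+Copyright 2005 - 2018 ARNE BRACHHOLD (email : himself - arnebrachhold - de)
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by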