Escape translations.

vyskoczilova · May 3, 2021 · 7c478c0 · 7c478c0
1 parent 47f89da
commit 7c478c0
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/readme.txt b/readme.txt
@@ -44,11 +44,12 @@ You need to install the language first.
 == Changelog ==
 
 = 2.0.2 (2021-05-03) =
-* Fix CSRF security issues
+* Fix security issues
     * Check for the empty nonce.
+    * Escape translations.
 
 = 2.0.1 (2021-05-03) =
-* Fix CSRF security issues (thanks @ErwanLR from WPScan for reporting!)
+* Fix security issues (thanks @ErwanLR from WPScan for reporting!)
     * Check for the empty nonce.
     * Check for user permission within ajax request.
     * Retrieve current user ID within the request.

diff --git a/simple-admin-language-change.php b/simple-admin-language-change.php
@@ -97,12 +97,12 @@ function change_user_locale_ajax()
 
 	// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 	if (!isset($_REQUEST['nonce']) || !wp_verify_nonce($_REQUEST['nonce'], "salc_change_user_locale")) {
-		wp_die( __('Something went wrong, try again.', 'kbnt-sacl'));
+		wp_die(esc_html(__('Something went wrong, try again.', 'kbnt-sacl')));
 	}
 
 	// Check for permissions matching the user_locale.
 	if (! current_user_can('edit_posts') || ! current_user_can('edit_pages')) {
-		wp_die(__('You don\'t have the correct permissions for language change.', 'kbnt-sacl'));
+		wp_die(esc_html(__('You don\'t have the correct permissions for language change.', 'kbnt-sacl')));
 	}
 
 	$user_id = \get_current_user_id();