From ae4f12d4064d0f47a424be3ca6145733d0cc8835 Mon Sep 17 00:00:00 2001
From: Aaron Jorbin <aaron@jorb.in>
Date: Tue, 13 Feb 2024 14:19:09 +0000
Subject: [PATCH] Multisite: Escape urls and html elements in wp-activate.php

When WPMU was merged in [12603], the intent was to go back and make sure everything was escaped. This completes that intent.

Props rafiq91, rajinsharwar, costdev, oglekler, nicolefurlan, ryan, peterwilsoncc.
Fixes #57336.
See #11644.


Built from https://develop.svn.wordpress.org/trunk@57625


git-svn-id: http://core.svn.wordpress.org/trunk@57126 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-activate.php         | 30 +++++++++++++++---------------
 wp-includes/version.php |  2 +-
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/wp-activate.php b/wp-activate.php
index 36772a2d9d..5dc602337b 100644
--- a/wp-activate.php
+++ b/wp-activate.php
@@ -150,19 +150,19 @@ $blog_details = get_site();
 				printf(
 					/* translators: 1: Login URL, 2: Username, 3: User email address, 4: Lost password URL. */
 					__( 'Your account has been activated. You may now <a href="%1$s">log in</a> to the site using your chosen username of &#8220;%2$s&#8221;. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.' ),
-					network_site_url( $blog_details->path . 'wp-login.php', 'login' ),
-					$signup->user_login,
-					$signup->user_email,
-					wp_lostpassword_url()
+					esc_url( network_site_url( $blog_details->path . 'wp-login.php', 'login' ) ),
+					esc_html( $signup->user_login ),
+					esc_html( $signup->user_email ),
+					esc_url( wp_lostpassword_url() )
 				);
 			} else {
 				printf(
 					/* translators: 1: Site URL, 2: Username, 3: User email address, 4: Lost password URL. */
 					__( 'Your site at %1$s is active. You may now log in to your site using your chosen username of &#8220;%2$s&#8221;. Please check your email inbox at %3$s for your password and login instructions. If you do not receive an email, please check your junk or spam folder. If you still do not receive an email within an hour, you can <a href="%4$s">reset your password</a>.' ),
-					sprintf( '<a href="http://%1$s%2$s">%1$s%2$s</a>', $signup->domain, $blog_details->path ),
-					$signup->user_login,
-					$signup->user_email,
-					wp_lostpassword_url()
+					sprintf( '<a href="http://%1$s">%1$s</a>', esc_url( $signup->domain . $blog_details->path ) ),
+					esc_html( $signup->user_login ),
+					esc_html( $signup->user_email ),
+					esc_url( wp_lostpassword_url() )
 				);
 			}
 			echo '</p>';
@@ -170,18 +170,18 @@ $blog_details = get_site();
 			?>
 			<h2><?php _e( 'An error occurred during the activation' ); ?></h2>
 			<?php if ( is_wp_error( $result ) ) : ?>
-				<p><?php echo $result->get_error_message(); ?></p>
+				<p><?php echo esc_html( $result->get_error_message() ); ?></p>
 			<?php endif; ?>
 			<?php
 		} else {
-			$url  = isset( $result['blog_id'] ) ? get_home_url( (int) $result['blog_id'] ) : '';
+			$url  = isset( $result['blog_id'] ) ? esc_url( get_home_url( (int) $result['blog_id'] ) ) : '';
 			$user = get_userdata( (int) $result['user_id'] );
 			?>
 			<h2><?php _e( 'Your account is now active!' ); ?></h2>
 
 			<div id="signup-welcome">
-			<p><span class="h3"><?php _e( 'Username:' ); ?></span> <?php echo $user->user_login; ?></p>
-			<p><span class="h3"><?php _e( 'Password:' ); ?></span> <?php echo $result['password']; ?></p>
+			<p><span class="h3"><?php _e( 'Username:' ); ?></span> <?php echo esc_html( $user->user_login ); ?></p>
+			<p><span class="h3"><?php _e( 'Password:' ); ?></span> <?php echo esc_html( $result['password'] ); ?></p>
 			</div>
 
 			<?php
@@ -193,7 +193,7 @@ $blog_details = get_site();
 				<p class="view">
 				<?php
 					/* translators: 1: Site URL, 2: Login URL. */
-					printf( __( 'Your account is now activated. <a href="%1$s">View your site</a> or <a href="%2$s">Log in</a>' ), $url, esc_url( $login_url ) );
+					printf( __( 'Your account is now activated. <a href="%1$s">View your site</a> or <a href="%2$s">Log in</a>' ), esc_url( $url ), esc_url( $login_url ) );
 				?>
 				</p>
 			<?php else : ?>
@@ -202,8 +202,8 @@ $blog_details = get_site();
 					printf(
 						/* translators: 1: Login URL, 2: Network home URL. */
 						__( 'Your account is now activated. <a href="%1$s">Log in</a> or go back to the <a href="%2$s">homepage</a>.' ),
-						network_site_url( $blog_details->path . 'wp-login.php', 'login' ),
-						network_home_url( $blog_details->path )
+						esc_url( network_site_url( $blog_details->path . 'wp-login.php', 'login' ) ),
+						esc_url( network_home_url( $blog_details->path ) )
 					);
 				?>
 				</p>
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 3fb2180595..19a3f084d8 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '6.5-alpha-57624';
+$wp_version = '6.5-alpha-57625';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.