escape download handler URLs

2013-11-26 07:27:46 -08:00 · 2013-11-26 07:27:46 -08:00 · 6bed7bff94
parent b4c66db7e2
commit 6bed7bff94
1 changed files with 12 additions and 12 deletions
--- a/includes/class-wc-download-handler.php
+++ b/includes/class-wc-download-handler.php
@ -34,7 +34,7 @@ class WC_Download_Handler {
 			$_product             = get_product( $product_id );
 			if ( ! is_email( $email) )
-				wp_die( __( 'Invalid email address.', 'woocommerce' ) . ' <a href="' . home_url() . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
+				wp_die( __( 'Invalid email address.', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
 			$query = "
 				SELECT order_id,downloads_remaining,user_id,download_count,access_expires,download_id
@ -58,7 +58,7 @@ class WC_Download_Handler {
 			$download_result = $wpdb->get_row( $wpdb->prepare( $query, $args ) );
 			if ( ! $download_result )
-				wp_die( __( 'Invalid download.', 'woocommerce' ) . ' <a href="'.home_url().'">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
+				wp_die( __( 'Invalid download.', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
 			$download_id 			= $download_result->download_id;
 			$order_id 				= $download_result->order_id;
@ -70,7 +70,7 @@ class WC_Download_Handler {
 			if ( $user_id && get_option( 'woocommerce_downloads_require_login' ) == 'yes' ) {
 				if ( ! is_user_logged_in() )
-					wp_die( __( 'You must be logged in to download files.', 'woocommerce' ) . ' <a href="' . wp_login_url( get_permalink( wc_get_page_id( 'myaccount' ) ) ) . '">' . __( 'Login &rarr;', 'woocommerce' ) . '</a>', __( 'Log in to Download Files', 'woocommerce' ) );
+					wp_die( __( 'You must be logged in to download files.', 'woocommerce' ) . ' <a href="' . esc_url( wp_login_url( get_permalink( wc_get_page_id( 'myaccount' ) ) ) ) . '">' . __( 'Login &rarr;', 'woocommerce' ) . '</a>', __( 'Log in to Download Files', 'woocommerce' ) );
 				elseif ( !current_user_can( 'download_file', $download_result ) )
 					wp_die( __( 'This is not your download link.', 'woocommerce' ) );
@ -78,20 +78,20 @@ class WC_Download_Handler {
 			}
 			if ( ! get_post( $product_id ) )
-				wp_die( __( 'Product no longer exists.', 'woocommerce' ) . ' <a href="' . home_url() . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
+				wp_die( __( 'Product no longer exists.', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
 			if ( $order_id ) {
 				$order = new WC_Order( $order_id );
 				if ( ! $order->is_download_permitted() || $order->post_status != 'publish' )
-					wp_die( __( 'Invalid order.', 'woocommerce' ) . ' <a href="' . home_url() . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
+					wp_die( __( 'Invalid order.', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
 			}
 			if ( $downloads_remaining == '0' )
-				wp_die( __( 'Sorry, you have reached your download limit for this file', 'woocommerce' ) . ' <a href="'.home_url().'">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
+				wp_die( __( 'Sorry, you have reached your download limit for this file', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
 			if ( $access_expires > 0 && strtotime( $access_expires) < current_time( 'timestamp' ) )
-				wp_die( __( 'Sorry, this download has expired', 'woocommerce' ) . ' <a href="' . home_url() . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
+				wp_die( __( 'Sorry, this download has expired', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
 			if ( $downloads_remaining > 0 ) {
 				$wpdb->update( $wpdb->prefix . "woocommerce_downloadable_product_permissions", array(
@ -134,7 +134,7 @@ class WC_Download_Handler {
 		$file_download_method = apply_filters( 'woocommerce_file_download_method', get_option( 'woocommerce_file_download_method' ), $product_id );
 		if ( ! $file_path )
-			wp_die( __( 'No file defined', 'woocommerce' ) . ' <a href="'.home_url().'">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
+			wp_die( __( 'No file defined', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
 		// Redirect to the file...
 		if ( $file_download_method == "redirect" ) {
@ -160,7 +160,7 @@ class WC_Download_Handler {
 				$site_url = is_ssl() ? str_replace( 'https:', 'http:', site_url() ) : site_url();
 			}
-			$file_path   = str_replace( trailingslashit( $site_url ), ABSPATH, $file_path );
+			$file_path   = str_replace( trailingslashit( esc_url( $site_url ) ), ABSPATH, $file_path );
 		} else {
@ -168,7 +168,7 @@ class WC_Download_Handler {
 			$upload_dir  = wp_upload_dir();
 			// Try to replace network url
-			$file_path   = str_replace( trailingslashit( $network_url ), ABSPATH, $file_path );
+			$file_path   = str_replace( trailingslashit( esc_url( $network_url ) ), ABSPATH, $file_path );
 			// Now try to replace upload URL
 			$file_path   = str_replace( $upload_dir['baseurl'], $upload_dir['basedir'], $file_path );
@ -264,7 +264,7 @@ class WC_Download_Handler {
        if ( $remote_file )
        	$this->readfile_chunked( $file_path ) or header( 'Location: ' . $file_path );
        else
-        	$this->readfile_chunked( $file_path ) or wp_die( __( 'File not found', 'woocommerce' ) . ' <a href="' . home_url() . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
+        	$this->readfile_chunked( $file_path ) or wp_die( __( 'File not found', 'woocommerce' ) . ' <a href="' . esc_url( home_url() ) . '">' . __( 'Go to homepage &rarr;', 'woocommerce' ) . '</a>' );
        exit;
 	}