Changeset 9772

Timestamp:

04/20/2015 03:38:54 PM (10 years ago)

Author:

johnjamesjacoby

Message:

All: make sure URL variables are escaped (trunk)

Location:

trunk/src

Files:

• bp-activity/bp-activity-admin.php (modified) (1 diff)
• bp-activity/bp-activity-functions.php (modified) (2 diffs)
• bp-activity/bp-activity-template.php (modified) (5 diffs)
• bp-blogs/bp-blogs-activity.php (modified) (2 diffs)
• bp-blogs/bp-blogs-template.php (modified) (1 diff)
• bp-core/admin/bp-core-admin-components.php (modified) (1 diff)
• bp-core/admin/bp-core-admin-functions.php (modified) (3 diffs)
• bp-core/admin/bp-core-admin-settings.php (modified) (1 diff)
• bp-core/bp-core-admin.php (modified) (3 diffs)
• bp-core/bp-core-catchuri.php (modified) (1 diff)
• bp-core/bp-core-functions.php (modified) (1 diff)
• bp-forums/bp-forums-template.php (modified) (1 diff)
• bp-forums/deprecated/1.6.php (modified) (4 diffs)
• bp-groups/bp-groups-admin.php (modified) (4 diffs)
• bp-members/admin/bp-members-admin-classes.php (modified) (2 diffs)
• bp-members/bp-members-admin.php (modified) (1 diff)
• bp-members/bp-members-functions.php (modified) (1 diff)
• bp-members/bp-members-template.php (modified) (1 diff)

trunk/src/bp-activity/bp-activity-admin.php

@@ -650 +650 @@
         <?php if ( ! empty( $activity ) ) : ?>
 
-            <form action="<?php echo esc_attr( $form_url ); ?>" id="bp-activities-edit-form" method="post">
+            <form action="<?php echo esc_url( $form_url ); ?>" id="bp-activities-edit-form" method="post">
                 <div id="poststuff">
 

trunk/src/bp-activity/bp-activity-functions.php

@@ -1362 +1362 @@
 
     if ( is_multisite() ) {
-        $blog_link = '<a href="' . $blog_url . '">' . get_blog_option( $activity->item_id, 'blogname' ) . '</a>';
+        $blog_link = '<a href="' . esc_url( $blog_url ) . '">' . get_blog_option( $activity->item_id, 'blogname' ) . '</a>';
 
         if ( ! empty( $bp->activity->track[ $activity->type ]->new_post_type_action_ms ) ) {
             $action = sprintf( $bp->activity->track[ $activity->type ]->new_post_type_action_ms, $user_link, $post_url, $blog_link );
         } else {
-            $action = sprintf( _x( '%1$s wrote a new <a href="%2$s">item</a>, on the site %3$s', 'Activity Custom Post Type post action', 'buddypress' ), $user_link, $post_url, $blog_link );
+            $action = sprintf( _x( '%1$s wrote a new <a href="%2$s">item</a>, on the site %3$s', 'Activity Custom Post Type post action', 'buddypress' ), $user_link, esc_url( $post_url ), $blog_link );
         }
     } else {
@@ -1373 +1373 @@
             $action = sprintf( $bp->activity->track[ $activity->type ]->new_post_type_action, $user_link, $post_url );
         } else {
-            $action = sprintf( _x( '%1$s wrote a new <a href="%2$s">item</a>', 'Activity Custom Post Type post action', 'buddypress' ), $user_link, $post_url );
+            $action = sprintf( _x( '%1$s wrote a new <a href="%2$s">item</a>', 'Activity Custom Post Type post action', 'buddypress' ), $user_link, esc_url( $post_url ) );
         }
     }

trunk/src/bp-activity/bp-activity-template.php

@@ -388 +388 @@
         if ( (int) $this->total_activity_count && (int) $this->pag_num ) {
             $this->pag_links = paginate_links( array(
-                'base'      => add_query_arg( $page_arg, '%#%' ),
+                'base'      => add_query_arg( $this->page_arg, '%#%' ),
                 'format'    => '',
                 'total'     => ceil( (int) $this->total_activity_count / (int) $this->pag_num ),
@@ -3090 +3090 @@
      * @uses bp_is_activity_component()
      * @uses bp_current_action()
-     * @uses add_query_arg()
      * @uses wp_get_referer()
      * @uses wp_nonce_url()
@@ -3338 +3337 @@
             $link = apply_filters( 'bp_get_activity_filter_link_href', $link, $component );
 
-            $component_links[] = $before . '<a href="' . esc_attr( $link ) . '">' . ucwords( $component ) . '</a>' . $after;
+            $component_links[] = $before . '<a href="' . esc_url( $link ) . '">' . ucwords( $component ) . '</a>' . $after;
         }
 
@@ -3344 +3343 @@
 
         if ( isset( $_GET['afilter'] ) ) {
-            $component_links[] = '<' . $tag . ' id="afilter-clear"><a href="' . esc_attr( $link ) . '">' . __( 'Clear Filter', 'buddypress' ) . '</a></' . $tag . '>';
+            $component_links[] = '<' . $tag . ' id="afilter-clear"><a href="' . esc_url( $link ) . '">' . __( 'Clear Filter', 'buddypress' ) . '</a></' . $tag . '>';
         }
 
@@ -3592 +3591 @@
  */
 function bp_send_public_message_link() {
-    echo bp_get_send_public_message_link();
+    echo esc_url( bp_get_send_public_message_link() );
 }
 

trunk/src/bp-blogs/bp-blogs-activity.php

@@ -173 +173 @@
 
     // Build the 'post link' part of the activity action string
-    $post_link  = '<a href="' . $post_url . '">' . $post_title . '</a>';
+    $post_link  = '<a href="' . esc_url( $post_url ) . '">' . $post_title . '</a>';
 
     $user_link = bp_core_get_userlink( $activity->user_id );
@@ -250 +250 @@
     }
 
-    $post_link = '<a href="' . $post_url . '">' . $post_title . '</a>';
+    $post_link = '<a href="' . esc_url( $post_url ) . '">' . $post_title . '</a>';
     $user_link = bp_core_get_userlink( $activity->user_id );
 

trunk/src/bp-blogs/bp-blogs-template.php

@@ -908 +908 @@
  */
 function bp_blog_latest_post_permalink() {
-    echo bp_get_blog_latest_post_permalink();
+    echo esc_url( bp_get_blog_latest_post_permalink() );
 }
     /**

trunk/src/bp-core/admin/bp-core-admin-components.php

@@ -150 +150 @@
 
     <ul class="subsubsub">
-        <li><a href="<?php echo add_query_arg( array( 'page' => 'bp-components', 'action' => 'all'      ), bp_get_admin_url( $page ) ); ?>" <?php if ( $action === 'all'      ) : ?>class="current"<?php endif; ?>><?php printf( _nx( 'All <span class="count">(%s)</span>',      'All <span class="count">(%s)</span>',      $all_count,         'plugins', 'buddypress' ), number_format_i18n( $all_count                    ) ); ?></a> | </li>
-        <li><a href="<?php echo add_query_arg( array( 'page' => 'bp-components', 'action' => 'active'   ), bp_get_admin_url( $page ) ); ?>" <?php if ( $action === 'active'   ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Active <span class="count">(%s)</span>',   'Active <span class="count">(%s)</span>',   count( $active_components   ), 'buddypress' ), number_format_i18n( count( $active_components   ) ) ); ?></a> | </li>
-        <li><a href="<?php echo add_query_arg( array( 'page' => 'bp-components', 'action' => 'inactive' ), bp_get_admin_url( $page ) ); ?>" <?php if ( $action === 'inactive' ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Inactive <span class="count">(%s)</span>', 'Inactive <span class="count">(%s)</span>', count( $inactive_components ), 'buddypress' ), number_format_i18n( count( $inactive_components ) ) ); ?></a> | </li>
-        <li><a href="<?php echo add_query_arg( array( 'page' => 'bp-components', 'action' => 'mustuse'  ), bp_get_admin_url( $page ) ); ?>" <?php if ( $action === 'mustuse'  ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Must-Use <span class="count">(%s)</span>', 'Must-Use <span class="count">(%s)</span>', count( $required_components ), 'buddypress' ), number_format_i18n( count( $required_components ) ) ); ?></a> | </li>
-        <li><a href="<?php echo add_query_arg( array( 'page' => 'bp-components', 'action' => 'retired'  ), bp_get_admin_url( $page ) ); ?>" <?php if ( $action === 'retired'  ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Retired <span class="count">(%s)</span>',  'Retired <span class="count">(%s)</span>',  count( $retired_components ),  'buddypress' ), number_format_i18n( count( $retired_components  ) ) ); ?></a></li>
+        <li><a href="<?php echo esc_url( add_query_arg( array( 'page' => 'bp-components', 'action' => 'all'      ), bp_get_admin_url( $page ) ) ); ?>" <?php if ( $action === 'all'      ) : ?>class="current"<?php endif; ?>><?php printf( _nx( 'All <span class="count">(%s)</span>',      'All <span class="count">(%s)</span>',      $all_count,         'plugins', 'buddypress' ), number_format_i18n( $all_count                    ) ); ?></a> | </li>
+        <li><a href="<?php echo esc_url( add_query_arg( array( 'page' => 'bp-components', 'action' => 'active'   ), bp_get_admin_url( $page ) ) ); ?>" <?php if ( $action === 'active'   ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Active <span class="count">(%s)</span>',   'Active <span class="count">(%s)</span>',   count( $active_components   ), 'buddypress' ), number_format_i18n( count( $active_components   ) ) ); ?></a> | </li>
+        <li><a href="<?php echo esc_url( add_query_arg( array( 'page' => 'bp-components', 'action' => 'inactive' ), bp_get_admin_url( $page ) ) ); ?>" <?php if ( $action === 'inactive' ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Inactive <span class="count">(%s)</span>', 'Inactive <span class="count">(%s)</span>', count( $inactive_components ), 'buddypress' ), number_format_i18n( count( $inactive_components ) ) ); ?></a> | </li>
+        <li><a href="<?php echo esc_url( add_query_arg( array( 'page' => 'bp-components', 'action' => 'mustuse'  ), bp_get_admin_url( $page ) ) ); ?>" <?php if ( $action === 'mustuse'  ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Must-Use <span class="count">(%s)</span>', 'Must-Use <span class="count">(%s)</span>', count( $required_components ), 'buddypress' ), number_format_i18n( count( $required_components ) ) ); ?></a> | </li>
+        <li><a href="<?php echo esc_url( add_query_arg( array( 'page' => 'bp-components', 'action' => 'retired'  ), bp_get_admin_url( $page ) ) ); ?>" <?php if ( $action === 'retired'  ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Retired <span class="count">(%s)</span>',  'Retired <span class="count">(%s)</span>',  count( $retired_components ),  'buddypress' ), number_format_i18n( count( $retired_components  ) ) ); ?></a></li>
     </ul>
 

trunk/src/bp-core/admin/bp-core-admin-functions.php

@@ -299 +299 @@
     if ( !empty( $orphaned_components ) ) {
         $admin_url = bp_get_admin_url( add_query_arg( array( 'page' => 'bp-page-settings' ), 'admin.php' ) );
-        $notice    = sprintf( __( 'The following active BuddyPress Components do not have associated WordPress Pages: %2$s. <a href="%1$s">Repair</a>', 'buddypress' ), $admin_url, '<strong>' . implode( '</strong>, <strong>', $orphaned_components ) . '</strong>' );
+        $notice    = sprintf( __( 'The following active BuddyPress Components do not have associated WordPress Pages: %2$s. <a href="%1$s">Repair</a>', 'buddypress' ), esc_url( $admin_url ), '<strong>' . implode( '</strong>, <strong>', $orphaned_components ) . '</strong>' );
 
         bp_core_add_admin_notice( $notice );
@@ -321 +321 @@
     if ( !empty( $dupe_names ) ) {
         $admin_url = bp_get_admin_url( add_query_arg( array( 'page' => 'bp-page-settings' ), 'admin.php' ) );
-        $notice    = sprintf( __( 'Each BuddyPress Component needs its own WordPress page. The following WordPress Pages have more than one component associated with them: %2$s. <a href="%1$s">Repair</a>', 'buddypress' ), $admin_url, '<strong>' . implode( '</strong>, <strong>', $dupe_names ) . '</strong>' );
+        $notice    = sprintf( __( 'Each BuddyPress Component needs its own WordPress page. The following WordPress Pages have more than one component associated with them: %2$s. <a href="%1$s">Repair</a>', 'buddypress' ), esc_url( $admin_url ), '<strong>' . implode( '</strong>, <strong>', $dupe_names ) . '</strong>' );
 
         bp_core_add_admin_notice( $notice );
@@ -910 +910 @@
         bp_core_process_spammer_status( $user_id, $status );
 
-        $redirect = add_query_arg( array( 'updated' => 'marked-' . $status ), $redirect);
+        $redirect = add_query_arg( array( 'updated' => 'marked-' . $status ), $redirect );
 
         wp_redirect( $redirect );

trunk/src/bp-core/admin/bp-core-admin-settings.php

@@ -243 +243 @@
         <h2 class="nav-tab-wrapper"><?php bp_core_admin_tabs( __( 'Settings', 'buddypress' ) ); ?></h2>
 
-        <form action="<?php echo $form_action ?>" method="post">
+        <form action="<?php echo esc_url( $form_action ) ?>" method="post">
 
             <?php settings_fields( 'buddypress' ); ?>

trunk/src/bp-core/bp-core-admin.php

@@ -440 +440 @@
         // Add a few links to the existing links array
         return array_merge( $links, array(
-            'settings' => '<a href="' . add_query_arg( array( 'page' => 'bp-components' ), bp_get_admin_url( $this->settings_page ) ) . '">' . esc_html__( 'Settings', 'buddypress' ) . '</a>',
-            'about'    => '<a href="' . add_query_arg( array( 'page' => 'bp-about'      ), bp_get_admin_url( 'index.php'          ) ) . '">' . esc_html__( 'About',    'buddypress' ) . '</a>'
+            'settings' => '<a href="' . esc_url( add_query_arg( array( 'page' => 'bp-components' ), bp_get_admin_url( $this->settings_page ) ) ) . '">' . esc_html__( 'Settings', 'buddypress' ) . '</a>',
+            'about'    => '<a href="' . esc_url( add_query_arg( array( 'page' => 'bp-about'      ), bp_get_admin_url( 'index.php'          ) ) ) . '">' . esc_html__( 'About',    'buddypress' ) . '</a>'
         ) );
     }
@@ -516 +516 @@
                                 <ul>
                                     <li><?php printf(
-                                    '<a href="%s" class="welcome-icon welcome-edit-page">' . __( 'Set Up Components', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-components' ), $this->settings_page ) )
+                                    '<a href="%s" class="welcome-icon welcome-edit-page">' . __( 'Set Up Components', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-components' ), $this->settings_page ) ) )
                                     ); ?></li>
                                     <li><?php printf(
-                                    '<a href="%s" class="welcome-icon welcome-edit-page">' . __( 'Assign Components to Pages', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-page-settings' ), $this->settings_page ) )
+                                    '<a href="%s" class="welcome-icon welcome-edit-page">' . __( 'Assign Components to Pages', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-page-settings' ), $this->settings_page ) ) )
                                     ); ?></li>
                                     <li><?php printf(
-                                    '<a href="%s" class="welcome-icon welcome-edit-page">' . __( 'Customize Settings', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-settings' ), $this->settings_page ) )
+                                    '<a href="%s" class="welcome-icon welcome-edit-page">' . __( 'Customize Settings', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-settings' ), $this->settings_page ) ) )
                                     ); ?></li>
                                 </ul>
@@ -531 +531 @@
                                 <ul>
                                     <?php if ( bp_is_active( 'members' ) ) : ?>
-                                        <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Add User Profile Fields', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-profile-setup' ), 'users.php' ) ) ); ?></li>
+                                        <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Add User Profile Fields', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-profile-setup' ), 'users.php' ) ) ) ); ?></li>
                                     <?php endif; ?>
-                                    <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Manage User Signups', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-signups' ), 'users.php' ) ) ); ?></li>
+                                    <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Manage User Signups', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-signups' ), 'users.php' ) ) ) ); ?></li>
                                     <?php if ( bp_is_active( 'activity' ) ) : ?>
-                                        <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Moderate Activity Streams', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-activity' ), 'admin.php' ) ) ); ?></li>
+                                        <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Moderate Activity Streams', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-activity' ), 'admin.php' ) ) ) ); ?></li>
                                     <?php endif; ?>
                                     <?php if ( bp_is_active( 'groups' ) ) : ?>
-                                        <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Manage Groups', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-groups' ), 'admin.php' ) ) ); ?></li>
+                                        <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Manage Groups', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-groups' ), 'admin.php' ) ) ) ); ?></li>
                                     <?php endif; ?>
-                                    <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Repair Data', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-tools' ), 'tools.php' ) ) ); ?>
+                                    <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Repair Data', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-tools' ), 'tools.php' ) ) ) ); ?>
                                     </li>
                                 </ul>

trunk/src/bp-core/bp-core-catchuri.php

@@ -585 +585 @@
 
             $url = $root;
-            if ( !empty( $redirect ) )
+            if ( !empty( $redirect ) ) {
                 $url = add_query_arg( 'redirect_to', urlencode( $redirect ), $root );
+            }
 
             if ( !empty( $message ) ) {

trunk/src/bp-core/bp-core-functions.php

@@ -1653 +1653 @@
  */
 function bp_admin_url( $path = '', $scheme = 'admin' ) {
-    echo bp_get_admin_url( $path, $scheme );
+    echo esc_url( bp_get_admin_url( $path, $scheme ) );
 }
     /**

trunk/src/bp-forums/bp-forums-template.php

@@ -1776 +1776 @@
  */
 function bp_forum_topic_new_reply_link() {
-    echo bp_get_forum_topic_new_reply_link();
+    echo esc_url( bp_get_forum_topic_new_reply_link() );
 }
     /**

trunk/src/bp-forums/deprecated/1.6.php

@@ -104 +104 @@
 
                 <div>
-                    <a class="button thickbox button-primary" href="<?php echo esc_attr( $button_url ) ?>"><?php echo esc_html( $button_text ) ?></a> &nbsp;
+                    <a class="button thickbox button-primary" href="<?php echo esc_url( $button_url ) ?>"><?php echo esc_html( $button_text ) ?></a> &nbsp;
                 </div>
             </div>
@@ -185 +185 @@
                 <p><?php _e( "You've decided to set up a new installation of bbPress for forum management in BuddyPress. This is very simple and is usually just a one click
                 process. When you're ready, hit the link below.", 'buddypress' ) ?></p>
-                <p><a class="button-primary" href="<?php echo wp_nonce_url( $post_url . '&step=new&doinstall=1', 'bp_forums_new_install_init' ) ?>"><?php _e( 'Complete Installation', 'buddypress' ) ?></a></p>
+                <p><a class="button-primary" href="<?php echo esc_url( wp_nonce_url( $post_url . '&step=new&doinstall=1', 'bp_forums_new_install_init' ) ); ?>"><?php _e( 'Complete Installation', 'buddypress' ) ?></a></p>
 
                 <?php
@@ -223 +223 @@
 
                     <div>
-                        <a class="button button-primary" href="<?php echo $post_url . '&step=new' ?>"><?php _e( 'Install Group Forums', 'buddypress' ) ?></a> &nbsp;
-                        <a class="button" href="<?php echo $post_url . '&step=existing' ?>"><?php _e( 'Use Existing Installation', 'buddypress' ) ?></a>
+                        <a class="button button-primary" href="<?php echo esc_url( $post_url ) . '&step=new' ?>"><?php _e( 'Install Group Forums', 'buddypress' ) ?></a> &nbsp;
+                        <a class="button" href="<?php echo esc_url( $post_url ) . '&step=existing' ?>"><?php _e( 'Use Existing Installation', 'buddypress' ) ?></a>
                     </div>
                 </div>
@@ -246 +246 @@
                     <p><?php printf( __( 'If you decide to use bbPress, you will need to deactivate the legacy group forum component.  For more info, <a href="%s">read this codex article</a>.', 'buddypress' ), 'https://codex.buddypress.org/legacy/getting-started/using-bbpress-2-2-with-buddypress/' ) ?></p>
                     <div>
-                        <a class="button button-primary <?php if ( ! $bbpress_plugin_is_active ) { echo esc_attr( 'thickbox' ); }?>" href="<?php echo esc_attr( $button_url ) ?>"><?php echo esc_html( $button_text ) ?></a> &nbsp;
+                        <a class="button button-primary <?php if ( ! $bbpress_plugin_is_active ) { echo esc_attr( 'thickbox' ); }?>" href="<?php echo esc_url( $button_url ) ?>"><?php echo esc_html( $button_text ) ?></a> &nbsp;
                     </div>
                 </div>

trunk/src/bp-groups/bp-groups-admin.php

@@ -582 +582 @@
         <?php if ( ! empty( $group ) ) : ?>
 
-            <form action="<?php echo esc_attr( $form_url ); ?>" id="bp-groups-edit-form" method="post">
+            <form action="<?php echo esc_url( $form_url ); ?>" id="bp-groups-edit-form" method="post">
                 <div id="poststuff">
 
@@ -674 +674 @@
         <p><strong><?php _e( 'This action cannot be undone.', 'buddypress' ) ?></strong></p>
 
-        <a class="button-primary" href="<?php echo wp_nonce_url( add_query_arg( array( 'action' => 'do_delete', 'gid' => implode( ',', $gids ) ), $base_url ), 'bp-groups-delete' ) ?>"><?php _e( 'Delete Permanently', 'buddypress' ) ?></a>
+        <a class="button-primary" href="<?php echo esc_url( wp_nonce_url( add_query_arg( array( 'action' => 'do_delete', 'gid' => implode( ',', $gids ) ), $base_url ), 'bp-groups-delete' ) ); ?>"><?php _e( 'Delete Permanently', 'buddypress' ) ?></a>
         <a class="button" href="<?php echo esc_attr( $base_url ); ?>"><?php _e( 'Cancel', 'buddypress' ) ?></a>
     </div>
@@ -981 +981 @@
         <div id="major-publishing-actions">
             <div id="delete-action">
-                <a class="submitdelete deletion" href="<?php echo wp_nonce_url( add_query_arg( 'action', 'delete', $base_url ), 'bp-groups-delete' ) ?>"><?php _e( 'Delete Group', 'buddypress' ) ?></a>
+                <a class="submitdelete deletion" href="<?php echo esc_url( wp_nonce_url( add_query_arg( 'action', 'delete', $base_url ), 'bp-groups-delete' ) ); ?>"><?php _e( 'Delete Group', 'buddypress' ) ?></a>
             </div>
 
@@ -1379 +1379 @@
 
         <ul class="subsubsub">
-            <li class="all"><a href="<?php echo esc_attr( esc_url( $url_base ) ); ?>" class="<?php if ( 'all' == $this->view ) echo 'current'; ?>"><?php _e( 'All', 'buddypress' ); ?></a> |</li>
-            <li class="public"><a href="<?php echo esc_attr( esc_url( add_query_arg( 'group_status', 'public', $url_base ) ) ); ?>" class="<?php if ( 'public' == $this->view ) echo 'current'; ?>"><?php printf( _n( 'Public <span class="count">(%s)</span>', 'Public <span class="count">(%s)</span>', $this->group_counts['public'], 'buddypress' ), number_format_i18n( $this->group_counts['public'] ) ); ?></a> |</li>
-            <li class="private"><a href="<?php echo esc_attr( esc_url( add_query_arg( 'group_status', 'private', $url_base ) ) ); ?>" class="<?php if ( 'private' == $this->view ) echo 'current'; ?>"><?php printf( _n( 'Private <span class="count">(%s)</span>', 'Private <span class="count">(%s)</span>', $this->group_counts['private'], 'buddypress' ), number_format_i18n( $this->group_counts['private'] ) ); ?></a> |</li>
-            <li class="hidden"><a href="<?php echo esc_attr( esc_url( add_query_arg( 'group_status', 'hidden', $url_base ) ) ); ?>" class="<?php if ( 'hidden' == $this->view ) echo 'current'; ?>"><?php printf( _n( 'Hidden <span class="count">(%s)</span>', 'Hidden <span class="count">(%s)</span>', $this->group_counts['hidden'], 'buddypress' ), number_format_i18n( $this->group_counts['hidden'] ) ); ?></a></li>
+            <li class="all"><a href="<?php echo esc_url( $url_base ); ?>" class="<?php if ( 'all' == $this->view ) echo 'current'; ?>"><?php _e( 'All', 'buddypress' ); ?></a> |</li>
+            <li class="public"><a href="<?php echo esc_url( add_query_arg( 'group_status', 'public', $url_base ) ); ?>" class="<?php if ( 'public' == $this->view ) echo 'current'; ?>"><?php printf( _n( 'Public <span class="count">(%s)</span>', 'Public <span class="count">(%s)</span>', $this->group_counts['public'], 'buddypress' ), number_format_i18n( $this->group_counts['public'] ) ); ?></a> |</li>
+            <li class="private"><a href="<?php echo esc_url( add_query_arg( 'group_status', 'private', $url_base ) ); ?>" class="<?php if ( 'private' == $this->view ) echo 'current'; ?>"><?php printf( _n( 'Private <span class="count">(%s)</span>', 'Private <span class="count">(%s)</span>', $this->group_counts['private'], 'buddypress' ), number_format_i18n( $this->group_counts['private'] ) ); ?></a> |</li>
+            <li class="hidden"><a href="<?php echo esc_url( add_query_arg( 'group_status', 'hidden', $url_base ) ); ?>" class="<?php if ( 'hidden' == $this->view ) echo 'current'; ?>"><?php printf( _n( 'Hidden <span class="count">(%s)</span>', 'Hidden <span class="count">(%s)</span>', $this->group_counts['hidden'], 'buddypress' ), number_format_i18n( $this->group_counts['hidden'] ) ); ?></a></li>
 
             <?php

trunk/src/bp-members/admin/bp-members-admin-classes.php

@@ -98 +98 @@
         // Remove the 'current' class from the 'All' link
         $views['all']        = str_replace( 'class="current"', '', $views['all'] );
-        $views['registered'] = sprintf( '<a href="%1$s" class="current">%2$s</a>', add_query_arg( 'page', 'bp-signups', bp_get_admin_url( 'users.php' ) ), sprintf( _x( 'Pending %s', 'signup users', 'buddypress' ), '<span class="count">(' . number_format_i18n( $this->signup_counts ) . ')</span>' ) );
+        $views['registered'] = sprintf( '<a href="%1$s" class="current">%2$s</a>', esc_url( add_query_arg( 'page', 'bp-signups', bp_get_admin_url( 'users.php' ) ) ), sprintf( _x( 'Pending %s', 'signup users', 'buddypress' ), '<span class="count">(' . number_format_i18n( $this->signup_counts ) . ')</span>' ) );
 
         return $views;
@@ -465 +465 @@
         // Remove the 'current' class from the 'All' link
         $views['all']        = str_replace( 'class="current"', '', $views['all'] );
-        $views['registered'] = sprintf( '<a href="%1$s" class="current">%2$s</a>', add_query_arg( 'page', 'bp-signups', bp_get_admin_url( 'users.php' ) ), sprintf( _x( 'Pending %s', 'signup users', 'buddypress' ), '<span class="count">(' . number_format_i18n( $this->signup_counts ) . ')</span>' ) );
+        $views['registered'] = sprintf( '<a href="%1$s" class="current">%2$s</a>', esc_url( add_query_arg( 'page', 'bp-signups', bp_get_admin_url( 'users.php' ) ) ), sprintf( _x( 'Pending %s', 'signup users', 'buddypress' ), '<span class="count">(' . number_format_i18n( $this->signup_counts ) . ')</span>' ) );
 
         return $views;

trunk/src/bp-members/bp-members-admin.php

@@ -1334 +1334 @@
         $text    = sprintf( _x( 'Pending %s', 'signup users', 'buddypress' ), '<span class="count">(' . number_format_i18n( $signups ) . ')</span>' );
 
-        $views['registered'] = sprintf( '<a href="%1$s" class="%2$s">%3$s</a>', $url, $class, $text );
+        $views['registered'] = sprintf( '<a href="%1$s" class="%2$s">%3$s</a>', esc_url( $url ), $class, $text );
 
         return $views;

trunk/src/bp-members/bp-members-functions.php

@@ -2299 +2299 @@
     );
 
-    $resend_string = '<br /><br />' . sprintf( __( 'If you have not received an email yet, <a href="%s">click here to resend it</a>.', 'buddypress' ), $resend_url );
+    $resend_string = '<br /><br />' . sprintf( __( 'If you have not received an email yet, <a href="%s">click here to resend it</a>.', 'buddypress' ), esc_url( $resend_url ) );
 
     return new WP_Error( 'bp_account_not_activated', __( '<strong>ERROR</strong>: Your account has not been activated. Check your email for the activation link.', 'buddypress' ) . $resend_string );

trunk/src/bp-members/bp-members-template.php

@@ -2342 +2342 @@
  */
 function bp_members_component_link( $component, $action = '', $query_args = '', $nonce = false ) {
-    echo bp_get_members_component_link( $component, $action, $query_args, $nonce );
+    echo esc_url( bp_get_members_component_link( $component, $action, $query_args, $nonce ) );
 }
     /**