Changeset 9773

Timestamp:

04/20/2015 04:08:00 PM (10 years ago)

Author:

johnjamesjacoby

Message:

All: make sure URLs are escaped (2.2 branch)

Location:

branches/2.2/src

Files:

• bp-activity/bp-activity-admin.php (modified) (2 diffs)
• bp-activity/bp-activity-functions.php (modified) (2 diffs)
• bp-activity/bp-activity-template.php (modified) (5 diffs)
• bp-blogs/bp-blogs-activity.php (modified) (2 diffs)
• bp-blogs/bp-blogs-template.php (modified) (1 diff)
• bp-core/admin/bp-core-components.php (modified) (1 diff)
• bp-core/admin/bp-core-functions.php (modified) (3 diffs)
• bp-core/admin/bp-core-settings.php (modified) (1 diff)
• bp-core/bp-core-admin.php (modified) (3 diffs)
• bp-core/bp-core-catchuri.php (modified) (1 diff)
• bp-core/bp-core-classes.php (modified) (1 diff)
• bp-core/bp-core-functions.php (modified) (1 diff)
• bp-forums/bp-forums-template.php (modified) (1 diff)
• bp-groups/bp-groups-admin.php (modified) (4 diffs)
• bp-members/admin/bp-members-classes.php (modified) (2 diffs)
• bp-members/bp-members-admin.php (modified) (2 diffs)
• bp-members/bp-members-functions.php (modified) (1 diff)
• bp-members/bp-members-template.php (modified) (1 diff)

branches/2.2/src/bp-activity/bp-activity-admin.php

@@ -650 +650 @@
         <?php if ( ! empty( $activity ) ) : ?>
 
-            <form action="<?php echo esc_attr( $form_url ); ?>" id="bp-activities-edit-form" method="post">
+            <form action="<?php echo esc_url( $form_url ); ?>" id="bp-activities-edit-form" method="post">
                 <div id="poststuff">
 
@@ -1280 +1280 @@
 
         <ul class="subsubsub">
-            <li class="all"><a href="<?php echo esc_attr( esc_url( $url_base ) ); ?>" class="<?php if ( 'spam' != $this->view ) echo 'current'; ?>"><?php _e( 'All', 'buddypress' ); ?></a> |</li>
-            <li class="spam"><a href="<?php echo esc_attr( esc_url( add_query_arg( 'activity_status', 'spam', $url_base ) ) ); ?>" class="<?php if ( 'spam' == $this->view ) echo 'current'; ?>"><?php printf( __( 'Spam <span class="count">(%s)</span>', 'buddypress' ), number_format_i18n( $this->spam_count ) ); ?></a></li>
+            <li class="all"><a href="<?php echo esc_url( $url_base ); ?>" class="<?php if ( 'spam' != $this->view ) echo 'current'; ?>"><?php _e( 'All', 'buddypress' ); ?></a> |</li>
+            <li class="spam"><a href="<?php echo esc_url( add_query_arg( 'activity_status', 'spam', $url_base ) ); ?>" class="<?php if ( 'spam' == $this->view ) echo 'current'; ?>"><?php printf( __( 'Spam <span class="count">(%s)</span>', 'buddypress' ), number_format_i18n( $this->spam_count ) ); ?></a></li>
 
             <?php

branches/2.2/src/bp-activity/bp-activity-functions.php

@@ -1367 +1367 @@
 
     if ( is_multisite() ) {
-        $blog_link = '<a href="' . $blog_url . '">' . get_blog_option( $activity->item_id, 'blogname' ) . '</a>';
+        $blog_link = '<a href="' . esc_url( $blog_url ) . '">' . get_blog_option( $activity->item_id, 'blogname' ) . '</a>';
 
         if ( ! empty( $bp->activity->track[ $activity->type ]->new_post_type_action_ms ) ) {
             $action = sprintf( $bp->activity->track[ $activity->type ]->new_post_type_action_ms, $user_link, $post_url, $blog_link );
         } else {
-            $action = sprintf( _x( '%1$s wrote a new <a href="%2$s">item</a>, on the site %3$s', 'Activity Custom Post Type post action', 'buddypress' ), $user_link, $post_url, $blog_link );
+            $action = sprintf( _x( '%1$s wrote a new <a href="%2$s">item</a>, on the site %3$s', 'Activity Custom Post Type post action', 'buddypress' ), $user_link, esc_url( $post_url ), $blog_link );
         }
     } else {
@@ -1378 +1378 @@
             $action = sprintf( $bp->activity->track[ $activity->type ]->new_post_type_action, $user_link, $post_url );
         } else {
-            $action = sprintf( _x( '%1$s wrote a new <a href="%2$s">item</a>', 'Activity Custom Post Type post action', 'buddypress' ), $user_link, $post_url );
+            $action = sprintf( _x( '%1$s wrote a new <a href="%2$s">item</a>', 'Activity Custom Post Type post action', 'buddypress' ), $user_link, esc_url( $post_url ) );
         }
     }

branches/2.2/src/bp-activity/bp-activity-template.php

@@ -309 +309 @@
         if ( (int) $this->total_activity_count && (int) $this->pag_num ) {
             $this->pag_links = paginate_links( array(
-                'base'      => add_query_arg( $page_arg, '%#%' ),
+                'base'      => add_query_arg( $this->pag_arg, '%#%' ),
                 'format'    => '',
                 'total'     => ceil( (int) $this->total_activity_count / (int) $this->pag_num ),
@@ -2977 +2977 @@
      * @uses bp_is_activity_component()
      * @uses bp_current_action()
-     * @uses add_query_arg()
      * @uses wp_get_referer()
      * @uses wp_nonce_url()
@@ -3222 +3221 @@
             $link = apply_filters( 'bp_get_activity_filter_link_href', $link, $component );
 
-            $component_links[] = $before . '<a href="' . esc_attr( $link ) . '">' . ucwords( $component ) . '</a>' . $after;
+            $component_links[] = $before . '<a href="' . esc_url( $link ) . '">' . ucwords( $component ) . '</a>' . $after;
         }
 
@@ -3228 +3227 @@
 
         if ( isset( $_GET['afilter'] ) )
-            $component_links[] = '<' . $tag . ' id="afilter-clear"><a href="' . esc_attr( $link ) . '">' . __( 'Clear Filter', 'buddypress' ) . '</a></' . $tag . '>';
+            $component_links[] = '<' . $tag . ' id="afilter-clear"><a href="' . esc_url( $link ) . '">' . __( 'Clear Filter', 'buddypress' ) . '</a></' . $tag . '>';
 
         /**
@@ -3472 +3471 @@
  */
 function bp_send_public_message_link() {
-    echo bp_get_send_public_message_link();
+    echo esc_url( bp_get_send_public_message_link() );
 }
 

branches/2.2/src/bp-blogs/bp-blogs-activity.php

@@ -175 +175 @@
 
     // Build the 'post link' part of the activity action string
-    $post_link  = '<a href="' . $post_url . '">' . $post_title . '</a>';
+    $post_link  = '<a href="' . esc_url( $post_url ) . '">' . $post_title . '</a>';
 
     $user_link = bp_core_get_userlink( $activity->user_id );
@@ -252 +252 @@
     }
 
-    $post_link = '<a href="' . $post_url . '">' . $post_title . '</a>';
+    $post_link = '<a href="' . esc_url( $post_url ) . '">' . $post_title . '</a>';
     $user_link = bp_core_get_userlink( $activity->user_id );
 

branches/2.2/src/bp-blogs/bp-blogs-template.php

@@ -902 +902 @@
  */
 function bp_blog_latest_post_permalink() {
-    echo bp_get_blog_latest_post_permalink();
+    echo esc_url( bp_get_blog_latest_post_permalink() );
 }
     /**

branches/2.2/src/bp-core/admin/bp-core-components.php

@@ -142 +142 @@
 
     <ul class="subsubsub">
-        <li><a href="<?php echo add_query_arg( array( 'page' => 'bp-components', 'action' => 'all'      ), bp_get_admin_url( $page ) ); ?>" <?php if ( $action === 'all'      ) : ?>class="current"<?php endif; ?>><?php printf( _nx( 'All <span class="count">(%s)</span>',      'All <span class="count">(%s)</span>',      $all_count,         'plugins', 'buddypress' ), number_format_i18n( $all_count                    ) ); ?></a> | </li>
-        <li><a href="<?php echo add_query_arg( array( 'page' => 'bp-components', 'action' => 'active'   ), bp_get_admin_url( $page ) ); ?>" <?php if ( $action === 'active'   ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Active <span class="count">(%s)</span>',   'Active <span class="count">(%s)</span>',   count( $active_components   ), 'buddypress' ), number_format_i18n( count( $active_components   ) ) ); ?></a> | </li>
-        <li><a href="<?php echo add_query_arg( array( 'page' => 'bp-components', 'action' => 'inactive' ), bp_get_admin_url( $page ) ); ?>" <?php if ( $action === 'inactive' ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Inactive <span class="count">(%s)</span>', 'Inactive <span class="count">(%s)</span>', count( $inactive_components ), 'buddypress' ), number_format_i18n( count( $inactive_components ) ) ); ?></a> | </li>
-        <li><a href="<?php echo add_query_arg( array( 'page' => 'bp-components', 'action' => 'mustuse'  ), bp_get_admin_url( $page ) ); ?>" <?php if ( $action === 'mustuse'  ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Must-Use <span class="count">(%s)</span>', 'Must-Use <span class="count">(%s)</span>', count( $required_components ), 'buddypress' ), number_format_i18n( count( $required_components ) ) ); ?></a> | </li>
-        <li><a href="<?php echo add_query_arg( array( 'page' => 'bp-components', 'action' => 'retired'  ), bp_get_admin_url( $page ) ); ?>" <?php if ( $action === 'retired'  ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Retired <span class="count">(%s)</span>',  'Retired <span class="count">(%s)</span>',  count( $retired_components ),  'buddypress' ), number_format_i18n( count( $retired_components  ) ) ); ?></a></li>
+        <li><a href="<?php echo esc_url( add_query_arg( array( 'page' => 'bp-components', 'action' => 'all'      ), bp_get_admin_url( $page ) ) ); ?>" <?php if ( $action === 'all'      ) : ?>class="current"<?php endif; ?>><?php printf( _nx( 'All <span class="count">(%s)</span>',      'All <span class="count">(%s)</span>',      $all_count,         'plugins', 'buddypress' ), number_format_i18n( $all_count                    ) ); ?></a> | </li>
+        <li><a href="<?php echo esc_url( add_query_arg( array( 'page' => 'bp-components', 'action' => 'active'   ), bp_get_admin_url( $page ) ) ); ?>" <?php if ( $action === 'active'   ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Active <span class="count">(%s)</span>',   'Active <span class="count">(%s)</span>',   count( $active_components   ), 'buddypress' ), number_format_i18n( count( $active_components   ) ) ); ?></a> | </li>
+        <li><a href="<?php echo esc_url( add_query_arg( array( 'page' => 'bp-components', 'action' => 'inactive' ), bp_get_admin_url( $page ) ) ); ?>" <?php if ( $action === 'inactive' ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Inactive <span class="count">(%s)</span>', 'Inactive <span class="count">(%s)</span>', count( $inactive_components ), 'buddypress' ), number_format_i18n( count( $inactive_components ) ) ); ?></a> | </li>
+        <li><a href="<?php echo esc_url( add_query_arg( array( 'page' => 'bp-components', 'action' => 'mustuse'  ), bp_get_admin_url( $page ) ) ); ?>" <?php if ( $action === 'mustuse'  ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Must-Use <span class="count">(%s)</span>', 'Must-Use <span class="count">(%s)</span>', count( $required_components ), 'buddypress' ), number_format_i18n( count( $required_components ) ) ); ?></a> | </li>
+        <li><a href="<?php echo esc_url( add_query_arg( array( 'page' => 'bp-components', 'action' => 'retired'  ), bp_get_admin_url( $page ) ) ); ?>" <?php if ( $action === 'retired'  ) : ?>class="current"<?php endif; ?>><?php printf( _n(  'Retired <span class="count">(%s)</span>',  'Retired <span class="count">(%s)</span>',  count( $retired_components ),  'buddypress' ), number_format_i18n( count( $retired_components  ) ) ); ?></a></li>
     </ul>
 

branches/2.2/src/bp-core/admin/bp-core-functions.php

@@ -106 +106 @@
 
         <p><?php _e( "Don't worry! We've moved the BuddyPress options into more convenient and easier to find locations. You're seeing this page because you are running a legacy BuddyPress plugin which has not been updated.", 'buddypress' ); ?></p>
-        <p><?php printf( __( 'Components, Pages, Settings, and Forums, have been moved to <a href="%s">Settings &gt; BuddyPress</a>. Profile Fields has been moved into the <a href="%s">Users</a> menu.', 'buddypress' ), esc_url( $settings_url ), bp_get_admin_url( 'users.php?page=bp-profile-setup' ) ); ?></p>
+        <p><?php printf( __( 'Components, Pages, Settings, and Forums, have been moved to <a href="%s">Settings &gt; BuddyPress</a>. Profile Fields has been moved into the <a href="%s">Users</a> menu.', 'buddypress' ), esc_url( $settings_url ), esc_url( bp_get_admin_url( 'users.php?page=bp-profile-setup' ) ) ); ?></p>
     </div>
 
@@ -299 +299 @@
     if ( !empty( $orphaned_components ) ) {
         $admin_url = bp_get_admin_url( add_query_arg( array( 'page' => 'bp-page-settings' ), 'admin.php' ) );
-        $notice    = sprintf( __( 'The following active BuddyPress Components do not have associated WordPress Pages: %2$s. <a href="%1$s">Repair</a>', 'buddypress' ), $admin_url, '<strong>' . implode( '</strong>, <strong>', $orphaned_components ) . '</strong>' );
+        $notice    = sprintf( __( 'The following active BuddyPress Components do not have associated WordPress Pages: %2$s. <a href="%1$s">Repair</a>', 'buddypress' ), esc_url( $admin_url ), '<strong>' . implode( '</strong>, <strong>', $orphaned_components ) . '</strong>' );
 
         bp_core_add_admin_notice( $notice );
@@ -321 +321 @@
     if ( !empty( $dupe_names ) ) {
         $admin_url = bp_get_admin_url( add_query_arg( array( 'page' => 'bp-page-settings' ), 'admin.php' ) );
-        $notice    = sprintf( __( 'Each BuddyPress Component needs its own WordPress page. The following WordPress Pages have more than one component associated with them: %2$s. <a href="%1$s">Repair</a>', 'buddypress' ), $admin_url, '<strong>' . implode( '</strong>, <strong>', $dupe_names ) . '</strong>' );
+        $notice    = sprintf( __( 'Each BuddyPress Component needs its own WordPress page. The following WordPress Pages have more than one component associated with them: %2$s. <a href="%1$s">Repair</a>', 'buddypress' ), usc_url( $admin_url ), '<strong>' . implode( '</strong>, <strong>', $dupe_names ) . '</strong>' );
 
         bp_core_add_admin_notice( $notice );

branches/2.2/src/bp-core/admin/bp-core-settings.php

@@ -243 +243 @@
         <h2 class="nav-tab-wrapper"><?php bp_core_admin_tabs( __( 'Settings', 'buddypress' ) ); ?></h2>
 
-        <form action="<?php echo $form_action ?>" method="post">
+        <form action="<?php echo esc_url( $form_action ); ?>" method="post">
 
             <?php settings_fields( 'buddypress' ); ?>

branches/2.2/src/bp-core/bp-core-admin.php

@@ -440 +440 @@
         // Add a few links to the existing links array
         return array_merge( $links, array(
-            'settings' => '<a href="' . add_query_arg( array( 'page' => 'bp-components' ), bp_get_admin_url( $this->settings_page ) ) . '">' . esc_html__( 'Settings', 'buddypress' ) . '</a>',
-            'about'    => '<a href="' . add_query_arg( array( 'page' => 'bp-about'      ), bp_get_admin_url( 'index.php'          ) ) . '">' . esc_html__( 'About',    'buddypress' ) . '</a>'
+            'settings' => '<a href="' . esc_url( add_query_arg( array( 'page' => 'bp-components' ), bp_get_admin_url( $this->settings_page ) ) ) . '">' . esc_html__( 'Settings', 'buddypress' ) . '</a>',
+            'about'    => '<a href="' . esc_url( add_query_arg( array( 'page' => 'bp-about'      ), bp_get_admin_url( 'index.php'          ) ) ) . '">' . esc_html__( 'About',    'buddypress' ) . '</a>'
         ) );
     }
@@ -508 +508 @@
                                 <ul>
                                     <li><?php printf(
-                                    '<a href="%s" class="welcome-icon welcome-edit-page">' . __( 'Set Up Components', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-components' ), $this->settings_page ) )
+                                    '<a href="%s" class="welcome-icon welcome-edit-page">' . __( 'Set Up Components', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-components' ), $this->settings_page ) ) )
                                     ); ?></li>
                                     <li><?php printf(
-                                    '<a href="%s" class="welcome-icon welcome-edit-page">' . __( 'Assign Components to Pages', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-page-settings' ), $this->settings_page ) )
+                                    '<a href="%s" class="welcome-icon welcome-edit-page">' . __( 'Assign Components to Pages', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-page-settings' ), $this->settings_page ) ) )
                                     ); ?></li>
                                     <li><?php printf(
-                                    '<a href="%s" class="welcome-icon welcome-edit-page">' . __( 'Customize Settings', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-settings' ), $this->settings_page ) )
+                                    '<a href="%s" class="welcome-icon welcome-edit-page">' . __( 'Customize Settings', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-settings' ), $this->settings_page ) ) )
                                     ); ?></li>
                                 </ul>
@@ -523 +523 @@
                                 <ul>
                                     <?php if ( bp_is_active( 'members' ) ) : ?>
-                                        <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Add User Profile Fields', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-profile-setup' ), 'users.php' ) ) ); ?></li>
+                                        <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Add User Profile Fields', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-profile-setup' ), 'users.php' ) ) ) ); ?></li>
                                     <?php endif; ?>
-                                    <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Manage User Signups', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-signups' ), 'users.php' ) ) ); ?></li>
+                                    <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Manage User Signups', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-signups' ), 'users.php' ) ) ) ); ?></li>
                                     <?php if ( bp_is_active( 'activity' ) ) : ?>
-                                        <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Moderate Activity Streams', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-activity' ), 'admin.php' ) ) ); ?></li>
+                                        <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Moderate Activity Streams', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-activity' ), 'admin.php' ) ) ) ); ?></li>
                                     <?php endif; ?>
                                     <?php if ( bp_is_active( 'groups' ) ) : ?>
-                                        <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Manage Groups', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-groups' ), 'admin.php' ) ) ); ?></li>
+                                        <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Manage Groups', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-groups' ), 'admin.php' ) ) ) ); ?></li>
                                     <?php endif; ?>
-                                    <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Repair Data', 'buddypress' ) . '</a>', bp_get_admin_url( add_query_arg( array( 'page' => 'bp-tools' ), 'tools.php' ) ) ); ?>
+                                    <li><?php printf( '<a href="%s" class="welcome-icon welcome-add-page">' . __( 'Repair Data', 'buddypress' ) . '</a>', esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-tools' ), 'tools.php' ) ) ) ); ?>
                                     </li>
                                 </ul>

branches/2.2/src/bp-core/bp-core-catchuri.php

@@ -500 +500 @@
 
             $url = $root;
-            if ( !empty( $redirect ) )
+            if ( !empty( $redirect ) ) {
                 $url = add_query_arg( 'redirect_to', urlencode( $redirect ), $root );
+            }
 
             if ( !empty( $message ) ) {

branches/2.2/src/bp-core/bp-core-classes.php

@@ -2425 +2425 @@
 
         // Add href attribute
-        $attributes = ! empty( $item->link ) ? ' href="' . esc_attr( esc_url( $item->link ) ) . '"' : '';
+        $attributes = ! empty( $item->link ) ? ' href="' . esc_url( $item->link ) . '"' : '';
 
         // Construct the link

branches/2.2/src/bp-core/bp-core-functions.php

@@ -1424 +1424 @@
  */
 function bp_admin_url( $path = '', $scheme = 'admin' ) {
-    echo bp_get_admin_url( $path, $scheme );
+    echo esc_url( bp_get_admin_url( $path, $scheme ) );
 }
     /**

branches/2.2/src/bp-forums/bp-forums-template.php

@@ -1785 +1785 @@
  */
 function bp_forum_topic_new_reply_link() {
-    echo bp_get_forum_topic_new_reply_link();
+    echo esc_url( bp_get_forum_topic_new_reply_link() );
 }
     /**

branches/2.2/src/bp-groups/bp-groups-admin.php

@@ -536 +536 @@
         <?php if ( ! empty( $group ) ) : ?>
 
-            <form action="<?php echo esc_attr( $form_url ); ?>" id="bp-groups-edit-form" method="post">
+            <form action="<?php echo esc_url( $form_url ); ?>" id="bp-groups-edit-form" method="post">
                 <div id="poststuff">
 
@@ -628 +628 @@
         <p><strong><?php _e( 'This action cannot be undone.', 'buddypress' ) ?></strong></p>
 
-        <a class="button-primary" href="<?php echo wp_nonce_url( add_query_arg( array( 'action' => 'do_delete', 'gid' => implode( ',', $gids ) ), $base_url ), 'bp-groups-delete' ) ?>"><?php _e( 'Delete Permanently', 'buddypress' ) ?></a>
-        <a class="button" href="<?php echo esc_attr( $base_url ); ?>"><?php _e( 'Cancel', 'buddypress' ) ?></a>
+        <a class="button-primary" href="<?php echo esc_url( wp_nonce_url( add_query_arg( array( 'action' => 'do_delete', 'gid' => implode( ',', $gids ) ), $base_url ), 'bp-groups-delete' ) ); ?>"><?php _e( 'Delete Permanently', 'buddypress' ) ?></a>
+        <a class="button" href="<?php echo esc_url( $base_url ); ?>"><?php _e( 'Cancel', 'buddypress' ) ?></a>
     </div>
 
@@ -917 +917 @@
         <div id="major-publishing-actions">
             <div id="delete-action">
-                <a class="submitdelete deletion" href="<?php echo wp_nonce_url( add_query_arg( 'action', 'delete', $base_url ), 'bp-groups-delete' ) ?>"><?php _e( 'Delete Group', 'buddypress' ) ?></a>
+                <a class="submitdelete deletion" href="<?php echo esc_url( wp_nonce_url( add_query_arg( 'action', 'delete', $base_url ), 'bp-groups-delete' ) ); ?>"><?php _e( 'Delete Group', 'buddypress' ) ?></a>
             </div>
 
@@ -1303 +1303 @@
 
         <ul class="subsubsub">
-            <li class="all"><a href="<?php echo esc_attr( esc_url( $url_base ) ); ?>" class="<?php if ( 'all' == $this->view ) echo 'current'; ?>"><?php _e( 'All', 'buddypress' ); ?></a> |</li>
-            <li class="public"><a href="<?php echo esc_attr( esc_url( add_query_arg( 'group_status', 'public', $url_base ) ) ); ?>" class="<?php if ( 'public' == $this->view ) echo 'current'; ?>"><?php printf( _n( 'Public <span class="count">(%s)</span>', 'Public <span class="count">(%s)</span>', $this->group_counts['public'], 'buddypress' ), number_format_i18n( $this->group_counts['public'] ) ); ?></a> |</li>
-            <li class="private"><a href="<?php echo esc_attr( esc_url( add_query_arg( 'group_status', 'private', $url_base ) ) ); ?>" class="<?php if ( 'private' == $this->view ) echo 'current'; ?>"><?php printf( _n( 'Private <span class="count">(%s)</span>', 'Private <span class="count">(%s)</span>', $this->group_counts['private'], 'buddypress' ), number_format_i18n( $this->group_counts['private'] ) ); ?></a> |</li>
-            <li class="hidden"><a href="<?php echo esc_attr( esc_url( add_query_arg( 'group_status', 'hidden', $url_base ) ) ); ?>" class="<?php if ( 'hidden' == $this->view ) echo 'current'; ?>"><?php printf( _n( 'Hidden <span class="count">(%s)</span>', 'Hidden <span class="count">(%s)</span>', $this->group_counts['hidden'], 'buddypress' ), number_format_i18n( $this->group_counts['hidden'] ) ); ?></a></li>
+            <li class="all"><a href="<?php echo esc_url( $url_base ); ?>" class="<?php if ( 'all' == $this->view ) echo 'current'; ?>"><?php _e( 'All', 'buddypress' ); ?></a> |</li>
+            <li class="public"><a href="<?php echo esc_url( add_query_arg( 'group_status', 'public', $url_base ) ); ?>" class="<?php if ( 'public' == $this->view ) echo 'current'; ?>"><?php printf( _n( 'Public <span class="count">(%s)</span>', 'Public <span class="count">(%s)</span>', $this->group_counts['public'], 'buddypress' ), number_format_i18n( $this->group_counts['public'] ) ); ?></a> |</li>
+            <li class="private"><a href="<?php echo esc_url( add_query_arg( 'group_status', 'private', $url_base ) ); ?>" class="<?php if ( 'private' == $this->view ) echo 'current'; ?>"><?php printf( _n( 'Private <span class="count">(%s)</span>', 'Private <span class="count">(%s)</span>', $this->group_counts['private'], 'buddypress' ), number_format_i18n( $this->group_counts['private'] ) ); ?></a> |</li>
+            <li class="hidden"><a href="<?php echo esc_url( add_query_arg( 'group_status', 'hidden', $url_base ) ); ?>" class="<?php if ( 'hidden' == $this->view ) echo 'current'; ?>"><?php printf( _n( 'Hidden <span class="count">(%s)</span>', 'Hidden <span class="count">(%s)</span>', $this->group_counts['hidden'], 'buddypress' ), number_format_i18n( $this->group_counts['hidden'] ) ); ?></a></li>
 
             <?php do_action( 'bp_groups_list_table_get_views', $url_base, $this->view ); ?>

branches/2.2/src/bp-members/admin/bp-members-classes.php

@@ -98 +98 @@
         // Remove the 'current' class from the 'All' link
         $views['all']        = str_replace( 'class="current"', '', $views['all'] );
-        $views['registered'] = sprintf( '<a href="%1$s" class="current">%2$s</a>', add_query_arg( 'page', 'bp-signups', bp_get_admin_url( 'users.php' ) ), sprintf( _x( 'Pending %s', 'signup users', 'buddypress' ), '<span class="count">(' . number_format_i18n( $this->signup_counts ) . ')</span>' ) );
+        $views['registered'] = sprintf( '<a href="%1$s" class="current">%2$s</a>', esc_url( add_query_arg( 'page', 'bp-signups', bp_get_admin_url( 'users.php' ) ) ), sprintf( _x( 'Pending %s', 'signup users', 'buddypress' ), '<span class="count">(' . number_format_i18n( $this->signup_counts ) . ')</span>' ) );
 
         return $views;
@@ -463 +463 @@
         // Remove the 'current' class from the 'All' link
         $views['all']        = str_replace( 'class="current"', '', $views['all'] );
-        $views['registered'] = sprintf( '<a href="%1$s" class="current">%2$s</a>', add_query_arg( 'page', 'bp-signups', bp_get_admin_url( 'users.php' ) ), sprintf( _x( 'Pending %s', 'signup users', 'buddypress' ), '<span class="count">(' . number_format_i18n( $this->signup_counts ) . ')</span>' ) );
+        $views['registered'] = sprintf( '<a href="%1$s" class="current">%2$s</a>', esc_url( add_query_arg( 'page', 'bp-signups', bp_get_admin_url( 'users.php' ) ) ), sprintf( _x( 'Pending %s', 'signup users', 'buddypress' ), '<span class="count">(' . number_format_i18n( $this->signup_counts ) . ')</span>' ) );
 
         return $views;

branches/2.2/src/bp-members/bp-members-admin.php

@@ -1175 +1175 @@
             // Add query args and setup the Extended link
             $edit_profile      = add_query_arg( $args, $this->edit_profile_url );
-            $edit_profile_link = sprintf( '<a href="%1$s">%2$s</a>',  esc_url( $edit_profile ), esc_html__( 'Extended', 'buddypress' ) );
+            $edit_profile_link = sprintf( '<a href="%1$s">%2$s</a>', esc_url( $edit_profile ), esc_html__( 'Extended', 'buddypress' ) );
 
             /**
@@ -1330 +1330 @@
         $text    = sprintf( _x( 'Pending %s', 'signup users', 'buddypress' ), '<span class="count">(' . number_format_i18n( $signups ) . ')</span>' );
 
-        $views['registered'] = sprintf( '<a href="%1$s" class="%2$s">%3$s</a>', $url, $class, $text );
+        $views['registered'] = sprintf( '<a href="%1$s" class="%2$s">%3$s</a>', esc_url( $url ), $class, $text );
 
         return $views;

branches/2.2/src/bp-members/bp-members-functions.php

@@ -2303 +2303 @@
     );
 
-    $resend_string = '<br /><br />' . sprintf( __( 'If you have not received an email yet, <a href="%s">click here to resend it</a>.', 'buddypress' ), $resend_url );
+    $resend_string = '<br /><br />' . sprintf( __( 'If you have not received an email yet, <a href="%s">click here to resend it</a>.', 'buddypress' ), esc_url( $resend_url ) );
 
     return new WP_Error( 'bp_account_not_activated', __( '<strong>ERROR</strong>: Your account has not been activated. Check your email for the activation link.', 'buddypress' ) . $resend_string );

branches/2.2/src/bp-members/bp-members-template.php

@@ -2289 +2289 @@
  */
 function bp_members_component_link( $component, $action = '', $query_args = '', $nonce = false ) {
-    echo bp_get_members_component_link( $component, $action, $query_args, $nonce );
+    echo esc_url( bp_get_members_component_link( $component, $action, $query_args, $nonce ) );
 }
     /**