Escape output

andergmartins · andergmartins · commit 8fb0d9d36a9f · 2022-03-08T11:44:18.000-03:00
diff --git a/src/core/Classes/Author_Editor.php b/src/core/Classes/Author_Editor.php
@@ -619,7 +619,10 @@ public static function admin_notices()
             if (empty($count)) {
                 esc_html__('No authors were updated', 'publishpress-authors');
             } else {
-                esc_html(printf(__('Updated %d authors', 'publishpress-authors'), $count));  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+                printf(
+                        esc_html__('Updated %d authors', 'publishpress-authors'),
+                        esc_html($count)
+                );
             }
 
             echo '</div>';
diff --git a/src/core/Classes/Post_Editor.php b/src/core/Classes/Post_Editor.php
@@ -209,7 +209,7 @@ public static function render_authors_metabox()
 
         $authors = get_multiple_authors();
 
-        echo self::get_rendered_authors_selection($authors, false);
+        echo self::get_rendered_authors_selection($authors, false);  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 
     /**
@@ -224,8 +224,7 @@ public static function get_rendered_authors_selection($authors, $showAvatars = t
             $classes[] = 'authors-current-user-can-assign';
         }
         ?>
-        <ul class="<?php
-        echo(implode(' ', $classes)); ?>">
+        <ul class="<?php echo esc_attr(implode(' ', $classes)); ?>">
             <?php
             if (!empty($authors)) {
                 foreach ($authors as $author) {
@@ -251,7 +250,7 @@ public static function get_rendered_authors_selection($authors, $showAvatars = t
                         $args['avatar'] = $author->get_avatar(20);
                     }
 
-                    echo self::get_rendered_author_partial($args);
+                    echo self::get_rendered_author_partial($args);  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
                 }
             }
             ?>
@@ -271,7 +270,7 @@ class="authors-select2 authors-search"
             </select>
             <script type="text/html" id="tmpl-authors-author-partial">
                 <?php
-                echo self::get_rendered_author_partial(
+                echo self::get_rendered_author_partial(  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
                     [
                         'display_name' => '{{ data.display_name }}',
                         'term'         => '{{ data.id }}',
@@ -287,7 +286,7 @@ class="authors-select2 authors-search"
             <div id="publishpress-authors-user-author-wrapper">
                 <hr>
                 <label for="publishpress-authors-user-author-select"><?php
-                    echo __(
+                    echo esc_html__(
                         'This option is showing because you do not have a WordPress user selected as an author. For some tasks, it can be helpful to have a user selected here. This user will not be visible on the front of your site.',
                         'publishpress-authors'
                     ); ?></label>
@@ -298,7 +297,7 @@ class="authors-select2 authors-user-search"
                         esc_attr_e('Search for an user', 'publishpress-authors'); ?>" style="width: 100%"
                         name="fallback_author_user">
                     <option value="<?php echo (int)$post->post_author; ?>">
-                        <?php echo is_object($userAuthor) ? $userAuthor->display_name : ''; ?>
+                        <?php echo is_object($userAuthor) ? esc_html($userAuthor->display_name) : ''; ?>
                     </option>
                 </select>
             </div>
@@ -333,13 +332,11 @@ private static function get_rendered_author_partial($args = [])
             <?php
             if (!empty($args['avatar'])) : ?>
                 <?php
-                echo $args['avatar']; ?>
+                echo $args['avatar'];  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
             <?php
             endif; ?>
-            <span class="display-name"><?php
-                echo wp_kses_post($args['display_name']); ?></span>
-            <input type="hidden" name="authors[]" value="<?php
-            echo esc_attr($args['term']); ?>">
+            <span class="display-name"><?php echo esc_html($args['display_name']); ?></span>
+            <input type="hidden" name="authors[]" value="<?php echo esc_attr($args['term']); ?>">
         </li>
         <?php
         return ob_get_clean();
diff --git a/src/core/Widget.php b/src/core/Widget.php
@@ -86,10 +86,10 @@ public function widget( $args, $instance )
             }
 
 			if ( ! empty( $output ) ) {
-				echo $args['before_widget'];
-				echo $args['before_title'] . apply_filters( 'widget_title', $title ) . $args['after_title'];
-				echo $output;
-				echo $args['after_widget'];
+				echo $args['before_widget']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+				echo $args['before_title'] . apply_filters('widget_title', esc_html($title)) . $args['after_title'];  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+				echo $output;  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+				echo $args['after_widget'];  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			}
 		}
 	}
@@ -123,29 +123,29 @@ public function form( $instance )
 				'layout' => esc_html__( 'Layout', 'publishpress-authors' ),
 			),
 			'ids'     => array(
-				'title'  => $this->get_field_id( 'title' ),
-				'title_plural'  => $this->get_field_id( 'title_plural' ),
-				'layout' => $this->get_field_id( 'layout' ),
-				'nonce' => $this->get_field_id( 'nonce' ),
+				'title'  => esc_html($this->get_field_id( 'title' )),
+				'title_plural'  => esc_html($this->get_field_id( 'title_plural' )),
+				'layout' => esc_html($this->get_field_id( 'layout' )),
+				'nonce' => esc_html($this->get_field_id( 'nonce' )),
 			),
 			'names'   => array(
-				'title'  => $this->get_field_name( 'title' ),
-				'title_plural'  => $this->get_field_name( 'title_plural' ),
-				'layout' => $this->get_field_name( 'layout' ),
-				'nonce' => $this->get_field_name( 'nonce' ),
+				'title'  => esc_html($this->get_field_name( 'title' )),
+				'title_plural'  => esc_html($this->get_field_name( 'title_plural' )),
+				'layout' => esc_html($this->get_field_name( 'layout' )),
+				'nonce' => esc_html($this->get_field_name( 'nonce' )),
 			),
 			'values'  => array(
-				'title'  => $titleSingle,
-				'title_plural'  => $titlePlural,
-				'layout' => $layout,
+				'title'  => esc_html($titleSingle),
+				'title_plural'  => esc_html($titlePlural),
+				'layout' => esc_html($layout),
                 'nonce' => wp_create_nonce('pp_multiple_authors_widget_form'),
             ),
             'layouts' => apply_filters( 'pp_multiple_authors_author_layouts', array() ),
 		);
 
 		$container = Factory::get_container();
 
-		echo $container['twig']->render( 'widget-form.twig', $context );
+		echo $container['twig']->render( 'widget-form.twig', $context );  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	}
 
 	/**
diff --git a/src/functions/template-tags.php b/src/functions/template-tags.php
@@ -355,7 +355,7 @@ function multiple_authors__echo($tag, $type = 'tag', $separators = [], $tag_args
         $output .= $separators['after'];
 
         if ($echo) {
-            echo $output;
+            echo $output;  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
         }
 
         return $output;
@@ -688,7 +688,7 @@ function get_the_multiple_author_meta($field)
     function the_multiple_author_meta($field, $user_id = 0)
     {
         // TODO: need before after options
-        echo get_the_multiple_author_meta($field, $user_id);
+        echo get_the_multiple_author_meta($field, $user_id);  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 }
 
@@ -728,7 +728,7 @@ function multiple_authors_wp_list_authors($args = [])
             return $return;
         }
 
-        echo $return;
+        echo $return;  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 }
 
@@ -786,7 +786,7 @@ function multiple_authors_get_avatar($coauthor, $size = 32, $default = '', $alt
      */
     function the_authors()
     {
-        echo get_the_authors();
+        echo get_the_authors();  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 }
 
@@ -815,7 +815,7 @@ function ($author) {
      */
     function the_authors_posts_links()
     {
-        echo get_the_authors_posts_links();
+        echo get_the_authors_posts_links();  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 }
 
@@ -872,7 +872,7 @@ function ($author) {
      */
     function the_authors_links()
     {
-        echo get_the_authors_links();
+        echo get_the_authors_links();  // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 }
 
diff --git a/src/modules/debug/debug.php b/src/modules/debug/debug.php
@@ -129,7 +129,7 @@ public function renderDebugMetaBox()
 
             echo '<pre><ul>';
             foreach ($dataList as $key => $data) {
-                echo '<li style="border-bottom: 1px solid silver; padding: 5px;">' . $key . ' = ' . print_r($data, true) . '</li>';
+                echo '<li style="border-bottom: 1px solid silver; padding: 5px;">' . esc_html($key) . ' = ' . esc_html(print_r($data, true)) . '</li>';
             }
             echo '</ul></pre>';
         }
diff --git a/src/modules/elementor-integration/Modules/Posts/Skins/PostsSkinCards.php b/src/modules/elementor-integration/Modules/Posts/Skins/PostsSkinCards.php
@@ -52,7 +52,7 @@ protected function render_author()
                 $authorNames[] = $author->display_name;
             }
 
-            echo apply_filters(
+            echo apply_filters( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
                 'publishpress_authors_elementor_posts_skin_cards_byline',
                 implode(', ', $authorNames),
                 $authorNames,
@@ -73,9 +73,9 @@ protected function render_avatar()
 
             foreach ($authors as $author) {
                 if (is_a($author, Author::class)) {
-                    echo $author->get_avatar($avatarSize);
+                    echo $author->get_avatar($avatarSize); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
                 } elseif (isset($author->ID)) {
-                    echo get_avatar($author->ID, $avatarSize);
+                    echo get_avatar($author->ID, $avatarSize); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
                 }
             }
             ?>
diff --git a/src/modules/elementor-integration/Modules/Posts/Skins/PostsSkinClassic.php b/src/modules/elementor-integration/Modules/Posts/Skins/PostsSkinClassic.php
@@ -50,7 +50,7 @@ protected function render_author()
                 $authorNames[] = $author->display_name;
             }
 
-            echo apply_filters(
+            echo apply_filters( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
                 'publishpress_authors_elementor_posts_skin_classic_byline',
                 implode(', ', $authorNames),
                 $authorNames,
diff --git a/src/modules/modules-settings/modules-settings.php b/src/modules/modules-settings/modules-settings.php
@@ -182,7 +182,7 @@ public function print_configure_view()
                             echo '<ul id="publishpress-authors-settings-tabs" class="nav-tab-wrapper">';
                             foreach ($tabs as $tabLink => $tabLabel) {
                                 echo '<li class="nav-tab ' . ($tabLink === '#ppma-tab-general' ? 'nav-tab-active' : '') . '">';
-                                echo '<a href="' . $tabLink . '">' . $tabLabel . '</a>';
+                                echo '<a href="' . esc_url($tabLink) . '">' . esc_html($tabLabel) . '</a>';
                                 echo '</li>';
                             }
                             echo '</ul>';
@@ -203,12 +203,11 @@ public function print_configure_view()
                                 continue;
                             }
 
-                            echo sprintf('<h3>%s</h3>', $mod_data->title);
-                            echo sprintf('<p>%s</p>', $mod_data->short_description);
+                            echo sprintf('<h3>%s</h3>', esc_html($mod_data->title));
+                            echo sprintf('<p>%s</p>', esc_html($mod_data->short_description));
 
-                            echo '<input name="multiple_authors_module_name[]" type="hidden" value="' . esc_attr(
-                                    $mod_data->name
-                                ) . '" />';
+                            echo '<input name="multiple_authors_module_name[]" type="hidden" value="'
+                                . esc_attr($mod_data->name) . '" />';
 
                             $legacyPlugin->$slug->print_configure_view();
                         }
@@ -228,16 +227,16 @@ public function print_configure_view()
 
                         <?php if ($featuresCount > 0) : ?>
                             <div id="modules-wrapper">
-                                <h3><?php echo __('Features', 'publishpress-authors'); ?></h3>
-                                <p><?php echo __(
+                                <h3><?php echo esc_html__('Features', 'publishpress-authors'); ?></h3>
+                                <p><?php echo esc_html__(
                                         'Feel free to select only the features you need.',
                                         'publishpress-authors'
                                     ); ?></p>
 
                                 <table class="form-table">
                                     <tbody>
                                     <tr>
-                                        <th scope="row"><?php echo __(
+                                        <th scope="row"><?php echo esc_html__(
                                                 'Enabled features',
                                                 'publishpress-authors'
                                             ); ?></th>
@@ -254,7 +253,7 @@ public function print_configure_view()
                                                                $mod_data->slug
                                                            ); ?>]" <?php echo ($mod_data->options->enabled == 'on') ? "checked=\"checked\"" : ""; ?>
                                                            type="checkbox">
-                                                    &nbsp;&nbsp;&nbsp;<?php echo $mod_data->title; ?>
+                                                    &nbsp;&nbsp;&nbsp;<?php echo esc_html($mod_data->title); ?>
                                                 </label>
                                                 <br>
                                             <?php endforeach; ?>
@@ -263,9 +262,8 @@ public function print_configure_view()
                                     </tbody>
                                 </table>
 
-                                <?php echo '<input name="multiple_authors_module_name[]" type="hidden" value="' . esc_attr(
-                                        $this->module->name
-                                    ) . '" />'; ?>
+                                <?php echo '<input name="multiple_authors_module_name[]" type="hidden" value="'
+                                    . esc_attr($this->module->name) . '" />'; ?>
                             </div>
                         <?php endif; ?>
 
@@ -280,16 +278,16 @@ public function print_configure_view()
                         <?php
                         $banners = new PublishPress\WordPressBanners\BannersMain;
                         $banners->pp_display_banner(
-                            __( 'Recommendations for you', 'publishpress-authors' ),
-                            __( 'Showcase your Authors with PublishPress Blocks', 'publishpress-authors' ),
+                            esc_html__( 'Recommendations for you', 'publishpress-authors' ),
+                            esc_html__( 'Showcase your Authors with PublishPress Blocks', 'publishpress-authors' ),
                             array(
-                                __( 'PublishPress Blocks is a free plugin with full support for PublishPress Authors.', 'publishpress-authors' ),
-                                __( 'Install this plugin to showcase content by your Authors.', 'publishpress-authors' ),
-                                __( 'Use the Content Display block to show your posts in many beautiful layouts.', 'publishpress-authors' ),
-                                __( 'PublishPress Blocks has over 20 extra Gutenberg blocks including accordions, galleries, tables, and more.', 'publishpress-authors' ),
+                                esc_html__( 'PublishPress Blocks is a free plugin with full support for PublishPress Authors.', 'publishpress-authors' ),
+                                esc_html__( 'Install this plugin to showcase content by your Authors.', 'publishpress-authors' ),
+                                esc_html__( 'Use the Content Display block to show your posts in many beautiful layouts.', 'publishpress-authors' ),
+                                esc_html__( 'PublishPress Blocks has over 20 extra Gutenberg blocks including accordions, galleries, tables, and more.', 'publishpress-authors' ),
                             ),
-                            admin_url( 'plugin-install.php?s=publishpress-advg-install&tab=search&type=term' ),
-                            __( 'Click here to install PublishPress Blocks', 'publishpress-authors' ),
+                            esc_url(admin_url( 'plugin-install.php?s=publishpress-advg-install&tab=search&type=term' )),
+                            esc_html__( 'Click here to install PublishPress Blocks', 'publishpress-authors' ),
                             'install-blocks.jpg'
                         );
                         ?>
diff --git a/src/modules/multiple-authors/multiple-authors.php b/src/modules/multiple-authors/multiple-authors.php
diff --git a/src/modules/pro-placeholders/views/fields-placeholder.php b/src/modules/pro-placeholders/views/fields-placeholder.php
diff --git a/src/modules/pro-placeholders/views/layouts-placeholder.php b/src/modules/pro-placeholders/views/layouts-placeholder.php
diff --git a/src/modules/settings/settings.php b/src/modules/settings/settings.php

Original file line number	Diff line number	Diff line change
`@@ -355,7 +355,7 @@ function multiple_authors__echo($tag, $type = 'tag', $separators = [], $tag_args`
`355`	`355`	`$output .= $separators['after'];`
`356`	`356`
`357`	`357`	`if ($echo) {`
`358`		`- echo $output;`
	`358`	`+ echo $output; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`
`359`	`359`	`}`
`360`	`360`
`361`	`361`	`return $output;`
`@@ -688,7 +688,7 @@ function get_the_multiple_author_meta($field)`
`688`	`688`	`function the_multiple_author_meta($field, $user_id = 0)`
`689`	`689`	`{`
`690`	`690`	`// TODO: need before after options`
`691`		`- echo get_the_multiple_author_meta($field, $user_id);`
	`691`	`+ echo get_the_multiple_author_meta($field, $user_id); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`
`692`	`692`	`}`
`693`	`693`	`}`
`694`	`694`
`@@ -728,7 +728,7 @@ function multiple_authors_wp_list_authors($args = [])`
`728`	`728`	`return $return;`
`729`	`729`	`}`
`730`	`730`
`731`		`- echo $return;`
	`731`	`+ echo $return; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`
`732`	`732`	`}`
`733`	`733`	`}`
`734`	`734`
`@@ -786,7 +786,7 @@ function multiple_authors_get_avatar($coauthor, $size = 32, $default = '', $alt`
`786`	`786`	`*/`
`787`	`787`	`function the_authors()`
`788`	`788`	`{`
`789`		`- echo get_the_authors();`
	`789`	`+ echo get_the_authors(); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`
`790`	`790`	`}`
`791`	`791`	`}`
`792`	`792`
`@@ -815,7 +815,7 @@ function ($author) {`
`815`	`815`	`*/`
`816`	`816`	`function the_authors_posts_links()`
`817`	`817`	`{`
`818`		`- echo get_the_authors_posts_links();`
	`818`	`+ echo get_the_authors_posts_links(); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`
`819`	`819`	`}`
`820`	`820`	`}`
`821`	`821`
`@@ -872,7 +872,7 @@ function ($author) {`
`872`	`872`	`*/`
`873`	`873`	`function the_authors_links()`
`874`	`874`	`{`
`875`		`- echo get_the_authors_links();`
	`875`	`+ echo get_the_authors_links(); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`
`876`	`876`	`}`
`877`	`877`	`}`
`878`	`878`
Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ public function renderDebugMetaBox()`
`129`	`129`
`130`	`130`	`echo '<pre><ul>';`
`131`	`131`	`foreach ($dataList as $key => $data) {`
`132`		`- echo '<li style="border-bottom: 1px solid silver; padding: 5px;">' . $key . ' = ' . print_r($data, true) . '</li>';`
	`132`	`+ echo '<li style="border-bottom: 1px solid silver; padding: 5px;">' . esc_html($key) . ' = ' . esc_html(print_r($data, true)) . '</li>';`
`133`	`133`	`}`
`134`	`134`	`echo '</ul></pre>';`
`135`	`135`	`}`
Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ protected function render_author()`
`52`	`52`	`$authorNames[] = $author->display_name;`
`53`	`53`	`}`
`54`	`54`
`55`		`- echo apply_filters(`
	`55`	`+ echo apply_filters( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`
`56`	`56`	`'publishpress_authors_elementor_posts_skin_cards_byline',`
`57`	`57`	`implode(', ', $authorNames),`
`58`	`58`	`$authorNames,`
`@@ -73,9 +73,9 @@ protected function render_avatar()`
`73`	`73`
`74`	`74`	`foreach ($authors as $author) {`
`75`	`75`	`if (is_a($author, Author::class)) {`
`76`		`- echo $author->get_avatar($avatarSize);`
	`76`	`+ echo $author->get_avatar($avatarSize); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`
`77`	`77`	`} elseif (isset($author->ID)) {`
`78`		`- echo get_avatar($author->ID, $avatarSize);`
	`78`	`+ echo get_avatar($author->ID, $avatarSize); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`
`79`	`79`	`}`
`80`	`80`	`}`
`81`	`81`	`?>`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ protected function render_author()`
`50`	`50`	`$authorNames[] = $author->display_name;`
`51`	`51`	`}`
`52`	`52`
`53`		`- echo apply_filters(`
	`53`	`+ echo apply_filters( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`
`54`	`54`	`'publishpress_authors_elementor_posts_skin_classic_byline',`
`55`	`55`	`implode(', ', $authorNames),`
`56`	`56`	`$authorNames,`