Commit 3b888336 authored by Marcin Kolanko

fix(templates): add escaping templates from wp-forms 3.0

parent 82feec1b
1 merge request: !20 Feature/add escaping to templates
with 302 additions and 187 deletions
......@@ -4,10 +4,9 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*
*/
?>
<button
......@@ -16,16 +15,21 @@
<?php endif; ?>
<?php foreach ( $field->get_attributes( [] ) as $key => $val ) : ?>
<?php echo $key.'="'.\esc_attr($val).'"'; ?>
<?php echo \esc_attr( $key ) . '="' . \esc_attr( $val ) . '"'; ?>
<?php endforeach; ?>
type="<?php echo \esc_attr( $field->get_type() ); ?>"
name="<?php echo \esc_attr($name_prefix).'['.\esc_attr($field->get_name()).']'?>"
name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>"
id="<?php echo \esc_attr( $field->get_id() ); ?>"
value="<?php echo \esc_html( $value ); ?>"
<?php if ($field->is_required()): ?>required="required"<?php endif; ?>
<?php if ($field->is_disabled()): ?>disabled="disabled"<?php endif; ?>
<?php if ($field->is_readonly()): ?>readonly="readonly"<?php endif; ?>
<?php
if ( $field->is_disabled() ) :
?>
disabled="disabled"<?php endif; ?>
<?php
if ( $field->is_readonly() ) :
?>
readonly="readonly"<?php endif; ?>
><?php echo \esc_html( $field->get_label() ); ?></button>
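Review bot: `value="<?php echo \esc_html( $value ); ?>"` escapes for HTML-text context while every other attribute of this `<button>` now goes through `\esc_attr()`; the attribute-context escaper in WordPress is `esc_attr()`, so the line should read `value="<?php echo \esc_attr( $value ); ?>"`. The same esc_html-in-attribute pattern survives elsewhere in this commit: the hidden input's `value` in the image template, the submit input's `value`, and the `placeholder`/`value` attributes of the single and cloneable input templates. In current WordPress both functions happen to encode the same characters, so this is a context-correctness and consistency point rather than a live injection, but it is exactly what the PHPCS EscapeOutput sniff will keep reporting.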
<?php
/**
* Form ending with hoverable tip snippet in js.
*/
?>
</tbody>
</table>
</form>
......
......@@ -4,24 +4,30 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*
*/
?>
<tr valign="top">
<?php if ( $field->has_label() ) : ?>
<?php echo $renderer->render( 'form-label', [ 'field' => $field ] ); ?>
<?php echo wp_kses_post( $renderer->render( 'form-label', [ 'field' => $field ] ) ); ?>
<?php endif; ?>
<td class="forminp">
<?php echo $renderer->render( $template_name, [
<?php
echo wp_kses_post(
$renderer->render(
$template_name,
[
'field' => $field,
'renderer' => $renderer,
'name_prefix' => $name_prefix,
'value' => $value,
] ); ?>
]
)
);
?>
<?php if ( $field->has_description() ) : ?>
<p class="description"><?php echo wp_kses_post( $field->get_description() ); ?></p>
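Review bot: `wp_kses_post()` around `$renderer->render( $template_name, … )` filters the rendered field through the post-content allow-list, which — unless this project extends `wp_kses_allowed_html` — does not contain `input`, `select`, `option`, `form` or `script`, so the field markup these templates produce will be stripped from the output, and the media template's inline `<script>` along with it. The same wrapper is applied to `$renderer->render( 'input', … )` in every one of the input-wrapper templates further down in this commit. Since the inner templates are themselves the escaping boundary (each dynamic value in them now passes through `esc_attr`/`esc_html`/`esc_url`), the safer fix is to echo the render result directly and document that for the sniff: `echo $renderer->render( $template_name, [ … ] ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- template output is escaped at its source.` If a kses pass is wanted as defence in depth, give `wp_kses()` an explicit allowed-HTML array covering the form elements and their attributes instead of using `wp_kses_post()`.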
......
......@@ -4,11 +4,12 @@
* @var string $name_prefix
* @var string $value
*/
?>
<th class="titledesc" scope="row">
<label for="<?php echo esc_attr( $field->get_id() ); ?>"><?php echo esc_html( $field->get_label() ); ?>
<label for="<?php echo \esc_attr( $field->get_id() ); ?>"><?php echo \esc_html( $field->get_label() ); ?>
<?php if ( $field->has_description_tip() ) : ?>
<?php echo wc_help_tip($field->get_description_tip()); ?>
<?php echo esc_html( wc_help_tip( $field->get_description_tip() ) ); ?>
<?php endif ?>
</label>
</th>
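Review bot: `esc_html( wc_help_tip( … ) )` escapes the return value of `wc_help_tip()`, which is an HTML `<span class="woocommerce-help-tip">` snippet, so the tip will now be rendered as literal angle-bracket text instead of the hover tip. WooCommerce sanitises the tip text inside the helper, as far as I can tell, so the markup it returns is the thing to preserve: `<?php echo wp_kses_post( wc_help_tip( $field->get_description_tip() ) ); ?>`, or echo it directly with a phpcs ignore comment stating that the helper escapes its own output.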
......@@ -2,9 +2,10 @@
/**
* @var \WPDesk\Forms\Form\FormWithFields $form
*/
?>
<form class="wrap woocommerce" method="<?php echo esc_attr($form->get_method()); ?>" action="<?php echo esc_attr($form->get_action()); ?>">
<h2 style="display:none;"></h2><?php // All admin notices will be moved here by WP js ?>
<form class="wrap woocommerce" method="<?php echo \esc_attr( $form->get_method() ); ?>" action="<?php echo \esc_attr( $form->get_action() ); ?>">
<h2 style="display:none;"></h2><?php // All admin notices will be moved here by WP js. ?>
<table class="form-table">
<tbody>
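Review bot: `action="<?php echo \esc_attr( $form->get_action() ); ?>"` escapes a URL with the generic attribute escaper; WordPress's URL-context escaper additionally rejects non-allowlisted schemes such as `javascript:`, so the form's `action` should use `\esc_url( $form->get_action() )` (the `method` attribute is correctly left with `esc_attr`). The image `src`/`href` attributes were switched to `esc_url` in this same commit, so this is the one URL-valued attribute left behind.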
......@@ -10,9 +10,9 @@ $classes = $field->has_classes() ? 'class="' . esc_attr( $field->get_classes
?>
<?php if ( $field->has_label() ) : ?>
<h<?php echo $header_size; ?> <?php echo $classes; ?>><?php echo esc_html( $field->get_label() ); ?></h<?php echo $header_size; ?>>
<h<?php echo \esc_attr( $header_size ); ?> <?php echo \esc_attr( $classes ); ?>><?php echo \esc_html( $field->get_label() ); ?></h<?php echo \esc_attr( $header_size ); ?>>
<?php endif; ?>
<?php if ( $field->has_description() ) : ?>
<p <?php echo $classes; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
<p <?php echo \esc_attr( $classes ); ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
<?php endif; ?>
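Review bot: `\esc_attr( $classes )` is applied to a value that already holds a complete `class="…"` attribute (the assignment shown in the hunk header builds it with `esc_attr()` around the class list), so the new code encodes its quotes and emits `<h2 class=&quot;…&quot;>`, which browsers read as a broken attribute rather than a class. Either echo `$classes` unescaped, since it was escaped where it was built, or drop the pre-built string and inline the attribute in both tags: `<?php if ( $field->has_classes() ) : ?>class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>`. The `$classes` assignment itself is outside this hunk.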
......@@ -4,15 +4,20 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*
*/
?>
<?php echo $renderer->render('input', [
<?php
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
'renderer' => $renderer,
'name_prefix' => $name_prefix,
'value' => $value,
]); ?>
]
)
);
<?php
/**
* @var \WPDesk\Forms\Field $field
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*
*/
echo $renderer->render('input', ['field' => $field, 'renderer' => $renderer, 'name_prefix' => $name_prefix, 'value' => $value]);
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
'renderer' => $renderer,
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
......@@ -4,14 +4,19 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*
*/
?>
<?php echo $renderer->render('input', [
<?php
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
'renderer' => $renderer,
'name_prefix' => $name_prefix,
'value' => $value,
]); ?>
]
)
);
......@@ -7,28 +7,28 @@
$media_container_id = 'media_' . sanitize_key( $field->get_id() );
?>
<div class="media-input-wrapper" id="<?php echo $media_container_id; ?>">
<div class="media-input-wrapper" id="<?php echo \esc_attr( $media_container_id ); ?>">
<input type="hidden" class="image-field-value" value="<?php echo \esc_html( $value ); ?>"
name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>"
id="<?php echo \esc_attr( $field->get_id() ); ?>"/>
<div class="custom-img-container">
<?php if ( $value ) : ?>
<img src="<?php echo \esc_html( $value ) ?>" alt="" width="100"/>
<img src="<?php echo \esc_url( $value ) ?>" alt="" width="100"/>
<?php endif; ?>
</div>
<p class="hide-if-no-js">
<a class="upload-custom-img <?php if ( $value ): ?>hidden<?php endif ?>" href="<?php echo \esc_html( $value ) ?>">
<?php _e( 'Set image', 'wp-forms' ) ?>
<a class="upload-custom-img <?php if ( $value ): ?>hidden<?php endif ?>" href="<?php echo \esc_url( $value ) ?>">
<?php \esc_html_e( 'Set image', 'wp-forms' ) ?>
</a>
<a class="delete-custom-img <?php if ( ! $value ): ?>hidden<?php endif ?>" href="#">
<?php _e( 'Remove image', 'wp-forms' ) ?>
<?php \esc_html_e( 'Remove image', 'wp-forms' ) ?>
</a>
</p>
</div>
<script>
jQuery( function ( $ ) {
var frame,
metaBox = $( '#<?php echo esc_attr( $media_container_id ); ?>' ),
metaBox = $( '#<?php echo \esc_attr( $media_container_id ); ?>' ),
addImgLink = metaBox.find( '.upload-custom-img' ),
delImgLink = metaBox.find( '.delete-custom-img' ),
imgContainer = metaBox.find( '.custom-img-container' ),
......@@ -42,9 +42,9 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() );
}
frame = wp.media( {
title: <?php _e( 'Select or Upload Media', 'wp-forms' ); ?>,
title: <?php esc_html_e( 'Select or Upload Media', 'wp-forms' ); ?>,
button: {
text: <?php _e( 'Use this media', 'wp-forms' ); ?>
text: <?php esc_html_e( 'Use this media', 'wp-forms' ); ?>
},
library: {
type: ['image']
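Review bot: `title: <?php esc_html_e( 'Select or Upload Media', 'wp-forms' ); ?>,` emits an HTML-escaped string into a JavaScript object literal, which is the wrong context — HTML entities are not JavaScript escapes — and on both the old and new side the value is printed without surrounding quotes, so the `wp.media()` call (whose enclosing function starts outside this hunk) reads as a syntax error as shown; presumably the quotes were lost somewhere, but the escaper is still the wrong one. The JS-context form is `title: '<?php echo \esc_js( __( 'Select or Upload Media', 'wp-forms' ) ); ?>',` and likewise for the `button.text` line. Passing these strings via `wp_localize_script()` or a `data-` attribute read from the DOM would avoid templating text into inline script altogether.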
......
<?php
/**
* @var \WPDesk\Forms\Field $field
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*
*/
echo $renderer->render('input', ['field' => $field, 'renderer' => $renderer, 'name_prefix' => $name_prefix, 'value' => $value]);
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
'renderer' => $renderer,
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
......@@ -4,14 +4,19 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*
*/
?>
<?php echo $renderer->render('input', [
<?php
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
'renderer' => $renderer,
'name_prefix' => $name_prefix,
'value' => $value,
]); ?>
]
)
);
......@@ -4,27 +4,38 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*
*/
?>
<tr>
<td style="padding-left:0;">
<p class="submit">
<input
<?php if ( $field->has_classes() ): ?>class="<?php echo esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
<?php
if ( $field->has_classes() ) :
?>
class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
<?php foreach ( $field->get_attributes( [] ) as $key => $value ) : ?>
<?php echo $key ?>="<?php echo esc_attr( $value ); ?>"
<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $value ); ?>"
<?php endforeach; ?>
type="<?php echo esc_attr( $field->get_type() ); ?>"
name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>]"
id="<?php echo esc_attr( $field->get_id() ); ?>"
value="<?php echo esc_html( $field->get_label() ); ?>"
<?php if ( $field->is_required() ): ?>required="required"<?php endif; ?>
<?php if ( $field->is_disabled() ): ?>disabled="disabled"<?php endif; ?>
<?php if ( $field->is_readonly() ): ?>readonly="readonly"<?php endif; ?>
type="<?php echo \esc_attr( $field->get_type() ); ?>"
name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>]"
id="<?php echo \esc_attr( $field->get_id() ); ?>"
value="<?php echo \esc_html( $field->get_label() ); ?>"
<?php
if ( $field->is_required() ) :
?>
required="required"<?php endif; ?>
<?php
if ( $field->is_disabled() ) :
?>
disabled="disabled"<?php endif; ?>
<?php
if ( $field->is_readonly() ) :
?>
readonly="readonly"<?php endif; ?>
/>
</p>
</td>
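Review bot: `foreach ( $field->get_attributes( [] ) as $key => $value )` reuses `$value`, the template variable declared in the header docblock, as its loop variable, so after the loop `$value` silently holds the last attribute value instead of the field value. Nothing in this hunk reads `$value` afterwards (the `value` attribute comes from `get_label()`), so nothing breaks today, but the select and button templates in this same commit use `$attr_val`/`$val` for the identical loop; renaming here removes the trap and keeps the templates consistent: `<?php foreach ( $field->get_attributes( [] ) as $key => $attr_val ) : ?>` with `<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $attr_val ); ?>"`.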
......
......@@ -4,12 +4,9 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*
*/
?>
<?php
if ( empty( $value ) || is_string( $value ) ) {
$input_values[] = '';
} else {
......@@ -18,11 +15,14 @@ if( empty( $value ) || is_string( $value ) ) {
?>
<div class="clone-element-container">
<?php foreach ( $input_values as $text_value ) : ?>
<?php if (!\in_array($field->get_type(), ['number', 'text', 'hidden'])): ?>
<input type="hidden" name="<?php echo $name_prefix.'['.$field->get_name().']'; ?>" value="no"/>
<?php if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
<input type="hidden" name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>" value="no"/>
<?php endif; ?>
<?php if ($field->get_type() === 'checkbox' && $field->has_sublabel()): ?><label><?php endif; ?>
<?php
if ( $field->get_type() === 'checkbox' && $field->has_sublabel() ) :
?>
<label><?php endif; ?>
<div class="clone-wrapper">
<input
type="<?php echo \esc_attr( $field->get_type() ); ?>"
......@@ -37,14 +37,25 @@ if( empty( $value ) || is_string( $value ) ) {
placeholder="<?php echo \esc_html( $field->get_placeholder() ); ?>"
<?php endif; ?>
<?php foreach ($field->get_attributes() as $key => $atr_val):
echo $key.'="'.\esc_attr($atr_val).'"'; ?>
<?php
foreach ( $field->get_attributes() as $key => $atr_val ) :
echo \esc_attr( $key ) . '="' . \esc_attr( $atr_val ) . '"';
?>
<?php endforeach; ?>
<?php if ($field->is_required()): ?>required="required"<?php endif; ?>
<?php if ($field->is_disabled()): ?>disabled="disabled"<?php endif; ?>
<?php if ($field->is_readonly()): ?>readonly="readonly"<?php endif; ?>
<?php if (\in_array($field->get_type(), ['number', 'text', 'hidden'])): ?>
<?php
if ( $field->is_required() ) :
?>
required="required"<?php endif; ?>
<?php
if ( $field->is_disabled() ) :
?>
disabled="disabled"<?php endif; ?>
<?php
if ( $field->is_readonly() ) :
?>
readonly="readonly"<?php endif; ?>
<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
value="<?php echo \esc_html( $text_value ); ?>"
<?php else : ?>
value="yes"
......
......@@ -4,14 +4,17 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*
*/
?>
<?php echo $renderer->render('input', [
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
'renderer' => $renderer,
'name_prefix' => $name_prefix,
'value' => $value,
]); ?>
]
)
);
<?php
/**
* @var \WPDesk\Forms\Field $field
* @var string $name_prefix
* @var string $value
*/
?>
<?php if (!\in_array($field->get_type(), ['number', 'text', 'hidden'])): ?>
<input type="hidden" name="<?php echo $name_prefix.'['.$field->get_name().']'; ?>" value="no"/>
if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
<input type="hidden" name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>" value="no"/>
<?php endif; ?>
<?php if ($field->get_type() === 'checkbox' && $field->has_sublabel()): ?><label><?php endif; ?>
<?php
if ( $field->get_type() === 'checkbox' && $field->has_sublabel() ) :
?>
<label><?php endif; ?>
<input
type="<?php echo \esc_attr( $field->get_type() ); ?>"
......@@ -26,14 +27,25 @@
placeholder="<?php echo \esc_html( $field->get_placeholder() ); ?>"
<?php endif; ?>
<?php foreach ($field->get_attributes() as $key => $atr_val):
echo $key.'="'.\esc_attr($atr_val).'"'; ?>
<?php
foreach ( $field->get_attributes() as $key => $atr_val ) :
echo \esc_attr( $key ) . '="' . \esc_attr( $atr_val ) . '"';
?>
<?php endforeach; ?>
<?php if ($field->is_required()): ?>required="required"<?php endif; ?>
<?php if ($field->is_disabled()): ?>disabled="disabled"<?php endif; ?>
<?php if ($field->is_readonly()): ?>readonly="readonly"<?php endif; ?>
<?php if (\in_array($field->get_type(), ['number', 'text', 'hidden'])): ?>
<?php
if ( $field->is_required() ) :
?>
required="required"<?php endif; ?>
<?php
if ( $field->is_disabled() ) :
?>
disabled="disabled"<?php endif; ?>
<?php
if ( $field->is_readonly() ) :
?>
readonly="readonly"<?php endif; ?>
<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
value="<?php echo \esc_html( $value ); ?>"
<?php else : ?>
value="yes"
......
<?php
/**
* @var \WPDesk\Forms\Field $field
* @var string $name_prefix
* @var string $value
*/
\wp_nonce_field( $field->get_meta_value( 'action' ), $name_prefix . '[' . $field->get_name() . ']' );
......@@ -4,12 +4,15 @@
* @var string $name_prefix
* @var string $value
*/
?>
<?php if ( $field->has_description() ): ?>
if ( $field->has_description() ) : ?>
<tr>
<td style="padding-left:0;" colspan="2">
<p <?php if ( $field->has_classes() ): ?>class="<?php echo $field->get_classes(); ?>"<?php endif; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
<p
<?php
if ( $field->has_classes() ) :
?>
class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
</td>
</tr>
<?php endif; ?>
<?php
/**
* @var \WPDesk\Forms\Field $field
* @var string $name_prefix
* @var string[] $value
*/
?>
<select class="wc-product-search" multiple="multiple" style="width: 50%;"
id="<?php echo esc_attr( $field->get_id() ); ?>"
name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>][]"
data-placeholder="<?php esc_attr_e( 'Search for a product&hellip;', 'woocommerce' ); ?>"
id="<?php echo \esc_attr( $field->get_id() ); ?>"
name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>][]"
data-placeholder="<?php \esc_attr_e( 'Search for a product&hellip;', 'wp-forms' ); ?>"
data-action="woocommerce_json_search_products_and_variations">
<?php
foreach ( (array) $value as $product_id ) {
$product = wc_get_product( $product_id );
if ( is_object( $product ) ) {
echo '<option value="' . esc_attr( $product_id ) . '"' . selected( true, true,
false ) . '>' . wp_kses_post( $product->get_formatted_name() ) . '</option>';
echo '<option value="' . \esc_attr( $product_id ) . '"' . selected(
true,
true,
false
) . '>' . wp_kses_post( $product->get_formatted_name() ) . '</option>';
}
}
?>
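Review bot: The text-domain switch from `'woocommerce'` to `'wp-forms'` on `'Search for a product&hellip;'` drops the translation WooCommerce already ships for that string, so the placeholder will appear untranslated until a `wp-forms` catalogue entry exists; if the intent is to keep using WooCommerce's catalogue, keep `'woocommerce'`, otherwise the string needs adding to this package's POT. Separately, `selected( true, true, false )` always returns `' selected="selected"'`, so the reflowed call can be replaced with the literal attribute, `echo '<option value="' . \esc_attr( $product_id ) . '" selected="selected">' . wp_kses_post( $product->get_formatted_name() ) . '</option>';`, which reads more directly.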
......
......@@ -4,26 +4,49 @@
* @var string $name_prefix
* @var mixed $value
*/
?>
<select
id="<?php echo esc_attr( $field->get_id() ); ?>"
<?php if ($field->has_classes()): ?>class="<?php echo esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>]<?php echo $field->is_multiple()? '[]' : ''; ?>"
id="<?php echo \esc_attr( $field->get_id() ); ?>"
<?php
if ( $field->has_classes() ) :
?>
class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>]<?php echo \esc_attr( $field->is_multiple() ) ? '[]' : ''; ?>"
<?php foreach ( $field->get_attributes() as $key => $attr_val ) : ?>
<?php echo esc_attr($key); ?>="<?php echo esc_attr($attr_val); ?>"
<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $attr_val ); ?>"
<?php endforeach; ?>
<?php if ($field->is_required()): ?>required="required"<?php endif; ?>
<?php if ($field->is_disabled()): ?>disabled="disabled"<?php endif; ?>
<?php if ($field->is_readonly()): ?>readonly="readonly"<?php endif; ?>
<?php if ($field->is_multiple()): ?>multiple="multiple"<?php endif; ?>
<?php
if ( $field->is_required() ) :
?>
required="required"<?php endif; ?>
<?php
if ( $field->is_disabled() ) :
?>
disabled="disabled"<?php endif; ?>
<?php
if ( $field->is_readonly() ) :
?>
readonly="readonly"<?php endif; ?>
<?php
if ( $field->is_multiple() ) :
?>
multiple="multiple"<?php endif; ?>
>
<?php if ( $field->has_placeholder() ): ?><option value=""><?php echo esc_html( $field->get_placeholder() ); ?></option><?php endif; ?>
<?php
if ( $field->has_placeholder() ) :
?>
<option value=""><?php echo \esc_html( $field->get_placeholder() ); ?></option><?php endif; ?>
<?php foreach ( $field->get_possible_values() as $possible_value => $label ) : ?>
<option
<?php if ( $possible_value === $value || (is_array($value) && in_array($possible_value, $value)) || (is_numeric($possible_value) && is_numeric($value) && (int) $possible_value === (int) $value )): ?>selected="selected"<?php endif; ?>
value="<?php echo esc_attr( $possible_value ); ?>"
><?php echo esc_html( $label ); ?></option>
<?php
if ( $possible_value === $value || ( is_array( $value ) && in_array( $possible_value, $value, true ) ) || ( is_numeric( $possible_value ) && is_numeric( $value ) && (int) $possible_value === (int) $value ) ) :
?>
selected="selected"<?php endif; ?>
value="<?php echo \esc_attr( $possible_value ); ?>"
><?php echo \esc_html( $label ); ?></option>
<?php endforeach; ?>
</select>
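Review bot: `in_array( $possible_value, $value, true )` with the strict flag changes which options are preselected for multi-selects: PHP converts numeric-string array keys to integers, so `$possible_value` may be an int while a saved `$value` array will typically hold strings, and `'1' === 1` no longer matches — the scalar branch of the same condition handles this with an `(int)` cast, but the array branch now does not. Consider normalising before comparing, e.g. `in_array( (string) $possible_value, array_map( 'strval', (array) $value ), true )`, or confirm that stored values are always typed like the option keys. Separately, `\esc_attr( $field->is_multiple() ) ? '[]' : ''` escapes a boolean rather than the emitted text; it happens to work because `esc_attr( false )` is `''`, but the intended form is `<?php echo $field->is_multiple() ? '[]' : ''; ?>`.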