fix(templates): add escaping templates from wp-forms 3.0

3b888336 · Marcin Kolanko · 82feec1b · 3b888336 · 3b888336 · 3b888336
Commit 3b888336 authored 3 years ago by Marcin Kolanko
--- a/templates/button.php
+++ b/templates/button.php
@@ -4,10 +4,9 @@
 * @var \WPDesk\View\Renderer\Renderer $renderer
 * @var string $name_prefix
 * @var string $value
- *
 * @var string $template_name Real field template.
- *
 */
+
 ?>

 <button
@@ -16,16 +15,21 @@
 <?php endif; ?>

 <?php foreach ( $field->get_attributes( [] ) as $key => $val ) : ?>
-	<?php echo $key.'="'.\esc_attr($val).'"'; ?>
+	<?php echo \esc_attr( $key ) . '="' . \esc_attr( $val ) . '"'; ?>
 <?php endforeach; ?>

 	type="<?php echo \esc_attr( $field->get_type() ); ?>"
-	name="<?php echo \esc_attr($name_prefix).'['.\esc_attr($field->get_name()).']'?>"
+	name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>"
 	id="<?php echo \esc_attr( $field->get_id() ); ?>"
 	value="<?php echo \esc_html( $value ); ?>"

-	<?php if ($field->is_required()): ?>required="required"<?php endif; ?>
-	<?php if ($field->is_disabled()): ?>disabled="disabled"<?php endif; ?>
-	<?php if ($field->is_readonly()): ?>readonly="readonly"<?php endif; ?>
+	<?php
+	if ( $field->is_disabled() ) :
+		?>
+		disabled="disabled"<?php endif; ?>
+	<?php
+	if ( $field->is_readonly() ) :
+		?>
+		readonly="readonly"<?php endif; ?>

 ><?php echo \esc_html( $field->get_label() ); ?></button>
--- a/templates/form-end.php
+++ b/templates/form-end.php
+<?php
+/**
+ * Form ending with hoverable tip snippet in js.
+ */
+
+?>
 </tbody>
 </table>
 </form>

--- a/templates/form-field.php
+++ b/templates/form-field.php
@@ -4,24 +4,30 @@
 * @var \WPDesk\View\Renderer\Renderer $renderer
 * @var string $name_prefix
 * @var string $value
- *
 * @var string $template_name Real field template.
- *
 */
+
 ?>

 <tr valign="top">
 	<?php if ( $field->has_label() ) : ?>
-		<?php echo $renderer->render( 'form-label', [ 'field' => $field ] ); ?>
+		<?php echo wp_kses_post( $renderer->render( 'form-label', [ 'field' => $field ] ) ); ?>
 	<?php endif; ?>

 	<td class="forminp">
-		<?php echo $renderer->render( $template_name, [
+		<?php
+		echo wp_kses_post(
+			$renderer->render(
+				$template_name,
+				[
 					'field'       => $field,
 					'renderer'    => $renderer,
 					'name_prefix' => $name_prefix,
 					'value'       => $value,
-		] ); ?>
+				]
+			)
+		);
+		?>

 		<?php if ( $field->has_description() ) : ?>
 			<p class="description"><?php echo wp_kses_post( $field->get_description() ); ?></p>

--- a/templates/form-label.php
+++ b/templates/form-label.php
@@ -4,11 +4,12 @@
 * @var string $name_prefix
 * @var string $value
 */
+
 ?>
 <th class="titledesc" scope="row">
-	<label for="<?php echo esc_attr( $field->get_id() ); ?>"><?php echo esc_html( $field->get_label() ); ?>
+	<label for="<?php echo \esc_attr( $field->get_id() ); ?>"><?php echo \esc_html( $field->get_label() ); ?>
 		<?php if ( $field->has_description_tip() ) : ?>
-			<?php echo wc_help_tip($field->get_description_tip()); ?>
+			<?php echo esc_html( wc_help_tip( $field->get_description_tip() ) ); ?>
 		<?php endif ?>
 	</label>
 </th>
--- a/templates/form-start.php
+++ b/templates/form-start.php
@@ -2,9 +2,10 @@
 /**
 * @var \WPDesk\Forms\Form\FormWithFields $form
 */
+
 ?>
-<form class="wrap woocommerce" method="<?php echo esc_attr($form->get_method()); ?>" action="<?php echo esc_attr($form->get_action()); ?>">
-	<h2 style="display:none;"></h2><?php // All admin notices will be moved here by WP js ?>
+<form class="wrap woocommerce" method="<?php echo \esc_attr( $form->get_method() ); ?>" action="<?php echo \esc_attr( $form->get_action() ); ?>">
+	<h2 style="display:none;"></h2><?php // All admin notices will be moved here by WP js. ?>

 	<table class="form-table">
 		<tbody>
--- a/templates/header.php
+++ b/templates/header.php
@@ -10,9 +10,9 @@ $classes     = $field->has_classes() ? 'class="' . esc_attr( $field->get_classes
 ?>

 <?php if ( $field->has_label() ) : ?>
-	<h<?php echo $header_size; ?> <?php echo $classes; ?>><?php echo esc_html( $field->get_label() ); ?></h<?php echo $header_size; ?>>
+	<h<?php echo \esc_attr( $header_size ); ?> <?php echo \esc_attr( $classes ); ?>><?php echo \esc_html( $field->get_label() ); ?></h<?php echo \esc_attr( $header_size ); ?>>
 <?php endif; ?>

 <?php if ( $field->has_description() ) : ?>
-	<p <?php echo $classes; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
+	<p <?php echo \esc_attr( $classes ); ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
 <?php endif; ?>
--- a/templates/input-checkbox.php
+++ b/templates/input-checkbox.php
@@ -4,15 +4,20 @@
 * @var \WPDesk\View\Renderer\Renderer $renderer
 * @var string $name_prefix
 * @var string $value
- *
 * @var string $template_name Real field template.
- *
 */
+
 ?>

-<?php echo $renderer->render('input', [
+<?php
+echo wp_kses_post(
+	$renderer->render(
+		'input',
+		[
 			'field'       => $field,
 			'renderer'    => $renderer,
 			'name_prefix' => $name_prefix,
 			'value'       => $value,
-]); ?>
+		]
+	)
+);
--- a/templates/input-date-picker.php
+++ b/templates/input-date-picker.php
 <?php
-
 /**
 * @var \WPDesk\Forms\Field $field
 * @var \WPDesk\View\Renderer\Renderer $renderer
 * @var string $name_prefix
 * @var string $value
- *
 * @var string $template_name Real field template.
- *
 */
-echo $renderer->render('input', ['field' => $field, 'renderer' => $renderer, 'name_prefix' => $name_prefix, 'value' => $value]);
+
+echo wp_kses_post(
+	$renderer->render(
+		'input',
+		[
+			'field'       => $field,
+			'renderer'    => $renderer,
+			'name_prefix' => $name_prefix,
+			'value'       => $value,
+		]
+	)
+);
--- a/templates/input-hidden.php
+++ b/templates/input-hidden.php
@@ -4,14 +4,19 @@
 * @var \WPDesk\View\Renderer\Renderer $renderer
 * @var string $name_prefix
 * @var string $value
- *
 * @var string $template_name Real field template.
- *
 */
+
 ?>
-<?php echo $renderer->render('input', [
+<?php
+echo wp_kses_post(
+	$renderer->render(
+		'input',
+		[
 			'field'       => $field,
 			'renderer'    => $renderer,
 			'name_prefix' => $name_prefix,
 			'value'       => $value,
-]); ?>
+		]
+	)
+);
--- a/templates/input-image.php
+++ b/templates/input-image.php
@@ -7,28 +7,28 @@

 $media_container_id = 'media_' . sanitize_key( $field->get_id() );
 ?>
-<div class="media-input-wrapper" id="<?php echo $media_container_id; ?>">
+<div class="media-input-wrapper" id="<?php echo \esc_attr( $media_container_id ); ?>">
 	<input type="hidden" class="image-field-value" value="<?php echo \esc_html( $value ); ?>"
 			name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>"
 			id="<?php echo \esc_attr( $field->get_id() ); ?>"/>
 	<div class="custom-img-container">
 		<?php if ( $value ) : ?>
-            <img src="<?php echo \esc_html( $value ) ?>" alt="" width="100"/>
+            <img src="<?php echo \esc_url( $value ) ?>" alt="" width="100"/>
 		<?php endif; ?>
    </div>
    <p class="hide-if-no-js">
-        <a class="upload-custom-img <?php if ( $value ): ?>hidden<?php endif ?>" href="<?php echo \esc_html( $value ) ?>">
-			<?php _e( 'Set image', 'wp-forms' ) ?>
+        <a class="upload-custom-img <?php if ( $value ): ?>hidden<?php endif ?>" href="<?php echo \esc_url( $value ) ?>">
+			<?php \esc_html_e( 'Set image', 'wp-forms' ) ?>
        </a>
        <a class="delete-custom-img <?php if ( ! $value ): ?>hidden<?php endif ?>" href="#">
-			<?php _e( 'Remove image', 'wp-forms' ) ?>
+			<?php \esc_html_e( 'Remove image', 'wp-forms' ) ?>
        </a>
    </p>
 </div>
 <script>
 	jQuery( function ( $ ) {
 		var frame,
-			metaBox = $( '#<?php echo esc_attr( $media_container_id ); ?>' ),
+			metaBox = $( '#<?php echo \esc_attr( $media_container_id ); ?>' ),
 			addImgLink = metaBox.find( '.upload-custom-img' ),
 			delImgLink = metaBox.find( '.delete-custom-img' ),
 			imgContainer = metaBox.find( '.custom-img-container' ),
@@ -42,9 +42,9 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() );
 			}

 			frame = wp.media( {
-				title: <?php _e( 'Select or Upload Media', 'wp-forms' ); ?>,
+				title: <?php esc_html_e( 'Select or Upload Media', 'wp-forms' ); ?>,
 				button: {
-					text: <?php _e( 'Use this media', 'wp-forms' ); ?>
+					text: <?php esc_html_e( 'Use this media', 'wp-forms' ); ?>
 				},
 				library: {
 					type: ['image']

--- a/templates/input-number.php
+++ b/templates/input-number.php
 <?php
-
 /**
 * @var \WPDesk\Forms\Field $field
 * @var \WPDesk\View\Renderer\Renderer $renderer
 * @var string $name_prefix
 * @var string $value
- *
 * @var string $template_name Real field template.
- *
 */
-echo $renderer->render('input', ['field' => $field, 'renderer' => $renderer, 'name_prefix' => $name_prefix, 'value' => $value]);
+
+echo wp_kses_post(
+	$renderer->render(
+		'input',
+		[
+			'field'       => $field,
+			'renderer'    => $renderer,
+			'name_prefix' => $name_prefix,
+			'value'       => $value,
+		]
+	)
+);
--- a/templates/input-radio.php
+++ b/templates/input-radio.php
@@ -4,14 +4,19 @@
 * @var \WPDesk\View\Renderer\Renderer $renderer
 * @var string $name_prefix
 * @var string $value
- *
 * @var string $template_name Real field template.
- *
 */
+
 ?>
-<?php echo $renderer->render('input', [
+<?php
+echo wp_kses_post(
+	$renderer->render(
+		'input',
+		[
 			'field'       => $field,
 			'renderer'    => $renderer,
 			'name_prefix' => $name_prefix,
 			'value'       => $value,
-]); ?>
+		]
+	)
+);
--- a/templates/input-submit.php
+++ b/templates/input-submit.php
@@ -4,27 +4,38 @@
 * @var \WPDesk\View\Renderer\Renderer $renderer
 * @var string $name_prefix
 * @var string $value
- *
 * @var string $template_name Real field template.
- *
 */
+
 ?>

 <tr>
 	<td style="padding-left:0;">
 		<p class="submit">
 			<input
-				<?php if ( $field->has_classes() ): ?>class="<?php echo esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
+				<?php
+				if ( $field->has_classes() ) :
+					?>
+					class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
 				<?php foreach ( $field->get_attributes( [] ) as $key => $value ) : ?>
-					<?php echo $key ?>="<?php echo esc_attr( $value ); ?>"
+					<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $value ); ?>"
 				<?php endforeach; ?>
-				type="<?php echo esc_attr( $field->get_type() ); ?>"
-				name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>]"
-				id="<?php echo esc_attr( $field->get_id() ); ?>"
-				value="<?php echo esc_html( $field->get_label() ); ?>"
-				<?php if ( $field->is_required() ): ?>required="required"<?php endif; ?>
-				<?php if ( $field->is_disabled() ): ?>disabled="disabled"<?php endif; ?>
-				<?php if ( $field->is_readonly() ): ?>readonly="readonly"<?php endif; ?>
+				type="<?php echo \esc_attr( $field->get_type() ); ?>"
+				name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>]"
+				id="<?php echo \esc_attr( $field->get_id() ); ?>"
+				value="<?php echo \esc_html( $field->get_label() ); ?>"
+				<?php
+				if ( $field->is_required() ) :
+					?>
+					required="required"<?php endif; ?>
+				<?php
+				if ( $field->is_disabled() ) :
+					?>
+					disabled="disabled"<?php endif; ?>
+				<?php
+				if ( $field->is_readonly() ) :
+					?>
+					readonly="readonly"<?php endif; ?>
 			/>
 		</p>
 	</td>

--- a/templates/input-text-multiple.php
+++ b/templates/input-text-multiple.php
@@ -4,12 +4,9 @@
 * @var \WPDesk\View\Renderer\Renderer $renderer
 * @var string $name_prefix
 * @var string $value
- *
 * @var string $template_name Real field template.
- *
 */
-?>
-<?php
+
 if ( empty( $value ) || is_string( $value ) ) {
 	$input_values[] = '';
 } else {
@@ -18,11 +15,14 @@ if( empty( $value ) || is_string( $value ) ) {
 ?>
 <div class="clone-element-container">
 <?php foreach ( $input_values as $text_value ) : ?>
-<?php if (!\in_array($field->get_type(), ['number', 'text', 'hidden'])): ?>
-	<input type="hidden" name="<?php echo $name_prefix.'['.$field->get_name().']'; ?>" value="no"/>
+	<?php if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
+	<input type="hidden" name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>" value="no"/>
 <?php endif; ?>

-<?php if ($field->get_type() === 'checkbox' && $field->has_sublabel()): ?><label><?php endif; ?>
+	<?php
+	if ( $field->get_type() === 'checkbox' && $field->has_sublabel() ) :
+		?>
+		<label><?php endif; ?>
 	<div class="clone-wrapper">
 	<input
 		type="<?php echo \esc_attr( $field->get_type() ); ?>"
@@ -37,14 +37,25 @@ if( empty( $value ) || is_string( $value ) ) {
 			placeholder="<?php echo \esc_html( $field->get_placeholder() ); ?>"
 		<?php endif; ?>

-		<?php foreach ($field->get_attributes() as $key => $atr_val):
-			echo $key.'="'.\esc_attr($atr_val).'"'; ?>
+		<?php
+		foreach ( $field->get_attributes() as $key => $atr_val ) :
+			echo \esc_attr( $key ) . '="' . \esc_attr( $atr_val ) . '"';
+			?>
 		<?php endforeach; ?>

-		<?php if ($field->is_required()): ?>required="required"<?php endif; ?>
-		<?php if ($field->is_disabled()): ?>disabled="disabled"<?php endif; ?>
-		<?php if ($field->is_readonly()): ?>readonly="readonly"<?php endif; ?>
-		<?php if (\in_array($field->get_type(), ['number', 'text', 'hidden'])): ?>
+		<?php
+		if ( $field->is_required() ) :
+			?>
+			required="required"<?php endif; ?>
+		<?php
+		if ( $field->is_disabled() ) :
+			?>
+			disabled="disabled"<?php endif; ?>
+		<?php
+		if ( $field->is_readonly() ) :
+			?>
+			readonly="readonly"<?php endif; ?>
+		<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
 			value="<?php echo \esc_html( $text_value ); ?>"
 		<?php else : ?>
 			value="yes"

--- a/templates/input-text.php
+++ b/templates/input-text.php
@@ -4,14 +4,17 @@
 * @var \WPDesk\View\Renderer\Renderer $renderer
 * @var string $name_prefix
 * @var string $value
- *
 * @var string $template_name Real field template.
- *
 */
-?>
-<?php echo $renderer->render('input', [
+
+echo wp_kses_post(
+	$renderer->render(
+		'input',
+		[
 			'field'       => $field,
 			'renderer'    => $renderer,
 			'name_prefix' => $name_prefix,
 			'value'       => $value,
-]); ?>
+		]
+	)
+);
--- a/templates/input.php
+++ b/templates/input.php
 <?php
-
 /**
 * @var \WPDesk\Forms\Field $field
 * @var string $name_prefix
 * @var string $value
 */
-?>

-<?php if (!\in_array($field->get_type(), ['number', 'text', 'hidden'])): ?>
-	<input type="hidden" name="<?php echo $name_prefix.'['.$field->get_name().']'; ?>" value="no"/>
+if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
+	<input type="hidden" name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>" value="no"/>
 <?php endif; ?>

-<?php if ($field->get_type() === 'checkbox' && $field->has_sublabel()): ?><label><?php endif; ?>
+<?php
+if ( $field->get_type() === 'checkbox' && $field->has_sublabel() ) :
+	?>
+	<label><?php endif; ?>

 <input
 	type="<?php echo \esc_attr( $field->get_type() ); ?>"
@@ -26,14 +27,25 @@
 		placeholder="<?php echo \esc_html( $field->get_placeholder() ); ?>"
 	<?php endif; ?>

-	<?php foreach ($field->get_attributes() as $key => $atr_val):
-        echo $key.'="'.\esc_attr($atr_val).'"'; ?>
+	<?php
+	foreach ( $field->get_attributes() as $key => $atr_val ) :
+		echo \esc_attr( $key ) . '="' . \esc_attr( $atr_val ) . '"';
+		?>
 	<?php endforeach; ?>

-	<?php if ($field->is_required()): ?>required="required"<?php endif; ?>
-	<?php if ($field->is_disabled()): ?>disabled="disabled"<?php endif; ?>
-	<?php if ($field->is_readonly()): ?>readonly="readonly"<?php endif; ?>
-	<?php if (\in_array($field->get_type(), ['number', 'text', 'hidden'])): ?>
+	<?php
+	if ( $field->is_required() ) :
+		?>
+		required="required"<?php endif; ?>
+	<?php
+	if ( $field->is_disabled() ) :
+		?>
+		disabled="disabled"<?php endif; ?>
+	<?php
+	if ( $field->is_readonly() ) :
+		?>
+		readonly="readonly"<?php endif; ?>
+	<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
 		value="<?php echo \esc_html( $value ); ?>"
 	<?php else : ?>
 		value="yes"

--- a/templates/noonce.php
+++ b/templates/noonce.php
 <?php
-
 /**
 * @var \WPDesk\Forms\Field $field
 * @var string $name_prefix
 * @var string $value
 */
+
 \wp_nonce_field( $field->get_meta_value( 'action' ), $name_prefix . '[' . $field->get_name() . ']' );
--- a/templates/paragraph.php
+++ b/templates/paragraph.php
@@ -4,12 +4,15 @@
 * @var string $name_prefix
 * @var string $value
 */
-?>

-<?php if ( $field->has_description() ): ?>
+if ( $field->has_description() ) : ?>
 	<tr>
 		<td style="padding-left:0;" colspan="2">
-			<p <?php if ( $field->has_classes() ): ?>class="<?php echo $field->get_classes(); ?>"<?php endif; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
+			<p
+			<?php
+			if ( $field->has_classes() ) :
+				?>
+				class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
 		</td>
 	</tr>
 <?php endif; ?>
--- a/templates/product-select.php
+++ b/templates/product-select.php
 <?php
-
 /**
 * @var \WPDesk\Forms\Field $field
 * @var string $name_prefix
 * @var string[] $value
 */
+
 ?>

 <select class="wc-product-search" multiple="multiple" style="width: 50%;"
-        id="<?php echo esc_attr( $field->get_id() ); ?>"
-        name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>][]"
-        data-placeholder="<?php esc_attr_e( 'Search for a product&hellip;', 'woocommerce' ); ?>"
+		id="<?php echo \esc_attr( $field->get_id() ); ?>"
+		name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>][]"
+		data-placeholder="<?php \esc_attr_e( 'Search for a product&hellip;', 'wp-forms' ); ?>"
 		data-action="woocommerce_json_search_products_and_variations">
 	<?php
 	foreach ( (array) $value as $product_id ) {
 		$product = wc_get_product( $product_id );
 		if ( is_object( $product ) ) {
-			echo '<option value="' . esc_attr( $product_id ) . '"' . selected( true, true,
-					false ) . '>' . wp_kses_post( $product->get_formatted_name() ) . '</option>';
+			echo '<option value="' . \esc_attr( $product_id ) . '"' . selected(
+				true,
+				true,
+				false
+			) . '>' . wp_kses_post( $product->get_formatted_name() ) . '</option>';
 		}
 	}
 	?>

--- a/templates/select.php
+++ b/templates/select.php
@@ -4,26 +4,49 @@
 * @var string $name_prefix
 * @var mixed $value
 */
+
 ?>
+
 <select
-	id="<?php echo esc_attr( $field->get_id() ); ?>"
-	<?php if ($field->has_classes()): ?>class="<?php echo esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
-	name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>]<?php echo $field->is_multiple()? '[]' : ''; ?>"
+	id="<?php echo \esc_attr( $field->get_id() ); ?>"
+	<?php
+	if ( $field->has_classes() ) :
+		?>
+		class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
+	name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>]<?php echo \esc_attr( $field->is_multiple() ) ? '[]' : ''; ?>"
 	<?php foreach ( $field->get_attributes() as $key => $attr_val ) : ?>
-		<?php echo esc_attr($key); ?>="<?php echo esc_attr($attr_val); ?>"
+		<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $attr_val ); ?>"
 	<?php endforeach; ?>

-	<?php if ($field->is_required()): ?>required="required"<?php endif; ?>
-	<?php if ($field->is_disabled()): ?>disabled="disabled"<?php endif; ?>
-	<?php if ($field->is_readonly()): ?>readonly="readonly"<?php endif; ?>
-	<?php if ($field->is_multiple()): ?>multiple="multiple"<?php endif; ?>
+	<?php
+	if ( $field->is_required() ) :
+		?>
+		required="required"<?php endif; ?>
+	<?php
+	if ( $field->is_disabled() ) :
+		?>
+		disabled="disabled"<?php endif; ?>
+	<?php
+	if ( $field->is_readonly() ) :
+		?>
+		readonly="readonly"<?php endif; ?>
+	<?php
+	if ( $field->is_multiple() ) :
+		?>
+		multiple="multiple"<?php endif; ?>
 >
-	<?php if ( $field->has_placeholder() ): ?><option value=""><?php echo esc_html( $field->get_placeholder() ); ?></option><?php endif; ?>
+	<?php
+	if ( $field->has_placeholder() ) :
+		?>
+		<option value=""><?php echo \esc_html( $field->get_placeholder() ); ?></option><?php endif; ?>

 	<?php foreach ( $field->get_possible_values() as $possible_value => $label ) : ?>
 		<option
-			<?php if ( $possible_value === $value || (is_array($value) && in_array($possible_value, $value)) || (is_numeric($possible_value) && is_numeric($value) && (int) $possible_value === (int) $value )): ?>selected="selected"<?php endif; ?>
-			value="<?php echo esc_attr( $possible_value ); ?>"
-		><?php echo esc_html( $label ); ?></option>
+			<?php
+			if ( $possible_value === $value || ( is_array( $value ) && in_array( $possible_value, $value, true ) ) || ( is_numeric( $possible_value ) && is_numeric( $value ) && (int) $possible_value === (int) $value ) ) :
+				?>
+				selected="selected"<?php endif; ?>
+			value="<?php echo \esc_attr( $possible_value ); ?>"
+		><?php echo \esc_html( $label ); ?></option>
 	<?php endforeach; ?>
 </select>