Unverified Commit 47c8e032 authored by Bartek Jaskulski's avatar Bartek Jaskulski

feat: add escaping functions in templates

parent 7596dd72
Showing
with 136 additions and 123 deletions
......@@ -31,7 +31,7 @@
-->
<!-- Define plugin text domain for i18n. -->
<config name="text_domain" value="shopmagic-for-woocommerce"/>
<config name="text_domain" value="wp-forms"/>
<!-- This value should be aligned with WordPress support version declared in plugin header -->
<config name="minimum_supported_wp_version" value="5.0"/>
......
......@@ -4,7 +4,6 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
......@@ -16,7 +15,7 @@
<?php endif; ?>
<?php foreach ( $field->get_attributes( [] ) as $key => $val ) : ?>
<?php echo $key . '="' . \esc_attr( $val ) . '"'; ?>
<?php echo \esc_attr( $key ) . '="' . \esc_attr( $val ) . '"'; ?>
<?php endforeach; ?>
type="<?php echo \esc_attr( $field->get_type() ); ?>"
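Review bot: `\esc_attr( $key )` on the attribute name only encodes characters, so it stops the key from breaking out of the attribute syntax but does not constrain which attribute is emitted; if the keys returned by `get_attributes()` can originate outside the codebase (stored settings, user-editable config), validate them against an allowlist of expected attribute names rather than relying on escaping alone. If the keys are always defined in code, a short comment above the loop would record that, e.g. `<?php // Attribute keys are defined in code; esc_attr() only guards the attribute syntax. ?>`. The same pattern is used in the later `foreach ( $field->get_attributes() ...` hunks on this page, where the same reasoning applies.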
......
<?php
/**
* Form ending with hoverable tip snippet in js.
*/
?>
</tbody>
</table>
</form>
......
......@@ -4,19 +4,20 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<tr valign="top">
<?php if ( $field->has_label() ) : ?>
<?php echo $renderer->render( 'form-label', [ 'field' => $field ] ); ?>
<?php echo wp_kses_post( $renderer->render( 'form-label', [ 'field' => $field ] ) ); ?>
<?php endif; ?>
<td class="forminp">
<?php
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
$template_name,
[
'field' => $field,
......@@ -24,6 +25,7 @@
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
?>
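Review bot: Wrapping `$renderer->render( $template_name, ... )` in `wp_kses_post()` will strip the form controls that the field templates emit: the `input`, `select` and `option` elements visible in later hunks of this commit are, as far as I recall, not in wp_kses_post's allowed post tags (only `textarea`, `label`, `button` and similar are), so the rendered field is removed or mangled. The child templates already escape their own output in this commit, so the outer wrap is a second sanitization pass at the wrong layer. Either echo the rendered template directly with an annotation such as `// phpcs:ignore WordPress.Security.EscapeOutput -- output is escaped inside the field template`, or pass `wp_kses()` an explicit allowlist that covers the form elements and attributes the templates use. The `wp_kses_post( $renderer->render( 'form-label', ... ) )` wrap above is less affected since `th` and `label` survive, but the same `wp_kses_post( $renderer->render( 'input', ... ) )` wrap appears in six later hunks on this page and has the same problem.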
......
......@@ -4,11 +4,12 @@
* @var string $name_prefix
* @var string $value
*/
?>
<th class="titledesc" scope="row">
<label for="<?php echo esc_attr( $field->get_id() ); ?>"><?php echo esc_html( $field->get_label() ); ?>
<label for="<?php echo \esc_attr( $field->get_id() ); ?>"><?php echo \esc_html( $field->get_label() ); ?>
<?php if ( $field->has_description_tip() ) : ?>
<?php echo wc_help_tip( $field->get_description_tip() ); ?>
<?php echo esc_html( wc_help_tip( $field->get_description_tip() ) ); ?>
<?php endif ?>
</label>
</th>
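Review bot: `esc_html( wc_help_tip( ... ) )` will print the tooltip markup as literal text: wc_help_tip() returns an HTML `span` (with the tip text already escaped into its attributes, as far as I recall), and esc_html encodes its angle brackets. Use an HTML-aware sanitizer for that output instead, `<?php echo wp_kses_post( wc_help_tip( $field->get_description_tip() ) ); ?>`. The `label` element opened two lines above is closed within the hunk, so this is the only place the tip is emitted.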
......@@ -2,9 +2,10 @@
/**
* @var \WPDesk\Forms\Form\FormWithFields $form
*/
?>
<form class="wrap woocommerce" method="<?php echo esc_attr( $form->get_method() ); ?>" action="<?php echo esc_attr( $form->get_action() ); ?>">
<h2 style="display:none;"></h2><?php // All admin notices will be moved here by WP js ?>
<form class="wrap woocommerce" method="<?php echo \esc_attr( $form->get_method() ); ?>" action="<?php echo \esc_attr( $form->get_action() ); ?>">
<h2 style="display:none;"></h2><?php // All admin notices will be moved here by WP js. ?>
<table class="form-table">
<tbody>
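Review bot: `\esc_attr( $form->get_action() )` escapes a URL in an `action` attribute; `esc_url()` is the context-appropriate WordPress escaper there, since it encodes for attribute context and also rejects disallowed protocols: `action="<?php echo \esc_url( $form->get_action() ); ?>"`. `esc_attr` on `get_method()` is fine. The same applies to the `src` and `href` attributes built from `$value` in the image template hunk later on this page.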
......@@ -11,9 +11,9 @@ $classes = $field->has_classes() ? 'class="' . esc_attr( $field->get_classes
?>
<?php if ( $field->has_label() ) : ?>
<h<?php echo $header_size; ?> <?php echo $classes; ?>><?php echo esc_html( $field->get_label() ); ?></h<?php echo $header_size; ?>>
<h<?php echo \esc_attr( $header_size ); ?> <?php echo \esc_attr( $classes ); ?>><?php echo \esc_html( $field->get_label() ); ?></h<?php echo \esc_attr( $header_size ); ?>>
<?php endif; ?>
<?php if ( $field->has_description() ) : ?>
<p <?php echo $classes; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
<p <?php echo \esc_attr( $classes ); ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
<?php endif; ?>
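Review bot: `\esc_attr( $classes )` double-encodes: `$classes` is built on the hunk's header line as `'class="' . esc_attr( $field->get_classes() ) ...`, a complete attribute including its quotes, so escaping it again turns those quotes into `&quot;` and breaks the attribute on both the heading and the `p`. Either echo the pre-built string as is with a phpcs ignore comment explaining it is already escaped, or drop the pre-built variable and write the attribute inline: `<?php if ( $field->has_classes() ) : ?> class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>`. Separately, `\esc_attr( $header_size )` is interpolated into the tag name, where escaping does not constrain the value to a heading level; an `(int)` cast with a 1–6 range check is the more meaningful guard, assuming `$header_size` comes from configuration above the hunk.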
......@@ -4,14 +4,14 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<?php
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
......@@ -19,4 +19,5 @@ echo $renderer->render(
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
<?php
/**
* @var \WPDesk\Forms\Field $field
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
......@@ -16,4 +16,5 @@ echo $renderer->render(
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
......@@ -4,12 +4,13 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<?php
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
......@@ -17,4 +18,5 @@ echo $renderer->render(
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
......@@ -7,13 +7,13 @@
$media_container_id = 'media_' . sanitize_key( $field->get_id() );
?>
<div class="media-input-wrapper" id="<?php echo esc_attr( $media_container_id ); ?>">
<div class="media-input-wrapper" id="<?php echo \esc_attr( $media_container_id ); ?>">
<input type="hidden" class="image-field-value" value="<?php echo \esc_html( $value ); ?>"
name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>"
id="<?php echo \esc_attr( $field->get_id() ); ?>"/>
<div class="custom-img-container">
<?php if ( $value ) : ?>
<img src="<?php echo $value; ?>" alt="" width="100"/>
<img src="<?php echo \esc_attr( $value ); ?>" alt="" width="100"/>
<?php endif; ?>
</div>
<p class="hide-if-no-js">
......@@ -21,22 +21,22 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() );
<?php
if ( $value ) :
?>
hidden<?php endif ?>" href="<?php echo $value; ?>">
<?php _e( 'Set image', 'wp-forms' ); ?>
hidden<?php endif ?>" href="<?php echo \esc_attr( $value ); ?>">
<?php esc_html_e( 'Set image', 'wp-forms' ); ?>
</a>
<a class="delete-custom-img
<?php
if ( ! $value ) :
?>
hidden<?php endif ?>" href="#">
<?php _e( 'Remove image', 'wp-forms' ); ?>
<?php esc_html_e( 'Remove image', 'wp-forms' ); ?>
</a>
</p>
</div>
<script>
jQuery( function ( $ ) {
var frame,
metaBox = $( '#<?php echo esc_attr( $media_container_id ); ?>' ),
metaBox = $( '#<?php echo \esc_attr( $media_container_id ); ?>' ),
addImgLink = metaBox.find( '.upload-custom-img' ),
delImgLink = metaBox.find( '.delete-custom-img' ),
imgContainer = metaBox.find( '.custom-img-container' ),
......@@ -50,9 +50,9 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() );
}
frame = wp.media( {
title: <?php _e( 'Select or Upload Media', 'wp-forms' ); ?>,
title: <?php esc_html_e( 'Select or Upload Media', 'wp-forms' ); ?>,
button: {
text: <?php _e( 'Use this media', 'wp-forms' ); ?>
text: <?php esc_html_e( 'Use this media', 'wp-forms' ); ?>
},
library: {
type: ['image']
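Review bot: `esc_html_e()` is the wrong escaper for the JavaScript string context on the `title:` and `text:` lines: it HTML-encodes (an apostrophe becomes `&#039;` inside the script) and, as shown on this page, the value is not quoted at all, so the object literal is invalid unless the quotes were lost in rendering. Emitting a properly quoted JS string fixes both, e.g. `title: <?php echo wp_json_encode( __( 'Select or Upload Media', 'wp-forms' ) ); ?>,` and likewise for `text:`. In the markup above, `value="<?php echo \esc_html( $value ); ?>"` on the hidden input is attribute context and should use `\esc_attr`, and the `src`/`href` uses of `$value` should use `\esc_url`. The jQuery callback that starts in this section continues past the hunk.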
......
<?php
/**
* @var \WPDesk\Forms\Field $field
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
......@@ -16,4 +16,5 @@ echo $renderer->render(
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
......@@ -4,12 +4,13 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<?php
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
......@@ -17,4 +18,5 @@ echo $renderer->render(
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
......@@ -4,9 +4,9 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<tr>
......@@ -16,14 +16,14 @@
<?php
if ( $field->has_classes() ) :
?>
class="<?php echo esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
<?php foreach ( $field->get_attributes( [] ) as $key => $value ) : ?>
<?php echo $key; ?>="<?php echo esc_attr( $value ); ?>"
<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $value ); ?>"
<?php endforeach; ?>
type="<?php echo esc_attr( $field->get_type() ); ?>"
name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>]"
id="<?php echo esc_attr( $field->get_id() ); ?>"
value="<?php echo esc_html( $field->get_label() ); ?>"
type="<?php echo \esc_attr( $field->get_type() ); ?>"
name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>]"
id="<?php echo \esc_attr( $field->get_id() ); ?>"
value="<?php echo \esc_html( $field->get_label() ); ?>"
<?php
if ( $field->is_required() ) :
?>
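Review bot: `value="<?php echo \esc_html( $field->get_label() ); ?>"` is attribute context, so `\esc_attr( $field->get_label() )` is the correct escaper; esc_html leaves characters that matter inside a quoted attribute differently encoded than esc_attr does. The `input` element these attributes belong to opens before the hunk. Note also that `foreach ( $field->get_attributes( [] ) as $key => $value )` reuses `$value`, the template variable documented in the docblock, so anything after the loop that reads `$value` sees the last attribute value instead.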
......
......@@ -4,11 +4,9 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<?php
if ( empty( $value ) || is_string( $value ) ) {
$input_values[] = '';
} else {
......@@ -17,8 +15,8 @@ if ( empty( $value ) || is_string( $value ) ) {
?>
<div class="clone-element-container">
<?php foreach ( $input_values as $text_value ) : ?>
<?php if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ] ) ) : ?>
<input type="hidden" name="<?php echo $name_prefix . '[' . $field->get_name() . ']'; ?>" value="no"/>
<?php if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
<input type="hidden" name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>" value="no"/>
<?php endif; ?>
<?php
......@@ -41,7 +39,7 @@ if ( empty( $value ) || is_string( $value ) ) {
<?php
foreach ( $field->get_attributes() as $key => $atr_val ) :
echo $key . '="' . \esc_attr( $atr_val ) . '"';
echo \esc_attr( $key ) . '="' . \esc_attr( $atr_val ) . '"';
?>
<?php endforeach; ?>
......@@ -57,7 +55,7 @@ if ( empty( $value ) || is_string( $value ) ) {
if ( $field->is_readonly() ) :
?>
readonly="readonly"<?php endif; ?>
<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ] ) ) : ?>
<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
value="<?php echo \esc_html( $text_value ); ?>"
<?php else : ?>
value="yes"
......
......@@ -4,12 +4,11 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<?php
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
......@@ -17,4 +16,5 @@ echo $renderer->render(
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
<?php
/**
* @var \WPDesk\Forms\Field $field
* @var string $name_prefix
* @var string $value
*/
?>
<?php if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ] ) ) : ?>
<input type="hidden" name="<?php echo $name_prefix . '[' . $field->get_name() . ']'; ?>" value="no"/>
if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
<input type="hidden" name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>" value="no"/>
<?php endif; ?>
<?php
......@@ -31,7 +29,7 @@ if ( $field->get_type() === 'checkbox' && $field->has_sublabel() ) :
<?php
foreach ( $field->get_attributes() as $key => $atr_val ) :
echo $key . '="' . \esc_attr( $atr_val ) . '"';
echo \esc_attr( $key ) . '="' . \esc_attr( $atr_val ) . '"';
?>
<?php endforeach; ?>
......@@ -47,7 +45,7 @@ if ( $field->get_type() === 'checkbox' && $field->has_sublabel() ) :
if ( $field->is_readonly() ) :
?>
readonly="readonly"<?php endif; ?>
<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ] ) ) : ?>
<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
value="<?php echo \esc_html( $value ); ?>"
<?php else : ?>
value="yes"
......
......@@ -4,16 +4,15 @@
* @var string $name_prefix
* @var string $value
*/
?>
<?php if ( $field->has_description() ) : ?>
if ( $field->has_description() ) : ?>
<tr>
<td style="padding-left:0;" colspan="2">
<p
<?php
if ( $field->has_classes() ) :
?>
class="<?php echo $field->get_classes(); ?>"<?php endif; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
</td>
</tr>
<?php endif; ?>
......@@ -8,15 +8,15 @@
?>
<select class="wc-product-search" multiple="multiple" style="width: 50%;"
id="<?php echo esc_attr( $field->get_id() ); ?>"
name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>][]"
data-placeholder="<?php esc_attr_e( 'Search for a product&hellip;', 'woocommerce' ); ?>"
id="<?php echo \esc_attr( $field->get_id() ); ?>"
name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>][]"
data-placeholder="<?php \esc_attr_e( 'Search for a product&hellip;', 'wp-forms' ); ?>"
data-action="woocommerce_json_search_products_and_variations">
<?php
foreach ( (array) $value as $product_id ) {
$product = wc_get_product( $product_id );
if ( is_object( $product ) ) {
echo '<option value="' . esc_attr( $product_id ) . '"' . selected(
echo '<option value="' . \esc_attr( $product_id ) . '"' . selected(
true,
true,
false
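Review bot: Changing the text domain of `'Search for a product&hellip;'` from `woocommerce` to `wp-forms` means the string is no longer looked up in WooCommerce's translation catalog; unless it is also added to this plugin's own `.pot`/`.po` files it will appear untranslated. Either keep the `woocommerce` domain for strings that are WooCommerce's own UI text, or make sure the build extracts this string into the `wp-forms` catalog. The switch to `\esc_attr_e` itself is fine for the `data-placeholder` attribute.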
......
......@@ -4,16 +4,18 @@
* @var string $name_prefix
* @var mixed $value
*/
?>
<select
id="<?php echo esc_attr( $field->get_id() ); ?>"
id="<?php echo \esc_attr( $field->get_id() ); ?>"
<?php
if ( $field->has_classes() ) :
?>
class="<?php echo esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>]<?php echo $field->is_multiple() ? '[]' : ''; ?>"
class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>]<?php echo \esc_attr( $field->is_multiple() ) ? '[]' : ''; ?>"
<?php foreach ( $field->get_attributes() as $key => $attr_val ) : ?>
<?php echo esc_attr( $key ); ?>="<?php echo esc_attr( $attr_val ); ?>"
<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $attr_val ); ?>"
<?php endforeach; ?>
<?php
......@@ -36,15 +38,15 @@
<?php
if ( $field->has_placeholder() ) :
?>
<option value=""><?php echo esc_html( $field->get_placeholder() ); ?></option><?php endif; ?>
<option value=""><?php echo \esc_html( $field->get_placeholder() ); ?></option><?php endif; ?>
<?php foreach ( $field->get_possible_values() as $possible_value => $label ) : ?>
<option
<?php
if ( $possible_value === $value || ( is_array( $value ) && in_array( $possible_value, $value ) ) || ( is_numeric( $possible_value ) && is_numeric( $value ) && (int) $possible_value === (int) $value ) ) :
if ( $possible_value === $value || ( is_array( $value ) && in_array( $possible_value, $value, true ) ) || ( is_numeric( $possible_value ) && is_numeric( $value ) && (int) $possible_value === (int) $value ) ) :
?>
selected="selected"<?php endif; ?>
value="<?php echo esc_attr( $possible_value ); ?>"
><?php echo esc_html( $label ); ?></option>
value="<?php echo \esc_attr( $possible_value ); ?>"
><?php echo \esc_html( $label ); ?></option>
<?php endforeach; ?>
</select>
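Review bot: The strict `in_array( $possible_value, $value, true )` can stop pre-selecting options in multi-selects: PHP converts numeric-string array keys to int, so `$possible_value` from `get_possible_values()` may be `3` while `$value`, if it holds submitted or stored form data, contains `'3'`, and the numeric fallback in the third condition only applies when `$value` is not an array. Normalize both sides before the strict check, e.g. `in_array( (string) $possible_value, array_map( 'strval', $value ), true )`. Also `\esc_attr( $field->is_multiple() ) ? '[]' : ''` applies the escaper to the boolean condition instead of the output (it works only because `esc_attr( false )` is an empty string); `\esc_attr( $field->is_multiple() ? '[]' : '' )` is what was intended.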