Unverified Commit 47c8e032 authored by Bartek Jaskulski's avatar Bartek Jaskulski

feat: add escaping functions in templates

parent 7596dd72
3 merge requests!28release: 3.0.0,!23Feature/strong typing pp,!19Add strong typing for 3.0 version
Showing
with 136 additions and 123 deletions
......@@ -31,7 +31,7 @@
-->
<!-- Define plugin text domain for i18n. -->
<config name="text_domain" value="shopmagic-for-woocommerce"/>
<config name="text_domain" value="wp-forms"/>
<!-- This value should be aligned with WordPress support version declared in plugin header -->
<config name="minimum_supported_wp_version" value="5.0"/>
......
......@@ -4,7 +4,6 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
......@@ -16,7 +15,7 @@
<?php endif; ?>
<?php foreach ( $field->get_attributes( [] ) as $key => $val ) : ?>
<?php echo $key . '="' . \esc_attr( $val ) . '"'; ?>
<?php echo \esc_attr( $key ) . '="' . \esc_attr( $val ) . '"'; ?>
<?php endforeach; ?>
type="<?php echo \esc_attr( $field->get_type() ); ?>"
......
<?php
/**
* Form ending with hoverable tip snippet in js.
*/
?>
</tbody>
</table>
</form>
......
......@@ -4,19 +4,20 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<tr valign="top">
<?php if ( $field->has_label() ) : ?>
<?php echo $renderer->render( 'form-label', [ 'field' => $field ] ); ?>
<?php echo wp_kses_post( $renderer->render( 'form-label', [ 'field' => $field ] ) ); ?>
<?php endif; ?>
<td class="forminp">
<?php
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
$template_name,
[
'field' => $field,
......@@ -24,6 +25,7 @@
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
?>
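Review bot: Wrapping the rendered field in `wp_kses_post()` at `echo wp_kses_post( $renderer->render( $template_name, …` runs trusted template output through WordPress's post-content allow-list, and that list does not include `input`, `select`, `option`, `textarea` or `script`, so the form controls the field templates emit are stripped from the page. The partials already escape every attribute and text node with `\esc_attr()`/`\esc_html()`, which is the correct layer; the renderer's return value is not user-supplied markup. Either drop the outer call and annotate the line with `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- partial escapes its own output`, or keep filtering with `wp_kses( $html, $allowed_form_tags )` and an explicit allow-list that adds the form elements and their attributes. The echo statement continues into the next hunk, and the same wrapping is added in the six further hunks on this page that change `echo $renderer->render( 'input',` to `echo wp_kses_post( $renderer->render( 'input',`.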
......
......@@ -4,11 +4,12 @@
* @var string $name_prefix
* @var string $value
*/
?>
<th class="titledesc" scope="row">
<label for="<?php echo esc_attr( $field->get_id() ); ?>"><?php echo esc_html( $field->get_label() ); ?>
<label for="<?php echo \esc_attr( $field->get_id() ); ?>"><?php echo \esc_html( $field->get_label() ); ?>
<?php if ( $field->has_description_tip() ) : ?>
<?php echo wc_help_tip( $field->get_description_tip() ); ?>
<?php echo esc_html( wc_help_tip( $field->get_description_tip() ) ); ?>
<?php endif ?>
</label>
</th>
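Review bot: `esc_html()` around `wc_help_tip()` on the changed `<?php echo esc_html( wc_help_tip( $field->get_description_tip() ) ); ?>` line encodes the helper's return value, and since `wc_help_tip()` returns a `<span>` element carrying the tooltip, the tip is rendered as literal angle-bracket text instead of the help icon. The element-preserving filter is the post allow-list: `<?php echo wp_kses_post( wc_help_tip( $field->get_description_tip() ) ); ?>`.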
......@@ -2,9 +2,10 @@
/**
* @var \WPDesk\Forms\Form\FormWithFields $form
*/
?>
<form class="wrap woocommerce" method="<?php echo esc_attr( $form->get_method() ); ?>" action="<?php echo esc_attr( $form->get_action() ); ?>">
<h2 style="display:none;"></h2><?php // All admin notices will be moved here by WP js ?>
<form class="wrap woocommerce" method="<?php echo \esc_attr( $form->get_method() ); ?>" action="<?php echo \esc_attr( $form->get_action() ); ?>">
<h2 style="display:none;"></h2><?php // All admin notices will be moved here by WP js. ?>
<table class="form-table">
<tbody>
......@@ -11,9 +11,9 @@ $classes = $field->has_classes() ? 'class="' . esc_attr( $field->get_classes
?>
<?php if ( $field->has_label() ) : ?>
<h<?php echo $header_size; ?> <?php echo $classes; ?>><?php echo esc_html( $field->get_label() ); ?></h<?php echo $header_size; ?>>
<h<?php echo \esc_attr( $header_size ); ?> <?php echo \esc_attr( $classes ); ?>><?php echo \esc_html( $field->get_label() ); ?></h<?php echo \esc_attr( $header_size ); ?>>
<?php endif; ?>
<?php if ( $field->has_description() ) : ?>
<p <?php echo $classes; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
<p <?php echo \esc_attr( $classes ); ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
<?php endif; ?>
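Review bot: `\esc_attr( $classes )` on the changed heading and paragraph lines double-escapes a value that is already a complete attribute: the hunk header shows `$classes` built as `'class="' . esc_attr( $field->get_classes() ) . '"'`, so the outer call turns its quotes into `&quot;` and the element is emitted as `<h2 class=&quot;…&quot;>`. Escaping belongs where the value becomes markup, so either output `$classes` as built (`<?php echo $classes; ?>`, with a phpcs annotation pointing at the line that escapes it) or make `$classes` the bare class list and write `class="<?php echo \esc_attr( $classes ); ?>"` in both places. `\esc_attr( $header_size )` also does not constrain a value spliced into a tag name; `(int) $header_size` at least pins it to an integer, which is what `<h1>`–`<h6>` expects.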
......@@ -4,14 +4,14 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<?php
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
......@@ -19,4 +19,5 @@ echo $renderer->render(
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
<?php
/**
* @var \WPDesk\Forms\Field $field
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
......@@ -16,4 +16,5 @@ echo $renderer->render(
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
......@@ -4,12 +4,13 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<?php
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
......@@ -17,4 +18,5 @@ echo $renderer->render(
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
......@@ -7,13 +7,13 @@
$media_container_id = 'media_' . sanitize_key( $field->get_id() );
?>
<div class="media-input-wrapper" id="<?php echo esc_attr( $media_container_id ); ?>">
<div class="media-input-wrapper" id="<?php echo \esc_attr( $media_container_id ); ?>">
<input type="hidden" class="image-field-value" value="<?php echo \esc_html( $value ); ?>"
name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>"
id="<?php echo \esc_attr( $field->get_id() ); ?>"/>
<div class="custom-img-container">
<?php if ( $value ) : ?>
<img src="<?php echo $value; ?>" alt="" width="100"/>
<img src="<?php echo \esc_attr( $value ); ?>" alt="" width="100"/>
<?php endif; ?>
</div>
<p class="hide-if-no-js">
......@@ -21,22 +21,22 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() );
<?php
if ( $value ) :
?>
hidden<?php endif ?>" href="<?php echo $value; ?>">
<?php _e( 'Set image', 'wp-forms' ); ?>
hidden<?php endif ?>" href="<?php echo \esc_attr( $value ); ?>">
<?php esc_html_e( 'Set image', 'wp-forms' ); ?>
</a>
<a class="delete-custom-img
<?php
if ( ! $value ) :
?>
hidden<?php endif ?>" href="#">
<?php _e( 'Remove image', 'wp-forms' ); ?>
<?php esc_html_e( 'Remove image', 'wp-forms' ); ?>
</a>
</p>
</div>
<script>
jQuery( function ( $ ) {
var frame,
metaBox = $( '#<?php echo esc_attr( $media_container_id ); ?>' ),
metaBox = $( '#<?php echo \esc_attr( $media_container_id ); ?>' ),
addImgLink = metaBox.find( '.upload-custom-img' ),
delImgLink = metaBox.find( '.delete-custom-img' ),
imgContainer = metaBox.find( '.custom-img-container' ),
......@@ -50,9 +50,9 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() );
}
frame = wp.media( {
title: <?php _e( 'Select or Upload Media', 'wp-forms' ); ?>,
title: <?php esc_html_e( 'Select or Upload Media', 'wp-forms' ); ?>,
button: {
text: <?php _e( 'Use this media', 'wp-forms' ); ?>
text: <?php esc_html_e( 'Use this media', 'wp-forms' ); ?>
},
library: {
type: ['image']
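Review bot: `\esc_attr( $value )` on the changed `<img src="…">` and `href="…">` lines escapes for attribute context but does not validate the value as a URL, so a stored value with a disallowed scheme is emitted unchanged; WordPress's escaper for URL attributes is `\esc_url()`, which only passes allowed protocols. Use `src="<?php echo \esc_url( $value ); ?>"` and `href="<?php echo \esc_url( $value ); ?>"`. In the last hunk of this file, `esc_html_e()` is applied inside a JavaScript object literal (`title: <?php esc_html_e( … ); ?>,`), where HTML escaping is the wrong context and the visible lines emit the string without surrounding quotes; `title: '<?php echo esc_js( __( 'Select or Upload Media', 'wp-forms' ) ); ?>',` (and likewise for `text:`) yields a valid, escaped JS string.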
......
<?php
/**
* @var \WPDesk\Forms\Field $field
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
......@@ -16,4 +16,5 @@ echo $renderer->render(
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
......@@ -4,12 +4,13 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<?php
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
......@@ -17,4 +18,5 @@ echo $renderer->render(
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
......@@ -4,9 +4,9 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<tr>
......@@ -16,14 +16,14 @@
<?php
if ( $field->has_classes() ) :
?>
class="<?php echo esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
<?php foreach ( $field->get_attributes( [] ) as $key => $value ) : ?>
<?php echo $key; ?>="<?php echo esc_attr( $value ); ?>"
<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $value ); ?>"
<?php endforeach; ?>
type="<?php echo esc_attr( $field->get_type() ); ?>"
name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>]"
id="<?php echo esc_attr( $field->get_id() ); ?>"
value="<?php echo esc_html( $field->get_label() ); ?>"
type="<?php echo \esc_attr( $field->get_type() ); ?>"
name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>]"
id="<?php echo \esc_attr( $field->get_id() ); ?>"
value="<?php echo \esc_html( $field->get_label() ); ?>"
<?php
if ( $field->is_required() ) :
?>
......
......@@ -4,11 +4,9 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<?php
if ( empty( $value ) || is_string( $value ) ) {
$input_values[] = '';
} else {
......@@ -17,8 +15,8 @@ if ( empty( $value ) || is_string( $value ) ) {
?>
<div class="clone-element-container">
<?php foreach ( $input_values as $text_value ) : ?>
<?php if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ] ) ) : ?>
<input type="hidden" name="<?php echo $name_prefix . '[' . $field->get_name() . ']'; ?>" value="no"/>
<?php if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
<input type="hidden" name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>" value="no"/>
<?php endif; ?>
<?php
......@@ -41,7 +39,7 @@ if ( empty( $value ) || is_string( $value ) ) {
<?php
foreach ( $field->get_attributes() as $key => $atr_val ) :
echo $key . '="' . \esc_attr( $atr_val ) . '"';
echo \esc_attr( $key ) . '="' . \esc_attr( $atr_val ) . '"';
?>
<?php endforeach; ?>
......@@ -57,7 +55,7 @@ if ( empty( $value ) || is_string( $value ) ) {
if ( $field->is_readonly() ) :
?>
readonly="readonly"<?php endif; ?>
<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ] ) ) : ?>
<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
value="<?php echo \esc_html( $text_value ); ?>"
<?php else : ?>
value="yes"
......
......@@ -4,12 +4,11 @@
* @var \WPDesk\View\Renderer\Renderer $renderer
* @var string $name_prefix
* @var string $value
*
* @var string $template_name Real field template.
*/
?>
<?php
echo $renderer->render(
echo wp_kses_post(
$renderer->render(
'input',
[
'field' => $field,
......@@ -17,4 +16,5 @@ echo $renderer->render(
'name_prefix' => $name_prefix,
'value' => $value,
]
)
);
<?php
/**
* @var \WPDesk\Forms\Field $field
* @var string $name_prefix
* @var string $value
*/
?>
<?php if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ] ) ) : ?>
<input type="hidden" name="<?php echo $name_prefix . '[' . $field->get_name() . ']'; ?>" value="no"/>
if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
<input type="hidden" name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>" value="no"/>
<?php endif; ?>
<?php
......@@ -31,7 +29,7 @@ if ( $field->get_type() === 'checkbox' && $field->has_sublabel() ) :
<?php
foreach ( $field->get_attributes() as $key => $atr_val ) :
echo $key . '="' . \esc_attr( $atr_val ) . '"';
echo \esc_attr( $key ) . '="' . \esc_attr( $atr_val ) . '"';
?>
<?php endforeach; ?>
......@@ -47,7 +45,7 @@ if ( $field->get_type() === 'checkbox' && $field->has_sublabel() ) :
if ( $field->is_readonly() ) :
?>
readonly="readonly"<?php endif; ?>
<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ] ) ) : ?>
<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
value="<?php echo \esc_html( $value ); ?>"
<?php else : ?>
value="yes"
......
......@@ -4,16 +4,15 @@
* @var string $name_prefix
* @var string $value
*/
?>
<?php if ( $field->has_description() ) : ?>
if ( $field->has_description() ) : ?>
<tr>
<td style="padding-left:0;" colspan="2">
<p
<?php
if ( $field->has_classes() ) :
?>
class="<?php echo $field->get_classes(); ?>"<?php endif; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
</td>
</tr>
<?php endif; ?>
......@@ -8,15 +8,15 @@
?>
<select class="wc-product-search" multiple="multiple" style="width: 50%;"
id="<?php echo esc_attr( $field->get_id() ); ?>"
name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>][]"
data-placeholder="<?php esc_attr_e( 'Search for a product&hellip;', 'woocommerce' ); ?>"
id="<?php echo \esc_attr( $field->get_id() ); ?>"
name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>][]"
data-placeholder="<?php \esc_attr_e( 'Search for a product&hellip;', 'wp-forms' ); ?>"
data-action="woocommerce_json_search_products_and_variations">
<?php
foreach ( (array) $value as $product_id ) {
$product = wc_get_product( $product_id );
if ( is_object( $product ) ) {
echo '<option value="' . esc_attr( $product_id ) . '"' . selected(
echo '<option value="' . \esc_attr( $product_id ) . '"' . selected(
true,
true,
false
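Review bot: The changed `data-placeholder` line moves `'Search for a product&hellip;'` from the `woocommerce` text domain to `wp-forms`, so the string no longer resolves against WooCommerce's shipped translations and will show untranslated until this plugin provides its own entry for it. If borrowing WooCommerce's wording is intended, keep `\esc_attr_e( 'Search for a product&hellip;', 'woocommerce' )`; otherwise make sure the string is picked up into the plugin's POT file.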
......
......@@ -4,16 +4,18 @@
* @var string $name_prefix
* @var mixed $value
*/
?>
<select
id="<?php echo esc_attr( $field->get_id() ); ?>"
id="<?php echo \esc_attr( $field->get_id() ); ?>"
<?php
if ( $field->has_classes() ) :
?>
class="<?php echo esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>]<?php echo $field->is_multiple() ? '[]' : ''; ?>"
class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>]<?php echo \esc_attr( $field->is_multiple() ) ? '[]' : ''; ?>"
<?php foreach ( $field->get_attributes() as $key => $attr_val ) : ?>
<?php echo esc_attr( $key ); ?>="<?php echo esc_attr( $attr_val ); ?>"
<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $attr_val ); ?>"
<?php endforeach; ?>
<?php
......@@ -36,15 +38,15 @@
<?php
if ( $field->has_placeholder() ) :
?>
<option value=""><?php echo esc_html( $field->get_placeholder() ); ?></option><?php endif; ?>
<option value=""><?php echo \esc_html( $field->get_placeholder() ); ?></option><?php endif; ?>
<?php foreach ( $field->get_possible_values() as $possible_value => $label ) : ?>
<option
<?php
if ( $possible_value === $value || ( is_array( $value ) && in_array( $possible_value, $value ) ) || ( is_numeric( $possible_value ) && is_numeric( $value ) && (int) $possible_value === (int) $value ) ) :
if ( $possible_value === $value || ( is_array( $value ) && in_array( $possible_value, $value, true ) ) || ( is_numeric( $possible_value ) && is_numeric( $value ) && (int) $possible_value === (int) $value ) ) :
?>
selected="selected"<?php endif; ?>
value="<?php echo esc_attr( $possible_value ); ?>"
><?php echo esc_html( $label ); ?></option>
value="<?php echo \esc_attr( $possible_value ); ?>"
><?php echo \esc_html( $label ); ?></option>
<?php endforeach; ?>
</select>
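Review bot: Adding `true` to `in_array( $possible_value, $value, true )` on the changed `if ( $possible_value === $value || …` line can stop previously chosen options from rendering as selected in multi-selects: PHP stores numeric-string array keys as integers, so `$possible_value` from `get_possible_values()` may be an `int` while the submitted `$value` array holds strings, and the strict comparison no longer matches them (the numeric fallback in the same condition only covers a scalar `$value`). If strict comparison is wanted, normalise both sides first, e.g. `in_array( (string) $possible_value, array_map( 'strval', (array) $value ), true )`. Separately, `\esc_attr( $field->is_multiple() ) ? '[]' : ''` on the `name="…"` line escapes a boolean rather than the output; the ternary already picks a literal, so `<?php echo $field->is_multiple() ? '[]' : ''; ?>` is the intended form.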