feat: add escaping functions in templates

phpcs.xml.dist

@@ -31,7 +31,7 @@
 	-->
 
 	<!-- Define plugin text domain for i18n. -->
-	<config name="text_domain" value="shopmagic-for-woocommerce"/>
+	<config name="text_domain" value="wp-forms"/>
 
 	<!-- This value should be aligned with WordPress support version declared in plugin header -->
 	<config name="minimum_supported_wp_version" value="5.0"/>

templates/button.php

@@ -4,7 +4,6 @@
  * @var \WPDesk\View\Renderer\Renderer $renderer
  * @var string $name_prefix
  * @var string $value
- *
  * @var string $template_name Real field template.
  */
 
@@ -16,7 +15,7 @@
 <?php endif; ?>
 
 <?php foreach ( $field->get_attributes( [] ) as $key => $val ) : ?>
-	<?php echo $key . '="' . \esc_attr( $val ) . '"'; ?>
+	<?php echo \esc_attr( $key ) . '="' . \esc_attr( $val ) . '"'; ?>
 <?php endforeach; ?>
 
 	type="<?php echo \esc_attr( $field->get_type() ); ?>"

templates/form-end.php

+<?php
+/**
+ * Form ending with hoverable tip snippet in js.
+ */
+
+?>
 </tbody>
 </table>
 </form>

templates/form-field.php

@@ -4,19 +4,20 @@
  * @var \WPDesk\View\Renderer\Renderer $renderer
  * @var string $name_prefix
  * @var string $value
- *
  * @var string $template_name Real field template.
  */
+
 ?>
 
 <tr valign="top">
 	<?php if ( $field->has_label() ) : ?>
-		<?php echo $renderer->render( 'form-label', [ 'field' => $field ] ); ?>
+		<?php echo wp_kses_post( $renderer->render( 'form-label', [ 'field' => $field ] ) ); ?>
 	<?php endif; ?>
 
 	<td class="forminp">
 		<?php
-		echo $renderer->render(
+		echo wp_kses_post(
+			$renderer->render(
 				$template_name,
 				[
 					'field'       => $field,
@@ -24,6 +25,7 @@
 					'name_prefix' => $name_prefix,
 					'value'       => $value,
 				]
+			)
 		);
 		?>
 

templates/form-label.php

@@ -4,11 +4,12 @@
  * @var string $name_prefix
  * @var string $value
  */
+
 ?>
 <th class="titledesc" scope="row">
-	<label for="<?php echo esc_attr( $field->get_id() ); ?>"><?php echo esc_html( $field->get_label() ); ?>
+	<label for="<?php echo \esc_attr( $field->get_id() ); ?>"><?php echo \esc_html( $field->get_label() ); ?>
 		<?php if ( $field->has_description_tip() ) : ?>
-			<?php echo wc_help_tip( $field->get_description_tip() ); ?>
+			<?php echo esc_html( wc_help_tip( $field->get_description_tip() ) ); ?>
 		<?php endif ?>
 	</label>
 </th>

templates/form-start.php

@@ -2,9 +2,10 @@
 /**
  * @var \WPDesk\Forms\Form\FormWithFields $form
  */
+
 ?>
-<form class="wrap woocommerce" method="<?php echo esc_attr( $form->get_method() ); ?>" action="<?php echo esc_attr( $form->get_action() ); ?>">
-	<h2 style="display:none;"></h2><?php // All admin notices will be moved here by WP js ?>
+<form class="wrap woocommerce" method="<?php echo \esc_attr( $form->get_method() ); ?>" action="<?php echo \esc_attr( $form->get_action() ); ?>">
+	<h2 style="display:none;"></h2><?php // All admin notices will be moved here by WP js. ?>
 
 	<table class="form-table">
 		<tbody>

templates/header.php

@@ -11,9 +11,9 @@ $classes     = $field->has_classes() ? 'class="' . esc_attr( $field->get_classes
 ?>
 
 <?php if ( $field->has_label() ) : ?>
-	<h<?php echo $header_size; ?> <?php echo $classes; ?>><?php echo esc_html( $field->get_label() ); ?></h<?php echo $header_size; ?>>
+	<h<?php echo \esc_attr( $header_size ); ?> <?php echo \esc_attr( $classes ); ?>><?php echo \esc_html( $field->get_label() ); ?></h<?php echo \esc_attr( $header_size ); ?>>
 <?php endif; ?>
 
 <?php if ( $field->has_description() ) : ?>
-	<p <?php echo $classes; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
+	<p <?php echo \esc_attr( $classes ); ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
 <?php endif; ?>

templates/input-checkbox.php

@@ -4,14 +4,14 @@
  * @var \WPDesk\View\Renderer\Renderer $renderer
  * @var string $name_prefix
  * @var string $value
- *
  * @var string $template_name Real field template.
  */
 
 ?>
 
 <?php
-echo $renderer->render(
+echo wp_kses_post(
+	$renderer->render(
 		'input',
 		[
 			'field'       => $field,
@@ -19,4 +19,5 @@ echo $renderer->render(
 			'name_prefix' => $name_prefix,
 			'value'       => $value,
 		]
+	)
 );

templates/input-date-picker.php

 <?php
-
 /**
  * @var \WPDesk\Forms\Field $field
  * @var \WPDesk\View\Renderer\Renderer $renderer
  * @var string $name_prefix
  * @var string $value
- *
  * @var string $template_name Real field template.
  */
-echo $renderer->render(
+
+echo wp_kses_post(
+	$renderer->render(
 		'input',
 		[
 			'field'       => $field,
@@ -16,4 +16,5 @@ echo $renderer->render(
 			'name_prefix' => $name_prefix,
 			'value'       => $value,
 		]
+	)
 );

templates/input-hidden.php

@@ -4,12 +4,13 @@
  * @var \WPDesk\View\Renderer\Renderer $renderer
  * @var string $name_prefix
  * @var string $value
- *
  * @var string $template_name Real field template.
  */
+
 ?>
 <?php
-echo $renderer->render(
+echo wp_kses_post(
+	$renderer->render(
 		'input',
 		[
 			'field'       => $field,
@@ -17,4 +18,5 @@ echo $renderer->render(
 			'name_prefix' => $name_prefix,
 			'value'       => $value,
 		]
+	)
 );

templates/input-image.php

@@ -7,13 +7,13 @@
 
 $media_container_id = 'media_' . sanitize_key( $field->get_id() );
 ?>
-<div class="media-input-wrapper" id="<?php echo esc_attr( $media_container_id ); ?>">
+<div class="media-input-wrapper" id="<?php echo \esc_attr( $media_container_id ); ?>">
 	<input type="hidden" class="image-field-value" value="<?php echo \esc_html( $value ); ?>"
 			name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>"
 			id="<?php echo \esc_attr( $field->get_id() ); ?>"/>
 	<div class="custom-img-container">
 		<?php if ( $value ) : ?>
-			<img src="<?php echo $value; ?>" alt="" width="100"/>
+			<img src="<?php echo \esc_attr( $value ); ?>" alt="" width="100"/>
 		<?php endif; ?>
 	</div>
 	<p class="hide-if-no-js">
@@ -21,22 +21,22 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() );
 		<?php
 		if ( $value ) :
 			?>
-			hidden<?php endif ?>" href="<?php echo $value; ?>">
-			<?php _e( 'Set image', 'wp-forms' ); ?>
+			hidden<?php endif ?>" href="<?php echo \esc_attr( $value ); ?>">
+			<?php esc_html_e( 'Set image', 'wp-forms' ); ?>
 		</a>
 		<a class="delete-custom-img
 		<?php
 		if ( ! $value ) :
 			?>
 			hidden<?php endif ?>" href="#">
-			<?php _e( 'Remove image', 'wp-forms' ); ?>
+			<?php esc_html_e( 'Remove image', 'wp-forms' ); ?>
 		</a>
 	</p>
 </div>
 <script>
 	jQuery( function ( $ ) {
 		var frame,
-			metaBox = $( '#<?php echo esc_attr( $media_container_id ); ?>' ),
+			metaBox = $( '#<?php echo \esc_attr( $media_container_id ); ?>' ),
 			addImgLink = metaBox.find( '.upload-custom-img' ),
 			delImgLink = metaBox.find( '.delete-custom-img' ),
 			imgContainer = metaBox.find( '.custom-img-container' ),
@@ -50,9 +50,9 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() );
 			}
 
 			frame = wp.media( {
-				title: <?php _e( 'Select or Upload Media', 'wp-forms' ); ?>,
+				title: <?php esc_html_e( 'Select or Upload Media', 'wp-forms' ); ?>,
 				button: {
-					text: <?php _e( 'Use this media', 'wp-forms' ); ?>
+					text: <?php esc_html_e( 'Use this media', 'wp-forms' ); ?>
 				},
 				library: {
 					type: ['image']

templates/input-number.php

 <?php
-
 /**
  * @var \WPDesk\Forms\Field $field
  * @var \WPDesk\View\Renderer\Renderer $renderer
  * @var string $name_prefix
  * @var string $value
- *
  * @var string $template_name Real field template.
  */
-echo $renderer->render(
+
+echo wp_kses_post(
+	$renderer->render(
 		'input',
 		[
 			'field'       => $field,
@@ -16,4 +16,5 @@ echo $renderer->render(
 			'name_prefix' => $name_prefix,
 			'value'       => $value,
 		]
+	)
 );

templates/input-radio.php

@@ -4,12 +4,13 @@
  * @var \WPDesk\View\Renderer\Renderer $renderer
  * @var string $name_prefix
  * @var string $value
- *
  * @var string $template_name Real field template.
  */
+
 ?>
 <?php
-echo $renderer->render(
+echo wp_kses_post(
+	$renderer->render(
 		'input',
 		[
 			'field'       => $field,
@@ -17,4 +18,5 @@ echo $renderer->render(
 			'name_prefix' => $name_prefix,
 			'value'       => $value,
 		]
+	)
 );

templates/input-submit.php

@@ -4,9 +4,9 @@
  * @var \WPDesk\View\Renderer\Renderer $renderer
  * @var string $name_prefix
  * @var string $value
- *
  * @var string $template_name Real field template.
  */
+
 ?>
 
 <tr>
@@ -16,14 +16,14 @@
 				<?php
 				if ( $field->has_classes() ) :
 					?>
-					class="<?php echo esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
+					class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
 				<?php foreach ( $field->get_attributes( [] ) as $key => $value ) : ?>
-					<?php echo $key; ?>="<?php echo esc_attr( $value ); ?>"
+					<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $value ); ?>"
 				<?php endforeach; ?>
-				type="<?php echo esc_attr( $field->get_type() ); ?>"
-				name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>]"
-				id="<?php echo esc_attr( $field->get_id() ); ?>"
-				value="<?php echo esc_html( $field->get_label() ); ?>"
+				type="<?php echo \esc_attr( $field->get_type() ); ?>"
+				name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>]"
+				id="<?php echo \esc_attr( $field->get_id() ); ?>"
+				value="<?php echo \esc_html( $field->get_label() ); ?>"
 				<?php
 				if ( $field->is_required() ) :
 					?>

templates/input-text-multiple.php

@@ -4,11 +4,9 @@
  * @var \WPDesk\View\Renderer\Renderer $renderer
  * @var string $name_prefix
  * @var string $value
- *
  * @var string $template_name Real field template.
  */
-?>
-<?php
+
 if ( empty( $value ) || is_string( $value ) ) {
 	$input_values[] = '';
 } else {
@@ -17,8 +15,8 @@ if ( empty( $value ) || is_string( $value ) ) {
 ?>
 <div class="clone-element-container">
 <?php foreach ( $input_values as $text_value ) : ?>
-	<?php if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ] ) ) : ?>
-	<input type="hidden" name="<?php echo $name_prefix . '[' . $field->get_name() . ']'; ?>" value="no"/>
+	<?php if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
+	<input type="hidden" name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>" value="no"/>
 <?php endif; ?>
 
 	<?php
@@ -41,7 +39,7 @@ if ( empty( $value ) || is_string( $value ) ) {
 
 		<?php
 		foreach ( $field->get_attributes() as $key => $atr_val ) :
-			echo $key . '="' . \esc_attr( $atr_val ) . '"';
+			echo \esc_attr( $key ) . '="' . \esc_attr( $atr_val ) . '"';
 			?>
 		<?php endforeach; ?>
 
@@ -57,7 +55,7 @@ if ( empty( $value ) || is_string( $value ) ) {
 		if ( $field->is_readonly() ) :
 			?>
 			readonly="readonly"<?php endif; ?>
-		<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ] ) ) : ?>
+		<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
 			value="<?php echo \esc_html( $text_value ); ?>"
 		<?php else : ?>
 			value="yes"

templates/input-text.php

@@ -4,12 +4,11 @@
  * @var \WPDesk\View\Renderer\Renderer $renderer
  * @var string $name_prefix
  * @var string $value
- *
  * @var string $template_name Real field template.
  */
-?>
-<?php
-echo $renderer->render(
+
+echo wp_kses_post(
+	$renderer->render(
 		'input',
 		[
 			'field'       => $field,
@@ -17,4 +16,5 @@ echo $renderer->render(
 			'name_prefix' => $name_prefix,
 			'value'       => $value,
 		]
+	)
 );

templates/input.php

 <?php
-
 /**
  * @var \WPDesk\Forms\Field $field
  * @var string $name_prefix
  * @var string $value
  */
-?>
 
-<?php if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ] ) ) : ?>
-	<input type="hidden" name="<?php echo $name_prefix . '[' . $field->get_name() . ']'; ?>" value="no"/>
+if ( ! \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
+	<input type="hidden" name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>" value="no"/>
 <?php endif; ?>
 
 <?php
@@ -31,7 +29,7 @@ if ( $field->get_type() === 'checkbox' && $field->has_sublabel() ) :
 
 	<?php
 	foreach ( $field->get_attributes() as $key => $atr_val ) :
-		echo $key . '="' . \esc_attr( $atr_val ) . '"';
+		echo \esc_attr( $key ) . '="' . \esc_attr( $atr_val ) . '"';
 		?>
 	<?php endforeach; ?>
 
@@ -47,7 +45,7 @@ if ( $field->get_type() === 'checkbox' && $field->has_sublabel() ) :
 	if ( $field->is_readonly() ) :
 		?>
 		readonly="readonly"<?php endif; ?>
-	<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ] ) ) : ?>
+	<?php if ( \in_array( $field->get_type(), [ 'number', 'text', 'hidden' ], true ) ) : ?>
 		value="<?php echo \esc_html( $value ); ?>"
 	<?php else : ?>
 		value="yes"

templates/paragraph.php

@@ -4,16 +4,15 @@
  * @var string $name_prefix
  * @var string $value
  */
-?>
 
-<?php if ( $field->has_description() ) : ?>
+if ( $field->has_description() ) : ?>
 	<tr>
 		<td style="padding-left:0;" colspan="2">
 			<p
 			<?php
 			if ( $field->has_classes() ) :
 				?>
-				class="<?php echo $field->get_classes(); ?>"<?php endif; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
+				class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
 		</td>
 	</tr>
 <?php endif; ?>

templates/product-select.php

@@ -8,15 +8,15 @@
 ?>
 
 <select class="wc-product-search" multiple="multiple" style="width: 50%;"
-		id="<?php echo esc_attr( $field->get_id() ); ?>"
-		name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>][]"
-		data-placeholder="<?php esc_attr_e( 'Search for a product&hellip;', 'woocommerce' ); ?>"
+		id="<?php echo \esc_attr( $field->get_id() ); ?>"
+		name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>][]"
+		data-placeholder="<?php \esc_attr_e( 'Search for a product&hellip;', 'wp-forms' ); ?>"
 		data-action="woocommerce_json_search_products_and_variations">
 	<?php
 	foreach ( (array) $value as $product_id ) {
 		$product = wc_get_product( $product_id );
 		if ( is_object( $product ) ) {
-			echo '<option value="' . esc_attr( $product_id ) . '"' . selected(
+			echo '<option value="' . \esc_attr( $product_id ) . '"' . selected(
 				true,
 				true,
 				false

templates/select.php

@@ -4,16 +4,18 @@
  * @var string $name_prefix
  * @var mixed $value
  */
+
 ?>
+
 <select
-	id="<?php echo esc_attr( $field->get_id() ); ?>"
+	id="<?php echo \esc_attr( $field->get_id() ); ?>"
 	<?php
 	if ( $field->has_classes() ) :
 		?>
-		class="<?php echo esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
-	name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>]<?php echo $field->is_multiple() ? '[]' : ''; ?>"
+		class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
+	name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>]<?php echo \esc_attr( $field->is_multiple() ) ? '[]' : ''; ?>"
 	<?php foreach ( $field->get_attributes() as $key => $attr_val ) : ?>
-		<?php echo esc_attr( $key ); ?>="<?php echo esc_attr( $attr_val ); ?>"
+		<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $attr_val ); ?>"
 	<?php endforeach; ?>
 
 	<?php
@@ -36,15 +38,15 @@
 	<?php
 	if ( $field->has_placeholder() ) :
 		?>
-		<option value=""><?php echo esc_html( $field->get_placeholder() ); ?></option><?php endif; ?>
+		<option value=""><?php echo \esc_html( $field->get_placeholder() ); ?></option><?php endif; ?>
 
 	<?php foreach ( $field->get_possible_values() as $possible_value => $label ) : ?>
 		<option
 			<?php
-			if ( $possible_value === $value || ( is_array( $value ) && in_array( $possible_value, $value ) ) || ( is_numeric( $possible_value ) && is_numeric( $value ) && (int) $possible_value === (int) $value ) ) :
+			if ( $possible_value === $value || ( is_array( $value ) && in_array( $possible_value, $value, true ) ) || ( is_numeric( $possible_value ) && is_numeric( $value ) && (int) $possible_value === (int) $value ) ) :
 				?>
 				selected="selected"<?php endif; ?>
-			value="<?php echo esc_attr( $possible_value ); ?>"
-		><?php echo esc_html( $label ); ?></option>
+			value="<?php echo \esc_attr( $possible_value ); ?>"
+		><?php echo \esc_html( $label ); ?></option>
 	<?php endforeach; ?>
 </select>