Merge branch 'bugfix/remove-invalid-escaping' into 'master'

Bugfix/remove invalid escaping

See merge request !21

changelog.txt

 # Changelog
 
+## [2.4.9] - 2021-09-28
+### Fixed
+- Prevent form fields from being deleted by escaping functions
+
 ## [2.4.8] - 2021-09-27
 ### Fixed
 - Add escaping functions to all templates

templates/button.php

@@ -33,3 +33,4 @@
 		readonly="readonly"<?php endif; ?>
 
 ><?php echo \esc_html( $field->get_label() ); ?></button>
+

templates/form-field.php

@@ -11,22 +11,12 @@
 
 <tr valign="top">
 	<?php if ( $field->has_label() ) : ?>
-		<?php echo wp_kses_post( $renderer->render( 'form-label', [ 'field' => $field ] ) ); ?>
+		<?php echo $renderer->render( 'form-label', [ 'field' => $field ] );  // phpcs:ignore ?>
 	<?php endif; ?>
 
 	<td class="forminp">
 		<?php
-		echo wp_kses_post(
-			$renderer->render(
-				$template_name,
-				[
-					'field'       => $field,
-					'renderer'    => $renderer,
-					'name_prefix' => $name_prefix,
-					'value'       => $value,
-				]
-			)
-		);
+		echo $renderer->render( $template_name, [ 'field' => $field, 'renderer' => $renderer, 'name_prefix' => $name_prefix, 'value' => $value ]); // phpcs:ignore
 		?>
 
 		<?php if ( $field->has_description() ) : ?>

templates/form-label.php

@@ -9,7 +9,7 @@
 <th class="titledesc" scope="row">
 	<label for="<?php echo \esc_attr( $field->get_id() ); ?>"><?php echo \esc_html( $field->get_label() ); ?>
 		<?php if ( $field->has_description_tip() ) : ?>
-			<?php echo esc_html( wc_help_tip( $field->get_description_tip() ) ); ?>
+			<?php echo wp_kses_post( wc_help_tip( $field->get_description_tip() ) ); ?>
 		<?php endif ?>
 	</label>
 </th>

templates/input-checkbox.php

@@ -10,14 +10,4 @@
 ?>
 
 <?php
-echo wp_kses_post(
-	$renderer->render(
-		'input',
-		[
-			'field'       => $field,
-			'renderer'    => $renderer,
-			'name_prefix' => $name_prefix,
-			'value'       => $value,
-		]
-	)
-);
+echo $renderer->render( 'input', [ 'field' => $field, 'renderer' => $renderer, 'name_prefix' => $name_prefix, 'value' => $value ] );  // phpcs:ignore;

templates/input-date-picker.php

@@ -7,14 +7,5 @@
  * @var string $template_name Real field template.
  */
 
-echo wp_kses_post(
-	$renderer->render(
-		'input',
-		[
-			'field'       => $field,
-			'renderer'    => $renderer,
-			'name_prefix' => $name_prefix,
-			'value'       => $value,
-		]
-	)
-);
+echo $renderer->render( 'input',[ 'field' => $field, 'renderer' => $renderer, 'name_prefix' => $name_prefix, 'value' => $value ]); // phpcs:ignore
+

templates/input-hidden.php

@@ -9,14 +9,4 @@
 
 ?>
 <?php
-echo wp_kses_post(
-	$renderer->render(
-		'input',
-		[
-			'field'       => $field,
-			'renderer'    => $renderer,
-			'name_prefix' => $name_prefix,
-			'value'       => $value,
-		]
-	)
-);
+echo $renderer->render( 'input', [ 'field' => $field, 'renderer' => $renderer, 'name_prefix' => $name_prefix, 'value' => $value ] ); // phpcs:ignore

templates/input-image.php

@@ -13,17 +13,25 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() );
 			id="<?php echo \esc_attr( $field->get_id() ); ?>"/>
 	<div class="custom-img-container">
 		<?php if ( $value ) : ?>
-            <img src="<?php echo \esc_url( $value ) ?>" alt="" width="100"/>
+			<img src="<?php echo \esc_url( $value ); ?>" alt="" width="100"/>
 		<?php endif; ?>
-    </div>
-    <p class="hide-if-no-js">
-        <a class="upload-custom-img <?php if ( $value ): ?>hidden<?php endif ?>" href="<?php echo \esc_url( $value ) ?>">
-			<?php \esc_html_e( 'Set image', 'wp-forms' ) ?>
-        </a>
-        <a class="delete-custom-img <?php if ( ! $value ): ?>hidden<?php endif ?>" href="#">
-			<?php \esc_html_e( 'Remove image', 'wp-forms' ) ?>
-        </a>
-    </p>
+	</div>
+	<p class="hide-if-no-js">
+		<a class="upload-custom-img 
+		<?php
+		if ( $value ) :
+			?>
+			hidden<?php endif ?>" href="<?php echo \esc_url( $value ); ?>">
+			<?php \esc_html_e( 'Set image', 'wp-forms' ); ?>
+		</a>
+		<a class="delete-custom-img 
+		<?php
+		if ( ! $value ) :
+			?>
+			hidden<?php endif ?>" href="#">
+			<?php \esc_html_e( 'Remove image', 'wp-forms' ); ?>
+		</a>
+	</p>
 </div>
 <script>
 	jQuery( function ( $ ) {

templates/input-number.php

@@ -7,14 +7,4 @@
  * @var string $template_name Real field template.
  */
 
-echo wp_kses_post(
-	$renderer->render(
-		'input',
-		[
-			'field'       => $field,
-			'renderer'    => $renderer,
-			'name_prefix' => $name_prefix,
-			'value'       => $value,
-		]
-	)
-);
+echo $renderer->render( 'input', ['field' => $field, 'renderer' => $renderer, 'name_prefix' => $name_prefix,'value' => $value ] ); // phpcs:ignore

templates/input-radio.php

@@ -9,14 +9,4 @@
 
 ?>
 <?php
-echo wp_kses_post(
-	$renderer->render(
-		'input',
-		[
-			'field'       => $field,
-			'renderer'    => $renderer,
-			'name_prefix' => $name_prefix,
-			'value'       => $value,
-		]
-	)
-);
+echo $renderer->render( 'input', [ 'field' => $field, 'renderer' => $renderer, 'name_prefix' => $name_prefix, 'value' => $value ] );  // phpcs:ignore

templates/input-text.php

@@ -7,14 +7,4 @@
  * @var string $template_name Real field template.
  */
 
-echo wp_kses_post(
-	$renderer->render(
-		'input',
-		[
-			'field'       => $field,
-			'renderer'    => $renderer,
-			'name_prefix' => $name_prefix,
-			'value'       => $value,
-		]
-	)
-);
+echo $renderer->render( 'input', [ 'field' => $field, 'renderer' => $renderer, 'name_prefix' => $name_prefix, 'value' => $value ] ); // phpcs:ignore