Merge branch 'feature/add-escaping-to-templates' into 'master'

Feature/add escaping to templates See merge request !20

Merge branch 'feature/add-escaping-to-templates' into 'master'
d6c43c76 · Marcin Kolanko · d9d44554 · c8e27303 · d6c43c76 · d6c43c76
Commit d6c43c76 authored 3 years ago by Marcin Kolanko
--- a/templates/paragraph.php
+++ b/templates/paragraph.php
@@ -4,12 +4,15 @@
 * @var string $name_prefix
 * @var string $value
 */
-?>
-<?php if ( $field->has_description() ): ?>
+if ( $field->has_description() ) : ?>
 	<tr>
 		<td style="padding-left:0;" colspan="2">
-			<p <?php if ( $field->has_classes() ): ?>class="<?php echo $field->get_classes(); ?>"<?php endif; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
+			<p
+			<?php
+			if ( $field->has_classes() ) :
+				?>
+				class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>><?php echo wp_kses_post( $field->get_description() ); ?></p>
 		</td>
 	</tr>
 <?php endif; ?>
--- a/templates/product-select.php
+++ b/templates/product-select.php
 <?php
 /**
 * @var \WPDesk\Forms\Field $field
 * @var string $name_prefix
 * @var string[] $value
 */
 ?>
 <select class="wc-product-search" multiple="multiple" style="width: 50%;"
-        id="<?php echo esc_attr( $field->get_id() ); ?>"
+		id="<?php echo \esc_attr( $field->get_id() ); ?>"
-        name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>][]"
+		name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>][]"
-        data-placeholder="<?php esc_attr_e( 'Search for a product&hellip;', 'woocommerce' ); ?>"
+		data-placeholder="<?php \esc_attr_e( 'Search for a product&hellip;', 'wp-forms' ); ?>"
 		data-action="woocommerce_json_search_products_and_variations">
 	<?php
 	foreach ( (array) $value as $product_id ) {
 		$product = wc_get_product( $product_id );
 		if ( is_object( $product ) ) {
-			echo '<option value="' . esc_attr( $product_id ) . '"' . selected( true, true,
+			echo '<option value="' . \esc_attr( $product_id ) . '"' . selected(
-					false ) . '>' . wp_kses_post( $product->get_formatted_name() ) . '</option>';
+				true,
+				true,
+				false
+			) . '>' . wp_kses_post( $product->get_formatted_name() ) . '</option>';
 		}
 	}
 	?>

--- a/templates/select.php
+++ b/templates/select.php
@@ -4,26 +4,49 @@
 * @var string $name_prefix
 * @var mixed $value
 */
 ?>
 <select
-	id="<?php echo esc_attr( $field->get_id() ); ?>"
+	id="<?php echo \esc_attr( $field->get_id() ); ?>"
-	<?php if ($field->has_classes()): ?>class="<?php echo esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
+	<?php
-	name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>]<?php echo $field->is_multiple()? '[]' : ''; ?>"
+	if ( $field->has_classes() ) :
+		?>
+		class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
+	name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>]<?php echo \esc_attr( $field->is_multiple() ) ? '[]' : ''; ?>"
 	<?php foreach ( $field->get_attributes() as $key => $attr_val ) : ?>
-		<?php echo esc_attr($key); ?>="<?php echo esc_attr($attr_val); ?>"
+		<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $attr_val ); ?>"
 	<?php endforeach; ?>
-	<?php if ($field->is_required()): ?>required="required"<?php endif; ?>
+	<?php
-	<?php if ($field->is_disabled()): ?>disabled="disabled"<?php endif; ?>
+	if ( $field->is_required() ) :
-	<?php if ($field->is_readonly()): ?>readonly="readonly"<?php endif; ?>
+		?>
-	<?php if ($field->is_multiple()): ?>multiple="multiple"<?php endif; ?>
+		required="required"<?php endif; ?>
+	<?php
+	if ( $field->is_disabled() ) :
+		?>
+		disabled="disabled"<?php endif; ?>
+	<?php
+	if ( $field->is_readonly() ) :
+		?>
+		readonly="readonly"<?php endif; ?>
+	<?php
+	if ( $field->is_multiple() ) :
+		?>
+		multiple="multiple"<?php endif; ?>
 >
-	<?php if ( $field->has_placeholder() ): ?><option value=""><?php echo esc_html( $field->get_placeholder() ); ?></option><?php endif; ?>
+	<?php
+	if ( $field->has_placeholder() ) :
+		?>
+		<option value=""><?php echo \esc_html( $field->get_placeholder() ); ?></option><?php endif; ?>
 	<?php foreach ( $field->get_possible_values() as $possible_value => $label ) : ?>
 		<option
-			<?php if ( $possible_value === $value || (is_array($value) && in_array($possible_value, $value)) || (is_numeric($possible_value) && is_numeric($value) && (int) $possible_value === (int) $value )): ?>selected="selected"<?php endif; ?>
+			<?php
-			value="<?php echo esc_attr( $possible_value ); ?>"
+			if ( $possible_value === $value || ( is_array( $value ) && in_array( $possible_value, $value, true ) ) || ( is_numeric( $possible_value ) && is_numeric( $value ) && (int) $possible_value === (int) $value ) ) :
-		><?php echo esc_html( $label ); ?></option>
+				?>
+				selected="selected"<?php endif; ?>
+			value="<?php echo \esc_attr( $possible_value ); ?>"
+		><?php echo \esc_html( $label ); ?></option>
 	<?php endforeach; ?>
 </select>
--- a/templates/textarea.php
+++ b/templates/textarea.php
@@ -4,20 +4,39 @@
 * @var string $name_prefix
 * @var string $value
 */
 ?>
 <textarea
-    id="<?php echo esc_attr( $field->get_id() ); ?>"
+	id="<?php echo \esc_attr( $field->get_id() ); ?>"
-		<?php if ( $field->has_classes() ): ?>class="<?php echo esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
+		<?php
-	name="<?php echo esc_attr( $name_prefix ); ?>[<?php echo esc_attr( $field->get_name() ); ?>]"
+		if ( $field->has_classes() ) :
+			?>
+			class="<?php echo \esc_attr( $field->get_classes() ); ?>"<?php endif; ?>
+	name="<?php echo \esc_attr( $name_prefix ); ?>[<?php echo \esc_attr( $field->get_name() ); ?>]"
 	<?php foreach ( $field->get_attributes() as $key => $attr_val ) : ?>
-    <?php echo esc_attr( $key ); ?>="<?php echo esc_attr( $attr_val ); ?>"
+		<?php echo \esc_attr( $key ); ?>="<?php echo \esc_attr( $attr_val ); ?>"
 	<?php endforeach; ?>
-    <?php if ( $field->is_required() ): ?>required="required"<?php endif; ?>
+	<?php
-    <?php if ( $field->is_disabled() ): ?>disabled="disabled"<?php endif; ?>
+	if ( $field->is_required() ) :
-    <?php if ( $field->is_readonly() ): ?>readonly="readonly"<?php endif; ?>
+		?>
-    <?php if ( $field->is_multiple() ): ?>multiple="multiple"<?php endif; ?>
+		required="required"<?php endif; ?>
+	<?php
+	if ( $field->is_disabled() ) :
+		?>
+		disabled="disabled"<?php endif; ?>
+	<?php
+	if ( $field->is_readonly() ) :
+		?>
+		readonly="readonly"<?php endif; ?>
+	<?php
+	if ( $field->is_multiple() ) :
+		?>
+		multiple="multiple"<?php endif; ?>
-    <?php if ( $field->has_placeholder() ): ?>placeholder="<?php echo esc_html( $field->get_placeholder() ); ?>"<?php endif; ?>
+	<?php
-><?php echo esc_html( $value ); ?></textarea>
+	if ( $field->has_placeholder() ) :
+		?>
+		placeholder="<?php echo \esc_html( $field->get_placeholder() ); ?>"<?php endif; ?>
+><?php echo \esc_html( $value ); ?></textarea>
--- a/templates/wyswig.php
+++ b/templates/wyswig.php
@@ -4,23 +4,24 @@
 * @var string $name_prefix
 * @var string $value
 */
-?>
-<?php wp_print_styles( 'media-views' ); ?>
+wp_print_styles( 'media-views' ); ?>
 <script>
 	window.SM_EditorInitialized = true;
 </script>
 <?php
-$id              = uniqid( 'wyswig_' );
+$editor_id       = uniqid( 'wyswig_' );
-$editor_settings = array(
+$editor_settings = [
-	'textarea_name' => esc_attr( $name_prefix ) . '[' . esc_attr( $field->get_name() ) . ']'
+	'textarea_name' => \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']',
-);
+];
-wp_editor( wp_kses_post( $value ), $id, $editor_settings );
+wp_editor( wp_kses_post( $value ), $editor_id, $editor_settings );
 ?>
 <script type="text/javascript">
 	(function () {
-		ShopMagic.wyswig.init('<?php echo $id; ?>');
+		ShopMagic.wyswig.init('<?php echo \esc_attr( $editor_id ); ?>');
 	}());
 </script>