
@GaryJones
Contributor

This PR completes the security hardening for version 2.2.0 by addressing all PHPCS WordPress.Security.EscapeOutput warnings across the plugin's admin interfaces.

Problem

The codebase contained multiple instances where translated strings and dynamic content were output directly to HTML without proper escaping. This created potential XSS vulnerabilities where user-controlled or external data could be rendered without sanitisation. The PHPCS WordPress.Security.EscapeOutput sniff flagged these security concerns across seven core files.

This issue was particularly prevalent in:

  • Admin notice displays where translated strings contained HTML markup
  • URL outputs in admin interfaces lacking esc_url() wrapper
  • Form input values missing esc_attr() protection
  • Exception messages and dynamic text rendered without esc_html()
  • Inconsistent text domain usage that could affect translation security

Solution

The changes systematically address each security concern whilst maintaining functionality and preserving intended HTML markup in translations:

Translation Function Replacements

  • Replaced __() with esc_html__() in printf/echo statements for plain text translations
  • Implemented wp_kses() with appropriate allowed tags for translations containing intentional HTML markup
  • Corrected text domain usage to consistently use 'push-syndication'

URL and Attribute Escaping

  • Added esc_url() wrappers for all URL outputs including admin_url(), get_delete_post_link(), and add_query_arg() calls
  • Added esc_attr() for all form input values and HTML attributes

Dynamic Content Protection

  • Added esc_html() for exception messages and dynamic text output
  • Applied phpcs:ignore comments only where escaping was demonstrably handled by WordPress core functions

Files Modified

  • includes/class-syndication-admin-notices.php - Enhanced notice rendering with proper HTML escaping
  • includes/class-syndication-client-factory.php - Fixed text domain and added URL escaping
  • includes/class-syndication-logger-viewer.php - Added attribute and URL escaping for form elements
  • includes/class-syndication-wp-rest-client.php - Escaped exception messages
  • includes/class-syndication-wp-xml-client.php - Applied comprehensive escaping to admin interface output
  • includes/class-syndication-wp-xmlrpc-client.php - Escaped URLs and dynamic content in admin displays
  • includes/class-wp-push-syndication-server.php - Added escaping throughout settings interfaces

This PR supersedes #121, which encountered complex merge conflicts with the develop branch.
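As an added example, not code from the plugin or this PR, the same kind of admin output written first the way the EscapeOutput sniff reports it and then with the escaping the PR describes. It assumes a WordPress context where esc_*(), wp_kses(), __(), admin_url() and add_query_arg() are defined; the function names, the 'example-settings' page slug and the $site_url / $error values are hypothetical.

```php
<?php
// Added example, not code from the plugin or this PR. Assumes it runs inside
// WordPress (esc_*(), wp_kses(), __(), admin_url() and add_query_arg() are
// defined there); the function names, the 'example-settings' page slug and
// the $site_url / $error values are hypothetical.

// Before: translated markup, a URL, an attribute value and an exception
// message all reach HTML unescaped. This is the shape that the
// WordPress.Security.EscapeOutput sniff reports on each echo/printf.
function example_render_unescaped( string $site_url, Exception $error ): void {
	$settings_link = add_query_arg( array( 'page' => 'example-settings' ), admin_url( 'options-general.php' ) );

	printf( __( 'Site added. <a href="%s">Review settings</a>.', 'push-syndication' ), $settings_link );
	echo '<p>' . __( 'Enter the remote site URL below.', 'push-syndication' ) . '</p>';
	echo '<input type="text" name="site_url" value="' . $site_url . '">';
	echo '<p class="error">' . $error->getMessage() . '</p>';
}

// After: each value is escaped for the context it lands in, matching the
// replacements listed in the PR description.
function example_render_escaped( string $site_url, Exception $error ): void {
	$settings_link = add_query_arg( array( 'page' => 'example-settings' ), admin_url( 'options-general.php' ) );

	// Translation that intentionally carries markup: esc_url() the injected
	// URL, then wp_kses() so only the intended <a href> survives even if the
	// translation file itself has been tampered with.
	$allowed_html = array( 'a' => array( 'href' => array() ) );
	echo wp_kses(
		sprintf( __( 'Site added. <a href="%s">Review settings</a>.', 'push-syndication' ), esc_url( $settings_link ) ),
		$allowed_html
	);

	// Plain-text translation: esc_html__() replaces __().
	echo '<p>' . esc_html__( 'Enter the remote site URL below.', 'push-syndication' ) . '</p>';

	// Attribute context uses esc_attr(); text context uses esc_html().
	echo '<input type="text" name="site_url" value="' . esc_attr( $site_url ) . '">';
	echo '<p class="error">' . esc_html( $error->getMessage() ) . '</p>';
}
```

Running PHPCS with the WordPress ruleset over the first function should report an EscapeOutput warning on each echo/printf line, while the second function uses only functions that the sniff recognises as escaping output.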

GaryJones and others added 2 commits January 3, 2026 17:00
Applies output escaping to translation functions used in HTML contexts:
- Uses esc_html__() and esc_html_e() for text output
- Uses esc_attr_e() for HTML attribute values
- Fixes text domain from 'syndication' to 'push-syndication'
- Escapes wp_die() message

Supersedes #121

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Addresses all outstanding WordPress.Security.EscapeOutput violations across six core plugin files to strengthen output sanitisation and prevent potential XSS vulnerabilities. These fixes complete the security hardening efforts for the 2.2.0 release by ensuring all user-facing output is properly escaped according to WordPress coding standards.

Changes include replacing legacy escaping patterns with WordPress core functions, adding appropriate escaping to previously missed outputs, and documenting intentionally safe outputs with inline PHPCS exceptions where applicable.
@GaryJones GaryJones requested a review from a team as a code owner January 3, 2026 17:18
@GaryJones GaryJones mentioned this pull request Jan 3, 2026
@GaryJones GaryJones self-assigned this Jan 3, 2026
@GaryJones GaryJones added the type: maintenance Routine maintenance and code quality improvements label Jan 3, 2026
@GaryJones GaryJones added this to the 2.2.0 milestone Jan 3, 2026
@GaryJones GaryJones merged commit 6c70a6f into develop Jan 3, 2026
8 checks passed
@GaryJones GaryJones deleted the security/output-escaping branch January 3, 2026 17:29
@GaryJones GaryJones mentioned this pull request Jan 4, 2026