
Commit da7729a

committed
sanitization fix
1 parent f15e4b7 commit da7729a


1 file changed

+11
-11
lines changed

1 file changed

+11
-11
lines changed

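--- a/fancybox.php
+++ b/fancybox.php
@@ -235,7 +235,7 @@ function mfbfw_init() {
 $mfbfw['copyTitleFunction'] = 'var arr = jQuery("a[data-fancybox]");
 jQuery.each(arr, function() {
 var title = jQuery(this).children("img").attr("title");
-var caption = jQuery(this).next("figcaption").html();
+var caption = jQuery(this).next("figcaption").html();
 if(caption && title){jQuery(this).attr("title",title+" " + caption)}else if(title){ jQuery(this).attr("title",title);}else if(caption){jQuery(this).attr("title",caption);}
 }); ';
 }
@@ -319,7 +319,7 @@ function mfbfw_init() {
 }
 
 jQuery.fn.getTitle = function () { // Copy the title of every IMG tag and add it to its parent A so that fancybox can show titles
-<?php echo wp_kses_post( $mfbfw['copyTitleFunction'] ) ?>
+<?php echo ( $mfbfw['copyTitleFunction'] ) ?>
 }
 
 // Supported file extensions
@@ -411,7 +411,7 @@ function mfbfw_init() {
 <?php
 } else { ?>
 /* Custom Expression */
-<?php echo wp_kses_post( $mfbfw['customExpression'] ); ?>
+<?php echo html_entity_decode( $mfbfw['customExpression'] ); ?>
 <?php } ?>
 
 // Call fancybox and apply it on any link with a rel atribute that starts with "fancybox", with the options set on the admin panel
@@ -443,21 +443,21 @@ function mfbfw_init() {
 wheel: <?php echo(isset( $mfbfw['mouseWheel'] ) && $mfbfw['mouseWheel'] ? 'true' : 'false') ?>,
 toolbar: <?php echo(isset( $mfbfw['showToolbar'] ) && $mfbfw['showToolbar'] ? 'true' : 'false') ?>,
 preventCaptionOverlap: true,
-onInit: <?php echo(isset( $mfbfw['callbackEnable'], $mfbfw['callbackOnStart'] ) && $mfbfw['callbackEnable'] && $mfbfw['callbackOnStart'] ? wp_kses_post( $mfbfw['callbackOnStart'] ) . ',' : 'function() { },') ?>
+onInit: <?php echo(isset( $mfbfw['callbackEnable'], $mfbfw['callbackOnStart'] ) && $mfbfw['callbackEnable'] && $mfbfw['callbackOnStart'] ? html_entity_decode( $mfbfw['callbackOnStart'] ) . ',' : 'function() { },') ?>
 onDeactivate
-: <?php echo(isset( $mfbfw['callbackEnable'], $mfbfw['callbackOnCancel'] ) && $mfbfw['callbackEnable'] && $mfbfw['callbackOnCancel'] ? wp_kses_post( $mfbfw['callbackOnCancel'] ) . ',' : 'function() { },') ?>
-beforeClose: <?php echo(isset( $mfbfw['callbackEnable'], $mfbfw['callbackOnCleanup'] ) && $mfbfw['callbackEnable'] && $mfbfw['callbackOnCleanup'] ? wp_kses_post( $mfbfw['callbackOnCleanup'] ) . ',' : 'function() { },') ?>
-afterShow: <?php echo(isset( $mfbfw['callbackEnable'], $mfbfw['callbackOnComplete'] ) && $mfbfw['callbackEnable'] && $mfbfw['callbackOnComplete'] ? wp_kses_post( $mfbfw['callbackOnComplete'] ) . ',' : ( isset( $mfbfw['zoomOnClick'] ) ? 'function(instance) { jQuery( ".fancybox-image" ).on("click", function( ){ ( instance.isScaledDown() ) ? instance.scaleToActual() : instance.scaleToFit() }) },' : 'function() {},' ) )?>
-afterClose: <?php echo(isset( $mfbfw['callbackEnable'], $mfbfw['callbackOnClose'] ) && $mfbfw['callbackEnable'] && $mfbfw['callbackOnClose'] ? wp_kses_post( $mfbfw['callbackOnClose'] ) . ',' : 'function() { },') ?>
-caption : <?php echo wp_kses_post( $caption ) ?>,
-afterLoad : <?php echo wp_kses_post( $afterLoad ) ?>,
+: <?php echo(isset( $mfbfw['callbackEnable'], $mfbfw['callbackOnCancel'] ) && $mfbfw['callbackEnable'] && $mfbfw['callbackOnCancel'] ? html_entity_decode( $mfbfw['callbackOnCancel'] ) . ',' : 'function() { },') ?>
+beforeClose: <?php echo(isset( $mfbfw['callbackEnable'], $mfbfw['callbackOnCleanup'] ) && $mfbfw['callbackEnable'] && $mfbfw['callbackOnCleanup'] ? html_entity_decode( $mfbfw['callbackOnCleanup'] ) . ',' : 'function() { },') ?>
+afterShow: <?php echo(isset( $mfbfw['callbackEnable'], $mfbfw['callbackOnComplete'] ) && $mfbfw['callbackEnable'] && $mfbfw['callbackOnComplete'] ? html_entity_decode( $mfbfw['callbackOnComplete'] ) . ',' : ( isset( $mfbfw['zoomOnClick'] ) ? 'function(instance) { jQuery( ".fancybox-image" ).on("click", function( ){ ( instance.isScaledDown() ) ? instance.scaleToActual() : instance.scaleToFit() }) },' : 'function() {},' ) )?>
+afterClose: <?php echo(isset( $mfbfw['callbackEnable'], $mfbfw['callbackOnClose'] ) && $mfbfw['callbackEnable'] && $mfbfw['callbackOnClose'] ? html_entity_decode( $mfbfw['callbackOnClose'] ) . ',' : 'function() { },') ?>
+caption : <?php echo html_entity_decode( $caption ) ?>,
+afterLoad : <?php echo html_entity_decode( $afterLoad ) ?>,
 <?php echo wp_kses_post( $frameSize ) ?>
 })
 ;
 
 <?php if ( isset( $mfbfw['extraCallsEnable'] ) && $mfbfw['extraCallsEnable'] ) {
 echo "/* Extra Calls */";
-echo wp_kses_post( $mfbfw['extraCallsData'] );
+echo html_entity_decode( $mfbfw['extraCallsData'] );
 } ?>
 })
 </script>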
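Review bot: Replacing `wp_kses_post()` with `html_entity_decode()` (and, at line 322, with a bare `echo`) removes all output filtering from values that are written directly into a `<script>` block, and `html_entity_decode()` is a decoder, not a sanitizer, so whoever can save `copyTitleFunction`, `customExpression`, the `callbackOn*` fields or `extraCallsData` can now emit arbitrary JavaScript on every page that loads this script. `wp_kses_post()` was the wrong tool for a JavaScript context, so dropping it is defensible only if the write side compensates: the settings save handler (outside this diff) should refuse these fields from users without the `unfiltered_html` capability or validate them in a registered sanitize callback, and a comment at the first decoded echo should record that reliance, e.g. `// Raw JS from admin options; the settings save handler must restrict these fields to unfiltered_html users.` Line 454 still wraps `$frameSize` in `wp_kses_post()`, leaving the hunk inconsistent about which values are treated as trusted. Before PHP 8.1 `html_entity_decode()` does not decode `&#039;` by default, so if the intent is to reverse entity encoding applied on save, pass `ENT_QUOTES` explicitly. `$caption` and `$afterLoad` are assigned outside the hunk, and `mfbfw_init()` begins and ends outside it.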
