
Commit 743e669

committed
More escaping optimization
1 parent 044bb0e commit 743e669


11 files changed

+80
-120
lines changed


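--- a/Controllers/Admin/NetworkMenuController.php
+++ b/Controllers/Admin/NetworkMenuController.php
@@ -81,8 +81,11 @@ private function processError($paramName, $paramErrorMessage)
 // 'add_action('admin_notices', ...)' doesn't work here (maybe due to fact, that 'admin_notices' has to be registered not later than X point in code)
 
 // Works
-$sanitizedErrorMessage = '<div id="message" class="error"><p>'.$sanitizedErrorMessage.'</p></div>';
-_doing_it_wrong($sanitizedName, $sanitizedErrorMessage, $this->conf->getPluginSemver());
+$sanitizedErrorMessage = '<div id="message" class="error"><p>'.esc_br_html($sanitizedErrorMessage).'</p></div>';
+
+// Based on WP Coding Standards ticket #341, the WordPress '_doing_it_wrong' method does not escapes the HTML by default,
+// so this has to be done by us. Read more: https://github.com/WordPress/WordPress-Coding-Standards/pull/341
+_doing_it_wrong(esc_html($sanitizedName), esc_br_html($sanitizedErrorMessage), $this->conf->getPluginSemver());
 }
 }
 }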
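Review bot: New line 88 passes `$sanitizedErrorMessage` through `esc_br_html()` a second time, after new line 84 has already escaped the message and wrapped it in `<div id="message" class="error"><p>…</p></div>`; assuming `esc_br_html()` escapes tags other than `<br>` as its name suggests, the wrapper markup will be rendered as literal text and any entity in the message is double-encoded. Either pass the wrapped string through unchanged, `_doing_it_wrong(esc_html($sanitizedName), $sanitizedErrorMessage, $this->conf->getPluginSemver());`, or drop the inner call on line 84 and keep only the outer one. The same double pass is added in SingleMenuController.php (new lines 260 and 264) and in MainController.php (new lines 1388/1392 and 1396/1400). processError's body starts outside the hunk.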

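--- a/Controllers/Admin/SingleMenuController.php
+++ b/Controllers/Admin/SingleMenuController.php
@@ -257,8 +257,11 @@ private function processError($paramName, $paramErrorMessage)
 // 'add_action('admin_notices', ...)' doesn't work here (maybe due to fact, that 'admin_notices' has to be registered not later than X point in code)
 
 // Works
-$sanitizedErrorMessage = '<div id="message" class="error"><p>'.$sanitizedErrorMessage.'</p></div>';
-_doing_it_wrong($sanitizedName, $sanitizedErrorMessage, $this->conf->getPluginSemver());
+$sanitizedErrorMessage = '<div id="message" class="error"><p>'.esc_br_html($sanitizedErrorMessage).'</p></div>';
+
+// Based on WP Coding Standards ticket #341, the WordPress '_doing_it_wrong' method does not escapes the HTML by default,
+// so this has to be done by us. Read more: https://github.com/WordPress/WordPress-Coding-Standards/pull/341
+_doing_it_wrong(esc_html($sanitizedName), esc_br_html($sanitizedErrorMessage), $this->conf->getPluginSemver());
 }
 }
 }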

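--- a/Controllers/MainController.php
+++ b/Controllers/MainController.php
@@ -26,17 +26,17 @@ final class MainController
 // Because loading of language text is not allowed in the very early time, we use constants to simulate language text behavior, just the text is English
 const LANG_ERROR_CLONING_IS_FORBIDDEN_TEXT = 'Error in __clone() method: Cloning instances of the class in the Rental System is forbidden.';
 const LANG_ERROR_UNSERIALIZING_IS_FORBIDDEN_TEXT = 'Error in __wakeup() method: Unserializing instances of the class in the Rental System is forbidden.';
-const LANG_ERROR_SESSIONS_ARE_DISABLED_IN_SERVER_TEXT = 'Warning: Sessions are disabled in your server configuration. Please enabled sessions. As a slower &amp; less secure workaround you can use virtual session via cookies, but that is not recommended.';
+const LANG_ERROR_SESSIONS_ARE_DISABLED_IN_SERVER_TEXT = 'Warning: Sessions are disabled in your server configuration. Please enabled sessions. As a slower & less secure workaround you can use virtual session via cookies, but that is not recommended.';
 const LANG_ERROR_PLEASE_UPGRADE_PHP_TEXT = 'Sorry, %s requires PHP %s or higher. Your current PHP version is %s. Please upgrade your server PHP version.';
 const LANG_ERROR_PLEASE_UPGRADE_WP_TEXT = 'Sorry, %s requires WordPress %s or higher. Your current WordPress version is %s. Please upgrade your WordPress setup.';
-const LANG_ERROR_EXTENSION_NOT_EXIST_PLUGIN_CHILD_THEME_TEXT = 'Sorry, but %s extension does not exist neither in %s plugin directory, nor in %s child theme folder, nor in it&#39;s parent %s theme&#39;s folder.';
+const LANG_ERROR_EXTENSION_NOT_EXIST_PLUGIN_CHILD_THEME_TEXT = 'Sorry, but %s extension does not exist neither in %s plugin directory, nor in %s child theme folder, nor in it\'s parent %s theme\'s folder.';
 const LANG_ERROR_EXTENSION_NOT_EXIST_PLUGIN_THEME_TEXT = 'Sorry, but %s extension does not exist neither in %s plugin directory, nor in %s theme folder.';
 const LANG_ERROR_UNKNOWN_NAME_TEXT = 'Unknown name';
 const LANG_ERROR_DEPENDENCIES_ARE_NOT_LOADED_TEXT = 'Dependencies are not loaded';
 const LANG_ERROR_CONF_WITHOUT_ROUTING_IS_NULL_TEXT = '$confWithoutRouting is NULL';
 const LANG_ERROR_CONF_IS_NULL_TEXT = '$conf is NULL';
 const LANG_ERROR_LANG_IS_NULL_TEXT = '$lang is NULL';
-const LANG_ERROR_IN_METHOD_TEXT = 'Error in &#39;%s&#39; method: %s!';
+const LANG_ERROR_IN_METHOD_TEXT = 'Error in \'%s\' method: %s!';
 
 // Configuration object reference
 private $confWithoutRouting = NULL;
@@ -1380,22 +1380,24 @@ private function processError($paramMethodName, $paramErrorMessage)
 {
 if(StaticValidator::inWP_Debug())
 {
-// Load errors only in local or global debug mode
-$validMethodName = esc_html($paramMethodName);
-$validErrorMessage = esc_html($paramErrorMessage);
-
 // NOTE: add_action('admin_notices', ...); doesn't always work - maybe due to fact, that 'admin_notices'
 // has to be registered not later than X point in code. So we use '_doing_it_wrong' instead
 // Works
 if(!is_null($this->confWithoutRouting))
 {
-$validErrorMessage = '<div class="'.$this->confWithoutRouting->getPluginCSS_Prefix().'error"><div id="message" class="error"><p>'.$validErrorMessage.'</p></div></div>';
-_doing_it_wrong($validMethodName, $validErrorMessage, $this->confWithoutRouting->getPluginSemver());
+$validErrorMessage = '<div class="'.$this->confWithoutRouting->getPluginCSS_Prefix().'error"><div id="message" class="error"><p>'.esc_html($paramMethodName).'</p></div></div>';
+
+// Based on WP Coding Standards ticket #341, the WordPress '_doing_it_wrong' method does not escapes the HTML by default,
+// so this has to be done by us. Read more: https://github.com/WordPress/WordPress-Coding-Standards/pull/341
+_doing_it_wrong(esc_html($paramMethodName), esc_br_html($validErrorMessage), $this->confWithoutRouting->getPluginSemver());
 } else
 {
 // $confWithoutRouting is NULL
-$validErrorMessage = '<div id="message" class="error"><p>'.$validErrorMessage.'</p></div>';
-_doing_it_wrong($validMethodName, $validErrorMessage, 0.0);
+$validErrorMessage = '<div id="message" class="error"><p>'.esc_br_html($paramErrorMessage).'</p></div>';
+
+// Based on WP Coding Standards ticket #341, the WordPress '_doing_it_wrong' method does not escapes the HTML by default,
+// so this has to be done by us. Read more: https://github.com/WordPress/WordPress-Coding-Standards/pull/341
+_doing_it_wrong(esc_html($paramMethodName), esc_br_html($validErrorMessage), 0.0);
 }
 }
 }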
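Review bot: In the `confWithoutRouting` branch, new line 1388 builds the notice body from `esc_html($paramMethodName)` instead of the error message, so the message text is lost and the method name is shown twice (it is also the first argument on line 1392); the else branch on new line 1396 shows the intended form. The line should read `$validErrorMessage = '<div class="'.$this->confWithoutRouting->getPluginCSS_Prefix().'error"><div id="message" class="error"><p>'.esc_br_html($paramErrorMessage).'</p></div></div>';`. The constants hunk swaps the `&amp;`/`&#39;` entities for raw characters, which is only safe if every place that prints the `LANG_ERROR_*_TEXT` constants now escapes them; those consumers are not in this diff, so that should be checked. processError begins at the hunk's opening brace and its callers are outside the hunk.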

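--- a/Models/Administrator/AdministratorsObserver.php
+++ b/Models/Administrator/AdministratorsObserver.php
@@ -60,13 +60,12 @@ public function getTrustedDropdownOptionsHTML($paramSelectedWPUserId = -1, $para
 foreach($arrOjbWPUsers AS $objWPUser)
 {
 $validWPUserId = StaticValidator::getValidPositiveInteger($objWPUser->ID, 0);
-$printWPUserDisplayName = esc_html($objWPUser->display_name);
 if($validWPUserId == $paramSelectedWPUserId)
 {
-$retHTML .= '<option value="'.esc_attr($validWPUserId).'" selected="selected">'.$printWPUserDisplayName.'</option>';
+$retHTML .= '<option value="'.esc_attr($validWPUserId).'" selected="selected">'.esc_html($objWPUser->display_name).'</option>';
 } else
 {
-$retHTML .= '<option value="'.esc_attr($validWPUserId).'">'.$printWPUserDisplayName.'</option>';
+$retHTML .= '<option value="'.esc_attr($validWPUserId).'">'.esc_html($objWPUser->display_name).'</option>';
 }
 }
 return $retHTML;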

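--- a/Models/FAQ/FAQsObserver.php
+++ b/Models/FAQ/FAQsObserver.php
@@ -134,10 +134,10 @@ public function getTrustedAdminListHTML()
 }
 
 $retHTML .= '<tr>';
-$retHTML .= '<td>'.$faqId.'</td>';
+$retHTML .= '<td>'.esc_html($faqId).'</td>';
 $retHTML .= '<td>'.$questionHMTL.'</td>';
 $retHTML .= '<td>'.$answerHTML.'</td>';
-$retHTML .= '<td style="text-align: center">'.$faqDetails['faq_order'].'</td>';
+$retHTML .= '<td style="text-align: center">'.esc_html($faqDetails['faq_order']).'</td>';
 $retHTML .= '<td align="right">';
 if(current_user_can('manage_'.$this->conf->getPluginPrefix().'all_faqs'))
 {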
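Review bot: New lines 137 and 140 escape `$faqId` and `$faqDetails['faq_order']`, but the `$questionHMTL` and `$answerHTML` cells on context lines 138–139 are still concatenated as-is, and those are the free-text fields rather than the numeric ones. If the two variables are not already passed through `esc_html()` or `wp_kses()` where they are built (above the hunk, not visible here), that is where the output escaping of this table is still missing; a short comment at line 138 such as `// $questionHMTL / $answerHTML are escaped at the point they are built` would make the contract visible. getTrustedAdminListHTML starts and ends outside the hunk.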

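--- a/Models/Formatting/StaticFormatter.php
+++ b/Models/Formatting/StaticFormatter.php
@@ -459,38 +459,6 @@ public static function getHourRangeTimestampArray($paramFromTimestamp, $paramTil
 return $arrHourTimestamps;
 }
 
-public static function generateDropdownOptionsHTML($from, $to, $selectedValue = "", $defaultValue = "", $defaultText = "", $prefixed = FALSE, $suffix = "")
-{
-$ret = "";
-$suffix = $suffix != '' ? ' '.$suffix : '';
-
-if($defaultText != "")
-{
-if($selectedValue == $defaultValue)
-{
-$ret .= '<option value="'.esc_attr($defaultValue).'" selected="selected">'.$defaultText.'</option>';
-} else
-{
-$ret .= '<option value="'.esc_attr($defaultValue).'">'.$defaultText.'</option>';
-}
-}
-
-for($i = $from; $i <= $to; $i++)
-{
-$prefixedValue = $prefixed ? sprintf('%0'.strlen($to).'d', $i) : $i;
-if($prefixedValue == $selectedValue)
-{
-$ret .= '<option value="'.esc_attr($prefixedValue).'" selected="selected">'.$i.$suffix.'</option>';
-
-} else
-{
-$ret .= '<option value="'.esc_attr($prefixedValue).'">'.$i.$suffix.'</option>';
-}
-}
-
-return $ret;
-}
-
 /**
 * @param array $paramValueTextPairs
 * @param string $paramSelectedValue
@@ -506,20 +474,20 @@ public static function getKeyValueDropdownOptionsHTML(array $paramValueTextPairs
 {
 if($paramSelectedValue == $paramDefaultValue)
 {
-$ret = '<option value="'.esc_attr($paramDefaultValue).'" selected="selected">'.$paramDefaultText.'</option>';
+$ret = '<option value="'.esc_attr($paramDefaultValue).'" selected="selected">'.esc_html($paramDefaultText).'</option>';
 } else
 {
-$ret = '<option value="'.esc_attr($paramDefaultValue).'">'.$paramDefaultText.'</option>';
+$ret = '<option value="'.esc_attr($paramDefaultValue).'">'.esc_html($paramDefaultText).'</option>';
 }
 }
 foreach ($paramValueTextPairs as $value => $text)
 {
 if($value == $paramSelectedValue)
 {
-$ret .= '<option value="'.esc_attr($value).'" selected="selected">'.$text.'</option>';
+$ret .= '<option value="'.esc_attr($value).'" selected="selected">'.esc_html($text).'</option>';
 } else
 {
-$ret .= '<option value="'.esc_attr($value).'">'.$text.'</option>';
+$ret .= '<option value="'.esc_attr($value).'">'.esc_html($text).'</option>';
 }
 }
 
@@ -592,10 +560,10 @@ public static function getYearStartDatesDropdownOptionsHTML(
 $value = date($shortDateFormat, $timestamp);
 if($year == $paramSelectedValue)
 {
-$retHTML .= '<option value="'.esc_attr($value).'" selected="selected">'.$year.'</option>';
+$retHTML .= '<option value="'.esc_attr($value).'" selected="selected">'.esc_html($year).'</option>';
 } else
 {
-$retHTML .= '<option value="'.esc_attr($value).'">'.$year.'</option>';
+$retHTML .= '<option value="'.esc_attr($value).'">'.esc_html($year).'</option>';
 }
 }
 
@@ -640,8 +608,8 @@ public static function getMonthStartDatesDropdownOptionsHTML(
 }
 
 /*DEBUG*/ //echo "<br />Start Timestamp: ".intval($paramStartTimestamp).", End Timestamp: ".intval($paramEndTimestamp);
-/*DEBUG*/ //echo "<br />Start Year: {$validStartYear}, Start Month: {$validStartMonth}";
-/*DEBUG*/ //echo "<br />End Year: {$validEndYear}, End Month: {$validEndMonth}";
+/*DEBUG*/ //echo "<br />Start Year: ".esc_html($validStartYear}, Start Month: ".esc_html($validStartMonth);
+/*DEBUG*/ //echo "<br />End Year: ".esc_html($validEndYear}, End Month: ".esc_html($validEndMonth);
 
 if($paramDefaultValue != "" || $paramDefaultLabel != "")
 {
@@ -665,10 +633,10 @@ public static function getMonthStartDatesDropdownOptionsHTML(
 $label = date($monthWithYearFormat, $timestamp);
 if($value == $paramSelectedValue)
 {
-$retHTML .= '<option value="'.esc_attr($value).'" selected="selected">'.$label.'</option>';
+$retHTML .= '<option value="'.esc_attr($value).'" selected="selected">'.esc_html($label).'</option>';
 } else
 {
-$retHTML .= '<option value="'.esc_attr($value).'">'.$label.'</option>';
+$retHTML .= '<option value="'.esc_attr($value).'">'.esc_html($label).'</option>';
 }
 }
 }
@@ -795,7 +763,7 @@ public static function getTimeDropdownOptionsHTML($paramTimeInterval = 1800, $pa
 $currentTimeText = sanitize_text_field($paramNoonText);
 } else
 {
-// i18n
+// i18n
 $currentTimeText = date_i18n(get_option('time_format'), $utcUnixCurrentTime, TRUE);
 }
 
@@ -822,7 +790,6 @@ public static function getTimeDropdownOptionsHTML($paramTimeInterval = 1800, $pa
 if($paramSelectedTime == "23:59:59")
 {
 $retHTML .= '<option value="23:59:59" selected="selected">'.esc_html($currentTimeText).'</option>';
-
 } else
 {
 $retHTML .= '<option value="23:59:59">'.esc_html($currentTimeText).'</option>';
@@ -835,6 +802,38 @@ public static function getTimeDropdownOptionsHTML($paramTimeInterval = 1800, $pa
 return $retHTML;
 }
 
+public static function generateTrustedNumberDropdownOptionsHTML($from, $to, $selectedValue = "", $defaultValue = "", $defaultText = "", $prefixed = FALSE, $suffix = "")
+{
+$ret = "";
+$suffix = $suffix != '' ? ' '.$suffix : '';
+
+if($defaultText != "")
+{
+if($selectedValue == $defaultValue)
+{
+$ret .= '<option value="'.esc_attr($defaultValue).'" selected="selected">'.esc_html($defaultText).'</option>';
+} else
+{
+$ret .= '<option value="'.esc_attr($defaultValue).'">'.esc_html($defaultText).'</option>';
+}
+}
+
+for($i = $from; $i <= $to; $i++)
+{
+$prefixedValue = $prefixed ? sprintf('%0'.strlen($to).'d', $i) : $i;
+if($prefixedValue == $selectedValue)
+{
+$ret .= '<option value="'.esc_attr($prefixedValue).'" selected="selected">'.esc_html($i.$suffix).'</option>';
+
+} else
+{
+$ret .= '<option value="'.esc_attr($prefixedValue).'">'.esc_html($i.$suffix).'</option>';
+}
+}
+
+return $ret;
+}
+
 /**
 * Number drop-down options for any select
 * @param int $paramValueFrom
@@ -845,7 +844,7 @@ public static function getTimeDropdownOptionsHTML($paramTimeInterval = 1800, $pa
 * @param string $paramSuffix
 * @return string
 */
-public static function getTrustedNumberDropdownOptionsHTML($paramValueFrom = 0, $paramValueTill = 100, $paramSelectedValue = 0, $paramDefaultValue = "", $paramDefaultLabel = "", $paramSuffix = "")
+public static function getTrustedProgressiveNumberDropdownOptionsHTML($paramValueFrom = 0, $paramValueTill = 100, $paramSelectedValue = 0, $paramDefaultValue = "", $paramDefaultLabel = "", $paramSuffix = "")
 {
 $retHTML = '';
 $validSuffix = $paramSuffix != "" ? " ".esc_html(sanitize_text_field($paramSuffix)) : "";
@@ -867,10 +866,10 @@ public static function getTrustedNumberDropdownOptionsHTML($paramValueFrom = 0,
 {
 if($i == $paramSelectedValue)
 {
-$retHTML .= '<option value="'.esc_attr($i).'" selected="selected">'.$i.$validSuffix.'</option>';
+$retHTML .= '<option value="'.esc_attr($i).'" selected="selected">'.esc_html($i.$validSuffix).'</option>';
 } else
 {
-$retHTML .= '<option value="'.esc_attr($i).'">'.$i.$validSuffix.'</option>';
+$retHTML .= '<option value="'.esc_attr($i).'">'.esc_html($i.$validSuffix).'</option>';
 }
 
 if($i < 100)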
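Review bot: `generateTrustedNumberDropdownOptionsHTML` (new lines 805–835) is added without a docblock, while the `getTrustedProgressiveNumberDropdownOptionsHTML` directly below it documents every parameter and `@return string`; a `/** … */` block stating the purpose and the types of `$from`, `$to`, `$selectedValue`, `$defaultValue`, `$defaultText`, `$prefixed` and `$suffix`, plus `@return string`, would keep the file consistent. The body is the deleted `generateDropdownOptionsHTML` (old lines 462–492) with `esc_html()` added, so apart from the name the hunk is a move. Separately, the commented-out DEBUG lines 611–612 now read `esc_html($validStartYear}` and `esc_html($validEndYear}` with a `}` where `)."` belongs, so they no longer parse if someone uncomments them; `"<br />Start Year: ".esc_html($validStartYear).", Start Month: ".esc_html($validStartMonth);` is the intended form. Two public static methods change name in this file; callers of the old names that live in files not shown on this page will need the same rename.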

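--- a/Models/Settings/SettingsObserver.php
+++ b/Models/Settings/SettingsObserver.php
@@ -106,50 +106,4 @@ public function get($key, $paramDefaultValue = '', $paramTranslated = FALSE)
 
 return $ret;
 }
-
-
-/*****************************************************************************/
-/***************************** SETTINGS SECTION ******************************/
-/*****************************************************************************/
-
-/**
-* @param string $paramType - "YES/NO" (DEFAULT), "SHOW/HIDE", "ENABLED/DISABLED"
-* @param int $paramSelectedValue
-* @return string
-*/
-public function generateDropdownOptionsHTML($paramType = "YES/NO", $paramSelectedValue = 0)
-{
-$retHTML = '';
-if($paramType == "SHOW/HIDE")
-{
-$options = array(
-1 => $this->lang->getText('LANG_VISIBLE_TEXT'),
-0 => $this->lang->getText('LANG_HIDDEN_TEXT'),
-);
-} else if($paramType == "ENABLED/DISABLED")
-{
-$options = array(
-1 => $this->lang->getText('LANG_ENABLED_TEXT'),
-0 => $this->lang->getText('LANG_DISABLED_TEXT'),
-);
-} else
-{
-$options = array(
-1 => $this->lang->getText('LANG_YES_TEXT'),
-0 => $this->lang->getText('LANG_NO_TEXT'),
-);
-}
-
-foreach($options as $key => $value)
-{
-if($paramSelectedValue == $key)
-{
-$retHTML .= '<option value="'.esc_attr($key).'" selected="selected">'.esc_html($value).'</option>';
-} else
-{
-$retHTML .= '<option value="'.esc_attr($key).'">'.esc_html($value).'</option>';
-}
-}
-return $retHTML;
-}
 }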

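--- a/Models/Status/NetworkStatus.php
+++ b/Models/Status/NetworkStatus.php
@@ -196,7 +196,7 @@ public function checkPluginCompatibleDataExistsInSomeBlog()
 // DEBUG
 if($this->debugMode)
 {
-$debugMessage = "Debug: checkPluginDataExistsInSomeBlogOf(): ".($retExists ? "Yes" : "No")."<br />SQL: {$sqlQuery}<br />";
+$debugMessage = "Debug: checkPluginDataExistsInSomeBlogOf(): ".($retExists ? "Yes" : "No")."<br />SQL: ".esc_br_html($sqlQuery)."<br />";
 $this->debugMessages[] = $debugMessage;
 if($this->echoDebug)
 {
@@ -232,7 +232,7 @@ public function checkPluginDataExistsInSomeBlogOf($paramRequiredPluginSemver)
 // DEBUG
 if($this->debugMode)
 {
-$debugMessage = "Debug: checkPluginDataExistsInSomeBlogOf(): ".($retExists ? "Yes" : "No")."<br />SQL: {$sqlQuery}<br />";
+$debugMessage = "Debug: checkPluginDataExistsInSomeBlogOf(): ".($retExists ? "Yes" : "No")."<br />SQL: SQL: ".esc_br_html($sqlQuery)."<br />";
 $this->debugMessages[] = $debugMessage;
 if($this->echoDebug)
 {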
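Review bot: New line 235 reads `"<br />SQL: SQL: ".esc_br_html($sqlQuery)` — the `SQL: ` label is doubled, unlike the matching line 199 in the first hunk; it should be `$debugMessage = "Debug: checkPluginDataExistsInSomeBlogOf(): ".($retExists ? "Yes" : "No")."<br />SQL: ".esc_br_html($sqlQuery)."<br />";`. The rewritten line 199 also keeps the label `checkPluginDataExistsInSomeBlogOf()` although, per the hunk header, it sits inside `checkPluginCompatibleDataExistsInSomeBlog()`, so that debug entry names the wrong method; since the line is being touched anyway, correcting the label there is cheap. Both enclosing methods start and end outside the hunks.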
