More security issues

Author: otrok7

admin/partials/_bmlt_server_setup.php

@@ -31,7 +31,7 @@
                                 <label for="sslverify"><?php esc_html_e('Disable SSL verification of server', 'bread') ?></label>
                         <?php }
                     } elseif ($this->bread->emptyOption('root_server')) {
-                        echo "<span style='color: #f00;'><div style='font-size: 16px;vertical-align: middle;' class='dashicons dashicons-dismiss'></div>".__('ERROR: Please enter a BMLT Server', 'bread')."</span>";
+                        echo "<span style='color: #f00;'><div style='font-size: 16px;vertical-align: middle;' class='dashicons dashicons-dismiss'></div>".esc_html(__('ERROR: Please enter a BMLT Server', 'bread'))."</span>";
                         echo '<input type="hidden" id="user_agent" value="' . esc_html($this->bread->getOption('user_agent')) . '" />';
                         if ($this->bread->getOption('sslverify') == '1') { ?>
                             <p>
@@ -70,7 +70,10 @@
                     <div id="customquery-tooltip-content">
                         <p>
                             <?php esc_html_e('This will be executed as part of the meeting search query. This will override any setting in the Service Body dropdowns.', 'bread') ?>
-                            <br /><?php echo sprintf(__('You can get help formulating a query using your sites <a href="%s">semantic interface</a>.', 'bread'), esc_url($this->bread->getOption('root_server')).'/semantic') ?>
+                            /* translators: draft saved date format, see http://php.net/date */
+                            <br /><?php
+                                /* translators: the string is a link to the semantic interface of the BMLT server */
+                                echo esc_html(sprintf(__('You can get help formulating a query using your sites <a href="%s">semantic interface</a>.', 'bread'), esc_url($this->bread->getOption('root_server'))).'/semantic') ?>
                         </p>
                     </div>
                 </div>

admin/partials/_custom_section_setup.php

@@ -7,7 +7,7 @@
         <div id="normal-sortables" class="meta-box-sortables ui-sortable">
             <div id="custom-content-div" class="postbox">
                 <div style="display:none;">
-                    <div id="customsection-tooltip-content"><?php echo wp_filter_post_kses(__("
+                    <div id="customsection-tooltip-content"><?php echo wp_kses_post(__("
                         <p>The Custom Content can be customized with text, graphics, tables, shortcodes, etc.</p>
                         <p><strong>Default Font Size</strong> can be changed for specific text in the editor.</p>
                         <p><strong>Add Media</strong> button - upload and add graphics.</p>

admin/partials/_front_page_setup.php

@@ -7,7 +7,7 @@
         <div id="normal-sortables" class="meta-box-sortables ui-sortable">
             <div id="frontpagecontentdiv" class="postbox">
                 <div style="display:none;">
-                    <div id="frontpage-tooltip-content"><?php echo wp_filter_post_kses(__("
+                    <div id="frontpage-tooltip-content"><?php echo wp_kses_post(__("
                         <p>The Front Page can be customized with text, graphics, tables, shortcodes, ect.</p>
                         <p><strong>Add Media</strong> button - upload and add graphics.</p>
                         <p><strong>Meeting List Shortcodes</strong> dropdown - insert custom data.</p>

admin/partials/_meetings_setup.php

@@ -336,9 +336,9 @@
                         <select id="additional_list_language" name="additional_list_language">
                             <?php
                             if ($this->bread->getOption('additional_list_language') == '') {
-                                echo "<option value=\"\" selected=\"selected\">".__('Same as main list', 'bread')."</option>";
+                                echo "<option value=\"\" selected=\"selected\">".esc_html(__('Same as main list', 'bread'))."</option>";
                             } else {
-                                echo "<option value=\"\">".__('Same as main list', 'bread')."</option>";
+                                echo "<option value=\"\">".esc_html(__('Same as main list', 'bread'))."</option>";
                             }
                             foreach ($this->bread->getTranslateTable() as $key => $value) {
                                 if ($this->bread->getOption('additional_list_language') == $key) {

admin/partials/bread-admin-display.php

@@ -36,14 +36,17 @@ private function refresh_status()
             if ($serverInfo[0]["aggregator_mode_enabled"] ?? false) {
                 $this->server_version = "<span style='color: #00AD00;'><div style='font-size: 16px;vertical-align: middle;' class='dashicons dashicons-admin-site'></div>".__('Using Tomato Server', 'bread')."</span>";
             } elseif ($this->connected) {
+                /* translators: string is the version number of the BMLT Server */
                 $this->server_version = "<span style='color: #0A8ADD;'><div style='font-size: 16px;vertical-align: middle;' class='dashicons dashicons-smiley'></div>".sprintf(__('Your BMLT Server is running %s', 'bread'), esc_html($this->connected)). "</span>";
             }
         }
     }
     private function select_service_bodies()
     {
         for ($i = 1; $i <= 5; $i++) { ?>
-            <li><label for="service_body_<?php echo esc_html($i); ?>"><?php echo sprintf(__('Service Body %s', 'bread'), esc_html($i)) ?>: </label>
+            <li><label for="service_body_<?php
+                /* translators: Bread can query up to five servers, the string is the number 1-5 */
+                echo esc_html($i); ?>"><?php echo esc_html(sprintf(__('Service Body %s', 'bread'), $i)) ?>: </label>
                 <select class="service_body_select" id="service_body_<?php echo esc_html($i); ?>" name="service_body_<?php echo esc_html($i); ?>"><?php
                 if ($this->connected) {
                     $this->select_service_body_options($i);
@@ -90,16 +93,17 @@ function admin_options_page()
         set_transient('admin_notice', 'Please put down your weapon. You have 20 seconds to comply.');
         echo '<div class="updated">';
         if (!$this->admin->current_user_can_modify()) {
-            echo '<p style="color: #F00;">'.__('You do not have permission to save this configuation!', 'bread').'</p>';
+            echo '<p style="color: #F00;">'.esc_html(__('You do not have permission to save this configuation!', 'bread')).'</p>';
         } elseif (isset($_COOKIE['bread_import_file'])) {
-            echo '<p style="color: #F00;">'.__('File loaded', 'bread').'</p>';
+            echo '<p style="color: #F00;">'.esc_html(__('File loaded', 'bread')).'</p>';
             delete_transient($this->bread->get_TransientKey($this->bread->getRequestedSetting()));
         } elseif (isset($_POST['bmltmeetinglistsave']) && $_POST['bmltmeetinglistsave']) {
             $this->admin->save_admin_options();
-            echo '<p style="color: #F00;">'.__('Your changes were successfully saved!', 'bread').'</p>';
+            echo '<p style="color: #F00;">'.esc_html(__('Your changes were successfully saved!', 'bread')).'</p>';
             $num = delete_transient($this->bread->get_TransientKey($this->bread->getRequestedSetting()));
             if ($num > 0) {
-                echo "<p>" . sprintf(__('%s Cache entries deleted', 'bread'), esc_attr($num))."</p>";
+                /* translators: string is number of cache entries deleted */
+                echo "<p>" . esc_html(sprintf(__('%s Cache entries deleted', 'bread')), esc_attr($num))."</p>";
             }
         }
         echo '</div>';

includes/class-bread-i18n.php

@@ -35,11 +35,11 @@ class Bread_i18n
      */
     public function load_plugin_textdomain()
     {
-
+/*
         load_plugin_textdomain(
             'bread',
             false,
             dirname(dirname(plugin_basename(__FILE__))) . '/languages/'
-        );
+        ); */
     }
 }