fix: properly escape some strings

bfintal@gmail.com · bfintal@gmail.com · commit a95eeb8bfc1c · 2025-10-20T14:55:51.000+08:00
diff --git a/src/rest-api/class-rest-editor.php b/src/rest-api/class-rest-editor.php
@@ -65,7 +65,7 @@ public function register_route() {
 		public static function validate_string( $value, $request, $param ) {
 			if ( ! is_string( $value ) ) {
 				// Translators: %s is the parameter name.
-				return new WP_Error( 'invalid_param', sprintf( esc_html__( '%s must be a string.', 'interactions' ), $param ) );
+				return new WP_Error( 'invalid_param', sprintf( esc_html__( '%s must be a string.', 'interactions' ), esc_html( $param ) ) );
 			}
 			return true;
 		}
@@ -79,12 +79,12 @@ public static function validate_interaction( $value, $request, $param ) {
 			$data = json_decode( $value );
 			if ( ! $data ) {
 				// Translators: %s is the parameter name.
-				return new WP_Error( 'invalid_param', sprintf( esc_html__( '%s must be a valid JSON string.', 'interactions' ), $param ) );
+				return new WP_Error( 'invalid_param', sprintf( esc_html__( '%s must be a valid JSON string.', 'interactions' ), esc_html( $param ) ) );
 			}
 
 			$result = Interact_Interaction::validate_interaction_data( $data );
 			if ( is_wp_error( $result ) ) {
-				return $is_valid;
+				return $result;
 			}
 
 			return true;
diff --git a/src/rest-api/class-rest-location-rules.php b/src/rest-api/class-rest-location-rules.php
@@ -38,7 +38,7 @@ public function register_route() {
 		public static function validate_string( $value, $request, $param ) {
 			if ( ! is_string( $value ) ) {
 				// Translators: %s is a placeholder for a parameter name.
-				return new WP_Error( 'invalid_param', sprintf( esc_html__( '%s must be a string.', 'interactions' ), $param ) );
+				return new WP_Error( 'invalid_param', sprintf( esc_html__( '%s must be a string.', 'interactions' ), esc_html( $param ) ) );
 			}
 			return true;
 		}

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ public function register_route() {`
`65`	`65`	`public static function validate_string( $value, $request, $param ) {`
`66`	`66`	`if ( ! is_string( $value ) ) {`
`67`	`67`	`// Translators: %s is the parameter name.`
`68`		`- return new WP_Error( 'invalid_param', sprintf( esc_html__( '%s must be a string.', 'interactions' ), $param ) );`
	`68`	`+ return new WP_Error( 'invalid_param', sprintf( esc_html__( '%s must be a string.', 'interactions' ), esc_html( $param ) ) );`
`69`	`69`	`}`
`70`	`70`	`return true;`
`71`	`71`	`}`
`@@ -79,12 +79,12 @@ public static function validate_interaction( $value, $request, $param ) {`
`79`	`79`	`$data = json_decode( $value );`
`80`	`80`	`if ( ! $data ) {`
`81`	`81`	`// Translators: %s is the parameter name.`
`82`		`- return new WP_Error( 'invalid_param', sprintf( esc_html__( '%s must be a valid JSON string.', 'interactions' ), $param ) );`
	`82`	`+ return new WP_Error( 'invalid_param', sprintf( esc_html__( '%s must be a valid JSON string.', 'interactions' ), esc_html( $param ) ) );`
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`$result = Interact_Interaction::validate_interaction_data( $data );`
`86`	`86`	`if ( is_wp_error( $result ) ) {`
`87`		`- return $is_valid;`
	`87`	`+ return $result;`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`return true;`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ public function register_route() {`
`38`	`38`	`public static function validate_string( $value, $request, $param ) {`
`39`	`39`	`if ( ! is_string( $value ) ) {`
`40`	`40`	`// Translators: %s is a placeholder for a parameter name.`
`41`		`- return new WP_Error( 'invalid_param', sprintf( esc_html__( '%s must be a string.', 'interactions' ), $param ) );`
	`41`	`+ return new WP_Error( 'invalid_param', sprintf( esc_html__( '%s must be a string.', 'interactions' ), esc_html( $param ) ) );`
`42`	`42`	`}`
`43`	`43`	`return true;`
`44`	`44`	`}`