Merge pull request #386 from lloc/raise-coverage

Security fixes
lloc · Sep 23, 2024 · 6509fa4 · 6509fa4
2 parents 6dcea8b + 603ec7d
commit 6509fa4
Show file tree

Hide file tree

Showing 8 changed files with 21 additions and 17 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,10 +1,12 @@
+.idea/
+.phpunit.result.cache
+.phpunit.cache
 composer.lock
 composer.phar
+multisite-language-switcher/
+multisite-language-switcher.zip
 package-lock.json
 phpunit.xml.bak
-.idea/
-.phpunit.result.cache
-.phpunit.cache
 tests/coverage/
 tests/playwright-results/
 tests/playwright-report/

diff --git a/includes/Map/HrefLang.php b/includes/Map/HrefLang.php
@@ -12,7 +12,7 @@
 class HrefLang {
 
 	/**
-	 * @var array<string, array<int, string>>
+	 * @var array<string, string>
 	 */
 	protected $map = array();
 

diff --git a/includes/MslsCustomColumn.php b/includes/MslsCustomColumn.php
@@ -94,7 +94,7 @@ public function td( $column_name, $item_id ): void {
 					printf(
 						'<span class="msls-icon-wrapper %1$s">%2$s</span>',
 						esc_attr( $this->options->get_icon_type() ),
-						$icon->get_a()
+						wp_kses_post( $icon->get_a() )
 					);
 
 					restore_current_blog();

diff --git a/includes/MslsOutput.php b/includes/MslsOutput.php
@@ -95,9 +95,9 @@ public function get( ?int $display, bool $filter = false, $exists = false ): arr
 	 * @return string
 	 */
 	public function get_alternate_links() {
-		$blogs    = msls_blog_collection();
-		$hreflang = new HrefLang( $blogs );
-		$options  = MslsOptions::create();
+		$blogs   = msls_blog_collection();
+		$hlObj   = new HrefLang( $blogs );
+		$options = MslsOptions::create();
 
 		$arr     = array();
 		$default = '';
@@ -110,13 +110,14 @@ public function get_alternate_links() {
 			}
 
 			$description = $blog->get_description();
+			$hreflang    = $hlObj->get( $blog->get_language() );
 
 			$format = '<link rel="alternate" hreflang="%s" href="%s" title="%s" />';
 			if ( '' === $default ) {
-				$default = sprintf( $format, 'x-default', $url, esc_attr( $description ) );
+				$default = sprintf( $format, 'x-default', esc_url( $url ), esc_attr( $description ) );
 			}
 
-			$arr[] = sprintf( $format, $hreflang->get( $blog->get_language() ), $url, esc_attr( $description ) );
+			$arr[] = sprintf( $format, esc_attr( $hreflang ), esc_url( $url ), esc_attr( $description ) );
 		}
 
 		if ( 1 === count( $arr ) ) {

diff --git a/includes/MslsPlugin.php b/includes/MslsPlugin.php
@@ -190,7 +190,7 @@ public function init_i18n_support(): void {
 	 */
 	public static function message_handler( $message, $css_class = 'error' ) {
 		if ( ! empty( $message ) ) {
-			printf( '<div id="msls-warning" class="%s"><p>%s</p></div>', $css_class, $message );
+			printf( '<div id="msls-warning" class="%s"><p>%s</p></div>', esc_attr( $css_class ), esc_html( $message ) );
 
 			return true;
 		}

diff --git a/includes/MslsPostTag.php b/includes/MslsPostTag.php
@@ -160,7 +160,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo
 
 			$this->maybe_set_linked_term( $mydata );
 
-			printf( $title_format, $this->get_select_title(), $type );
+			printf( wp_kses_post( $title_format ), esc_html( $this->get_select_title() ), esc_attr( $type ) );
 
 			foreach ( $blogs as $blog ) {
 				switch_to_blog( $blog->userblog_id );
@@ -179,7 +179,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo
 					}
 				}
 
-				printf( $item_format, $blog->userblog_id, $icon, $language, $value, $title );
+				printf( wp_kses_post( $item_format ), esc_attr( $blog->userblog_id ), wp_kses_post( $icon ), esc_attr( $language ), esc_attr( $value ), esc_attr( $title ) );
 
 				restore_current_blog();
 			}

diff --git a/includes/MslsPostTagClassic.php b/includes/MslsPostTagClassic.php
@@ -77,7 +77,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo
 
 			$this->maybe_set_linked_term( $mydata );
 
-			printf( $title_format, $this->get_select_title() );
+			printf( wp_kses_post( $title_format ), esc_html( $this->get_select_title() ) );
 
 			foreach ( $blogs as $blog ) {
 				$this->print_option( $blog, $type, $mydata, $item_format );
@@ -119,14 +119,14 @@ public function print_option( MslsBlog $blog, string $type, MslsOptionsTax $myda
 			foreach ( $terms as $term ) {
 				$options .= sprintf(
 					'<option value="%s" %s>%s</option>',
-					$term->term_id,
+					esc_attr( $term->term_id ),
 					selected( $term->term_id, $mydata->$language, false ),
-					$term->name
+					esc_html( $term->name )
 				);
 			}
 		}
 
-		printf( $item_format, $language, $icon, $options );
+		printf( wp_kses_post( $item_format ), esc_attr( $language ), wp_kses_post( $icon ), wp_kses_post( $options ) );
 
 		restore_current_blog();
 	}

diff --git a/tests/phpunit/MslsUnitTestCase.php b/tests/phpunit/MslsUnitTestCase.php
@@ -26,6 +26,7 @@ protected function setUp(): void {
 		Functions\when( 'esc_url' )->returnArg();
 		Functions\when( '__' )->returnArg();
 		Functions\when( 'wp_kses' )->returnArg();
+		Functions\when( 'wp_kses_post' )->returnArg();
 		Functions\when( 'sanitize_text_field' )->returnArg();
 	}