Escape all data and use native WP functions, where applicable, instea…

…d of their PHP counterparts
wolffe · Jun 12, 2024 · ad372e4 · ad372e4
1 parent 724a034
commit ad372e4
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 15 deletions.
diff --git a/includes/builder/class-custom-css.php b/includes/builder/class-custom-css.php
@@ -155,7 +155,7 @@ public function print_css() {
         if ( $css && ! $disable ) {
             ?>
             <style id="fx-builder-custom-css">
-                <?php echo wp_strip_all_tags( $css ); ?>
+                <?php echo esc_html( wp_strip_all_tags( $css ) ); ?>
             </style>
             <?php
         }

diff --git a/includes/builder/class-functions.php b/includes/builder/class-functions.php
@@ -59,9 +59,9 @@ public static function render_settings( $args = array() ) {
 
         $args = wp_parse_args( $args, $args_default );
         ?>
-        <div class="<?php echo sanitize_title( $args['id'] ); ?> fxb-modal" style="display:none;width:<?php echo esc_attr( $args['width'] ); ?>;height:<?php echo esc_attr( $args['height'] ); ?>;">
+        <div class="<?php echo esc_attr( sanitize_title( $args['id'] ) ); ?> fxb-modal" style="display:none;width:<?php echo esc_attr( $args['width'] ); ?>;height:<?php echo esc_attr( $args['height'] ); ?>;">
             <div class="fxb-modal-container">
-                <div class="fxb-modal-title"><?php echo $args['title']; ?><span class="fxb-modal-close" style="background-color:<?php echo esc_attr( $fxb_admin_color['2'] ); ?>"><?php esc_attr_e( 'Done', 'fx-builder' ); ?></span></div><!-- .fxb-modal-title -->
+                <div class="fxb-modal-title"><?php echo esc_attr( $args['title'] ); ?><span class="fxb-modal-close" style="background-color:<?php echo esc_attr( $fxb_admin_color['2'] ); ?>"><?php esc_attr_e( 'Done', 'fx-builder' ); ?></span></div><!-- .fxb-modal-title -->
 
                 <div class="fxb-modal-content">
                     <?php
@@ -185,7 +185,7 @@ public static function render_column( $args = array() ) {
             <input type="hidden" data-id="item_ids" data-row_field="<?php echo esc_attr( $field ); ?>" name="_fxb_rows[{{data.id}}][<?php echo esc_attr( $field ); ?>]" value="{{data.<?php echo esc_attr( $field ); ?>}}" autocomplete="off"/>
 
             <?php /* Column Title */ ?>
-            <h3 class="fxb-col-title"><span><?php echo $title; ?></span></h3>
+            <h3 class="fxb-col-title"><span><?php echo esc_attr( $title ); ?></span></h3>
 
             <div class="fxb-col-content"></div><!-- .fxb-col-content -->
 
@@ -242,7 +242,7 @@ public static function content( $post_id ) {
         }
         ob_start();
         ?>
-        <div id="fxb-<?php echo strip_tags( $post_id ); ?>" class="fxb-container">
+        <div id="fxb-<?php echo esc_attr( $post_id ); ?>" class="fxb-container">
 
             <?php foreach ( $rows as $row_id ) { ?>
                 <?php
@@ -270,9 +270,9 @@ public static function content( $post_id ) {
                     $row_column_gap = $rows_data[ $row_id ]['row_column_gap'] ? $rows_data[ $row_id ]['row_column_gap'] . $rows_data[ $row_id ]['row_column_gap_unit'] : '2em';
                     ?>
 
-                    <div id="<?php echo $row_html_id; ?>" class="<?php echo esc_attr( $row_html_class ); ?>" data-index="<?php echo intval( $rows_data[ $row_id ]['index'] ); ?>" data-layout="<?php echo esc_attr( $rows_data[ $row_id ]['layout'] ); ?>">
+                    <div id="<?php echo esc_attr( $row_html_id ); ?>" class="<?php echo esc_attr( $row_html_class ); ?>" data-index="<?php echo intval( $rows_data[ $row_id ]['index'] ); ?>" data-layout="<?php echo esc_attr( $rows_data[ $row_id ]['layout'] ); ?>">
 
-                        <div class="fxb-wrap" style="gap: <?php echo $row_column_gap; ?>">
+                        <div class="fxb-wrap" style="gap: <?php echo esc_attr( $row_column_gap ); ?>">
 
                             <?php
                             $cols = range( 1, $rows_data[ $row_id ]['col_num'] );
@@ -286,7 +286,7 @@ public static function content( $post_id ) {
                                         <?php foreach ( $items as $item_id ) { ?>
                                             <?php if ( isset( $items_data[ $item_id ] ) ) { ?>
 
-                                                <div id="fxb-item-<?php echo strip_tags( $item_id ); ?>" class="fxb-item">
+                                                <div id="fxb-item-<?php echo esc_attr( $item_id ); ?>" class="fxb-item">
                                                     <div class="fxb-wrap">
                                                         <?php echo wpautop( $items_data[ $item_id ]['content'] ); ?>
                                                     </div><!-- .fxb-item > .fxb-wrap -->

diff --git a/includes/builder/class-sanitize.php b/includes/builder/class-sanitize.php
@@ -39,8 +39,8 @@ public static function rows_data( $input ) {
             ];
 
             $rows[ $row_id ]                   = wp_parse_args( $row_data, $default );
-            $rows[ $row_id ]['id']             = strip_tags( $rows[ $row_id ]['id'] );
-            $rows[ $row_id ]['index']          = strip_tags( $rows[ $row_id ]['index'] );
+            $rows[ $row_id ]['id']             = wp_strip_all_tags( $rows[ $row_id ]['id'] );
+            $rows[ $row_id ]['index']          = wp_strip_all_tags( $rows[ $row_id ]['index'] );
             $rows[ $row_id ]['state']          = self::state( $rows[ $row_id ]['state'] );
             $rows[ $row_id ]['col_num']        = Functions::get_col_num( $rows[ $row_id ]['layout'] );
             $rows[ $row_id ]['layout']         = self::layout( $rows[ $row_id ]['layout'] );
@@ -80,11 +80,11 @@ public static function items_data( $input ) {
             );
 
             $items[ $item_id ]               = wp_parse_args( $item_data, $default );
-            $items[ $item_id ]['item_id']    = strip_tags( $items[ $item_id ]['item_id'] );
-            $items[ $item_id ]['item_index'] = strip_tags( $items[ $item_id ]['item_index'] );
+            $items[ $item_id ]['item_id']    = wp_strip_all_tags( $items[ $item_id ]['item_id'] );
+            $items[ $item_id ]['item_index'] = wp_strip_all_tags( $items[ $item_id ]['item_index'] );
             $items[ $item_id ]['item_state'] = self::state( $items[ $item_id ]['item_state'] );
             $items[ $item_id ]['item_type']  = self::item_type( $items[ $item_id ]['item_type'] );
-            $items[ $item_id ]['row_id']     = strip_tags( $items[ $item_id ]['row_id'] );
+            $items[ $item_id ]['row_id']     = wp_strip_all_tags( $items[ $item_id ]['row_id'] );
             $items[ $item_id ]['col_index']  = self::item_col_index( $items[ $item_id ]['col_index'] );
             $items[ $item_id ]['content']    = wp_kses_post( $items[ $item_id ]['content'] );
         }
@@ -124,7 +124,7 @@ public static function layout( $layout ) {
      */
     public static function ids( $input ) {
         $output = explode( ',', $input );
-        $output = array_map( 'strip_tags', $output );
+        $output = array_map( 'wp_strip_all_tags', $output );
         $output = implode( ',', $output );
         return $output;
     }

diff --git a/includes/builder/class-tools.php b/includes/builder/class-tools.php
@@ -125,7 +125,7 @@ public function ajax_export_to_json() {
             'items'   => isset( $request['items'] ) ? $request['items'] : array(),
         );
 
-        echo json_encode( $data );
+        echo wp_json_encode( $data );
         wp_die();
     }