Tweak: Add output escaping, fixed: #194 (#208)

Author: KingYes

includes/admin-functions.php

@@ -133,7 +133,7 @@ function hello_elementor_fail_load_admin_notice() {
 		} );</script>
 	<div class="notice updated is-dismissible hello-elementor-notice hello-elementor-install-elementor">
 		<div class="hello-elementor-notice-aside">
-			<img src="<?php echo esc_url( get_template_directory_uri() ) . '/assets/images/elementor-notice-icon.svg'; ?>" alt="<?php _e( 'Get Elementor', 'hello-elementor' ); ?>" />
+			<img src="<?php echo esc_url( get_template_directory_uri() ) . '/assets/images/elementor-notice-icon.svg'; ?>" alt="<?php esc_attr_e( 'Get Elementor', 'hello-elementor' ); ?>" />
 		</div>
 		<div class="hello-elementor-notice-inner">
 			<div class="hello-elementor-notice-content">

includes/customizer/elementor-upsell.php

@@ -23,16 +23,10 @@ public function render_content() {
 		$this->print_customizer_upsell();
 
 		if ( isset( $this->description ) ) {
-			echo '<span class="description customize-control-description">' . $this->description . '</span>';
+			echo '<span class="description customize-control-description">' . wp_kses_post( $this->description ) . '</span>';
 		}
 	}
 
-	/**
-	 * Customizer deeplinks HTML
-	 *
-	 * @return string HTML to use in the customizer panel
-	 */
-
 	private function print_customizer_upsell() {
 		if ( ! function_exists( 'get_plugins' ) ) {
 			require_once ABSPATH . 'wp-admin/includes/plugin.php';
@@ -94,7 +88,7 @@ private function print_customizer_upsell() {
 			);
 		}
 
-		echo $customizer_content;
+		echo wp_kses_post( $customizer_content );
 	}
 
 	private function get_customizer_upsell_html( $title, $text, $url, $button_text, $image ) {

phpcs.xml

@@ -27,14 +27,11 @@
 		<exclude name="WordPress.Arrays.MultipleStatementAlignment" />
 		<exclude name="WordPress.CSRF.NonceVerification.NoNonceVerification" />
 		<exclude name="WordPress.Files.FileName.InvalidClassFileName" />
-		<exclude name="WordPress.Security.EscapeOutput.OutputNotEscaped"/>
-		<exclude name="WordPress.Security.EscapeOutput.UnsafePrintingFunction" />
 		<exclude name="WordPress.Security.NonceVerification.NoNonceVerification"/>
 		<exclude name="WordPress.Security.NonceVerification.Missing"/>
 		<exclude name="WordPress.WP.I18n.MissingTranslatorsComment" />
 		<exclude name="WordPress.WP.I18n.NonSingularStringLiteralSingle" />
 		<exclude name="WordPress.WP.I18n.NonSingularStringLiteralPlural" />
-		<exclude name="WordPress.XSS.EscapeOutput.OutputNotEscaped" />
 		<exclude name="WordPress.WP.EnqueuedResources.NonEnqueuedStylesheet" />
 		<exclude name="PEAR.Functions.FunctionCallSignature.ContentAfterOpenBracket" />
 		<exclude name="PEAR.Functions.FunctionCallSignature.MultipleArguments" />

template-parts/dynamic-footer.php

@@ -19,39 +19,42 @@
 	'echo' => false,
 ] );
 ?>
-<footer id="site-footer" class="site-footer dynamic-footer <?php echo $footer_class; ?>" role="contentinfo">
+<footer id="site-footer" class="site-footer dynamic-footer <?php echo esc_attr( $footer_class ); ?>" role="contentinfo">
 	<div class="footer-inner">
-		<div class="site-branding show-<?php echo hello_elementor_get_setting( 'hello_footer_logo_type' ); ?>">
+		<div class="site-branding show-<?php echo esc_attr( hello_elementor_get_setting( 'hello_footer_logo_type' ) ); ?>">
 			<?php if ( has_custom_logo() && ( 'title' !== hello_elementor_get_setting( 'hello_footer_logo_type' ) || $is_editor ) ) : ?>
-				<div class="site-logo <?php echo hello_show_or_hide( 'hello_footer_logo_display' ); ?>">
+				<div class="site-logo <?php echo esc_attr( hello_show_or_hide( 'hello_footer_logo_display' ) ); ?>">
 					<?php the_custom_logo(); ?>
 				</div>
 			<?php endif;
 
 			if ( $site_name && ( 'logo' !== hello_elementor_get_setting( 'hello_footer_logo_type' ) ) || $is_editor ) : ?>
-				<h4 class="site-title <?php echo hello_show_or_hide( 'hello_footer_logo_display' ); ?>">
+				<h4 class="site-title <?php echo esc_attr( hello_show_or_hide( 'hello_footer_logo_display' ) ); ?>">
 					<a href="<?php echo esc_url( home_url( '/' ) ); ?>" title="<?php esc_attr_e( 'Home', 'hello-elementor' ); ?>" rel="home">
 						<?php echo esc_html( $site_name ); ?>
 					</a>
 				</h4>
 			<?php endif;
 
 			if ( $tagline || $is_editor ) : ?>
-				<p class="site-description <?php echo hello_show_or_hide( 'hello_footer_tagline_display' ); ?>">
+				<p class="site-description <?php echo esc_attr( hello_show_or_hide( 'hello_footer_tagline_display' ) ); ?>">
 					<?php echo esc_html( $tagline ); ?>
 				</p>
 			<?php endif; ?>
 		</div>
 
 		<?php if ( $footer_nav_menu ) : ?>
-			<nav class="site-navigation <?php echo hello_show_or_hide( 'hello_footer_menu_display' ); ?>" role="navigation">
-				<?php echo $footer_nav_menu; ?>
+			<nav class="site-navigation <?php echo esc_attr( hello_show_or_hide( 'hello_footer_menu_display' ) ); ?>" role="navigation">
+				<?php
+				// PHPCS - escaped by WordPress with "wp_nav_menu"
+				echo $footer_nav_menu; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+				?>
 			</nav>
 		<?php endif; ?>
 
 		<?php if ( '' !== hello_elementor_get_setting( 'hello_footer_copyright_text' ) || $is_editor ) : ?>
-			<div class="copyright <?php echo hello_show_or_hide( 'hello_footer_copyright_display' ); ?>">
-				<p><?php echo hello_elementor_get_setting( 'hello_footer_copyright_text' ); ?></p>
+			<div class="copyright <?php echo esc_attr( hello_show_or_hide( 'hello_footer_copyright_display' ) ); ?>">
+				<p><?php echo wp_kses_post( hello_elementor_get_setting( 'hello_footer_copyright_text' ) ); ?></p>
 			</div>
 		<?php endif; ?>
 	</div>

template-parts/dynamic-header.php

@@ -24,40 +24,46 @@
 ?>
 <header id="site-header" class="site-header dynamic-header <?php echo esc_attr( hello_get_header_layout_class() ); ?>" role="banner">
 	<div class="header-inner">
-		<div class="site-branding show-<?php echo hello_elementor_get_setting( 'hello_header_logo_type' ); ?>">
+		<div class="site-branding show-<?php echo esc_attr( hello_elementor_get_setting( 'hello_header_logo_type' ) ); ?>">
 			<?php if ( has_custom_logo() && ( 'title' !== hello_elementor_get_setting( 'hello_header_logo_type' ) || $is_editor ) ) : ?>
-				<div class="site-logo <?php echo hello_show_or_hide( 'hello_header_logo_display' ); ?>">
+				<div class="site-logo <?php echo esc_attr( hello_show_or_hide( 'hello_header_logo_display' ) ); ?>">
 					<?php the_custom_logo(); ?>
 				</div>
 			<?php endif;
 
 			if ( $site_name && ( 'logo' !== hello_elementor_get_setting( 'hello_header_logo_type' ) || $is_editor ) ) : ?>
-				<h1 class="site-title <?php echo hello_show_or_hide( 'hello_header_logo_display' ); ?>">
+				<h1 class="site-title <?php echo esc_attr( hello_show_or_hide( 'hello_header_logo_display' ) ); ?>">
 					<a href="<?php echo esc_url( home_url( '/' ) ); ?>" title="<?php esc_attr_e( 'Home', 'hello-elementor' ); ?>" rel="home">
 						<?php echo esc_html( $site_name ); ?>
 					</a>
 				</h1>
 			<?php endif;
 
 			if ( $tagline && ( hello_elementor_get_setting( 'hello_header_tagline_display' ) || $is_editor ) ) : ?>
-				<p class="site-description <?php echo hello_show_or_hide( 'hello_header_tagline_display' ); ?> ">
+				<p class="site-description <?php echo esc_attr( hello_show_or_hide( 'hello_header_tagline_display' ) ); ?>">
 					<?php echo esc_html( $tagline ); ?>
 				</p>
 			<?php endif; ?>
 		</div>
 
 		<?php if ( $header_nav_menu ) : ?>
-			<nav class="site-navigation <?php echo hello_show_or_hide( 'hello_header_menu_display' ); ?>" role="navigation">
-				<?php echo $header_nav_menu; ?>
+			<nav class="site-navigation <?php echo esc_attr( hello_show_or_hide( 'hello_header_menu_display' ) ); ?>" role="navigation">
+				<?php
+				// PHPCS - escaped by WordPress with "wp_nav_menu"
+				echo $header_nav_menu; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+				?>
 			</nav>
-			<div class="site-navigation-toggle-holder <?php echo hello_show_or_hide( 'hello_header_menu_display' ); ?>">
+			<div class="site-navigation-toggle-holder <?php echo esc_attr( hello_show_or_hide( 'hello_header_menu_display' ) ); ?>">
 				<div class="site-navigation-toggle">
 					<i class="eicon-menu-bar"></i>
 					<span class="elementor-screen-only">Menu</span>
 				</div>
 			</div>
-			<nav class="site-navigation-dropdown <?php echo hello_show_or_hide( 'hello_header_menu_display' ); ?>" role="navigation">
-				<?php echo $header_nav_menu; ?>
+			<nav class="site-navigation-dropdown <?php echo esc_attr( hello_show_or_hide( 'hello_header_menu_display' ) ); ?>" role="navigation">
+				<?php
+				// PHPCS - escaped by WordPress with "wp_nav_menu"
+				echo $header_nav_menu; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+				?>
 			</nav>
 		<?php endif; ?>
 	</div>

template-parts/footer.php

@@ -18,7 +18,10 @@
 <footer id="site-footer" class="site-footer" role="contentinfo">
 	<?php if ( $footer_nav_menu ) : ?>
 		<nav class="site-navigation" role="navigation">
-			<?php echo $footer_nav_menu; ?>
+			<?php
+			// PHPCS - escaped by WordPress with "wp_nav_menu"
+			echo $footer_nav_menu; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+			?>
 		</nav>
 	<?php endif; ?>
 </footer>

template-parts/header.php

@@ -17,7 +17,7 @@
 ] );
 ?>
 <a class="skip-link screen-reader-text" href="#content">
-	<?php _e( 'Skip to content', 'hello-elementor' ); ?></a>
+	<?php esc_html_e( 'Skip to content', 'hello-elementor' ); ?></a>
 
 <header id="site-header" class="site-header" role="banner">
 
@@ -44,7 +44,10 @@
 
 	<?php if ( $header_nav_menu ) : ?>
 		<nav class="site-navigation" role="navigation">
-			<?php echo $header_nav_menu; ?>
+			<?php
+			// PHPCS - escaped by WordPress with "wp_nav_menu"
+			echo $header_nav_menu; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+			?>
 		</nav>
 	<?php endif; ?>
 </header>