Added automatic escaping.
ThierryA committed Mar 25, 2016
1 parent 1375587 commit 2554ee8
Showing 16 changed files with 73 additions and 44 deletions.
33 changes: 31 additions & 2 deletions lib/api/utilities/functions.php
Expand Up @@ -503,12 +503,41 @@ function beans_admin_menu_position( $position ) {
*/
function beans_sanitize_attributes( $attributes ) {

/**
* Filter attributes escaping methods.
*
* @since 1.3.1
*/
$methods = apply_filters( 'beans_escape_attributes_methods', array(
'id' => 'esc_attr',
'class' => 'esc_attr',
'name' => 'esc_attr',
'title' => 'esc_html',
'alt' => 'esc_html',
'href' => 'esc_url',
'src' => 'esc_url',
'placeholder' => 'esc_html',
'itemscope' => 'esc_attr',
'itemprop'=> 'esc_attr',
'itemtype' => 'esc_url',
'onclick' => 'esc_js'
) );

$string = '';

foreach ( (array) $attributes as $attribute => $value )
if ( $value !== null )
foreach ( (array) $attributes as $attribute => $value ) {

if ( $value !== null ) {

if ( $method = beans_get( $attribute, $methods ) )
$value = call_user_func( $method, $value );

$string .= $attribute . '="' . $value . '" ';

}

}

return trim( $string );

}
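Review bot: Attributes with no entry in `$methods` are concatenated raw at `$string .= $attribute . '="' . $value . '" '` because the `if ( $method = beans_get( $attribute, $methods ) )` guard only escapes known names, so `value`, `style`, `action`, `width`, `height`, `rel`, `type` and `data-*` still rely on every caller escaping them — while the "Automatically escaped." comments added elsewhere in this commit invite callers to stop doing that. A safer default is to fall back to `esc_attr` for unmapped names, `$method = beans_get( $attribute, $methods );` then `$value = call_user_func( $method ? $method : 'esc_attr', $value );` (WordPress escapers do not double-encode existing entities by default as far as I recall, so callers that still escape themselves should stay correct — verify). `title`, `alt` and `placeholder` are attribute values and belong on `esc_attr` rather than `esc_html`, and `esc_js` only makes a value safe inside a JavaScript string literal, so an `onclick` built from untrusted input is not made safe by that entry. The attribute name itself is never validated; no caller in this commit derives keys from user data, but if one ever does that is a second injection point.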
2 changes: 1 addition & 1 deletion lib/templates/fragments/breadcrumb.php
Expand Up @@ -134,7 +134,7 @@ function beans_breadcrumb() {
echo beans_open_markup( 'beans_breadcrumb_item', 'li' );

echo beans_open_markup( 'beans_breadcrumb_item_link', 'a', array(
'href' => esc_url( $breadcrumb_url )
'href' => $breadcrumb_url // Automatically escaped.
) );

// Used for mobile devices.
6 changes: 3 additions & 3 deletions lib/templates/fragments/comments.php
Expand Up @@ -205,7 +205,7 @@ function beans_comment_links() {
echo beans_open_markup( 'beans_comment_item[_edit]', 'li' );

echo beans_open_markup( 'beans_comment_item_link[_edit]', 'a', array(
'href' => esc_url( get_edit_comment_link( $comment->comment_ID ) )
'href' => get_edit_comment_link( $comment->comment_ID ) // Automatically escaped.
) );

echo beans_output( 'beans_comment_edit_text', __( 'Edit', 'tm-beans' ) );
Expand All @@ -220,7 +220,7 @@ function beans_comment_links() {
echo beans_open_markup( 'beans_comment_item[_link]', 'li' );

echo beans_open_markup( 'beans_comment_item_link[_link]', 'a', array(
'href' => esc_url( get_comment_link( $comment->comment_ID ) )
'href' => get_comment_link( $comment->comment_ID ) // Automatically escaped.
) );

echo beans_output( 'beans_comment_link_text', __( 'Link', 'tm-beans' ) );
Expand Down Expand Up @@ -388,7 +388,7 @@ function beans_comment_cancel_reply_link( $html, $link, $text ) {
'id' => 'cancel-comment-reply-link',
'class' => 'uk-button uk-button-small uk-button-danger uk-margin-small-right',
'style' => isset( $_GET['replytocom'] ) ? '' : 'display:none;',
'href' => $link
'href' => $link // Automatically escaped.
) );

echo beans_output( 'beans_comment_cancel_reply_link_text', $text );
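Review bot: In `beans_comment_cancel_reply_link` only `href` on that tag is covered by the new escaping map; `'style' => isset( $_GET['replytocom'] ) ? '' : 'display:none;'` has no entry and is emitted raw — safe today because both branches are constant strings, but the user-controlled `$_GET` check sits on the same line and a later change that interpolates it would ship unescaped. A comment makes the boundary explicit: `// 'style' is not auto-escaped; keep both branches constant.`. The enclosing functions start before their hunks.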
2 changes: 1 addition & 1 deletion lib/templates/fragments/footer.php
Expand Up @@ -29,7 +29,7 @@ function beans_footer_content() {
echo beans_close_markup( 'beans_footer_credit_left', 'span' );

$framework_link = beans_open_markup( 'beans_footer_credit_framework_link', 'a', array(
'href' => esc_url( 'http://www.getbeans.io' ),
'href' => 'http://www.getbeans.io', // Automatically escaped.
'rel' => 'designer'
) );

10 changes: 5 additions & 5 deletions lib/templates/fragments/header.php
Expand Up @@ -47,11 +47,11 @@ function beans_favicon() {
if ( function_exists( 'has_site_icon' ) && has_site_icon() )
return;

$path = file_exists( get_template_directory() . 'favicon.ico' ) ? get_template_directory() . 'favicon.ico' : BEANS_URL . 'favicon.ico';
$url = file_exists( get_template_directory() . 'favicon.ico' ) ? get_template_directory_uri() . 'favicon.ico' : BEANS_URL . 'favicon.ico';

echo beans_selfclose_markup( 'beans_favicon', 'link', array(
'rel' => 'Shortcut Icon',
'href' => esc_url( $path ),
'href' => $url, // Automatically escaped.
'type' => 'image/x-icon',
) );

Expand Down Expand Up @@ -96,16 +96,16 @@ function beans_site_branding() {
if ( $logo = get_theme_mod( 'beans_logo_image', false ) )
$name = beans_selfclose_markup( 'beans_logo_image', 'img', array(
'class' => 'tm-logo',
'src' => esc_url( $logo ),
'alt' => esc_attr( $name ),
'src' => $logo, // Automatically escaped.
'alt' => $name, // Automatically escaped.
) );

echo beans_open_markup( 'beans_site_branding', 'div', array(
'class' => 'tm-site-branding uk-float-left' . ( !get_bloginfo( 'description' ) ? ' uk-margin-small-top' : null ),
) );

echo beans_open_markup( 'beans_site_title_link', 'a', array(
'href' => esc_url( home_url() ),
'href' => home_url(), // Automatically escaped.
'rel' => 'home',
'itemprop' => 'headline'
) );
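Review bot: Both `file_exists( get_template_directory() . 'favicon.ico' )` and the `$url` built from `get_template_directory_uri() . 'favicon.ico'` concatenate with no path separator, so if `get_template_directory()` returns the path without a trailing slash (as I recall it does) the check looks for `…/themefavicon.ico` and the `BEANS_URL` fallback is always taken; use `trailingslashit( get_template_directory() ) . 'favicon.ico'` and `trailingslashit( get_template_directory_uri() ) . 'favicon.ico'`. Switching `href` from the filesystem `$path` to a URI is the right fix for the old code, which emitted a server path into the page. `'alt' => $name` in `beans_site_branding` now goes through `esc_html` per the new map instead of the `esc_attr` it had before; it is an attribute value, so `esc_attr` is the contextually correct escaper. Both functions start before their hunks.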
2 changes: 1 addition & 1 deletion lib/templates/fragments/menu.php
Expand Up @@ -27,7 +27,7 @@ function beans_primary_menu() {
'theme_location' => has_nav_menu( 'primary' ) ? 'primary' : '',
'fallback_cb' => 'beans_no_menu_notice',
'container' => '',
'menu_class' => $nav_visibility,
'menu_class' => $nav_visibility, // Automatically escaped.
'echo' => false,
'beans_type' => 'navbar'
) );
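Review bot: The "Automatically escaped." comment on `'menu_class' => $nav_visibility` is misleading here: this array is passed to `wp_nav_menu()`, not to `beans_open_markup`, so the class attribute only passes through `beans_sanitize_attributes` if Beans' menu walker routes the `<ul>` through it, which nothing in this commit shows. Either confirm that path or replace the comment with `// Escaped by wp_nav_menu(), not by beans_sanitize_attributes().` once verified. `beans_primary_menu` starts before this hunk.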
4 changes: 2 additions & 2 deletions lib/templates/fragments/post-shortcodes.php
Expand Up @@ -40,7 +40,7 @@ function beans_post_meta_author_shortcode() {
beans_output( 'beans_post_meta_author_prefix', __( 'By ', 'tm-beans' ) ) ;

echo beans_open_markup( 'beans_post_meta_author', 'a', array(
'href' => esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ),
'href' => get_author_posts_url( get_the_author_meta( 'ID' ) ), // Automatically escaped.
'rel' => 'author',
'itemprop' => 'author',
'itemtype' => 'http://schema.org/Person'
Expand Down Expand Up @@ -77,7 +77,7 @@ function beans_post_meta_comments_shortcode() {
$comment_text = beans_output( 'beans_post_meta_comments_text_plurial', __( '%s comments', 'tm-beans' ) );

echo beans_open_markup( 'beans_post_meta_comments', 'a', array(
'href' => esc_url( get_comments_link() )
'href' => get_comments_link() // Automatically escaped.
) );

printf( $comment_text, (int) get_comments_number( $post->ID ) );
32 changes: 16 additions & 16 deletions lib/templates/fragments/post.php
Expand Up @@ -23,7 +23,7 @@ function beans_post_title() {
if ( !is_singular() ) {

$title_link = beans_open_markup( 'beans_post_title_link', 'a', array(
'href' => esc_url( get_permalink() ),
'href' => get_permalink(), // Automatically escaped.
'title' => the_title_attribute( 'echo=0' ),
'rel' => 'bookmark'
) );
Expand Down Expand Up @@ -184,7 +184,7 @@ function beans_post_image() {

if ( !is_singular() )
echo beans_open_markup( 'beans_post_image_link', 'a', array(
'href' => esc_url( get_permalink() ),
'href' => get_permalink(), // Automatically escaped.
'title' => the_title_attribute( 'echo=0' )
) );

Expand All @@ -200,8 +200,8 @@ function beans_post_image() {
echo beans_selfclose_markup( 'beans_post_image_item', 'img', array(
'width' => $image->width,
'height' => $image->height,
'src' => esc_url( $image->src ),
'alt' => esc_attr( $image->alt ),
'src' => $image->src, // Automatically escaped.
'alt' => $image->alt, // Automatically escaped.
'itemprop' => 'image'
), $image );

Expand Down Expand Up @@ -268,7 +268,7 @@ function beans_post_more_link() {
global $post;

$output = beans_open_markup( 'beans_post_more_link', 'a', array(
'href' => esc_url( get_permalink() ) . "#more-{$post->ID}",
'href' => get_permalink() . "#more-{$post->ID}", // Automatically escaped.
'class' => 'more-link',
) );

Expand Down Expand Up @@ -362,9 +362,9 @@ function beans_previous_post_link( $output, $format, $link, $post ) {
$text = strip_tags( $output );

$output = beans_open_markup( 'beans_previous_link[_post_navigation]', 'a', array(
'href' => esc_url( get_permalink( $post ) ),
'href' => get_permalink( $post ), // Automatically escaped.
'ref' => 'previous',
'title' => esc_html( $post->post_title )
'title' => $post->post_title // Automatically escaped.
) );

$output .= beans_open_markup( 'beans_previous_icon[_post_navigation]', 'i', array(
Expand Down Expand Up @@ -398,9 +398,9 @@ function beans_next_post_link( $output, $format, $link, $post ) {
$text = strip_tags( $output );

$output = beans_open_markup( 'beans_next_link[_post_navigation]', 'a', array(
'href' => esc_url( get_permalink( $post ) ),
'href' => get_permalink( $post ), // Automatically escaped.
'rel' => 'next',
'title' => esc_html( $post->post_title )
'title' => $post->post_title // Automatically escaped.
) );

$output .= beans_output( 'beans_next_text[_post_navigation]', $text );
Expand Down Expand Up @@ -513,7 +513,7 @@ function beans_posts_pagination() {
echo beans_open_markup( 'beans_posts_pagination_item[_previous]', 'li' );

echo beans_open_markup( 'beans_previous_link[_posts_pagination]', 'a', array(
'href' => esc_url( previous_posts( false ) )
'href' => previous_posts( false ) // Automatically escaped.
), $current );

echo beans_open_markup( 'beans_previous_icon[_posts_pagination]', 'i', array(
Expand Down Expand Up @@ -582,7 +582,7 @@ function beans_posts_pagination() {
echo beans_open_markup( 'beans_posts_pagination_item', 'li' );

echo beans_open_markup( 'beans_posts_pagination_item_link', 'a', array(
'href' => esc_url( get_pagenum_link( $link ) )
'href' => get_pagenum_link( $link ) // Automatically escaped.
), $link );

echo beans_output( 'beans_posts_pagination_item_link_text', $link );
Expand All @@ -601,7 +601,7 @@ function beans_posts_pagination() {
echo beans_open_markup( 'beans_posts_pagination_item[_next]', 'li' );

echo beans_open_markup( 'beans_next_link[_posts_pagination]', 'a', array(
'href' => esc_url( next_posts( $count, false ) )
'href' => next_posts( $count, false ) // Automatically escaped.
), $current );

echo beans_output( 'beans_next_text[_posts_pagination]', __( 'Next', 'tm-beans' ) );
Expand Down Expand Up @@ -692,13 +692,13 @@ function beans_post_password_form() {
$output .= beans_open_markup( 'beans_password_form', 'form', array(
'class' => 'uk-form uk-margin-bottom',
'method' => 'post',
'action' => esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) )
'action' => site_url( 'wp-login.php?action=postpass', 'login_post' ) // Automatically escaped.
) );

$output .= beans_selfclose_markup( 'beans_password_form_input', 'input', array(
'class' => 'uk-margin-small-top uk-margin-small-right',
'type' => 'password',
'placeholder' => esc_attr( apply_filters( 'beans_password_form_input_placeholder', __( 'Password', 'tm-beans' ) ) ),
'placeholder' => apply_filters( 'beans_password_form_input_placeholder', __( 'Password', 'tm-beans' ) ), // Automatically escaped.
'name' => 'post_password'
) );

Expand Down Expand Up @@ -828,7 +828,7 @@ function beans_post_gallery( $output, $attr, $instance ) {

// WP adds the opening div in the gallery_style filter (weird), so we follow it as don't want to break people's site.
$gallery_div = beans_open_markup( "beans_post_gallery[_{$id}]", 'div', array(
'class' => "uk-grid uk-grid-width-small-1-{$columns} gallery galleryid-{$id} gallery-columns-{$columns} gallery-size-{$size_class}",
'class' => "uk-grid uk-grid-width-small-1-{$columns} gallery galleryid-{$id} gallery-columns-{$columns} gallery-size-{$size_class}", // Automatically escaped.
'data-uk-grid-margin' => false
), $id, $columns );

Expand Down Expand Up @@ -858,7 +858,7 @@ function beans_post_gallery( $output, $attr, $instance ) {

$output .= beans_open_markup( "beans_post_gallery_item[_{$attachment_id}]", $atts['itemtag'], array( 'class' => 'gallery-item' ) );

$output .= beans_open_markup( "beans_post_gallery_icon[_{$attachment_id}]", $atts['icontag'], array( 'class' => "gallery-icon {$orientation}" ) );
$output .= beans_open_markup( "beans_post_gallery_icon[_{$attachment_id}]", $atts['icontag'], array( 'class' => "gallery-icon {$orientation}" ) ); // Automatically escaped.

$output .= beans_output( "beans_post_gallery_icon[_{$attachment_id}]", $image_output, $attachment_id, $atts );

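Review bot: `'action' => site_url( 'wp-login.php?action=postpass', 'login_post' )` in `beans_post_password_form` is labelled "Automatically escaped." but `action` has no entry in `beans_escape_attributes_methods` (the map covers `id`, `class`, `name`, `title`, `alt`, `href`, `src`, `placeholder`, `itemscope`, `itemprop`, `itemtype`, `onclick`), so dropping `esc_url()` leaves the form action unescaped; restore it, `'action' => esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ),`. The same holds for `width`/`height` on the post image (`$image->width`, `$image->height`) and for `data-uk-grid-margin`, which are emitted raw. `'title' => the_title_attribute( 'echo=0' )` is already escaped by WordPress and now passes through `esc_html` as well; escapers do not double-encode by default as I recall, so this should be harmless, but `esc_attr` is the right context for an attribute value. The enclosing functions start before their hunks.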
2 changes: 1 addition & 1 deletion lib/templates/fragments/searchform.php
Expand Up @@ -27,7 +27,7 @@ function beans_search_form() {
$output .= beans_selfclose_markup( 'beans_search_form_input', 'input', array(
'class' => 'uk-width-1-1',
'type' => 'search',
'placeholder' => __( 'Search', 'tm-beans' ),
'placeholder' => __( 'Search', 'tm-beans' ), // Automatically escaped.
'value' => esc_attr( get_search_query() ),
'name' => 's'
) );
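Review bot: `'value' => esc_attr( get_search_query() )` correctly keeps its explicit escaping because `value` is not in `beans_escape_attributes_methods`, but nothing records why, and the neighbouring "Automatically escaped." comment invites a later cleanup that would drop it; add `// 'value' is not in beans_escape_attributes_methods; keep escaping explicitly.` on that line. `beans_search_form` starts before this hunk.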
4 changes: 2 additions & 2 deletions lib/templates/fragments/widget.php
Expand Up @@ -133,10 +133,10 @@ function beans_modify_widget_content_attributes( $attributes ) {
$current_class = isset( $attributes['class'] ) ? $attributes['class'] . ' ' : '';

if ( in_array( beans_get_widget( 'type' ), $target ) )
$attributes['class'] = $current_class . 'uk-list';
$attributes['class'] = $current_class . 'uk-list'; // Automatically escaped.

if ( $type == 'calendar' )
$attributes['class'] = $current_class . 'uk-table uk-table-condensed';
$attributes['class'] = $current_class . 'uk-table uk-table-condensed'; // Automatically escaped.

return $attributes;

2 changes: 1 addition & 1 deletion lib/templates/structure/comment.php
Expand Up @@ -6,7 +6,7 @@
*/

echo beans_open_markup( 'beans_comment', 'article', array(
'id' => 'div-comment-' . get_comment_ID(),
'id' => 'div-comment-' . get_comment_ID(), // Automatically escaped.
'class' => 'uk-comment',
'itemprop' => 'comment',
'itemscope' => 'itemscope',
8 changes: 4 additions & 4 deletions lib/templates/structure/content.php
Expand Up @@ -14,16 +14,16 @@
// Blog specific attributes.
if ( is_home() || is_page_template( 'page_blog.php' ) || is_singular( 'post' ) || is_archive() ) {

$content_attributes['itemscope'] = 'itemscope';
$content_attributes['itemtype'] = 'http://schema.org/Blog';
$content_attributes['itemscope'] = 'itemscope'; // Automatically escaped.
$content_attributes['itemtype'] = 'http://schema.org/Blog'; // Automatically escaped.

}

// Blog specific attributes.
if ( is_search() ) {

$content_attributes['itemscope'] = 'itemscope';
$content_attributes['itemtype'] = 'http://schema.org/SearchResultsPage';
$content_attributes['itemscope'] = 'itemscope'; // Automatically escaped.
$content_attributes['itemtype'] = 'http://schema.org/SearchResultsPage'; // Automatically escaped.

}

4 changes: 2 additions & 2 deletions lib/templates/structure/loop.php
Expand Up @@ -29,8 +29,8 @@
while ( have_posts() ) : the_post();

$article_attributes = array(
'id' => get_the_ID(),
'class' => implode( ' ', get_post_class( array( 'uk-article', ( current_theme_supports( 'beans-default-styling' ) ? 'uk-panel-box' : null ) ) ) ),
'id' => get_the_ID(), // Automatically escaped.
'class' => implode( ' ', get_post_class( array( 'uk-article', ( current_theme_supports( 'beans-default-styling' ) ? 'uk-panel-box' : null ) ) ) ), // Automatically escaped.
'itemscope' => 'itemscope',
'itemtype' => 'http://schema.org/CreativeWork'
);
2 changes: 1 addition & 1 deletion lib/templates/structure/sidebar-primary.php
Expand Up @@ -6,7 +6,7 @@
*/

echo beans_open_markup( 'beans_sidebar_primary', 'aside', array(
'class' => 'tm-secondary ' . beans_get_layout_class( 'sidebar_primary' ),
'class' => 'tm-secondary ' . beans_get_layout_class( 'sidebar_primary' ), // Automatically escaped.
'role' => 'complementary',
'itemscope' => 'itemscope',
'itemtype' => 'http://schema.org/WPSideBar'
2 changes: 1 addition & 1 deletion lib/templates/structure/sidebar-secondary.php
Expand Up @@ -6,7 +6,7 @@
*/

echo beans_open_markup( 'beans_sidebar_secondary', 'aside', array(
'class' => 'tm-tertiary ' . beans_get_layout_class( 'sidebar_secondary' ),
'class' => 'tm-tertiary ' . beans_get_layout_class( 'sidebar_secondary' ), // Automatically escaped.
'role' => 'complementary',
'itemscope' => 'itemscope',
'itemtype' => 'http://schema.org/WPSideBar'
2 changes: 1 addition & 1 deletion lib/templates/structure/widget-area.php
Expand Up @@ -15,7 +15,7 @@
if ( beans_get_widget_area( 'beans_type' ) == 'offcanvas' ) {

echo beans_open_markup( 'beans_widget_area_offcanvas_wrap' . _beans_widget_area_subfilters(), 'div', array(
'id' => beans_get_widget_area( 'id' ),
'id' => beans_get_widget_area( 'id' ), // Automatically escaped.
'class' => 'uk-offcanvas'
) );

