Fixes (thanks to unit tests) to over-eager sanitization

ytljc2003 · Jun 3, 2019 · ed77021 · ed77021
1 parent eaaa32f
commit ed77021
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 9 deletions.
diff --git a/includes/CMB2.php b/includes/CMB2.php
@@ -361,15 +361,18 @@ public function box_classes() {
 		 */
 		$classes = apply_filters( 'cmb2_wrap_classes', $classes, $this );
 
-		// Clean up.
-		$classes = array_map( 'strip_tags', array_filter( $classes ) );
+		$split = array();
+		foreach ( array_filter( $classes ) as $class ) {
+			foreach ( explode( ' ', $class ) as $_class ) {
+				// Clean up & sanitize.
+				$split[] = sanitize_html_class( strip_tags( $_class ) );
+			}
+		}
+		$classes = $split;
 
 		// Remove any duplicates.
 		$classes = array_unique( $classes );
 
-		// Sanitize
-		$classes = array_map( 'sanitize_html_class', $classes );
-
 		// Make it a string.
 		return implode( ' ', $classes );
 	}

diff --git a/includes/CMB2_Types.php b/includes/CMB2_Types.php
@@ -393,12 +393,14 @@ public function repeatable_rows() {
 	 * Generates a repeatable row's markup
 	 *
 	 * @since 1.1.0
-	 * @param string $class Repeatable table row's class
+	 * @param string $classes Repeatable table row's class
 	 */
-	protected function repeat_row( $class = 'cmb-repeat-row' ) {
+	protected function repeat_row( $classes = 'cmb-repeat-row' ) {
+		$classes = explode( ' ', $classes );
+		$classes = array_map( 'sanitize_html_class', $classes );
 		?>
 
-		<div class="cmb-row <?php echo esc_attr( sanitize_html_class( $class ) ); ?>">
+		<div class="cmb-row <?php echo esc_attr( implode( ' ', $classes ) ); ?>">
 			<div class="cmb-td">
 				<?php $this->_render(); ?>
 			</div>

diff --git a/tests/test-cmb-core.php b/tests/test-cmb-core.php
@@ -960,7 +960,7 @@ public function test_group_wrap_attributes() {
 
 		$clean_json = str_replace(
 			'<script>xss</script><a href="http://xssattackexamples.com/">Click to Download</a>',
-			'xssClick to Download',
+			'Click to Download',
 			$this->json
 		);