Merge pull request #343 from paulschreiber/fix/sanitization
Escaping of attributes and HTML output
mjangda committed Mar 28, 2016
2 parents 0c28e66 + a0334e8 commit 1f33031
Showing 5 changed files with 35 additions and 35 deletions.
4 changes: 2 additions & 2 deletions co-authors-plus.php
Expand Up @@ -363,7 +363,7 @@ public function coauthors_meta_box( $post ) {
?>
<li>
<?php echo get_avatar( $coauthor->user_email, $this->gravatar_size ); ?>
<span id="coauthor-readonly-<?php echo $count; ?>" class="coauthor-tag">
<span id="<?php echo esc_attr( 'coauthor-readonly-' . $count ); ?>" class="coauthor-tag">
<input type="text" name="coauthorsinput[]" readonly="readonly" value="<?php echo esc_attr( $coauthor->display_name ); ?>" />
<input type="text" name="coauthors[]" value="<?php echo esc_attr( $coauthor->user_login ); ?>" />
<input type="text" name="coauthorsemails[]" value="<?php echo esc_attr( $coauthor->user_email ); ?>" />
Expand Down Expand Up @@ -1066,7 +1066,7 @@ public function ajax_suggest() {
$authors = $this->search_authors( $search, $ignore );

foreach ( $authors as $author ) {
echo $author->ID . ' | ' . $author->user_login . ' | ' . $author->display_name . ' | ' . $author->user_email . ' | ' . $author->user_nicename . "\n";
echo esc_html( $author->ID . ' | ' . $author->user_login . ' | ' . $author->display_name . ' | ' . $author->user_email . ' | ' . $author->user_nicename ) . "\n";
}

die();
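Review bot: The new line in ajax_suggest HTML-escapes a response that is plain text read by a script rather than a document, so a display name such as `Smith & Wesson` now travels as `Smith &amp; Wesson`; unless the client decodes entities or inserts the field as HTML (the JavaScript is not in this diff), the suggestion list will show the entity literally. If the goal is to keep the pipe-delimited payload well-formed, strip the delimiters per field instead, e.g. `str_replace( array( '|', "\n" ), '', $author->display_name )`, and leave HTML escaping to the point where the value is rendered; if the client does treat the text as HTML, a comment above the `echo` saying so would spare the next reader the same question. ajax_suggest starts outside the hunk.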
56 changes: 28 additions & 28 deletions php/class-coauthors-guest-authors.php
Expand Up @@ -187,19 +187,19 @@ function handle_create_guest_author_action() {
}

if ( ! wp_verify_nonce( $_GET['nonce'], 'create-guest-author' ) ) {
wp_die( __( "Doin' something fishy, huh?", 'co-authors-plus' ) );
wp_die( esc_html__( "Doin' something fishy, huh?", 'co-authors-plus' ) );
}

if ( ! current_user_can( $this->list_guest_authors_cap ) ) {
wp_die( __( "You don't have permission to perform this action.", 'co-authors-plus' ) );
wp_die( esc_html__( "You don't have permission to perform this action.", 'co-authors-plus' ) );
}

$user_id = intval( $_GET['user_id'] );

// Create the guest author
$post_id = $this->create_guest_author_from_user_id( $user_id );
if ( is_wp_error( $post_id ) ) {
wp_die( $post_id->get_error_message() );
wp_die( esc_html( $post_id->get_error_message() ) );
}

// Redirect to the edit Guest Author screen
Expand All @@ -224,18 +224,18 @@ function handle_delete_guest_author_action() {

// Verify the user is who they say they are
if ( ! wp_verify_nonce( $_POST['_wpnonce'], 'delete-guest-author' ) ) {
wp_die( __( "Doin' something fishy, huh?", 'co-authors-plus' ) );
wp_die( esc_html__( "Doin' something fishy, huh?", 'co-authors-plus' ) );
}

// Make sure they can perform the action
if ( ! current_user_can( $this->list_guest_authors_cap ) ) {
wp_die( __( "You don't have permission to perform this action.", 'co-authors-plus' ) );
wp_die( esc_html__( "You don't have permission to perform this action.", 'co-authors-plus' ) );
}

// Make sure the guest author actually exists
$guest_author = $this->get_guest_author_by( 'ID', (int) $_POST['id'] );
if ( ! $guest_author ) {
wp_die( sprintf( __( "%s can't be deleted because it doesn't exist.", 'co-authors-plus' ), $this->labels['singular'] ) );
wp_die( esc_html( sprintf( __( "%s can't be deleted because it doesn't exist.", 'co-authors-plus' ), $this->labels['singular'] ) ) );
}

// Perform the reassignment if needed
Expand All @@ -250,7 +250,7 @@ function handle_delete_guest_author_action() {
$user_nicename = sanitize_title( $_POST['leave-assigned-to'] );
$reassign_to = $coauthors_plus->get_coauthor_by( 'user_nicename', $user_nicename );
if ( ! $reassign_to ) {
wp_die( __( 'Co-author does not exists. Try again?', 'co-authors-plus' ) );
wp_die( esc_html__( 'Co-author does not exists. Try again?', 'co-authors-plus' ) );
}
$reassign_to = $reassign_to->user_login;
break;
Expand All @@ -259,7 +259,7 @@ function handle_delete_guest_author_action() {
$reassign_to = false;
break;
default:
wp_die( __( 'Please make sure to pick an option.', 'co-authors-plus' ) );
wp_die( esc_html__( 'Please make sure to pick an option.', 'co-authors-plus' ) );
break;
}

Expand Down Expand Up @@ -453,22 +453,22 @@ function view_guest_authors_list() {
if ( isset( $_GET['action'], $_GET['id'], $_GET['_wpnonce'] ) && 'delete' == $_GET['action'] ) {
// Make sure the user is who they say they are
if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'guest-author-delete' ) ) {
wp_die( __( "Doin' something fishy, huh?", 'co-authors-plus' ) );
wp_die( esc_html__( "Doin' something fishy, huh?", 'co-authors-plus' ) );
}

// Make sure the guest author actually exists
$guest_author = $this->get_guest_author_by( 'ID', (int) $_GET['id'] );
if ( ! $guest_author ) {
wp_die( sprintf( __( "%s can't be deleted because it doesn't exist.", 'co-authors-plus' ), $this->labels['singular'] ) );
wp_die( esc_html( sprintf( __( "%s can't be deleted because it doesn't exist.", 'co-authors-plus' ), $this->labels['singular'] ) ) );
}

echo '<div class="wrap">';
echo '<div class="icon32" id="icon-users"><br/></div>';
echo '<h2>' . sprintf( __( 'Delete %s', 'co-authors-plus ' ), $this->labels['plural'] ) . '</h2>';
echo '<p>' . sprintf( __( 'You have specified this %s for deletion:', 'co-authors-plus' ), strtolower( $this->labels['singular'] ) ) . '</p>';
echo '<p>#' . $guest_author->ID . ': ' . esc_html( $guest_author->display_name ) . '</p>';
echo '<p>' . sprintf( __( 'What should be done with posts assigned to this %s?', 'co-authors-plus' ), strtolower( $this->labels['singular'] ) ) . '</p>';
echo '<p class="description">' . sprintf( __( "Note: If you'd like to delete the %s and all of their posts, you should delete their posts first and then come back to delete the %s.", 'co-authors-plus' ), strtolower( $this->labels['singular'] ), strtolower( $this->labels['singular'] ) ) . '</p>';
echo '<h2>' . esc_html( sprintf( __( 'Delete %s', 'co-authors-plus ' ), $this->labels['plural'] ) ) . '</h2>';
echo '<p>' . esc_html( sprintf( __( 'You have specified this %s for deletion:', 'co-authors-plus' ), strtolower( $this->labels['singular'] ) ) ) . '</p>';
echo '<p>#' . esc_html( $guest_author->ID . ': ' . $guest_author->display_name ) . '</p>';
echo '<p>' . esc_html( sprintf( __( 'What should be done with posts assigned to this %s?', 'co-authors-plus' ), strtolower( $this->labels['singular'] ) ) ) . '</p>';
echo '<p class="description">' . esc_html( sprintf( __( "Note: If you'd like to delete the %s and all of their posts, you should delete their posts first and then come back to delete the %s.", 'co-authors-plus' ), strtolower( $this->labels['singular'] ), strtolower( $this->labels['singular'] ) ) ) . '</p>';
echo '<form method="POST" action="' . esc_url( add_query_arg( 'page', 'view-guest-authors', admin_url( $this->parent_page ) ) ) . '">';
// Hidden stuffs
echo '<input type="hidden" name="action" value="delete-guest-author" />';
Expand All @@ -477,18 +477,18 @@ function view_guest_authors_list() {
echo '<fieldset><ul style="list-style-type:none;">';
// Reassign to another user
echo '<li class="hide-if-no-js"><label for="reassign-another">';
echo '<input type="radio" id="reassign-another" name="reassign" class="reassign-option" value="reassign-another" />&nbsp;&nbsp;' . __( 'Reassign to another co-author:', 'co-authors-plus' ) . '&nbsp;&nbsp;</label>';
echo '<input type="radio" id="reassign-another" name="reassign" class="reassign-option" value="reassign-another" />&nbsp;&nbsp;' . esc_html__( 'Reassign to another co-author:', 'co-authors-plus' ) . '&nbsp;&nbsp;</label>';
echo '<input type="hidden" id="leave-assigned-to" name="leave-assigned-to" style="width:200px;" />';
echo '</li>';
// Leave mapped to a linked account
if ( get_user_by( 'login', $guest_author->linked_account ) ) {
echo '<li><label for="leave-assigned">';
echo '<input type="radio" id="leave-assigned" class="reassign-option" name="reassign" value="leave-assigned" />&nbsp;&nbsp;' . sprintf( __( 'Leave posts assigned to the mapped user, %s.', 'co-authors-plus' ), $guest_author->linked_account );
echo '<input type="radio" id="leave-assigned" class="reassign-option" name="reassign" value="leave-assigned" />&nbsp;&nbsp;' . esc_html( sprintf( __( 'Leave posts assigned to the mapped user, %s.', 'co-authors-plus' ) ), $guest_author->linked_account );
echo '</label></li>';
}
// Remove bylines from the posts
echo '<li><label for="remove-byline">';
echo '<input type="radio" id="remove-byline" class="reassign-option" name="reassign" value="remove-byline" />&nbsp;&nbsp;' . __( 'Remove byline from posts (but leave each post in its current status).', 'co-authors-plus' );
echo '<input type="radio" id="remove-byline" class="reassign-option" name="reassign" value="remove-byline" />&nbsp;&nbsp;' . esc_html__( 'Remove byline from posts (but leave each post in its current status).', 'co-authors-plus' );
echo '</label></li>';
echo '</ul></fieldset>';
submit_button( __( 'Confirm Deletion', 'co-authors-plus' ), 'secondary', 'submit', true, array( 'disabled' => 'disabled' ) );
Expand All @@ -497,10 +497,10 @@ function view_guest_authors_list() {
} else {
echo '<div class="wrap">';
echo '<div class="icon32" id="icon-users"><br/></div>';
echo '<h2>' . $this->labels['plural'];
echo '<h2>' . esc_html( $this->labels['plural'] );
// @todo caps check for creating a new user
$add_new_link = admin_url( "post-new.php?post_type=$this->post_type" );
echo '<a href="' . $add_new_link . '" class="add-new-h2">' . esc_html( __( 'Add New', 'co-authors-plus' ) ) . '</a>';
echo '<a href="' . esc_url( $add_new_link ) . '" class="add-new-h2">' . esc_html__( 'Add New', 'co-authors-plus' ) . '</a>';
echo '</h2>';
$cap_list_table = new CoAuthors_WP_List_Table();
$cap_list_table->prepare_items();
Expand Down Expand Up @@ -565,7 +565,7 @@ function metabox_manage_guest_author_slug() {
unset( $linked_account_user_ids[ $key ] );
}

echo '<p><label>' . __( 'WordPress User Mapping', 'co-authors-plus' ) . '</label> ';
echo '<p><label>' . esc_html__( 'WordPress User Mapping', 'co-authors-plus' ) . '</label> ';
wp_dropdown_users( apply_filters( 'coauthors_guest_author_linked_account_args', array(
'show_option_none' => __( '-- Not mapped --', 'co-authors-plus' ),
'name' => esc_attr( $this->get_post_meta_key( 'linked_account' ) ),
Expand Down Expand Up @@ -604,7 +604,7 @@ function metabox_manage_guest_author_name() {
$pm_key = $this->get_post_meta_key( $field['key'] );
$value = get_post_meta( $post->ID, $pm_key, true );
echo '<tr><th>';
echo '<label for="' . esc_attr( $pm_key ) . '">' . $field['label'] . '</label>';
echo '<label for="' . esc_attr( $pm_key ) . '">' . esc_html( $field['label'] ) . '</label>';
echo '</th><td>';

if ( ! isset( $field['input'] ) ) {
Expand Down Expand Up @@ -639,7 +639,7 @@ function metabox_manage_guest_author_contact_info() {
$pm_key = $this->get_post_meta_key( $field['key'] );
$value = get_post_meta( $post->ID, $pm_key, true );
echo '<tr><th>';
echo '<label for="' . esc_attr( $pm_key ) . '">' . $field['label'] . '</label>';
echo '<label for="' . esc_attr( $pm_key ) . '">' . esc_html( $field['label'] ) . '</label>';
echo '</th><td>';

if ( ! isset( $field['input'] ) ) {
Expand Down Expand Up @@ -675,7 +675,7 @@ function metabox_manage_guest_author_bio() {
$pm_key = $this->get_post_meta_key( $field['key'] );
$value = get_post_meta( $post->ID, $pm_key, true );
echo '<tr><th>';
echo '<label for="' . esc_attr( $pm_key ) . '">' . $field['label'] . '</label>';
echo '<label for="' . esc_attr( $pm_key . '">' ) . esc_html( $field['label'] ) . '</label>';
echo '</th><td>';
echo '<textarea style="width:300px;margin-bottom:6px;" name="' . esc_attr( $pm_key ) . '">' . esc_textarea( $value ) . '</textarea>';
echo '</td></tr>';
Expand Down Expand Up @@ -703,7 +703,7 @@ function manage_guest_author_filter_post_data( $post_data, $original_args ) {

// Validate the display name
if ( empty( $_POST['cap-display_name'] ) ) {
wp_die( __( 'Guest authors cannot be created without display names.', 'co-authors-plus' ) );
wp_die( esc_html__( 'Guest authors cannot be created without display names.', 'co-authors-plus' ) );
}
$post_data['post_title'] = sanitize_text_field( $_POST['cap-display_name'] );

Expand All @@ -714,7 +714,7 @@ function manage_guest_author_filter_post_data( $post_data, $original_args ) {

// Uh oh, no guest authors without slugs
if ( ! $slug ) {
wp_die( __( 'Guest authors cannot be created without display names.', 'co-authors-plus' ) );
wp_die( esc_html__( 'Guest authors cannot be created without display names.', 'co-authors-plus' ) );
}
$post_data['post_name'] = $this->get_post_meta_key( $slug );

Expand All @@ -724,13 +724,13 @@ function manage_guest_author_filter_post_data( $post_data, $original_args ) {
if ( $user
&& is_user_member_of_blog( $user->ID, get_current_blog_id() )
&& $user->user_login != get_post_meta( $original_args['ID'], $this->get_post_meta_key( 'linked_account' ), true ) ) {
wp_die( __( 'Guest authors cannot be created with the same user_login value as a user. Try creating a profile from the user on the Manage Users listing instead.', 'co-authors-plus' ) );
wp_die( esc_html__( 'Guest authors cannot be created with the same user_login value as a user. Try creating a profile from the user on the Manage Users listing instead.', 'co-authors-plus' ) );
}

// Guest authors can't have the same post_name value
$guest_author = $this->get_guest_author_by( 'post_name', $post_data['post_name'] );
if ( $guest_author && $guest_author->ID != $original_args['ID'] ) {
wp_die( __( 'Display name conflicts with another guest author display name.', 'co-authors-plus' ) );
wp_die( esc_html__( 'Display name conflicts with another guest author display name.', 'co-authors-plus' ) );
}

return $post_data;
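Review bot: On the `leave-assigned` label line in view_guest_authors_list (the one carrying the added esc_html) the closing parenthesis of sprintf moved: `sprintf( __( 'Leave posts assigned to the mapped user, %s.', 'co-authors-plus' ) )` gets no argument for `%s`, and `$guest_author->linked_account` becomes a second, ignored argument to esc_html, so on PHP 7 sprintf warns and returns false and the label text vanishes (PHP 8 throws an ArgumentCountError). The line should end with `esc_html( sprintf( __( 'Leave posts assigned to the mapped user, %s.', 'co-authors-plus' ), $guest_author->linked_account ) );`. The same slip appears in metabox_manage_guest_author_bio, where `esc_attr( $pm_key . '">' )` escapes the quote and bracket that close the `for` attribute into `&quot;&gt;`, so the `<label>` tag is left open and the following markup is swallowed into the attribute; the sibling name and contact-info metaboxes show the intended form, `echo '<label for="' . esc_attr( $pm_key ) . '">' . esc_html( $field['label'] ) . '</label>';`. Both functions begin and end outside their hunks.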
2 changes: 1 addition & 1 deletion php/class-coauthors-template-filters.php
Expand Up @@ -43,7 +43,7 @@ function action_add_rss_guest_authors() {
array_shift( $coauthors );

foreach ( $coauthors as $coauthor ) {
echo ' <dc:creator><![CDATA[' . $coauthor->display_name . "]]></dc:creator>\n";
echo ' <dc:creator><![CDATA[' . esc_html( $coauthor->display_name ) . "]]></dc:creator>\n";
}
}
}
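Review bot: Inside the `<![CDATA[ ... ]]>` wrapper on the new line of action_add_rss_guest_authors, entity references are not decoded, so esc_html makes a display name like `A & B` reach feed readers as `A &amp; B`. The only sequence that needs neutralising inside CDATA is `]]>`, so either keep the wrapper and write `str_replace( ']]>', ']]&gt;', $coauthor->display_name )`, or drop the wrapper and let the escaped text stand as ordinary XML character data: `echo ' <dc:creator>' . esc_html( $coauthor->display_name ) . "</dc:creator>\n";`. The function's opening lines are outside the hunk.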
6 changes: 3 additions & 3 deletions php/class-coauthors-wp-list-table.php
Expand Up @@ -164,10 +164,10 @@ function get_columns() {
function single_row( $item ) {
static $alternate_class = '';
$alternate_class = ( '' === $alternate_class ? ' alternate' : '' );
$row_class = ' class="guest-author-static' . $alternate_class . '"';
$row_class = 'guest-author-static' . $alternate_class . '"';

echo '<tr id="guest-author-' . $item->ID . '"' . $row_class . '>';
echo $this->single_row_columns( $item );
echo '<tr id="' . esc_attr( 'guest-author-' . $item->ID ) . '" class="' . esc_attr( $row_class ) . '">';
$this->single_row_columns( $item );
echo '</tr>';
}

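Review bot: The new `$row_class` assignment in single_row (the one paired with the esc_attr-wrapped `class="..."` on the echo line) still appends a trailing `'"'` left over from the old attribute-building form, and esc_attr turns it into `&quot;`, so the rendered attribute is `class="guest-author-static alternate&quot;"` and the last class token carries a stray quote; the `alternate` striping and any `.guest-author-static` selector will not match. Drop the literal: `$row_class = 'guest-author-static' . $alternate_class;`.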
2 changes: 1 addition & 1 deletion template-tags.php
Expand Up @@ -92,7 +92,7 @@ function __construct( $postID = 0 ) {
}

if ( ! $postID ) {
trigger_error( __( 'No post ID provided for CoAuthorsIterator constructor. Are you not in a loop or is $post not set?', 'co-authors-plus' ) ); // return null;
trigger_error( esc_html__( 'No post ID provided for CoAuthorsIterator constructor. Are you not in a loop or is $post not set?', 'co-authors-plus' ) ); // return null;
}

$this->original_authordata = $this->current_author = $authordata;