Fix escaping issues on WP.com (#2334)

* Fix sending a message to teacher * Add missing form tag around Edit Start Date field * Add missing form tag around button on learner profile page * Fix Question Description field not showing * Fix fields not showing when adding multiline or file upload questions * Fix Answer Feedback field not showing for certain question types * Fix pagination on learner profile page
Automattic · Nov 21, 2018 · fd46d79 · fd46d79
1 parent c096ca7
commit fd46d79
Show file tree

Hide file tree

Showing 5 changed files with 89 additions and 16 deletions.
diff --git a/includes/class-sensei-course.php b/includes/class-sensei-course.php
@@ -1805,13 +1805,22 @@ public function load_user_courses_content( $user = false ) {
 						array_merge(
 							wp_kses_allowed_html( 'post' ),
 							array(
+								// Explicitly allow form tag for WP.com.
+								'form'  => array(
+									'action' => array(),
+									'method' => array(),
+								),
 								'input' => array(
 									'class' => array(),
 									'id'    => array(),
 									'name'  => array(),
 									'type'  => array(),
 									'value' => array(),
 								),
+								// Explicitly allow nav tag for WP.com.
+								'nav'   => array(
+									'class' => array(),
+								),
 							)
 						)
 					);
@@ -1843,9 +1852,18 @@ public function load_user_courses_content( $user = false ) {
 
 				<?php
 				if ( '' != $complete_html ) {
-
-					echo wp_kses_post( $complete_html );
-
+					echo wp_kses(
+						$complete_html,
+						array_merge(
+							wp_kses_allowed_html( 'post' ),
+							array(
+								// Explicitly allow nav tag for WP.com.
+								'nav' => array(
+									'class' => array(),
+								),
+							)
+						)
+					);
 				} else {
 					?>
 
@@ -2221,7 +2239,7 @@ public function the_course_free_lesson_preview( $course_id ) {
 				<a href="<?php echo esc_url( get_permalink() ); ?>">
 					<?php esc_html_e( 'Preview this course', 'woothemes-sensei' ); ?>
 				</a>
-				- 
+				-
 				<?php
 					// translators: Placeholder is the number of preview lessons.
 					echo esc_html( sprintf( __( '(%d preview lessons)', 'woothemes-sensei' ), $preview_lesson_count ) );

diff --git a/includes/class-sensei-learners-main.php b/includes/class-sensei-learners-main.php
@@ -319,6 +319,10 @@ protected function get_row_data( $item ) {
 							'data-post-type'  => array(),
 							'data-user-id'    => array(),
 						),
+						// Explicitly allow form tag for WP.com.
+						'form'  => array(
+							'class' => array(),
+						),
 						'input' => array(
 							'class' => array(),
 							'type'  => array(),

diff --git a/includes/class-sensei-lesson.php b/includes/class-sensei-lesson.php
@@ -937,13 +937,13 @@ public function quiz_panel( $quiz_id = 0 ) {
 			array_merge(
 				wp_kses_allowed_html( 'post' ),
 				array(
-					'button' => array(
+					'button'   => array(
 						'class'                     => array(),
 						'data-uploader-button-text' => array(),
 						'data-uploader-title'       => array(),
 						'id'                        => array(),
 					),
-					'input'  => array(
+					'input'    => array(
 						'checked'     => array(),
 						'class'       => array(),
 						'id'          => array(),
@@ -956,13 +956,20 @@ public function quiz_panel( $quiz_id = 0 ) {
 						'type'        => array(),
 						'value'       => array(),
 					),
-					'option' => array(
+					'option'   => array(
 						'value' => array(),
 					),
-					'select' => array(
+					'select'   => array(
+						'class' => array(),
+						'id'    => array(),
+						'name'  => array(),
+					),
+					// Explicitly allow textarea tag for WP.com.
+					'textarea' => array(
 						'class' => array(),
 						'id'    => array(),
 						'name'  => array(),
+						'rows'  => array(),
 					),
 				)
 			)
@@ -1193,13 +1200,13 @@ public function quiz_panel_question( $question_type = '', $question_counter = 0,
 			array_merge(
 				wp_kses_allowed_html( 'post' ),
 				array(
-					'button' => array(
+					'button'   => array(
 						'class'                     => array(),
 						'data-uploader-button-text' => array(),
 						'data-uploader-title'       => array(),
 						'id'                        => array(),
 					),
-					'input'  => array(
+					'input'    => array(
 						'checked' => array(),
 						'class'   => array(),
 						'id'      => array(),
@@ -1210,6 +1217,13 @@ public function quiz_panel_question( $question_type = '', $question_counter = 0,
 						'type'    => array(),
 						'value'   => array(),
 					),
+					// Explicitly allow textarea tag for WP.com.
+					'textarea' => array(
+						'class' => array(),
+						'id'    => array(),
+						'name'  => array(),
+						'rows'  => array(),
+					),
 				)
 			)
 		);
@@ -1823,7 +1837,7 @@ public function quiz_panel_question_field( $question_type = '', $question_id = 0
 			array_merge(
 				wp_kses_allowed_html( 'post' ),
 				array(
-					'input' => array(
+					'input'    => array(
 						'checked' => array(),
 						'class'   => array(),
 						'id'      => array(),
@@ -1833,6 +1847,14 @@ public function quiz_panel_question_field( $question_type = '', $question_id = 0
 						'type'    => array(),
 						'value'   => array(),
 					),
+					// Explicitly allow textarea tag for WP.com.
+					'textarea' => array(
+						'class' => array(),
+						'cols'  => array(),
+						'id'    => array(),
+						'name'  => array(),
+						'rows'  => array(),
+					),
 				)
 			)
 		);
@@ -1866,7 +1888,22 @@ public function quiz_panel_question_feedback( $question_counter = 0, $question_i
 		$html .= '<textarea id="' . esc_attr( $field_name ) . '" name="' . esc_attr( $field_name ) . '" rows="4" cols="40" class="answer_feedback widefat">' . esc_textarea( $feedback ) . '</textarea>';
 		$html .= '</p>';
 
-		return wp_kses_post( $html );
+		return wp_kses(
+			$html,
+			array_merge(
+				wp_kses_allowed_html( 'post' ),
+				array(
+					// Explicitly allow textarea tag for WP.com.
+					'textarea' => array(
+						'class' => array(),
+						'cols'  => array(),
+						'id'    => array(),
+						'name'  => array(),
+						'rows'  => array(),
+					),
+				)
+			)
+		);
 	}
 
 	public function question_get_answer_id() {

diff --git a/includes/class-sensei-messages.php b/includes/class-sensei-messages.php
@@ -270,6 +270,13 @@ public function send_message_link( $post_id = 0, $user_id = 0 ) {
 			array_merge(
 				wp_kses_allowed_html( 'post' ),
 				array(
+					// Explicitly allow form tag for WP.com.
+					'form'     => array(
+						'action' => array(),
+						'class'  => array(),
+						'method' => array(),
+						'name'   => array(),
+					),
 					'input'    => array(
 						'class' => array(),
 						'name'  => array(),

diff --git a/includes/class-sensei-question.php b/includes/class-sensei-question.php
@@ -168,13 +168,13 @@ public function question_edit_panel() {
 			array_merge(
 				wp_kses_allowed_html( 'post' ),
 				array(
-					'button' => array(
+					'button'   => array(
 						'class'                     => array(),
 						'data-uploader-button-text' => array(),
 						'data-uploader-title'       => array(),
 						'id'                        => array(),
 					),
-					'input'  => array(
+					'input'    => array(
 						'checked'     => array(),
 						'class'       => array(),
 						'id'          => array(),
@@ -187,14 +187,21 @@ public function question_edit_panel() {
 						'type'        => array(),
 						'value'       => array(),
 					),
-					'option' => array(
+					'option'   => array(
 						'value' => array(),
 					),
-					'select' => array(
+					'select'   => array(
 						'class' => array(),
 						'id'    => array(),
 						'name'  => array(),
 					),
+					// Explicitly allow textarea tag for WP.com.
+					'textarea' => array(
+						'class' => array(),
+						'id'    => array(),
+						'name'  => array(),
+						'rows'  => array(),
+					),
 				)
 			)
 		);