Merge pull request #917 from EvanHerman/sanitize-and-escape-all-settings

Sanitize and escapee all settings

admin/partials/ajax/add_field_to_form.php

@@ -53,7 +53,7 @@
 
 			<?php if ( $form_data['field_type'] == 'radio' || $form_data['field_type'] == 'dropdown' ) { ?>
 				<?php $choices = ( isset( $merge_field_data['options']['choices'] ) ) ? esc_attr( json_encode( $merge_field_data['options']['choices'] ) ) : ''; ?>
-				<input type="hidden" name="field[<?php echo esc_attr( $merge_field_data['tag'] ); ?>][choices]" value='<?php echo $choices; ?>' />
+				<input type="hidden" name="field[<?php echo esc_attr( $merge_field_data['tag'] ); ?>][choices]" value='<?php echo esc_attr( $choices ); ?>' />
 			<?php } ?>
 
 			<table class="form-table form-field-container">
@@ -194,7 +194,7 @@
 									$x = 0;
 									foreach ( $merge_field_data['options']['choices'] as $choice => $value ) { ?>
 										<label>
-											<input type="radio" name="field[<?php echo esc_attr( $merge_field_data['tag'] ); ?>][default_choice]" value="<?php echo $x; ?>" <?php checked( $pre_selected, $choice ); ?>><?php echo $value; ?>
+											<input type="radio" name="field[<?php echo esc_attr( $merge_field_data['tag'] ); ?>][default_choice]" value="<?php echo esc_attr( $x ); ?>" <?php checked( $pre_selected, $choice ); ?>><?php echo esc_html( $value ); ?>
 										</label>
 										<?php $x++;
 									} ?>
@@ -215,7 +215,7 @@
 									</label>
 								</td>
 								<td>
-								<input type="text" id="placeholder_<?php echo esc_attr( $field['merge'] ); ?>" class="widefat" name="field[<?php echo $field['merge']; ?>][placeholder]" value="<?php echo isset( $field['placeholder'] ) ? $field['placeholder'] : '' ; ?>" />
+								<input type="text" id="placeholder_<?php echo esc_attr( $field['merge'] ); ?>" class="widefat" name="field[<?php echo esc_attr( $field['merge'] ); ?>][placeholder]" value="<?php echo isset( $field['placeholder'] ) ? esc_attr( $field['placeholder'] ) : '' ; ?>" />
 									<p class="description"><small><?php _e( "Assign a default value to populate a placeholder for selection drop-down", 'yikes-inc-easy-mailchimp-extender' );?></small></p>
 								</td>
 							</tr>
@@ -231,7 +231,7 @@
 										<?php $pre_selected = ! empty( $merge_field_data['default_choice'] ) ? $merge_field_data['default_choice'] : 'no-default'; ?>
 										<option value="no-default" <?php selected( $pre_selected, $choice ); ?>>No Default</option>
 										<?php foreach ( $merge_field_data['options']['choices'] as $choice => $value ) { ?>
-											<option value="<?php echo $choice; ?>" <?php selected( $pre_selected, $choice ); ?>><?php echo stripslashes( $value ); ?></option>
+											<option value="<?php echo esc_attr( $choice ); ?>" <?php selected( $pre_selected, $choice ); ?>><?php echo stripslashes( $value ); ?></option>
 										<?php } ?>
 									</select>
 									<p class="description"><small><?php _e( "Which option should be selected by default?", 'yikes-inc-easy-mailchimp-extender' );?></small></p>
@@ -348,15 +348,15 @@
 													$format_name = 'phone_format';
 													break;
 											}
-											echo $type;
+											echo esc_html( $type );
 										?>
 										</label>
 									</td>
 									<td>
-										<strong><?php echo $format; ?></strong>
-										<input type="hidden" name="field[<?php echo esc_attr( $merge_field_data['tag'] ); ?>][<?php echo $format_name; ?>]" value="<?php echo $format; ?>" />
+										<strong><?php echo esc_html( $format ); ?></strong>
+										<input type="hidden" name="field[<?php echo esc_attr( $merge_field_data['tag'] ); ?>][<?php echo esc_attr( $format_name ); ?>]" value="<?php echo esc_attr( $format ); ?>" />
 										<p class="description"><small>
-											<?php printf( __( 'To change the %s please head over to <a href="%s" title="Mailchimp" target="_blank">Mailchimp</a>. If you alter the format, you should re-import this field.', 'yikes-inc-easy-mailchimp-extender' ), strtolower( $type ), esc_url( 'http://www.mailchimp.com' ) ); ?>
+											<?php printf( __( 'To change the %s please head over to <a href="%s" title="Mailchimp" target="_blank">Mailchimp</a>. If you alter the format, you should re-import this field.', 'yikes-inc-easy-mailchimp-extender' ), esc_html( strtolower( $type ) ), esc_url( 'http://www.mailchimp.com' ) ); ?>
 										</small></p>
 									</td>
 								</tr>

admin/partials/ajax/class.ajax.php

@@ -123,7 +123,7 @@ public function add_tags_to_form() {
 				wp_send_json_error( '1' );
 			}
 			$tags    = isset( $_POST['tags'] ) ? wp_unslash( $_POST['tags'] ) : array();
-			$list_id = isset( $_POST['list_id'] ) ? filter_var( wp_unslash( $_POST['list_id'] ), FILTER_SANITIZE_STRING ) : '';
+			$list_id = isset( $_POST['list_id'] ) ? htmlspecialchars( wp_unslash( $_POST['list_id'] ) ) : '';
 			$form_id = isset( $_POST['form_id'] ) ? filter_var( wp_unslash( $_POST['form_id'] ), FILTER_SANITIZE_NUMBER_INT ) : 0;
 
 			if ( empty( $tags ) || empty( $list_id ) || empty( $form_id ) ) {
@@ -137,7 +137,7 @@ public function add_tags_to_form() {
 			// This data came from $_POST so sanitize it.
 			foreach ( $tags as $tag ) {
 				$form_tags[ filter_var( $tag['tag_id'], FILTER_SANITIZE_NUMBER_INT ) ] = array(
-					'name' => filter_var( $tag['tag_name'], FILTER_SANITIZE_STRING ),
+					'name' => htmlspecialchars( $tag['tag_name'] ),
 					'id'   => filter_var( $tag['tag_id'], FILTER_SANITIZE_NUMBER_INT ),
 				);
 			}
@@ -156,7 +156,7 @@ public function remove_tag_from_form() {
 				wp_send_json_error( '1' );
 			}
 			$tag     = isset( $_POST['tag'] ) ? filter_var( wp_unslash( $_POST['tag'] ), FILTER_SANITIZE_NUMBER_INT ) : array();
-			$list_id = isset( $_POST['list_id'] ) ? filter_var( wp_unslash( $_POST['list_id'] ), FILTER_SANITIZE_STRING ) : '';
+			$list_id = isset( $_POST['list_id'] ) ? htmlspecialchars( wp_unslash( $_POST['list_id'] ) ) : '';
 			$form_id = isset( $_POST['form_id'] ) ? filter_var( wp_unslash( $_POST['form_id'] ), FILTER_SANITIZE_NUMBER_INT ) : 0;
 
 			if ( empty( $tag ) || empty( $list_id ) || empty( $form_id ) ) {

admin/partials/dashboard-widgets/templates/stats-list-template.php

@@ -31,7 +31,7 @@
 
 ?>
 <section id="yikes-easy-mc-widget-stat-holder">
-	<h3><?php echo $list['name']; ?> <small><a href="<?php echo esc_url_raw( admin_url( 'admin.php?page=yikes-mailchimp-view-list&list-id=' . $list['id'] . '' ) ); ?>" title="<?php _e( 'view List' , 'yikes-inc-easy-mailchimp-extender' ); ?>"><?php _e( 'view list' , 'yikes-inc-easy-mailchimp-extender' ); ?></a></small></h3>
+	<h3><?php echo esc_html( $list['name'] ); ?> <small><a href="<?php echo esc_url_raw( admin_url( 'admin.php?page=yikes-mailchimp-view-list&list-id=' . $list['id'] . '' ) ); ?>" title="<?php _e( 'view List' , 'yikes-inc-easy-mailchimp-extender' ); ?>"><?php _e( 'view list' , 'yikes-inc-easy-mailchimp-extender' ); ?></a></small></h3>
 
 	<table class="yikes-easy-mc-stats-table">
 		<thead class="yikes-easy-mc-hidden">
@@ -45,21 +45,21 @@
 		<tbody>
 			<tr class="yikes-easy-mc-table-stats-tr yikes-easy-mc-table-stats-tr-first">
 				<td title="<?php _e( 'Number of active subscribers.' , 'yikes-inc-easy-mailchimp-extender' ); ?>">
-					<p class="yikes-easy-mc-dashboard-stat"><?php echo $list['stats']['member_count']; ?></p>
+					<p class="yikes-easy-mc-dashboard-stat"><?php echo esc_html( $list['stats']['member_count'] ); ?></p>
 						<p class="yikes-easy-mc-stat-list-label"><?php _e( 'subscribers' , 'yikes-inc-easy-mailchimp-extender' ); ?></p>
 				</td>
 				<td title="<?php _e( 'Number of users who have unsusbscribed.' , 'yikes-inc-easy-mailchimp-extender' ); ?>">
-					<p class="yikes-easy-mc-dashboard-stat"><?php echo $list['stats']['unsubscribe_count']; ?></p>
+					<p class="yikes-easy-mc-dashboard-stat"><?php echo esc_html( $list['stats']['unsubscribe_count'] ); ?></p>
 						<p class="yikes-easy-mc-stat-list-label"><?php _e( 'unsubscribed' , 'yikes-inc-easy-mailchimp-extender' ); ?></p>
 				</td>
 			</tr>
 			<tr class="yikes-easy-mc-table-stats-tr  yikes-easy-mc-table-stats-tr-second">
 				<td title="<?php _e( 'Number of new subscribers since the last campaign was sent.' , 'yikes-inc-easy-mailchimp-extender' ); ?>">
-					<p class="yikes-easy-mc-dashboard-stat"><?php echo $list['stats']['member_count_since_send']; ?></p>
+					<p class="yikes-easy-mc-dashboard-stat"><?php echo esc_html( $list['stats']['member_count_since_send'] ); ?></p>
 						<p class="yikes-easy-mc-stat-list-label"><?php _e( 'new since send' , 'yikes-inc-easy-mailchimp-extender' ); ?></p>
 				</td>
 				<td title="<?php _e( 'Average number of subscribers per month.' , 'yikes-inc-easy-mailchimp-extender' ); ?>">
-					<p class="yikes-easy-mc-dashboard-stat"><?php echo $list['stats']['avg_sub_rate']; ?></p>
+					<p class="yikes-easy-mc-dashboard-stat"><?php echo esc_html( $list['stats']['avg_sub_rate'] ); ?></p>
 						<p class="yikes-easy-mc-stat-list-label"><?php _e( 'avg. sub. rate' , 'yikes-inc-easy-mailchimp-extender' ); ?></p>
 				</td>
 			</tr>