improved escaping and sanitizing of widget settings and slider options

functions.php

@@ -14,77 +14,76 @@
 
 
 if ( ! function_exists( 'palm_beach_setup' ) ) :
-/**
- * Sets up theme defaults and registers support for various WordPress features.
- *
- * Note that this function is hooked into the after_setup_theme hook, which
- * runs before the init hook. The init hook is too late for some features, such
- * as indicating support for post thumbnails.
- */
-function palm_beach_setup() {
-
-	// Make theme available for translation. Translations can be filed in the /languages/ directory.
-	load_theme_textdomain( 'palm-beach', get_template_directory() . '/languages' );
-
-	// Add default posts and comments RSS feed links to head.
-	add_theme_support( 'automatic-feed-links' );
-
-	// Let WordPress manage the document title.
-	add_theme_support( 'title-tag' );
-
-	// Enable support for Post Thumbnails on posts and pages.
-	add_theme_support( 'post-thumbnails' );
-
-	// Set detfault Post Thumbnail size.
-	set_post_thumbnail_size( 600, 375, true );
-
-	// Add Header Image Size.
-	add_image_size( 'palm-beach-header-image', 1920, 720, true );
-
-	// Add different thumbnail sizes for Magazine Post widgets.
-	add_image_size( 'palm-beach-thumbnail-small', 120, 75, true );
-	add_image_size( 'palm-beach-thumbnail-medium', 360, 225, true );
+	/**
+	 * Sets up theme defaults and registers support for various WordPress features.
+	 *
+	 * Note that this function is hooked into the after_setup_theme hook, which
+	 * runs before the init hook. The init hook is too late for some features, such
+	 * as indicating support for post thumbnails.
+	 */
+	function palm_beach_setup() {
+
+		// Make theme available for translation. Translations can be filed in the /languages/ directory.
+		load_theme_textdomain( 'palm-beach', get_template_directory() . '/languages' );
+
+		// Add default posts and comments RSS feed links to head.
+		add_theme_support( 'automatic-feed-links' );
+
+		// Let WordPress manage the document title.
+		add_theme_support( 'title-tag' );
+
+		// Enable support for Post Thumbnails on posts and pages.
+		add_theme_support( 'post-thumbnails' );
+
+		// Set detfault Post Thumbnail size.
+		set_post_thumbnail_size( 600, 375, true );
+
+		// Add Header Image Size.
+		add_image_size( 'palm-beach-header-image', 1920, 720, true );
+
+		// Add different thumbnail sizes for Magazine Post widgets.
+		add_image_size( 'palm-beach-thumbnail-small', 120, 75, true );
+		add_image_size( 'palm-beach-thumbnail-medium', 360, 225, true );
+
+		// Register Navigation Menu.
+		register_nav_menu( 'primary', esc_html__( 'Main Navigation', 'palm-beach' ) );
+
+		// Switch default core markup for search form, comment form, and comments to output valid HTML5.
+		add_theme_support( 'html5', array(
+			'comment-form',
+			'comment-list',
+			'gallery',
+			'caption',
+		) );
+
+		// Set up the WordPress core custom background feature.
+		add_theme_support( 'custom-background', apply_filters( 'palm_beach_custom_background_args', array( 'default-color' => 'ffffff' ) ) );
+
+		// Set up the WordPress core custom logo feature.
+		add_theme_support( 'custom-logo', apply_filters( 'palm_beach_custom_logo_args', array(
+			'height' => 40,
+			'width' => 200,
+			'flex-height' => true,
+			'flex-width' => true,
+		) ) );
+
+		// Set up the WordPress core custom header feature.
+		add_theme_support('custom-header', apply_filters( 'palm_beach_custom_header_args', array(
+			'header-text' => false,
+			'width'	=> 1920,
+			'height' => 360,
+		) ) );
+
+		// Add Theme Support for wooCommerce.
+		add_theme_support( 'woocommerce' );
+
+		// Add extra theme styling to the visual editor.
+		add_editor_style( array( 'css/editor-style.css', palm_beach_google_fonts_url() ) );
+
+		// Add Theme Support for Selective Refresh in Customizer.
+		add_theme_support( 'customize-selective-refresh-widgets' );
 
-	// Register Navigation Menu.
-	register_nav_menu( 'primary', esc_html__( 'Main Navigation', 'palm-beach' ) );
-
-	// Switch default core markup for search form, comment form, and comments to output valid HTML5.
-	add_theme_support( 'html5', array(
-		'search-form',
-		'comment-form',
-		'comment-list',
-		'gallery',
-		'caption',
-	) );
-
-	// Set up the WordPress core custom background feature.
-	add_theme_support( 'custom-background', apply_filters( 'palm_beach_custom_background_args', array( 'default-color' => 'ffffff' ) ) );
-
-	// Set up the WordPress core custom logo feature.
-	add_theme_support( 'custom-logo', apply_filters( 'palm_beach_custom_logo_args', array(
-		'height' => 40,
-		'width' => 200,
-		'flex-height' => true,
-		'flex-width' => true,
-	) ) );
-
-	// Set up the WordPress core custom header feature.
-	add_theme_support('custom-header', apply_filters( 'palm_beach_custom_header_args', array(
-		'header-text' => false,
-		'width'	=> 1920,
-		'height' => 360,
-	) ) );
-
-	// Add Theme Support for wooCommerce.
-	add_theme_support( 'woocommerce' );
-
-	// Add extra theme styling to the visual editor.
-	add_editor_style( array( 'css/editor-style.css', palm_beach_google_fonts_url() ) );
-
-	// Add Theme Support for Selective Refresh in Customizer.
-	add_theme_support( 'customize-selective-refresh-widgets' );
-
-}
+	}
 endif;
 add_action( 'after_setup_theme', 'palm_beach_setup' );
 

inc/addons.php

@@ -46,37 +46,22 @@ function palm_beach_theme_addons_scripts() {
 	) {
 
 		// Enqueue Widget Bundle stylesheet.
-		wp_enqueue_style( 'themezee-widget-bundle', get_template_directory_uri() . '/css/themezee-widget-bundle.css', array(), '20160421' );
+		wp_enqueue_style( 'palm-beach-widget-bundle', get_template_directory_uri() . '/css/themezee-widget-bundle.css', array(), '20160421' );
 
 	}
 
 	// Load Related Posts stylesheet only on single posts.
 	if ( is_singular( 'post' ) ) {
 
 		// Enqueue Related Post stylesheet.
-		wp_enqueue_style( 'themezee-related-posts', get_template_directory_uri() . '/css/themezee-related-posts.css', array(), '20160421' );
+		wp_enqueue_style( 'palm-beach-related-posts', get_template_directory_uri() . '/css/themezee-related-posts.css', array(), '20160421' );
 
 	}
 
 }
 add_action( 'wp_enqueue_scripts', 'palm_beach_theme_addons_scripts' );
 
 
-/**
- * Add custom image sizes for theme addons
- */
-function palm_beach_theme_addons_image_sizes() {
-
-	// Add Widget Bundle thumbnail.
-	add_image_size( 'tzwb-thumbnail', 80, 60, true );
-
-	// Add Related Posts thumbnail.
-	add_image_size( 'themezee-related-posts', 480, 300, true );
-
-}
-add_action( 'after_setup_theme', 'palm_beach_theme_addons_image_sizes' );
-
-
 /**
  * Custom render function for Infinite Scroll.
  */

inc/slider.php

@@ -21,14 +21,14 @@ function palm_beach_slider_scripts() {
 	// Register and enqueue FlexSlider JS and CSS if necessary.
 	if ( true === $theme_options['slider_blog'] or true === $theme_options['slider_magazine'] or is_page_template( 'template-slider.php' ) ) :
 
-		// FlexSlider CSS.
-		wp_enqueue_style( 'palm-beach-flexslider', get_template_directory_uri() . '/css/flexslider.css' );
-
 		// FlexSlider JS.
-		wp_enqueue_script( 'flexslider', get_template_directory_uri() .'/js/jquery.flexslider-min.js', array( 'jquery' ), '2.6.0' );
+		wp_enqueue_script( 'jquery-flexslider', get_template_directory_uri() . '/js/jquery.flexslider-min.js', array( 'jquery' ), '2.6.0' );
 
 		// Register and enqueue slider setup.
-		wp_enqueue_script( 'palm-beach-post-slider', get_template_directory_uri() .'/js/slider.js', array( 'flexslider' ) );
+		wp_enqueue_script( 'palm-beach-slider', get_template_directory_uri() . '/js/slider.js', array( 'jquery-flexslider' ) );
+
+		// Register and enqueue slider CSS.
+		wp_enqueue_style( 'palm-beach-slider', get_template_directory_uri() . '/css/flexslider.css' );
 
 	endif;
 
@@ -61,13 +61,13 @@ function palm_beach_slider_options() {
 	$params = array();
 
 	// Set slider animation.
-	$params['animation'] = $theme_options['slider_animation'];
+	$params['animation'] = ( 'fade' === $theme_options['slider_animation'] ) ? 'fade' : 'slide';
 
 	// Set slider speed.
-	$params['speed'] = $theme_options['slider_speed'];
+	$params['speed'] = absint( $theme_options['slider_speed'] );
 
 	// Passing parameters to Flexslider.
-	wp_localize_script( 'palm-beach-post-slider', 'palm_beach_slider_params', $params );
+	wp_localize_script( 'palm-beach-slider', 'palm_beach_slider_params', $params );
 
 }
 add_action( 'wp_enqueue_scripts', 'palm_beach_slider_options' );

inc/theme-info.php

@@ -80,7 +80,7 @@ function palm_beach_theme_info_page() {
 							<?php printf( esc_html__( '%s makes use of the Customizer for all theme settings. Click on "Customize Theme" to open the Customizer now.', 'palm-beach' ), $theme->get( 'Name' ) ); ?>
 						</p>
 						<p>
-							<a href="<?php echo admin_url( 'customize.php' ); ?>" class="button button-primary"><?php esc_html_e( 'Customize Theme', 'palm-beach' ); ?></a>
+							<a href="<?php echo wp_customize_url(); ?>" class="button button-primary"><?php esc_html_e( 'Customize Theme', 'palm-beach' ); ?></a>
 						</p>
 					</div>
 
@@ -146,10 +146,12 @@ function palm_beach_theme_info_page() {
 
 		<div id="theme-author">
 
-			<p><?php printf( esc_html__( '%1$s is proudly brought to you by %2$s. If you like this theme, %3$s :)', 'palm-beach' ),
-				$theme->get( 'Name' ),
-				'<a target="_blank" href="' . __( 'https://themezee.com/', 'palm-beach' ) . '?utm_source=theme-info&utm_medium=footer&utm_campaign=palm-beach" title="ThemeZee">ThemeZee</a>',
-				'<a target="_blank" href="' . __( 'https://wordpress.org/support/theme/palm-beach/reviews/?filter=5', 'palm-beach' ) . '" title="' . esc_attr__( 'Review Palm Beach', 'palm-beach' ) . '">' . esc_html__( 'rate it', 'palm-beach' ) . '</a>'); ?>
+			<p>
+				<?php printf( esc_html__( '%1$s is proudly brought to you by %2$s. If you like this theme, %3$s :)', 'palm-beach' ),
+					$theme->get( 'Name' ),
+					'<a target="_blank" href="' . __( 'https://themezee.com/', 'palm-beach' ) . '?utm_source=theme-info&utm_medium=footer&utm_campaign=palm-beach" title="ThemeZee">ThemeZee</a>',
+					'<a target="_blank" href="' . __( 'https://wordpress.org/support/theme/palm-beach/reviews/?filter=5', 'palm-beach' ) . '" title="' . esc_attr__( 'Review Palm Beach', 'palm-beach' ) . '">' . esc_html__( 'rate it', 'palm-beach' ) . '</a>'
+				); ?>
 			</p>
 
 		</div>
@@ -172,7 +174,7 @@ function palm_beach_theme_info_page_css( $hook ) {
 	}
 
 	// Embed theme info css style.
-	wp_enqueue_style( 'palm-beach-theme-info-css', get_template_directory_uri() .'/css/theme-info.css' );
+	wp_enqueue_style( 'palm-beach-theme-info-css', get_template_directory_uri() . '/css/theme-info.css' );
 
 }
 add_action( 'admin_enqueue_scripts', 'palm_beach_theme_info_page_css' );

inc/widgets/widget-magazine-posts-columns.php

@@ -195,7 +195,7 @@ function magazine_posts( $settings, $category_id ) {
 
 				$posts_query->the_post();
 
-				set_query_var( 'palm_beach_post_meta', (bool)$settings['post_meta'] );
+				set_query_var( 'palm_beach_post_meta', (bool) $settings['post_meta'] );
 				set_query_var( 'palm_beach_post_excerpt', true );
 
 				if ( true === $settings['highlight_post'] and ( isset( $i ) and 0 === $i ) ) :
@@ -246,7 +246,7 @@ function category_title( $args, $settings, $category_id, $category_title ) {
 
 				// Display Widget Title with link to category archive.
 				echo '<div class="widget-header">';
-				echo '<h3 class="widget-title"><a class="category-archive-link" href="'. $link_url .'" title="'. $link_title . '">'. $widget_title . '</a></h3>';
+				echo '<h3 class="widget-title"><a class="category-archive-link" href="' . $link_url . '" title="' . $link_title . '">' . $widget_title . '</a></h3>';
 				echo '</div>';
 
 			else :
@@ -298,7 +298,7 @@ function form( $instance ) {
 
 		<p>
 			<label for="<?php echo $this->get_field_id( 'category_one_title' ); ?>"><?php esc_html_e( 'Left Category Title:', 'palm-beach' ); ?>
-				<input class="widefat" id="<?php echo $this->get_field_id( 'category_one_title' ); ?>" name="<?php echo $this->get_field_name( 'category_one_title' ); ?>" type="text" value="<?php echo $settings['category_one_title']; ?>" />
+				<input class="widefat" id="<?php echo $this->get_field_id( 'category_one_title' ); ?>" name="<?php echo $this->get_field_name( 'category_one_title' ); ?>" type="text" value="<?php echo esc_attr( $settings['category_one_title'] ); ?>" />
 			</label>
 		</p>
 
@@ -319,7 +319,7 @@ function form( $instance ) {
 
 		<p>
 			<label for="<?php echo $this->get_field_id( 'category_two_title' ); ?>"><?php esc_html_e( 'Right Category Title:', 'palm-beach' ); ?>
-				<input class="widefat" id="<?php echo $this->get_field_id( 'category_two_title' ); ?>" name="<?php echo $this->get_field_name( 'category_two_title' ); ?>" type="text" value="<?php echo $settings['category_two_title']; ?>" />
+				<input class="widefat" id="<?php echo $this->get_field_id( 'category_two_title' ); ?>" name="<?php echo $this->get_field_name( 'category_two_title' ); ?>" type="text" value="<?php echo esc_attr( $settings['category_two_title'] ); ?>" />
 			</label>
 		</p>
 
@@ -340,7 +340,7 @@ function form( $instance ) {
 
 		<p>
 			<label for="<?php echo $this->get_field_id( 'number' ); ?>"><?php esc_html_e( 'Number of posts:', 'palm-beach' ); ?>
-				<input id="<?php echo $this->get_field_id( 'number' ); ?>" name="<?php echo $this->get_field_name( 'number' ); ?>" type="text" value="<?php echo (int) $settings['number']; ?>" size="3" />
+				<input id="<?php echo $this->get_field_id( 'number' ); ?>" name="<?php echo $this->get_field_name( 'number' ); ?>" type="text" value="<?php echo absint( $settings['number'] ); ?>" size="3" />
 			</label>
 		</p>
 

inc/widgets/widget-magazine-posts-grid.php

@@ -254,7 +254,7 @@ function form( $instance ) {
 
 		<p>
 			<label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php esc_html_e( 'Title:', 'palm-beach' ); ?>
-				<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo $settings['title']; ?>" />
+				<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $settings['title'] ); ?>" />
 			</label>
 		</p>
 
@@ -283,7 +283,7 @@ function form( $instance ) {
 
 		<p>
 			<label for="<?php echo $this->get_field_id( 'number' ); ?>"><?php esc_html_e( 'Number of posts:', 'palm-beach' ); ?>
-				<input id="<?php echo $this->get_field_id( 'number' ); ?>" name="<?php echo $this->get_field_name( 'number' ); ?>" type="text" value="<?php echo $settings['number']; ?>" size="3" />
+				<input id="<?php echo $this->get_field_id( 'number' ); ?>" name="<?php echo $this->get_field_name( 'number' ); ?>" type="text" value="<?php echo absint( $settings['number'] ); ?>" size="3" />
 			</label>
 		</p>
 

readme.txt

@@ -26,6 +26,9 @@ For more information about Palm Beach please go to https://themezee.com/themes/p
 
 == Changelog ==
 
+= 1.0.3 =
+* improved escaping and sanitizing of widget settings and slider options
+
 = 1.0.2 =
 * fixed mobile menus on RTL language sites
 * moved Theme Links to Theme Options panel dropdown

search.php

@@ -13,7 +13,7 @@
 
 	<header class="page-header clearfix">
 
-		<h1 class="archive-title"><?php printf( esc_html__( 'Search Results for: %s', 'palm-beach' ), '<span>' . esc_html( get_search_query() ) . '</span>' ); ?></h1>
+		<h1 class="archive-title"><?php printf( esc_html__( 'Search Results for: %s', 'palm-beach' ), '<span>' . get_search_query() . '</span>' ); ?></h1>
 		<p><?php get_search_form(); ?></p>
 
 	</header>

searchform.php

@@ -12,7 +12,7 @@
 		<span class="screen-reader-text"><?php echo esc_html_x( 'Search for:', 'label', 'palm-beach' ); ?></span>
 		<input type="search" class="search-field"
 			placeholder="<?php echo esc_attr_x( 'Search &hellip;', 'placeholder', 'palm-beach' ); ?>"
-			value="<?php echo esc_html( get_search_query() ); ?>" name="s"
+			value="<?php echo get_search_query(); ?>" name="s"
 			title="<?php echo esc_attr_x( 'Search for:', 'label', 'palm-beach' ); ?>" />
 	</label>
 	<button type="submit" class="search-submit">

style.css

@@ -4,11 +4,11 @@ Theme URI: https://themezee.com/themes/palm-beach/
 Author: ThemeZee
 Author URI: https://themezee.com
 Description: Palm Beach is a professional WordPress theme perfectly suited for a travel magazine. It features a stunning fullscreen slider, beautiful typography and a three-column grid-layout for posts. Head off on vacation now!
-Version: 1.0.2
+Version: 1.0.3
 License: GNU General Public License v2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 Text Domain: palm-beach
-Tags: two-columns, custom-background, custom-header, custom-menu, editor-style, rtl-language-support, grid-layout, blog, news, featured-image-header, featured-images, flexible-header, custom-colors, full-width-template, sticky-post, threaded-comments, translation-ready, theme-options, one-column, left-sidebar, right-sidebar, three-columns
+Tags: two-columns, custom-background, custom-header, custom-menu, editor-style, rtl-language-support, grid-layout, blog, news, featured-image-header, featured-images, flexible-header, full-width-template, threaded-comments, translation-ready, theme-options, one-column, left-sidebar, right-sidebar, three-columns
 
 This theme, like WordPress, is licensed under the GPL.
 Use it to make something cool, have fun, and share what you've learned with others.