move the rest of the data sanitization to the sanitization class, and…

… fix wysiwyg display issues

helpers/cmb_Meta_Box_Sanitize.php

@@ -46,18 +46,19 @@ public static function checkbox( $text ) {
 	/**
 	 * Validate url in a meta value
 	 * @since  1.0.1
-	 * @param  string  $meta Meta value
+	 * @param  string $meta  Meta value
+	 * @param  array  $field Field config array
 	 * @return string        Empty string or escaped url
 	 */
-	public static function text_url( $meta ) {
+	public static function text_url( $meta, $field ) {
 
-		$protocols = isset( cmb_Meta_Box::$field['protocols'] ) ? (array) cmb_Meta_Box::$field['protocols'] : null;
+		$protocols = isset( $field['protocols'] ) ? (array) $field['protocols'] : null;
 		if ( is_array( $meta ) ) {
 			foreach ( $meta as $key => $value ) {
-				$meta[ $key ] = $value ? esc_url_raw( $value, $protocols ) : cmb_Meta_Box::$field['default'];
+				$meta[ $key ] = $value ? esc_url_raw( $value, $protocols ) : $field['default'];
 			}
 		} else {
-			$meta = $meta ? esc_url_raw( $meta, $protocols ) : cmb_Meta_Box::$field['default'];
+			$meta = $meta ? esc_url_raw( $meta, $protocols ) : $field['default'];
 		}
 
 		return $meta;
@@ -76,8 +77,8 @@ public static function oembed( $meta ) {
 	/**
 	 * Validate email in a meta value
 	 * @since  1.0.1
-	 * @param  string  $meta Meta value
-	 * @return string        Empty string or validated email
+	 * @param  string $meta Meta value
+	 * @return string       Empty string or validated email
 	 */
 	public static function text_email( $meta ) {
 
@@ -97,8 +98,8 @@ public static function text_email( $meta ) {
 	/**
 	 * Validate money in a meta value
 	 * @since  1.0.1
-	 * @param  string  $meta Meta value
-	 * @return string        Empty string or validated money value
+	 * @param  string $meta Meta value
+	 * @return string       Empty string or validated money value
 	 */
 	public static function text_money( $meta ) {
 		if ( is_array( $meta ) ) {
@@ -112,11 +113,21 @@ public static function text_money( $meta ) {
 		return $meta;
 	}
 
+	/**
+	 * Converts text date to timestamp
+	 * @since  1.0.2
+	 * @param  string $meta Meta value
+	 * @return string       Timestring
+	 */
+	public static function text_date_timestamp( $meta ) {
+		return strtotime( $meta );;
+	}
+
 	/**
 	 * Datetime to timestamp
 	 * @since  1.0.1
-	 * @param  string  $meta Meta value
-	 * @return string        Timestring
+	 * @param  string $meta Meta value
+	 * @return string       Timestring
 	 */
 	public static function text_datetime_timestamp( $meta ) {
 
@@ -135,8 +146,8 @@ public static function text_datetime_timestamp( $meta ) {
 	/**
 	 * Datetime to imestamp with timezone
 	 * @since  1.0.1
-	 * @param  string  $meta Meta value
-	 * @return string        Timestring
+	 * @param  string $meta Meta value
+	 * @return string       Timestring
 	 */
 	public static function text_datetime_timestamp_timezone( $meta ) {
 
@@ -166,21 +177,78 @@ public static function text_datetime_timestamp_timezone( $meta ) {
 	/**
 	 * Sanitize textareas and wysiwyg fields
 	 * @since  1.0.1
-	 * @param  string  $meta Meta value
-	 * @return string        Sanitized data
+	 * @param  string $meta Meta value
+	 * @return string       Sanitized data
 	 */
 	public static function textarea( $meta ) {
 		return wp_kses_post( $meta );
 	}
 
 	/**
-	 * Default fallback if field's 'sanitization_cb' is NOT defined, or field type does not have a corresponding validation method
+	 * Sanitize code textareas
+	 * @since  1.0.2
+	 * @param  string $meta Meta value
+	 * @return string       Sanitized data
+	 */
+	public static function textarea_code( $meta ) {
+		return htmlspecialchars_decode( stripslashes( $meta ) );
+	}
+
+	/**
+	 * Sanitize code textareas
+	 * @since  1.0.2
+	 * @param  string $meta  Meta value
+	 * @param  array  $field Field config array
+	 * @return string        Sanitized data
+	 */
+	public static function file( $meta, $field ) {
+		$_id_name = $field['id'] .'_id';
+		// get _id old value
+		$_id_old = cmb_Meta_Box::get_data( $_id_name );
+
+		// If specified NOT to save the file ID
+		if ( isset( $field['save_id'] ) && ! $field['save_id'] ) {
+			$_new_id = '';
+		} else {
+			// otherwise get the file ID
+			$_new_id = isset( $_POST[ $_id_name ] ) ? $_POST[ $_id_name ] : null;
+
+			// If there is no ID saved yet, try to get it from the url
+			if ( isset( $_POST[ $field['id'] ] ) && $_POST[ $field['id'] ] && ! $_new_id ) {
+				$_new_id = cmb_Meta_Box::image_id_from_url( esc_url_raw( $_POST[ $field['id'] ] ) );
+			}
+
+		}
+
+		if ( $_new_id && $_new_id != $_id_old ) {
+			$updated[] = $_id_name;
+			cmb_Meta_Box::update_data( $_new_id, $_id_name );
+		} elseif ( '' == $_new_id && $_id_old ) {
+			$updated[] = $_id_name;
+			cmb_Meta_Box::remove_data( $_id_name, $old );
+		}
+
+		return self::default_sanitization( $meta );
+	}
+
+	/**
+	 * Catchall method if field's 'sanitization_cb' is NOT defined, or field type does not have a corresponding validation method
 	 * @since  1.0.0
 	 * @param  string $name      Non-existent method name
 	 * @param  array  $arguments All arguments passed to the method
 	 */
 	public function __call( $name, $arguments ) {
 		list( $meta_value, $field ) = $arguments;
+		return self::default_sanitization( $meta_value, $field );
+	}
+
+	/**
+	 * Default fallback sanitization method. Applies filters.
+	 * @since  1.0.2
+	 * @param  mixed $meta_value Meta value
+	 * @param  array $field      Field config array
+	 */
+	public static function default_sanitization( $meta_value, $field ) {
 
 		$object_type = cmb_Meta_Box::get_object_type();
 		$object_id   = cmb_Meta_Box::get_object_id();
@@ -195,11 +263,14 @@ public function __call( $name, $arguments ) {
 		// we'll fallback to 'sanitize_text_field', or 'wp_kses_post`
 		switch ( $field['type'] ) {
 			case 'wysiwyg':
+				// $cb = 'wp_kses';
+				// break;
 			case 'textarea_small':
 				$cb = array( 'cmb_Meta_Box_Sanitize', 'textarea' );
-
+				break;
 			default:
 				$cb = 'sanitize_text_field';
+				break;
 		}
 
 		// Handle repeatable fields array

helpers/cmb_Meta_Box_types.php

@@ -245,7 +245,7 @@ public static function esc( $meta_value, $func = '' ) {
 		// Check if the field has a registered escaping callback
 		$cb = cmb_Meta_Box::maybe_callback( $field, 'escape_cb' );
 		if ( false === $cb ) {
-			// If requestion NO escaping, return meta value
+			// If requesting NO escaping, return meta value
 			return $meta_value;
 		} elseif ( $cb ) {
 			// Ok, callback is good, let's run it.
@@ -452,7 +452,7 @@ public static function title( $field, $meta, $object_id, $object_type ) {
 	}
 
 	public static function wysiwyg( $field, $meta ) {
-		wp_editor( self::esc( $meta, 'esc_textarea' ), $field['id'], isset( $field['options'] ) ? $field['options'] : array() );
+		wp_editor( html_entity_decode( self::esc( $meta, 'esc_html' ) ), $field['id'], isset( $field['options'] ) ? $field['options'] : array() );
 		echo self::desc( true );
 	}
 
@@ -513,7 +513,7 @@ public static function taxonomy_multicheck_inline( $field, $meta ) {
 
 	public static function file_list( $field, $meta, $object_id ) {
 
-		// echo '<input class="cmb_upload_file cmb_upload_list" type="hidden" size="45" id="', $field['id'], '" name="', $field['id'], '" value="', self::esc( $meta, 'esc_url' ), '" />';
+		echo '<input class="cmb_upload_file cmb_upload_list" type="hidden" size="45" id="', $field['id'], '" name="', $field['id'], '" value="" />';
 		echo '<input class="cmb_upload_button button cmb_upload_list" type="button" value="'. __( 'Add or Upload File', 'cmb' ) .'" />', self::desc( true );
 
 		echo '<ul id="', $field['id'], '_status" class="cmb_media_status attach_list">';

init.php

@@ -528,49 +528,8 @@ public static function save_fields( $meta_box, $object_id, $object_type = '' ) {
 				$new = array_filter( $new );
 			}
 
-			switch ( $field['type'] ) {
-				case 'textarea':
-				case 'textarea_small':
-					$new = esc_textarea( $new );
-					break;
-				case 'textarea_code':
-					$new = htmlspecialchars_decode( stripslashes( $new ) );
-					break;
-				case 'text_date_timestamp':
-					$new = strtotime( $new );
-					break;
-				case 'file':
-					$_id_name = $field['id'] .'_id';
-					// get _id old value
-					$_id_old = self::get_data( $_id_name );
-
-					// If specified NOT to save the file ID
-					if ( isset( $field['save_id'] ) && ! $field['save_id'] ) {
-						$_new_id = '';
-					} else {
-						// otherwise get the file ID
-						$_new_id = isset( $_POST[ $_id_name ] ) ? $_POST[ $_id_name ] : null;
-
-						// If there is no ID saved yet, try to get it from the url
-						if ( isset( $_POST[ $field['id'] ] ) && $_POST[ $field['id'] ] && ! $_new_id ) {
-							$_new_id = self::image_id_from_url( esc_url_raw( $_POST[ $field['id'] ] ) );
-						}
-
-					}
-
-					if ( $_new_id && $_new_id != $_id_old ) {
-						$updated[] = $_id_name;
-						self::update_data( $_new_id, $_id_name );
-					} elseif ( '' == $_new_id && $_id_old ) {
-						$updated[] = $_id_name;
-						self::remove_data( $_id_name, $old );
-					}
-					break;
-				default:
-					// Check if this metabox field has a registered validation callback
-					$new = self::sanitization_cb( $new );
-					break;
-			}
+			// Check if this metabox field has a registered validation callback, or perform default sanitization
+			$new = self::sanitization_cb( $new );
 
 			if ( $field['multiple'] ) {