
Merge branch 'html-in-attributes' of github.com:fusioneng/Shortcake i…
…nto html-in-attributes
mattheu committed Oct 7, 2015
2 parents 586c55f + 2906c29 commit fb975d7
Showing 6 changed files with 72 additions and 32 deletions.
22 changes: 21 additions & 1 deletion inc/class-shortcode-ui.php
Expand Up @@ -136,7 +136,27 @@ public function get_shortcodes() {
*
* @param array $shortcodes
*/
return apply_filters( 'shortcode_ui_shortcodes', $this->shortcodes );
$shortcodes = apply_filters( 'shortcode_ui_shortcodes', $this->shortcodes );

foreach ( $shortcodes as $shortcode => $args ) {

foreach ( $args['attrs'] as $key => $value ) {
foreach ( array( 'label', 'description' ) as $field ) {
if ( ! empty( $value[ $field ] ) ) {
$shortcodes[ $shortcode ]['attrs'][ $key ][ $field ] = wp_kses_post( $value[ $field ] );
}
}
}

foreach ( array( 'label', 'description' ) as $field ) {
if ( ! empty( $args['inner_content'][ $field ] ) ) {
$shortcodes[ $shortcode ]['inner_content'][ $field ] = wp_kses_post( $args['inner_content'][ $field ] );
}
}

}

return $shortcodes;
}

/**
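Review bot: The new loop `foreach ( $args['attrs'] as $key => $value )` assumes every registered shortcode carries an `attrs` array; if registration allows omitting it (register_shortcode_ui is outside this hunk), a missing or non-array value raises a warning and that entry is returned without the sanitisation pass. A defensive form is `$attrs = isset( $args['attrs'] ) && is_array( $args['attrs'] ) ? $args['attrs'] : array();` with the inner loop iterating `$attrs`. Since the JS templates now print label and description with the unescaped `{{{ }}}` mustache, this block is the only thing between registration input and the editor DOM, so it deserves a comment such as `// label/description are rendered unescaped ({{{ }}}) in the JS templates, so run them through wp_kses_post here; any new field printed that way must be added to this list.` Note also that `! empty()` skips a literal `'0'` label, which is harmless but worth knowing.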
4 changes: 2 additions & 2 deletions inc/fields/class-field-attachment.php
Expand Up @@ -91,7 +91,7 @@ public function action_shortcode_ui_loaded_editor() {

<script type="text/html" id="tmpl-fusion-shortcake-field-attachment">
<div class="field-block shortcode-ui-field-attachment shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.attr }}">{{ data.label }}</label>
<label for="{{ data.attr }}">{{{ data.label }}}</label>
<div class="shortcake-attachment-preview attachment-preview attachment">
<button id="{{ data.attr }}" class="button button-small add">{{ data.addButton }}</button>
<button class="button button-small remove">&times;</button>
Expand All @@ -109,7 +109,7 @@ public function action_shortcode_ui_loaded_editor() {
<div class="edit-link"><a href="#"><?php esc_html_e( 'Edit Attachment', 'shortcode-ui' ); ?></a></div>
</div>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>
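Review bot: Switching `{{ data.label }}` and `{{ data.description }}` to the triple-mustache `{{{ }}}` turns off the template's own HTML escaping, so these fields are safe only as long as every value reaching the template has passed through the wp_kses_post pass in Shortcode_UI::get_shortcodes(); nothing in the template records that dependency. The same applies to the identical changes in class-field-color.php, class-field-post-select.php and every template in edit-form.tpl.php. A one-line template comment above the first label, e.g. `<# /* label/description are sanitised with wp_kses_post in get_shortcodes(); keep {{ }} for any other field */ #>`, would stop a future field from copying the unescaped pattern for data that is not sanitised. `data.addButton` and the option labels in the select and radio templates remain double-mustache, which is correct.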
4 changes: 2 additions & 2 deletions inc/fields/class-field-color.php
Expand Up @@ -110,10 +110,10 @@ public function load_template() {

<script type="text/html" id="tmpl-fusion-shortcake-field-color">
<div class="field-block shortcode-ui-field-color shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.attr }}">{{ data.label }}</label>
<label for="{{ data.attr }}">{{{ data.label }}}</label>
<input type="text" name="{{ data.attr }}" id="{{ data.attr }}" value="{{ data.value }}" data-default-color="{{ data.value }}" {{{ data.meta }}}/>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>
4 changes: 2 additions & 2 deletions inc/fields/class-field-post-select.php
Expand Up @@ -76,10 +76,10 @@ public function action_shortcode_ui_loaded_editor() {

<script type="text/html" id="tmpl-shortcode-ui-field-post-select">
<div class="field-block shortcode-ui-field-post-select shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.id }}">{{ data.label }}</label>
<label for="{{ data.id }}">{{{ data.label }}}</label>
<input type="text" name="{{ data.attr }}" id="{{ data.id }}" value="{{ data.value }}" class="shortcode-ui-post-select" />
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>
50 changes: 25 additions & 25 deletions inc/templates/edit-form.tpl.php
Expand Up @@ -17,59 +17,59 @@

<script type="text/html" id="tmpl-shortcode-ui-field-text">
<div class="field-block shortcode-ui-field-text shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.id }}">{{ data.label }}</label>
<label for="{{ data.id }}">{{{ data.label }}}</label>
<input type="text" class="regular-text" name="{{ data.attr }}" id="{{ data.id }}" value="{{ data.value }}" {{{ data.meta }}}/>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>

<script type="text/html" id="tmpl-shortcode-ui-field-url">
<div class="field-block shortcode-ui-field-url shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.id }}">{{ data.label }}</label>
<label for="{{ data.id }}">{{{ data.label }}}</label>
<input type="url" name="{{ data.attr }}" id="{{ data.id }}" value="{{ data.value }}" class="code" {{{ data.meta }}}/>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>

<script type="text/html" id="tmpl-shortcode-ui-field-textarea">
<div class="field-block shortcode-ui-field-textarea shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.id }}">{{ data.label }}</label>
<label for="{{ data.id }}">{{{ data.label }}}</label>
<textarea name="{{ data.attr }}" id="{{ data.id }}" {{{ data.meta }}}>{{ data.value }}</textarea>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>

<script type="text/html" id="tmpl-shortcode-ui-field-select">
<div class="field-block shortcode-ui-field-select shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.id }}">{{ data.label }}</label>
<label for="{{ data.id }}">{{{ data.label }}}</label>
<select name="{{ data.attr }}" id="{{ data.id }}" {{{ data.meta }}}>
<# _.each( data.options, function( label, value ) { #>
<option value="{{ value }}" <# if ( value == data.value ){ print('selected'); } #>>{{ label }}</option>
<# }); #>
</select>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>

<script type="text/html" id="tmpl-shortcode-ui-field-radio">
<div class="field-block shortcode-ui-field-radio shortcode-ui-attribute-{{ data.attr }}">
<label>{{ data.label }}</label>
<label>{{{ data.label }}}</label>
<# _.each( data.options, function( label, value ) { #>
<label>
<input type="radio" name="{{ data.attr }}" value="{{ value }}" <# if ( value == data.value ) { print('checked'); } #> />
{{ label }}
</label>
<# }); #>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>
Expand All @@ -78,73 +78,73 @@
<div class="field-block shortcode-ui-field-checkbox shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.id }}">
<input type="checkbox" name="{{ data.attr }}" id="{{ data.id }}" value="{{ data.value }}" <# if ( 'true' == data.value ){ print('checked'); } #>>
{{ data.label }}
{{{ data.label }}}
</label>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>

<script type="text/html" id="tmpl-shortcode-ui-field-email">
<div class="field-block shortcode-ui-field-email shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.id }}">{{ data.label }}</label>
<label for="{{ data.id }}">{{{ data.label }}}</label>
<input type="email" class="regular-text" name="{{ data.attr }}" id="{{ data.id }}" value="{{ data.value}}" {{{ data.meta }}}/>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>

<script type="text/html" id="tmpl-shortcode-ui-field-number">
<div class="field-block shortcode-ui-field-number shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.id }}">{{ data.label }}</label>
<label for="{{ data.id }}">{{{ data.label }}}</label>
<input type="number" class="regular-text" name="{{ data.attr }}" id="{{ data.id }}" value="{{ data.value}}" {{{ data.meta }}}/>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>

<script type="text/html" id="tmpl-shortcode-ui-field-hidden">
<div class="field-block shortcode-ui-field-hidden shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.id }}">{{ data.label }}</label>
<label for="{{ data.id }}">{{{ data.label }}}</label>
<input type="hidden" name="{{ data.attr }}" id="{{ data.id }}" value="true" {{{ data.meta }}}/>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>

<script type="text/html" id="tmpl-shortcode-ui-field-date">
<div class="field-block shortcode-ui-field-date shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.id }}">{{ data.label }}</label>
<label for="{{ data.id }}">{{{ data.label }}}</label>
<input type="date" name="{{ data.attr }}" id="{{ data.id }}" value="{{ data.value }}" {{{ data.meta }}}/>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>

<script type="text/html" id="tmpl-shortcode-ui-content">
<div class="field-block shortcode-ui-content shortcode-ui-attribute-{{ data.attr }}">
<label for="inner_content">{{ data.label }}</label>
<label for="inner_content">{{{ data.label }}}</label>
<textarea id="inner_content" name="inner_content" class="content-edit" {{{ data.meta }}}>{{ data.value }}</textarea>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>

<script type="text/html" id="tmpl-shortcode-ui-field-range">
<div class="field-block shortcode-ui-field-range shortcode-ui-attribute-{{ data.attr }}">
<label for="{{ data.id }}">{{ data.label }}</label>
<label for="{{ data.id }}">{{{ data.label }}}</label>
<div class="field-range-container">
<input type="range" name="{{ data.attr }}" id="{{ data.id }}" value="{{ data.value}}" {{{ data.meta }}} />
<output class="range" for="{{ data.id }}" id="{{ data.id }}_indicator">{{ data.value }}</output>
</div>
<# if ( typeof data.description == 'string' ) { #>
<p class="description">{{ data.description }}</p>
<p class="description">{{{ data.description }}}</p>
<# } #>
</div>
</script>
</script>
20 changes: 20 additions & 0 deletions php-tests/test-shortcode-ui.php
Expand Up @@ -39,7 +39,27 @@ public function test_filter_shortcode_atts_decode_encoded() {

// Expect value of $attr['test'] to be decoded.
$this->assertEquals( $attr['test'], $decoded );
}

public function test_register_shortcode_malicious_html() {
Shortcode_UI::get_instance()->register_shortcode_ui( 'foo', array(
'inner_content' => array(
'label' => '<script>gotcha()</script>',
'description' => '<iframe src="baddomain.com"></iframe>',
),
'attrs' => array(
array(
'attr' => 'bar',
'label' => '<strong>gotcha()</strong>',
'description' => '<script>banana()</script>',
),
),
) );
$shortcodes = Shortcode_UI::get_instance()->get_shortcodes();
$this->assertEquals( 'gotcha()', $shortcodes['foo']['inner_content']['label'] );
$this->assertEmpty( $shortcodes['foo']['inner_content']['description'] );
$this->assertEquals( '<strong>gotcha()</strong>', $shortcodes['foo']['attrs'][0]['label'] );
$this->assertEquals( 'banana()', $shortcodes['foo']['attrs'][0]['description'] );
}

}
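Review bot: `test_register_shortcode_malicious_html` registers the `foo` shortcode on the `Shortcode_UI` singleton and never removes it, so unless a setUp/tearDown outside this hunk resets the instance, the entry persists into later tests in the same process and their `get_shortcodes()` output changes. Resetting the instance in tearDown, or removing the entry at the end of the test if the class offers a way, would isolate it. The test also does not cover a registration without an `attrs` key, which is the path where the new sanitisation loop in get_shortcodes() is most likely to warn; a second registration with only `inner_content` would pin that behaviour.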
