refactor: WordPress.Security.EscapeOutput.OutputNotEscaped escaping (…

…#2269)

* refactor: `WordPress.Security.EscapeOutput.OutputNotEscaped` escaping

* refactor: phpcs fix

* refactor: phpcs fix

* fix: store list filter loading issue

templates/emails/plain/new-seller-registered.php

@@ -28,15 +28,15 @@
 echo "\n\n----------------------------------------\n\n";
 
 // translators: 1) seller name
-echo sprintf( esc_html__( 'Vendor: %s', 'dokan-lite' ), esc_html( $data['{seller_name}'] ) );
+printf( esc_html__( 'Vendor: %s', 'dokan-lite' ), esc_html( $data['{seller_name}'] ) );
 echo " \n";
 
 // translators: 1) store name
-echo sprintf( esc_html__( 'Vendor Store: %s', 'dokan-lite' ), $data['{store_name}'] );
+printf( esc_html__( 'Vendor Store: %s', 'dokan-lite' ), esc_html( $data['{store_name}'] ) );
 echo " \n";
 
 // translators: 1) seller edit url
-echo sprintf( esc_html__( 'To edit vendor access and details visit : %s', 'dokan-lite' ), esc_url( $data['{seller_edit}'] ) );
+printf( esc_html__( 'To edit vendor access and details visit : %s', 'dokan-lite' ), esc_url( $data['{seller_edit}'] ) );
 
 echo "\n\n----------------------------------------\n\n";
 

templates/emails/plain/reverse-withdrawal-invoice.php

@@ -24,19 +24,19 @@
 echo "\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n";
 
 // translators: 1) store name
-printf( esc_html__( 'Hi %s,\n\n', 'dokan-lite' ), $seller_info->get_shop_name() );
+printf( esc_html__( 'Hi %s,\n\n', 'dokan-lite' ), esc_html( $seller_info->get_shop_name() ) );
 
 // translators: 1) invoice month 2) invoice year 3) store name
-printf( esc_html__( 'Your %1$s %2$s invoice is now available for store: %3$s.\n\n', 'dokan-lite' ), $data['{month}'], $data['{year}'], $seller_info->get_shop_name() );
+printf( esc_html__( 'Your %1$s %2$s invoice is now available for store: %3$s.\n\n', 'dokan-lite' ), esc_html( $data['{month}'] ), esc_html( $data['{year}'] ), esc_html( $seller_info->get_shop_name() ) );
 
 // translators: 1) store name
-printf( esc_html__( 'Summary for %1$s: \n\n', 'dokan-lite' ), $seller_info->get_shop_name() );
+printf( esc_html__( 'Summary for %1$s: \n\n', 'dokan-lite' ), esc_html( $seller_info->get_shop_name() ) );
 
 // translators: 1) invoice month 2) invoice year 3) due balance amount
-printf( esc_html__( 'Reverse withdrawal charges for %1$s %2$s: %3$s \n\n', 'dokan-lite' ), $data['{month}'], $data['{year}'], wc_price( $due_status['balance']['payable_amount'] ) );
+printf( esc_html__( 'Reverse withdrawal charges for %1$s %2$s: %3$s \n\n', 'dokan-lite' ), esc_html( $data['{month}'] ), esc_html( $data['{year}'] ), esc_html( wc_price( $due_status['balance']['payable_amount'] ) ) );
 
 // translators: 1) invoice due date
-printf( esc_html__( 'Due Date %1$s: \n\n', 'dokan-lite' ), 'immediate' === $due_status['due_date'] ? ucfirst( $due_status['due_date'] ) : dokan_format_date( $due_status['due_date'] ) );
+printf( esc_html__( 'Due Date %1$s: \n\n', 'dokan-lite' ), 'immediate' === $due_status['due_date'] ? esc_html( ucfirst( $due_status['due_date'] ) ) : esc_html( dokan_format_date( $due_status['due_date'] ) ) );
 
 printf(
     wp_kses(

templates/emails/plain/vendor-completed-order.php

@@ -17,7 +17,7 @@
 echo "\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n";
 
 // translators: 1) order billing full name
-echo sprintf( __( 'You have received complete order from %s.', 'dokan-lite' ), $order->get_formatted_billing_full_name() ) . "\n\n";
+echo sprintf( esc_html__( 'You have received complete order from %s.', 'dokan-lite' ), esc_html( $order->get_formatted_billing_full_name() ) ) . "\n\n";
 echo "\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n";
 
 esc_html_e( 'Product            | Quantity        | Price', 'dokan-lite' );

templates/emails/plain/vendor-new-order.php

@@ -17,7 +17,7 @@
 echo "\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n";
 
 // translators: 1) order billing full name
-echo sprintf( __( 'You have received an order from %s.', 'dokan-lite' ), $order->get_formatted_billing_full_name() ) . "\n\n";
+echo sprintf( esc_html__( 'You have received an order from %s.', 'dokan-lite' ), esc_html( $order->get_formatted_billing_full_name() ) ) . "\n\n";
 echo "\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n";
 
 esc_html_e( 'Product            | Quantity        | Price', 'dokan-lite' );

templates/emails/plain/vendor-product-review.php

@@ -25,9 +25,9 @@
 printf(
 // translators: 1) product name, 2) customer name, 3) rating
     esc_html__( 'We are happy to inform you that your product %1$s has received a new review on our website. The review was written by %2$s and has a rating of %3$s out of 5 stars.', 'dokan-lite' ),
-    $data['{product_name}'],
-    $data['{customer_name}'],
-    $data['{rating}']
+    esc_html( $data['{product_name}'] ),
+    esc_html( $data['{customer_name}'] ),
+    esc_html( $data['{rating}'] )
 );
 echo " \n\n";
 

templates/emails/product-published.php

@@ -16,7 +16,7 @@
 <p>
     <?php
     // translators: 1) seller name
-    echo sprintf( __( 'Hello %s', 'dokan-lite' ), esc_html( $data['{store_name}'] ) );
+    printf( esc_html__( 'Hello %s', 'dokan-lite' ), esc_html( $data['{store_name}'] ) );
     ?>
 </p>
 <p>

templates/emails/reverse-withdrawal-invoice.php

@@ -29,7 +29,7 @@
 </p>
 <p>
     <?php
-    echo sprintf(
+    printf(
         // translators: 1) invoice month 2) invoice year 3) store name
         esc_html__( 'Your %1$s %2$s invoice is now available for store: %3$s.', 'dokan-lite' ),
         esc_html( $data['{month}'] ), esc_html( $data['{year}'] ), esc_html( $seller_info->get_shop_name() )
@@ -42,7 +42,7 @@
         <strong>
             <?php
             // translators: 1) store name
-            printf( esc_html__( 'Summary for %1$s: ', 'dokan-lite' ), $seller_info->get_shop_name() );
+            printf( esc_html__( 'Summary for %1$s: ', 'dokan-lite' ), esc_html( $seller_info->get_shop_name() ) );
             ?>
         </strong>
     </li>
@@ -62,7 +62,7 @@
         <strong>
             <?php esc_html_e( 'Due Date: ', 'dokan-lite' ); ?>
         </strong>
-        <?php echo 'immediate' === $due_status['due_date'] ? ucfirst( $due_status['due_date'] ) : dokan_format_date( $due_status['due_date'] ); ?>
+        <?php echo 'immediate' === $due_status['due_date'] ? esc_html( ucfirst( $due_status['due_date'] ) ) : esc_html( dokan_format_date( $due_status['due_date'] ) ); ?>
     </li>
 </ul>
 

templates/emails/vendor-completed-order.php

@@ -34,7 +34,7 @@
     <p>
         <?php
         // translators: 1) order billing full name
-        printf( __( 'You have received complete order from %s.', 'dokan-lite' ), esc_html( $order->get_formatted_billing_full_name() ) );
+        printf( esc_html__( 'You have received complete order from %s.', 'dokan-lite' ), esc_html( $order->get_formatted_billing_full_name() ) );
         ?>
     </p>
 
@@ -77,7 +77,7 @@
             if ( $item_totals ) {
                 $i = 0;
                 foreach ( $item_totals as $total ) {
-                    $i ++;
+                    ++$i;
                     ?>
                     <tr>
                         <th class="td" scope="row" colspan="2" style="text-align:<?php echo esc_attr( $text_align ); ?>; <?php echo ( 1 === $i ) ? 'border-top-width: 4px;' : ''; ?>"><?php echo wp_kses_post( $total['label'] ); ?></th>

templates/emails/vendor-new-order.php

@@ -33,7 +33,7 @@
     <p>
         <?php
         // translators: 1) order formatted billing full name
-        printf( __( 'You have received an order from %s.', 'dokan-lite' ), $order->get_formatted_billing_full_name() );
+        printf( esc_html__( 'You have received an order from %s.', 'dokan-lite' ), esc_html( $order->get_formatted_billing_full_name() ) );
         ?>
     </p>
 
@@ -78,7 +78,7 @@
             if ( $item_totals ) {
                 $i = 0;
                 foreach ( $item_totals as $total ) {
-                    $i ++;
+                    ++$i;
                     ?>
                     <tr>
                         <th class="td" scope="row" colspan="2" style="text-align:<?php echo esc_attr( $text_align ); ?>; <?php echo ( 1 === $i ) ? 'border-top-width: 4px;' : ''; ?>"><?php echo wp_kses_post( $total['label'] ); ?></th>

templates/emails/vendor-product-review.php

@@ -25,9 +25,9 @@
             // translators: 1) product name, 2) customer name, 3) rating
                 __( 'We are happy to inform you that your product <strong>%1$s</strong> has received a new review on our website. The review was written by <strong>%2$s</strong> and has a rating of <strong>%3$s</strong> out of 5 stars.', 'dokan-lite' )
             ),
-            $data['{product_name}'],
-            $data['{customer_name}'],
-            $data['{rating}']
+            esc_html( $data['{product_name}'] ),
+            esc_html( $data['{customer_name}'] ),
+            esc_html( $data['{rating}'] )
         );
         ?>
     </p>
@@ -42,7 +42,7 @@
         printf(
             '<a href="%1$s">%2$s</a>',
             esc_url( $data['{review_link}'] ),
-            $data['{product_name}']
+            esc_html( $data['{product_name}'] )
         );
         ?>
     </p>

templates/my-orders.php

@@ -49,7 +49,7 @@
                 </td>
                 <td class="order-date">
                     <time datetime="<?php echo esc_attr( $order_date->format( 'Y-m-dTH:i:s' ) ); ?>">
-                        <?php echo dokan_format_date( $order_date ); ?>
+                        <?php echo esc_html( dokan_format_date( $order_date ) ); ?>
                     </time>
                 </td>
                 <td class="order-status" style="text-align:left; white-space:nowrap;">

templates/reverse-withdrawal/transaction-listing.php

@@ -37,16 +37,16 @@
                 <td>
                     <?php
                     // translators: 1) transaction url 2) transaction id
-                    echo sprintf( '<a href="%1$s" target="_blank">%2$s</a>', $transaction['trn_url'], $transaction['trn_id'] )
+                    printf( '<a href="%1$s" target="_blank">%2$s</a>', esc_url( $transaction['trn_url'] ), esc_html( $transaction['trn_id'] ) )
                     ?>
                 </td>
                 <td><?php echo esc_html( $transaction['trn_date'] ); ?></td>
                 <td><?php echo esc_html( $transaction['trn_type'] ); ?></td>
                 <td><?php echo esc_html( $transaction['note'] ); ?></td>
-                <td><?php echo $transaction['debit'] === '' ? '--' : wc_price( $transaction['debit'] ); ?></td>
-                <td><?php echo $transaction['credit'] === '' ? '--' : wc_price( $transaction['credit'] ); ?></td>
+                <td><?php echo $transaction['debit'] === '' ? '--' : wp_kses_post( wc_price( $transaction['debit'] ) ); ?></td>
+                <td><?php echo $transaction['credit'] === '' ? '--' : wp_kses_post( wc_price( $transaction['credit'] ) ); ?></td>
                 <td>
-                    <?php echo $transaction['balance'] < 0 ? sprintf( '(%1$s)', wc_price( abs( $transaction['balance'] ) ) ) : wc_price( $transaction['balance'] ); ?>
+                    <?php echo $transaction['balance'] < 0 ? sprintf( '(%1$s)', wp_kses_post( wc_price( abs( $transaction['balance'] ) ) ) ) : wp_kses_post( wc_price( $transaction['balance'] ) ); ?>
                 </td>
             </tr>
             <?php
@@ -60,7 +60,7 @@
                 <td></td>
                 <td></td>
                 <td><b><?php esc_html_e( 'Balance:', 'dokan-lite' ); ?></b></td>
-                <td><b><?php echo wc_price( $current_balance ); ?></b></td>
+                <td><b><?php echo wp_kses_post( wc_price( $current_balance ) ); ?></b></td>
             </tr>
             <?php
         } else {

templates/store-lists-filter.php

@@ -25,7 +25,7 @@
         <p class="item store-count">
             <?php
             // translators: 1) number of stores
-            printf( _n( 'Total store showing: %s', 'Total stores showing: %s', $number_of_store, 'dokan-lite' ), number_format_i18n( $number_of_store ) );
+            printf( esc_html( _n( 'Total store showing: %s', 'Total stores showing: %s', $number_of_store, 'dokan-lite' ) ), esc_html( number_format_i18n( $number_of_store ) ) );
             ?>
         </p>
     </div>
@@ -48,12 +48,9 @@
             <label><?php esc_html_e( 'Sort by', 'dokan-lite' ); ?>:</label>
 
             <select name="stores_orderby" id="stores_orderby" aria-label="<?php esc_html_e( 'Sort by', 'dokan-lite' ); ?>">
-                <?php
-                foreach ( $sort_filters as $key => $filter ) {
-                    $optoins = "<option value='{$key}'" . selected( $sort_by, $key, false ) . ">{$filter}</option>";
-                    printf( $optoins );
-                }
-                ?>
+                <?php foreach ( $sort_filters as $key => $filter ) : ?>
+                    <option value="<?php echo esc_attr( $key ); ?>" <?php selected( $sort_by, $key ); ?> ><?php echo esc_html( $filter ); ?></option>
+                <?php endforeach; ?>
             </select>
         </form>
 

templates/sub-orders.php

@@ -28,11 +28,13 @@
      * @args WC_Order[] $sub_orders
      * @args array $statuses
      */
-    echo apply_filters(
-        'dokan_suborder_notice_to_customer',
-        esc_html__(
-            'This order has products from multiple vendors. So we divided this order into multiple vendor orders. Each order will be handled by their respective vendor independently.', 'dokan-lite'
-        ), $parent_order, $sub_orders, $statuses
+    echo esc_html(
+        apply_filters(
+            'dokan_suborder_notice_to_customer',
+            esc_html__(
+                'This order has products from multiple vendors. So we divided this order into multiple vendor orders. Each order will be handled by their respective vendor independently.', 'dokan-lite'
+            ), $parent_order, $sub_orders, $statuses
+        )
     );
     ?>
 </div>
@@ -53,14 +55,15 @@
     <tbody>
     <?php
     $now = dokan_current_datetime();
+    // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
     foreach ( $sub_orders as $order ) {
         $item_count = $order->get_item_count();
         $order_date = $order->get_date_created();
         $order_date = is_a( $order_date, 'WC_DateTime' ) ? $now->setTimestamp( $order_date->getTimestamp() ) : $now;
         ?>
             <tr class="order">
                 <td class="order-number">
-                    <a href="<?php echo esc_url(  is_callable( [ $order, 'get_view_order_url' ] ) ? $order->get_view_order_url() : '#' ); ?>">
+                    <a href="<?php echo esc_url( is_callable( [ $order, 'get_view_order_url' ] ) ? $order->get_view_order_url() : '#' ); ?>">
                         <?php echo esc_html( $order->get_order_number() ); ?>
                     </a>
                 </td>
@@ -74,7 +77,7 @@
                 </td>
                 <?php if ( function_exists( 'dokan_get_order_shipment_current_status' ) && 'on' === $allow_shipment && $wc_shipping_enabled ) : ?>
                     <td class="dokan-order-shipping-status" data-title="<?php esc_attr_e( 'Shipping Status', 'dokan-lite' ); ?>" >
-                        <?php echo dokan_get_order_shipment_current_status( $order->get_id() ); ?>
+                        <?php echo wp_kses_post( dokan_get_order_shipment_current_status( $order->get_id() ) ); ?>
                     </td>
                 <?php endif; ?>
                 <td class="order-total">

templates/vendor-store-info.php

@@ -29,7 +29,7 @@
         </div>
         <?php if ( $store_rating['count'] ) : ?>
             <?php // translators: %d reviews count ?>
-            <p class="dokan-ratings-count">(<?php echo sprintf( _n( '%s Review', '%s Reviews', $store_rating['count'], 'dokan-lite' ), number_format_i18n( $store_rating['count'] ) ); ?>)</p>
+            <p class="dokan-ratings-count">(<?php echo esc_html( sprintf( _n( '%s Review', '%s Reviews', $store_rating['count'], 'dokan-lite' ), esc_html( number_format_i18n( $store_rating['count'] ) ) ) ); ?>)</p>
         <?php endif; ?>
     </div>
 </div>