refactor: WordPress.Security.EscapeOutput.OutputNotEscaped, WordPress.Security.EscapeOutput.ExceptionNotEscaped escaping

includes/Admin/Hooks.php

@@ -96,7 +96,7 @@
             data-minimum_input_length="0"
             data-data='<?php echo wp_json_encode( $user ); ?>'
         >
-        </select> <?php echo wc_help_tip( __( 'You can search vendors and assign them.', 'dokan-lite' ) ); ?>
+        </select> <?php echo wp_kses( wc_help_tip( esc_html__( 'You can search vendors and assign them.', 'dokan-lite' ) ), wp_kses_allowed_html( 'user_description' ) ); ?>
         <?php
     }
 
@@ -165,7 +165,7 @@
      *
      * @return void
      */
     public function override_product_author_by_admin( $product_id, $post ) {
         $product          = wc_get_product( $product_id );
         $posted_vendor_id = ! empty( $_POST['dokan_product_author_override'] ) ? intval( wp_unslash( $_POST['dokan_product_author_override'] ) ) : 0; // phpcs:ignore
 

includes/Admin/SetupWizard.php

@@ -515,7 +515,7 @@ public function dokan_setup_withdraw() {
                                     <div class="wc-wizard-service-description">
                                         <?php
                                         // translators: %s: withdraw method name
-                                        printf( esc_html__( 'Enable %s for your vendor as a withdraw method', 'dokan-lite' ), dokan_withdraw_get_method_title( $key ) );
+                                        printf( esc_html__( 'Enable %s for your vendor as a withdraw method', 'dokan-lite' ), esc_html( dokan_withdraw_get_method_title( $key ) ) );
                                         ?>
                                     </div>
                                     <div class="dokan-wizard-service-enable">
@@ -732,8 +732,8 @@ public function dokan_setup_withdraw_save() {
 
         $options                          = get_option( 'dokan_withdraw', [] );
         $options['withdraw_methods']      = ! empty( $_POST['withdraw_methods'] ) ? wc_clean( wp_unslash( $_POST['withdraw_methods'] ) ) : [];
-        $options['withdraw_limit']        = ! empty( $_POST['withdraw_limit'] ) ? (float) wc_format_decimal( sanitize_text_field( wp_unslash( $_POST['withdraw_limit'] ) ) ) < 0 ? 0 : wc_format_decimal( sanitize_text_field( wp_unslash( $_POST['withdraw_limit'] ) ) ) : 0;
         $options['withdraw_order_status'] = ! empty( $_POST['withdraw_order_status'] ) ? wc_clean( wp_unslash( $_POST['withdraw_order_status'] ) ) : [];
+        $options['withdraw_limit']        = ! empty( $_POST['withdraw_limit'] ) ? (float) wc_format_decimal( sanitize_text_field( wp_unslash( $_POST['withdraw_limit'] ) ) ) < 0 ? 0 : wc_format_decimal( sanitize_text_field( wp_unslash( $_POST['withdraw_limit'] ) ) ) : 0;
 
         /**
          * Filter dokan_withdraw options before saving in setup wizard

includes/Admin/SetupWizardNoWC.php

@@ -129,7 +129,7 @@ public function install_woocommerce() {
         delete_transient( '_wc_activation_redirect' );
 
         if ( is_wp_error( $installed ) ) {
-            wp_die( $installed->get_error_message(), __( 'Error installing WooCommerce plugin', 'dokan-lite' ) );
+            wp_die( esc_html( $installed->get_error_message() ), esc_html__( 'Error installing WooCommerce plugin', 'dokan-lite' ) );
         }
 
         set_transient( 'dokan_setup_wizard_no_wc', true, 15 * MINUTE_IN_SECONDS );
@@ -228,15 +228,15 @@ public static function add_wc_html_step_start() {
     public static function save_wc_store_setup_data() {
         check_admin_referer( 'dokan-setup' );
 
-        $address        = isset( $_POST['store_address'] ) ? wc_clean( wp_unslash( $_POST['store_address'] ) ) : '';
-        $address_2      = isset( $_POST['store_address_2'] ) ? wc_clean( wp_unslash( $_POST['store_address_2'] ) ) : '';
-        $city           = isset( $_POST['store_city'] ) ? wc_clean( wp_unslash( $_POST['store_city'] ) ) : '';
-        $country        = isset( $_POST['store_country'] ) ? wc_clean( wp_unslash( $_POST['store_country'] ) ) : '';
-        $state          = isset( $_POST['store_state'] ) ? wc_clean( wp_unslash( $_POST['store_state'] ) ) : '*';
-        $postcode       = isset( $_POST['store_postcode'] ) ? wc_clean( wp_unslash( $_POST['store_postcode'] ) ) : '';
-        $currency_code  = isset( $_POST['currency_code'] ) ? wc_clean( wp_unslash( $_POST['currency_code'] ) ) : '';
-        $product_type   = isset( $_POST['product_type'] ) ? wc_clean( wp_unslash( $_POST['product_type'] ) ) : '';
-        $sell_in_person = isset( $_POST['sell_in_person'] ) && ( 'on' === wc_clean( wp_unslash( $_POST['sell_in_person'] ) ) );
+        $address        = isset( $_POST['store_address'] ) ? sanitize_text_field( wp_unslash( $_POST['store_address'] ) ) : '';
+        $address_2      = isset( $_POST['store_address_2'] ) ? sanitize_text_field( wp_unslash( $_POST['store_address_2'] ) ) : '';
+        $city           = isset( $_POST['store_city'] ) ? sanitize_text_field( wp_unslash( $_POST['store_city'] ) ) : '';
+        $country        = isset( $_POST['store_country'] ) ? sanitize_text_field( wp_unslash( $_POST['store_country'] ) ) : '';
+        $state          = isset( $_POST['store_state'] ) ? sanitize_text_field( wp_unslash( $_POST['store_state'] ) ) : '*';
+        $postcode       = isset( $_POST['store_postcode'] ) ? sanitize_text_field( wp_unslash( $_POST['store_postcode'] ) ) : '';
+        $currency_code  = isset( $_POST['currency_code'] ) ? sanitize_text_field( wp_unslash( $_POST['currency_code'] ) ) : '';
+        $product_type   = isset( $_POST['product_type'] ) ? sanitize_text_field( wp_unslash( $_POST['product_type'] ) ) : '';
+        $sell_in_person = isset( $_POST['sell_in_person'] ) && ( 'on' === sanitize_text_field( wp_unslash( $_POST['sell_in_person'] ) ) );
 
         update_option( 'woocommerce_store_address', $address );
         update_option( 'woocommerce_store_address_2', $address_2 );

includes/Admin/SetupWizardWCAdmin.php

@@ -287,7 +287,7 @@ class="switch-input"
                     type="checkbox"
                     name="wc-wizard-service-<?php echo esc_attr( $item_id ); ?>-enabled"
                     value="yes" <?php checked( $should_enable_toggle ); ?>
-                    data-plugins="<?php echo wc_esc_json( wp_json_encode( $plugins ) ); ?>"
+                    data-plugins="<?php echo wc_esc_json( wp_json_encode( $plugins ) ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>"
                 >
                 <label for="wc-wizard-service-<?php echo esc_attr( $item_id ); ?>-enabled" class="switch-label"></label>
 
@@ -331,7 +331,7 @@ class="<?php echo esc_attr( 'payment-' . $setting['type'] . '-input' ); ?>"
                                     placeholder="<?php echo esc_attr( $setting['placeholder'] ); ?>"
                                     <?php echo ( $setting['required'] ) ? 'required' : ''; ?>
                                     <?php echo $is_checkbox ? checked( isset( $checked ) && $checked, true, false ) : ''; ?>
-                                    data-plugins="<?php echo wc_esc_json( wp_json_encode( isset( $setting['plugins'] ) ? $setting['plugins'] : null ) ); ?>"
+                                    data-plugins="<?php echo wc_esc_json( wp_json_encode( isset( $setting['plugins'] ) ? $setting['plugins'] : null ) ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>"
                                 />
                                 <?php if ( ! empty( $setting['description'] ) ) : ?>
                                     <span class="wc-wizard-service-settings-description"><?php echo esc_html( $setting['description'] ); ?></span>

includes/Ajax.php

@@ -265,8 +265,8 @@
 
                         include dirname( __DIR__ ) . '/templates/orders/order-download-permission-html.php';
 
-                        $loop ++;
-                        $file_count ++;
+                        ++$loop;
+                        ++$file_count;
                     }
                 }
             }
@@ -414,7 +414,7 @@
                 echo 'customer-note';
             }
             echo '"><div class="note_content">';
-            echo wpautop( wptexturize( $note ) ); // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+            echo wp_kses_post( wpautop( wptexturize( $note ) ) );
             echo '</div><p class="meta"><a href="#" class="delete_note">' . esc_html__( 'Delete note', 'dokan-lite' ) . '</a></p>';
             echo '</li>';
         }
@@ -484,7 +484,7 @@
             echo '<li rel="' . esc_attr( $comment_id ) . '" class="note ';
             echo 'customer-note';
             echo '"><div class="note_content">';
-            echo wpautop( wptexturize( $ship_info ) ); // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+            echo wp_kses_post( wpautop( wptexturize( $ship_info ) ) );
             echo '</div><p class="meta"><a href="#" class="delete_note">' . esc_html__( 'Delete', 'dokan-lite' ) . '</a></p>';
             echo '</li>';
 
@@ -692,6 +692,7 @@
 
         $drop_down_tags = apply_filters(
             'dokan_search_product_tags_for_vendor_products', [
+                'taxonomy'   => 'product_tag',
                 'name__like' => $name,
                 'hide_empty' => 0,
                 'orderby'    => 'name',
@@ -701,7 +702,7 @@
             ]
         );
 
-        $product_tags = get_terms( 'product_tag', $drop_down_tags );
+        $product_tags = get_terms( $drop_down_tags );
 
         if ( $product_tags ) {
             foreach ( $product_tags as $pro_term ) {
@@ -873,7 +874,7 @@
      *
      * @return int attachment ID
      */
     final public function insert_attachment( $object, $cropped ) {
         $attachment_id = wp_insert_attachment( $object, $cropped );
         $metadata      = wp_generate_attachment_metadata( $attachment_id, $cropped );
         $metadata      = apply_filters( 'wp_header_image_attachment_metadata', $metadata );

includes/Customizer/HeadingControl.php

@@ -28,7 +28,9 @@ protected function render_content() {
         <?php } ?>
 
         <?php if ( ! empty( $this->description ) ) { ?>
-            <span class="description customize-control-description"><?php echo $this->description; ?></span>
+            <span class="description customize-control-description">
+                <?php echo wp_kses( $this->description, wp_kses_allowed_html( 'user_description' ) ); ?>
+            </span>
         <?php } ?>
         <?php
     }

includes/Customizer/RadioImageControl.php

@@ -80,7 +80,7 @@ public function render_content() {
                     <label for="<?php echo esc_attr( $this->id ) . esc_attr( $value ); ?>">
                         <?php
                         if ( isset( $label['svg'] ) ) {
-                            echo $label['svg'];
+                            echo $label['svg']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
                         } else {
                             ?>
                             <img src="<?php echo esc_html( $label['src'] ); ?>" alt="<?php echo esc_attr( $label['label'] ); ?>" title="<?php echo esc_attr( $label['label'] ); ?>">

includes/Order/Admin/Hooks.php

@@ -158,7 +158,7 @@
         }
 
         if ( ! empty( $output ) ) {
-            echo apply_filters( "dokan_manage_shop_order_custom_columns_{$col}", $output, $order );
+            echo wp_kses_post( apply_filters( "dokan_manage_shop_order_custom_columns_{$col}", $output, $order ) );
         }
     }
 
@@ -176,7 +176,7 @@
      *
      * @return array
      */
     public function admin_shop_order_row_classes( $classes, $class, $post_id ) {
         if ( ! OrderUtil::is_order( $post_id ) ) {
             return $classes;
         }

includes/PageViews.php

@@ -19,31 +19,13 @@ public function __construct() {
     }
 
     public function load_scripts() {
-        $nonce = wp_create_nonce( 'dokan_pageview' );
-
-        echo '<script type="text/javascript">
-            jQuery(document).ready( function($) {
-                if(localStorage){
-                    let new_date = new Date().toISOString().slice(0, 10);
-                    let dokan_pageview_count = JSON.parse(localStorage.getItem("dokan_pageview_count"));
-                    let post_id = ' . get_the_ID() . ';
-
-                    if ( dokan_pageview_count === null || ( dokan_pageview_count.today && dokan_pageview_count.today !== new_date ) ) {
-                        dokan_pageview_count = { "today": new_date, "post_ids": [] };
-                    }
-                    if ( ! dokan_pageview_count.post_ids.includes( post_id )  ) {
-                        var data = {
-                            action: "dokan_pageview",
-                            _ajax_nonce: "' . esc_html( $nonce ) . '",
-                            post_id: ' . get_the_ID() . ',
-                        }
-                        $.post( "' . esc_url( admin_url( 'admin-ajax.php' ) ) . '", data );
-                        dokan_pageview_count.post_ids.push( post_id );
-                        localStorage.setItem("dokan_pageview_count", JSON.stringify(dokan_pageview_count));
-                    }
-                }
-            } );
-            </script>';
+        dokan_get_template_part(
+            'page-views', false, array(
+                'nonce' => wp_create_nonce( 'dokan_pageview' ),
+                'post_id' => get_the_ID(),
+                'ajax_url' => admin_url( 'admin-ajax.php' ),
+            )
+        );
     }
 
     public function load_views() {
@@ -81,5 +63,4 @@ public function update_ajax() {
 
         wp_die();
     }
-
 }

includes/REST/ProductController.php

@@ -1202,7 +1202,7 @@
      *
      * @return array                   Links for the given post.
      */
     protected function prepare_links( $object, $request ) {
         $links = [
             'self'       => [
                 'href' => rest_url( sprintf( '/%s/%s/%d', $this->namespace, $this->base, $object->get_id() ) ),
@@ -1505,7 +1505,7 @@
 
                     if ( is_wp_error( $upload ) ) {
                         if ( ! apply_filters( 'woocommerce_rest_suppress_image_upload_error', false, $upload, $product->get_id(), $images ) ) {
-                            throw new WC_REST_Exception( 'woocommerce_product_image_upload_error', $upload->get_error_message(), 400 );
+                            throw new WC_REST_Exception( 'woocommerce_product_image_upload_error', esc_html( $upload->get_error_message() ), 400 );
                         } else {
                             continue;
                         }
@@ -1516,7 +1516,7 @@
 
                 if ( ! wp_attachment_is_image( $attachment_id ) ) {
                     /* translators: %s: attachment id */
-                    throw new WC_REST_Exception( 'woocommerce_product_invalid_image_id', sprintf( __( '#%s is an invalid image ID.', 'dokan-lite' ), $attachment_id ), 400 );
+                    throw new WC_REST_Exception( 'woocommerce_product_invalid_image_id', sprintf( esc_html__( '#%s is an invalid image ID.', 'dokan-lite' ), esc_html( $attachment_id ) ), 400 );
                 }
 
                 if ( isset( $image['position'] ) && 0 === absint( $image['position'] ) ) {
@@ -2308,5 +2308,4 @@
 
         return $this->add_additional_fields_schema( $schema );
     }
-
 }

includes/ReverseWithdrawal/ReverseWithdrawal.php

@@ -28,7 +28,7 @@ class ReverseWithdrawal {
      */
     public function __clone() {
         $message = ' Backtrace: ' . wp_debug_backtrace_summary();
-        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Cloning is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION );
+        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Cloning is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 
     /**
@@ -38,7 +38,7 @@ public function __clone() {
      */
     public function __wakeup() {
         $message = ' Backtrace: ' . wp_debug_backtrace_summary();
-        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Unserializing instances of this class is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION );
+        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Unserializing instances of this class is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 
     /**

includes/Traits/ChainableContainer.php

@@ -18,7 +18,7 @@ trait ChainableContainer {
      */
     public function __clone() {
         $message = ' Backtrace: ' . wp_debug_backtrace_summary();
-        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Cloning is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION );
+        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Cloning is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 
     /**
@@ -28,7 +28,7 @@ public function __clone() {
      */
     public function __wakeup() {
         $message = ' Backtrace: ' . wp_debug_backtrace_summary();
-        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Unserializing instances of this class is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION );
+        _doing_it_wrong( __METHOD__, $message . esc_html__( 'Unserializing instances of this class is forbidden.', 'dokan-lite' ), DOKAN_PLUGIN_VERSION ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
     }
 
     /**

includes/Widgets/BestSellingProducts.php

@@ -37,9 +37,10 @@ public function widget( $args, $instance ) {
 
         $r = dokan_get_best_selling_products( $no_of_product, $vendor_id, $paged, $hide_outofstock );
 
-        echo $args['before_widget']; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+        echo $args['before_widget']; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped,WordPress.Security.EscapeOutput.OutputNotEscaped
+
         if ( ! empty( $title ) ) {
-            echo $args['before_title'] . $title . $args['after_title']; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+            echo $args['before_title'] . $title . $args['after_title']; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped,WordPress.Security.EscapeOutput.OutputNotEscaped
         }
 
         dokan_get_template_part(
@@ -49,7 +50,7 @@ public function widget( $args, $instance ) {
             )
         );
 
-        echo $args['after_widget']; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+        echo $args['after_widget']; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped,WordPress.Security.EscapeOutput.OutputNotEscaped
 
         wp_reset_postdata();
     }