Fix "All output should be run through an escaping function" warnings.

pronamic · May 15, 2024 · d8651c6 · d8651c6
1 parent 877acb2
commit d8651c6
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/src/Facades/Http.php b/src/Facades/Http.php
@@ -36,7 +36,12 @@ class Http {
 	 */
 	private static function result( $result, $handler ) {
 		if ( $result instanceof \WP_Error ) {
-			throw new \Pronamic\WordPress\Http\Exceptions\Exception( $result->get_error_message(), new Request( $handler->method(), $handler->url(), $handler->args() ) );
+			$exception = new \Pronamic\WordPress\Http\Exceptions\Exception(
+				\esc_html( $result->get_error_message() ),
+				new Request( $handler->method(), $handler->url(), $handler->args() )
+			);
+
+			throw $exception;
 		}
 
 		return new Response( $result );

diff --git a/src/Response.php b/src/Response.php
@@ -87,8 +87,8 @@ public function json() {
 			throw new \Exception(
 				\sprintf(
 					'Response is empty, HTTP response: "%s %s".',
-					\wp_remote_retrieve_response_code( $this->array ),
-					\wp_remote_retrieve_response_message( $this->array )
+					\esc_html( \wp_remote_retrieve_response_code( $this->array ) ),
+					\esc_html( \wp_remote_retrieve_response_message( $this->array ) )
 				)
 			);
 		}
@@ -103,12 +103,12 @@ public function json() {
 			throw new \Exception(
 				\sprintf(
 					'Could not JSON decode response, HTTP response: "%s %s", HTTP body length: "%d", JSON error: "%s".',
-					\wp_remote_retrieve_response_code( $this->array ),
-					\wp_remote_retrieve_response_message( $this->array ),
-					\strlen( $body ),
-					\json_last_error_msg()
+					\esc_html( \wp_remote_retrieve_response_code( $this->array ) ),
+					\esc_html( \wp_remote_retrieve_response_message( $this->array ) ),
+					\esc_html( \strlen( $body ) ),
+					\esc_html( \json_last_error_msg() )
 				),
-				$json_error
+				(int) $json_error
 			);
 		}
 
@@ -164,7 +164,7 @@ public function simplexml() {
 		// Throw exception.
 		$message = \implode( \PHP_EOL, $messages );
 
-		throw new \InvalidArgumentException( $message );
+		throw new \InvalidArgumentException( \esc_html( $message ) );
 	}
 
 	/**
@@ -189,7 +189,7 @@ public static function array_from_file( $file ) {
 		$response = \file_get_contents( $file, true );
 
 		if ( false === $response ) {
-			throw new \Exception( \sprintf( 'Could not load HTTP response from file: %s', $file ) );
+			throw new \Exception( \sprintf( 'Could not load HTTP response from file: %s', \esc_html( $file ) ) );
 		}
 
 		$processed_response = \WP_Http::processResponse( $response );