Security fixes
lloc committed Sep 23, 2024
1 parent a171eb7 commit 305c994
Showing 5 changed files with 15 additions and 12 deletions.
8 changes: 5 additions & 3 deletions .gitignore
@@ -1,10 +1,12 @@
.idea/
.phpunit.result.cache
.phpunit.cache
composer.lock
composer.phar
multisite-language-switcher/
multisite-language-switcher.zip
package-lock.json
phpunit.xml.bak
.idea/
.phpunit.result.cache
.phpunit.cache
tests/coverage/
tests/playwright-results/
tests/playwright-report/
2 changes: 1 addition & 1 deletion includes/Map/HrefLang.php
Expand Up @@ -12,7 +12,7 @@
class HrefLang {

/**
* @var array<string, array<int, string>>
* @var array<string, string>
*/
protected $map = array();

11 changes: 6 additions & 5 deletions includes/MslsOutput.php
Expand Up @@ -95,9 +95,9 @@ public function get( ?int $display, bool $filter = false, $exists = false ): arr
* @return string
*/
public function get_alternate_links() {
$blogs = msls_blog_collection();
$hreflang = new HrefLang( $blogs );
$options = MslsOptions::create();
$blogs = msls_blog_collection();
$hlObj = new HrefLang( $blogs );
$options = MslsOptions::create();

$arr = array();
$default = '';
Expand All @@ -110,13 +110,14 @@ public function get_alternate_links() {
}

$description = $blog->get_description();
$hreflang = $hlObj->get( $blog->get_language() );

$format = '<link rel="alternate" hreflang="%s" href="%s" title="%s" />';
if ( '' === $default ) {
$default = sprintf( $format, 'x-default', $url, esc_attr( $description ) );
$default = sprintf( $format, 'x-default', esc_url( $url ), esc_attr( $description ) );
}

$arr[] = sprintf( $format, $hreflang->get( $blog->get_language() ), $url, esc_attr( $description ) );
$arr[] = sprintf( $format, esc_attr( $hreflang ), esc_url( $url ), esc_attr( $description ) );
}

if ( 1 === count( $arr ) ) {
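Review bot: The docblock above `get_alternate_links()` (its `@return string` line is at the top of the hunk) should state that the returned markup is already escaped with `esc_url()`/`esc_attr()` and is meant to be echoed as-is, because a caller that applies `esc_html()` to the result would double-encode the `<link>` tags, while a caller that echoes it raw will be flagged by WPCS without that context. Suggested addition to the docblock: `Returned markup is escaped (esc_url/esc_attr) and safe to echo without further escaping.` Reusing the name `$hreflang` for the string value after the object was renamed to `$hlObj` is readable, but a short comment on the new `$hreflang = $hlObj->get( $blog->get_language() );` line, e.g. `// language code for this blog; escaped with esc_attr() below`, would make the switch from object to string obvious. Whether `HrefLang::get()` can return something other than a string for an unmapped language is not visible here and is worth confirming before trusting `esc_attr()` on it. get_alternate_links() continues outside the hunk.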
2 changes: 1 addition & 1 deletion includes/MslsPlugin.php
Expand Up @@ -190,7 +190,7 @@ public function init_i18n_support(): void {
*/
public static function message_handler( $message, $css_class = 'error' ) {
if ( ! empty( $message ) ) {
printf( '<div id="msls-warning" class="%s"><p>%s</p></div>', $css_class, $message );
printf( '<div id="msls-warning" class="%s"><p>%s</p></div>', esc_attr( $css_class ), esc_html( $message ) );

return true;
}
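Review bot: `esc_html( $message )` on the new printf line turns any markup a caller passes in `$message` into literal text, so an admin notice that previously carried a link or `<strong>` would now render its tags verbatim; the callers are not visible in this hunk, so this needs checking against them. If messages may legitimately contain markup, `wp_kses_post( $message )` keeps the safe subset while still stripping scripts and event handlers: `printf( '<div id="msls-warning" class="%s"><p>%s</p></div>', esc_attr( $css_class ), wp_kses_post( $message ) );`. Either way the docblock, which starts above the hunk, should say whether `$message` is plain text or HTML, and `$message` and `$css_class` could carry `string` type declarations as the other methods in this diff do. The `! empty( $message )` guard also treats the string `'0'` as "no message"; `'' !== $message` is the stricter test if that case matters.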
4 changes: 2 additions & 2 deletions includes/MslsPostTag.php
Expand Up @@ -160,7 +160,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo

$this->maybe_set_linked_term( $mydata );

printf( $title_format, $this->get_select_title(), $type );
printf( $title_format, esc_html( $this->get_select_title() ), esc_attr( $type ) );

Check failure on line 163 in includes/MslsPostTag.php


GitHub Actions / test

WordPress.Security.EscapeOutput.OutputNotEscaped

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$title_format'.

foreach ( $blogs as $blog ) {
switch_to_blog( $blog->userblog_id );
Expand All @@ -179,7 +179,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo
}
}

printf( $item_format, $blog->userblog_id, $icon, $language, $value, $title );
printf( $item_format, esc_attr( $blog->userblog_id ), $icon, esc_attr( $language ), esc_attr( $value ), esc_attr( $title ) );

Check failure on line 182 in includes/MslsPostTag.php


GitHub Actions / test

WordPress.Security.EscapeOutput.OutputNotEscaped

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$item_format'.

Check failure on line 182 in includes/MslsPostTag.php


GitHub Actions / test

WordPress.Security.EscapeOutput.OutputNotEscaped

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$icon'.

restore_current_blog();
}
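Review bot: `$icon` is still passed to the second `printf` unescaped while every other argument on that line now goes through `esc_attr()`, and the CI annotation for line 182 flags exactly that; `$icon` is built outside this hunk, so if it is plugin-generated HTML it should go through `wp_kses_post( $icon )`, and if it is guaranteed static markup the line needs `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- $icon is trusted markup built in the_input()` with that justification rather than a failing check. The `$title_format`/`$item_format` findings will remain because the format strings are method parameters that cannot be escaped without breaking their placeholders; the method docblock should state that callers must pass trusted literal format strings, and a `phpcs:ignore` with that reason belongs on both printf lines. `esc_attr( $blog->userblog_id )` is harmless, but `(int) $blog->userblog_id` states the intent for an integer id more precisely. the_input() starts before the first hunk and continues after the second.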

0 comments on commit 305c994