Merge pull request #60 from DotCamp/fix-xss

Fix xss issues in all blocks
DotCamp · May 29, 2024 · d668dca · d668dca
2 parents 078944c + 45a0b70
commit d668dca
Show file tree

Hide file tree

Showing 29 changed files with 311 additions and 311 deletions.
diff --git a/src/blocks/advanced-heading/block.php b/src/blocks/advanced-heading/block.php
@@ -4,7 +4,7 @@ function ub_render_advanced_heading_block( $attributes ) {
 	extract( $attributes );
 	$classes                  = array( 'ub_advanced_heading' );
 	$ids                      = array();
-	$ids[]                    = 'ub-advanced-heading-' . $blockID;
+	$ids[]                    = 'ub-advanced-heading-' . esc_attr($blockID);
 	$block_wrapper_attributes = get_block_wrapper_attributes(
 		array(
 			'class' => implode( ' ', $classes ),
@@ -16,7 +16,7 @@ function ub_render_advanced_heading_block( $attributes ) {
 	$cleaned_content = preg_replace( '/<img[^>]+>/i', '', $content );
 	$cleaned_content = preg_replace( '/<script[^>]*?>.*?<\/script>/is', '', $cleaned_content );
 
-	$final_content = '<' . $level . ' ' . $block_wrapper_attributes . ' data-blockid="' . $blockID . '">' . $cleaned_content . '</' . $level . '>';
+	$final_content = '<' . esc_attr($level) . ' ' . $block_wrapper_attributes . ' data-blockid="' . esc_attr($blockID) . '">' . $cleaned_content . '</' . esc_attr($level) . '>';
 
 	return wp_kses_post( $final_content );
 }

diff --git a/src/blocks/advanced-video/block.php b/src/blocks/advanced-video/block.php
@@ -3,7 +3,7 @@ function ub_render_advanced_video_block($attributes){
     require_once dirname(dirname(__DIR__)) . '/common.php';
     extract($attributes);
     $classes = array( 'ub-advanced-video-container' );
-    $ids = array( 'ub-advanced-video-'.$blockID.'' );
+    $ids = array( 'ub-advanced-video-'. esc_attr($blockID) .'' );
 
     $block_wrapper_attributes = get_block_wrapper_attributes(
 		array(
@@ -15,15 +15,15 @@ function ub_render_advanced_video_block($attributes){
     return '<div ' . $block_wrapper_attributes . ' >' .
 
     (!in_array($videoSource, ['local', 'unknown', 'videopress']) && $thumbnail !== '' ?
-    ('<div class="ub-advanced-video-thumbnail" style="height:' . $height .'px; width:' . $width . '%;">' .
+    ('<div class="ub-advanced-video-thumbnail" style="height:' . esc_attr($height) .'px; width:' . esc_attr($width) . '%;">' .
         '<img class="ub-advanced-video-thumbnail-image" height="100%" width="100%" src="' . esc_url($thumbnail) . '">' .
-        '<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 60 60" xml:space="preserve" width="' . ($width / 10) . '%">' .
+        '<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 60 60" xml:space="preserve" width="' . $width / 10 . '%">' .
             '<g><path d="M45.563,29.174l-22-15c-0.307-0.208-0.703-0.231-1.031-0.058C22.205,14.289,22,14.629,22,15v30c0,0.371,0.205,0.711,0.533,0.884C22.679,45.962,22.84,46,23,46c0.197,0,0.394-0.059,0.563-0.174l22-15C45.836,30.64,46,30.331,46,30S45.836,29.36,45.563,29.174z M24,43.107V16.893L43.225,30L24,43.107z"/>' .
             '<path d="M30,0C13.458,0,0,13.458,0,30s13.458,30,30,30s30-13.458,30-30S46.542,0,30,0z M30,58C14.561,58,2,45.439,2,30S14.561,2,30,2s28,12.561,28,28S45.439,58,30,58z"/></g>' .
         '</svg></div>') : ''
             ) .
     '<div class="ub-advanced-video-embed' .
-        ($autofit && in_array($videoSource, ['youtube', 'vimeo', 'dailymotion']) ? (' ub-advanced-video-autofit-' . $videoSource) : ''   ) . '"' .
+        ($autofit && in_array($videoSource, ['youtube', 'vimeo', 'dailymotion']) ? (' ub-advanced-video-autofit-' . esc_attr($videoSource) ) : ''   ) . '"' .
         ($thumbnail !== '' && !in_array($videoSource, ['local', 'unknown', 'videopress']) ? ' hidden' : '') . '>'
     . $videoEmbedCode . ($autofit && $videoSource === 'vimeo' ? '<script src="https://player.vimeo.com/api/player.js"></script>' : '') . '</div></div>';
 }
@@ -58,4 +58,4 @@ function ub_advanced_video_add_frontend_assets() {
 
 add_action( 'wp_enqueue_scripts', 'ub_advanced_video_add_frontend_assets' );
 
-add_action('init', 'ub_register_advanced_video_block');
+add_action('init', 'ub_register_advanced_video_block');
diff --git a/src/blocks/button/block.php b/src/blocks/button/block.php
@@ -51,40 +51,40 @@ function ub_render_button_block($attributes){
 
     $iconSize = array('small' => 25, 'medium' => 30, 'large' => 35, 'larger' => 40);
 
-    $buttonDisplay = (!isset($buttons) || count($buttons) === 0 ? '<div class="ub-button-container align-button-' . $align . (isset($className) ? ' ' . esc_attr($className) : '') . '"' . (!isset($blockID) || $blockID === '' ? ' ': ' id="ub-button-' . $blockID . '"') . '>
+    $buttonDisplay = (!isset($buttons) || count($buttons) === 0 ? '<div class="ub-button-container align-button-' . esc_attr($align) . (isset($className) ? ' ' . esc_attr($className) : '') . '"' . (!isset($blockID) || $blockID === '' ? ' ': ' id="ub-button-' . esc_attr($blockID) . '"') . '>
     <a href="' . esc_url($url) . '" target="' . ($openInNewTab ? '_blank' : '_self') . '"
     rel="noopener noreferrer' . ($addNofollow ? ' nofollow' : '').'"
-    class="ub-button-block-main ub-button-' . $size .
+    class="ub-button-block-main ub-button-' . esc_attr($size) .
     ($buttonWidth === 'full' ? ' ub-button-full-width' :
-        ($buttonWidth === 'flex' ? ' ub-button-flex-' . $size : '')) . '">
+        ($buttonWidth === 'flex' ? ' ub-button-flex-' . esc_attr($size) : '')) . '">
     <div class="ub-button-content-holder">' .
         ($chosenIcon !== '' ? '<span class="ub-button-icon-holder"><svg xmlns="http://www.w3.org/2000/svg"
-        height="' . $iconSize[$size] . '", width="' . $iconSize[$size] . '"
+        height="' . esc_attr($iconSize[$size]) . '", width="' . esc_attr($iconSize[$size]) . '"
         viewBox="0, 0, ' . Ultimate_Blocks_IconSet::generate_fontawesome_icon($chosenIcon)[0] . ', ' . Ultimate_Blocks_IconSet::generate_fontawesome_icon($chosenIcon)[1]
         .'"><path fill="currentColor" d="' . Ultimate_Blocks_IconSet::generate_fontawesome_icon($chosenIcon)[2] . '"></svg></span>': '')
-        .'<span class="ub-button-block-btn">' . $buttonText . '</span>
+        .'<span class="ub-button-block-btn">' . esc_html($buttonText) . '</span>
     </div></a></div>' : join('', array_map('ub_buttons_parse', $buttons)));
     $classes = array();
     if(isset($buttons) && count($buttons) > 0){
         $classes[] = 'ub-buttons';
         if($align === ''){
             $classes[] = 'align-button-center';
         } else{
-            $classes[] = 'align-button-' . $align . '';
+            $classes[] = 'align-button-' . esc_attr($align) . '';
         }
     } else {
         $classes[] = 'ub-button';
     }
-    $classes[] = 'orientation-button-' . $orientation . '';
+    $classes[] = 'orientation-button-' . esc_attr($orientation) . '';
     if($isFlexWrap){
         $classes[] = 'ub-flex-wrap';
     }
     $block_attributes = get_block_wrapper_attributes(
             array(
-                'class' => implode(" ", $classes)
+                'class' => esc_attr(implode(" ", $classes))
             )
     );
-    return '<div '. $block_attributes . ' ' .(!isset($blockID) || $blockID === '' ? ' ': ' id="ub-button-' . $blockID . '"') . '>' .$buttonDisplay . '</div>';
+    return '<div '. $block_attributes . ' ' .(!isset($blockID) || $blockID === '' ? ' ': ' id="ub-button-' . esc_attr($blockID) . '"') . '>' . $buttonDisplay . '</div>';
 }
 
 function ub_button_add_frontend_assets() {

diff --git a/src/blocks/call-to-action/block.php b/src/blocks/call-to-action/block.php
@@ -9,23 +9,23 @@ function ub_render_call_to_action_block($attributes){
 			'class' => implode(' ', $classes),
 		)
     );
-    return '<div ' . $block_wrapper_attributes . ' ' . ($blockID !== '' ? ' id="ub_call_to_action_' . $blockID . '"' :
-                'style="background-color: ' . $ctaBackgroundColor . '; border-width: ' . $ctaBorderSize . 'px; border-color: ' . $ctaBorderColor . '"' ) . '>
+    return '<div ' . $block_wrapper_attributes . ' ' . ($blockID !== '' ? ' id="ub_call_to_action_' . esc_attr($blockID) . '"' :
+                'style="background-color: ' . esc_attr($ctaBackgroundColor) . '; border-width: ' . esc_attr($ctaBorderSize) . 'px; border-color: ' . esc_attr($ctaBorderColor) . '"' ) . '>
                 <div class="ub_call_to_action_headline">
-                    <' . ($useHeadingTag ? $selectedHeadingTag : 'p') . ' class="ub_call_to_action_headline_text"' . ($blockID === '' ?
-                    ' style="font-size: ' . $headFontSize . 'px; color: ' . $headColor . '; text-align: ' . $headAlign . ';"' : '') . '>' .
-                        $ub_call_to_action_headline_text . '</' . ($useHeadingTag ? $selectedHeadingTag : 'p') . '></div>
+                    <' . ($useHeadingTag ? esc_attr($selectedHeadingTag) : 'p') . ' class="ub_call_to_action_headline_text"' . ($blockID === '' ?
+                    ' style="font-size: ' . esc_attr($headFontSize) . 'px; color: ' . esc_attr($headColor) . '; text-align: ' . esc_attr($headAlign) . ';"' : '') . '>' .
+                        esc_html($ub_call_to_action_headline_text) . '</' . ($useHeadingTag ? esc_attr($selectedHeadingTag) : 'p') . '></div>
                 <div class="ub_call_to_action_content">
                     <p class="ub_cta_content_text"' .
-                        ($blockID === '' ? ' style="font-size: ' . $contentFontSize . 'px; color: ' . $contentColor . '; text-align: ' . $contentAlign . ';"' : '') . '>' .
-                         $ub_cta_content_text . '</p></div>
+                        ($blockID === '' ? ' style="font-size: ' . esc_attr($contentFontSize) . 'px; color: ' . esc_attr($contentColor) . '; text-align: ' . esc_attr($contentAlign) . ';"' : '') . '>' .
+                         esc_html($ub_cta_content_text) . '</p></div>
                 <div class="ub_call_to_action_button">
                     <a href="' . esc_url($url) . '" target="_' . ($openInNewTab ? 'blank' : 'self' )
                         .'" rel="' . ($addNofollow ? 'nofollow ' : '') . ($linkIsSponsored ? 'sponsored ' : '') . 'noopener noreferrer"
-                        class="ub_cta_button"' . ($blockID === '' ? ' style="background-color: ' . $buttonColor . '; width: ' . $buttonWidth . 'px;"' : '') . '>
+                        class="ub_cta_button"' . ($blockID === '' ? ' style="background-color: ' . esc_attr($buttonColor) . '; width: ' . esc_attr($buttonWidth) . 'px;"' : '') . '>
                         <p class="ub_cta_button_text"' . ($blockID === '' ? ' style="color: ' .
-                        $buttonTextColor . '; font-size: ' . $buttonFontSize . 'px;"' : '') . '>' .
-                            $ub_cta_button_text . '</p></a></div></div>';
+                        $buttonTextColor . '; font-size: ' . esc_attr($buttonFontSize) . 'px;"' : '') . '>' .
+                            esc_html($ub_cta_button_text) . '</p></a></div></div>';
 }
 
 function ub_register_call_to_action_block() {
@@ -37,4 +37,4 @@ function ub_register_call_to_action_block() {
 	}
 }
 
-add_action('init', 'ub_register_call_to_action_block');
+add_action('init', 'ub_register_call_to_action_block');
diff --git a/src/blocks/click-to-tweet/block.php b/src/blocks/click-to-tweet/block.php
@@ -40,8 +40,8 @@ function ub_render_click_to_tweet_block( $attributes ) {
 
     $output = '';
     if($blockID === ''){
-        $output .= sprintf('<div class="wp-block-ub-click-to-tweet ub_click_to_tweet%1$s" style="border-color: %2$s;">', (isset($className) ? ' ' . esc_attr($className) : ''), $borderColor );
-        $output .= sprintf( '<div class="ub_tweet" style="font-size: %1$spx; color: %2$s">', $tweetFontSize, $tweetColor );
+        $output .= sprintf('<div class="wp-block-ub-click-to-tweet ub_click_to_tweet%1$s" style="border-color: %2$s;">', (isset($className) ? ' ' . esc_attr($className) : ''), esc_attr($borderColor) );
+        $output .= sprintf( '<div class="ub_tweet" style="font-size: %1$spx; color: %2$s">', esc_attr($tweetFontSize), esc_attr($tweetColor) );
     }
     else{
         $output .= sprintf('<div class="wp-block-ub-click-to-tweet ub_click_to_tweet%1$s" id="%2$s">', (isset($className) ? ' ' . esc_attr($className) : ''), esc_attr('ub_click_to_tweet_' . $blockID ));
@@ -53,7 +53,7 @@ function ub_render_click_to_tweet_block( $attributes ) {
 	$output .= sprintf( '<div class="ub_click_tweet">' );
 	$output .= sprintf( '<span>');
 	$output .= sprintf( '<i></i>');
-	$output .= sprintf( '<a target="_blank" href="%1$s">' . __( 'Click to Tweet', 'ultimate-blocks' ) . '</a>',  $url  );
+	$output .= sprintf( '<a target="_blank" href="%1$s">' . __( 'Click to Tweet', 'ultimate-blocks' ) . '</a>',  esc_url($url)  );
 	$output .= sprintf( '</span>');
 	$output .= sprintf( '</div>');
     $output .= sprintf( '</div>');

diff --git a/src/blocks/content-filter/block.php b/src/blocks/content-filter/block.php
@@ -30,9 +30,9 @@ function ub_render_content_filter_entry_block($attributes, $content, $block){
     $block_attributes  = isset($block->parsed_block['attrs']) ? $block->parsed_block['attrs'] : array();
     $styles = ub_get_content_filter_panel_styles($block_attributes);
 
-    return '<div class="ub-content-filter-panel'.(isset($className) ? ' ' . esc_attr($className) : '').
+    return '<div class="ub-content-filter-panel'.(isset($className) ? ' ' . $className : '').
         ($initiallyShow ? '' : ' ub-hide').'" style="'. $styles .'" data-selectedFilters="'.json_encode($selectedFilters).
-        '">'.$content.'</div>';
+        '">'. $content .'</div>';
 }
 
 function ub_register_content_filter_entry_block(){
@@ -87,14 +87,14 @@ function ub_render_content_filter_block($attributes, $content){
     foreach((array)$newFilterArray as $key1 => $filterGroup){
         $filterList .= '<div class="ub-content-filter-category"
         data-canUseMultiple="' . json_encode($filterGroup['canUseMultiple']) . '">
-        <div class="ub-content-filter-category-name">' . $filterGroup['category'] . '</div>';
+        <div class="ub-content-filter-category-name">' . esc_html($filterGroup['category']) . '</div>';
         $filters = '<div class="ub-content-filter-buttons-wrapper">';
         foreach($filterGroup['filters'] as $key2 => $tag){
             $filters .= '<div data-tagIsSelected="false" data-categoryNumber="' . $key1 . '"
-            data-filterNumber="' . $key2 . '" ' . ($blockID === '' ? 'data-normalColor="' . $buttonColor . '" data-normalTextColor="' . $buttonTextColor .
-            '" data-activeColor="' . $activeButtonColor . '" data-activeTextColor="' . $activeButtonTextColor .
-            '"style="background-color: ' . $buttonColor.'; color: ' . $buttonTextColor . '"' : '') . ' class="ub-content-filter-tag">' .
-            $tag.'</div>';
+            data-filterNumber="' . $key2 . '" ' . ($blockID === '' ? 'data-normalColor="' . esc_attr($buttonColor) . '" data-normalTextColor="' . esc_attr($buttonTextColor) .
+            '" data-activeColor="' . esc_attr($activeButtonColor) . '" data-activeTextColor="' . esc_attr($activeButtonTextColor) .
+            '"style="background-color: ' . esc_attr($buttonColor) .'; color: ' . esc_attr($buttonTextColor) . '"' : '') . ' class="ub-content-filter-tag">' .
+            esc_html($tag) . '</div>';
         }
         $filterList .= $filters . '</div>';
         $filterList .= '</div>';
@@ -112,10 +112,10 @@ function ub_render_content_filter_block($attributes, $content){
             )
     );
 return '<div ' . $block_attributes .
-        '"'. ($blockID === '' ? : ' id="ub-content-filter-' . $blockID . '"') .
+        '"'. ($blockID === '' ? : ' id="ub-content-filter-' . esc_attr($blockID) . '"') .
         ' data-currentSelection="'.json_encode($currentSelection).
         '" data-initiallyShowAll="'.json_encode($initiallyShowAll).
-        '" data-matchingOption="'.$matchingOption.'">'. 
+        '" data-matchingOption="'. esc_attr($matchingOption) .'">'.
     $filterList . $content . '</div>';
 }
 
@@ -125,7 +125,7 @@ function ub_register_content_filter_block(){
         register_block_type_from_metadata( dirname(dirname(dirname(__DIR__))) . '/dist/blocks/content-filter/block.json', array(
             'attributes' => $defaultValues['ub/content-filter-block']['attributes'],
                 'render_callback' => 'ub_render_content_filter_block'));
-        
+
     }
 
 }
@@ -151,4 +151,4 @@ function ub_content_filter_add_frontend_assets() {
 
 add_action( 'wp_enqueue_scripts', 'ub_content_filter_add_frontend_assets' );
 add_action('init', 'ub_register_content_filter_entry_block');
-add_action('init', 'ub_register_content_filter_block');
+add_action('init', 'ub_register_content_filter_block');
diff --git a/src/blocks/content-toggle/block.php b/src/blocks/content-toggle/block.php
@@ -46,8 +46,8 @@ function ub_content_toggle_add_frontend_assets() {
 function ub_render_content_toggle_block( $attributes, $content ) {
 	extract( $attributes );
 
-	return '<div class="wp-block-ub-content-toggle' . ( isset( $className ) ? ' ' . esc_attr( $className ) : '' )
-			. '" ' . ( $blockID === '' ? '' : 'id="ub-content-toggle-' . $blockID . '"' ) .
+	return '<div class="wp-block-ub-content-toggle' . ( isset( $className ) ? ' ' .  $className  : '' )
+			. '" ' . ( $blockID === '' ? '' : 'id="ub-content-toggle-' . esc_attr($blockID) . '"' ) .
 			( $preventCollapse ? ' data-preventcollapse="true"' : '' ) .
 			( $showOnlyOne ? ' data-showonlyone="true"' : '' ) . ' data-mobilecollapse="' . json_encode( $collapsedOnMobile ) . '" data-desktopcollapse="' . json_encode( $collapsed ) . '">'
 			. $content . '</div>';
@@ -67,19 +67,19 @@ function ub_render_content_toggle_panel_block( $attributes, $content, $block_obj
 	}
 	$should_collapsed = $collapsed && ! $defaultOpen;
 
-	return '<div ' . ( $toggleID === '' ? '' : 'id="' . $toggleID . '" ' ) . 'class="' . $border_class . $classNamePrefix . '-accordion' . ( isset( $className ) ? ' ' . esc_attr( $className ) : '' ) . '"'
-			. ( $parentID === '' ? ' style="border-color: ' . $theme . ';"' : '' ) . '>
+	return '<div ' . ( $toggleID === '' ? '' : 'id="' . esc_attr($toggleID) . '" ' ) . 'class="' . $border_class . $classNamePrefix . '-accordion' . ( isset( $className ) ? ' ' .  $className  : '' ) . '"'
+			. ( $parentID === '' ? ' style="border-color: ' . esc_attr($theme) . ';"' : '' ) . '>
                 <div class="' . $classNamePrefix . '-accordion-title-wrap"'
-			. ( $parentID === '' ? ' style="background-color: ' . $theme . ';"' : '' ) . ( $preventCollapse ? ' aria-disabled="true"' : '' )
-			.  '" aria-controls="ub-content-toggle-panel-' . $index . '-' . $parentID . '" tabindex="0">
-                    <' . $titleTag . ' class="' . $classNamePrefix . '-accordion-title ub-content-toggle-title-' . $parentID . '"'
-			. ( $parentID === '' ? ' style="color:' . $titleColor . ';"' : '' ) . '>' . $panelTitle . '</' . $titleTag . '>' .
-			( $toggleIcon === 'none' ? '' : '<div class="' . $classNamePrefix . '-accordion-toggle-wrap ' . esc_attr( $toggleLocation ) .
-											'"><span class="' . $classNamePrefix . '-accordion-state-indicator ' . $icon_class .
+			. ( $parentID === '' ? ' style="background-color: ' . esc_attr($theme) . ';"' : '' ) . ( $preventCollapse ? ' aria-disabled="true"' : '' )
+			.  '" aria-controls="ub-content-toggle-panel-' . esc_attr($index) . '-' . esc_attr($parentID) . '" tabindex="0">
+                    <' . esc_attr($titleTag) . ' class="' . $classNamePrefix . '-accordion-title ub-content-toggle-title-' . esc_attr($parentID) . '"'
+			. ( $parentID === '' ? ' style="color:' . esc_attr($titleColor) . ';"' : '' ) . '>' . esc_html($panelTitle) . '</' . esc_attr($titleTag) . '>' .
+			( $toggleIcon === 'none' ? '' : '<div class="' . $classNamePrefix . '-accordion-toggle-wrap ' .  esc_attr($toggleLocation)  .
+											'"><span class="' . $classNamePrefix . '-accordion-state-indicator ' . esc_attr($icon_class) .
 											( $should_collapsed ? '' : ' open' ) . '"></span>
                     </div>' ) .
 			'</div><div role="region" '. 'aria-expanded="'. (json_encode(! $should_collapsed)) .'" class="' . $classNamePrefix . '-accordion-content-wrap' .
-			( $should_collapsed ? ' ub-hide' : '' ) . '" id="ub-content-toggle-panel-' . $index . '-' . $parentID . '">' . $content
+			( $should_collapsed ? ' ub-hide' : '' ) . '" id="ub-content-toggle-panel-' . esc_attr($index) . '-' . esc_attr($parentID) . '">' . $content
 			. '</div></div>';
 }
 
@@ -166,7 +166,7 @@ function ub_content_toggle_filter( $block_content, $block ) {
 			)
 		);
 		$panel = array();
-		
+
 		if( !empty($parsedBlockContent) && gettype($parsedBlockContent) !== "boolean" ){
 			$panel = $parsedBlockContent->find( '.toggleroot>.wp-block-ub-content-toggle-accordion>.wp-block-ub-content-toggle-accordion-content-wrap' );
 		}