Merge pull request #1101 from vektor-inc/fix/xss

XSS 対応
vektor-inc · Jul 29, 2024 · 850a496 · 850a496
2 parents 7f1a4ec + 807a5a4
commit 850a496
Show file tree

Hide file tree

Showing 15 changed files with 214 additions and 106 deletions.
diff --git a/admin/admin-active-setting-page.php b/admin/admin-active-setting-page.php
@@ -41,16 +41,16 @@
 ?>
 " >
 			<th scope='row' class='check-column'>
-				<label class='screen-reader-text' for='checkbox_active_<?php echo $package['name']; ?>' ><?php echo $package['title']; ?></label>
-				<input type="checkbox" name="vkExUnit_common_options[active_<?php echo $package['name']; ?>]" id="checkbox_active_<?php echo $package['name']; ?>" value="true" <?php if(!$package['hidden']){echo 'class="vew-module-checkbox"';}; ?>
+				<label class='screen-reader-text' for='checkbox_active_<?php echo esc_attr( $package['name'] ); ?>' ><?php echo esc_html( $package['title'] ); ?></label>
+				<input type="checkbox" name="vkExUnit_common_options[active_<?php echo asc_attr( $package['name'] ); ?>]" id="checkbox_active_<?php echo esc_attr( $package['name'] ); ?>" value="true" <?php if(!$package['hidden']){echo 'class="vew-module-checkbox"';}; ?>
 																						<?php
 																						if ( $active ) {
 																							echo 'checked'; }
 ?>
  />
 			</th>
 			<td class='plugin-title'>
-				<label for='checkbox_active_<?php echo $package['name']; ?>'><strong><?php echo $package['title']; ?></strong></label>
+				<label for='checkbox_active_<?php echo esc_attr( $package['name'] ); ?>'><strong><?php echo esc_html( $package['title'] ); ?></strong></label>
 
 				<?php
 				$count = '';
@@ -66,8 +66,8 @@
 				?>
 				<?php echo ( $count > 1 && $i >= 1 ) ? ' | ' : ''; ?>
 				<span>
-				<a href="<?php echo ( $att['url'] ) ? $att['url'] : admin_url() . 'admin.php?page=vkExUnit_main_setting'; ?>">
-				<?php echo $att['name']; ?>
+				<a href="<?php echo ( $att['url'] ) ? esc_html( $att['url'] ) : admin_url() . 'admin.php?page=vkExUnit_main_setting'; ?>">
+				<?php echo esc_html( $att['name'] ); ?>
 				</a></span>
 
 				<?php
@@ -82,9 +82,9 @@
 					<?php
 					if ( is_array( $package['description'] ) ) :
 						foreach ( $package['description'] as $desk ) {
-							echo $desk; } else :
+							echo wp_kses_post( $desk ); } else :
 													?>
-												<p><?php echo $package['description']; ?></p>
+												<p><?php echo wp_kses_post( $package['description'] ); ?></p>
 												<?php endif; ?>
 				</div><!-- [ /.plugin-description ] -->
 			</td>

diff --git a/admin/customizer.php b/admin/customizer.php
@@ -65,7 +65,7 @@ public function render_content() {
 		  <input type="text" value="<?php echo esc_attr( $this->value() ); ?>"<?php echo $style; ?> <?php $this->link(); ?> />
 			<?php echo wp_kses_post( $this->input_after ); ?>
 		  </div>
-		  <span><?php echo $this->description; ?></span>
+		  <span><?php echo wp_kses_post( $this->description ); ?></span>
 		</label>
 			<?php
 		} // public function render_content() {

diff --git a/inc/call-to-action/package/class-vk-call-to-action.php b/inc/call-to-action/package/class-vk-call-to-action.php
@@ -166,40 +166,49 @@ public static function save_custom_field( $post_id ) {
 						'escape_type' => '',
 					),
 					'vkExUnit_cta_img'                => array(
-						'escape_type' => '',
+						'escape_type' => 'esc_url',
 					),
 					'vkExUnit_cta_img_position'       => array(
 						'escape_type' => '',
 					),
 					'vkExUnit_cta_button_text'        => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => array( 'stripslashes', 'wp_kses_post' ),
 					),
 					'vkExUnit_cta_button_icon'        => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => 'wp_kses_post',
 					),
 					'vkExUnit_cta_button_icon_before' => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => 'wp_kses_post',
 					),
 					'vkExUnit_cta_button_icon_after'  => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => 'wp_kses_post',
 					),
 					'vkExUnit_cta_url'                => array(
-						'escape_type' => '',
+						'escape_type' => 'esc_url',
 					),
 					'vkExUnit_cta_url_blank'          => array(
 						'escape_type' => '',
 					),
 					'vkExUnit_cta_text'               => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => array( 'stripslashes', 'wp_kses_post' ),
 					),
 				);
 
 				// カスタムフィールドの保存.
 				foreach ( $custom_fields as $custom_field_name => $custom_field_options ) {
 
 					if ( isset( $_POST[ $custom_field_name ] ) ) {
-						if ( isset( $custom_field_name['escape_type'] ) && $custom_field_name['escape_type'] == 'stripslashes' ) {
-							$data = stripslashes( $_POST[ $custom_field_name ] );
+						if ( ! empty( $custom_field_name['escape_type'] ) ) {
+							if ( is_array( $custom_field_name['escape_type'] ) ) {
+								// エスケープ処理が複数ある場合
+								$data =  $_POST[ $custom_field_name ];
+								foreach ( $custom_field_name['escape_type'] as $escape ) {
+									$data = call_user_func( $escape, $data );
+								}
+							} else {
+								// エスケープ処理が一つの場合
+								$data = call_user_func( $custom_field_name['escape_type'], $_POST[ $custom_field_name ] );
+							}
 						} else {
 							$data = $_POST[ $custom_field_name ];
 						}
@@ -462,8 +471,9 @@ public static function render_meta_box_cta() {
 			'itemtype'  => array(),
 		),
 		'i'    => array(
-			'id'    => array(),
-			'class' => array(),
+			'id'          => array(),
+			'class'       => array(),
+			'aria-hidden' => array()
 		),
 	);
 	?>
@@ -498,6 +508,92 @@ public static function get_cta_post( $id ) {
 			return $target;
 		}
 
+		/**
+		 * 許可する HTML
+		 */
+		public static function cta_allow_html() {
+			$allowed_html = array(
+				'div'  => array(
+					'id'        => array(),
+					'class'     => array(),
+					'itemprop'  => array(),
+					'itemscope' => array(),
+					'itemtype'  => array(),
+					'style'     => array(),
+				),
+				'h3' => array(
+					'id'        => array(),
+					'class'     => array(),
+					'style'     => array(),
+				),
+				'h4' => array(
+					'id'        => array(),
+					'class'     => array(),
+					'style'     => array(),
+				),
+				'h5' => array(
+					'id'        => array(),
+					'class'     => array(),
+					'style'     => array(),
+				),
+				'h6' => array(
+					'id'        => array(),
+					'class'     => array(),
+					'style'     => array(),
+				),
+				'p'    => array(
+					'id'    => array(),
+					'class' => array(),
+					'style'     => array(),
+				),
+				'ul'   => array(
+					'id'        => array(),
+					'class'     => array(),
+					'itemprop'  => array(),
+					'itemscope' => array(),
+					'itemtype'  => array(),
+					'style'     => array(),
+				),
+				'ol'   => array(
+					'id'        => array(),
+					'class'     => array(),
+					'itemprop'  => array(),
+					'itemscope' => array(),
+					'itemtype'  => array(),
+					'style'     => array(),
+				),
+				'li'   => array(
+					'id'        => array(),
+					'class'     => array(),
+					'itemprop'  => array(),
+					'itemscope' => array(),
+					'itemtype'  => array(),
+					'style'     => array(),
+				),
+				'a'    => array(
+					'id'       => array(),
+					'class'    => array(),
+					'href'     => array(),
+					'target'   => array(),
+					'itemprop' => array(),
+					'style'     => array(),
+				),
+				'span' => array(
+					'id'        => array(),
+					'class'     => array(),
+					'itemprop'  => array(),
+					'itemscope' => array(),
+					'itemtype'  => array(),
+					'style'     => array(),
+				),
+				'i'    => array(
+					'id'          => array(),
+					'class'       => array(),
+					'aria-hidden' => array()
+				),
+			);
+			return $allowed_html;
+		}
 
 		/**
 		 * CTAとして返す内容の処理
@@ -545,7 +641,7 @@ public static function render_cta_content( $id ) {
 			wp_reset_postdata();
 
 			// wp_kses_post でエスケープすると outerブロックが出力するstyle属性を無効化される.
-			return do_blocks( do_shortcode( $content ) );
+			return do_blocks( do_shortcode( wp_kses( $content, cta_allow_html() ) ) );
 		}
 
 		/**
@@ -717,7 +813,8 @@ public static function get_option( $show_label = false ) {
 			// ↓ これであかんの？
 			// $output_option = wp_parse_args( $option, $default );
 			if ( ! $option || ! is_array( $option ) ) {
-				return $default; }
+				return $default; 
+			}
 
 			$posttypes = array_merge(
 				array(

diff --git a/inc/common-block.php b/inc/common-block.php
@@ -52,6 +52,7 @@ function veu_block_deprecated_alart() {
 
 		$text .= '</ol>';
 		$text .= '</div>';
+		// 入力由来でないのでエスケープ不要
 		echo $text;
 	}
 }

diff --git a/inc/contact-section/contact-section.php b/inc/contact-section/contact-section.php
@@ -241,16 +241,16 @@ public function options_page() {
 	}
 
 	public function option_sanitaize( $option ) {
-		$option['contact_txt']       = stripslashes( $option['contact_txt'] );
-		$option['tel_number']        = stripslashes( $option['tel_number'] );
-		$option['tel_icon']          = stripslashes( $option['tel_icon'] );
-		$option['contact_time']      = stripslashes( $option['contact_time'] );
-		$option['contact_link']      = stripslashes( $option['contact_link'] );
-		$option['button_text']       = stripslashes( $option['button_text'] );
-		$option['button_text_small'] = stripslashes( $option['button_text_small'] );
-		$option['short_text']        = stripslashes( $option['short_text'] );
+		$option['contact_txt']       = wp_kses_post( stripslashes( $option['contact_txt'] ) );
+		$option['tel_number']        = wp_kses_post( stripslashes( $option['tel_number'] ) );
+		$option['tel_icon']          = wp_kses( $option['tel_icon'] , array( 'i' => array( 'class' => array(), 'aria-hidden' => array() ) ) );
+		$option['contact_time']      = wp_kses_post( stripslashes( $option['contact_time'] ) );
+		$option['contact_link']      = esc_url ( $option['contact_link'] );
+		$option['button_text']       = wp_kses_post( stripslashes( $option['button_text'] ) );
+		$option['button_text_small'] = wp_kses_post( stripslashes( $option['button_text_small'] ) );
+		$option['short_text']        = wp_kses_post( stripslashes( $option['short_text'] ) );
 		$option['contact_image']     = esc_url( $option['contact_image'] );
-		$option['contact_html']      = stripslashes( $option['contact_html'] );
+		$option['contact_html']      = wp_kses_post( stripslashes( $option['contact_html'] ) );
 		return $option;
 	}
 
@@ -451,7 +451,7 @@ public static function render_widget_contact_btn_html() {
 			}
 			$cont .= '<i class="' . $class . '"></i> ';
 
-			$cont .= $options['short_text'];
+			$cont .= wp_kses_post( $options['short_text'] );
 
 			// Arrow Icon
 			$class = 'far fa-arrow-alt-circle-right';
@@ -462,7 +462,7 @@ public static function render_widget_contact_btn_html() {
 
 			$cont .= '</span>';
 			if ( isset( $options['button_text_small'] ) && $options['button_text_small'] ) {
-				$cont .= '<span class="contact_bt_subTxt contact_bt_subTxt_side">' . $options['button_text_small'] . '</span>';
+				$cont .= '<span class="contact_bt_subTxt contact_bt_subTxt_side">' . wp_kses_post( $options['button_text_small'] ) . '</span>';
 			}
 			$cont .= '</a>';
 		}

diff --git a/inc/insert-ads.php b/inc/insert-ads.php
@@ -125,7 +125,6 @@ public function print_google_auto_ad() {
 		$option = $this->get_option();
 		if ( $option['google-ads-active'] && $option['google-pub-id'] ) {
 
-			$overlay = ',overlays: {bottom: true}';
 ?><!-- [ <?php echo veu_get_name(); ?> GoogleAd ] -->
 <script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
 <script>
@@ -134,7 +133,7 @@ public function print_google_auto_ad() {
 		  enable_page_level_ads: true
 			<?php
 			if ( $option['google-ads-overlays-bottom'] ) {
-				echo $overlay;}
+				echo ',overlays: {bottom: true}';}
 ?>
 	 });
 </script>
@@ -230,7 +229,7 @@ public function render_configPage() {
 		$lang          = ( get_locale() == 'ja' ) ? 'ja' : 'en';
 		$Google_ad_url = 'https://support.google.com/adsense/answer/7478040?hl=' . $lang;
 		?>
-		[ <a href="<?php echo $Google_ad_url; ?>" target="_blank"><?php _e( 'About Google Auto ads', 'vk-all-in-one-expansion-unit' ); ?></a> ]
+		[ <a href="<?php echo esc_url( $Google_ad_url ); ?>" target="_blank"><?php _e( 'About Google Auto ads', 'vk-all-in-one-expansion-unit' ); ?></a> ]
 	</th>
 	<td>
 		<?php _e( 'If you would like to set to Google Auto ads,Please fill in Publisher ID.', 'vk-all-in-one-expansion-unit' ); ?>

diff --git a/inc/other-widget/widget-3pr-area.php b/inc/other-widget/widget-3pr-area.php
@@ -137,13 +137,13 @@ function update( $new_instance, $old_instance ) {
 		$instance = $old_instance;
 
 		for ( $i = 1; $i <= 3; ) {
-			$instance[ 'label_' . $i ]              = $new_instance[ 'label_' . $i ];
-			$instance[ 'media_3pr_image_' . $i ]    = $new_instance[ 'media_3pr_image_' . $i ];
-			$instance[ 'media_3pr_alt_' . $i ]      = $new_instance[ 'media_3pr_alt_' . $i ];
-			$instance[ 'media_3pr_image_sp_' . $i ] = $new_instance[ 'media_3pr_image_sp_' . $i ];
-			$instance[ 'media_3pr_alt_sp_' . $i ]   = $new_instance[ 'media_3pr_alt_sp_' . $i ];
-			$instance[ 'summary_' . $i ]            = $new_instance[ 'summary_' . $i ];
-			$instance[ 'linkurl_' . $i ]            = $new_instance[ 'linkurl_' . $i ];
+			$instance[ 'label_' . $i ]              = wp_kses_post( stripslashes($new_instance[ 'label_' . $i ] ) );
+			$instance[ 'media_3pr_image_' . $i ]    = esc_url( $new_instance[ 'media_3pr_image_' . $i ] );
+			$instance[ 'media_3pr_alt_' . $i ]      = esc_html( stripslashes( $new_instance[ 'media_3pr_alt_' . $i ] ) );
+			$instance[ 'media_3pr_image_sp_' . $i ] = esc_url( $new_instance[ 'media_3pr_image_sp_' . $i ] );
+			$instance[ 'media_3pr_alt_sp_' . $i ]   = esc_html( stripslashes( $new_instance[ 'media_3pr_alt_sp_' . $i ] ) );
+			$instance[ 'summary_' . $i ]            = wp_kses_post( stripslashes( $new_instance[ 'summary_' . $i ] ) );
+			$instance[ 'linkurl_' . $i ]            = esc_url( $new_instance[ 'linkurl_' . $i ] );
 			$instance[ 'blank_' . $i ]              = ( isset( $new_instance[ 'blank_' . $i ] ) && $new_instance[ 'blank_' . $i ] == 'true' );
 			$i++;
 		}
@@ -163,7 +163,7 @@ function widget( $args, $instance ) {
 
 				echo '<h1 class="subSection-title">';
 				if ( isset( $instance[ 'label_' . $i ] ) && $instance[ 'label_' . $i ] ) {
-					echo $instance[ 'label_' . $i ];
+					echo wp_kses_posts( $instance[ 'label_' . $i ] );
 				} else {
 					_e( '3PR area', 'vk-all-in-one-expansion-unit' );
 				}

diff --git a/inc/other-widget/widget-button.php b/inc/other-widget/widget-button.php
@@ -69,7 +69,7 @@ function widget( $args, $instance ) {
 
 		if ( $options['linkurl'] && $options['title'] ) : ?>
 		<div class="veu_button">
-			<a class="<?php echo implode( ' ', $classes ); ?>" href="<?php echo $options['linkurl']; ?>"<?php echo $blank; ?>>
+			<a class="<?php echo implode( ' ', $classes ); ?>" href="<?php echo esc_url( $options['linkurl'] ); ?>"<?php echo $blank; ?>>
 			<span class="button_mainText">
 
 			<?php
@@ -205,11 +205,11 @@ function form( $instance ) {
 
 	function update( $new_instance, $old_instance ) {
 		$opt                = array();
-		$opt['title']       = wp_kses_post( $new_instance['title'] );
-		$opt['icon_before'] = $new_instance['icon_before'];
-		$opt['icon_after']  = $new_instance['icon_after'];
-		$opt['subtext']     = $new_instance['subtext'];
-		$opt['linkurl']     = $new_instance['linkurl'];
+		$opt['title']       = wp_kses_post( stripslashes( $new_instance['title'] ) );
+		$opt['icon_before'] = wp_kses_post( $new_instance['icon_before'] );
+		$opt['icon_after']  = wp_kses_post( $new_instance['icon_after'] );
+		$opt['subtext']     = wp_kses_post( stripslashes( $new_instance['subtext'] ) );
+		$opt['linkurl']     = esc_url( $new_instance['linkurl'] );
 		$opt['blank']       = ( isset( $new_instance['blank'] ) && $new_instance['blank'] == 'true' );
 		$opt['size']        = in_array( $new_instance['size'], array( 'sm', 'lg' ) ) ? $new_instance['size'] : 'md';
 		$opt['color']       = in_array( $new_instance['color'], array_keys( self::button_otherlabels() ) ) ? $new_instance['color'] : static::$button_default;

diff --git a/inc/other-widget/widget-page.php b/inc/other-widget/widget-page.php
@@ -190,7 +190,7 @@ function form( $instance ) {
 	// 保存・更新する値
 	function update( $new_instance, $old_instance ) {
 		$instance                       = $old_instance;
-		$instance['title']              = $new_instance['title'];
+		$instance['title']              = wp_kses_post( stripslashes( $new_instance['title'] ) );
 		$instance['page_id']            = $new_instance['page_id'];
 		$instance['set_title']          = $new_instance['set_title'];
 		$instance['child_page_index']   = $new_instance['child_page_index'];
@@ -233,7 +233,7 @@ function display_page( $args, $instance ) {
 
 		echo PHP_EOL . '<div id="widget-page-' . $pageid . '" class="widget_pageContent entry-body">' . PHP_EOL;
 		if ( $widget_title['display'] ) {
-			echo $args['before_title'] . $widget_title['title'] . $args['after_title'] . PHP_EOL;
+			echo wp_kses_post( $args['before_title'] . $widget_title['title'] . $args['after_title'] ) . PHP_EOL;
 		}
 		echo apply_filters( 'the_content', $page->post_content );