From 9ce916ac3b111f9deb36d1bf2f901d44de901323 Mon Sep 17 00:00:00 2001 From: drill-lancer Date: Wed, 24 Jul 2024 13:43:29 +0900 Subject: [PATCH 01/19] fix: XSS --- .../package/class-vk-call-to-action.php | 20 +++++++++---------- inc/contact-section/contact-section.php | 18 ++++++++--------- inc/other-widget/widget-3pr-area.php | 14 ++++++------- inc/other-widget/widget-button.php | 8 ++++---- inc/other-widget/widget-page.php | 2 +- inc/other-widget/widget-pr-blocks.php | 14 ++++++------- inc/other-widget/widget-profile.php | 12 +++++------ inc/sns/widget-fb-page-plugin.php | 6 +++--- 8 files changed, 47 insertions(+), 47 deletions(-) diff --git a/inc/call-to-action/package/class-vk-call-to-action.php b/inc/call-to-action/package/class-vk-call-to-action.php index cd18972bb..fe9f6cdba 100644 --- a/inc/call-to-action/package/class-vk-call-to-action.php +++ b/inc/call-to-action/package/class-vk-call-to-action.php @@ -166,31 +166,31 @@ public static function save_custom_field( $post_id ) { 'escape_type' => '', ), 'vkExUnit_cta_img' => array( - 'escape_type' => '', + 'escape_type' => 'esc_url', ), 'vkExUnit_cta_img_position' => array( 'escape_type' => '', ), 'vkExUnit_cta_button_text' => array( - 'escape_type' => 'stripslashes', + 'escape_type' => 'wp_kses_post', ), 'vkExUnit_cta_button_icon' => array( - 'escape_type' => 'stripslashes', + 'escape_type' => 'wp_kses_post', ), 'vkExUnit_cta_button_icon_before' => array( - 'escape_type' => 'stripslashes', + 'escape_type' => 'wp_kses_post', ), 'vkExUnit_cta_button_icon_after' => array( - 'escape_type' => 'stripslashes', + 'escape_type' => 'wp_kses_post', ), 'vkExUnit_cta_url' => array( - 'escape_type' => '', + 'escape_type' => 'esc_url', ), 'vkExUnit_cta_url_blank' => array( 'escape_type' => '', ), 'vkExUnit_cta_text' => array( - 'escape_type' => 'stripslashes', + 'escape_type' => 'wp_kses_post', ), ); 
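Review bot: The escape_type table now assigns `esc_url` to `vkExUnit_cta_img` and `vkExUnit_cta_url`, but save_custom_field stores these values rather than printing them, and `esc_url` is the output escaper (it entity-encodes ampersands); `esc_url_raw` is the save-time counterpart WordPress provides for values going into the database. Suggest `'escape_type' => 'esc_url_raw',` for both entries. The same save-time use of `esc_url` appears in the contact-section, 3pr-area, button, pr-blocks, profile and fb-page-plugin hunks below. Whether the stored value is escaped a second time on output is not visible in this diff, so the double-encoding risk is inferred rather than shown.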
@@ -198,8 +198,8 @@ public static function save_custom_field( $post_id ) { foreach ( $custom_fields as $custom_field_name => $custom_field_options ) { if ( isset( $_POST[ $custom_field_name ] ) ) { - if ( isset( $custom_field_name['escape_type'] ) && $custom_field_name['escape_type'] == 'stripslashes' ) { - $data = stripslashes( $_POST[ $custom_field_name ] ); + if ( ! empty( $custom_field_name['escape_type'] ) ) { + $data = call_user_func( $custom_field_name['escape_type'], $_POST[ $custom_field_name ] ); } else { $data = $_POST[ $custom_field_name ]; } @@ -545,7 +545,7 @@ public static function render_cta_content( $id ) { wp_reset_postdata(); // wp_kses_post でエスケープすると outerブロックが出力するstyle属性を無効化される. - return do_blocks( do_shortcode( $content ) ); + return do_blocks( do_shortcode( wp_kses_post( $content ) ) ); } /** diff --git a/inc/contact-section/contact-section.php b/inc/contact-section/contact-section.php index 12323910d..655c1c7b7 100644 --- a/inc/contact-section/contact-section.php +++ b/inc/contact-section/contact-section.php 
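Review bot: The rewritten condition in save_custom_field still indexes the loop key instead of the options array: `$custom_field_name` is the string key from `foreach ( $custom_fields as $custom_field_name => $custom_field_options )`, so `! empty( $custom_field_name['escape_type'] )` tests a non-numeric offset on a string, which PHP treats as unset, and every field falls through to the unfiltered `$data = $_POST[ $custom_field_name ];` — the escape_type table above appears to have no effect. It should read `if ( ! empty( $custom_field_options['escape_type'] ) ) {` and `$data = call_user_func( $custom_field_options['escape_type'], $_POST[ $custom_field_name ] );`. The same key/options mix-up is carried into the later rewrites of this loop in PATCH 05 and PATCH 08, where fixing it is also what makes the array form of escape_type live. The remainder of save_custom_field, where `$data` is stored, lies outside the hunk.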
@@ -241,16 +241,16 @@ public function options_page() { } public function option_sanitaize( $option ) { - $option['contact_txt'] = stripslashes( $option['contact_txt'] ); - $option['tel_number'] = stripslashes( $option['tel_number'] ); - $option['tel_icon'] = stripslashes( $option['tel_icon'] ); - $option['contact_time'] = stripslashes( $option['contact_time'] ); - $option['contact_link'] = stripslashes( $option['contact_link'] ); - $option['button_text'] = stripslashes( $option['button_text'] ); - $option['button_text_small'] = stripslashes( $option['button_text_small'] ); - $option['short_text'] = stripslashes( $option['short_text'] ); + $option['contact_txt'] = wp_kses_post( $option['contact_txt'] ); + $option['tel_number'] = wp_kses_post( $option['tel_number'] ); + $option['tel_icon'] = wp_kses_post( $option['tel_icon'] ); + $option['contact_time'] = wp_kses_post( $option['contact_time'] ); + $option['contact_link'] = wp_kses_post( $option['contact_link'] ); + $option['button_text'] = wp_kses_post( $option['button_text'] ); + $option['button_text_small'] = wp_kses_post( $option['button_text_small'] ); + $option['short_text'] = wp_kses_post( $option['short_text'] ); $option['contact_image'] = esc_url( $option['contact_image'] ); - $option['contact_html'] = stripslashes( $option['contact_html'] ); + $option['contact_html'] = wp_kses_post( $option['contact_html'] ); return $option; } diff --git a/inc/other-widget/widget-3pr-area.php b/inc/other-widget/widget-3pr-area.php index 13185301d..b60b858b7 100644 --- a/inc/other-widget/widget-3pr-area.php +++ b/inc/other-widget/widget-3pr-area.php 
@@ -137,13 +137,13 @@ function update( $new_instance, $old_instance ) { $instance = $old_instance; for ( $i = 1; $i <= 3; ) { - $instance[ 'label_' . $i ] = $new_instance[ 'label_' . $i ]; - $instance[ 'media_3pr_image_' . $i ] = $new_instance[ 'media_3pr_image_' . $i ]; - $instance[ 'media_3pr_alt_' . $i ] = $new_instance[ 'media_3pr_alt_' . $i ]; - $instance[ 'media_3pr_image_sp_' . $i ] = $new_instance[ 'media_3pr_image_sp_' . $i ]; - $instance[ 'media_3pr_alt_sp_' . $i ] = $new_instance[ 'media_3pr_alt_sp_' . $i ]; - $instance[ 'summary_' . $i ] = $new_instance[ 'summary_' . $i ]; - $instance[ 'linkurl_' . $i ] = $new_instance[ 'linkurl_' . $i ]; + $instance[ 'label_' . $i ] = wp_kses_post( $new_instance[ 'label_' . $i ] ); + $instance[ 'media_3pr_image_' . $i ] = esc_url( $new_instance[ 'media_3pr_image_' . $i ] ); + $instance[ 'media_3pr_alt_' . $i ] = esc_html( $new_instance[ 'media_3pr_alt_' . $i ] ); + $instance[ 'media_3pr_image_sp_' . $i ] = esc_url( $new_instance[ 'media_3pr_image_sp_' . $i ] ); + $instance[ 'media_3pr_alt_sp_' . $i ] = esc_html( $new_instance[ 'media_3pr_alt_sp_' . $i ] ); + $instance[ 'summary_' . $i ] = wp_kses_post( $new_instance[ 'summary_' . $i ] ); + $instance[ 'linkurl_' . $i ] = esc_url( $new_instance[ 'linkurl_' . $i ] ); $instance[ 'blank_' . $i ] = ( isset( $new_instance[ 'blank_' . $i ] ) && $new_instance[ 'blank_' . $i ] == 'true' ); $i++; } diff --git a/inc/other-widget/widget-button.php b/inc/other-widget/widget-button.php index 2c7003f40..fd897ae2a 100644 --- a/inc/other-widget/widget-button.php +++ b/inc/other-widget/widget-button.php 
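Review bot: `esc_html` is an output escaper, and applying it at save time to `media_3pr_alt_` stores entity-encoded text (`&` becomes `&amp;`) in the widget instance; if `widget()` escapes the alt attribute again on output, as widget code normally does, the stored value is double-encoded. `sanitize_text_field` is the save-time sanitizer for plain-text fields: `$instance[ 'media_3pr_alt_' . $i ] = sanitize_text_field( $new_instance[ 'media_3pr_alt_' . $i ] );`. The same pattern appears in the pr-blocks (`media_alt_`, `iconFont_class_`, `iconFont_bgColor_`), profile (`mediaAlt`, `mediaSize`, `icon_color`) and fb-page-plugin (`height`) hunks; a colour field could use `sanitize_hex_color` and a numeric size or height `absint`, if those are their formats. The enclosing update() continues past the end of the hunk.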
@@ -206,10 +206,10 @@ function form( $instance ) { function update( $new_instance, $old_instance ) { $opt = array(); $opt['title'] = wp_kses_post( $new_instance['title'] ); - $opt['icon_before'] = $new_instance['icon_before']; - $opt['icon_after'] = $new_instance['icon_after']; - $opt['subtext'] = $new_instance['subtext']; - $opt['linkurl'] = $new_instance['linkurl']; + $opt['icon_before'] = wp_kses_post( $new_instance['icon_before'] ); + $opt['icon_after'] = wp_kses_post( $new_instance['icon_after'] ); + $opt['subtext'] = wp_kses_post( $new_instance['subtext'] ); + $opt['linkurl'] = esc_url( $new_instance['linkurl'] ); $opt['blank'] = ( isset( $new_instance['blank'] ) && $new_instance['blank'] == 'true' ); $opt['size'] = in_array( $new_instance['size'], array( 'sm', 'lg' ) ) ? $new_instance['size'] : 'md'; $opt['color'] = in_array( $new_instance['color'], array_keys( self::button_otherlabels() ) ) ? $new_instance['color'] : static::$button_default; diff --git a/inc/other-widget/widget-page.php b/inc/other-widget/widget-page.php index 5ef106024..3723d0614 100644 --- a/inc/other-widget/widget-page.php +++ b/inc/other-widget/widget-page.php @@ -190,7 +190,7 @@ function form( $instance ) { // 保存・更新する値 function update( $new_instance, $old_instance ) { $instance = $old_instance; - $instance['title'] = $new_instance['title']; + $instance['title'] = wp_kses_post( $new_instance['title'] ); $instance['page_id'] = $new_instance['page_id']; $instance['set_title'] = $new_instance['set_title']; $instance['child_page_index'] = $new_instance['child_page_index']; diff --git a/inc/other-widget/widget-pr-blocks.php b/inc/other-widget/widget-pr-blocks.php index d5b43f560..5d437648c 100644 --- a/inc/other-widget/widget-pr-blocks.php +++ b/inc/other-widget/widget-pr-blocks.php 
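Review bot: In the widget-page hunk only `title` is sanitized, while `page_id`, `set_title` and `child_page_index` are still copied raw from `$new_instance`; if `page_id` is a post ID it should be cast, `$instance['page_id'] = absint( $new_instance['page_id'] );`, and the two flags coerced to booleans the way the button widget does with `blank`. In the widget-button hunk, `icon_before`/`icon_after` are filtered with `wp_kses_post`, which is reasonable for icon markup, but `linkurl` uses the output escaper `esc_url` where `esc_url_raw` is the save-time form. Both update() bodies continue outside their hunks.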
@@ -206,14 +206,14 @@ public function update( $new_instance, $old_instance ) { } for ( $i = 1; $i <= 4; ) { - $instance[ 'label_' . $i ] = $new_instance[ 'label_' . $i ]; - $instance[ 'media_image_' . $i ] = $new_instance[ 'media_image_' . $i ]; - $instance[ 'media_alt_' . $i ] = $new_instance[ 'media_alt_' . $i ]; - $instance[ 'iconFont_class_' . $i ] = $new_instance[ 'iconFont_class_' . $i ]; - $instance[ 'iconFont_bgColor_' . $i ] = $new_instance[ 'iconFont_bgColor_' . $i ]; + $instance[ 'label_' . $i ] = wp_kses_post( $new_instance[ 'label_' . $i ] ); + $instance[ 'media_image_' . $i ] = esc_url( $new_instance[ 'media_image_' . $i ] ); + $instance[ 'media_alt_' . $i ] = esc_html( $new_instance[ 'media_alt_' . $i ] ); + $instance[ 'iconFont_class_' . $i ] = esc_html( $new_instance[ 'iconFont_class_' . $i ] ); + $instance[ 'iconFont_bgColor_' . $i ] = esc_html( $new_instance[ 'iconFont_bgColor_' . $i ] ); $instance[ 'iconFont_bgType_' . $i ] = $new_instance[ 'iconFont_bgType_' . $i ]; - $instance[ 'summary_' . $i ] = $new_instance[ 'summary_' . $i ]; - $instance[ 'linkurl_' . $i ] = $new_instance[ 'linkurl_' . $i ]; + $instance[ 'summary_' . $i ] = wp_kses_post( $new_instance[ 'summary_' . $i ] ); + $instance[ 'linkurl_' . $i ] = esc_url( $new_instance[ 'linkurl_' . $i ] ); $instance[ 'blank_' . $i ] = ( isset( $new_instance[ 'blank_' . $i ] ) && $new_instance[ 'blank_' . $i ] == 'true' ); $i++; } diff --git a/inc/other-widget/widget-profile.php b/inc/other-widget/widget-profile.php index f302dfa46..8b9cba605 100644 --- a/inc/other-widget/widget-profile.php +++ b/inc/other-widget/widget-profile.php 
@@ -181,14 +181,14 @@ function form( $instance ) { /*-------------------------------------------*/ function update( $new_instance, $old_instance ) { $instance = $old_instance; - $instance['label'] = $new_instance['label']; - $instance['mediaFile'] = $new_instance['mediaFile']; - $instance['mediaAlt'] = $new_instance['mediaAlt']; - $instance['profile'] = $new_instance['profile']; + $instance['label'] = wp_kses_post( $new_instance['label'] ); + $instance['mediaFile'] = esc_url( $new_instance['mediaFile'] ); + $instance['mediaAlt'] = esc_html( $new_instance['mediaAlt'] ); + $instance['profile'] = wp_kses_post( $new_instance['profile'] ); $instance['mediaAlign_left'] = $new_instance['mediaAlign_left']; $instance['mediaAlign'] = $new_instance['mediaAlign']; $instance['mediaRound'] = $new_instance['mediaRound']; - $instance['mediaSize'] = $new_instance['mediaSize']; + $instance['mediaSize'] = esc_html( $new_instance['mediaSize'] ); $instance['mediaFloat'] = $new_instance['mediaFloat']; $instance['facebook'] = esc_url( $new_instance['facebook'] ); $instance['twitter'] = esc_url( $new_instance['twitter'] ); @@ -198,7 +198,7 @@ function update( $new_instance, $old_instance ) { $instance['instagram'] = esc_url( $new_instance['instagram'] ); $instance['linkedin'] = esc_url( $new_instance['linkedin'] ); $instance['iconFont_bgType'] = $new_instance['iconFont_bgType']; - $instance['icon_color'] = $new_instance['icon_color']; + $instance['icon_color'] = esc_html( $new_instance['icon_color'] ); return $instance; } /*-------------------------------------------*/ diff --git a/inc/sns/widget-fb-page-plugin.php b/inc/sns/widget-fb-page-plugin.php index bfc5ea0d9..80ed7db30 100644 --- a/inc/sns/widget-fb-page-plugin.php +++ b/inc/sns/widget-fb-page-plugin.php 
@@ -51,9 +51,9 @@ function widget( $args, $instance ) { function update( $new_instance, $old_instance ) { $instance = $old_instance; - $instance['label'] = $new_instance['label']; - $instance['page_url'] = $new_instance['page_url']; - $instance['height'] = $new_instance['height']; + $instance['label'] = wp_kses_post( $new_instance['label'] ); + $instance['page_url'] = esc_url( $new_instance['page_url'] ); + $instance['height'] = esc_html( $new_instance['height'] ); $instance['showFaces'] = $new_instance['showFaces']; $instance['hideCover'] = $new_instance['hideCover']; $instance['showPosts'] = $new_instance['showPosts']; From 011226c79177dfa2782e4f824e2ac8877e0eb94e Mon Sep 17 00:00:00 2001 From: drill-lancer Date: Wed, 24 Jul 2024 16:46:02 +0900 Subject: [PATCH 02/19] fix: escape --- inc/other-widget/widget-profile.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inc/other-widget/widget-profile.php b/inc/other-widget/widget-profile.php index 8b9cba605..aff1e40b8 100644 --- a/inc/other-widget/widget-profile.php +++ b/inc/other-widget/widget-profile.php @@ -192,7 +192,7 @@ function update( $new_instance, $old_instance ) { $instance['mediaFloat'] = $new_instance['mediaFloat']; $instance['facebook'] = esc_url( $new_instance['facebook'] ); $instance['twitter'] = esc_url( $new_instance['twitter'] ); - $instance['mail'] = esc_attr( $new_instance['mail'] ); + $instance['mail'] = esc_url( $new_instance['mail'] ); $instance['youtube'] = esc_url( $new_instance['youtube'] ); $instance['rss'] = esc_url( $new_instance['rss'] ); $instance['instagram'] = esc_url( $new_instance['instagram'] ); From 384470eb83ab04b1cb04ba3386103bfc8960064b Mon Sep 17 00:00:00 2001 From: drill-lancer Date: Thu, 25 Jul 2024 11:27:28 +0900 Subject: [PATCH 03/19] fix: post_type_manager --- .../package/class.post-type-manager.php | 58 +++++++++++-------- 1 file changed, 34 insertions(+), 24 deletions(-) 
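Review bot: In the fb-page-plugin hunk `showFaces`, `hideCover` and `showPosts` remain unsanitized while the three fields above them are filtered; if they are checkbox flags, coercing them to booleans (as the other widgets do for `blank`) keeps the stored instance well-typed. `height` is filtered with `esc_html`, which stores entity-encoded text; if it is a pixel value, `absint( $new_instance['height'] )` is the fitting save-time sanitizer. The update() body continues outside the hunk.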
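Review bot: Switching `mail` from `esc_attr` to `esc_url` assumes the field holds a `mailto:` URL; if the form collects a bare address, `esc_url` finds no scheme and prefixes `http://`, producing a broken link. If a bare address is the expected input, `$instance['mail'] = sanitize_email( $new_instance['mail'] );` fits better, with the `mailto:` added at output. Which form the profile widget's field collects is not visible in this diff.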
diff --git a/inc/post-type-manager/package/class.post-type-manager.php b/inc/post-type-manager/package/class.post-type-manager.php index 7260e769a..45076d46d 100644 --- a/inc/post-type-manager/package/class.post-type-manager.php +++ b/inc/post-type-manager/package/class.post-type-manager.php @@ -109,8 +109,9 @@ public static function add_meta_box_action() { /******************************************* * Supports(Required) */ - echo '

' . esc_html__( 'Supports(Required)', 'vk-all-in-one-expansion-unit' ) . '

'; + echo '

' . esc_html__( 'Supports ( Required )', 'vk-all-in-one-expansion-unit' ) . '

'; $post_type_items_value = get_post_meta( $post->ID, 'veu_post_type_items', true ); + echo '
    '; foreach ( $post_type_items_array as $key => $label ) { $checked = ( isset( $post_type_items_value[ $key ] ) && $post_type_items_value[ $key ] ) ? ' checked' : ''; 
@@ -323,33 +324,42 @@ public static function save_cf_value( $post_id ) { if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) { return $post_id; } + + $post_type_id = ! empty( $_POST['veu_post_type_id'] ) ? esc_html( strip_tags( $_POST['veu_post_type_id'] ) ) : ''; + $post_type_items = ! empty( $_POST['veu_post_type_items'] ) ? $_POST['veu_post_type_items'] : ''; + $menu_posttion = ! empty( $_POST['veu_menu_position'] ) ? esc_html( strip_tags( $_POST['veu_menu_position'] ) ) : ''; + $menu_icon = ! empty( $_POST['veu_menu_icon'] ) ? esc_html( strip_tags( $_POST['veu_menu_icon'] ) ) : ''; + $post_type_export_to_api = ! empty( $_POST['veu_post_type_export_to_api'] ) ? esc_html( $_POST['veu_post_type_export_to_api'] ) : ''; + $post_type_rewrite = ! empty( $_POST['veu_post_type_rewrite'] ) ? esc_html( $_POST['veu_post_type_rewrite'] ) : ''; + + if ( ! empty ( $_POST['veu_taxonomy'] ) ) { + $taxonomy = $_POST['veu_taxonomy']; + + for ( $i = 1; $i <= apply_filters( 'veu_post_type_taxonomies', 5 ); $i++ ) { + $taxonomy[$i]['slug'] = ! empty( $taxonomy[$i]['slug'] ) ? esc_html( strip_tags( $taxonomy[$i]['slug'] ) ) : ''; + $taxonomy[$i]['label'] = ! empty( $taxonomy[$i]['label'] ) ? esc_html( strip_tags( $taxonomy[$i]['label'] ) ) : ''; + $taxonomy[$i]['tag'] = ! empty( $taxonomy[$i]['tag'] ) ? esc_html( $taxonomy[$i]['tag'] ) : ''; + $taxonomy[$i]['rest_api'] = ! empty( $taxonomy[$i]['rest_api'] ) ? esc_html( $taxonomy[$i]['rest_api'] ) : ''; + } + } - // 保存しているカスタムフィールド. + // 保存しているカスタムフィールド. 
$fields = array( - 'veu_post_type_id', - 'veu_post_type_items', - 'veu_menu_position', - 'veu_menu_icon', - 'veu_post_type_export_to_api', - 'veu_post_type_rewrite', - 'veu_taxonomy', + 'veu_post_type_id' => $post_type_id, + 'veu_post_type_items' => $post_type_items, + 'veu_menu_position' => $menu_posttion, + 'veu_menu_icon' => $menu_icon, + 'veu_post_type_export_to_api' => $post_type_export_to_api, + 'veu_post_type_rewrite' => $post_type_rewrite, + 'veu_taxonomy' => $taxonomy, ); - foreach ( $fields as $key => $field ) { - $field_value = ( isset( $_POST[ $field ] ) ) ? $_POST[ $field ] : ''; - - // データが空だったら入れる. - if ( get_post_meta( $post_id, $field ) == '' ) { - add_post_meta( $post_id, $field, $field_value, true ); - - // 今入ってる値と違ってたらアップデートする. - } elseif ( get_post_meta( $post_id, $field, true ) !== $field_value ) { - update_post_meta( $post_id, $field, $field_value ); - - // 入力がなかったら消す. - } elseif ( '' === $field_value ) { - delete_post_meta( $post_id, $field, get_post_meta( $post_id, $field, true ) ); - } + foreach ( $fields as $field_name => $field_value ) { + if ( ! empty( $field_value ) ) { + update_post_meta( $post_id, $field_name, $field_value ); + } else { + delete_post_meta( $post_id, $field_name ); + } } // リライトルールを更新するように. From 564c846b59253027d623bf7fd23b039ac487c1de Mon Sep 17 00:00:00 2001 From: drill-lancer Date: Thu, 25 Jul 2024 12:44:18 +0900 Subject: [PATCH 04/19] fix: readme --- readme.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/readme.txt b/readme.txt index 316648626..faed40de7 100644 --- a/readme.txt +++ b/readme.txt @@ -81,6 +81,8 @@ e.g. == Changelog == +[ Bug fix ] Fix XSS of Widgets, CTA, Custom Post Type Manager. + = 9.99.0 = [ Specification Change ] Foce Load JS from footer is abolished. [ Fix ] Add a title attribute on Google Tag Manager (noscript) From 1af6ee64ecef75568143a3f54d2a0f7edacbab99 Mon Sep 17 00:00:00 2001 
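Review bot: `$taxonomy` is only assigned inside `if ( ! empty ( $_POST['veu_taxonomy'] ) )`, yet `'veu_taxonomy' => $taxonomy` reads it unconditionally, so a save without taxonomy data uses an undefined variable (a PHP warning, then null); initialise it before the branch with `$taxonomy = array();`. Two more points in the same hunk: `$post_type_items` is stored straight from `$_POST` with no sanitization while every other field is filtered, and the new `! empty( $field_value )` loop deletes the meta for a legitimate value of `'0'` (e.g. a menu position of 0), where the old code tested `'' === $field_value`. The `esc_html( strip_tags( … ) )` pairs also store output-escaped text; for slug-like values such as `veu_post_type_id`, `sanitize_key` is the fitting save-time sanitizer. The variable name `$menu_posttion` looks like a typo of `$menu_position`.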
From: drill-lancer Date: Mon, 29 Jul 2024 11:08:59 +0900 Subject: [PATCH 05/19] fix: stripslashes --- .../package/class-vk-call-to-action.php | 15 +++++++++++---- inc/contact-section/contact-section.php | 16 ++++++++-------- inc/other-widget/widget-3pr-area.php | 8 ++++---- inc/other-widget/widget-button.php | 4 ++-- inc/other-widget/widget-page.php | 2 +- inc/other-widget/widget-pr-blocks.php | 6 +++--- inc/other-widget/widget-profile.php | 6 +++--- inc/sns/widget-fb-page-plugin.php | 2 +- 8 files changed, 33 insertions(+), 26 deletions(-) diff --git a/inc/call-to-action/package/class-vk-call-to-action.php b/inc/call-to-action/package/class-vk-call-to-action.php index fe9f6cdba..e146138bc 100644 --- a/inc/call-to-action/package/class-vk-call-to-action.php +++ b/inc/call-to-action/package/class-vk-call-to-action.php @@ -172,7 +172,7 @@ public static function save_custom_field( $post_id ) { 'escape_type' => '', ), 'vkExUnit_cta_button_text' => array( - 'escape_type' => 'wp_kses_post', + 'escape_type' => array( 'stripslashes', 'wp_kses_post' ), ), 'vkExUnit_cta_button_icon' => array( 'escape_type' => 'wp_kses_post', @@ -190,7 +190,7 @@ public static function save_custom_field( $post_id ) { 'escape_type' => '', ), 'vkExUnit_cta_text' => array( - 'escape_type' => 'wp_kses_post', + 'escape_type' => array( 'stripslashes', 'wp_kses_post' ), ), ); 
@@ -198,8 +198,15 @@ public static function save_custom_field( $post_id ) { foreach ( $custom_fields as $custom_field_name => $custom_field_options ) { if ( isset( $_POST[ $custom_field_name ] ) ) { - if ( ! empty( $custom_field_name['escape_type'] ) ) { - $data = call_user_func( $custom_field_name['escape_type'], $_POST[ $custom_field_name ] ); + if ( ! empty( $custom_field_name['escape_type'] ) ) { + if ( is_array( $custom_field_name['escape_type'] ) ) { + $data = $_POST[ $custom_field_name ]; + foreach ( $custom_field_name['escape_type'] as $escape ) { + $data = call_user_func( $escape, $data ); + } + } else { + $data = call_user_func( $custom_field_name['escape_type'], $_POST[ $custom_field_name ] ); + } } else { $data = $_POST[ $custom_field_name ]; } diff --git a/inc/contact-section/contact-section.php b/inc/contact-section/contact-section.php index 655c1c7b7..5d02d227c 100644 --- a/inc/contact-section/contact-section.php +++ b/inc/contact-section/contact-section.php 
@@ -241,16 +241,16 @@ public function options_page() { } public function option_sanitaize( $option ) { - $option['contact_txt'] = wp_kses_post( $option['contact_txt'] ); - $option['tel_number'] = wp_kses_post( $option['tel_number'] ); + $option['contact_txt'] = wp_kses_post( stripslashes( $option['contact_txt'] ) ); + $option['tel_number'] = wp_kses_post( stripslashes( $option['tel_number'] ) ); $option['tel_icon'] = wp_kses_post( $option['tel_icon'] ); - $option['contact_time'] = wp_kses_post( $option['contact_time'] ); - $option['contact_link'] = wp_kses_post( $option['contact_link'] ); - $option['button_text'] = wp_kses_post( $option['button_text'] ); - $option['button_text_small'] = wp_kses_post( $option['button_text_small'] ); - $option['short_text'] = wp_kses_post( $option['short_text'] ); + $option['contact_time'] = wp_kses_post( stripslashes( $option['contact_time'] ) ); + $option['contact_link'] = esc_url ( $option['contact_link'] ); + $option['button_text'] = wp_kses_post( stripslashes( $option['button_text'] ) ); + $option['button_text_small'] = wp_kses_post( stripslashes( $option['button_text_small'] ) ); + $option['short_text'] = wp_kses_post( stripslashes( $option['short_text'] ) ); $option['contact_image'] = esc_url( $option['contact_image'] ); - $option['contact_html'] = wp_kses_post( $option['contact_html'] ); + $option['contact_html'] = wp_kses_post( stripslashes( $option['contact_html'] ) ); return $option; } diff --git a/inc/other-widget/widget-3pr-area.php b/inc/other-widget/widget-3pr-area.php index b60b858b7..819c89ecb 100644 --- a/inc/other-widget/widget-3pr-area.php +++ b/inc/other-widget/widget-3pr-area.php 
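Review bot: `tel_icon` is the one text field here left without the `stripslashes` the hunk adds to every other `wp_kses_post` call, which looks like an oversight rather than a deliberate exception; `$option['tel_icon'] = wp_kses_post( stripslashes( $option['tel_icon'] ) );` would make the method consistent. If `option_sanitaize` is registered as a `register_setting` sanitize callback, the settings save path has already run `wp_unslash` on the posted value before the callback runs, in which case `stripslashes` here would additionally strip backslashes the user typed — worth confirming against how the option is registered. Minor style: `esc_url ( $option['contact_link'] )` has a stray space before the parenthesis.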
@@ -137,12 +137,12 @@ function update( $new_instance, $old_instance ) { $instance = $old_instance; for ( $i = 1; $i <= 3; ) { - $instance[ 'label_' . $i ] = wp_kses_post( $new_instance[ 'label_' . $i ] ); + $instance[ 'label_' . $i ] = wp_kses_post( stripslashes($new_instance[ 'label_' . $i ] ) ); $instance[ 'media_3pr_image_' . $i ] = esc_url( $new_instance[ 'media_3pr_image_' . $i ] ); - $instance[ 'media_3pr_alt_' . $i ] = esc_html( $new_instance[ 'media_3pr_alt_' . $i ] ); + $instance[ 'media_3pr_alt_' . $i ] = esc_html( stripslashes( $new_instance[ 'media_3pr_alt_' . $i ] ) ); $instance[ 'media_3pr_image_sp_' . $i ] = esc_url( $new_instance[ 'media_3pr_image_sp_' . $i ] ); - $instance[ 'media_3pr_alt_sp_' . $i ] = esc_html( $new_instance[ 'media_3pr_alt_sp_' . $i ] ); - $instance[ 'summary_' . $i ] = wp_kses_post( $new_instance[ 'summary_' . $i ] ); + $instance[ 'media_3pr_alt_sp_' . $i ] = esc_html( stripslashes( $new_instance[ 'media_3pr_alt_sp_' . $i ] ) ); + $instance[ 'summary_' . $i ] = wp_kses_post( stripslashes( $new_instance[ 'summary_' . $i ] ) ); $instance[ 'linkurl_' . $i ] = esc_url( $new_instance[ 'linkurl_' . $i ] ); $instance[ 'blank_' . $i ] = ( isset( $new_instance[ 'blank_' . $i ] ) && $new_instance[ 'blank_' . $i ] == 'true' ); $i++; diff --git a/inc/other-widget/widget-button.php b/inc/other-widget/widget-button.php index fd897ae2a..254b250dc 100644 --- a/inc/other-widget/widget-button.php +++ b/inc/other-widget/widget-button.php 
@@ -205,10 +205,10 @@ function form( $instance ) { function update( $new_instance, $old_instance ) { $opt = array(); - $opt['title'] = wp_kses_post( $new_instance['title'] ); + $opt['title'] = wp_kses_post( stripslashes( $new_instance['title'] ) ); $opt['icon_before'] = wp_kses_post( $new_instance['icon_before'] ); $opt['icon_after'] = wp_kses_post( $new_instance['icon_after'] ); - $opt['subtext'] = wp_kses_post( $new_instance['subtext'] ); + $opt['subtext'] = wp_kses_post( stripslashes( $new_instance['subtext'] ) ); $opt['linkurl'] = esc_url( $new_instance['linkurl'] ); $opt['blank'] = ( isset( $new_instance['blank'] ) && $new_instance['blank'] == 'true' ); $opt['size'] = in_array( $new_instance['size'], array( 'sm', 'lg' ) ) ? $new_instance['size'] : 'md'; diff --git a/inc/other-widget/widget-page.php b/inc/other-widget/widget-page.php index 3723d0614..dbece6804 100644 --- a/inc/other-widget/widget-page.php +++ b/inc/other-widget/widget-page.php @@ -190,7 +190,7 @@ function form( $instance ) { // 保存・更新する値 function update( $new_instance, $old_instance ) { $instance = $old_instance; - $instance['title'] = wp_kses_post( $new_instance['title'] ); + $instance['title'] = wp_kses_post( stripslashes( $new_instance['title'] ) ); $instance['page_id'] = $new_instance['page_id']; $instance['set_title'] = $new_instance['set_title']; $instance['child_page_index'] = $new_instance['child_page_index']; diff --git a/inc/other-widget/widget-pr-blocks.php b/inc/other-widget/widget-pr-blocks.php index 5d437648c..9d7df4c6f 100644 --- a/inc/other-widget/widget-pr-blocks.php +++ b/inc/other-widget/widget-pr-blocks.php 
@@ -206,13 +206,13 @@ public function update( $new_instance, $old_instance ) { } for ( $i = 1; $i <= 4; ) { - $instance[ 'label_' . $i ] = wp_kses_post( $new_instance[ 'label_' . $i ] ); + $instance[ 'label_' . $i ] = wp_kses_post( stripslashes( $new_instance[ 'label_' . $i ] ) ); $instance[ 'media_image_' . $i ] = esc_url( $new_instance[ 'media_image_' . $i ] ); - $instance[ 'media_alt_' . $i ] = esc_html( $new_instance[ 'media_alt_' . $i ] ); + $instance[ 'media_alt_' . $i ] = esc_html( stripslashes( $new_instance[ 'media_alt_' . $i ] ) ); $instance[ 'iconFont_class_' . $i ] = esc_html( $new_instance[ 'iconFont_class_' . $i ] ); $instance[ 'iconFont_bgColor_' . $i ] = esc_html( $new_instance[ 'iconFont_bgColor_' . $i ] ); $instance[ 'iconFont_bgType_' . $i ] = $new_instance[ 'iconFont_bgType_' . $i ]; - $instance[ 'summary_' . $i ] = wp_kses_post( $new_instance[ 'summary_' . $i ] ); + $instance[ 'summary_' . $i ] = wp_kses_post( stripslashes( $new_instance[ 'summary_' . $i ] ) ); $instance[ 'linkurl_' . $i ] = esc_url( $new_instance[ 'linkurl_' . $i ] ); $instance[ 'blank_' . $i ] = ( isset( $new_instance[ 'blank_' . $i ] ) && $new_instance[ 'blank_' . $i ] == 'true' ); $i++; diff --git a/inc/other-widget/widget-profile.php b/inc/other-widget/widget-profile.php index aff1e40b8..b5b10c614 100644 --- a/inc/other-widget/widget-profile.php +++ b/inc/other-widget/widget-profile.php 
@@ -181,10 +181,10 @@ function form( $instance ) { /*-------------------------------------------*/ function update( $new_instance, $old_instance ) { $instance = $old_instance; - $instance['label'] = wp_kses_post( $new_instance['label'] ); + $instance['label'] = wp_kses_post( stripslashes($new_instance['label'] ) ); $instance['mediaFile'] = esc_url( $new_instance['mediaFile'] ); - $instance['mediaAlt'] = esc_html( $new_instance['mediaAlt'] ); - $instance['profile'] = wp_kses_post( $new_instance['profile'] ); + $instance['mediaAlt'] = esc_html( stripslashes( $new_instance['mediaAlt'] ) ); + $instance['profile'] = wp_kses_post( stripslashes( $new_instance['profile'] ) ); $instance['mediaAlign_left'] = $new_instance['mediaAlign_left']; $instance['mediaAlign'] = $new_instance['mediaAlign']; $instance['mediaRound'] = $new_instance['mediaRound']; diff --git a/inc/sns/widget-fb-page-plugin.php b/inc/sns/widget-fb-page-plugin.php index 80ed7db30..b00ac6c88 100644 --- a/inc/sns/widget-fb-page-plugin.php +++ b/inc/sns/widget-fb-page-plugin.php @@ -51,7 +51,7 @@ function widget( $args, $instance ) { function update( $new_instance, $old_instance ) { $instance = $old_instance; - $instance['label'] = wp_kses_post( $new_instance['label'] ); + $instance['label'] = wp_kses_post( stripslashes($new_instance['label'] ) ); $instance['page_url'] = esc_url( $new_instance['page_url'] ); $instance['height'] = esc_html( $new_instance['height'] ); $instance['showFaces'] = $new_instance['showFaces']; From cab8505e656e6ce98eefb1a08216d2f80e06bca1 Mon Sep 17 00:00:00 2001 From: kurudrive Date: Mon, 29 Jul 2024 12:25:05 +0900 Subject: [PATCH 06/19] add escape --- inc/sns/widget-fb-page-plugin.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/inc/sns/widget-fb-page-plugin.php b/inc/sns/widget-fb-page-plugin.php index b00ac6c88..f4a0b9cd5 100644 --- a/inc/sns/widget-fb-page-plugin.php +++ b/inc/sns/widget-fb-page-plugin.php 
@@ -16,12 +16,12 @@ function __construct() { function widget( $args, $instance ) { - echo $args['before_widget']; + echo wp_kses_post( $args['before_widget'] ); echo '
    '; if ( isset( $instance['label'] ) && $instance['label'] ) { - echo $args['before_title']; - echo $instance['label']; - echo $args['after_title']; + echo wp_kses_post( $args['before_title'] ); + echo wp_kses_post( $instance['label'] ); + echo wp_kses_post( $args['after_title'] ); } $page_url = ( isset( $instance['page_url'] ) && $instance['page_url'] ) ? $instance['page_url'] : ''; @@ -32,10 +32,10 @@ function widget( $args, $instance ) { ?>
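Review bot: `$args['before_widget']`, `before_title`, `after_title` and `after_widget` come from the theme's sidebar registration rather than from user input, and core widgets echo them unfiltered; passing them through `wp_kses_post` can strip markup a theme relies on while adding nothing against the untrusted values, which are `$instance['label']` (now correctly filtered) and `$page_url`. Consider keeping the kses on `$instance['label']` and echoing the sidebar args as before, or adding a comment stating why theme markup is filtered here. The later output of `$page_url` in this function is not legible in this rendering, so its escaping could not be checked.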
    -
    + @@ -43,7 +43,7 @@ function widget( $args, $instance ) { '; - echo $args['after_widget']; + echo wp_kses_post( $args['after_widget'] ); veu_set_facebook_script(); } // widget($args, $instance) From 8e270919cdae1eed492f6bb5267f05e4b5315a53 Mon Sep 17 00:00:00 2001 From: drill-lancer Date: Mon, 29 Jul 2024 14:14:06 +0900 Subject: [PATCH 07/19] fix: escape cta --- .../package/class-vk-call-to-action.php | 90 ++++++++++++++++++- 1 file changed, 88 insertions(+), 2 deletions(-) diff --git a/inc/call-to-action/package/class-vk-call-to-action.php b/inc/call-to-action/package/class-vk-call-to-action.php index e146138bc..8a4078083 100644 --- a/inc/call-to-action/package/class-vk-call-to-action.php +++ b/inc/call-to-action/package/class-vk-call-to-action.php 
@@ -505,6 +505,91 @@ public static function get_cta_post( $id ) { return $target; } + /** + * 許可する HTML + */ + public static function cta_allow_html() { + $allowed_html = array( + 'div' => array( + 'id' => array(), + 'class' => array(), + 'itemprop' => array(), + 'itemscope' => array(), + 'itemtype' => array(), + 'style' => array(), + ), + 'h3' => array( + 'id' => array(), + 'class' => array(), + 'style' => array(), + ), + 'h4' => array( + 'id' => array(), + 'class' => array(), + 'style' => array(), + ), + 'h5' => array( + 'id' => array(), + 'class' => array(), + 'style' => array(), + ), + 'h6' => array( + 'id' => array(), + 'class' => array(), + 'style' => array(), + ), + 'p' => array( + 'id' => array(), + 'class' => array(), + 'style' => array(), + ), + 'ul' => array( + 'id' => array(), + 'class' => array(), + 'itemprop' => array(), + 'itemscope' => array(), + 'itemtype' => array(), + 'style' => array(), + ), + 'ol' => array( + 'id' => array(), + 'class' => array(), + 'itemprop' => array(), + 'itemscope' => array(), + 'itemtype' => array(), + 'style' => array(), + ), + 'li' => array( + 'id' => array(), + 'class' => array(), + 'itemprop' => array(), + 'itemscope' => array(), + 'itemtype' => array(), + 'style' => array(), + ), + 'a' => array( + 'id' => array(), + 'class' => array(), + 'href' => array(), + 'target' => array(), + 'itemprop' => array(), + 'style' => array(), + ), + 'span' => array( + 'id' => array(), + 'class' => array(), + 'itemprop' => array(), + 'itemscope' => array(), + 'itemtype' => array(), + 'style' => array(), + ), + 'i' => array( + 'id' => array(), + 'class' => array(), + ), + ); + return $allowed_html; + } /** * CTAとして返す内容の処理 @@ -552,7 +637,7 @@ public static function render_cta_content( $id ) { wp_reset_postdata(); // wp_kses_post でエスケープすると outerブロックが出力するstyle属性を無効化される. - return do_blocks( do_shortcode( wp_kses_post( $content ) ) ); + return do_blocks( do_shortcode( wp_kses( $content, cta_allow_html() ) ) ); } /** 
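Review bot: `cta_allow_html()` is declared as `public static function` on this class but is called as a bare global function in render_cta_content, so the new `wp_kses( $content, cta_allow_html() )` line fails with an undefined-function error unless a global of that name exists elsewhere; it should be `return do_blocks( do_shortcode( wp_kses( $content, self::cta_allow_html() ) ) );`. The allow-list is also narrow for post content — no `img`, `br`, `strong`, `em`, `h1`/`h2` or `button` — so a CTA containing an image or inline formatting would be silently stripped; whether that is intended cannot be told from the diff. The docblock `許可する HTML` could state the method's role, e.g. `Allowed HTML tags and attributes for saved CTA content; used by render_cta_content via wp_kses().`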
@@ -724,7 +809,8 @@ public static function get_option( $show_label = false ) { // ↓ これであかんの? // $output_option = wp_parse_args( $option, $default ); if ( ! $option || ! is_array( $option ) ) { - return $default; } + return $default; + } $posttypes = array_merge( array( From 5f279eb1a1c873eda1e38cb62fcb3367126b0571 Mon Sep 17 00:00:00 2001 From: kurudrive Date: Mon, 29 Jul 2024 14:37:53 +0900 Subject: [PATCH 08/19] =?UTF-8?q?=E3=82=B3=E3=83=A1=E3=83=B3=E3=83=88?= =?UTF-8?q?=E3=81=AE=E3=81=BF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- inc/call-to-action/package/class-vk-call-to-action.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/inc/call-to-action/package/class-vk-call-to-action.php b/inc/call-to-action/package/class-vk-call-to-action.php index 8a4078083..cbc88c253 100644 --- a/inc/call-to-action/package/class-vk-call-to-action.php +++ b/inc/call-to-action/package/class-vk-call-to-action.php @@ -200,13 +200,15 @@ public static function save_custom_field( $post_id ) { if ( isset( $_POST[ $custom_field_name ] ) ) { if ( ! empty( $custom_field_name['escape_type'] ) ) { if ( is_array( $custom_field_name['escape_type'] ) ) { + // エスケープ処理が複数ある場合 $data = $_POST[ $custom_field_name ]; foreach ( $custom_field_name['escape_type'] as $escape ) { $data = call_user_func( $escape, $data ); } } else { + // エスケープ処理が一つの場合 $data = call_user_func( $custom_field_name['escape_type'], $_POST[ $custom_field_name ] ); - } + } } else { $data = $_POST[ $custom_field_name ]; } From 8fdfa02dd0fcf542dab894f75e1aeb17a0897ea3 Mon Sep 17 00:00:00 2001 From: kurudrive Date: Mon, 29 Jul 2024 14:47:22 +0900 Subject: [PATCH 09/19] add escape --- inc/other-widget/widget-button.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inc/other-widget/widget-button.php b/inc/other-widget/widget-button.php index 254b250dc..d49f9464d 100644 --- a/inc/other-widget/widget-button.php 
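Review bot: The conditions in the save_custom_field hunk read `$custom_field_name['escape_type']`, but `$custom_field_name` is the string key used to index `$_POST` on the line above, so `! empty()` on a non-numeric string offset is always false and both of the branches the new comments describe are unreachable; every field falls through to `$data = $_POST[ $custom_field_name ];` and is stored without the configured escaping. The per-field options presumably arrive in the foreach's value variable (the foreach is outside the hunk), so the fix is to replace `$custom_field_name['escape_type']` with `$custom_field_options['escape_type']` in all four places (the two `if` tests, the inner `foreach`, and the single-callback `call_user_func`). This commit is comment-only, but the comments now document a code path that never executes, which is worth fixing before the XSS work earlier in the series is relied on.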
+++ b/inc/other-widget/widget-button.php @@ -69,7 +69,7 @@ function widget( $args, $instance ) { if ( $options['linkurl'] && $options['title'] ) : ?>
    - > + > Date: Mon, 29 Jul 2024 14:59:33 +0900 Subject: [PATCH 10/19] add escape --- inc/other-widget/widget-3pr-area.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inc/other-widget/widget-3pr-area.php b/inc/other-widget/widget-3pr-area.php index 819c89ecb..371b16ca3 100644 --- a/inc/other-widget/widget-3pr-area.php +++ b/inc/other-widget/widget-3pr-area.php @@ -163,7 +163,7 @@ function widget( $args, $instance ) { echo '

    '; if ( isset( $instance[ 'label_' . $i ] ) && $instance[ 'label_' . $i ] ) { - echo $instance[ 'label_' . $i ]; + echo wp_kses_posts( $instance[ 'label_' . $i ] ); } else { _e( '3PR area', 'vk-all-in-one-expansion-unit' ); } From dffea5827519cbf947cd37776f427ac78a61e52b Mon Sep 17 00:00:00 2001 From: kurudrive Date: Mon, 29 Jul 2024 15:04:55 +0900 Subject: [PATCH 11/19] add escape --- inc/other-widget/widget-page.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inc/other-widget/widget-page.php b/inc/other-widget/widget-page.php index dbece6804..c2fb502f5 100644 --- a/inc/other-widget/widget-page.php +++ b/inc/other-widget/widget-page.php @@ -233,7 +233,7 @@ function display_page( $args, $instance ) { echo PHP_EOL . '
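Review bot: `wp_kses_posts` on the added line is not a WordPress function — the escaper is `wp_kses_post` (singular), as the matching widget-pr-blocks change later in this series uses — so this branch raises an undefined-function error as soon as a label is set, and the intended escaping never takes effect. The line should be `echo wp_kses_post( $instance[ 'label_' . $i ] );`. The widget() body continues outside the hunk.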
    ' . PHP_EOL; if ( $widget_title['display'] ) { - echo $args['before_title'] . $widget_title['title'] . $args['after_title'] . PHP_EOL; + echo wp_kses_post( $args['before_title'] . $widget_title['title'] . $args['after_title'] ) . PHP_EOL; } echo apply_filters( 'the_content', $page->post_content ); From c2f31cd43449f079953266bccc1fbf47f45000ac Mon Sep 17 00:00:00 2001 From: kurudrive Date: Mon, 29 Jul 2024 15:40:58 +0900 Subject: [PATCH 12/19] add escape --- inc/other-widget/widget-pr-blocks.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inc/other-widget/widget-pr-blocks.php b/inc/other-widget/widget-pr-blocks.php index 9d7df4c6f..2fdec2d3d 100644 --- a/inc/other-widget/widget-pr-blocks.php +++ b/inc/other-widget/widget-pr-blocks.php @@ -285,7 +285,7 @@ public function widget( $args, $instance ) { // title text echo '

    '; if ( isset( $instance[ 'label_' . $i ] ) && $instance[ 'label_' . $i ] ) { - echo $instance[ 'label_' . $i ]; + echo wp_kses_post( $instance[ 'label_' . $i ] ); } else { _e( 'PR Block', 'vk-all-in-one-expansion-unit' ); } From 73bb9b11cf11fdf8ef831eff4736bc20f85c60ed Mon Sep 17 00:00:00 2001 From: kurudrive Date: Mon, 29 Jul 2024 15:51:10 +0900 Subject: [PATCH 13/19] add escape --- inc/other-widget/widget-profile.php | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/inc/other-widget/widget-profile.php b/inc/other-widget/widget-profile.php index b5b10c614..bab0b88a1 100644 --- a/inc/other-widget/widget-profile.php +++ b/inc/other-widget/widget-profile.php @@ -356,9 +356,7 @@ function widget( $args, $instance ) { echo PHP_EOL . '
    ' . PHP_EOL; if ( isset( $instance['label'] ) && $instance['label'] ) { - echo $args['before_title']; - echo $instance['label']; - echo $args['after_title']; + echo wp_kses_post( $args['before_title'] . $instance['label'] . $args['after_title'] ); } ?>
    From 858985573a6810425dfbf2d7e74fae7ecb83f428 Mon Sep 17 00:00:00 2001 From: kurudrive Date: Mon, 29 Jul 2024 17:17:26 +0900 Subject: [PATCH 14/19] add escape --- inc/contact-section/contact-section.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inc/contact-section/contact-section.php b/inc/contact-section/contact-section.php index 5d02d227c..2d225f1ad 100644 --- a/inc/contact-section/contact-section.php +++ b/inc/contact-section/contact-section.php @@ -451,7 +451,7 @@ public static function render_widget_contact_btn_html() { } $cont .= ' '; - $cont .= $options['short_text']; + $cont .= wp_kses_post( $options['short_text'] ); // Arrow Icon $class = 'far fa-arrow-alt-circle-right'; @@ -462,7 +462,7 @@ public static function render_widget_contact_btn_html() { $cont .= ''; if ( isset( $options['button_text_small'] ) && $options['button_text_small'] ) { - $cont .= '' . $options['button_text_small'] . ''; + $cont .= '' . wp_kses_post( $options['button_text_small'] ) . ''; } $cont .= ''; } From cfeaa1a30b9b8155e2982a07b086434a79fffc81 Mon Sep 17 00:00:00 2001 From: Taichi Maruyama Date: Mon, 29 Jul 2024 17:44:09 +0900 Subject: [PATCH 15/19] =?UTF-8?q?fix:=20tel=5Ficon=E3=81=AFfont=20awesome?= =?UTF-8?q?=E3=81=AE=E3=82=BF=E3=82=B0=E3=81=AE=E3=81=BF=E8=A8=B1=E5=8F=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- inc/contact-section/contact-section.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inc/contact-section/contact-section.php b/inc/contact-section/contact-section.php index 2d225f1ad..b2a417166 100644 --- a/inc/contact-section/contact-section.php +++ b/inc/contact-section/contact-section.php 
@@ -243,7 +243,7 @@ public function options_page() { public function option_sanitaize( $option ) { $option['contact_txt'] = wp_kses_post( stripslashes( $option['contact_txt'] ) ); $option['tel_number'] = wp_kses_post( stripslashes( $option['tel_number'] ) ); - $option['tel_icon'] = wp_kses_post( $option['tel_icon'] ); + $option['tel_icon'] = wp_kses( $option['tel_icon'] , array( 'i' => array( 'class' => array(), 'aria-hidden' => array() )) ); $option['contact_time'] = wp_kses_post( stripslashes( $option['contact_time'] ) ); $option['contact_link'] = esc_url ( $option['contact_link'] ); $option['button_text'] = wp_kses_post( stripslashes( $option['button_text'] ) ); From 7415bb7db3202ed3021c2c0745e03ca9b7467de0 Mon Sep 17 00:00:00 2001 From: Taichi Maruyama Date: Mon, 29 Jul 2024 17:44:46 +0900 Subject: [PATCH 16/19] fix: space --- inc/contact-section/contact-section.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inc/contact-section/contact-section.php b/inc/contact-section/contact-section.php index b2a417166..ded59b9eb 100644 --- a/inc/contact-section/contact-section.php +++ b/inc/contact-section/contact-section.php @@ -243,7 +243,7 @@ public function options_page() { public function option_sanitaize( $option ) { $option['contact_txt'] = wp_kses_post( stripslashes( $option['contact_txt'] ) ); $option['tel_number'] = wp_kses_post( stripslashes( $option['tel_number'] ) ); - $option['tel_icon'] = wp_kses( $option['tel_icon'] , array( 'i' => array( 'class' => array(), 'aria-hidden' => array() )) ); + $option['tel_icon'] = wp_kses( $option['tel_icon'] , array( 'i' => array( 'class' => array(), 'aria-hidden' => array() ) ) ); $option['contact_time'] = wp_kses_post( stripslashes( $option['contact_time'] ) ); $option['contact_link'] = esc_url ( $option['contact_link'] ); $option['button_text'] = wp_kses_post( stripslashes( $option['button_text'] ) ); From 911d533bef34e69401d879e1b9b54457c74a0e31 Mon Sep 17 00:00:00 2001 
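Review bot: option_sanitaize persists `esc_url( $option['contact_link'] )`, which is the display-context escaper (it entity-encodes `&`), whereas values written to the options table are conventionally passed through `esc_url_raw()` and escaped with `esc_url()` at output; as written a URL containing `&` is stored already encoded and can be double-encoded on render. That line is context here and predates this commit, but since the hunk is touching the sanitizer I would change it to `$option['contact_link'] = esc_url_raw( $option['contact_link'] );`. The narrowed `tel_icon` allow-list is a good change; note it omits the `stripslashes()` the sibling lines apply before kses, which is only consistent if this callback already receives unslashed data — not visible in the hunk. The following whitespace-only patch repeats this hunk.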
From: kurudrive Date: Mon, 29 Jul 2024 17:45:15 +0900 Subject: [PATCH 17/19] add esc --- admin/admin-active-setting-page.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/admin/admin-active-setting-page.php b/admin/admin-active-setting-page.php index 6644fc5c4..c5dddb8b7 100644 --- a/admin/admin-active-setting-page.php +++ b/admin/admin-active-setting-page.php @@ -41,8 +41,8 @@ ?> " > - - + + - + 1 && $i >= 1 ) ? ' | ' : ''; ?> - - + + -

    +

    From 02a8bb18df0a26a3fe116b4423834752121c920b Mon Sep 17 00:00:00 2001 From: kurudrive Date: Mon, 29 Jul 2024 18:07:58 +0900 Subject: [PATCH 18/19] allow area hidden --- inc/call-to-action/package/class-vk-call-to-action.php | 10 ++++++---- .../package/class-veu-promotion-alert.php | 7 ++++--- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/inc/call-to-action/package/class-vk-call-to-action.php b/inc/call-to-action/package/class-vk-call-to-action.php index cbc88c253..119d1dca9 100644 --- a/inc/call-to-action/package/class-vk-call-to-action.php +++ b/inc/call-to-action/package/class-vk-call-to-action.php @@ -471,8 +471,9 @@ public static function render_meta_box_cta() { 'itemtype' => array(), ), 'i' => array( - 'id' => array(), - 'class' => array(), + 'id' => array(), + 'class' => array(), + 'aria-hidden' => array() ), ); ?> @@ -586,8 +587,9 @@ public static function cta_allow_html() { 'style' => array(), ), 'i' => array( - 'id' => array(), - 'class' => array(), + 'id' => array(), + 'class' => array(), + 'aria-hidden' => array() ), ); return $allowed_html; diff --git a/inc/promotion-alert/package/class-veu-promotion-alert.php b/inc/promotion-alert/package/class-veu-promotion-alert.php index b397295c0..e84a3341a 100644 --- a/inc/promotion-alert/package/class-veu-promotion-alert.php +++ b/inc/promotion-alert/package/class-veu-promotion-alert.php @@ -78,9 +78,10 @@ public static function kses_allowed() { 'style' => array(), ), 'i' => array( - 'id' => array(), - 'class' => array(), - 'style' => array(), + 'id' => array(), + 'class' => array(), + 'style' => array(), + 'aria-hidden' => array() ), 'a' => array( 'id' => array(), From 807a5a4ce54ede1ebb076e7938a0df81030506c6 Mon Sep 17 00:00:00 2001 From: kurudrive Date: Mon, 29 Jul 2024 18:24:46 +0900 Subject: [PATCH 19/19] add esc --- admin/customizer.php | 2 +- inc/common-block.php | 1 + inc/insert-ads.php | 5 ++--- 3 files changed, 4 insertions(+), 4 deletions(-) 
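Review bot: The added `'aria-hidden' => array()` entries in all three hunks lack the trailing comma that every neighbouring entry (`'class' => array(),`) carries, so the next attribute appended to these lists will produce a two-line diff; write `'aria-hidden' => array(),` in each. The first two hunks also show that render_meta_box_cta keeps its own copy of the allow-list that cta_allow_html() returns, and this commit had to patch both in lockstep; having the meta box call `self::cta_allow_html()` would keep the two from drifting, assuming the meta-box list is otherwise identical (only its tail is visible here). Each of the three arrays starts outside its hunk.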
diff --git a/admin/customizer.php b/admin/customizer.php index 4287f988a..ce44e6273 100644 --- a/admin/customizer.php +++ b/admin/customizer.php @@ -65,7 +65,7 @@ public function render_content() { link(); ?> /> input_after ); ?>
    - description; ?> + description ); ?> '; $text .= '

    '; + // 入力由来でないのでエスケープ不要 echo $text; } } diff --git a/inc/insert-ads.php b/inc/insert-ads.php index d3d9047dc..ba33c495e 100644 --- a/inc/insert-ads.php +++ b/inc/insert-ads.php @@ -125,7 +125,6 @@ public function print_google_auto_ad() { $option = $this->get_option(); if ( $option['google-ads-active'] && $option['google-pub-id'] ) { - $overlay = ',overlays: {bottom: true}'; ?> @@ -230,7 +229,7 @@ public function render_configPage() { $lang = ( get_locale() == 'ja' ) ? 'ja' : 'en'; $Google_ad_url = 'https://support.google.com/adsense/answer/7478040?hl=' . $lang; ?> - [ ] + [ ]