XSS 対応

inc/call-to-action/package/class-vk-call-to-action.php

@@ -166,40 +166,40 @@ public static function save_custom_field( $post_id ) {
 						'escape_type' => '',
 					),
 					'vkExUnit_cta_img'                => array(
-						'escape_type' => '',
+						'escape_type' => 'esc_url',
 					),
 					'vkExUnit_cta_img_position'       => array(
 						'escape_type' => '',
 					),
 					'vkExUnit_cta_button_text'        => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => 'wp_kses_post',
 					),
 					'vkExUnit_cta_button_icon'        => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => 'wp_kses_post',
 					),
 					'vkExUnit_cta_button_icon_before' => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => 'wp_kses_post',
 					),
 					'vkExUnit_cta_button_icon_after'  => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => 'wp_kses_post',
 					),
 					'vkExUnit_cta_url'                => array(
-						'escape_type' => '',
+						'escape_type' => 'esc_url',
 					),
 					'vkExUnit_cta_url_blank'          => array(
 						'escape_type' => '',
 					),
 					'vkExUnit_cta_text'               => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => 'wp_kses_post',
 					),
 				);
 
 				// カスタムフィールドの保存.
 				foreach ( $custom_fields as $custom_field_name => $custom_field_options ) {
 
 					if ( isset( $_POST[ $custom_field_name ] ) ) {
-						if ( isset( $custom_field_name['escape_type'] ) && $custom_field_name['escape_type'] == 'stripslashes' ) {
-							$data = stripslashes( $_POST[ $custom_field_name ] );
+						if ( ! empty( $custom_field_name['escape_type'] )  ) {
+							$data = call_user_func( $custom_field_name['escape_type'], $_POST[ $custom_field_name ] );
 						} else {
 							$data = $_POST[ $custom_field_name ];
 						}
@@ -545,7 +545,7 @@ public static function render_cta_content( $id ) {
 			wp_reset_postdata();
 
 			// wp_kses_post でエスケープすると outerブロックが出力するstyle属性を無効化される.
-			return do_blocks( do_shortcode( $content ) );
+			return do_blocks( do_shortcode( wp_kses_post( $content ) ) );
 		}
 
 		/**

inc/contact-section/contact-section.php

@@ -241,16 +241,16 @@ public function options_page() {
 	}
 
 	public function option_sanitaize( $option ) {
-		$option['contact_txt']       = stripslashes( $option['contact_txt'] );
-		$option['tel_number']        = stripslashes( $option['tel_number'] );
-		$option['tel_icon']          = stripslashes( $option['tel_icon'] );
-		$option['contact_time']      = stripslashes( $option['contact_time'] );
-		$option['contact_link']      = stripslashes( $option['contact_link'] );
-		$option['button_text']       = stripslashes( $option['button_text'] );
-		$option['button_text_small'] = stripslashes( $option['button_text_small'] );
-		$option['short_text']        = stripslashes( $option['short_text'] );
+		$option['contact_txt']       = wp_kses_post( $option['contact_txt'] );
+		$option['tel_number']        = wp_kses_post( $option['tel_number'] );
+		$option['tel_icon']          = wp_kses_post( $option['tel_icon'] );
+		$option['contact_time']      = wp_kses_post( $option['contact_time'] );
+		$option['contact_link']      = wp_kses_post( $option['contact_link'] );
+		$option['button_text']       = wp_kses_post( $option['button_text'] );
+		$option['button_text_small'] = wp_kses_post( $option['button_text_small'] );
+		$option['short_text']        = wp_kses_post( $option['short_text'] );
 		$option['contact_image']     = esc_url( $option['contact_image'] );
-		$option['contact_html']      = stripslashes( $option['contact_html'] );
+		$option['contact_html']      = wp_kses_post( $option['contact_html'] );
 		return $option;
 	}
 

inc/other-widget/widget-3pr-area.php

@@ -137,13 +137,13 @@ function update( $new_instance, $old_instance ) {
 		$instance = $old_instance;
 
 		for ( $i = 1; $i <= 3; ) {
-			$instance[ 'label_' . $i ]              = $new_instance[ 'label_' . $i ];
-			$instance[ 'media_3pr_image_' . $i ]    = $new_instance[ 'media_3pr_image_' . $i ];
-			$instance[ 'media_3pr_alt_' . $i ]      = $new_instance[ 'media_3pr_alt_' . $i ];
-			$instance[ 'media_3pr_image_sp_' . $i ] = $new_instance[ 'media_3pr_image_sp_' . $i ];
-			$instance[ 'media_3pr_alt_sp_' . $i ]   = $new_instance[ 'media_3pr_alt_sp_' . $i ];
-			$instance[ 'summary_' . $i ]            = $new_instance[ 'summary_' . $i ];
-			$instance[ 'linkurl_' . $i ]            = $new_instance[ 'linkurl_' . $i ];
+			$instance[ 'label_' . $i ]              = wp_kses_post( $new_instance[ 'label_' . $i ] );
+			$instance[ 'media_3pr_image_' . $i ]    = esc_url( $new_instance[ 'media_3pr_image_' . $i ] );
+			$instance[ 'media_3pr_alt_' . $i ]      = esc_html( $new_instance[ 'media_3pr_alt_' . $i ] );
+			$instance[ 'media_3pr_image_sp_' . $i ] = esc_url( $new_instance[ 'media_3pr_image_sp_' . $i ] );
+			$instance[ 'media_3pr_alt_sp_' . $i ]   = esc_html( $new_instance[ 'media_3pr_alt_sp_' . $i ] );
+			$instance[ 'summary_' . $i ]            = wp_kses_post( $new_instance[ 'summary_' . $i ] );
+			$instance[ 'linkurl_' . $i ]            = esc_url( $new_instance[ 'linkurl_' . $i ] );
 			$instance[ 'blank_' . $i ]              = ( isset( $new_instance[ 'blank_' . $i ] ) && $new_instance[ 'blank_' . $i ] == 'true' );
 			$i++;
 		}

inc/other-widget/widget-button.php

@@ -206,10 +206,10 @@ function form( $instance ) {
 	function update( $new_instance, $old_instance ) {
 		$opt                = array();
 		$opt['title']       = wp_kses_post( $new_instance['title'] );
-		$opt['icon_before'] = $new_instance['icon_before'];
-		$opt['icon_after']  = $new_instance['icon_after'];
-		$opt['subtext']     = $new_instance['subtext'];
-		$opt['linkurl']     = $new_instance['linkurl'];
+		$opt['icon_before'] = wp_kses_post( $new_instance['icon_before'] );
+		$opt['icon_after']  = wp_kses_post( $new_instance['icon_after'] );
+		$opt['subtext']     = wp_kses_post( $new_instance['subtext'] );
+		$opt['linkurl']     = esc_url( $new_instance['linkurl'] );
 		$opt['blank']       = ( isset( $new_instance['blank'] ) && $new_instance['blank'] == 'true' );
 		$opt['size']        = in_array( $new_instance['size'], array( 'sm', 'lg' ) ) ? $new_instance['size'] : 'md';
 		$opt['color']       = in_array( $new_instance['color'], array_keys( self::button_otherlabels() ) ) ? $new_instance['color'] : static::$button_default;

inc/other-widget/widget-page.php

@@ -190,7 +190,7 @@ function form( $instance ) {
 	// 保存・更新する値
 	function update( $new_instance, $old_instance ) {
 		$instance                       = $old_instance;
-		$instance['title']              = $new_instance['title'];
+		$instance['title']              = wp_kses_post( $new_instance['title'] );
 		$instance['page_id']            = $new_instance['page_id'];
 		$instance['set_title']          = $new_instance['set_title'];
 		$instance['child_page_index']   = $new_instance['child_page_index'];

inc/other-widget/widget-pr-blocks.php

@@ -206,14 +206,14 @@ public function update( $new_instance, $old_instance ) {
 		}
 
 		for ( $i = 1; $i <= 4; ) {
-			$instance[ 'label_' . $i ]            = $new_instance[ 'label_' . $i ];
-			$instance[ 'media_image_' . $i ]      = $new_instance[ 'media_image_' . $i ];
-			$instance[ 'media_alt_' . $i ]        = $new_instance[ 'media_alt_' . $i ];
-			$instance[ 'iconFont_class_' . $i ]   = $new_instance[ 'iconFont_class_' . $i ];
-			$instance[ 'iconFont_bgColor_' . $i ] = $new_instance[ 'iconFont_bgColor_' . $i ];
+			$instance[ 'label_' . $i ]            = wp_kses_post( $new_instance[ 'label_' . $i ] );
+			$instance[ 'media_image_' . $i ]      = esc_url( $new_instance[ 'media_image_' . $i ] );
+			$instance[ 'media_alt_' . $i ]        = esc_html( $new_instance[ 'media_alt_' . $i ] );
+			$instance[ 'iconFont_class_' . $i ]   = esc_html( $new_instance[ 'iconFont_class_' . $i ] );
+			$instance[ 'iconFont_bgColor_' . $i ] = esc_html( $new_instance[ 'iconFont_bgColor_' . $i ] );
 			$instance[ 'iconFont_bgType_' . $i ]  = $new_instance[ 'iconFont_bgType_' . $i ];
-			$instance[ 'summary_' . $i ]          = $new_instance[ 'summary_' . $i ];
-			$instance[ 'linkurl_' . $i ]          = $new_instance[ 'linkurl_' . $i ];
+			$instance[ 'summary_' . $i ]          = wp_kses_post( $new_instance[ 'summary_' . $i ] );
+			$instance[ 'linkurl_' . $i ]          = esc_url( $new_instance[ 'linkurl_' . $i ] );
 			$instance[ 'blank_' . $i ]            = ( isset( $new_instance[ 'blank_' . $i ] ) && $new_instance[ 'blank_' . $i ] == 'true' );
 			$i++;
 		}

inc/other-widget/widget-profile.php

@@ -181,24 +181,24 @@ function form( $instance ) {
 	/*-------------------------------------------*/
 	function update( $new_instance, $old_instance ) {
 		$instance                    = $old_instance;
-		$instance['label']           = $new_instance['label'];
-		$instance['mediaFile']       = $new_instance['mediaFile'];
-		$instance['mediaAlt']        = $new_instance['mediaAlt'];
-		$instance['profile']         = $new_instance['profile'];
+		$instance['label']           = wp_kses_post( $new_instance['label'] );
+		$instance['mediaFile']       = esc_url( $new_instance['mediaFile'] );
+		$instance['mediaAlt']        = esc_html( $new_instance['mediaAlt'] );
+		$instance['profile']         = wp_kses_post( $new_instance['profile'] );
 		$instance['mediaAlign_left'] = $new_instance['mediaAlign_left'];
 		$instance['mediaAlign']      = $new_instance['mediaAlign'];
 		$instance['mediaRound']      = $new_instance['mediaRound'];
-		$instance['mediaSize']       = $new_instance['mediaSize'];
+		$instance['mediaSize']       = esc_html( $new_instance['mediaSize'] );
 		$instance['mediaFloat']      = $new_instance['mediaFloat'];
 		$instance['facebook']        = esc_url( $new_instance['facebook'] );
 		$instance['twitter']         = esc_url( $new_instance['twitter'] );
-		$instance['mail']            = esc_attr( $new_instance['mail'] );
+		$instance['mail']            = esc_url( $new_instance['mail'] );
 		$instance['youtube']         = esc_url( $new_instance['youtube'] );
 		$instance['rss']             = esc_url( $new_instance['rss'] );
 		$instance['instagram']       = esc_url( $new_instance['instagram'] );
 		$instance['linkedin']        = esc_url( $new_instance['linkedin'] );
 		$instance['iconFont_bgType'] = $new_instance['iconFont_bgType'];
-		$instance['icon_color']      = $new_instance['icon_color'];
+		$instance['icon_color']      = esc_html( $new_instance['icon_color'] );
 		return $instance;
 	}	
 	/*-------------------------------------------*/

inc/post-type-manager/package/class.post-type-manager.php

@@ -109,8 +109,9 @@ public static function add_meta_box_action() {
 			/*******************************************
 			 * Supports(Required)
 			 */
-			echo '<h4>' . esc_html__( 'Supports(Required)', 'vk-all-in-one-expansion-unit' ) . '</h4>';
+			echo '<h4>' . esc_html__( 'Supports ( Required )', 'vk-all-in-one-expansion-unit' ) . '</h4>';
 			$post_type_items_value = get_post_meta( $post->ID, 'veu_post_type_items', true );
+
 			echo '<ul>';
 			foreach ( $post_type_items_array as $key => $label ) {
 				$checked = ( isset( $post_type_items_value[ $key ] ) && $post_type_items_value[ $key ] ) ? ' checked' : '';
@@ -323,33 +324,42 @@ public static function save_cf_value( $post_id ) {
 			if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
 				return $post_id;
 			}
+
+			$post_type_id            = ! empty( $_POST['veu_post_type_id'] )            ? esc_html( strip_tags( $_POST['veu_post_type_id'] ) )  : '';
+			$post_type_items         = ! empty( $_POST['veu_post_type_items'] )         ? $_POST['veu_post_type_items']                         : '';
+			$menu_posttion           = ! empty( $_POST['veu_menu_position'] )           ? esc_html( strip_tags( $_POST['veu_menu_position'] ) ) : '';
+			$menu_icon               = ! empty( $_POST['veu_menu_icon'] )               ? esc_html( strip_tags( $_POST['veu_menu_icon'] ) )     : '';
+			$post_type_export_to_api = ! empty( $_POST['veu_post_type_export_to_api'] ) ? esc_html( $_POST['veu_post_type_export_to_api'] )     : '';
+			$post_type_rewrite       = ! empty( $_POST['veu_post_type_rewrite'] )       ? esc_html( $_POST['veu_post_type_rewrite'] )           : '';
+
+			if ( ! empty ( $_POST['veu_taxonomy'] ) ) {
+				$taxonomy      = $_POST['veu_taxonomy'];
+
+				for ( $i = 1; $i <= apply_filters( 'veu_post_type_taxonomies', 5 ); $i++ ) {
+					$taxonomy[$i]['slug']     = ! empty( $taxonomy[$i]['slug'] )     ? esc_html( strip_tags( $taxonomy[$i]['slug'] ) )  : '';
+					$taxonomy[$i]['label']    = ! empty( $taxonomy[$i]['label'] )    ? esc_html( strip_tags( $taxonomy[$i]['label'] ) ) : '';
+					$taxonomy[$i]['tag']      = ! empty( $taxonomy[$i]['tag'] )      ? esc_html( $taxonomy[$i]['tag'] )                 : '';
+					$taxonomy[$i]['rest_api'] = ! empty( $taxonomy[$i]['rest_api'] ) ? esc_html( $taxonomy[$i]['rest_api'] )            : '';						
+				}
+			}
 
-				// 保存しているカスタムフィールド.
+			// 保存しているカスタムフィールド.
 			$fields = array(
-				'veu_post_type_id',
-				'veu_post_type_items',
-				'veu_menu_position',
-				'veu_menu_icon',
-				'veu_post_type_export_to_api',
-				'veu_post_type_rewrite',
-				'veu_taxonomy',
+				'veu_post_type_id'            => $post_type_id,
+				'veu_post_type_items'         => $post_type_items,
+				'veu_menu_position'           => $menu_posttion,
+				'veu_menu_icon'               => $menu_icon,
+				'veu_post_type_export_to_api' => $post_type_export_to_api,
+				'veu_post_type_rewrite'       => $post_type_rewrite,
+				'veu_taxonomy'                => $taxonomy,
 			);
 
-			foreach ( $fields as $key => $field ) {
-					$field_value = ( isset( $_POST[ $field ] ) ) ? $_POST[ $field ] : '';
-
-					// データが空だったら入れる.
-				if ( get_post_meta( $post_id, $field ) == '' ) {
-					add_post_meta( $post_id, $field, $field_value, true );
-
-					// 今入ってる値と違ってたらアップデートする.
-				} elseif ( get_post_meta( $post_id, $field, true ) !== $field_value ) {
-					update_post_meta( $post_id, $field, $field_value );
-
-					// 入力がなかったら消す.
-				} elseif ( '' === $field_value ) {
-					delete_post_meta( $post_id, $field, get_post_meta( $post_id, $field, true ) );
-				}
+			foreach ( $fields as $field_name => $field_value ) {
+				if ( ! empty( $field_value ) ) {
+					update_post_meta( $post_id, $field_name, $field_value );
+				} else {
+					delete_post_meta(  $post_id, $field_name );
+				}				
 			}
 
 			// リライトルールを更新するように.

inc/sns/widget-fb-page-plugin.php

@@ -51,9 +51,9 @@ function widget( $args, $instance ) {
 
 	function update( $new_instance, $old_instance ) {
 		$instance              = $old_instance;
-		$instance['label']     = $new_instance['label'];
-		$instance['page_url']  = $new_instance['page_url'];
-		$instance['height']    = $new_instance['height'];
+		$instance['label']     = wp_kses_post( $new_instance['label'] );
+		$instance['page_url']  = esc_url( $new_instance['page_url'] );
+		$instance['height']    = esc_html( $new_instance['height'] );
 		$instance['showFaces'] = $new_instance['showFaces'];
 		$instance['hideCover'] = $new_instance['hideCover'];
 		$instance['showPosts'] = $new_instance['showPosts'];

readme.txt

@@ -81,6 +81,8 @@ e.g.
 
 == Changelog ==
 
+[ Bug fix ] Fix XSS of Widgets, CTA, Custom Post Type Manager.
+
 = 9.99.0 =
 [ Specification Change ] Foce Load JS from footer is abolished.
 [ Fix ] Add a title attribute on  Google Tag Manager (noscript)