XSS 対応

inc/call-to-action/package/class-vk-call-to-action.php

@@ -166,40 +166,49 @@ public static function save_custom_field( $post_id ) {
 						'escape_type' => '',
 					),
 					'vkExUnit_cta_img'                => array(
-						'escape_type' => '',
+						'escape_type' => 'esc_url',
 					),
 					'vkExUnit_cta_img_position'       => array(
 						'escape_type' => '',
 					),
 					'vkExUnit_cta_button_text'        => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => array( 'stripslashes', 'wp_kses_post' ),
 					),
 					'vkExUnit_cta_button_icon'        => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => 'wp_kses_post',
 					),
 					'vkExUnit_cta_button_icon_before' => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => 'wp_kses_post',
 					),
 					'vkExUnit_cta_button_icon_after'  => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => 'wp_kses_post',
 					),
 					'vkExUnit_cta_url'                => array(
-						'escape_type' => '',
+						'escape_type' => 'esc_url',
 					),
 					'vkExUnit_cta_url_blank'          => array(
 						'escape_type' => '',
 					),
 					'vkExUnit_cta_text'               => array(
-						'escape_type' => 'stripslashes',
+						'escape_type' => array( 'stripslashes', 'wp_kses_post' ),
 					),
 				);
 
 				// カスタムフィールドの保存.
 				foreach ( $custom_fields as $custom_field_name => $custom_field_options ) {
 
 					if ( isset( $_POST[ $custom_field_name ] ) ) {
-						if ( isset( $custom_field_name['escape_type'] ) && $custom_field_name['escape_type'] == 'stripslashes' ) {
-							$data = stripslashes( $_POST[ $custom_field_name ] );
+						if ( ! empty( $custom_field_name['escape_type'] ) ) {
+							if ( is_array( $custom_field_name['escape_type'] ) ) {
+								// エスケープ処理が複数ある場合
+								$data =  $_POST[ $custom_field_name ];
+								foreach ( $custom_field_name['escape_type'] as $escape ) {
+									$data = call_user_func( $escape, $data );
+								}
+							} else {
+								// エスケープ処理が一つの場合
+								$data = call_user_func( $custom_field_name['escape_type'], $_POST[ $custom_field_name ] );
+							}
 						} else {
 							$data = $_POST[ $custom_field_name ];
 						}
@@ -498,6 +507,91 @@ public static function get_cta_post( $id ) {
 			return $target;
 		}
 
+		/**
+		 * 許可する HTML
+		 */
+		public static function cta_allow_html() {
+			$allowed_html = array(
+				'div'  => array(
+					'id'        => array(),
+					'class'     => array(),
+					'itemprop'  => array(),
+					'itemscope' => array(),
+					'itemtype'  => array(),
+					'style'     => array(),
+				),
+				'h3' => array(
+					'id'        => array(),
+					'class'     => array(),
+					'style'     => array(),
+				),
+				'h4' => array(
+					'id'        => array(),
+					'class'     => array(),
+					'style'     => array(),
+				),
+				'h5' => array(
+					'id'        => array(),
+					'class'     => array(),
+					'style'     => array(),
+				),
+				'h6' => array(
+					'id'        => array(),
+					'class'     => array(),
+					'style'     => array(),
+				),
+				'p'    => array(
+					'id'    => array(),
+					'class' => array(),
+					'style'     => array(),
+				),
+				'ul'   => array(
+					'id'        => array(),
+					'class'     => array(),
+					'itemprop'  => array(),
+					'itemscope' => array(),
+					'itemtype'  => array(),
+					'style'     => array(),
+				),
+				'ol'   => array(
+					'id'        => array(),
+					'class'     => array(),
+					'itemprop'  => array(),
+					'itemscope' => array(),
+					'itemtype'  => array(),
+					'style'     => array(),
+				),
+				'li'   => array(
+					'id'        => array(),
+					'class'     => array(),
+					'itemprop'  => array(),
+					'itemscope' => array(),
+					'itemtype'  => array(),
+					'style'     => array(),
+				),
+				'a'    => array(
+					'id'       => array(),
+					'class'    => array(),
+					'href'     => array(),
+					'target'   => array(),
+					'itemprop' => array(),
+					'style'     => array(),
+				),
+				'span' => array(
+					'id'        => array(),
+					'class'     => array(),
+					'itemprop'  => array(),
+					'itemscope' => array(),
+					'itemtype'  => array(),
+					'style'     => array(),
+				),
+				'i'    => array(
+					'id'    => array(),
+					'class' => array(),
+				),
+			);
+			return $allowed_html;
+		}
 
 		/**
 		 * CTAとして返す内容の処理
@@ -545,7 +639,7 @@ public static function render_cta_content( $id ) {
 			wp_reset_postdata();
 
 			// wp_kses_post でエスケープすると outerブロックが出力するstyle属性を無効化される.
-			return do_blocks( do_shortcode( $content ) );
+			return do_blocks( do_shortcode( wp_kses( $content, cta_allow_html() ) ) );
 		}
 
 		/**
@@ -717,7 +811,8 @@ public static function get_option( $show_label = false ) {
 			// ↓ これであかんの？
 			// $output_option = wp_parse_args( $option, $default );
 			if ( ! $option || ! is_array( $option ) ) {
-				return $default; }
+				return $default; 
+			}
 
 			$posttypes = array_merge(
 				array(

inc/contact-section/contact-section.php

@@ -241,16 +241,16 @@ public function options_page() {
 	}
 
 	public function option_sanitaize( $option ) {
-		$option['contact_txt']       = stripslashes( $option['contact_txt'] );
-		$option['tel_number']        = stripslashes( $option['tel_number'] );
-		$option['tel_icon']          = stripslashes( $option['tel_icon'] );
-		$option['contact_time']      = stripslashes( $option['contact_time'] );
-		$option['contact_link']      = stripslashes( $option['contact_link'] );
-		$option['button_text']       = stripslashes( $option['button_text'] );
-		$option['button_text_small'] = stripslashes( $option['button_text_small'] );
-		$option['short_text']        = stripslashes( $option['short_text'] );
+		$option['contact_txt']       = wp_kses_post( stripslashes( $option['contact_txt'] ) );
+		$option['tel_number']        = wp_kses_post( stripslashes( $option['tel_number'] ) );
+		$option['tel_icon']          = wp_kses_post( $option['tel_icon'] );
+		$option['contact_time']      = wp_kses_post( stripslashes( $option['contact_time'] ) );
+		$option['contact_link']      = esc_url ( $option['contact_link'] );
+		$option['button_text']       = wp_kses_post( stripslashes( $option['button_text'] ) );
+		$option['button_text_small'] = wp_kses_post( stripslashes( $option['button_text_small'] ) );
+		$option['short_text']        = wp_kses_post( stripslashes( $option['short_text'] ) );
 		$option['contact_image']     = esc_url( $option['contact_image'] );
-		$option['contact_html']      = stripslashes( $option['contact_html'] );
+		$option['contact_html']      = wp_kses_post( stripslashes( $option['contact_html'] ) );
 		return $option;
 	}
 
@@ -451,7 +451,7 @@ public static function render_widget_contact_btn_html() {
 			}
 			$cont .= '<i class="' . $class . '"></i> ';
 
-			$cont .= $options['short_text'];
+			$cont .= wp_kses_post( $options['short_text'] );
 
 			// Arrow Icon
 			$class = 'far fa-arrow-alt-circle-right';
@@ -462,7 +462,7 @@ public static function render_widget_contact_btn_html() {
 
 			$cont .= '</span>';
 			if ( isset( $options['button_text_small'] ) && $options['button_text_small'] ) {
-				$cont .= '<span class="contact_bt_subTxt contact_bt_subTxt_side">' . $options['button_text_small'] . '</span>';
+				$cont .= '<span class="contact_bt_subTxt contact_bt_subTxt_side">' . wp_kses_post( $options['button_text_small'] ) . '</span>';
 			}
 			$cont .= '</a>';
 		}

inc/other-widget/widget-3pr-area.php

@@ -137,13 +137,13 @@ function update( $new_instance, $old_instance ) {
 		$instance = $old_instance;
 
 		for ( $i = 1; $i <= 3; ) {
-			$instance[ 'label_' . $i ]              = $new_instance[ 'label_' . $i ];
-			$instance[ 'media_3pr_image_' . $i ]    = $new_instance[ 'media_3pr_image_' . $i ];
-			$instance[ 'media_3pr_alt_' . $i ]      = $new_instance[ 'media_3pr_alt_' . $i ];
-			$instance[ 'media_3pr_image_sp_' . $i ] = $new_instance[ 'media_3pr_image_sp_' . $i ];
-			$instance[ 'media_3pr_alt_sp_' . $i ]   = $new_instance[ 'media_3pr_alt_sp_' . $i ];
-			$instance[ 'summary_' . $i ]            = $new_instance[ 'summary_' . $i ];
-			$instance[ 'linkurl_' . $i ]            = $new_instance[ 'linkurl_' . $i ];
+			$instance[ 'label_' . $i ]              = wp_kses_post( stripslashes($new_instance[ 'label_' . $i ] ) );
+			$instance[ 'media_3pr_image_' . $i ]    = esc_url( $new_instance[ 'media_3pr_image_' . $i ] );
+			$instance[ 'media_3pr_alt_' . $i ]      = esc_html( stripslashes( $new_instance[ 'media_3pr_alt_' . $i ] ) );
+			$instance[ 'media_3pr_image_sp_' . $i ] = esc_url( $new_instance[ 'media_3pr_image_sp_' . $i ] );
+			$instance[ 'media_3pr_alt_sp_' . $i ]   = esc_html( stripslashes( $new_instance[ 'media_3pr_alt_sp_' . $i ] ) );
+			$instance[ 'summary_' . $i ]            = wp_kses_post( stripslashes( $new_instance[ 'summary_' . $i ] ) );
+			$instance[ 'linkurl_' . $i ]            = esc_url( $new_instance[ 'linkurl_' . $i ] );
 			$instance[ 'blank_' . $i ]              = ( isset( $new_instance[ 'blank_' . $i ] ) && $new_instance[ 'blank_' . $i ] == 'true' );
 			$i++;
 		}
@@ -163,7 +163,7 @@ function widget( $args, $instance ) {
 
 				echo '<h1 class="subSection-title">';
 				if ( isset( $instance[ 'label_' . $i ] ) && $instance[ 'label_' . $i ] ) {
-					echo $instance[ 'label_' . $i ];
+					echo wp_kses_posts( $instance[ 'label_' . $i ] );
 				} else {
 					_e( '3PR area', 'vk-all-in-one-expansion-unit' );
 				}

inc/other-widget/widget-button.php

@@ -69,7 +69,7 @@ function widget( $args, $instance ) {
 
 		if ( $options['linkurl'] && $options['title'] ) : ?>
 		<div class="veu_button">
-			<a class="<?php echo implode( ' ', $classes ); ?>" href="<?php echo $options['linkurl']; ?>"<?php echo $blank; ?>>
+			<a class="<?php echo implode( ' ', $classes ); ?>" href="<?php echo esc_url( $options['linkurl'] ); ?>"<?php echo $blank; ?>>
 			<span class="button_mainText">
 
 			<?php
@@ -205,11 +205,11 @@ function form( $instance ) {
 
 	function update( $new_instance, $old_instance ) {
 		$opt                = array();
-		$opt['title']       = wp_kses_post( $new_instance['title'] );
-		$opt['icon_before'] = $new_instance['icon_before'];
-		$opt['icon_after']  = $new_instance['icon_after'];
-		$opt['subtext']     = $new_instance['subtext'];
-		$opt['linkurl']     = $new_instance['linkurl'];
+		$opt['title']       = wp_kses_post( stripslashes( $new_instance['title'] ) );
+		$opt['icon_before'] = wp_kses_post( $new_instance['icon_before'] );
+		$opt['icon_after']  = wp_kses_post( $new_instance['icon_after'] );
+		$opt['subtext']     = wp_kses_post( stripslashes( $new_instance['subtext'] ) );
+		$opt['linkurl']     = esc_url( $new_instance['linkurl'] );
 		$opt['blank']       = ( isset( $new_instance['blank'] ) && $new_instance['blank'] == 'true' );
 		$opt['size']        = in_array( $new_instance['size'], array( 'sm', 'lg' ) ) ? $new_instance['size'] : 'md';
 		$opt['color']       = in_array( $new_instance['color'], array_keys( self::button_otherlabels() ) ) ? $new_instance['color'] : static::$button_default;

inc/other-widget/widget-page.php

@@ -190,7 +190,7 @@ function form( $instance ) {
 	// 保存・更新する値
 	function update( $new_instance, $old_instance ) {
 		$instance                       = $old_instance;
-		$instance['title']              = $new_instance['title'];
+		$instance['title']              = wp_kses_post( stripslashes( $new_instance['title'] ) );
 		$instance['page_id']            = $new_instance['page_id'];
 		$instance['set_title']          = $new_instance['set_title'];
 		$instance['child_page_index']   = $new_instance['child_page_index'];
@@ -233,7 +233,7 @@ function display_page( $args, $instance ) {
 
 		echo PHP_EOL . '<div id="widget-page-' . $pageid . '" class="widget_pageContent entry-body">' . PHP_EOL;
 		if ( $widget_title['display'] ) {
-			echo $args['before_title'] . $widget_title['title'] . $args['after_title'] . PHP_EOL;
+			echo wp_kses_post( $args['before_title'] . $widget_title['title'] . $args['after_title'] ) . PHP_EOL;
 		}
 		echo apply_filters( 'the_content', $page->post_content );
 

inc/other-widget/widget-pr-blocks.php

@@ -206,14 +206,14 @@ public function update( $new_instance, $old_instance ) {
 		}
 
 		for ( $i = 1; $i <= 4; ) {
-			$instance[ 'label_' . $i ]            = $new_instance[ 'label_' . $i ];
-			$instance[ 'media_image_' . $i ]      = $new_instance[ 'media_image_' . $i ];
-			$instance[ 'media_alt_' . $i ]        = $new_instance[ 'media_alt_' . $i ];
-			$instance[ 'iconFont_class_' . $i ]   = $new_instance[ 'iconFont_class_' . $i ];
-			$instance[ 'iconFont_bgColor_' . $i ] = $new_instance[ 'iconFont_bgColor_' . $i ];
+			$instance[ 'label_' . $i ]            = wp_kses_post( stripslashes( $new_instance[ 'label_' . $i ] ) );
+			$instance[ 'media_image_' . $i ]      = esc_url( $new_instance[ 'media_image_' . $i ] );
+			$instance[ 'media_alt_' . $i ]        = esc_html( stripslashes( $new_instance[ 'media_alt_' . $i ] ) );
+			$instance[ 'iconFont_class_' . $i ]   = esc_html( $new_instance[ 'iconFont_class_' . $i ] );
+			$instance[ 'iconFont_bgColor_' . $i ] = esc_html( $new_instance[ 'iconFont_bgColor_' . $i ] );
 			$instance[ 'iconFont_bgType_' . $i ]  = $new_instance[ 'iconFont_bgType_' . $i ];
-			$instance[ 'summary_' . $i ]          = $new_instance[ 'summary_' . $i ];
-			$instance[ 'linkurl_' . $i ]          = $new_instance[ 'linkurl_' . $i ];
+			$instance[ 'summary_' . $i ]          = wp_kses_post( stripslashes( $new_instance[ 'summary_' . $i ] ) );
+			$instance[ 'linkurl_' . $i ]          = esc_url( $new_instance[ 'linkurl_' . $i ] );
 			$instance[ 'blank_' . $i ]            = ( isset( $new_instance[ 'blank_' . $i ] ) && $new_instance[ 'blank_' . $i ] == 'true' );
 			$i++;
 		}
@@ -285,7 +285,7 @@ public function widget( $args, $instance ) {
 				// title text
 				echo '<h1 class="prBlock_title">';
 				if ( isset( $instance[ 'label_' . $i ] ) && $instance[ 'label_' . $i ] ) {
-					echo $instance[ 'label_' . $i ];
+					echo wp_kses_post( $instance[ 'label_' . $i ] );
 				} else {
 					_e( 'PR Block', 'vk-all-in-one-expansion-unit' );
 				}

inc/other-widget/widget-profile.php

@@ -181,24 +181,24 @@ function form( $instance ) {
 	/*-------------------------------------------*/
 	function update( $new_instance, $old_instance ) {
 		$instance                    = $old_instance;
-		$instance['label']           = $new_instance['label'];
-		$instance['mediaFile']       = $new_instance['mediaFile'];
-		$instance['mediaAlt']        = $new_instance['mediaAlt'];
-		$instance['profile']         = $new_instance['profile'];
+		$instance['label']           = wp_kses_post( stripslashes($new_instance['label'] ) );
+		$instance['mediaFile']       = esc_url( $new_instance['mediaFile'] );
+		$instance['mediaAlt']        = esc_html( stripslashes( $new_instance['mediaAlt'] ) );
+		$instance['profile']         = wp_kses_post( stripslashes( $new_instance['profile'] ) );
 		$instance['mediaAlign_left'] = $new_instance['mediaAlign_left'];
 		$instance['mediaAlign']      = $new_instance['mediaAlign'];
 		$instance['mediaRound']      = $new_instance['mediaRound'];
-		$instance['mediaSize']       = $new_instance['mediaSize'];
+		$instance['mediaSize']       = esc_html( $new_instance['mediaSize'] );
 		$instance['mediaFloat']      = $new_instance['mediaFloat'];
 		$instance['facebook']        = esc_url( $new_instance['facebook'] );
 		$instance['twitter']         = esc_url( $new_instance['twitter'] );
-		$instance['mail']            = esc_attr( $new_instance['mail'] );
+		$instance['mail']            = esc_url( $new_instance['mail'] );
 		$instance['youtube']         = esc_url( $new_instance['youtube'] );
 		$instance['rss']             = esc_url( $new_instance['rss'] );
 		$instance['instagram']       = esc_url( $new_instance['instagram'] );
 		$instance['linkedin']        = esc_url( $new_instance['linkedin'] );
 		$instance['iconFont_bgType'] = $new_instance['iconFont_bgType'];
-		$instance['icon_color']      = $new_instance['icon_color'];
+		$instance['icon_color']      = esc_html( $new_instance['icon_color'] );
 		return $instance;
 	}	
 	/*-------------------------------------------*/
@@ -356,9 +356,7 @@ function widget( $args, $instance ) {
 		echo PHP_EOL . '<div class="veu_profile">' . PHP_EOL;
 
 		if ( isset( $instance['label'] ) && $instance['label'] ) {
-			echo $args['before_title'];
-			echo $instance['label'];
-			echo $args['after_title'];
+			echo wp_kses_post( $args['before_title'] . $instance['label'] . $args['after_title'] );
 		}
 		?>
 <div class="profile" >