From fc14b89683d29fcac1ff2508a0155304b7568056 Mon Sep 17 00:00:00 2001
From: mtdkei <mtdkei@gmail.com>
Date: Fri, 1 Nov 2024 11:48:52 +0900
Subject: [PATCH 1/9] [Fix] Implement Custom Sanitization for Google Ads &
 Enhance XSS Protection

---
 .../package/class-veu-promotion-alert.php     | 788 ++++++++----------
 1 file changed, 364 insertions(+), 424 deletions(-)

diff --git a/inc/promotion-alert/package/class-veu-promotion-alert.php b/inc/promotion-alert/package/class-veu-promotion-alert.php
index e84a3341..6f2386d9 100644
--- a/inc/promotion-alert/package/class-veu-promotion-alert.php
+++ b/inc/promotion-alert/package/class-veu-promotion-alert.php
@@ -5,115 +5,61 @@
 
 class VEU_Promotion_Alert {
 
-    /**
-     * Constructor Define
-     */
-    public static function init() {
+	/**
+	 * Constructor Define
+	 */
+	public static function init() {
 		add_action( 'veu_package_init', array( __CLASS__, 'option_init' ) );
 		add_action( 'save_post', array( __CLASS__, 'save_meta_box' ) );
-        // is_singular() で判定するため wp で実行
-        add_action( 'wp', array( __CLASS__, 'display_alert' ) );
-        add_action( 'wp_head', array( __CLASS__, 'inline_style' ), 5 );
-        add_action( 'after_setup_theme', array( __CLASS__, 'content_filter' ) );
+		// is_singular() で判定するため wp で実行
+		add_action( 'wp', array( __CLASS__, 'display_alert' ) );
+		add_action( 'wp_head', array( __CLASS__, 'inline_style' ), 5 );
+		add_action( 'after_setup_theme', array( __CLASS__, 'content_filter' ) );
 	}
 
-    /**
+	/**
 	 * HTML Allowed
 	 */
-	public static function kses_allowed() {
-		return array(
-			'div'    => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-			),
-			'h1'     => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-			),
-			'h2'     => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-			),
-			'h3'     => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-			),
-			'h4'     => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-			),
-			'h5'     => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-			),
-			'h6'     => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-			),
-			'p'      => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-			),
-			'ul'     => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-			),
-			'ol'     => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-			),
-			'li'     => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-			),
-			'i'      => array(
-				'id'          => array(),
-				'class'       => array(),
-				'style'       => array(),
-				'aria-hidden' => array()
-			),
-			'a'      => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-				'href'  => array(),
-			),
-			'span'   => array(
-				'id'    => array(),
-				'class' => array(),
-				'style' => array(),
-			),
-			'button' => array(
-				'id'    => array(),
-				'type'  => array(),
-				'class' => array(),
-				'style' => array(),
-				'href'  => array(),
-			),
-            'img'    => array(
-                'id'    => array(),
-                'class' => array(),
-                'style' => array(),
-                'src'   => array(),
-                'alt'   => array(),                
-            ),
-			'style'  => array(),
-            '!'    => array(),
+	public static function sanitize_alert_content($content) {
+    
+		// 1. <style>タグおよびその内容の削除
+		$content = preg_replace('/<style\b[^>]*>.*?<\/style>/is', '', $content);
+	
+		// 2. <script> および <ins> タグ内の内容を保持し、一時的にプレースホルダーに置き換え
+		$placeholders = [];
+		$content = preg_replace_callback(
+			'/(<script\b[^>]*>.*?<\/script>|<ins\b[^>]*>.*?<\/ins>)/is',
+			function($matches) use (&$placeholders) {
+				$placeholder = '%%PLACEHOLDER_' . count($placeholders) . '%%';
+				$placeholders[$placeholder] = $matches[0];
+				return $placeholder;
+			},
+			$content
 		);
-	}
-
-    	/**
+	
+		// 3. 基本的なタグのサニタイズ
+		$allowed_tags = array('div', 'p', 'a', 'img', 'span', 'i', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'ul', 'ol', 'li', 'button');
+		$allowed_attributes = array('id', 'class', 'style', 'href', 'target', 'src', 'alt', 'type', 'rel');
+	
+		$content = preg_replace_callback('/<(\/?)(\w+)([^>]*)>/i', function($matches) use ($allowed_tags, $allowed_attributes) {
+			if (in_array(strtolower($matches[2]), $allowed_tags)) {
+				$attributes = preg_replace('/(\b(?!' . implode('|', $allowed_attributes) . ')\w+)\s*=\s*("[^"]*"|\'[^\']*\')/', '', $matches[3]);
+				return "<{$matches[1]}{$matches[2]}{$attributes}>";
+			}
+			return '';
+		}, $content);
+	
+		// 4. プレースホルダーを元の <script> および <ins> タグに戻す
+		$content = str_replace(array_keys($placeholders), array_values($placeholders), $content);
+	
+		// 5. JavaScriptリンクの無効化
+		$content = preg_replace('/\s*on\w+\s*=\s*"[^"]*"|\s*on\w+\s*=\s*\'[^\']*\'/', '', $content);
+		$content = preg_replace('/\s*href\s*=\s*"javascript:[^"]*"|\s*href\s*=\s*\'javascript:[^\']*\'/', 'href="#"', $content);
+	
+		return $content;
+	}	
+	
+	/**
 	 * コンテンツにかけるフィルター
 	 */
 	public static function content_filter() {
@@ -128,140 +74,145 @@ public static function content_filter() {
 		add_filter( 'veu_promotion_alert_content', 'wp_replace_insecure_home_url' );
 	}
 
-    /**
-     * Get Post Types
-     */
-    public static function get_post_types() {
-
-        // 投稿タイプの事前準備
-        $post_types_default = array( 
-            array(
-                'label' => get_post_type_object( 'post' )->label,
-                'name'  => 'post'
-            ),
-            array(
-                'label' =>  get_post_type_object( 'page' )->label,
-                'name'  => 'page',
-            ),
-        );
-        $post_types_extra = array();
-        $extra_post_types   = get_post_types(
-            array(
-                'public'   => true,
-                '_builtin' => false
-            ),
-            'objects'
-        );
-        foreach ( $extra_post_types as $post_type ) {
-            $post_types_extra[] = array(
-                'label' => $post_type->label,
-                'name'  => $post_type->name
-            );
-        }
-        $post_types = array_merge( $post_types_default, $post_types_extra );
-        return $post_types;
-    }
-
-    /**
-     * Get Options
-     */
-    public static function get_options() {
-
-        // デフォルト値
-        $default = array(
-            'alert-text'     => '',
-            'alert-content'  => '',
-            'alert-hook'     => '',
-        );
-
-        // オプション取得
-        $options = get_option( 'vkExUnit_PA' );      
-        $options = wp_parse_args( $options, $default );
-
-        // 投稿タイプ毎に初期化
-        $post_types = self::get_post_types();
-        foreach ( $post_types as $post_type ) {
-            if ( empty( $options['alert-display'][ $post_type['name'] ] ) ) {
-                $options['alert-display'][ $post_type['name'] ] = 'hide';
-            }
-        }
-
-        return $options;
-    }
-
-
-    /**
-     * Add Setting Page
-     */
-    public static function option_init() {
-        vkExUnit_register_setting(
+	/**
+	 * Get Post Types
+	 */
+	public static function get_post_types() {
+
+		// 投稿タイプの事前準備
+		$post_types_default = array( 
+			array(
+				'label' => get_post_type_object( 'post' )->label,
+				'name'  => 'post'
+			),
+			array(
+				'label' =>  get_post_type_object( 'page' )->label,
+				'name'  => 'page',
+			),
+		);
+		$post_types_extra = array();
+		$extra_post_types   = get_post_types(
+			array(
+				'public'   => true,
+				'_builtin' => false
+			),
+			'objects'
+		);
+		foreach ( $extra_post_types as $post_type ) {
+			$post_types_extra[] = array(
+				'label' => $post_type->label,
+				'name'  => $post_type->name
+			);
+		}
+		$post_types = array_merge( $post_types_default, $post_types_extra );
+		return $post_types;
+	}
+
+	/**
+	 * Get Options
+	 */
+	public static function get_options() {
+
+		// デフォルト値
+		$default = array(
+			'alert-text'     => '',
+			'alert-content'  => '',
+			'alert-hook'     => '',
+		);
+
+		// オプション取得
+		$options = get_option( 'vkExUnit_PA' );      
+		$options = wp_parse_args( $options, $default );
+
+		// 投稿タイプ毎に初期化
+		$post_types = self::get_post_types();
+		foreach ( $post_types as $post_type ) {
+			if ( empty( $options['alert-display'][ $post_type['name'] ] ) ) {
+				$options['alert-display'][ $post_type['name'] ] = 'hide';
+			}
+		}
+
+		return $options;
+	}
+
+
+	/**
+	 * Add Setting Page
+	 */
+	public static function option_init() {
+		vkExUnit_register_setting(
 			__( 'Promotion Alert', 'vk-all-in-one-expansion-unit' ),           // tab label.
 			'vkExUnit_PA',                         // name attr
 			array( __CLASS__, 'sanitize_setting' ),      // sanitaise function name
 			array( __CLASS__, 'render_setting' )     // setting_page function name
 		);
-    }
-
-    /**
-     * Sanitize Space 
-     */
-    public static function sanitize_space( $input ) {
-        if ( preg_match( '/^(\s)+$/u', $input ) ) {
-            return '';
-        }
-        return $input;
-    }
-
-    /**
-     * Sanitize Setting
-     */
-    public static function sanitize_setting( $input ) {
-
-        // 投稿タイプを取得
-        $post_types = self::get_post_types();
-
-        // 許可されたHTMLタグ
-        $allowed_html = self::kses_allowed();
-
-        // サニタイズ
-        $options = array();
-        $options['alert-text']    = ! empty( $input['alert-text'] ) ?  self::sanitize_space( esc_html( $input['alert-text'] ) ) : '';
-        $options['alert-content'] = ! empty( $input['alert-content'] ) ? self::sanitize_space( stripslashes( htmlspecialchars( $input['alert-content'] ) ) ) : '';
-
-        foreach ( $post_types as $post_type ) {
-            $options['alert-display'][ $post_type['name'] ] = ! empty( $input['alert-display'][ $post_type['name'] ] ) ? 'display' : 'hide';
-        }
-        $options['alert-hook'] = ! empty( $input['alert-hook'] ) ? self::sanitize_space( esc_html( $input['alert-hook'] ) ) : '';
-        return $options;
-    }
-
-    /**
-     * Render Setting Page
-     */
-    public static function render_setting() {
-
-        // 投稿タイプを取得
-        $post_types = self::get_post_types();
-
-        // 許可されたHTMLタグ
-        $allowed_html = self::kses_allowed();
-
-        // オプションを取得
-        $options = self::get_options();
-        ?>
-        <h3><?php _e( 'Promotion Alert', 'vk-all-in-one-expansion-unit' ); ?></h3>
-        <div id="vkExUnit_PA" class="sectionBox">
+	}
+
+	/**
+	 * Sanitize Space 
+	 */
+	public static function sanitize_space( $input ) {
+		if ( preg_match( '/^(\s)+$/u', $input ) ) {
+			return '';
+		}
+		return $input;
+	}
+
+	/**
+	 * Sanitize Setting
+	 */
+	public static function sanitize_setting( $input ) {
+
+		// 投稿タイプを取得
+		$post_types = self::get_post_types();
+		
+		// サニタイズ処理
+		$options = array();
+		$options['alert-text'] = ! empty( $input['alert-text'] ) ? self::sanitize_space( esc_html( $input['alert-text'] ) ) : '';
+		
+		// alert-contentを許可リストに基づいてサニタイズ
+		if ( ! empty( $input['alert-content'] ) ) {
+			// サニタイズ前のデバッグ出力
+			error_log( 'Before wp_kses: ' . print_r( stripslashes( $input['alert-content'] ), true ) );
+			$options['alert-content'] = self::sanitize_alert_content( stripslashes( $input['alert-content'] ) );
+			// サニタイズ後のデバッグ出力
+			error_log( 'After wp_kses: ' . print_r( $options['alert-content'], true ) );
+		} else {
+			$options['alert-content'] = '';
+		}
+
+		foreach ( $post_types as $post_type ) {
+			$options['alert-display'][ $post_type['name'] ] = ! empty( $input['alert-display'][ $post_type['name'] ] ) ? 'display' : 'hide';
+		}
+
+		$options['alert-hook'] = ! empty( $input['alert-hook'] ) ? self::sanitize_space( esc_html( $input['alert-hook'] ) ) : '';
+		return $options;
+	}
+
+	/**
+	 * Render Setting Page
+	 */
+	public static function render_setting() {
+
+		// 投稿タイプを取得
+		$post_types = self::get_post_types();
+
+		// オプションを取得
+		$options = self::get_options();
+		?>
+		<h3><?php _e( 'Promotion Alert', 'vk-all-in-one-expansion-unit' ); ?></h3>
+		<div id="vkExUnit_PA" class="sectionBox">
 			<P>
 			<?php _e( 'If the article contains advertisements, it\'s necessary to provide a clear notation for general consumers to recognize.', 'vk-all-in-one-expansion-unit' ); ?>
 			<br>
 			<?php _e( 'By inputting here, you can automatically insert it at the beginning of the article.', 'vk-all-in-one-expansion-unit' ); ?>
 			</p>
-            <table class="form-table">
-                <tr>
-                    <th><?php _e( 'Alert Text', 'vk-all-in-one-expansion-unit' ); ?></th>
-                    <td>
+			<table class="form-table">
+				<tr>
+					<th><?php _e( 'Alert Text', 'vk-all-in-one-expansion-unit' ); ?></th>
+					<td>
 						<p>
-                        <input type="text" name="vkExUnit_PA[alert-text]" value="<?php echo esc_attr( $options['alert-text'] ); ?>" class="large-text">
+						<input type="text" name="vkExUnit_PA[alert-text]" value="<?php echo esc_attr( $options['alert-text'] ); ?>" class="large-text">
 						</p>
 						<p>Ex)</p>
 						<ul>
@@ -269,69 +220,69 @@ public static function render_setting() {
 						<li><?php _e( 'This article contains promotions.', 'vk-all-in-one-expansion-unit' ); ?></li>
 						<li><?php _e( 'This article is posted with products provided by ***.', 'vk-all-in-one-expansion-unit' ); ?></li>
 						</ul>
-                    </td>
-                </tr>
-                <tr>
-                    <th><?php _e( 'Custom Alert Content', 'vk-all-in-one-expansion-unit' ); ?></th>
-                    <td>
-                        <textarea name="vkExUnit_PA[alert-content]" style="width:100%;" rows="10"><?php echo $options['alert-content']; ?></textarea>
-                        <ul>
-                            <li><?php _e( 'If there is any input in "Custom Alert Content", "Alert Text" will not be displayed and will be overwritten by the content entered in "Custom Alert Content".', 'vk-all-in-one-expansion-unit' ); ?></li>
-                            <li><?php _e( 'You can insert HTML tags here. This is designed to be used by pasting content created in the Block Editor.', 'vk-all-in-one-expansion-unit' ); ?></li>
-                        </ul>
-                                
-                    </td>
-                </tr>
-                <tr>
-                    <th><?php _e( 'Display Post Types', 'vk-all-in-one-expansion-unit' ); ?></th>
-                    <td>
-                        <ul class="no-style">
-                        <?php foreach ( $post_types as $post_type ) : ?>
-                            <li>
-                                <label>
-                                    <input type="checkbox" name="vkExUnit_PA[alert-display][<?php echo esc_attr( $post_type['name'] ); ?>]" <?php checked( $options['alert-display'][ $post_type['name'] ], 'display' ); ?>>
-                                    <?php echo esc_html( $post_type['label'] ); ?>
-                                </label>
-                            </li>
-                        <?php endforeach; ?>
-                        </ul>
-                        <p><?php _e( 'Settings for individual articles take precedence over settings here.', 'vk-all-in-one-expansion-unit' ); ?></p>
-                    </td>
-                </tr>
-                </table>
-                <hr>
-                <table class="form-table">
-                <tr>
-                    <th><?php _e( 'Alert Hook ( Optional )', 'vk-all-in-one-expansion-unit' ); ?></th>
-                    <td>
-                        <p><?php _e( 'By default, it is output at the top of the content.', 'vk-all-in-one-expansion-unit' ); ?><br><?php _e( 'If you want to change the location of any action hook, enter the action hook name.', 'vk-all-in-one-expansion-unit' ); ?><br><?php _e( 'Ex) lightning_entry_body_prepend', 'vk-all-in-one-expansion-unit' ); ?></p>
-                        <input type="text" name="vkExUnit_PA[alert-hook]" value="<?php echo esc_attr( $options['alert-hook'] ); ?>" class="large-text">
-                    </td>                    
-                </tr>
-            </table>
-            <?php submit_button(); ?>
-        </div>
-        <?php
-    }
-
-    /**
-     * Save Meta Box
-     */
-    public static function save_meta_box( $post_id ) {
-
-        // Check if our nonce is set.
-        if ( ! isset( $_POST['veu_promotion_alert_nonce'] ) ) {
+					</td>
+				</tr>
+				<tr>
+					<th><?php _e( 'Custom Alert Content', 'vk-all-in-one-expansion-unit' ); ?></th>
+					<td>
+						<textarea name="vkExUnit_PA[alert-content]" style="width:100%;" rows="10"><?php echo $options['alert-content']; ?></textarea>
+						<ul>
+							<li><?php _e( 'If there is any input in "Custom Alert Content", "Alert Text" will not be displayed and will be overwritten by the content entered in "Custom Alert Content".', 'vk-all-in-one-expansion-unit' ); ?></li>
+							<li><?php _e( 'You can insert HTML tags here. This is designed to be used by pasting content created in the Block Editor.', 'vk-all-in-one-expansion-unit' ); ?></li>
+						</ul>
+								
+					</td>
+				</tr>
+				<tr>
+					<th><?php _e( 'Display Post Types', 'vk-all-in-one-expansion-unit' ); ?></th>
+					<td>
+						<ul class="no-style">
+						<?php foreach ( $post_types as $post_type ) : ?>
+							<li>
+								<label>
+									<input type="checkbox" name="vkExUnit_PA[alert-display][<?php echo esc_attr( $post_type['name'] ); ?>]" <?php checked( $options['alert-display'][ $post_type['name'] ], 'display' ); ?>>
+									<?php echo esc_html( $post_type['label'] ); ?>
+								</label>
+							</li>
+						<?php endforeach; ?>
+						</ul>
+						<p><?php _e( 'Settings for individual articles take precedence over settings here.', 'vk-all-in-one-expansion-unit' ); ?></p>
+					</td>
+				</tr>
+				</table>
+				<hr>
+				<table class="form-table">
+				<tr>
+					<th><?php _e( 'Alert Hook ( Optional )', 'vk-all-in-one-expansion-unit' ); ?></th>
+					<td>
+						<p><?php _e( 'By default, it is output at the top of the content.', 'vk-all-in-one-expansion-unit' ); ?><br><?php _e( 'If you want to change the location of any action hook, enter the action hook name.', 'vk-all-in-one-expansion-unit' ); ?><br><?php _e( 'Ex) lightning_entry_body_prepend', 'vk-all-in-one-expansion-unit' ); ?></p>
+						<input type="text" name="vkExUnit_PA[alert-hook]" value="<?php echo esc_attr( $options['alert-hook'] ); ?>" class="large-text">
+					</td>                    
+				</tr>
+			</table>
+			<?php submit_button(); ?>
+		</div>
+		<?php
+	}
+
+	/**
+	 * Save Meta Box
+	 */
+	public static function save_meta_box( $post_id ) {
+
+		// Check if our nonce is set.
+		if ( ! isset( $_POST['veu_promotion_alert_nonce'] ) ) {
 			return $post_id;
 		}
 
-        $nonce = $_POST['veu_promotion_alert_nonce'];
+		$nonce = $_POST['veu_promotion_alert_nonce'];
 
-        // Verify that the nonce is valid.
+		// Verify that the nonce is valid.
 		if ( ! wp_verify_nonce( $nonce, 'veu_promotion_alert' ) ) {
 			return $post_id;
 		}
 
-        /*
+		/*
 		 * If this is an autosave, our form has not been submitted,
 		 * so we don't want to do anything.
 		 */
@@ -339,7 +290,7 @@ public static function save_meta_box( $post_id ) {
 			return $post_id;
 		}
 
-        // Check the user's permissions.
+		// Check the user's permissions.
 		if ( 'page' == $_POST['post_type'] ) {
 			if ( ! current_user_can( 'edit_page', $post_id ) ) {
 				return $post_id;
@@ -350,155 +301,144 @@ public static function save_meta_box( $post_id ) {
 			}
 		}
 
-        /* OK, it's safe for us to save the data now. */
+		/* OK, it's safe for us to save the data now. */
 
 		// Sanitize the user input.
 		$mydata = sanitize_text_field( $_POST['veu_display_promotion_alert'] );
 
 		// Update the meta field.
 		update_post_meta( $post_id, 'veu_display_promotion_alert', $mydata );
-    }
-
-    /**
-     * Display Condition
-     */
-    public static function get_display_condition( $post_id ) {
-
-        // 通常は false
-        $return = false;
-
-        // カスタムフィールドを取得
-        $meta = get_post_meta( $post_id, 'veu_display_promotion_alert', true );
-        $meta = ! empty( $meta ) ? $meta : 'common';
-
-        // オプションを取得
-        $options = self::get_options();
-
-          // 投稿タイプを取得
-        $post_type = get_post_type( $post_id );
-
-        // 表示条件を判定
-        if ( 'display' === $meta ) {
-            // カスタムフィールドが display の場合は true
-            $return = true;
-        } elseif ( 'common' === $meta && ! empty( $options['alert-display'][ $post_type ] ) && 'display' === $options['alert-display'][ $post_type ] ) {
-            // カスタムフィールドが common でオプションが display の場合は true
-            $return = true;
-        }
-
-        return $return;        
-    }
-
-    /**
-     * Alert Content
-     */
-    public static function get_alert_content() {
-
-        // アラートを初期化
-        $alert = '';
-        $alert_content = '';
-
-        // 表示条件を判定
-        $display = self::get_display_condition( get_the_ID() );
-
-        // 表示条件が true の場合はアラートを表示
-        if ( ! empty( $display ) ) {
-
-            // オプションを取得
-            $options = self::get_options();
-
-            // アラートの中身を作成
-            if ( ! empty( $options['alert-content'] ) ) {
-                $alert_content  = '<div class="veu_promotion-alert__content--custom">';
-                $alert_content .= $options['alert-content'];
-                $alert_content .= '</div>';
-            } elseif ( ! empty( $options['alert-text'] ) ) {
-                $alert_content  = '<div class="veu_promotion-alert__content--text">';
-                $alert_content .= '<span class="veu_promotion-alert__icon"><i class="fa-solid fa-circle-info"></i></span>';
-                $alert_content .= '<span class="veu_promotion-alert__text">' . $options['alert-text'] . '</span>';
-                $alert_content .= '</div>';
-            }
-
-            if ( ! empty( $alert_content ) ) {
-                $alert = '<div class="veu_promotion-alert" data-nosnippet>' . $alert_content . '</div>';
-            }
-        }
-
-        return apply_filters( 'veu_promotion_alert_content', htmlspecialchars_decode( $alert ) );
-    }
-
-    /**
-     * Display Alert Content Filter Hook
-     */
-    public static function display_alert_filter( $content ) {
-
-        // アラートを取得
-        $alert = self::get_alert_content();
-
-        // 文頭にアラートを追加
-        $content = $alert . $content;
-       
-        return $content;       
-    }
-
-    /**
-     * Display Alert Content Action Hook
-     */
-    public static function display_alert_action() {
-
-        // アラートを取得
-        $alert = self::get_alert_content();
-        // 許可されたHTMLタグ
-        $allowed_html = self::kses_allowed();
-
-        echo wp_kses( $alert, $allowed_html );       
-    }
-
-    /**
-     * Display Alert
-     */
-    public static function display_alert() {
-
-        // オプションを取得
-        $options = self::get_options();
-        if ( is_singular() ) {
-            if ( ! empty( $options['alert-hook'] ) ) {
-                add_action( $options['alert-hook'], array( __CLASS__, 'display_alert_action' ) );
-            } else {
-                add_filter( 'the_content', array( __CLASS__, 'display_alert_filter' ) );           
-            }
-        }
-    }
-
-    /**
-     * Inline Style
-     */
-    public static function inline_style() {
-
-        $dynamic_css = '
-        .veu_promotion-alert__content--text {
-            border: 1px solid rgba(0,0,0,0.125);
-            padding: 0.5em 1em;
-            border-radius: var(--vk-size-radius);
-            margin-bottom: var(--vk-margin-block-bottom);
-            font-size: 0.875rem;
-        }
-        /* Alert Content部分に段落タグを入れた場合に最後の段落の余白を0にする */
-        .veu_promotion-alert__content--text p:last-of-type{
-            margin-bottom:0;
-            margin-top: 0;
-        }
-        ';
-    
-        // delete before after space
-        $dynamic_css = trim( $dynamic_css );
-        // convert tab and br to space
-        $dynamic_css = preg_replace( '/[\n\r\t]/', '', $dynamic_css );
-        // Change multiple spaces to single space
-        $dynamic_css = preg_replace( '/\s(?=\s)/', '', $dynamic_css );
-        wp_add_inline_style( 'vkExUnit_common_style', $dynamic_css );
-    }
-}
+	}
+
+	/**
+	 * Display Condition
+	 */
+	public static function get_display_condition( $post_id ) {
+
+		// 通常は false
+		$return = false;
+
+		// カスタムフィールドを取得
+		$meta = get_post_meta( $post_id, 'veu_display_promotion_alert', true );
+		$meta = ! empty( $meta ) ? $meta : 'common';
+
+		// オプションを取得
+		$options = self::get_options();
+
+		  // 投稿タイプを取得
+		$post_type = get_post_type( $post_id );
+
+		// 表示条件を判定
+		if ( 'display' === $meta ) {
+			// カスタムフィールドが display の場合は true
+			$return = true;
+		} elseif ( 'common' === $meta && ! empty( $options['alert-display'][ $post_type ] ) && 'display' === $options['alert-display'][ $post_type ] ) {
+			// カスタムフィールドが common でオプションが display の場合は true
+			$return = true;
+		}
+
+		return $return;        
+	}
 
+	/**
+	 * Alert Content
+	 */
+	public static function get_alert_content() {
+
+		if ( ! self::get_display_condition( get_the_ID() ) ) {
+			return '';
+		}
+
+		$alert = '';
+		$alert_content = '';
+		$options = self::get_options();
+	
+		if ( ! empty( $options['alert-content'] ) ) {
+			$alert_content  = '<div class="veu_promotion-alert__content--custom">';
+			// alert-contentにのみsanitize_alert_contentを適用
+			$alert_content .= self::sanitize_alert_content( $options['alert-content'] ); 
+			$alert_content .= '</div>';
+		} elseif ( ! empty( $options['alert-text'] ) ) {
+			$alert_content  = '<div class="veu_promotion-alert__content--text">';
+			$alert_content .= '<span class="veu_promotion-alert__icon"><i class="fa-solid fa-circle-info"></i></span>';
+			$alert_content .= '<span class="veu_promotion-alert__text">' . esc_html( $options['alert-text'] ) . '</span>';
+			$alert_content .= '</div>';
+		}
+
+		
+		
+		if ( ! empty( $alert_content ) ) {
+			$alert = '<div class="veu_promotion-alert" data-nosnippet>' . $alert_content . '</div>';
+		}
+
+		return apply_filters( 'veu_promotion_alert_content', htmlspecialchars_decode( $alert ) );
+	}
+
+	/**
+	 * Display Alert Content Filter Hook
+	 */
+	public static function display_alert_filter( $content ) {
+
+		// アラートを取得
+		$alert = self::get_alert_content();
+
+		// 文頭にアラートを追加
+		$content = $alert . $content;
+	   
+		return $content;       
+	}
 
+	/**
+	 * Display Alert Content Action Hook
+	 */
+	public static function display_alert_action() {
+		// アラートを取得し表示
+		$alert = self::get_alert_content();
+		echo self::sanitize_alert_content( $alert );       
+	}
 
+	/**
+	 * Display Alert
+	 */
+	public static function display_alert() {
+
+		// オプションを取得
+		$options = self::get_options();
+		if ( is_singular() ) {
+			if ( ! empty( $options['alert-hook'] ) ) {
+				add_action( $options['alert-hook'], array( __CLASS__, 'display_alert_action' ) );
+			} else {
+				add_filter( 'the_content', array( __CLASS__, 'display_alert_filter' ) );           
+			}
+		}
+	}
+
+	/**
+	 * Inline Style
+	 */
+	public static function inline_style() {
+
+		$dynamic_css = '
+		.veu_promotion-alert__content--text {
+			border: 1px solid rgba(0,0,0,0.125);
+			padding: 0.5em 1em;
+			border-radius: var(--vk-size-radius);
+			margin-bottom: var(--vk-margin-block-bottom);
+			font-size: 0.875rem;
+		}
+		/* Alert Content部分に段落タグを入れた場合に最後の段落の余白を0にする */
+		.veu_promotion-alert__content--text p:last-of-type{
+			margin-bottom:0;
+			margin-top: 0;
+		}
+		';
+	
+		// delete before after space
+		$dynamic_css = trim( $dynamic_css );
+		// convert tab and br to space
+		$dynamic_css = preg_replace( '/[\n\r\t]/', '', $dynamic_css );
+		// Change multiple spaces to single space
+		$dynamic_css = preg_replace( '/\s(?=\s)/', '', $dynamic_css );
+		wp_add_inline_style( 'vkExUnit_common_style', $dynamic_css );
+	}
+}

From e9031f539a43bda9eec7508a2f7c3b61da684c18 Mon Sep 17 00:00:00 2001
From: mtdkei <mtdkei@gmail.com>
Date: Fri, 1 Nov 2024 11:49:20 +0900
Subject: [PATCH 2/9] Add test case

---
 tests/test-promotion-alert.php | 45 +++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/tests/test-promotion-alert.php b/tests/test-promotion-alert.php
index b93b5630..4d0918eb 100644
--- a/tests/test-promotion-alert.php
+++ b/tests/test-promotion-alert.php
@@ -459,6 +459,49 @@ public function test_get_alert_content() {
 				),
 				'correct' => '',
 			),
+			// XSS属性の削除をテスト
+			array(
+				'options' => array(
+					'alert-content' => '<div onmouseover="alert(\'XSS\')">Hover me!</div>',
+					'alert-display' => array('post' => 'display'),
+				),
+				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"><div >Hover me!</div></div></div>',
+			),
+			array(
+				'options' => array(
+					'alert-content' => '<img src="#" onerror="alert(\'XSS\')"/>',
+					'alert-display' => array('post' => 'display'),
+				),
+				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"><img decoding="async" src="#" /></div></div>',
+			),
+			array(
+				'options' => array(
+					'alert-content' => '<script src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-XXXXX" crossorigin="anonymous"></script>',
+					'alert-display' => array('post' => 'display'),
+				),
+				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"><script src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-XXXXX" crossorigin="anonymous"></script></div></div>',
+			),
+			array(
+				'options' => array(
+					'alert-content' => '<a href="javascript:alert(\'XSS\')">Click me!</a>',
+					'alert-display' => array('post' => 'display'),
+				),
+				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"><ahref="#">Click me!</a></div></div>',
+			),
+			array(
+				'options' => array(
+					'alert-content' => '<style>*{xss:expression(alert("XSS"))}</style>',
+					'alert-display' => array('post' => 'display'),
+				),
+				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"></div></div>',
+			),
+			array(
+				'options' => array(
+					'alert-content' => '<iframe src="javascript:alert(\'XSS\')"></iframe>',
+					'alert-display' => array('post' => 'display'),
+				),
+				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"></div></div>',
+			),
 		);
 
 		print PHP_EOL;
@@ -491,4 +534,4 @@ public function test_get_alert_content() {
 
 	}
 
-}
\ No newline at end of file
+}

From 076f3fc8f3f0531cc70885e986594801fdca2c5f Mon Sep 17 00:00:00 2001
From: mtdkei <mtdkei@gmail.com>
Date: Fri, 1 Nov 2024 12:57:18 +0900
Subject: [PATCH 3/9] Add changelog

---
 readme.txt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/readme.txt b/readme.txt
index 9b0d14a1..278aad90 100644
--- a/readme.txt
+++ b/readme.txt
@@ -81,6 +81,8 @@ e.g.
 
 == Changelog ==
 
+[ Bug Fix ][ Promotion Alert ] Fixed filtering in Promotion Alert by adding data-nosnippet attribute to the div tag. 
+
 = 9.100.0 =
 [ Add setting ][ Category list ] Enable to specify ascending/descending order
 [ Specification Change ][ Twitter widget ] Added "Not recommended" to the name and added a note to the description.

From 27cc5a061189e8398bb9810ef6ca0cc85974087a Mon Sep 17 00:00:00 2001
From: mtdkei <mtdkei@gmail.com>
Date: Fri, 1 Nov 2024 14:44:23 +0900
Subject: [PATCH 4/9] Undo kses_allowed

---
 .../package/class-veu-promotion-alert.php     | 227 ++++++++++++------
 1 file changed, 158 insertions(+), 69 deletions(-)

diff --git a/inc/promotion-alert/package/class-veu-promotion-alert.php b/inc/promotion-alert/package/class-veu-promotion-alert.php
index 6f2386d9..b1b005e0 100644
--- a/inc/promotion-alert/package/class-veu-promotion-alert.php
+++ b/inc/promotion-alert/package/class-veu-promotion-alert.php
@@ -9,56 +9,127 @@ class VEU_Promotion_Alert {
 	 * Constructor Define
 	 */
 	public static function init() {
+		global $allowedposttags;
+		if ( isset( $allowedposttags['ins'] ) ) {
+			$allowedposttags['ins']['style'] = array();
+		}
 		add_action( 'veu_package_init', array( __CLASS__, 'option_init' ) );
 		add_action( 'save_post', array( __CLASS__, 'save_meta_box' ) );
 		// is_singular() で判定するため wp で実行
 		add_action( 'wp', array( __CLASS__, 'display_alert' ) );
 		add_action( 'wp_head', array( __CLASS__, 'inline_style' ), 5 );
 		add_action( 'after_setup_theme', array( __CLASS__, 'content_filter' ) );
+		add_filter( 'wp_kses_allowed_css', array( __CLASS__, 'promotion_alert_allowed_css' ) );
+		add_filter( 'wp_kses_allowed_html', array( __CLASS__, 'modify_wp_kses_allowed_html' ), 99, 2 );
+	}
+
+	/**
+	 * Allow data-nosnippet attribute on div tags for kses filtering.
+	 */
+	public static function modify_wp_kses_allowed_html( $allowed_tags, $context ) {
+		// 必要な属性やタグを追加
+		if ( 'post' === $context ) {
+			$allowed_tags['div']['data-nosnippet'] = true;
+		}
+		return $allowed_tags;
 	}
 
 	/**
 	 * HTML Allowed
 	 */
-	public static function sanitize_alert_content($content) {
-    
-		// 1. <style>タグおよびその内容の削除
-		$content = preg_replace('/<style\b[^>]*>.*?<\/style>/is', '', $content);
-	
-		// 2. <script> および <ins> タグ内の内容を保持し、一時的にプレースホルダーに置き換え
-		$placeholders = [];
-		$content = preg_replace_callback(
-			'/(<script\b[^>]*>.*?<\/script>|<ins\b[^>]*>.*?<\/ins>)/is',
-			function($matches) use (&$placeholders) {
-				$placeholder = '%%PLACEHOLDER_' . count($placeholders) . '%%';
-				$placeholders[$placeholder] = $matches[0];
-				return $placeholder;
-			},
-			$content
+	public static function kses_allowed() {
+		return array(
+			'div'    => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+			),
+			'h1'     => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+			),
+			'h2'     => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+			),
+			'h3'     => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+			),
+			'h4'     => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+			),
+			'h5'     => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+			),
+			'h6'     => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+			),
+			'p'      => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+			),
+			'ul'     => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+			),
+			'ol'     => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+			),
+			'li'     => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+			),
+			'i'      => array(
+				'id'          => array(),
+				'class'       => array(),
+				'style'       => array(),
+				'aria-hidden' => array()
+			),
+			'a'      => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+				'href'  => array(),
+			),
+			'span'   => array(
+				'id'    => array(),
+				'class' => array(),
+				'style' => array(),
+			),
+			'button' => array(
+				'id'    => array(),
+				'type'  => array(),
+				'class' => array(),
+				'style' => array(),
+				'href'  => array(),
+			),
+            'img'    => array(
+                'id'    => array(),
+                'class' => array(),
+                'style' => array(),
+                'src'   => array(),
+                'alt'   => array(),                
+            ),
+			'style'  => array(),
+            '!'    => array(),
 		);
-	
-		// 3. 基本的なタグのサニタイズ
-		$allowed_tags = array('div', 'p', 'a', 'img', 'span', 'i', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'ul', 'ol', 'li', 'button');
-		$allowed_attributes = array('id', 'class', 'style', 'href', 'target', 'src', 'alt', 'type', 'rel');
-	
-		$content = preg_replace_callback('/<(\/?)(\w+)([^>]*)>/i', function($matches) use ($allowed_tags, $allowed_attributes) {
-			if (in_array(strtolower($matches[2]), $allowed_tags)) {
-				$attributes = preg_replace('/(\b(?!' . implode('|', $allowed_attributes) . ')\w+)\s*=\s*("[^"]*"|\'[^\']*\')/', '', $matches[3]);
-				return "<{$matches[1]}{$matches[2]}{$attributes}>";
-			}
-			return '';
-		}, $content);
-	
-		// 4. プレースホルダーを元の <script> および <ins> タグに戻す
-		$content = str_replace(array_keys($placeholders), array_values($placeholders), $content);
-	
-		// 5. JavaScriptリンクの無効化
-		$content = preg_replace('/\s*on\w+\s*=\s*"[^"]*"|\s*on\w+\s*=\s*\'[^\']*\'/', '', $content);
-		$content = preg_replace('/\s*href\s*=\s*"javascript:[^"]*"|\s*href\s*=\s*\'javascript:[^\']*\'/', 'href="#"', $content);
-	
-		return $content;
-	}	
-	
+	}
+ 
 	/**
 	 * コンテンツにかけるフィルター
 	 */
@@ -163,8 +234,8 @@ public static function sanitize_space( $input ) {
 	 */
 	public static function sanitize_setting( $input ) {
 
-		// 投稿タイプを取得
-		$post_types = self::get_post_types();
+		// 許可されたHTMLタグのリストを取得
+		$allowed_html = self::kses_allowed();
 		
 		// サニタイズ処理
 		$options = array();
@@ -174,13 +245,15 @@ public static function sanitize_setting( $input ) {
 		if ( ! empty( $input['alert-content'] ) ) {
 			// サニタイズ前のデバッグ出力
 			error_log( 'Before wp_kses: ' . print_r( stripslashes( $input['alert-content'] ), true ) );
-			$options['alert-content'] = self::sanitize_alert_content( stripslashes( $input['alert-content'] ) );
+			$options['alert-content'] = wp_kses( stripslashes( $input['alert-content'] ), $allowed_html );
 			// サニタイズ後のデバッグ出力
 			error_log( 'After wp_kses: ' . print_r( $options['alert-content'], true ) );
 		} else {
 			$options['alert-content'] = '';
 		}
 
+		// 投稿タイプごとの設定をサニタイズ
+		$post_types = self::get_post_types();
 		foreach ( $post_types as $post_type ) {
 			$options['alert-display'][ $post_type['name'] ] = ! empty( $input['alert-display'][ $post_type['name'] ] ) ? 'display' : 'hide';
 		}
@@ -197,6 +270,9 @@ public static function render_setting() {
 		// 投稿タイプを取得
 		$post_types = self::get_post_types();
 
+		// 許可されたHTMLタグ
+		$allowed_html = self::kses_allowed();
+
 		// オプションを取得
 		$options = self::get_options();
 		?>
@@ -344,35 +420,44 @@ public static function get_display_condition( $post_id ) {
 	 * Alert Content
 	 */
 	public static function get_alert_content() {
-
-		if ( ! self::get_display_condition( get_the_ID() ) ) {
-			return '';
-		}
-
+		// アラートを初期化
 		$alert = '';
 		$alert_content = '';
-		$options = self::get_options();
 	
-		if ( ! empty( $options['alert-content'] ) ) {
-			$alert_content  = '<div class="veu_promotion-alert__content--custom">';
-			// alert-contentにのみsanitize_alert_contentを適用
-			$alert_content .= self::sanitize_alert_content( $options['alert-content'] ); 
-			$alert_content .= '</div>';
-		} elseif ( ! empty( $options['alert-text'] ) ) {
-			$alert_content  = '<div class="veu_promotion-alert__content--text">';
-			$alert_content .= '<span class="veu_promotion-alert__icon"><i class="fa-solid fa-circle-info"></i></span>';
-			$alert_content .= '<span class="veu_promotion-alert__text">' . esc_html( $options['alert-text'] ) . '</span>';
-			$alert_content .= '</div>';
-		}
-
-		
-		
-		if ( ! empty( $alert_content ) ) {
-			$alert = '<div class="veu_promotion-alert" data-nosnippet>' . $alert_content . '</div>';
+		// 表示条件を判定
+		$display = self::get_display_condition( get_the_ID() );
+	
+		// 表示条件が true の場合はアラートを表示
+		if ( ! empty( $display ) ) {
+	
+			// オプションを取得
+			$options = self::get_options();
+	
+			// 許可されたHTMLタグ
+			$allowed_html = self::kses_allowed();
+	
+			// アラートの中身を作成
+			if ( ! empty( $options['alert-content'] ) ) {
+				$alert_content  = '<div class="veu_promotion-alert__content--custom">';
+				$alert_content .= wp_kses( $options['alert-content'], $allowed_html );
+				$alert_content .= '</div>';
+			} elseif ( ! empty( $options['alert-text'] ) ) {
+				$alert_content  = '<div class="veu_promotion-alert__content--text">';
+				$alert_content .= '<span class="veu_promotion-alert__icon"><i class="fa-solid fa-circle-info"></i></span>';
+				$alert_content .= '<span class="veu_promotion-alert__text">' . esc_html( $options['alert-text'] ) . '</span>';
+				$alert_content .= '</div>';
+			}
+	
+			if ( ! empty( $alert_content ) ) {
+				// wp_ksesを通した後にdata-nosnippetを追加
+				$alert = wp_kses( '<div class="veu_promotion-alert">' . $alert_content . '</div>', $allowed_html );
+				$alert = str_replace('<div class="veu_promotion-alert">', '<div class="veu_promotion-alert" data-nosnippet>', $alert);
+			}
 		}
-
-		return apply_filters( 'veu_promotion_alert_content', htmlspecialchars_decode( $alert ) );
-	}
+	
+		// 許可されたHTMLタグで再度サニタイズ
+		return apply_filters( 'veu_promotion_alert_content', $alert );
+	}	 
 
 	/**
 	 * Display Alert Content Filter Hook
@@ -385,16 +470,20 @@ public static function display_alert_filter( $content ) {
 		// 文頭にアラートを追加
 		$content = $alert . $content;
 	   
-		return $content;       
+		return $content;
 	}
 
 	/**
 	 * Display Alert Content Action Hook
 	 */
 	public static function display_alert_action() {
-		// アラートを取得し表示
+
+		// アラートを取得
 		$alert = self::get_alert_content();
-		echo self::sanitize_alert_content( $alert );       
+		// 許可されたHTMLタグ
+		$allowed_html = self::kses_allowed();
+
+		echo wp_kses( $alert, $allowed_html );       
 	}
 
 	/**

From 568e144613c4aa1f10ed6cfc0423262486a49a24 Mon Sep 17 00:00:00 2001
From: mtdkei <mtdkei@gmail.com>
Date: Fri, 1 Nov 2024 15:15:02 +0900
Subject: [PATCH 5/9] Delete unnecessary filter

---
 inc/promotion-alert/package/class-veu-promotion-alert.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/inc/promotion-alert/package/class-veu-promotion-alert.php b/inc/promotion-alert/package/class-veu-promotion-alert.php
index b1b005e0..9c74e987 100644
--- a/inc/promotion-alert/package/class-veu-promotion-alert.php
+++ b/inc/promotion-alert/package/class-veu-promotion-alert.php
@@ -19,8 +19,6 @@ public static function init() {
 		add_action( 'wp', array( __CLASS__, 'display_alert' ) );
 		add_action( 'wp_head', array( __CLASS__, 'inline_style' ), 5 );
 		add_action( 'after_setup_theme', array( __CLASS__, 'content_filter' ) );
-		add_filter( 'wp_kses_allowed_css', array( __CLASS__, 'promotion_alert_allowed_css' ) );
-		add_filter( 'wp_kses_allowed_html', array( __CLASS__, 'modify_wp_kses_allowed_html' ), 99, 2 );
 	}
 
 	/**

From 150e5670ecf19dbf41e04f67e650f225d3e87944 Mon Sep 17 00:00:00 2001
From: mtdkei <mtdkei@gmail.com>
Date: Fri, 1 Nov 2024 15:30:06 +0900
Subject: [PATCH 6/9] Add: Removing XSS Attributes

---
 tests/test-promotion-alert.php | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/tests/test-promotion-alert.php b/tests/test-promotion-alert.php
index 4d0918eb..06272f37 100644
--- a/tests/test-promotion-alert.php
+++ b/tests/test-promotion-alert.php
@@ -465,7 +465,7 @@ public function test_get_alert_content() {
 					'alert-content' => '<div onmouseover="alert(\'XSS\')">Hover me!</div>',
 					'alert-display' => array('post' => 'display'),
 				),
-				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"><div >Hover me!</div></div></div>',
+				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"><div>Hover me!</div></div></div>',
 			),
 			array(
 				'options' => array(
@@ -479,21 +479,14 @@ public function test_get_alert_content() {
 					'alert-content' => '<script src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-XXXXX" crossorigin="anonymous"></script>',
 					'alert-display' => array('post' => 'display'),
 				),
-				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"><script src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-XXXXX" crossorigin="anonymous"></script></div></div>',
+				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"></div></div>',
 			),
 			array(
 				'options' => array(
 					'alert-content' => '<a href="javascript:alert(\'XSS\')">Click me!</a>',
 					'alert-display' => array('post' => 'display'),
 				),
-				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"><ahref="#">Click me!</a></div></div>',
-			),
-			array(
-				'options' => array(
-					'alert-content' => '<style>*{xss:expression(alert("XSS"))}</style>',
-					'alert-display' => array('post' => 'display'),
-				),
-				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"></div></div>',
+				'correct' => '<div class="veu_promotion-alert" data-nosnippet><div class="veu_promotion-alert__content--custom"><a href="alert(\'XSS\')">Click me!</a></div></div>',
 			),
 			array(
 				'options' => array(

From 523421762f71371545cc2330a68e14def3ea180d Mon Sep 17 00:00:00 2001
From: mtdkei <mtdkei@gmail.com>
Date: Fri, 1 Nov 2024 15:35:08 +0900
Subject: [PATCH 7/9] Undo some code

---
 inc/promotion-alert/package/class-veu-promotion-alert.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/inc/promotion-alert/package/class-veu-promotion-alert.php b/inc/promotion-alert/package/class-veu-promotion-alert.php
index 9c74e987..3334caa5 100644
--- a/inc/promotion-alert/package/class-veu-promotion-alert.php
+++ b/inc/promotion-alert/package/class-veu-promotion-alert.php
@@ -232,8 +232,11 @@ public static function sanitize_space( $input ) {
 	 */
 	public static function sanitize_setting( $input ) {
 
-		// 許可されたHTMLタグのリストを取得
-		$allowed_html = self::kses_allowed();
+		 // 投稿タイプを取得
+	        $post_types = self::get_post_types();
+
+	        // 許可されたHTMLタグ
+        	$allowed_html = self::kses_allowed();
 		
 		// サニタイズ処理
 		$options = array();

From 1f19eb0c95a8a21f5d4b843949e8b9731be744bd Mon Sep 17 00:00:00 2001
From: mtdkei <mtdkei@gmail.com>
Date: Fri, 1 Nov 2024 15:36:14 +0900
Subject: [PATCH 8/9] Delete error_log

---
 inc/promotion-alert/package/class-veu-promotion-alert.php | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/inc/promotion-alert/package/class-veu-promotion-alert.php b/inc/promotion-alert/package/class-veu-promotion-alert.php
index 3334caa5..3034b33e 100644
--- a/inc/promotion-alert/package/class-veu-promotion-alert.php
+++ b/inc/promotion-alert/package/class-veu-promotion-alert.php
@@ -244,11 +244,7 @@ public static function sanitize_setting( $input ) {
 		
 		// alert-contentを許可リストに基づいてサニタイズ
 		if ( ! empty( $input['alert-content'] ) ) {
-			// サニタイズ前のデバッグ出力
-			error_log( 'Before wp_kses: ' . print_r( stripslashes( $input['alert-content'] ), true ) );
 			$options['alert-content'] = wp_kses( stripslashes( $input['alert-content'] ), $allowed_html );
-			// サニタイズ後のデバッグ出力
-			error_log( 'After wp_kses: ' . print_r( $options['alert-content'], true ) );
 		} else {
 			$options['alert-content'] = '';
 		}

From f63f50c8cf14d08a7bf5719b6198da208a139683 Mon Sep 17 00:00:00 2001
From: mtdkei <mtdkei@gmail.com>
Date: Tue, 5 Nov 2024 11:54:45 +0900
Subject: [PATCH 9/9] Delete unnecessary code

---
 .../package/class-veu-promotion-alert.php         | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/inc/promotion-alert/package/class-veu-promotion-alert.php b/inc/promotion-alert/package/class-veu-promotion-alert.php
index 3034b33e..50ea93fb 100644
--- a/inc/promotion-alert/package/class-veu-promotion-alert.php
+++ b/inc/promotion-alert/package/class-veu-promotion-alert.php
@@ -9,10 +9,6 @@ class VEU_Promotion_Alert {
 	 * Constructor Define
 	 */
 	public static function init() {
-		global $allowedposttags;
-		if ( isset( $allowedposttags['ins'] ) ) {
-			$allowedposttags['ins']['style'] = array();
-		}
 		add_action( 'veu_package_init', array( __CLASS__, 'option_init' ) );
 		add_action( 'save_post', array( __CLASS__, 'save_meta_box' ) );
 		// is_singular() で判定するため wp で実行
@@ -21,17 +17,6 @@ public static function init() {
 		add_action( 'after_setup_theme', array( __CLASS__, 'content_filter' ) );
 	}
 
-	/**
-	 * Allow data-nosnippet attribute on div tags for kses filtering.
-	 */
-	public static function modify_wp_kses_allowed_html( $allowed_tags, $context ) {
-		// 必要な属性やタグを追加
-		if ( 'post' === $context ) {
-			$allowed_tags['div']['data-nosnippet'] = true;
-		}
-		return $allowed_tags;
-	}
-
 	/**
 	 * HTML Allowed
 	 */