Enhancement: implements development good practices to give form short…

…code (#7338)

includes/class-notices.php

@@ -638,6 +638,7 @@ public static function print_frontend_errors( $errors ) {
 	 * Print frontend notice.
 	 * Notice: notice type can be success/error/warning
 	 *
+     * @unreleased Escape attributes
 	 * @since  1.8.9
 	 * @access public
 	 *
@@ -691,11 +692,11 @@ public static function print_frontend_notice( $message, $echo = true, $notice_ty
 						</p>
 						%6$s
 					</div>',
-			$notice_type,
-			give_clean( $notice_args['dismissible'] ),
-			absint( $notice_args['dismiss_interval'] ),
-			give_clean( $notice_args['dismiss_type'] ),
-			$message,
+			esc_attr($notice_type),
+			esc_attr( $notice_args['dismissible'] ),
+			esc_attr( $notice_args['dismiss_interval'] ),
+			esc_attr( $notice_args['dismiss_type'] ),
+			esc_html($message),
 			$close_icon
 		);
 

includes/donors/class-give-donor-wall.php

@@ -82,6 +82,7 @@ public function setup_actions() {
 	/**
 	 * Displays donors in a grid layout.
 	 *
+     * @unreleased Sanitize attributes
      * @since 2.27.0 Moved AJAX nonce verification to ajax_handler method.
 	 * @since  2.2.0
 	 *
@@ -114,6 +115,7 @@ public function setup_actions() {
 	 * @return string|bool The markup of the form grid or false.
 	 */
 	public function render_shortcode( $atts ) {
+        $atts = give_clean($atts);
 
 		$give_settings = give_get_settings();
 

includes/login-register.php

@@ -51,8 +51,8 @@ function give_login_form( $login_redirect = '', $logout_redirect = '' ) {
 	give_get_template(
 		'shortcode-login',
 		array(
-			'give_login_redirect'  => esc_url($login_redirect),
-			'give_logout_redirect' => esc_url($logout_redirect),
+			'give_login_redirect'  => $login_redirect,
+			'give_logout_redirect' => $logout_redirect,
 		)
 	);
 

includes/shortcodes.php

@@ -25,6 +25,7 @@
  *
  * Displays a user's donation history.
  *
+ * @unreleased Sanitize attributes
  * @since 3.1.0 pass form id by reference in give_totals shortcode.
  * @since  1.0
  *
@@ -34,7 +35,7 @@
  * @return string|bool
  */
 function give_donation_history( $atts, $content = false ) {
-
+    $atts = give_clean($atts);
 	$donation_history_args = shortcode_atts(
 		[
 			'id'             => true,
@@ -132,6 +133,7 @@ function give_donation_history( $atts, $content = false ) {
  *
  * Show the Give donation form.
  *
+ * @unreleased Sanitize attributes
  * @since 3.4.0 Add additional validations to check if the form is valid and has the 'published' status.
  * @since 2.30.0 Add short-circuit filter to allow for custom output.
  * @since  1.0
@@ -142,6 +144,7 @@ function give_donation_history( $atts, $content = false ) {
  * @return string
  */
 function give_form_shortcode( $atts ) {
+    $atts = give_clean($atts);
 	$atts = shortcode_atts( give_get_default_form_shortcode_args(), $atts, 'give_form' );
 
     if('fullForm' === $atts['display_style']) {
@@ -210,6 +213,7 @@ function give_form_shortcode( $atts ) {
  *
  * Show the Give donation form goals.
  *
+ * @unreleased Sanitize attributes
  * @since 3.4.0 Add additional validations to check if the form is valid and has the 'published' status.
  * @since  1.0
  *
@@ -218,6 +222,7 @@ function give_form_shortcode( $atts ) {
  * @return string
  */
 function give_goal_shortcode( $atts ) {
+    $atts = give_clean($atts);
 	$atts = shortcode_atts(
 		[
 			'id'        => '',
@@ -266,6 +271,7 @@ function give_goal_shortcode( $atts ) {
  * Shows a login form allowing users to users to log in. This function simply
  * calls the give_login_form function to display the login form.
  *
+ * @unreleased Sanitize attributes
  * @since  1.0
  *
  * @param  array $atts Shortcode attributes.
@@ -275,7 +281,7 @@ function give_goal_shortcode( $atts ) {
  * @return string
  */
 function give_login_form_shortcode( $atts ) {
-
+    $atts = give_clean($atts);
 	$atts = shortcode_atts(
 		[
 			// Add backward compatibility for redirect attribute.
@@ -300,6 +306,7 @@ function give_login_form_shortcode( $atts ) {
  *
  * Shows a registration form allowing users to users to register for the site.
  *
+ * @unreleased Sanitize attributes
  * @since  1.0
  *
  * @param  array $atts Shortcode attributes.
@@ -309,6 +316,7 @@ function give_login_form_shortcode( $atts ) {
  * @return string
  */
 function give_register_form_shortcode( $atts ) {
+    $atts = give_clean($atts);
 	$atts = shortcode_atts(
 		[
 			'redirect' => '',
@@ -327,6 +335,7 @@ function give_register_form_shortcode( $atts ) {
  *
  * Shows a donation receipt.
  *
+ * @unreleased Sanitize and escape attributes
  * @since  1.0
  *
  * @param  array $atts Shortcode attributes.
@@ -337,6 +346,8 @@ function give_receipt_shortcode( $atts ) {
 
 	global $give_receipt_args;
 
+    $atts = give_clean($atts);
+
 	$give_receipt_args = shortcode_atts(
 		[
 			'error'          => __( 'You are missing the donation id to view this donation receipt.', 'give' ),
@@ -378,8 +389,8 @@ function give_receipt_shortcode( $atts ) {
 		return sprintf(
 			'<div id="give-receipt" data-shortcode="%1$s" data-receipt-type="%2$s" data-donation-key="%3$s" >%4$s</div>',
 			htmlspecialchars( wp_json_encode( $give_receipt_args ) ),
-			$receipt_type,
-			$donation_id,
+			esc_attr($receipt_type),
+			esc_attr($donation_id),
 			ob_get_clean()
 		);
 	}
@@ -400,6 +411,7 @@ function give_receipt_shortcode( $atts ) {
  * folder. Please visit the Give Documentation for more information on how the
  * templating system is used.
  *
+ * @unreleased Sanitize attributes
  * @since  1.0
  *
  * @param  array $atts Shortcode attributes.
@@ -408,6 +420,8 @@ function give_receipt_shortcode( $atts ) {
  */
 function give_profile_editor_shortcode( $atts ) {
 
+    $atts = give_clean($atts);
+
 	ob_start();
 
 	// Restrict access to donor profile, if donor and user are disconnected.
@@ -612,6 +626,7 @@ function give_process_profile_editor_updates( $data ) {
  *
  * Shows a donation total.
  *
+ * @unreleased Sanitize attributes
  * @since  2.1
  *
  * @param  array $atts Shortcode attributes.
@@ -641,6 +656,8 @@ function give_totals_shortcode( $atts ) {
 	// Total Goal.
 	$total_goal = give_maybe_sanitize_amount( $atts['total_goal'] );
 
+    $atts = give_clean($atts);
+
 	/**
 	 * Give Action fire before the shortcode is rendering is started.
 	 *
@@ -818,6 +835,7 @@ static function ($id) {
 /**
  * Displays donation forms in a grid layout.
  *
+ * @unreleased Sanitize attributes
  * @since  2.1.0
  *
  * @since 3.1.0 Use static function on array_map callback to pass the id as reference for _give_redirect_form_id to prevent warnings on PHP 8.0.1 or plus
@@ -855,7 +873,7 @@ static function ($id) {
  * @return string|bool The markup of the form grid or false.
  */
 function give_form_grid_shortcode( $atts ) {
-
+    $atts = give_clean($atts);
 	$give_settings = give_get_settings();
 
 	$atts = shortcode_atts(

src/MultiFormGoals/MultiFormGoal/Shortcode.php

@@ -26,11 +26,14 @@ public function addShortcode()
     /**
      * Returns Shortcode markup
      *
+     * @unreleased Sanitize attributes
      * @since 3.0.3 Use static function on array_map callback to pass the id as reference for _give_redirect_form_id to prevent warnings on PHP 8.0.1 or plus
      * @since 2.9.0
      **/
     public function renderCallback($attributes)
     {
+        $attributes = give_clean($attributes);
+
         $attributes = $this->parseAttributes(
             [
                 'ids' => [],

src/Views/IframeView.php

@@ -261,6 +261,8 @@ private function getIframeHTML()
     /**
      * Get button HTML.
      *
+     * @unreleased Escape attributes
+     *
      * @return string
      */
     private function getButtonHTML()
@@ -272,9 +274,9 @@ private function getButtonHTML()
 				class="js-give-embed-form-modal-opener"
 				data-form-id="%1$s"%3$s>%2$s</button>
 			</div>',
-            $this->uniqueId,
-            $this->buttonTitle,
-            $this->buttonColor ? " style=\"background-color: {$this->buttonColor}\"" : ''
+            esc_attr($this->uniqueId),
+            esc_html($this->buttonTitle),
+            $this->buttonColor ? ' style="background-color: ' . esc_attr($this->buttonColor) . '"' : ''
         );
     }