diff --git a/includes/class-notices.php b/includes/class-notices.php index 475febf295..be3e980879 100644 --- a/includes/class-notices.php +++ b/includes/class-notices.php @@ -638,6 +638,7 @@ public static function print_frontend_errors( $errors ) { * Print frontend notice. * Notice: notice type can be success/error/warning * + * @unreleased Escape attributes * @since 1.8.9 * @access public * @@ -691,11 +692,11 @@ public static function print_frontend_notice( $message, $echo = true, $notice_ty

%6$s ', - $notice_type, - give_clean( $notice_args['dismissible'] ), - absint( $notice_args['dismiss_interval'] ), - give_clean( $notice_args['dismiss_type'] ), - $message, + esc_attr($notice_type), + esc_attr( $notice_args['dismissible'] ), + esc_attr( $notice_args['dismiss_interval'] ), + esc_attr( $notice_args['dismiss_type'] ), + esc_html($message), $close_icon ); diff --git a/includes/donors/class-give-donor-wall.php b/includes/donors/class-give-donor-wall.php index b9f39a74ea..74637371ca 100644 --- a/includes/donors/class-give-donor-wall.php +++ b/includes/donors/class-give-donor-wall.php @@ -82,6 +82,7 @@ public function setup_actions() { /** * Displays donors in a grid layout. * + * @unreleased Sanitize attributes * @since 2.27.0 Moved AJAX nonce verification to ajax_handler method. * @since 2.2.0 * @@ -114,6 +115,7 @@ public function setup_actions() { * @return string|bool The markup of the form grid or false. */ public function render_shortcode( $atts ) { + $atts = give_clean($atts); $give_settings = give_get_settings(); diff --git a/includes/login-register.php b/includes/login-register.php index 1b59fe274b..624870bfb1 100644 --- a/includes/login-register.php +++ b/includes/login-register.php @@ -51,8 +51,8 @@ function give_login_form( $login_redirect = '', $logout_redirect = '' ) { give_get_template( 'shortcode-login', array( - 'give_login_redirect' => esc_url($login_redirect), - 'give_logout_redirect' => esc_url($logout_redirect), + 'give_login_redirect' => $login_redirect, + 'give_logout_redirect' => $logout_redirect, ) ); diff --git a/includes/shortcodes.php b/includes/shortcodes.php index 8d73b11785..38045e86de 100644 --- a/includes/shortcodes.php +++ b/includes/shortcodes.php @@ -25,6 +25,7 @@ * * Displays a user's donation history. * + * @unreleased Sanitize attributes * @since 3.1.0 pass form id by reference in give_totals shortcode. * @since 1.0 * @@ -34,7 +35,7 @@ * @return string|bool */ function give_donation_history( $atts, $content = false ) { - + $atts = give_clean($atts); $donation_history_args = shortcode_atts( [ 'id' => true, @@ -132,6 +133,7 @@ function give_donation_history( $atts, $content = false ) { * * Show the Give donation form. * + * @unreleased Sanitize attributes * @since 3.4.0 Add additional validations to check if the form is valid and has the 'published' status. * @since 2.30.0 Add short-circuit filter to allow for custom output. * @since 1.0 @@ -142,6 +144,7 @@ function give_donation_history( $atts, $content = false ) { * @return string */ function give_form_shortcode( $atts ) { + $atts = give_clean($atts); $atts = shortcode_atts( give_get_default_form_shortcode_args(), $atts, 'give_form' ); if('fullForm' === $atts['display_style']) { @@ -210,6 +213,7 @@ function give_form_shortcode( $atts ) { * * Show the Give donation form goals. * + * @unreleased Sanitize attributes * @since 3.4.0 Add additional validations to check if the form is valid and has the 'published' status. * @since 1.0 * @@ -218,6 +222,7 @@ function give_form_shortcode( $atts ) { * @return string */ function give_goal_shortcode( $atts ) { + $atts = give_clean($atts); $atts = shortcode_atts( [ 'id' => '', @@ -266,6 +271,7 @@ function give_goal_shortcode( $atts ) { * Shows a login form allowing users to users to log in. This function simply * calls the give_login_form function to display the login form. * + * @unreleased Sanitize attributes * @since 1.0 * * @param array $atts Shortcode attributes. @@ -275,7 +281,7 @@ function give_goal_shortcode( $atts ) { * @return string */ function give_login_form_shortcode( $atts ) { - + $atts = give_clean($atts); $atts = shortcode_atts( [ // Add backward compatibility for redirect attribute. @@ -300,6 +306,7 @@ function give_login_form_shortcode( $atts ) { * * Shows a registration form allowing users to users to register for the site. * + * @unreleased Sanitize attributes * @since 1.0 * * @param array $atts Shortcode attributes. @@ -309,6 +316,7 @@ function give_login_form_shortcode( $atts ) { * @return string */ function give_register_form_shortcode( $atts ) { + $atts = give_clean($atts); $atts = shortcode_atts( [ 'redirect' => '', @@ -327,6 +335,7 @@ function give_register_form_shortcode( $atts ) { * * Shows a donation receipt. * + * @unreleased Sanitize and escape attributes * @since 1.0 * * @param array $atts Shortcode attributes. @@ -337,6 +346,8 @@ function give_receipt_shortcode( $atts ) { global $give_receipt_args; + $atts = give_clean($atts); + $give_receipt_args = shortcode_atts( [ 'error' => __( 'You are missing the donation id to view this donation receipt.', 'give' ), @@ -378,8 +389,8 @@ function give_receipt_shortcode( $atts ) { return sprintf( '
%4$s
', htmlspecialchars( wp_json_encode( $give_receipt_args ) ), - $receipt_type, - $donation_id, + esc_attr($receipt_type), + esc_attr($donation_id), ob_get_clean() ); } @@ -400,6 +411,7 @@ function give_receipt_shortcode( $atts ) { * folder. Please visit the Give Documentation for more information on how the * templating system is used. * + * @unreleased Sanitize attributes * @since 1.0 * * @param array $atts Shortcode attributes. @@ -408,6 +420,8 @@ function give_receipt_shortcode( $atts ) { */ function give_profile_editor_shortcode( $atts ) { + $atts = give_clean($atts); + ob_start(); // Restrict access to donor profile, if donor and user are disconnected. @@ -612,6 +626,7 @@ function give_process_profile_editor_updates( $data ) { * * Shows a donation total. * + * @unreleased Sanitize attributes * @since 2.1 * * @param array $atts Shortcode attributes. @@ -641,6 +656,8 @@ function give_totals_shortcode( $atts ) { // Total Goal. $total_goal = give_maybe_sanitize_amount( $atts['total_goal'] ); + $atts = give_clean($atts); + /** * Give Action fire before the shortcode is rendering is started. * @@ -818,6 +835,7 @@ static function ($id) { /** * Displays donation forms in a grid layout. * + * @unreleased Sanitize attributes * @since 2.1.0 * * @since 3.1.0 Use static function on array_map callback to pass the id as reference for _give_redirect_form_id to prevent warnings on PHP 8.0.1 or plus @@ -855,7 +873,7 @@ static function ($id) { * @return string|bool The markup of the form grid or false. */ function give_form_grid_shortcode( $atts ) { - + $atts = give_clean($atts); $give_settings = give_get_settings(); $atts = shortcode_atts( diff --git a/src/MultiFormGoals/MultiFormGoal/Shortcode.php b/src/MultiFormGoals/MultiFormGoal/Shortcode.php index 9c1724d305..f28da58190 100644 --- a/src/MultiFormGoals/MultiFormGoal/Shortcode.php +++ b/src/MultiFormGoals/MultiFormGoal/Shortcode.php @@ -26,11 +26,14 @@ public function addShortcode() /** * Returns Shortcode markup * + * @unreleased Sanitize attributes * @since 3.0.3 Use static function on array_map callback to pass the id as reference for _give_redirect_form_id to prevent warnings on PHP 8.0.1 or plus * @since 2.9.0 **/ public function renderCallback($attributes) { + $attributes = give_clean($attributes); + $attributes = $this->parseAttributes( [ 'ids' => [], diff --git a/src/Views/IframeView.php b/src/Views/IframeView.php index 1c4d530df9..c524136059 100644 --- a/src/Views/IframeView.php +++ b/src/Views/IframeView.php @@ -261,6 +261,8 @@ private function getIframeHTML() /** * Get button HTML. * + * @unreleased Escape attributes + * * @return string */ private function getButtonHTML() @@ -272,9 +274,9 @@ private function getButtonHTML() class="js-give-embed-form-modal-opener" data-form-id="%1$s"%3$s>%2$s ', - $this->uniqueId, - $this->buttonTitle, - $this->buttonColor ? " style=\"background-color: {$this->buttonColor}\"" : '' + esc_attr($this->uniqueId), + esc_html($this->buttonTitle), + $this->buttonColor ? ' style="background-color: ' . esc_attr($this->buttonColor) . '"' : '' ); }