From cc3e4a6b2bf18886f1459b1e5e6265794d6d2419 Mon Sep 17 00:00:00 2001
From: Glauber Silva
Date: Wed, 10 Apr 2024 10:19:14 -0300
Subject: [PATCH] Enhancement: implements development good practices to give
form shortcode (#7338)
---
includes/class-notices.php | 11 ++++----
includes/donors/class-give-donor-wall.php | 2 ++
includes/login-register.php | 4 +--
includes/shortcodes.php | 28 +++++++++++++++----
.../MultiFormGoal/Shortcode.php | 3 ++
src/Views/IframeView.php | 8 ++++--
6 files changed, 41 insertions(+), 15 deletions(-)
diff --git a/includes/class-notices.php b/includes/class-notices.php
index 475febf295..be3e980879 100644
--- a/includes/class-notices.php
+++ b/includes/class-notices.php
@@ -638,6 +638,7 @@ public static function print_frontend_errors( $errors ) {
* Print frontend notice.
* Notice: notice type can be success/error/warning
*
+ * @unreleased Escape attributes
* @since 1.8.9
* @access public
*
@@ -691,11 +692,11 @@ public static function print_frontend_notice( $message, $echo = true, $notice_ty
%6$s
',
- $notice_type,
- give_clean( $notice_args['dismissible'] ),
- absint( $notice_args['dismiss_interval'] ),
- give_clean( $notice_args['dismiss_type'] ),
- $message,
+ esc_attr($notice_type),
+ esc_attr( $notice_args['dismissible'] ),
+ esc_attr( $notice_args['dismiss_interval'] ),
+ esc_attr( $notice_args['dismiss_type'] ),
+ esc_html($message),
$close_icon
);
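Review bot: `esc_html($message)` changes what print_frontend_notice renders when a caller passes markup in `$message`: the old code emitted it raw, so a notice that contains a link or `<strong>` will now show the tags as literal text. If the intent is to keep such markup while neutralizing scripts, `wp_kses_post( $message )` is the WordPress escaper for that context; if `$message` is meant to be plain text, the `@param` in the docblock should state that. Separately, replacing `absint( $notice_args['dismiss_interval'] )` with `esc_attr(...)` drops the integer coercion, so a non-numeric value now reaches the data attribute unchanged; `esc_attr( absint( $notice_args['dismiss_interval'] ) )` keeps both. print_frontend_notice starts outside the hunk, so how `$message` is documented there is not visible here.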
diff --git a/includes/donors/class-give-donor-wall.php b/includes/donors/class-give-donor-wall.php
index b9f39a74ea..74637371ca 100644
--- a/includes/donors/class-give-donor-wall.php
+++ b/includes/donors/class-give-donor-wall.php
@@ -82,6 +82,7 @@ public function setup_actions() {
/**
* Displays donors in a grid layout.
*
+ * @unreleased Sanitize attributes
* @since 2.27.0 Moved AJAX nonce verification to ajax_handler method.
* @since 2.2.0
*
@@ -114,6 +115,7 @@ public function setup_actions() {
* @return string|bool The markup of the form grid or false.
*/
public function render_shortcode( $atts ) {
+ $atts = give_clean($atts);
$give_settings = give_get_settings();
diff --git a/includes/login-register.php b/includes/login-register.php
index 1b59fe274b..624870bfb1 100644
--- a/includes/login-register.php
+++ b/includes/login-register.php
@@ -51,8 +51,8 @@ function give_login_form( $login_redirect = '', $logout_redirect = '' ) {
give_get_template(
'shortcode-login',
array(
- 'give_login_redirect' => esc_url($login_redirect),
- 'give_logout_redirect' => esc_url($logout_redirect),
+ 'give_login_redirect' => $login_redirect,
+ 'give_logout_redirect' => $logout_redirect,
)
);
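Review bot: Dropping `esc_url()` from `give_login_redirect` and `give_logout_redirect` removes the only URL escaping visible on this path; the `give_clean()` added to give_login_form_shortcode in this same patch is a text sanitizer and does not restrict the URL scheme the way esc_url does. Unless the `shortcode-login` template applies `esc_url()` where it prints these values (the template is not in the diff), the rendered redirect attributes now carry the raw strings. I would keep `'give_login_redirect' => esc_url( $login_redirect ),` and `'give_logout_redirect' => esc_url( $logout_redirect ),` here, or document in the template that escaping is its responsibility. give_login_form continues outside the hunk.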
diff --git a/includes/shortcodes.php b/includes/shortcodes.php
index 8d73b11785..38045e86de 100644
--- a/includes/shortcodes.php
+++ b/includes/shortcodes.php
@@ -25,6 +25,7 @@
*
* Displays a user's donation history.
*
+ * @unreleased Sanitize attributes
* @since 3.1.0 pass form id by reference in give_totals shortcode.
* @since 1.0
*
@@ -34,7 +35,7 @@
* @return string|bool
*/
function give_donation_history( $atts, $content = false ) {
-
+ $atts = give_clean($atts);
$donation_history_args = shortcode_atts(
[
'id' => true,
@@ -132,6 +133,7 @@ function give_donation_history( $atts, $content = false ) {
*
* Show the Give donation form.
*
+ * @unreleased Sanitize attributes
* @since 3.4.0 Add additional validations to check if the form is valid and has the 'published' status.
* @since 2.30.0 Add short-circuit filter to allow for custom output.
* @since 1.0
@@ -142,6 +144,7 @@ function give_donation_history( $atts, $content = false ) {
* @return string
*/
function give_form_shortcode( $atts ) {
+ $atts = give_clean($atts);
$atts = shortcode_atts( give_get_default_form_shortcode_args(), $atts, 'give_form' );
if('fullForm' === $atts['display_style']) {
@@ -210,6 +213,7 @@ function give_form_shortcode( $atts ) {
*
* Show the Give donation form goals.
*
+ * @unreleased Sanitize attributes
* @since 3.4.0 Add additional validations to check if the form is valid and has the 'published' status.
* @since 1.0
*
@@ -218,6 +222,7 @@ function give_form_shortcode( $atts ) {
* @return string
*/
function give_goal_shortcode( $atts ) {
+ $atts = give_clean($atts);
$atts = shortcode_atts(
[
'id' => '',
@@ -266,6 +271,7 @@ function give_goal_shortcode( $atts ) {
* Shows a login form allowing users to users to log in. This function simply
* calls the give_login_form function to display the login form.
*
+ * @unreleased Sanitize attributes
* @since 1.0
*
* @param array $atts Shortcode attributes.
@@ -275,7 +281,7 @@ function give_goal_shortcode( $atts ) {
* @return string
*/
function give_login_form_shortcode( $atts ) {
-
+ $atts = give_clean($atts);
$atts = shortcode_atts(
[
// Add backward compatibility for redirect attribute.
@@ -300,6 +306,7 @@ function give_login_form_shortcode( $atts ) {
*
* Shows a registration form allowing users to users to register for the site.
*
+ * @unreleased Sanitize attributes
* @since 1.0
*
* @param array $atts Shortcode attributes.
@@ -309,6 +316,7 @@ function give_login_form_shortcode( $atts ) {
* @return string
*/
function give_register_form_shortcode( $atts ) {
+ $atts = give_clean($atts);
$atts = shortcode_atts(
[
'redirect' => '',
@@ -327,6 +335,7 @@ function give_register_form_shortcode( $atts ) {
*
* Shows a donation receipt.
*
+ * @unreleased Sanitize and escape attributes
* @since 1.0
*
* @param array $atts Shortcode attributes.
@@ -337,6 +346,8 @@ function give_receipt_shortcode( $atts ) {
global $give_receipt_args;
+ $atts = give_clean($atts);
+
$give_receipt_args = shortcode_atts(
[
'error' => __( 'You are missing the donation id to view this donation receipt.', 'give' ),
@@ -378,8 +389,8 @@ function give_receipt_shortcode( $atts ) {
return sprintf(
'%4$s
',
htmlspecialchars( wp_json_encode( $give_receipt_args ) ),
- $receipt_type,
- $donation_id,
+ esc_attr($receipt_type),
+ esc_attr($donation_id),
ob_get_clean()
);
}
@@ -400,6 +411,7 @@ function give_receipt_shortcode( $atts ) {
* folder. Please visit the Give Documentation for more information on how the
* templating system is used.
*
+ * @unreleased Sanitize attributes
* @since 1.0
*
* @param array $atts Shortcode attributes.
@@ -408,6 +420,8 @@ function give_receipt_shortcode( $atts ) {
*/
function give_profile_editor_shortcode( $atts ) {
+ $atts = give_clean($atts);
+
ob_start();
// Restrict access to donor profile, if donor and user are disconnected.
@@ -612,6 +626,7 @@ function give_process_profile_editor_updates( $data ) {
*
* Shows a donation total.
*
+ * @unreleased Sanitize attributes
* @since 2.1
*
* @param array $atts Shortcode attributes.
@@ -641,6 +656,8 @@ function give_totals_shortcode( $atts ) {
// Total Goal.
$total_goal = give_maybe_sanitize_amount( $atts['total_goal'] );
+ $atts = give_clean($atts);
+
/**
* Give Action fire before the shortcode is rendering is started.
*
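Review bot: In give_totals_shortcode the new `$atts = give_clean($atts);` runs after `$atts['total_goal']` has already been read on the line above, and presumably after the attribute merge earlier in the function, so values consumed before this point were never sanitized while the merged defaults get sanitized instead. Every other shortcode in this patch places the call as the first statement, before `shortcode_atts`; moving it to the top of give_totals_shortcode would make this one consistent and cover every read. The function starts outside the hunk.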
@@ -818,6 +835,7 @@ static function ($id) {
/**
* Displays donation forms in a grid layout.
*
+ * @unreleased Sanitize attributes
* @since 2.1.0
*
* @since 3.1.0 Use static function on array_map callback to pass the id as reference for _give_redirect_form_id to prevent warnings on PHP 8.0.1 or plus
@@ -855,7 +873,7 @@ static function ($id) {
* @return string|bool The markup of the form grid or false.
*/
function give_form_grid_shortcode( $atts ) {
-
+ $atts = give_clean($atts);
$give_settings = give_get_settings();
$atts = shortcode_atts(
diff --git a/src/MultiFormGoals/MultiFormGoal/Shortcode.php b/src/MultiFormGoals/MultiFormGoal/Shortcode.php
index 9c1724d305..f28da58190 100644
--- a/src/MultiFormGoals/MultiFormGoal/Shortcode.php
+++ b/src/MultiFormGoals/MultiFormGoal/Shortcode.php
@@ -26,11 +26,14 @@ public function addShortcode()
/**
* Returns Shortcode markup
*
+ * @unreleased Sanitize attributes
* @since 3.0.3 Use static function on array_map callback to pass the id as reference for _give_redirect_form_id to prevent warnings on PHP 8.0.1 or plus
* @since 2.9.0
**/
public function renderCallback($attributes)
{
+ $attributes = give_clean($attributes);
+
$attributes = $this->parseAttributes(
[
'ids' => [],
diff --git a/src/Views/IframeView.php b/src/Views/IframeView.php
index 1c4d530df9..c524136059 100644
--- a/src/Views/IframeView.php
+++ b/src/Views/IframeView.php
@@ -261,6 +261,8 @@ private function getIframeHTML()
/**
* Get button HTML.
*
+ * @unreleased Escape attributes
+ *
* @return string
*/
private function getButtonHTML()
@@ -272,9 +274,9 @@ private function getButtonHTML()
class="js-give-embed-form-modal-opener"
data-form-id="%1$s"%3$s>%2$s
',
- $this->uniqueId,
- $this->buttonTitle,
- $this->buttonColor ? " style=\"background-color: {$this->buttonColor}\"" : ''
+ esc_attr($this->uniqueId),
+ esc_html($this->buttonTitle),
+ $this->buttonColor ? ' style="background-color: ' . esc_attr($this->buttonColor) . '"' : ''
);
}
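Review bot: `esc_attr($this->buttonColor)` inside the `style` attribute stops the value from closing the attribute but does not confine it to a color: any attribute-safe string, including additional CSS declarations, still lands in the inline style. If `buttonColor` can come from user-editable settings rather than a fixed palette (its source is outside the hunk), validate it at assignment with `sanitize_hex_color()`, or filter the declaration with `safecss_filter_attr( 'background-color: ' . $this->buttonColor )` before interpolating. The rest of getButtonHTML is outside the hunk.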