From 40f0e812eeb3d7d185d511f4aa3bebb459fc8b59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Bouc=CC=8Cek?= <pan@jakubboucek.cz>
Date: Fri, 19 Mar 2021 13:02:18 +0100
Subject: [PATCH] Admin: Fix XSS in generated JS

---
 src/Admin.php | 46 +++++++++++++++++++++-------------------------
 1 file changed, 21 insertions(+), 25 deletions(-)

diff --git a/src/Admin.php b/src/Admin.php
index 10dc3ce..ae917fa 100644
--- a/src/Admin.php
+++ b/src/Admin.php
@@ -154,34 +154,30 @@ public function remove_quick_edit( $actions, $post ) {
 	public function publishing_actions() {
 		$mg_post_type = 'ssc_group';
 		global $post;
-		if ( $post && $post->post_type == $mg_post_type ) {
-			echo '<style type="text/css">
-			.misc-pub-section.misc-pub-visibility,
-			.misc-pub-section.curtime
-			{
-				display:none;
-			}
-			</style>';
-		} ?>
+
+		$group  = new Group();
+		$groups = $group->get_groups();
+
+		$outputGroups = [[ 'text' => __( 'Doesn\'t matter', 'simpleshop-cz' ), 'value' => '' ]];
+
+		foreach ( $groups as $value => $text ) {
+			$outputGroups[] = [ 'text' => $text, 'value' => (string)$value ];
+		}
+		?>
+
+		<?php if ( $post && $post->post_type === $mg_post_type ) : ?>
+            <style type="text/css">
+                .misc-pub-section.misc-pub-visibility,
+                .misc-pub-section.curtime {
+                    display: none;
+                }
+            </style>
+		<?php endif; ?>
 
         <!-- SSC TinyMCE Shortcode Plugin -->
         <script type='text/javascript'>
-            var sscContentGroups = [];
-            sscContentGroups.push({
-                text: '<?= esc_js( __( 'Doesn\'t matter', 'simpleshop-cz' ) )?>',
-                value: ''
-            });
-			<?php
-			$group = new Group();
-			$groups = $group->get_groups();
-			foreach ($groups as $key => $group) { ?>
-            sscContentGroups.push({
-                text: '<?= esc_js( $group ) ?>',
-                value: '<?= esc_js( $key ) ?>'
-            });
-			<?php }  ?>
+            var sscContentGroups = <?= wp_json_encode( $outputGroups ) ?>;
         </script>
-
 		<?php
 	}
 
@@ -319,7 +315,7 @@ public function enqueue_admin_scripts() {
 		wp_register_style( 'jquery-ui', 'https://code.jquery.com/ui/1.11.2/themes/smoothness/jquery-ui.css' );
 		wp_enqueue_style( 'jquery-ui' );
 
-		if ( 'profile' === $current_screen->id || 'user-edit' === $current_screen->id) {
+		if ( 'profile' === $current_screen->id || 'user-edit' === $current_screen->id ) {
 			wp_enqueue_script( 'jquery-ui-datepicker' );
 		}
 	}