Changeset 13816
- Timestamp:
- 04/27/2024 05:51:41 PM (10 months ago)
- Location:
- trunk/src
- Files:
-
- 10 edited
trunk/src/bp-activity/bp-activity-admin.php
r13497 r13816 15 15 16 16 // Include WP's list table class. 17 if ( ! class_exists( 'WP_List_Table' ) ) require( ABSPATH . 'wp-admin/includes/class-wp-list-table.php' );17 if ( ! class_exists( 'WP_List_Table' ) ) require( ABSPATH . 'wp-admin/includes/class-wp-list-table.php' ); 18 18 19 19 // Per_page screen option. Has to be hooked in extremely early. 20 if ( is_admin() && ! empty( $_REQUEST['page'] ) && 'bp-activity' == $_REQUEST['page'] ) 20 if ( is_admin() && ! empty( $_REQUEST['page'] ) && 'bp-activity' == $_REQUEST['page'] ) { 21 21 add_filter( 'set-screen-option', 'bp_activity_admin_screen_options', 10, 3 ); 22 } 22 23 23 24 /** … … 77 78 78 79 // $parent_id is required. 79 if ( empty( $parent_id ) ) 80 if ( empty( $parent_id ) ) { 80 81 die( '-1' ); 82 } 81 83 82 84 // If $root_id not set (e.g. for root items), use $parent_id. 83 if ( empty( $root_id ) ) 85 if ( empty( $root_id ) ) { 84 86 $root_id = $parent_id; 87 } 85 88 86 89 // Check that a reply has been entered. 87 if ( empty( $_REQUEST['content'] ) ) 88 die( __( 'Error: Please type a reply.', 'buddypress' ) ); 90 if ( empty( $_REQUEST['content'] ) ) { 91 die( esc_html__( 'Error: Please type a reply.', 'buddypress' ) ); 92 } 89 93 90 94 // Check parent activity exists. 91 95 $parent_activity = new BP_Activity_Activity( $parent_id ); 92 if ( empty( $parent_activity->component ) ) 93 die( __( 'Error: The item you are trying to reply to cannot be found, or it has been deleted.', 'buddypress' ) ); 96 if ( empty( $parent_activity->component ) ) { 97 die( esc_html__( 'Error: The item you are trying to reply to cannot be found, or it has been deleted.', 'buddypress' ) ); 98 } 94 99 95 100 // @todo: Check if user is allowed to create new activity items 96 101 // if ( ! current_user_can( 'bp_new_activity' ) ) 97 if ( ! bp_current_user_can( 'bp_moderate' ) ) 102 if ( ! bp_current_user_can( 'bp_moderate' ) ) { 98 103 die( '-1' ); 104 } 99 105 100 106 // Add new activity comment. 
… … 589 595 590 596 // If an error occurred, pass back the activity ID that failed. 591 if ( $error ) 597 if ( $error ) { 592 598 $redirect_to = add_query_arg( 'error', $error, $redirect_to ); 593 else599 } else { 594 600 $redirect_to = add_query_arg( 'updated', $activity->id, $redirect_to ); 601 } 595 602 596 603 /** … … 689 696 printf( 690 697 /* translators: 1: activity type. 2: activity author. 3: activity date and time. */ 691 __( '"%1$s" activity submitted by %2$s on %3$s', 'buddypress' ),698 esc_html__( '"%1$s" activity submitted by %2$s on %3$s', 'buddypress' ), 692 699 esc_html( $activity_type ), 700 // phpcs:ignore WordPress.Security.EscapeOutput 693 701 bp_core_get_userlink( $activity->user_id ), 694 702 sprintf( 695 703 '<a href="%1$s">%2$s</a>', 696 704 esc_url( bp_activity_get_permalink( $activity->id, $activity ) ), 697 date_i18n( bp_get_option( 'date_format' ), strtotime( $activity->date_recorded) )705 esc_html( date_i18n( bp_get_option( 'date_format' ), strtotime( $activity->date_recorded ) ) ) 698 706 ) 699 707 ); … … 761 769 <?php 762 770 /* translators: %s: the activity ID */ 763 printf( __( 'Editing Activity (ID #%s)', 'buddypress' ), number_format_i18n( (int) $_REQUEST['aid']) );771 printf( esc_html__( 'Editing Activity (ID #%s)', 'buddypress' ), esc_html( number_format_i18n( (int) $_REQUEST['aid'] ) ) ); 764 772 ?> 765 773 </h1> … … 776 784 <div id="postdiv"> 777 785 <div id="bp_activity_action" class="activitybox"> 778 <h2><?php _e( 'Action', 'buddypress' ); ?></h2>786 <h2><?php esc_html_e( 'Action', 'buddypress' ); ?></h2> 779 787 <div class="inside"> 780 <label for="bp-activities-action" class="screen-reader-text"><?php 781 /* translators: accessibility text */ 782 _e( 'Edit activity action', 'buddypress' ); 783 ?></label> 788 <label for="bp-activities-action" class="screen-reader-text"> 789 <?php 790 /* translators: accessibility text */ 791 esc_html_e( 'Edit activity action', 'buddypress' ); 792 ?> 793 </label> 784 794 <?php wp_editor( 
stripslashes( $activity->action ), 'bp-activities-action', array( 'media_buttons' => false, 'textarea_rows' => 7, 'teeny' => true, 'quicktags' => array( 'buttons' => 'strong,em,link,block,del,ins,img,code,spell,close' ) ) ); ?> 785 795 </div> … … 787 797 788 798 <div id="bp_activity_content" class="activitybox"> 789 <h2><?php _e( 'Content', 'buddypress' ); ?></h2>799 <h2><?php esc_html_e( 'Content', 'buddypress' ); ?></h2> 790 800 <div class="inside"> 791 <label for="bp-activities-content" class="screen-reader-text"><?php 792 /* translators: accessibility text */ 793 _e( 'Edit activity content', 'buddypress' ); 794 ?></label> 801 <label for="bp-activities-content" class="screen-reader-text"> 802 <?php 803 /* translators: accessibility text */ 804 esc_html_e( 'Edit activity content', 'buddypress' ); 805 ?> 806 </label> 795 807 <?php wp_editor( stripslashes( $activity->content ), 'bp-activities-content', array( 'media_buttons' => false, 'teeny' => true, 'quicktags' => array( 'buttons' => 'strong,em,link,block,del,ins,img,code,spell,close' ) ) ); ?> 796 808 </div> … … 820 832 printf( 821 833 '%1$s <a href="%2$s">%3$s</a>', 822 __( 'No activity found with this ID.', 'buddypress' ),834 esc_html__( 'No activity found with this ID.', 'buddypress' ), 823 835 esc_url( bp_get_admin_url( 'admin.php?page=bp-activity' ) ), 824 __( 'Go back and try again.', 'buddypress' )836 esc_html__( 'Go back and try again.', 'buddypress' ) 825 837 ); 826 838 ?></p> … … 852 864 <div id="minor-publishing-actions"> 853 865 <div id="preview-action"> 854 <a class="button preview" href="<?php echo esc_ attr( bp_activity_get_permalink( $item->id, $item ) ); ?>" target="_blank"><?php_e( 'View Activity', 'buddypress' ); ?></a>866 <a class="button preview" href="<?php echo esc_url( bp_activity_get_permalink( $item->id, $item ) ); ?>" target="_blank"><?php esc_html_e( 'View Activity', 'buddypress' ); ?></a> 855 867 </div> 856 868 … … 860 872 <div id="misc-publishing-actions"> 861 873 <div 
class="misc-pub-section" id="comment-status-radio"> 862 <label class="approved" for="activity-status-approved"><input type="radio" name="activity_status" id="activity-status-approved" value="ham" <?php checked( $item->is_spam, 0 ); ?>><?php _e( 'Approved', 'buddypress' ); ?></label><br />863 <label class="spam" for="activity-status-spam"><input type="radio" name="activity_status" id="activity-status-spam" value="spam" <?php checked( $item->is_spam, 1 ); ?>><?php _e( 'Spam', 'buddypress' ); ?></label>874 <label class="approved" for="activity-status-approved"><input type="radio" name="activity_status" id="activity-status-approved" value="ham" <?php checked( $item->is_spam, 0 ); ?>><?php esc_html_e( 'Approved', 'buddypress' ); ?></label><br /> 875 <label class="spam" for="activity-status-spam"><input type="radio" name="activity_status" id="activity-status-spam" value="spam" <?php checked( $item->is_spam, 1 ); ?>><?php esc_html_e( 'Spam', 'buddypress' ); ?></label> 864 876 </div> 865 877 … … 873 885 <?php 874 886 /* translators: %s: the date the activity was submitted on */ 875 printf( __( 'Submitted on: %s', 'buddypress' ), '<strong>' . $date. '</strong>' );887 printf( esc_html__( 'Submitted on: %s', 'buddypress' ), '<strong>' . esc_html( $date ) . 
'</strong>' ); 876 888 ?> 877 </span> <a href="#edit_timestamp" class="edit-timestamp hide-if-no-js" tabindex='4'><?php _e( 'Edit', 'buddypress' ); ?></a>889 </span> <a href="#edit_timestamp" class="edit-timestamp hide-if-no-js" tabindex='4'><?php esc_html_e( 'Edit', 'buddypress' ); ?></a> 878 890 879 891 <div id='timestampdiv' class='hide-if-js'> … … 912 924 ?> 913 925 914 <label class="screen-reader-text" for="bp-activities-link"><?php 915 /* translators: accessibility text */ 916 _e( 'Link', 'buddypress' ); 917 ?></label> 926 <label class="screen-reader-text" for="bp-activities-link"> 927 <?php 928 /* translators: accessibility text */ 929 esc_html_e( 'Link', 'buddypress' ); 930 ?> 931 </label> 918 932 <input type="url" name="bp-activities-link" id="bp-activities-link" value="<?php echo esc_url( $item->primary_link ); ?>" aria-describedby="bp-activities-link-description" /> 919 <p id="bp-activities-link-description"><?php _e( 'Activity generated by posts and comments uses the link field for a permalink back to the content item.', 'buddypress' ); ?></p>933 <p id="bp-activities-link-description"><?php esc_html_e( 'Activity generated by posts and comments uses the link field for a permalink back to the content item.', 'buddypress' ); ?></p> 920 934 921 935 <?php … … 932 946 ?> 933 947 934 <label class="screen-reader-text" for="bp-activities-userid"><?php 935 /* translators: accessibility text */ 936 _e( 'Author ID', 'buddypress' ); 937 ?></label> 948 <label class="screen-reader-text" for="bp-activities-userid"> 949 <?php 950 /* translators: accessibility text */ 951 esc_html_e( 'Author ID', 'buddypress' ); 952 ?> 953 </label> 938 954 <input type="number" name="bp-activities-userid" id="bp-activities-userid" value="<?php echo esc_attr( $item->user_id ); ?>" min="1" /> 939 955 … … 1020 1036 sprintf( 1021 1037 /* translators: %s: the name of the activity type */ 1022 __( 'This activity item has a type (%s) that is not registered using bp_activity_set_action(), so no 
label is available.', 'buddypress' ),1023 $selected1038 esc_html__( 'This activity item has a type (%s) that is not registered using bp_activity_set_action(), so no label is available.', 'buddypress' ), 1039 esc_html( $selected ) 1024 1040 ), 1025 1041 '2.0.0' … … 1031 1047 ?> 1032 1048 1033 <label for="bp-activities-type" class="screen-reader-text"><?php 1034 /* translators: accessibility text */ 1035 esc_html_e( 'Select activity type', 'buddypress' ); 1036 ?></label> 1049 <label for="bp-activities-type" class="screen-reader-text"> 1050 <?php 1051 /* translators: accessibility text */ 1052 esc_html_e( 'Select activity type', 'buddypress' ); 1053 ?> 1054 </label> 1037 1055 <select name="bp-activities-type" id="bp-activities-type"> 1038 1056 <?php foreach ( $actions as $k => $v ) : ?> … … 1054 1072 ?> 1055 1073 1056 <label for="bp-activities-primaryid"><?php _e( 'Primary Item ID', 'buddypress' ); ?></label>1074 <label for="bp-activities-primaryid"><?php esc_html_e( 'Primary Item ID', 'buddypress' ); ?></label> 1057 1075 <input type="number" name="bp-activities-primaryid" id="bp-activities-primaryid" value="<?php echo esc_attr( $item->item_id ); ?>" min="0" /> 1058 1076 <br /> 1059 1077 1060 <label for="bp-activities-secondaryid"><?php _e( 'Secondary Item ID', 'buddypress' ); ?></label>1078 <label for="bp-activities-secondaryid"><?php esc_html_e( 'Secondary Item ID', 'buddypress' ); ?></label> 1061 1079 <input type="number" name="bp-activities-secondaryid" id="bp-activities-secondaryid" value="<?php echo esc_attr( $item->secondary_item_id ); ?>" min="0" /> 1062 1080 1063 <p><?php _e( 'These identify the object that created this activity. For example, the fields could reference a pair of site and comment IDs.', 'buddypress' ); ?></p>1081 <p><?php esc_html_e( 'These identify the object that created this activity. 
For example, the fields could reference a pair of site and comment IDs.', 'buddypress' ); ?></p> 1064 1082 1065 1083 <?php … … 1156 1174 <?php 1157 1175 /* translators: %s: the activity ID */ 1158 printf( __( 'Activity related to ID #%s', 'buddypress' ), number_format_i18n( (int) $_REQUEST['aid']) );1176 printf( esc_html__( 'Activity related to ID #%s', 'buddypress' ), esc_html( number_format_i18n( (int) $_REQUEST['aid'] ) ) ); 1159 1177 ?> 1160 1178 <?php else : ?> 1161 <?php _ex( 'Activity', 'Admin SWA page', 'buddypress' ); ?>1179 <?php echo esc_html_x( 'Activity', 'Admin SWA page', 'buddypress' ); ?> 1162 1180 <?php endif; ?> 1163 1181 … … 1166 1184 <?php 1167 1185 /* translators: %s: the activity search terms */ 1168 printf( __( 'Search results for “%s”', 'buddypress' ), wp_html_excerpt( esc_html( stripslashes( $_REQUEST['s'] ) ), 50 ) );1186 printf( esc_html__( 'Search results for “%s”', 'buddypress' ), esc_html( wp_html_excerpt( stripslashes( $_REQUEST['s'] ) ), 50 ) ); 1169 1187 ?> 1170 1188 </span> … … 1176 1194 <?php // If the user has just made a change to an activity item, display the status messages. ?> 1177 1195 <?php if ( !empty( $messages ) ) : ?> 1178 <div id="moderated" class="<?php echo ( ! empty( $_REQUEST['error'] ) ) ? 'error' : 'updated'; ?> notice is-dismissible"><p><?php echo implode( "<br/>\n", $messages); ?></p></div>1196 <div id="moderated" class="<?php echo ( ! empty( $_REQUEST['error'] ) ) ? 
'error' : 'updated'; ?> notice is-dismissible"><p><?php echo implode( "<br/>\n", array_map( 'esc_html', $messages ) ); ?></p></div> 1179 1197 <?php endif; ?> 1180 1198 … … 1183 1201 1184 1202 <form id="bp-activities-form" action="" method="get"> 1185 <?php $bp_activity_list_table->search_box( __( 'Search all Activity', 'buddypress' ), 'bp-activity' ); ?>1203 <?php $bp_activity_list_table->search_box( esc_html__( 'Search all Activity', 'buddypress' ), 'bp-activity' ); ?> 1186 1204 <input type="hidden" name="page" value="<?php echo esc_attr( $plugin_page ); ?>" /> 1187 1205 <?php $bp_activity_list_table->display(); ?> … … 1194 1212 <form method="get" action=""> 1195 1213 1196 <h3 id="bp-replyhead"><?php _e( 'Reply to Activity', 'buddypress' ); ?></h3> 1197 <label for="bp-activities" class="screen-reader-text"><?php 1198 /* translators: accessibility text */ 1199 _e( 'Reply', 'buddypress' ); 1200 ?></label> 1214 <h3 id="bp-replyhead"><?php esc_html_e( 'Reply to Activity', 'buddypress' ); ?></h3> 1215 <label for="bp-activities" class="screen-reader-text"> 1216 <?php 1217 /* translators: accessibility text */ 1218 esc_html_e( 'Reply', 'buddypress' ); 1219 ?> 1220 </label> 1201 1221 <?php wp_editor( '', 'bp-activities', array( 'dfw' => false, 'media_buttons' => false, 'quicktags' => array( 'buttons' => 'strong,em,link,block,del,ins,img,code,spell,close' ), 'tinymce' => false, ) ); ?> 1202 1222 1203 1223 <p id="bp-replysubmit" class="submit"> 1204 <a href="#" class="cancel button-secondary alignleft"><?php _e( 'Cancel', 'buddypress' ); ?></a>1205 <a href="#" class="save button-primary alignright"><?php _e( 'Reply', 'buddypress' ); ?></a>1224 <a href="#" class="cancel button-secondary alignleft"><?php esc_html_e( 'Cancel', 'buddypress' ); ?></a> 1225 <a href="#" class="save button-primary alignright"><?php esc_html_e( 'Reply', 'buddypress' ); ?></a> 1206 1226 1207 1227 <img class="waiting" style="display:none;" src="<?php echo esc_url( admin_url( 'images/wpspin_light.gif' 
) ); ?>" alt="" /> -
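Review bot: The search-results heading near the end of this section (new line 1186) now reads `esc_html( wp_html_excerpt( stripslashes( $_REQUEST['s'] ) ), 50 )`, so the `50` has moved from `wp_html_excerpt()` to `esc_html()`; `wp_html_excerpt()` takes its character count as a required second argument, so as far as I can tell this throws an ArgumentCountError as soon as an administrator searches the activity list, and even where it did not, the search term would no longer be truncated. The intended wrapping is `esc_html( wp_html_excerpt( stripslashes( $_REQUEST['s'] ), 50 ) )`. On the same theme, `search_box( esc_html__( 'Search all Activity', 'buddypress' ), ... )` hands pre-escaped text to a WordPress method that escapes it again for the button attribute, which is harmless for this string but worth knowing if the label ever contains an ampersand or quote. The function enclosing that hunk starts and ends outside this section.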
trunk/src/bp-activity/bp-activity-embeds.php
r13743 r13816 73 73 // Grab contents of CSS file and do some rudimentary CSS protection. 74 74 $css = file_get_contents( $css['file'] ); 75 $css = wp_kses( $css, array( "\'", '\"' ) ); 76 77 printf( '<style type="text/css">%s</style>', $css ); 75 76 printf( '<style type="text/css">%s</style>', wp_kses( $css, array( "\'", '\"' ) ) ); 78 77 } 79 78 add_action( 'embed_head', 'bp_activity_embed_add_inline_styles', 20 ); … … 122 121 */ 123 122 function bp_activity_embed_excerpt( $content = '' ) { 123 // Escaping is made in `bp-activity/bp-activity-filters.php`. 124 // phpcs:ignore WordPress.Security.EscapeOutput 124 125 echo bp_activity_get_embed_excerpt( $content ); 125 126 } … … 318 319 printf( '<div class="bp-activity-embed-display-media %s" style="max-width:%spx">%s</div>', 319 320 $thumb_width < $float_width ? 'two-col' : 'one-col', 320 $thumb_width < $float_width ? $width : $thumb_width, 321 $thumb_width < $float_width ? intval( $width ) : intval( $thumb_width ), 322 // phpcs:ignore WordPress.Security.EscapeOutput 321 323 $content 322 324 ); -
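Review bot: The rewritten `printf()` in `bp_activity_embed_add_inline_styles()` keeps `wp_kses( $css, array( "\'", '\"' ) )` whose allowed-tags argument is opaque: as far as I can tell neither `\'` nor `\"` is a tag name, so the practical effect is to strip every HTML tag from the stylesheet (which is what stops a stray `</style>` in the file from closing the element), yet the comment only says "rudimentary CSS protection". Since the line was touched, replace the comment with `// Strip all HTML tags so the file contents cannot close the <style> element; the CSS itself is not validated further.` and, if those two array values carry no meaning, pass the explicit `array()` instead so the intent is visible. Note that `file_get_contents()` returning `false` is still not checked before the output; `wp_kses()` will simply emit an empty block in that case, which may be acceptable but is undocumented.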
trunk/src/bp-activity/bp-activity-notifications.php
r13503 r13816 393 393 $reply = 'yes'; 394 394 } 395 396 395 ?> 397 396 … … 400 399 <tr> 401 400 <th class="icon"> </th> 402 <th class="title"><?php _e( 'Activity', 'buddypress' ) ?></th>403 <th class="yes"><?php _e( 'Yes', 'buddypress' ) ?></th>404 <th class="no"><?php _e( 'No', 'buddypress' )?></th>401 <th class="title"><?php esc_html_e( 'Activity', 'buddypress' ) ?></th> 402 <th class="yes"><?php esc_html_e( 'Yes', 'buddypress' ) ?></th> 403 <th class="no"><?php esc_html_e( 'No', 'buddypress' )?></th> 405 404 </tr> 406 405 </thead> … … 413 412 <?php 414 413 /* translators: %s: the displayed user username */ 415 printf( __( 'A member mentions you in an update using "@%s"', 'buddypress' ), bp_members_get_user_slug( bp_displayed_user_id() ) );414 printf( esc_html__( 'A member mentions you in an update using "@%s"', 'buddypress' ), esc_html( bp_members_get_user_slug( bp_displayed_user_id() ) ) ); 416 415 ?> 417 416 </td> 418 <td class="yes"><input type="radio" name="notifications[notification_activity_new_mention]" id="notification-activity-new-mention-yes" value="yes" <?php checked( $mention, 'yes', true ) ?>/><label for="notification-activity-new-mention-yes" class="bp-screen-reader-text"><?php 419 /* translators: accessibility text */ 420 esc_html_e( 'Yes, send email', 'buddypress' ); 421 ?></label></td> 422 <td class="no"><input type="radio" name="notifications[notification_activity_new_mention]" id="notification-activity-new-mention-no" value="no" <?php checked( $mention, 'no', true ) ?>/><label for="notification-activity-new-mention-no" class="bp-screen-reader-text"><?php 423 /* translators: accessibility text */ 424 esc_html_e( 'No, do not send email', 'buddypress' ); 425 ?></label></td> 417 <td class="yes"> 418 <input type="radio" name="notifications[notification_activity_new_mention]" id="notification-activity-new-mention-yes" value="yes" <?php checked( $mention, 'yes', true ) ?>/> 419 <label for="notification-activity-new-mention-yes" 
class="bp-screen-reader-text"> 420 <?php 421 /* translators: accessibility text */ 422 esc_html_e( 'Yes, send email', 'buddypress' ); 423 ?> 424 </label> 425 </td> 426 <td class="no"><input type="radio" name="notifications[notification_activity_new_mention]" id="notification-activity-new-mention-no" value="no" <?php checked( $mention, 'no', true ) ?>/> 427 <label for="notification-activity-new-mention-no" class="bp-screen-reader-text"> 428 <?php 429 /* translators: accessibility text */ 430 esc_html_e( 'No, do not send email', 'buddypress' ); 431 ?> 432 </label> 433 </td> 426 434 </tr> 427 435 <?php endif; ?> … … 429 437 <tr id="activity-notification-settings-replies"> 430 438 <td> </td> 431 <td><?php _e( "A member replies to an update or comment you've posted", 'buddypress' ) ?></td> 432 <td class="yes"><input type="radio" name="notifications[notification_activity_new_reply]" id="notification-activity-new-reply-yes" value="yes" <?php checked( $reply, 'yes', true ) ?>/><label for="notification-activity-new-reply-yes" class="bp-screen-reader-text"><?php 433 /* translators: accessibility text */ 434 esc_html_e( 'Yes, send email', 'buddypress' ); 435 ?></label></td> 436 <td class="no"><input type="radio" name="notifications[notification_activity_new_reply]" id="notification-activity-new-reply-no" value="no" <?php checked( $reply, 'no', true ) ?>/><label for="notification-activity-new-reply-no" class="bp-screen-reader-text"><?php 437 /* translators: accessibility text */ 438 esc_html_e( 'No, do not send email', 'buddypress' ); 439 ?></label></td> 439 <td><?php esc_html_e( "A member replies to an update or comment you've posted", 'buddypress' ) ?></td> 440 <td class="yes"> 441 <input type="radio" name="notifications[notification_activity_new_reply]" id="notification-activity-new-reply-yes" value="yes" <?php checked( $reply, 'yes', true ) ?>/> 442 <label for="notification-activity-new-reply-yes" class="bp-screen-reader-text"> 443 <?php 444 /* translators: accessibility 
text */ 445 esc_html_e( 'Yes, send email', 'buddypress' ); 446 ?> 447 </label> 448 </td> 449 <td class="no"><input type="radio" name="notifications[notification_activity_new_reply]" id="notification-activity-new-reply-no" value="no" <?php checked( $reply, 'no', true ) ?>/> 450 <label for="notification-activity-new-reply-no" class="bp-screen-reader-text"> 451 <?php 452 /* translators: accessibility text */ 453 esc_html_e( 'No, do not send email', 'buddypress' ); 454 ?> 455 </label> 456 </td> 440 457 </tr> 441 458 -
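Review bot: The reformatted notification rows are not internally consistent: new lines 417-425 and 440-448 put the `<input>` on its own line inside `<td class="yes">`, while lines 426 and 449 keep the `<input>` on the `<td class="no">` line, and the header cell on line 403 is written `<?php esc_html_e( 'No', 'buddypress' )?>` without the space before `?>` that its siblings have. Since the whole table was touched, make the four cells follow one layout and write the three header cells as `<?php esc_html_e( 'No', 'buddypress' ); ?>` (with the terminating semicolon, as the rest of the file does). The change from `__()`/`_e()` to `esc_html_e()` and the added `esc_html()` around `bp_members_get_user_slug()` look correct; `$mention` and `$reply` are assigned above the visible section.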
trunk/src/bp-activity/bp-activity-template.php
r13757 r13816 18 18 */ 19 19 function bp_activity_slug() { 20 echo bp_get_activity_slug();20 echo esc_url( bp_get_activity_slug() ); 21 21 } 22 22 /** … … 47 47 */ 48 48 function bp_activity_root_slug() { 49 echo bp_get_activity_root_slug();49 echo esc_url( bp_get_activity_root_slug() ); 50 50 } 51 51 /** … … 458 458 */ 459 459 function bp_activity_pagination_count() { 460 echo bp_get_activity_pagination_count();460 echo esc_html( bp_get_activity_pagination_count() ); 461 461 } 462 462 … … 495 495 */ 496 496 function bp_activity_pagination_links() { 497 // Escaping is done in WordPress's `paginate_links()` function. 498 // phpcs:ignore WordPress.Security.EscapeOutput 497 499 echo bp_get_activity_pagination_links(); 498 500 } … … 561 563 */ 562 564 function bp_activity_count() { 563 echo bp_get_activity_count();565 echo intval( bp_get_activity_count() ); 564 566 } 565 567 … … 593 595 */ 594 596 function bp_activity_per_page() { 595 echo bp_get_activity_per_page();597 echo intval( bp_get_activity_per_page() ); 596 598 } 597 599 … … 625 627 */ 626 628 function bp_activity_id() { 627 echo bp_get_activity_id();629 echo intval( bp_get_activity_id() ); 628 630 } 629 631 … … 657 659 */ 658 660 function bp_activity_item_id() { 659 echo bp_get_activity_item_id();661 echo intval( bp_get_activity_item_id() ); 660 662 } 661 663 … … 689 691 */ 690 692 function bp_activity_secondary_item_id() { 691 echo bp_get_activity_secondary_item_id();693 echo intval( bp_get_activity_secondary_item_id() ); 692 694 } 693 695 … … 721 723 */ 722 724 function bp_activity_date_recorded() { 723 echo bp_get_activity_date_recorded();725 echo esc_html( bp_get_activity_date_recorded() ); 724 726 } 725 727 … … 753 755 */ 754 756 function bp_activity_member_display_name() { 755 echo bp_get_activity_member_display_name();757 echo esc_html( bp_get_activity_member_display_name() ); 756 758 } 757 759 … … 789 791 */ 790 792 function bp_activity_object_name() { 791 echo bp_get_activity_object_name();793 echo 
esc_html( bp_get_activity_object_name() ); 792 794 } 793 795 … … 821 823 */ 822 824 function bp_activity_type() { 823 echo bp_get_activity_type();825 echo esc_html( bp_get_activity_type() ); 824 826 } 825 827 … … 878 880 * 879 881 */ 880 function bp_activity_action_name() { echobp_activity_type(); }882 function bp_activity_action_name() { bp_activity_type(); } 881 883 882 884 /** … … 902 904 */ 903 905 function bp_activity_user_id() { 904 echo bp_get_activity_user_id();906 echo intval( bp_get_activity_user_id() ); 905 907 } 906 908 … … 934 936 */ 935 937 function bp_activity_user_link() { 936 echo bp_get_activity_user_link();938 echo esc_url( bp_get_activity_user_link() ); 937 939 } 938 940 … … 975 977 */ 976 978 function bp_activity_avatar( $args = '' ) { 979 // phpcs:ignore WordPress.Security.EscapeOutput 977 980 echo bp_get_activity_avatar( $args ); 978 981 } … … 1016 1019 1017 1020 // Prepend some descriptive text to alt. 1018 $alt_default = __( 'Profile picture', 'buddypress' );1021 $alt_default = esc_html__( 'Profile picture', 'buddypress' ); 1019 1022 if ( ! empty( $dn_default ) ) { 1020 1023 /* translators: %s: member name */ 1021 $alt_default = sprintf( __( 'Profile picture of %s', 'buddypress' ), $dn_default );1024 $alt_default = sprintf( esc_html__( 'Profile picture of %s', 'buddypress' ), $dn_default ); 1022 1025 } 1023 1026 … … 1035 1038 ); 1036 1039 1037 extract( $r, EXTR_SKIP ); 1038 1039 if ( !isset( $height ) && !isset( $width ) ) { 1040 if ( ! isset( $r['height'] ) && ! isset( $r['width'] ) ) { 1040 1041 1041 1042 // Backpat. 1042 1043 if ( isset( $bp->avatar->full->height ) || isset( $bp->avatar->thumb->height ) ) { 1043 $ height = ( 'full' == $type) ? $bp->avatar->full->height : $bp->avatar->thumb->height;1044 $r['height'] = ( 'full' == $r['type'] ) ? $bp->avatar->full->height : $bp->avatar->thumb->height; 1044 1045 } else { 1045 $ height= 20;1046 $r['height'] = 20; 1046 1047 } 1047 1048 1048 1049 // Backpat. 
1049 1050 if ( isset( $bp->avatar->full->width ) || isset( $bp->avatar->thumb->width ) ) { 1050 $ width = ( 'full' == $type) ? $bp->avatar->full->width : $bp->avatar->thumb->width;1051 $r['width'] = ( 'full' == $r['type'] ) ? $bp->avatar->full->width : $bp->avatar->thumb->width; 1051 1052 } else { 1052 $ width= 20;1053 $r['width'] = 20; 1053 1054 } 1054 1055 } … … 1066 1067 */ 1067 1068 $object = apply_filters( 'bp_get_activity_avatar_object_' . $current_activity_item->component, 'user' ); 1068 $item_id = !empty( $user_id ) ? $user_id : $current_activity_item->user_id; 1069 $item_id = $current_activity_item->user_id; 1070 1071 if ( ! empty( $r['user_id'] ) ) { 1072 $item_id = (int) $r['user_id']; 1073 } 1069 1074 1070 1075 /** … … 1078 1083 1079 1084 // If this is a user object pass the users' email address for Gravatar so we don't have to prefetch it. 1080 if ( 'user' == $object && empty( $ user_id ) && empty( $email) && isset( $current_activity_item->user_email ) ) {1081 $ email= $current_activity_item->user_email;1085 if ( 'user' == $object && empty( $r['user_id'] ) && empty( $r['email'] ) && isset( $current_activity_item->user_email ) ) { 1086 $r['email'] = $current_activity_item->user_email; 1082 1087 } 1083 1088 … … 1089 1094 * @param array $value HTML image element containing the activity avatar. 
1090 1095 */ 1091 return apply_filters( 'bp_get_activity_avatar', bp_core_fetch_avatar( array( 1092 'item_id' => $item_id, 1093 'object' => $object, 1094 'type' => $type, 1095 'alt' => $alt, 1096 'class' => $class, 1097 'width' => $width, 1098 'height' => $height, 1099 'email' => $email 1100 ) ) ); 1096 return apply_filters( 'bp_get_activity_avatar', 1097 bp_core_fetch_avatar( 1098 array( 1099 'item_id' => $item_id, 1100 'object' => $object, 1101 'type' => $r['type'], 1102 'alt' => $r['alt'], 1103 'class' => $r['class'], 1104 'width' => $r['width'], 1105 'height' => $r['height'], 1106 'email' => $r['email'], 1107 ) 1108 ) 1109 ); 1101 1110 } 1102 1111 … … 1111 1120 */ 1112 1121 function bp_activity_secondary_avatar( $args = '' ) { 1122 // phpcs:ignore WordPress.Security.EscapeOutput 1113 1123 echo bp_get_activity_secondary_avatar( $args ); 1114 1124 } … … 1151 1161 ); 1152 1162 1153 extract( $r, EXTR_SKIP );1154 1155 1163 // Set item_id and object (default to user). 1156 1164 switch ( $activities_template->activity->component ) { … … 1172 1180 } 1173 1181 1174 if ( empty( $ alt) ) {1175 $ alt =__( 'Group logo', 'buddypress' );1182 if ( empty( $r['alt'] ) ) { 1183 $r['alt'] = esc_html__( 'Group logo', 'buddypress' ); 1176 1184 1177 1185 if ( ! 
empty( $name ) ) { 1178 1186 /* translators: %s: the Group name */ 1179 $ alt = sprintf(__( 'Group logo of %s', 'buddypress' ), $name );1187 $r['alt'] = sprintf( esc_html__( 'Group logo of %s', 'buddypress' ), $name ); 1180 1188 } 1181 1189 } … … 1187 1195 $link = home_url(); 1188 1196 1189 if ( empty( $ alt) ) {1197 if ( empty( $r['alt'] ) ) { 1190 1198 /* translators: %s: the blog name */ 1191 $ alt = sprintf( __( 'Profile picture of the author of the site %s', 'buddypress' ), get_blog_option( $item_id, 'blogname') );1199 $r['alt'] = sprintf( esc_html__( 'Profile picture of the author of the site %s', 'buddypress' ), esc_html( get_blog_option( $item_id, 'blogname' ) ) ); 1192 1200 } 1193 1201 … … 1198 1206 $link = bp_core_get_userlink( $item_id, false, true ); 1199 1207 1200 if ( empty( $ alt) ) {1208 if ( empty( $r['alt'] ) ) { 1201 1209 /* translators: %s: member name */ 1202 $ alt = sprintf(__( 'Profile picture of %s', 'buddypress' ), bp_core_get_user_displayname( $activities_template->activity->secondary_item_id ) );1210 $r['alt'] = sprintf( esc_html__( 'Profile picture of %s', 'buddypress' ), bp_core_get_user_displayname( $activities_template->activity->secondary_item_id ) ); 1203 1211 } 1204 1212 1205 1213 break; 1206 1214 default : 1207 $object = 'user';1208 $item_id = $activities_template->activity->user_id;1209 $ email= $activities_template->activity->user_email;1210 $link = bp_core_get_userlink( $item_id, false, true );1211 1212 if ( empty( $ alt) ) {1215 $object = 'user'; 1216 $item_id = $activities_template->activity->user_id; 1217 $r['email'] = $activities_template->activity->user_email; 1218 $link = bp_core_get_userlink( $item_id, false, true ); 1219 1220 if ( empty( $r['alt'] ) ) { 1213 1221 /* translators: %s: member name */ 1214 $ alt = sprintf( __( 'Profile picture of %s', 'buddypress' ), $activities_template->activity->display_name);1222 $r['alt'] = sprintf( esc_html__( 'Profile picture of %s', 'buddypress' ), esc_html( 
$activities_template->activity->display_name ) ); 1215 1223 } 1216 1224 … … 1229 1237 * @param string $object Component being displayed. 1230 1238 */ 1231 $object 1239 $object = apply_filters( 'bp_get_activity_secondary_avatar_object_' . $activities_template->activity->component, $object ); 1232 1240 1233 1241 /** … … 1246 1254 1247 1255 // Get the avatar. 1248 $avatar = bp_core_fetch_avatar( array( 1249 'item_id' => $item_id, 1250 'object' => $object, 1251 'type' => $type, 1252 'alt' => $alt, 1253 'class' => $class, 1254 'width' => $width, 1255 'height' => $height, 1256 'email' => $email 1257 ) ); 1258 1259 if ( !empty( $linked ) ) { 1256 $avatar = bp_core_fetch_avatar( 1257 array( 1258 'item_id' => $item_id, 1259 'object' => $object, 1260 'type' => $r['type'], 1261 'alt' => $r['alt'], 1262 'class' => $r['class'], 1263 'width' => $r['width'], 1264 'height' => $r['height'], 1265 'email' => $r['email'], 1266 ) 1267 ); 1268 1269 if ( ! empty( $r['linked'] ) ) { 1260 1270 1261 1271 /** … … 1279 1289 1280 1290 return sprintf( '<a href="%s" class="%s">%s</a>', 1281 $link,1282 $link_class,1291 esc_url( $link ), 1292 esc_attr( $r['link_class'] ), 1283 1293 $avatar 1284 1294 ); … … 1297 1307 */ 1298 1308 function bp_activity_action( $args = array() ) { 1299 echo bp_get_activity_action( $args ); 1309 echo wp_kses( 1310 bp_get_activity_action( $args ), 1311 array( 1312 'p' => true, 1313 'a' => array( 1314 'href' => true, 1315 'class' => true, 1316 'data-bp-tooltip' => true, 1317 ), 1318 'span' => array( 1319 'class' => true, 1320 ), 1321 'img' => array( 1322 'src' => true, 1323 'loading' => true, 1324 'class' => true, 1325 'alt' => true, 1326 'height' => true, 1327 'width' => true, 1328 ), 1329 ) 1330 ); 1300 1331 } 1301 1332 … … 1363 1394 */ 1364 1395 function bp_activity_content_body() { 1396 // Escaping is made in `bp-activity/bp-activity-filters.php`. 
1397 // phpcs:ignore WordPress.Security.EscapeOutput 1365 1398 echo bp_get_activity_content_body(); 1366 1399 } … … 1608 1641 */ 1609 1642 function bp_activity_generated_content_part( $property = '' ) { 1643 // phpcs:ignore WordPress.Security.EscapeOutput 1610 1644 echo bp_activity_get_generated_content_part( $property ); 1611 1645 } … … 1664 1698 */ 1665 1699 function bp_activity_content() { 1700 // Escaping is made in `bp-activity/bp-activity-filters.php`. 1701 // phpcs:ignore WordPress.Security.EscapeOutput 1666 1702 echo bp_get_activity_content(); 1667 1703 } … … 1842 1878 */ 1843 1879 function bp_activity_parent_content( $args = '' ) { 1844 echo bp_get_activity_parent_content($args); 1880 // Escaping is made in `bp-activity/bp-activity-filters.php`. 1881 // phpcs:ignore WordPress.Security.EscapeOutput 1882 echo bp_get_activity_parent_content( $args ); 1845 1883 } 1846 1884 … … 1906 1944 */ 1907 1945 function bp_activity_parent_user_id() { 1908 echo bp_get_activity_parent_user_id();1946 echo intval( bp_get_activity_parent_user_id() ); 1909 1947 } 1910 1948 … … 1959 1997 */ 1960 1998 function bp_activity_is_favorite() { 1999 // phpcs:ignore WordPress.Security.EscapeOutput 1961 2000 echo bp_get_activity_is_favorite(); 1962 2001 } … … 1999 2038 sprintf( 2000 2039 /* translators: 1: the name of the function. 2: the name of the file. */ 2001 __( '%1$s no longer accepts arguments. See the inline documentation at %2$s for more details.', 'buddypress' ),2040 esc_html__( '%1$s no longer accepts arguments. See the inline documentation at %2$s for more details.', 'buddypress' ), 2002 2041 __FUNCTION__, 2003 2042 __FILE__ … … 2006 2045 } 2007 2046 2047 // phpcs:ignore WordPress.Security.EscapeOutput 2008 2048 echo bp_activity_get_comments(); 2009 2049 } … … 2032 2072 sprintf( 2033 2073 /* translators: 1: the name of the function. 2: the name of the file. */ 2034 __( '%1$s no longer accepts arguments. 
See the inline documentation at %2$s for more details.', 'buddypress' ),2074 esc_html__( '%1$s no longer accepts arguments. See the inline documentation at %2$s for more details.', 'buddypress' ), 2035 2075 __FUNCTION__, 2036 2076 __FILE__ … … 2070 2110 } 2071 2111 2072 /** 2073 * Filters the opening tag for the template that lists activity comments. 2074 * 2075 * @since 1.6.0 2076 * 2077 * @param string $value Opening tag for the HTML markup to use. 2078 */ 2079 echo apply_filters( 'bp_activity_recurse_comments_start_ul', '<ul>' ); 2112 // phpcs:ignore WordPress.Security.EscapeOutput 2113 echo apply_filters( 2114 /** 2115 * Filters the opening tag for the template that lists activity comments. 2116 * 2117 * @since 1.6.0 2118 * 2119 * @param string $value Opening tag for the HTML markup to use. 2120 */ 2121 'bp_activity_recurse_comments_start_ul', 2122 '<ul>' 2123 ); 2124 2080 2125 foreach ( (array) $comment->children as $comment_child ) { 2081 2126 … … 2108 2153 } 2109 2154 2110 /** 2111 * Filters the closing tag for the template that list activity comments. 2112 * 2113 * @since 1.6.0 2114 * 2115 * @param string $value Closing tag for the HTML markup to use. 2116 */ 2117 echo apply_filters( 'bp_activity_recurse_comments_end_ul', '</ul>' ); 2155 // phpcs:ignore WordPress.Security.EscapeOutput 2156 echo apply_filters( 2157 /** 2158 * Filters the closing tag for the template that list activity comments. 2159 * 2160 * @since 1.6.0 2161 * 2162 * @param string $value Closing tag for the HTML markup to use. 
2163 */ 2164 'bp_activity_recurse_comments_end_ul', 2165 '</ul>' 2166 ); 2118 2167 } 2119 2168 … … 2153 2202 */ 2154 2203 function bp_activity_comment_id() { 2155 echo bp_get_activity_comment_id();2204 echo intval( bp_get_activity_comment_id() ); 2156 2205 } 2157 2206 … … 2188 2237 */ 2189 2238 function bp_activity_comment_user_id() { 2190 echo bp_get_activity_comment_user_id();2239 echo intval( bp_get_activity_comment_user_id() ); 2191 2240 } 2192 2241 … … 2223 2272 */ 2224 2273 function bp_activity_comment_user_link() { 2225 echo bp_get_activity_comment_user_link();2274 echo esc_url( bp_get_activity_comment_user_link() ); 2226 2275 } 2227 2276 … … 2254 2303 */ 2255 2304 function bp_activity_comment_name() { 2256 echo bp_get_activity_comment_name();2305 echo esc_html( bp_get_activity_comment_name() ); 2257 2306 } 2258 2307 … … 2296 2345 */ 2297 2346 function bp_activity_comment_date_recorded() { 2298 echo bp_get_activity_comment_date_recorded();2347 echo esc_html( bp_get_activity_comment_date_recorded() ); 2299 2348 } 2300 2349 … … 2327 2376 */ 2328 2377 function bp_activity_comment_date_recorded_raw() { 2329 echo bp_get_activity_comment_date_recorded_raw();2378 echo esc_html( bp_get_activity_comment_date_recorded_raw() ); 2330 2379 } 2331 2380 … … 2360 2409 */ 2361 2410 function bp_activity_comment_delete_link() { 2362 echo bp_get_activity_comment_delete_link();2411 echo esc_url( bp_get_activity_comment_delete_link() ); 2363 2412 } 2364 2413 … … 2399 2448 */ 2400 2449 function bp_activity_comment_content() { 2450 // Escaping is made in `bp-activity/bp-activity-filters.php`. 2451 // phpcs:ignore WordPress.Security.EscapeOutput 2401 2452 echo bp_get_activity_comment_content(); 2402 2453 } … … 2441 2492 */ 2442 2493 function bp_activity_comment_count() { 2443 echo bp_activity_get_comment_count();2494 echo intval( bp_activity_get_comment_count() ); 2444 2495 } 2445 2496 … … 2464 2515 sprintf( 2465 2516 /* translators: 1: the name of the function. 
2: the name of the file. */ 2466 __( '%1$s no longer accepts arguments. See the inline documentation at %2$s for more details.', 'buddypress' ),2517 esc_html__( '%1$s no longer accepts arguments. See the inline documentation at %2$s for more details.', 'buddypress' ), 2467 2518 __FUNCTION__, 2468 2519 __FILE__ … … 2534 2585 */ 2535 2586 function bp_activity_comment_depth( $comment = 0 ) { 2536 echo bp_activity_get_comment_depth( $comment);2587 echo intval( bp_activity_get_comment_depth( $comment ) ); 2537 2588 } 2538 2589 … … 2601 2652 */ 2602 2653 function bp_activity_comment_link() { 2603 echo bp_get_activity_comment_link();2654 echo esc_url( bp_get_activity_comment_link() ); 2604 2655 } 2605 2656 … … 2648 2699 */ 2649 2700 function bp_activity_comment_form_nojs_display() { 2701 // phpcs:ignore WordPress.Security.EscapeOutput 2650 2702 echo bp_get_activity_comment_form_nojs_display(); 2651 2703 } … … 2752 2804 */ 2753 2805 function bp_activity_permalink_id() { 2754 echo bp_get_activity_permalink_id();2806 echo esc_html( bp_get_activity_permalink_id() ); 2755 2807 } 2756 2808 … … 2853 2905 */ 2854 2906 function bp_activity_favorite_link() { 2855 echo bp_get_activity_favorite_link();2907 echo esc_url( bp_get_activity_favorite_link() ); 2856 2908 } 2857 2909 … … 2895 2947 */ 2896 2948 function bp_activity_unfavorite_link() { 2897 echo bp_get_activity_unfavorite_link();2949 echo esc_url( bp_get_activity_unfavorite_link() ); 2898 2950 } 2899 2951 … … 2937 2989 */ 2938 2990 function bp_activity_css_class() { 2939 echo bp_get_activity_css_class();2991 echo esc_attr( bp_get_activity_css_class() ); 2940 2992 } 2941 2993 … … 2995 3047 */ 2996 3048 function bp_activity_delete_link() { 3049 // phpcs:ignore WordPress.Security.EscapeOutput 2997 3050 echo bp_get_activity_delete_link(); 2998 3051 } … … 3020 3073 } 3021 3074 3022 $link = '<a href="' . esc_url( $url ) . '" class="button item-button bp-secondary-action ' . $class . 
' confirm" rel="nofollow">' .__( 'Delete', 'buddypress' ) . '</a>';3075 $link = '<a href="' . esc_url( $url ) . '" class="button item-button bp-secondary-action ' . esc_attr( $class ) . ' confirm" rel="nofollow">' . esc_html__( 'Delete', 'buddypress' ) . '</a>'; 3023 3076 3024 3077 /** … … 3096 3149 */ 3097 3150 function bp_activity_latest_update( $user_id = 0 ) { 3151 // Escaping is made in `bp-activity/bp-activity-filters.php`. 3152 // phpcs:ignore WordPress.Security.EscapeOutput 3098 3153 echo bp_get_activity_latest_update( $user_id ); 3099 3154 } … … 3163 3218 */ 3164 3219 function bp_activity_filter_links( $args = false ) { 3220 // phpcs:ignore WordPress.Security.EscapeOutput 3165 3221 echo bp_get_activity_filter_links( $args ); 3166 3222 } … … 3201 3257 3202 3258 // Skip the activity comment filter. 3203 if ( 'activity' == $component ) {3259 if ( 'activity' === $component ) { 3204 3260 continue; 3205 3261 } 3206 3262 3207 if ( isset( $_GET['afilter'] ) && $component == $_GET['afilter'] ) {3263 if ( isset( $_GET['afilter'] ) && $component === $_GET['afilter'] ) { 3208 3264 $selected = ' class="selected"'; 3209 3265 } else { … … 3250 3306 3251 3307 if ( isset( $_GET['afilter'] ) ) { 3252 $component_links[] = '<' . $tag . ' id="afilter-clear"><a href="' . esc_url( $link ) . '">' . __( 'Clear Filter', 'buddypress' ) . '</a></' . $tag . '>';3308 $component_links[] = '<' . $tag . ' id="afilter-clear"><a href="' . esc_url( $link ) . '">' . esc_html__( 'Clear Filter', 'buddypress' ) . '</a></' . $tag . 
'>'; 3253 3309 } 3254 3310 … … 3378 3434 */ 3379 3435 function bp_total_favorite_count_for_user( $user_id = 0 ) { 3380 echo bp_get_total_favorite_count_for_user( $user_id);3436 echo intval( bp_get_total_favorite_count_for_user( $user_id ) ); 3381 3437 } 3382 3438 … … 3428 3484 */ 3429 3485 function bp_total_mention_count_for_user( $user_id = 0 ) { 3430 echo bp_get_total_mention_count_for_user( $user_id);3486 echo intval( bp_get_total_mention_count_for_user( $user_id ) ); 3431 3487 } 3432 3488 … … 3540 3596 */ 3541 3597 function bp_mentioned_user_display_name( $user_id_or_username = false ) { 3598 // phpcs:ignore WordPress.Security.EscapeOutput 3542 3599 echo bp_get_mentioned_user_display_name( $user_id_or_username ); 3543 3600 } … … 3559 3616 // If user somehow has no name, return this really lame string. 3560 3617 if ( empty( $name ) ) { 3561 $name = __( 'a user', 'buddypress' );3618 $name = esc_html__( 'a user', 'buddypress' ); 3562 3619 } 3563 3620 … … 3583 3640 */ 3584 3641 function bp_send_public_message_button( $args = '' ) { 3642 // Escaping is done in `BP_Core_HTML_Element()`. 3643 // phpcs:ignore WordPress.Security.EscapeOutput 3585 3644 echo bp_get_send_public_message_button( $args ); 3586 3645 } … … 3662 3721 */ 3663 3722 function bp_activity_post_form_action() { 3664 echo bp_get_activity_post_form_action();3723 echo esc_url( bp_get_activity_post_form_action() ); 3665 3724 } 3666 3725 … … 3734 3793 3735 3794 // Get avatar for this user. 3736 $image_html = bp_core_fetch_avatar( array( 3737 'item_id' => $user_id, 3738 'height' => $r['height'], 3739 'html' => $r['html'], 3740 'type' => $r['type'], 3741 'width' => $r['width'] 3742 ) ); 3795 $image_html = bp_core_fetch_avatar( 3796 array( 3797 'item_id' => $user_id, 3798 'height' => $r['height'], 3799 'html' => $r['html'], 3800 'type' => $r['type'], 3801 'width' => $r['width'] 3802 ) 3803 ); 3743 3804 3744 3805 // If user has link & avatar, add them to the output array. 
… … 3754 3815 } 3755 3816 3756 /** 3757 * Filters the list of linked avatars for users who have commented on the current activity item. 3758 * 3759 * @since 1.7.0 3760 * 3761 * @param string $retval HTML markup for the list of avatars. 3762 * @param array $r Array of arguments used for each avatar. 3763 * @param array $output Array of each avatar found, before imploded into single string. 3764 */ 3765 echo apply_filters( 'bp_activity_comments_user_avatars', $retval, $r, $output ); 3817 // phpcs:ignore WordPress.Security.EscapeOutput 3818 echo apply_filters( 3819 /** 3820 * Filters the list of linked avatars for users who have commented on the current activity item. 3821 * 3822 * @since 1.7.0 3823 * 3824 * @param string $retval HTML markup for the list of avatars. 3825 * @param array $r Array of arguments used for each avatar. 3826 * @param array $output Array of each avatar found, before imploded into single string. 3827 */ 3828 'bp_activity_comments_user_avatars', 3829 $retval, 3830 $r, 3831 $output 3832 ); 3766 3833 } 3767 3834 … … 3842 3909 */ 3843 3910 function bp_displayed_user_mentionname() { 3844 echo bp_get_displayed_user_mentionname();3911 echo esc_html( bp_get_displayed_user_mentionname() ); 3845 3912 } 3846 3913 /** … … 3900 3967 switch ( $output ) { 3901 3968 case 'select' : 3969 // phpcs:ignore WordPress.Security.EscapeOutput 3902 3970 printf( '<option value="%1$s" %2$s>%3$s</option>', esc_attr( $type ), $selected, esc_html( $description ) ); 3903 3971 break; 3904 3972 case 'checkbox' : 3973 // phpcs:ignore WordPress.Security.EscapeOutput 3905 3974 printf( '<label style="" for="%1$s[]">%2$s<input type="checkbox" id="%1$s[]" name="%1$s[]" value="%3$s" %4$s/></label>', esc_attr( $args['checkbox_name'] ), esc_html( $description ), esc_attr( $args['checkbox_name'] ), esc_attr( $args['checkbox_name'] ), esc_attr( $type ), $checked ); 3906 3975 break; … … 3938 4007 */ 3939 4008 function bp_sitewide_activity_feed_link() { 3940 echo 
bp_get_sitewide_activity_feed_link();4009 echo esc_url( bp_get_sitewide_activity_feed_link() ); 3941 4010 } 3942 4011 … … 4054 4123 */ 4055 4124 function bp_activity_feed_item_guid() { 4056 echo bp_get_activity_feed_item_guid();4125 echo esc_html( bp_get_activity_feed_item_guid() ); 4057 4126 } 4058 4127 … … 4086 4155 */ 4087 4156 function bp_activity_feed_item_title() { 4157 // phpcs:ignore WordPress.Security.EscapeOutput 4088 4158 echo bp_get_activity_feed_item_title(); 4089 4159 } … … 4135 4205 */ 4136 4206 function bp_activity_feed_item_link() { 4137 echo bp_get_activity_feed_item_link();4207 echo esc_url( bp_get_activity_feed_item_link() ); 4138 4208 } 4139 4209 … … 4171 4241 */ 4172 4242 function bp_activity_feed_item_date() { 4173 echo bp_get_activity_feed_item_date();4243 echo esc_html( bp_get_activity_feed_item_date() ); 4174 4244 } 4175 4245 … … 4207 4277 */ 4208 4278 function bp_activity_feed_item_description() { 4279 // Escaping is made in `bp-activity/bp-activity-filters.php`. 4280 // phpcs:ignore WordPress.Security.EscapeOutput 4209 4281 echo bp_get_activity_feed_item_description(); 4210 4282 } … … 4251 4323 ?> 4252 4324 4253 <link rel="alternate" type="application/rss+xml" title="<?php bloginfo( 'name' ) ?> | <?php _e( 'Site Wide Activity RSS Feed', 'buddypress' ) ?>" href="<?php bp_sitewide_activity_feed_link() ?>" />4325 <link rel="alternate" type="application/rss+xml" title="<?php bloginfo( 'name' ) ?> | <?php esc_html_e( 'Site Wide Activity RSS Feed', 'buddypress' ) ?>" href="<?php bp_sitewide_activity_feed_link() ?>" /> 4254 4326 4255 4327 <?php … … 4266 4338 */ 4267 4339 function bp_activity_show_filters( $context = '' ) { 4340 // phpcs:ignore WordPress.Security.EscapeOutput 4268 4341 echo bp_get_activity_show_filters( $context ); 4269 4342 } -
trunk/src/bp-activity/classes/class-bp-activity-feed.php
r13757 r13816 168 168 // Check if id is valid. 169 169 if ( empty( $this->id ) ) { 170 _doing_it_wrong( 'BP_Activity_Feed', __( "RSS feed 'id' must be defined", 'buddypress' ), 'BP 1.8' );170 _doing_it_wrong( 'BP_Activity_Feed', esc_html__( "RSS feed 'id' must be defined", 'buddypress' ), 'BP 1.8' ); 171 171 return false; 172 172 } … … 318 318 if ( 'activity_comment' == bp_get_activity_action_name() ) : 319 319 ?> 320 <strong><?php _e( 'In reply to', 'buddypress' ) ?></strong> -320 <strong><?php esc_html_e( 'In reply to', 'buddypress' ) ?></strong> - 321 321 <?php bp_activity_parent_content() ?> 322 322 <?php … … 414 414 protected function output() { 415 415 $this->http_headers(); 416 echo '<?xml version="1.0" encoding="' . get_option( 'blog_charset') . '"?'.'>';416 echo '<?xml version="1.0" encoding="' . esc_attr( get_option( 'blog_charset' ) ) . '"?'.'>'; 417 417 418 418 /** … … 440 440 441 441 <channel> 442 <title><?php echo $this->title; ?></title>443 <link><?php echo $this->link; ?></link>444 <atom:link href="<?php self_link(); ?>" rel="self" type="application/rss+xml" />445 <description><?php echo $this->description?></description>446 <lastBuildDate><?php echo mysql2date( 'D, d M Y H:i:s O', bp_activity_get_last_updated(), false); ?></lastBuildDate>447 <generator>https://buddypress.org/?v=<?php bp_version(); ?></generator>442 <title><?php echo esc_html( $this->title ); ?></title> 443 <link><?php echo esc_url( $this->link ); ?></link> 444 <atom:link href="<?php esc_url( self_link() ); ?>" rel="self" type="application/rss+xml" /> 445 <description><?php echo esc_html( $this->description ); ?></description> 446 <lastBuildDate><?php echo esc_html( mysql2date( 'D, d M Y H:i:s O', bp_activity_get_last_updated(), false ) ); ?></lastBuildDate> 447 <generator>https://buddypress.org/?v=<?php esc_html( bp_get_version() ); ?></generator> 448 448 <language><?php bloginfo_rss( 'language' ); ?></language> 449 <ttl><?php echo $this->ttl; ?></ttl>450 <sy:updatePeriod><?php 
echo $this->update_period; ?></sy:updatePeriod>451 <sy:updateFrequency><?php echo $this->update_frequency; ?></sy:updateFrequency>449 <ttl><?php echo esc_html( $this->ttl ); ?></ttl> 450 <sy:updatePeriod><?php echo esc_html( $this->update_period ); ?></sy:updatePeriod> 451 <sy:updateFrequency><?php echo esc_html( $this->update_frequency ); ?></sy:updateFrequency> 452 452 <?php 453 453 … … 463 463 <item> 464 464 <guid isPermaLink="false"><?php bp_activity_feed_item_guid(); ?></guid> 465 <title><?php echo stripslashes( bp_get_activity_feed_item_title() ); ?></title>465 <title><?php echo esc_html( stripslashes( bp_get_activity_feed_item_title() ) ); ?></title> 466 466 <link><?php bp_activity_thread_permalink() ?></link> 467 <pubDate><?php echo mysql2date( 'D, d M Y H:i:s O', bp_get_activity_feed_item_date(), false); ?></pubDate>467 <pubDate><?php echo esc_html( mysql2date( 'D, d M Y H:i:s O', bp_get_activity_feed_item_date(), false ) ); ?></pubDate> 468 468 469 469 <?php if ( bp_get_activity_feed_item_description() ) : ?> -
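Review bot: The `<generator>` line in output() now calls `esc_html( bp_get_version() )` with no `echo`, so nothing is printed and the feed emits `https://buddypress.org/?v=` with an empty version, whereas the replaced `bp_version()` echoed the value itself (assuming bp_get_version() returns the string like the other `bp_get_*` getters on this page). It should read `<generator>https://buddypress.org/?v=<?php echo esc_html( bp_get_version() ); ?></generator>`. On the `<atom:link>` line, `esc_url( self_link() )` wraps a function that echoes and returns nothing, so the wrapper escapes nothing; the plain `<?php self_link(); ?>` form says what actually happens (core's self_link() appears to escape its own output, which is worth confirming). The output() method begins and ends outside this hunk.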
trunk/src/bp-activity/classes/class-bp-activity-list-table.php
r13497 r13816 261 261 */ 262 262 function no_items() { 263 _e( 'No activities found.', 'buddypress' );263 esc_html_e( 'No activities found.', 'buddypress' ); 264 264 } 265 265 … … 272 272 $this->display_tablenav( 'top' ); ?> 273 273 274 <h2 class="screen-reader-text"><?php 275 /* translators: accessibility text */ 276 _e( 'Activities list', 'buddypress' ); 277 ?></h2> 278 279 <table class="wp-list-table <?php echo implode( ' ', $this->get_table_classes() ); ?>" cellspacing="0"> 274 <h2 class="screen-reader-text"> 275 <?php 276 /* translators: accessibility text */ 277 esc_html_e( 'Activities list', 'buddypress' ); 278 ?> 279 </h2> 280 281 <table class="wp-list-table <?php echo esc_attr( implode( ' ', $this->get_table_classes() ) ); ?>" cellspacing="0"> 280 282 <thead> 281 283 <tr> … … 309 311 static $even = false; 310 312 313 $row_classes = array(); 314 311 315 if ( $even ) { 312 $row_class = ' class="even"';316 $row_classes = array( 'even' ); 313 317 } else { 314 $row_class = ' class="alternate odd"';318 $row_classes = array( 'alternate', 'odd' ); 315 319 } 316 320 … … 321 325 } 322 326 323 echo '<tr' . $row_class . ' id="activity-' . esc_attr( $item['id'] ) . '" data-parent_id="' . esc_attr( $item['id'] ) . '" data-root_id="' . esc_attr( $root_id ) . '">'; 327 echo '<tr class="' . implode( ' ', array_map( 'sanitize_html_class', $row_classes ) ) . '" id="activity-' . esc_attr( $item['id'] ) . '" data-parent_id="' . esc_attr( $item['id'] ) . '" data-root_id="' . esc_attr( $root_id ) . '">'; 328 329 // Escapes are made into `self::single_row_columns()`. 
330 // phpcs:ignore WordPress.Security.EscapeOutput 324 331 echo $this->single_row_columns( $item ); 325 332 echo '</tr>'; … … 336 343 $url_base = add_query_arg( array( 'page' => 'bp-activity' ), bp_get_admin_url( 'admin.php' ) ); ?> 337 344 338 <h2 class="screen-reader-text"><?php 339 /* translators: accessibility text */ 340 esc_html_e( 'Filter activities list', 'buddypress' ); 341 ?></h2> 345 <h2 class="screen-reader-text"> 346 <?php 347 /* translators: accessibility text */ 348 esc_html_e( 'Filter activities list', 'buddypress' ); 349 ?> 350 </h2> 342 351 343 352 <ul class="subsubsub"> … … 349 358 sprintf( 350 359 '<span class="count">(%s)</span>', 351 number_format_i18n( $this->all_count)360 esc_html( number_format_i18n( $this->all_count ) ) 352 361 ) 353 362 ); ?> … … 361 370 sprintf( 362 371 '<span class="count">(%s)</span>', 363 number_format_i18n( $this->spam_count)372 esc_html( number_format_i18n( $this->spam_count ) ) 364 373 ) 365 374 ); ?> … … 398 407 * @param array $actions Default available actions for bulk operations. 399 408 */ 400 return apply_filters( 'bp_activity_list_table_get_bulk_actions', array( 401 'bulk_spam' => __( 'Mark as Spam', 'buddypress' ), 402 'bulk_ham' => __( 'Not Spam', 'buddypress' ), 403 'bulk_delete' => __( 'Delete Permanently', 'buddypress' ), 404 ) ); 409 return apply_filters( 'bp_activity_list_table_get_bulk_actions', 410 array( 411 'bulk_spam' => __( 'Mark as Spam', 'buddypress' ), 412 'bulk_ham' => __( 'Not Spam', 'buddypress' ), 413 'bulk_delete' => __( 'Delete Permanently', 'buddypress' ), 414 ) 415 ); 405 416 } 406 417 … … 423 434 * @param array $value Array of slugs and titles for the columns. 
424 435 */ 425 return apply_filters( 'bp_activity_list_table_get_columns', array( 426 'cb' => '<input name type="checkbox" />', 427 'author' => _x( 'Author', 'Admin SWA column header', 'buddypress' ), 428 'comment' => _x( 'Activity', 'Admin SWA column header', 'buddypress' ), 429 'action' => _x( 'Action', 'Admin SWA column header', 'buddypress' ), 430 'response' => _x( 'In Response To', 'Admin SWA column header', 'buddypress' ), 431 ) ); 436 return apply_filters( 'bp_activity_list_table_get_columns', 437 array( 438 'cb' => '<input name type="checkbox" />', 439 'author' => _x( 'Author', 'Admin SWA column header', 'buddypress' ), 440 'comment' => _x( 'Activity', 'Admin SWA column header', 'buddypress' ), 441 'action' => _x( 'Action', 'Admin SWA column header', 'buddypress' ), 442 'response' => _x( 'In Response To', 'Admin SWA column header', 'buddypress' ), 443 ) 444 ); 432 445 } 433 446 … … 472 485 473 486 <div class="alignleft actions"> 474 <label for="activity-type" class="screen-reader-text"><?php 475 /* translators: accessibility text */ 476 _e( 'Filter by activity type', 'buddypress' ); 477 ?></label> 487 <label for="activity-type" class="screen-reader-text"> 488 <?php 489 /* translators: accessibility text */ 490 esc_html_e( 'Filter by activity type', 'buddypress' ); 491 ?> 492 </label> 478 493 <select name="activity_type" id="activity-type"> 479 <option value="" <?php selected( ! $selected ); ?>><?php _e( 'View all actions', 'buddypress' ); ?></option>494 <option value="" <?php selected( ! $selected ); ?>><?php esc_html_e( 'View all actions', 'buddypress' ); ?></option> 480 495 481 496 <?php foreach ( $activity_actions as $component => $actions ) : ?> … … 573 588 function column_cb( $item ) { 574 589 /* translators: accessibility text */ 575 printf( '<label class="screen-reader-text" for="aid-%1$d">' . __( 'Select activity item %1$d', 'buddypress' ) . 
'</label><input type="checkbox" name="aid[]" value="%1$d" id="aid-%1$d" />', $item['id']);590 printf( '<label class="screen-reader-text" for="aid-%1$d">' . esc_html__( 'Select activity item %1$d', 'buddypress' ) . '</label><input type="checkbox" name="aid[]" value="%1$d" id="aid-%1$d" />', intval( $item['id'] ) ); 576 591 } 577 592 … … 586 601 */ 587 602 function column_author( $item ) { 588 echo '<strong>' . get_avatar( $item['user_id'], '32' ) . ' ' . bp_core_get_userlink( $item['user_id'] ) . '</strong>'; 603 $avatar = get_avatar( $item['user_id'], '32' ); 604 605 printf( 606 '<strong>%1$s %2$s</strong>', 607 wp_kses( 608 $avatar, 609 array( 610 'img' => array( 611 'alt' => true, 612 'src' => true, 613 'srcset' => true, 614 'class' => true, 615 'height' => true, 616 'width' => true, 617 ) 618 ) 619 ), 620 // phpcs:ignore WordPress.Security.EscapeOutput 621 bp_core_get_userlink( $item['user_id'] ) 622 ); 589 623 } 590 624 … … 602 636 603 637 if ( isset( $actions[ $item['type'] ] ) ) { 604 echo $actions[ $item['type'] ];638 echo esc_html( $actions[ $item['type'] ] ); 605 639 } else { 606 640 /* translators: %s: the name of the activity type */ 607 printf( __( 'Unregistered action - %s', 'buddypress' ), $item['type']);641 printf( esc_html__( 'Unregistered action - %s', 'buddypress' ), esc_html( $item['type'] ) ); 608 642 } 609 643 } … … 622 656 function column_comment( $item ) { 623 657 // Determine what type of item (row) we're dealing with. 624 if ( $item['is_spam'] ) 658 if ( $item['is_spam'] ) { 625 659 $item_status = 'spam'; 626 else660 } else { 627 661 $item_status = 'all'; 662 } 628 663 629 664 // Preorder items: Reply | Edit | Spam | Delete Permanently. 
… … 682 717 printf( 683 718 /* translators: %s: activity date and time */ 684 __( 'Submitted on %s', 'buddypress' ),719 esc_html__( 'Submitted on %s', 'buddypress' ), 685 720 sprintf( 686 721 '<a href="%1$s">%2$s</a>', 687 bp_activity_get_permalink( $item['id']),722 esc_url( bp_activity_get_permalink( $item['id'] ) ), 688 723 sprintf( 689 724 /* translators: 1: activity date, 2: activity time */ 690 __( '%1$s at %2$s', 'buddypress' ),691 date_i18n( bp_get_option( 'date_format' ), strtotime( $item['date_recorded']) ),692 get_date_from_gmt( $item['date_recorded'], bp_get_option( 'time_format') )725 esc_html__( '%1$s at %2$s', 'buddypress' ), 726 esc_html( date_i18n( bp_get_option( 'date_format' ), strtotime( $item['date_recorded'] ) ) ), 727 esc_html( get_date_from_gmt( $item['date_recorded'], bp_get_option( 'time_format' ) ) ) 693 728 ) 694 729 ) … … 714 749 } 715 750 716 /** 717 * Filter here to add extra output to the activity content into the Administration. 718 * 719 * @since 2.4.0 720 * 721 * @param string $content The activity content. 722 * @param array $item The activity object converted into an array. 723 */ 724 echo apply_filters( 'bp_activity_admin_comment_content', $content, $item ) . ' ' . $this->row_actions( $actions ); 751 // phpcs:disable WordPress.Security.EscapeOutput 752 echo apply_filters( 753 /** 754 * Filter here to add extra output to the activity content into the Administration. 755 * 756 * @since 2.4.0 757 * 758 * @param string $content The activity content. 759 * @param array $item The activity object converted into an array. 760 */ 761 'bp_activity_admin_comment_content', 762 $content, 763 $item 764 ); 765 766 echo ' ' . $this->row_actions( $actions ); 767 // phpcs:enable 725 768 } 726 769 … … 745 788 $activity_permalink = ''; 746 789 if ( ! $item['is_spam'] ) { 747 $activity_permalink = '<a href="' . bp_activity_get_permalink( $item['id'], (object) $item ) . '" class="comments-view-item-link">' .__( 'View Activity', 'buddypress' ) . 
'</a>';790 $activity_permalink = '<a href="' . esc_url( bp_activity_get_permalink( $item['id'], (object) $item ) ) . '" class="comments-view-item-link">' . esc_html__( 'View Activity', 'buddypress' ) . '</a>'; 748 791 } 749 792 … … 757 800 */ 758 801 if ( empty( $item['item_id'] ) || ! in_array( $item['type'], apply_filters( 'bp_activity_admin_root_activity_types', array( 'activity_comment' ), $item ) ) ) { 802 // phpcs:ignore WordPress.Security.EscapeOutput 759 803 echo $activity_permalink; 760 804 761 $comment_count = ! empty( $item['children'] ) ? bp_activity_recurse_comment_count( (object) $item ) : 0;805 $comment_count = ! empty( $item['children'] ) ? bp_activity_recurse_comment_count( (object) $item ) : 0; 762 806 $root_activity_url = bp_get_admin_url( 'admin.php?page=bp-activity&aid=' . $item['id'] ); 763 807 764 808 // If the activity has comments, display a link to the activity's permalink, with its comment count in a speech bubble. 765 809 if ( $comment_count ) { 766 printf( '<a href="%1$s" class="post-com-count post-com-count-approved"><span class="comment-count comment-count-approved">%2$s</span></a>', esc_url( $root_activity_url ), number_format_i18n( $comment_count) );810 printf( '<a href="%1$s" class="post-com-count post-com-count-approved"><span class="comment-count comment-count-approved">%2$s</span></a>', esc_url( $root_activity_url ), esc_html( number_format_i18n( $comment_count ) ) ); 767 811 } 768 812 769 813 // For non-root activities, display a link to the replied-to activity's author's profile. 770 814 } else { 771 echo '<strong>' . get_avatar( $this->get_activity_user_id( $item['item_id'] ), '32' ) . ' ' . bp_core_get_userlink( $this->get_activity_user_id( $item['item_id'] ) ) . 
'</strong><br />'; 815 $avatar = get_avatar( $this->get_activity_user_id( $item['item_id'] ), '32' ); 816 printf( 817 '<strong>%1$s %2$s</strong><br />', 818 wp_kses( 819 $avatar, 820 array( 821 'img' => array( 822 'alt' => true, 823 'src' => true, 824 'srcset' => true, 825 'class' => true, 826 'height' => true, 827 'width' => true, 828 ) 829 ) 830 ), 831 // phpcs:ignore WordPress.Security.EscapeOutput 832 bp_core_get_userlink( $this->get_activity_user_id( $item['item_id'] ) ) 833 ); 834 835 // phpcs:ignore WordPress.Security.EscapeOutput 772 836 echo $activity_permalink; 773 837 } 774 838 ?> 775 776 839 </div> 777 778 840 <?php 779 841 } … … 829 891 * activities as orphans, use the logged in user's ID to avoid errors. 830 892 */ 831 if ( empty( $activity['activities'] ) ) 893 if ( empty( $activity['activities'] ) ) { 832 894 return bp_loggedin_user_id(); 895 } 833 896 834 897 // Store the new activity/user ID mapping for any later re-use. … … 854 917 * @return bool $can_comment 855 918 */ 856 protected function can_comment( $item 919 protected function can_comment( $item ) { 857 920 $can_comment = bp_activity_type_supports( $item['type'], 'comment-reply' ); 858 921 -
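Review bot: The `img` allow-list handed to `wp_kses()` around `get_avatar()` is duplicated verbatim in column_author() and column_response(), and both copies omit `loading` and `decoding`, which recent WordPress core adds to avatar markup by default (to be confirmed against the core versions BuddyPress supports), so lazy-loading attributes would be silently stripped from admin avatars while the `bp_activity_action()` allow-list earlier in this changeset does keep `loading`. A single private method returning the allowed attributes, used by both columns, keeps the two lists from drifting. Separately, `in_array( $item['type'], apply_filters( 'bp_activity_admin_root_activity_types', ... ) )` in column_response() is still non-strict while the commit tightens `==` to `===` elsewhere; passing `true` as the third argument would match that. column_response() continues outside this hunk.
```php
/**
 * Attributes allowed on the avatar markup returned by get_avatar().
 *
 * @return array<string, array<string, bool>>
 */
private function get_avatar_allowed_html() {
    return array(
        'img' => array(
            'alt'      => true,
            'src'      => true,
            'srcset'   => true,
            'class'    => true,
            'height'   => true,
            'width'    => true,
            'loading'  => true,
            'decoding' => true,
        ),
    );
}

// … in column_author() and column_response(): wp_kses( $avatar, $this->get_avatar_allowed_html() ) …
```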
trunk/src/bp-activity/classes/class-bp-activity-oembed-extension.php
r13517 r13816 157 157 * 158 158 * @since 2.6.0 159 * 159 * 160 160 * @global BP_Activity_Template $activities_template The Activity template loop. 161 161 * … … 321 321 <?php 322 322 printf( 323 _n( 324 /* translators: accessibility text */ 325 '%s <span class="screen-reader-text">Comment</span>', 326 /* translators: accessibility text */ 327 '%s <span class="screen-reader-text">Comments</span>', 328 $count, 329 'buddypress' 323 wp_kses( 324 _n( 325 /* translators: accessibility text */ 326 '%s <span class="screen-reader-text">Comment</span>', 327 /* translators: accessibility text */ 328 '%s <span class="screen-reader-text">Comments</span>', 329 intval( $count ), 330 'buddypress' 331 ), 332 array( 333 'span' => array( 334 'class' => true, 335 ), 336 ) 330 337 ), 331 number_format_i18n( $count)338 esc_html( number_format_i18n( $count ) ) 332 339 ); 333 340 ?> -
trunk/src/bp-activity/classes/class-bp-activity-template.php
r13404 r13816 174 174 // Backward compatibility with old method of passing arguments. 175 175 if ( !is_array( $args ) || count( $function_args ) > 1 ) { 176 _deprecated_argument( __METHOD__, '1.6', sprintf( __( 'Arguments passed to %1$s should be in an associative array. See the inline documentation at %2$s for more details.', 'buddypress' ), __METHOD__, __FILE__ ) );176 _deprecated_argument( __METHOD__, '1.6', sprintf( esc_html__( 'Arguments passed to %1$s should be in an associative array. See the inline documentation at %2$s for more details.', 'buddypress' ), __METHOD__, __FILE__ ) ); 177 177 178 178 $old_args_keys = array( -
trunk/src/bp-activity/classes/class-bp-akismet.php
r13466 r13816 108 108 $b[ $k ] = $item; 109 109 if ( $k == 'edit' ) 110 $b['history'] = '<a href="' . esc_url( bp_get_admin_url( 'admin.php?page=bp-activity&action=edit&aid=' . $activity['id'] ) ) . '#bp_activity_history"> '. __( 'History', 'buddypress' ) . '</a>';110 $b['history'] = '<a href="' . esc_url( bp_get_admin_url( 'admin.php?page=bp-activity&action=edit&aid=' . $activity['id'] ) ) . '#bp_activity_history"> '. esc_html__( 'History', 'buddypress' ) . '</a>'; 111 111 } 112 112 … … 114 114 } 115 115 116 if ( $desc ) 117 echo '<span class="akismet-status"><a href="' . esc_url( bp_get_admin_url( 'admin.php?page=bp-activity&action=edit&aid=' . $activity['id'] ) ) . '#bp_activity_history">' . htmlspecialchars( $desc ) . '</a></span>'; 116 if ( $desc ) { 117 echo '<span class="akismet-status"><a href="' . esc_url( bp_get_admin_url( 'admin.php?page=bp-activity&action=edit&aid=' . $activity['id'] ) ) . '#bp_activity_history">' . esc_html( $desc ) . '</a></span>'; 118 } 118 119 119 120 /** -
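Review bot: `if ( $k == 'edit' )` in this hunk keeps a loose comparison and a brace-less body, while the commit adds braces to the `if ( $desc )` check a few lines below and converts `==` to `===` in the template file, so the hunk is inconsistent with itself; `if ( 'edit' === $k ) {` with a closing `}` after the `$b['history']` assignment would align it. The enclosing method starts before the hunk.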
trunk/src/bp-templates/bp-nouveau/buddypress/activity/widget.php
r12982 r13816 28 28 29 29 <cite> 30 <a href="<?php bp_activity_user_link(); ?>" class="bp-tooltip" data-bp-tooltip="<?php echo esc_attr( bp_ activity_member_display_name() ); ?>">30 <a href="<?php bp_activity_user_link(); ?>" class="bp-tooltip" data-bp-tooltip="<?php echo esc_attr( bp_get_activity_member_display_name() ); ?>"> 31 31 <?php 32 32 bp_activity_avatar(