Changeset 13820
- Timestamp:
- 04/28/2024 10:08:00 PM (8 months ago)
- Location:
- trunk/src
- Files:
-
- 32 edited
trunk/src/bp-activity/bp-activity-template.php
r13816 r13820 1300 1300 1301 1301 /** 1302 * Returns the Allowed HTML tags for the activity action. 1303 * 1304 * @since 12.4.1 1305 * 1306 * @return array The Allowed HTML tags for the activity action. 1307 */ 1308 function bp_activity_action_allowed_html() { 1309 return array( 1310 'p' => true, 1311 'a' => array( 1312 'href' => true, 1313 'class' => true, 1314 'data-bp-tooltip' => true, 1315 ), 1316 'span' => array( 1317 'class' => true, 1318 'data-livestamp' => true, 1319 ), 1320 'img' => array( 1321 'src' => true, 1322 'loading' => true, 1323 'class' => true, 1324 'alt' => true, 1325 'height' => true, 1326 'width' => true, 1327 ), 1328 ); 1329 } 1330 1331 /** 1332 * Output Activity metadata. 1333 * 1334 * @since 12.4.1 1335 */ 1336 function bp_output_activity_meta( $content = '' ) { 1337 echo wp_kses( bp_insert_activity_meta( $content ), bp_activity_action_allowed_html() ); 1338 } 1339 1340 /** 1302 1341 * Output the activity action. 1303 1342 * … … 1307 1346 */ 1308 1347 function bp_activity_action( $args = array() ) { 1309 echo wp_kses( 1310 bp_get_activity_action( $args ), 1311 array( 1312 'p' => true, 1313 'a' => array( 1314 'href' => true, 1315 'class' => true, 1316 'data-bp-tooltip' => true, 1317 ), 1318 'span' => array( 1319 'class' => true, 1320 ), 1321 'img' => array( 1322 'src' => true, 1323 'loading' => true, 1324 'class' => true, 1325 'alt' => true, 1326 'height' => true, 1327 'width' => true, 1328 ), 1329 ) 1330 ); 1348 echo wp_kses( bp_get_activity_action( $args ), bp_activity_action_allowed_html() ); 1331 1349 } 1332 1350 -
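Review bot: The docblock of the new `bp_output_activity_meta( $content = '' )` has no `@param` for `$content`, while the neighbouring functions in this file document every argument; add `@param string $content Optional. Content handed on to `bp_insert_activity_meta()`. Default ''.` under the `@since` line. Since `bp_activity_action_allowed_html()` now serves as the single allow-list for both `bp_activity_action()` and `bp_output_activity_meta()`, its docblock should also say that any element or attribute not listed there is stripped by `wp_kses()`, so whoever later extends the action markup knows where to register it. Whether that list should become filterable is a design choice the commit does not have to settle, but the docblock line makes the constraint explicit.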
trunk/src/bp-templates/bp-nouveau/buddypress/activity/widget.php
r13816 r13820 41 41 </cite> 42 42 43 <?php echo bp_insert_activity_meta(); ?>43 <?php bp_output_activity_meta(); ?> 44 44 45 45 </footer> -
trunk/src/bp-templates/bp-nouveau/buddypress/assets/emails/single-bp-email.php
r13692 r13820 166 166 do_action( 'bp_before_email_header' ); 167 167 168 echo bp_get_option( 'blogname');168 echo esc_html( bp_get_option( 'blogname' ) ); 169 169 170 170 /** … … 216 216 ?> 217 217 218 <span class="footer_text"><?php echo nl2br( stripslashes( $settings['footer_text']) ); ?></span>218 <span class="footer_text"><?php echo nl2br( esc_html( stripslashes( $settings['footer_text'] ) ) ); ?></span> 219 219 <br><br> 220 220 <a href="{{{unsubscribe}}}" style="text-decoration: underline;"><?php echo esc_html_x( 'unsubscribe', 'email', 'buddypress' ); ?></a> -
trunk/src/bp-templates/bp-nouveau/buddypress/assets/embeds/header-activity.php
r12082 r13820 29 29 <?php endif; ?> 30 30 31 <span class="bp-embed-timestamp"><a href="<?php bp_activity_thread_permalink(); ?>"><?php echo date_i18n( get_option( 'time_format' ) . ' - ' . get_option( 'date_format' ), strtotime( bp_get_activity_date_recorded() ) ); ?></a></span>31 <span class="bp-embed-timestamp"><a href="<?php bp_activity_thread_permalink(); ?>"><?php echo esc_html( date_i18n( get_option( 'time_format' ) . ' - ' . get_option( 'date_format' ), strtotime( bp_get_activity_date_recorded() ) ) ); ?></a></span> 32 32 </p> 33 33 </div> -
trunk/src/bp-templates/bp-nouveau/buddypress/blogs/confirm.php
r13530 r13820 19 19 sprintf( 20 20 /* translators: %s: the link of the new site */ 21 __( '%s is your new site.', 'buddypress' ),21 esc_html__( '%s is your new site.', 'buddypress' ), 22 22 sprintf( '<a href="%s">%s</a>', esc_url( $args['blog_url'] ), esc_url( $args['blog_url'] ) ) 23 23 ), 24 24 sprintf( 25 /* translators: 1: Login URL, 2: User name */26 __( '<a href="%1$s">Log in</a>as "%2$s" using your existing password.', 'buddypress' ),27 esc_url( $args['login_url'] ),25 /* translators: 1: Login link, 2: User name */ 26 esc_html__( '%1$s as "%2$s" using your existing password.', 'buddypress' ), 27 '<a href="' . esc_url( $args['login_url'] ) . '">' . esc_html__( 'Log in', 'buddypress' ) . '</a>', 28 28 esc_html( $args['user_name'] ) 29 29 ) -
trunk/src/bp-templates/bp-nouveau/buddypress/common/js-templates/messages/index.php
r13510 r13820 38 38 <input type="text" name="send_to" class="send-to-input" id="send-to-input" /> 39 39 40 <label for="subject"><?php _e( 'Subject', 'buddypress' ); ?></label>40 <label for="subject"><?php esc_html_e( 'Subject', 'buddypress' ); ?></label> 41 41 <input type="text" name="subject" id="subject"/> 42 42 … … 345 345 <?php bp_nouveau_messages_hook( 'before', 'reply_box' ); ?> 346 346 347 <label for="message_content" class="bp-screen-reader-text"><?php _e( 'Reply to Message', 'buddypress' ); ?></label>347 <label for="message_content" class="bp-screen-reader-text"><?php esc_html_e( 'Reply to Message', 'buddypress' ); ?></label> 348 348 <div id="bp-message-content"></div> 349 349 -
trunk/src/bp-templates/bp-nouveau/buddypress/common/js-templates/messages/search-form.php
r12184 r13820 9 9 <form action="" method="get" id="user_messages_search_form" class="bp-messages-search-form" data-bp-search="messages"> 10 10 <label for="user_messages_search" class="bp-screen-reader-text"> 11 <?php _e( 'Search Messages', 'buddypress' ); ?>11 <?php esc_html_e( 'Search Messages', 'buddypress' ); ?> 12 12 </label> 13 13 <input type="search" id="user_messages_search" placeholder="<?php echo esc_attr_x( 'Search', 'search placeholder text', 'buddypress' ); ?>"/> -
trunk/src/bp-templates/bp-nouveau/buddypress/groups/groups-loop.php
r13646 r13820 49 49 sprintf( 50 50 '<span data-livestamp="%1$s">%2$s</span>', 51 bp_core_get_iso8601_date( bp_get_group_last_active( 0, array( 'relative' => false) ) ),51 esc_attr( bp_core_get_iso8601_date( bp_get_group_last_active( 0, array( 'relative' => false ) ) ) ), 52 52 esc_html( bp_get_group_last_active() ) 53 53 ) -
trunk/src/bp-templates/bp-nouveau/buddypress/groups/single/admin/group-settings.php
r13156 r13820 71 71 <?php foreach ( $group_types as $type ) : ?> 72 72 <div class="checkbox"> 73 <label for="<?php printf( 'group-type-%s', $type->name); ?>">74 <input type="checkbox" name="group-types[]" id="<?php printf( 'group-type-%s', $type->name); ?>" value="<?php echo esc_attr( $type->name ); ?>" <?php bp_nouveau_group_type_checked( $type ); ?>/> <?php echo esc_html( $type->labels['name'] ); ?>73 <label for="<?php printf( 'group-type-%s', esc_attr( $type->name ) ); ?>"> 74 <input type="checkbox" name="group-types[]" id="<?php printf( 'group-type-%s', esc_attr( $type->name ) ); ?>" value="<?php echo esc_attr( $type->name ); ?>" <?php bp_nouveau_group_type_checked( $type ); ?>/> <?php echo esc_html( $type->labels['name'] ); ?> 75 75 <?php 76 76 if ( ! empty( $type->description ) ) { -
trunk/src/bp-templates/bp-nouveau/buddypress/groups/single/admin/manage-members.php
r13193 r13820 31 31 <li class="member-entry clearfix"> 32 32 33 <?php echo bp_core_fetch_avatar( array( 'item_id' => bp_get_member_user_id(), 'type' => 'thumb', 'width' => 30, 'height' => 30, 'alt' => '' ) ); ?> 33 <?php 34 // phpcs:ignore WordPress.Security.EscapeOutput 35 echo bp_core_fetch_avatar( array( 'item_id' => bp_get_member_user_id(), 'type' => 'thumb', 'width' => 30, 'height' => 30, 'alt' => '' ) ); 36 ?> 34 37 <p class="list-title member-name"> 35 38 <a href="<?php bp_member_permalink(); ?>"> <?php bp_member_name(); ?></a> … … 62 65 <li class="members-entry clearfix"> 63 66 64 <?php echo bp_core_fetch_avatar( array( 'item_id' => bp_get_member_user_id(), 'type' => 'thumb', 'width' => 30, 'height' => 30, 'alt' => '' ) ); ?> 67 <?php 68 // phpcs:ignore WordPress.Security.EscapeOutput 69 echo bp_core_fetch_avatar( array( 'item_id' => bp_get_member_user_id(), 'type' => 'thumb', 'width' => 30, 'height' => 30, 'alt' => '' ) ); 70 ?> 65 71 <p class="list-title member-name"> 66 72 <a href="<?php bp_member_permalink(); ?>"> <?php bp_member_name(); ?></a> -
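Review bot: The two `// phpcs:ignore WordPress.Security.EscapeOutput` lines added at 34 and 68 give no reason for the exemption, whereas the rest of this changeset pairs each ignore with an "Escaping is made in …" note; as written, a reader cannot tell whether `bp_core_fetch_avatar()` escapes its own output or the sniff was only silenced. If the avatar helper escapes the attributes it emits, say so: `// Escaped in `bp_core_fetch_avatar()`.`; if it does not, the output belongs in `wp_kses()` with an `img` allow-list rather than behind an ignore. Both markers sit inside list items whose enclosing loops start outside this section.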
trunk/src/bp-templates/bp-nouveau/buddypress/groups/single/cover-image-header.php
r13437 r13820 26 26 27 27 <?php if ( bp_nouveau_group_has_meta( 'status' ) ) : ?> 28 <p class="highlight group-status"><strong><?php echo esc_html( bp_nouveau_the_group_meta( array( 'keys' => 'status' )) ); ?></strong></p>28 <p class="highlight group-status"><strong><?php bp_nouveau_the_group_meta( array( 'keys' => 'status' ) ); ?></strong></p> 29 29 <?php endif; ?> 30 30 … … 36 36 sprintf( 37 37 '<span data-livestamp="%1$s">%2$s</span>', 38 bp_core_get_iso8601_date( bp_get_group_last_active( 0, array( 'relative' => false) ) ),38 esc_attr( bp_core_get_iso8601_date( bp_get_group_last_active( 0, array( 'relative' => false ) ) ) ), 39 39 esc_html( bp_get_group_last_active() ) 40 40 ) … … 61 61 <div class="item-meta"> 62 62 63 <?php echobp_nouveau_the_group_meta( array( 'keys' => 'extra' ) ); ?>63 <?php bp_nouveau_the_group_meta( array( 'keys' => 'extra' ) ); ?> 64 64 65 65 </div><!-- .item-meta --> -
trunk/src/bp-templates/bp-nouveau/buddypress/groups/single/default-front.php
r13095 r13820 15 15 16 16 <p> 17 <?php 18 printf( 19 /* translators: 1: link to the customizer option. 2: link to the customizer widgets section. */ 20 esc_html__( 'You can set your preferences for the %1$s or add %2$s to it.', 'buddypress' ), 21 bp_nouveau_groups_get_customizer_option_link(), 22 bp_nouveau_groups_get_customizer_widgets_link() 23 ); 24 ?> 17 <?php 18 printf( 19 /* translators: 1: link to the customizer option. 2: link to the customizer widgets section. */ 20 esc_html__( 'You can set your preferences for the %1$s or add %2$s to it.', 'buddypress' ), 21 // phpcs:disable WordPress.Security.EscapeOutput 22 bp_nouveau_groups_get_customizer_option_link(), // Escaped in `bp_nouveau_get_customizer_link()`. 23 bp_nouveau_groups_get_customizer_widgets_link() // Escaped in `bp_nouveau_get_customizer_link()`. 24 // phpcs:enable 25 ); 26 ?> 25 27 </p> 26 28 -
trunk/src/bp-templates/bp-nouveau/buddypress/groups/single/group-header.php
r13437 r13820 33 33 sprintf( 34 34 '<span data-livestamp="%1$s">%2$s</span>', 35 bp_core_get_iso8601_date( bp_get_group_last_active( 0, array( 'relative' => false) ) ),35 esc_attr( bp_core_get_iso8601_date( bp_get_group_last_active( 0, array( 'relative' => false ) ) ) ), 36 36 esc_html( bp_get_group_last_active() ) 37 37 ) … … 58 58 <div class="item-meta"> 59 59 60 <?php echobp_nouveau_the_group_meta( array( 'keys' => 'extra' ) ); ?>60 <?php bp_nouveau_the_group_meta( array( 'keys' => 'extra' ) ); ?> 61 61 62 62 </div><!-- .item-meta --> -
trunk/src/bp-templates/bp-nouveau/buddypress/members/single/default-front.php
r12595 r13820 19 19 /* translators: 1: link to the customizer option. 2: link to the customizer widgets section. */ 20 20 esc_html__( 'You can set the preferences of the %1$s or add %2$s to it.', 'buddypress' ), 21 bp_nouveau_members_get_customizer_option_link(), 22 bp_nouveau_members_get_customizer_widgets_link() 21 // phpcs:disable WordPress.Security.EscapeOutput 22 bp_nouveau_members_get_customizer_option_link(), // Escaped in `bp_nouveau_get_customizer_link()`. 23 bp_nouveau_members_get_customizer_widgets_link() // Escaped in `bp_nouveau_get_customizer_link()`. 24 // phpcs:enable 23 25 ); 24 26 ?> -
trunk/src/bp-templates/bp-nouveau/buddypress/members/single/groups/invites.php
r13437 r13820 36 36 <span class="small"> 37 37 <?php 38 printf( 39 /* translators: %s is the number of Group members */ 40 _n( 41 '%s member', 42 '%s members', 43 bp_get_group_total_members( false ), 44 'buddypress' 45 ), 46 number_format_i18n( bp_get_group_total_members( false ) ) 38 echo esc_html( 39 sprintf( 40 /* translators: %s is the number of Group members */ 41 _n( 42 '%s member', 43 '%s members', 44 bp_get_group_total_members( false ), 45 'buddypress' 46 ), 47 number_format_i18n( bp_get_group_total_members( false ) ) 48 ) 47 49 ); 48 50 ?> -
trunk/src/bp-templates/bp-nouveau/buddypress/members/single/parts/profile-visibility.php
r12156 r13820 19 19 printf( 20 20 /* translators: field visibility level, e.g. "...seen by: everyone". */ 21 __( 'This field may be seen by: %s', 'buddypress' ),22 '<span class="current-visibility-level">' . bp_get_the_profile_field_visibility_level_label() . '</span>'21 esc_html__( 'This field may be seen by: %s', 'buddypress' ), 22 '<span class="current-visibility-level">' . esc_html( bp_get_the_profile_field_visibility_level_label() ) . '</span>' 23 23 ); 24 24 ?> … … 43 43 printf( 44 44 esc_html__( 'This field may be seen by: %s', 'buddypress' ), 45 '<span class="current-visibility-level">' . bp_get_the_profile_field_visibility_level_label() . '</span>'45 '<span class="current-visibility-level">' . esc_html( bp_get_the_profile_field_visibility_level_label() ) . '</span>' 46 46 ); 47 47 ?> -
trunk/src/bp-templates/bp-nouveau/buddypress/members/single/profile.php
r13652 r13820 20 20 <?php bp_nouveau_member_hook( 'before', 'profile_content' ); ?> 21 21 22 <div class="profile <?php echo bp_current_action(); ?>">22 <div class="profile <?php echo esc_attr( bp_current_action() ); ?>"> 23 23 24 24 <?php -
trunk/src/bp-templates/bp-nouveau/buddypress/members/single/profile/edit.php
r12156 r13820 32 32 printf( 33 33 /* translators: %s = profile field group name */ 34 __( 'Editing "%s" Profile Group', 'buddypress' ),35 bp_get_the_profile_group_name()36 ) 34 esc_html__( 'Editing "%s" Profile Group', 'buddypress' ), 35 esc_html( bp_get_the_profile_group_name() ) 36 ); 37 37 ?> 38 38 </h3> -
trunk/src/bp-templates/bp-nouveau/buddypress/members/single/profile/profile-wp.php
r12156 r13820 18 18 printf( 19 19 /* Translators: a member's profile, e.g. "Paul's profile". */ 20 __( "%s's Profile", 'buddypress' ), 21 bp_get_displayed_user_fullname() 20 esc_html__( "%s's Profile", 'buddypress' ), 21 // phpcs:ignore WordPress.Security.EscapeOutput 22 bp_get_displayed_user_fullname() // Escaped in `bp-members/bp-members-filters.php`. 22 23 ); 23 24 } -
trunk/src/bp-templates/bp-nouveau/buddypress/members/single/settings/data.php
r13472 r13820 22 22 23 23 <p><?php esc_html_e( 'Your request for an export of personal data has been completed.', 'buddypress' ); ?></p> 24 <p><?php printf( esc_html__( 'You may download your personal data by clicking on the link below. For privacy and security, we will automatically delete the file on %s, so please download it before then.', 'buddypress' ), bp_settings_get_personal_data_expiration_date( $request) ); ?></p>24 <p><?php printf( esc_html__( 'You may download your personal data by clicking on the link below. For privacy and security, we will automatically delete the file on %s, so please download it before then.', 'buddypress' ), esc_html( bp_settings_get_personal_data_expiration_date( $request ) ) ); ?></p> 25 25 26 <p><strong><?php printf( '<a href="%1$s">%2$s</a>', bp_settings_get_personal_data_export_url( $request), esc_html__( 'Download personal data', 'buddypress' ) ); ?></strong></p>26 <p><strong><?php printf( '<a href="%1$s">%2$s</a>', esc_url( bp_settings_get_personal_data_export_url( $request ) ), esc_html__( 'Download personal data', 'buddypress' ) ); ?></strong></p> 27 27 28 28 <?php else : ?> … … 32 32 33 33 <form id="bp-data-export" method="post"> 34 <input type="hidden" name="bp-data-export-delete-request-nonce" value="<?php echo wp_create_nonce( 'bp-data-export-delete-request'); ?>" />35 <button type="submit" name="bp-data-export-nonce" value="<?php echo wp_create_nonce( 'bp-data-export'); ?>"><?php esc_html_e( 'Request new data export', 'buddypress' ); ?></button>34 <input type="hidden" name="bp-data-export-delete-request-nonce" value="<?php echo esc_attr( wp_create_nonce( 'bp-data-export-delete-request' ) ); ?>" /> 35 <button type="submit" name="bp-data-export-nonce" value="<?php echo esc_attr( wp_create_nonce( 'bp-data-export' ) ); ?>"><?php esc_html_e( 'Request new data export', 'buddypress' ); ?></button> 36 36 </form> 37 37 … … 40 40 <?php elseif ( 'request-confirmed' === $request->status ) : ?> 41 41 42 <p><?php printf( 
esc_html__( 'You previously requested an export of your personal data on %s.', 'buddypress' ), bp_settings_get_personal_data_confirmation_date( $request) ); ?></p>42 <p><?php printf( esc_html__( 'You previously requested an export of your personal data on %s.', 'buddypress' ), esc_html( bp_settings_get_personal_data_confirmation_date( $request ) ) ); ?></p> 43 43 <p><?php esc_html_e( 'You will receive a link to download your export via email once we are able to fulfill your request.', 'buddypress' ); ?></p> 44 44 … … 54 54 55 55 <form id="bp-data-export" method="post"> 56 <button type="submit" name="bp-data-export-nonce" value="<?php echo wp_create_nonce( 'bp-data-export'); ?>"><?php esc_html_e( 'Request personal data export', 'buddypress' ); ?></button>56 <button type="submit" name="bp-data-export-nonce" value="<?php echo esc_attr( wp_create_nonce( 'bp-data-export' ) ); ?>"><?php esc_html_e( 'Request personal data export', 'buddypress' ); ?></button> 57 57 </form> 58 58 -
trunk/src/bp-templates/bp-nouveau/buddypress/members/single/settings/group-invites.php
r13443 r13820 9 9 10 10 <h2 class="screen-heading group-invites-screen"> 11 <?php _e( 'Group Invites', 'buddypress' ); ?>11 <?php esc_html_e( 'Group Invites', 'buddypress' ); ?> 12 12 </h2> 13 13 -
trunk/src/bp-templates/bp-nouveau/buddypress/members/single/settings/notifications.php
r13443 r13820 10 10 11 11 <h2 class="screen-heading email-settings-screen"> 12 <?php _e( 'Email Notifications', 'buddypress' ); ?>12 <?php esc_html_e( 'Email Notifications', 'buddypress' ); ?> 13 13 </h2> 14 14 15 15 <p class="bp-help-text email-notifications-info"> 16 <?php _e( 'Set your email notification preferences.', 'buddypress' ); ?>16 <?php esc_html_e( 'Set your email notification preferences.', 'buddypress' ); ?> 17 17 </p> 18 18 -
trunk/src/bp-templates/bp-nouveau/includes/activity/template-tags.php
r13631 r13820 650 650 } 651 651 652 /** 653 * Filters the opening tag for the template that lists activity comments. 654 * 655 * @since 1.6.0 656 * 657 * @param string $value Opening tag for the HTML markup to use. 658 */ 659 echo apply_filters( 'bp_activity_recurse_comments_start_ul', '<ul>' ); 652 // phpcs:ignore WordPress.Security.EscapeOutput 653 echo apply_filters( 654 /** This filter is documented in bp-activity/bp-activity-template.php. */ 655 'bp_activity_recurse_comments_start_ul', 656 '<ul>' 657 ); 660 658 661 659 foreach ( (array) $comment->children as $comment_child ) { … … 683 681 } 684 682 685 /** 686 * Filters the closing tag for the template that list activity comments. 687 * 688 * @since 1.6.0 689 * 690 * @param string $value Closing tag for the HTML markup to use. 691 */ 692 echo apply_filters( 'bp_activity_recurse_comments_end_ul', '</ul>' ); 683 // phpcs:ignore WordPress.Security.EscapeOutput 684 echo apply_filters( 685 /** This filter is documented in bp-activity/bp-activity-template.php. */ 686 'bp_activity_recurse_comments_end_ul', 687 '</ul>' 688 ); 693 689 } 694 690 … … 699 695 */ 700 696 function bp_nouveau_activity_comment_action() { 701 echo bp_nouveau_get_activity_comment_action(); 697 echo wp_kses( 698 bp_nouveau_get_activity_comment_action(), 699 array( 700 'a' => array( 701 'href' => true, 702 'class' => true, 703 ), 704 'time' => array( 705 'datetime' => true, 706 'class' => true, 707 'data-bp-timestamp' => true, 708 ), 709 ) 710 ); 702 711 } 703 712 -
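Review bot: `bp_nouveau_activity_comment_action()` now passes its markup through `wp_kses()` with a fixed `a`/`time` allow-list, but the function docblock (which starts above the hunk) is not updated, so any other element a filter contributes to the comment action is dropped without a trace; add a docblock line such as `Output is filtered through wp_kses(); only <a href class> and <time datetime class data-bp-timestamp> survive.` The inline allow-list repeats the pattern this changeset factored into `bp_activity_action_allowed_html()` in bp-activity-template.php, and a similarly named helper here would keep the two lists in one recognisable place. The `/** This filter is documented … */` comments at 654 and 685 are placed between `apply_filters(` and its hook name, which is unusual; putting each above the `echo` and moving the `phpcs:ignore` to a trailing comment on the `echo` line should keep both the sniff exemption and the WordPress documentation convention, if the sniff accepts the trailing form.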
trunk/src/bp-templates/bp-nouveau/includes/activity/widgets.php
r13481 r13820 11 11 defined( 'ABSPATH' ) || exit; 12 12 13 _deprecated_file( basename( __FILE__ ), '12.0.0', '', __( 'BuddyPress does not include Legacy Widgets anymore, you can restore it using the BP Classic plugin', 'buddypress' ) );13 _deprecated_file( basename( __FILE__ ), '12.0.0', '', esc_html__( 'BuddyPress does not include Legacy Widgets anymore, you can restore it using the BP Classic plugin', 'buddypress' ) ); -
trunk/src/bp-templates/bp-nouveau/includes/classes/class-bp-nouveau-object-nav-widget.php
r13481 r13820 11 11 defined( 'ABSPATH' ) || exit; 12 12 13 _deprecated_file( basename( __FILE__ ), '12.0.0', '', __( 'BuddyPress does not include Legacy Widgets anymore, you can restore it using the BP Classic plugin', 'buddypress' ) );13 _deprecated_file( basename( __FILE__ ), '12.0.0', '', esc_html__( 'BuddyPress does not include Legacy Widgets anymore, you can restore it using the BP Classic plugin', 'buddypress' ) ); -
trunk/src/bp-templates/bp-nouveau/includes/functions.php
r13729 r13820 305 305 } 306 306 307 // Print the wrapper and its content.307 // phpcs:ignore WordPress.Security.EscapeOutput 308 308 printf( '<%1$s%2$s%3$s>%4$s</%1$s>', $container, $container_id, $container_classes, $output ); 309 309 } -
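Review bot: The descriptive comment `// Print the wrapper and its content.` at 307 was replaced rather than kept, and the new `phpcs:ignore` does not say why `$container`, `$container_id`, `$container_classes` and `$output` are safe to print unescaped; those values are built above this hunk, outside the section, so the reader of line 308 has nothing to go on. Keep the original comment and add a justification in the style the rest of the changeset uses, for example `// Escaping is made where $container*, and $output are built above — confirm.`, or wrap the attribute parts in `esc_attr()` here if they can carry caller-supplied values.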
trunk/src/bp-templates/bp-nouveau/includes/groups/classes.php
r13469 r13820 431 431 public function __get( $key = '' ) { 432 432 /* translators: %s is the name of the function to use instead of the deprecated one */ 433 _doing_it_wrong( 'bp_nouveau_group_meta', sprintf( __( 'Please use %s instead', 'buddypress' ), 'bp_nouveau_the_group_meta( array( \'keys\' => \'' . $key. '\' ) )' ) , '7.0.0' );433 _doing_it_wrong( 'bp_nouveau_group_meta', sprintf( esc_html__( 'Please use %s instead', 'buddypress' ), 'bp_nouveau_the_group_meta( array( \'keys\' => \'' . esc_html( $key ) . '\' ) )' ) , '7.0.0' ); 434 434 435 435 // Backwards compatibility. -
trunk/src/bp-templates/bp-nouveau/includes/groups/template-tags.php
r13645 r13820 436 436 printf( 437 437 '<form action="%s" method="post" enctype="multipart/form-data">', 438 bp_get_group_creation_form_action()438 esc_url( bp_get_group_creation_form_action() ) 439 439 ); 440 440 } … … 449 449 ); 450 450 451 // The submit actions451 // phpcs:ignore WordPress.Security.EscapeOutput 452 452 echo $output; 453 453 … … 1089 1089 1090 1090 if ( ! bp_is_group() ) { 1091 // phpcs:ignore WordPress.Security.EscapeOutput 1091 1092 echo $group_meta->meta; 1092 1093 } else { … … 1139 1140 } 1140 1141 1142 // phpcs:ignore WordPress.Security.EscapeOutput 1141 1143 echo $meta; 1142 1144 } … … 1365 1367 * Defaults to the group currently being iterated on in the groups loop. 1366 1368 * @param int $length Optional. Length of returned string, including ellipsis. Default: 100. 1367 *1368 * @return string Excerpt.1369 1369 */ 1370 1370 function bp_nouveau_group_description_excerpt( $group = null, $length = null ) { 1371 echo bp_nouveau_get_group_description_excerpt( $group, $length ); 1371 // Escaping is made in `bp-groups/bp-groups-filters.php`. 1372 // phpcs:ignore WordPress.Security.EscapeOutput 1373 echo apply_filters( 1374 /** This filter is documented in bp-groups/bp-groups-template.php. */ 1375 'bp_get_group_description_excerpt', 1376 bp_nouveau_get_group_description_excerpt( $group, $length ) 1377 ); 1372 1378 } 1373 1379 -
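Review bot: `bp_nouveau_group_description_excerpt()` now fires the core `bp_get_group_description_excerpt` hook itself with a single argument; if the core template tag that owns that hook (bp-groups-template.php, not in this changeset) passes the group object as a second argument, as I believe it does, callbacks declared with two required parameters now receive only one, and if `bp_nouveau_get_group_description_excerpt()` already runs that filter internally the escaping chain runs twice. Confirm the core signature and mirror it, `apply_filters( 'bp_get_group_description_excerpt', bp_nouveau_get_group_description_excerpt( $group, $length ), $group )`, or escape here directly with `wp_kses_post()` instead of re-firing the hook. The bare `// phpcs:ignore WordPress.Security.EscapeOutput` lines added at 1091 and 1142 would also benefit from the "Escaping is made in …" justification the other hunks carry, since where `$group_meta->meta` and `$meta` are escaped is not visible from this file.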
trunk/src/bp-templates/bp-nouveau/includes/members/template-tags.php
r13652 r13820 479 479 */ 480 480 function bp_nouveau_member_meta() { 481 // Escaping is made in `bp_nouveau_get_member_meta()`. 482 // phpcs:ignore WordPress.Security.EscapeOutput 481 483 echo join( "\n", bp_nouveau_get_member_meta() ); 482 484 } … … 515 517 } else { 516 518 $meta = array( 517 'last_activity' => sprintf( '%s', bp_get_member_last_active() ),519 'last_activity' => sprintf( '%s', esc_html( bp_get_member_last_active() ) ), 518 520 ); 519 521 } … … 746 748 */ 747 749 function bp_nouveau_member_description_edit_link() { 750 // Escaping is made in `bp_nouveau_member_get_description_edit_link()`. 751 // phpcs:ignore WordPress.Security.EscapeOutput 748 752 echo bp_nouveau_member_get_description_edit_link(); 749 753 } -
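Review bot: `sprintf( '%s', esc_html( bp_get_member_last_active() ) )` at 519 is a no-op wrapper around an already escaped string; the `sprintf` predates the change, but now that the escaping happens inline the line reads more plainly as `'last_activity' => esc_html( bp_get_member_last_active() ),`. The enclosing function starts and ends outside this hunk.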
trunk/src/bp-templates/bp-nouveau/includes/messages/template-tags.php
r13200 r13820 109 109 */ 110 110 function bp_nouveau_message_search_form() { 111 $search_form_html = bp_buffer_template_part( 'common/js-templates/messages/search-form', null, false );112 113 111 /** 114 112 * Filters the private message component search form. … … 118 116 * @param string $search_form_html HTML markup for the message search form. 119 117 */ 120 echo apply_filters( 'bp_message_search_form', $search_form_html ); 118 $search_form_html = apply_filters( 119 'bp_message_search_form', 120 bp_buffer_template_part( 'common/js-templates/messages/search-form', null, false ) 121 ); 122 123 echo wp_kses( 124 $search_form_html, 125 array( 126 'form' => array( 127 'action' => true, 128 'method' => true, 129 'id' => true, 130 'class' => true, 131 'data-bp-search' => true, 132 ), 133 'label' => array( 134 'for' => true, 135 'class' => true, 136 ), 137 'input' => array( 138 'type' => true, 139 'id' => true, 140 'name' => true, 141 'placeholder' => true, 142 'class' => true, 143 ), 144 'button' => array( 145 'type' => true, 146 'name' => true, 147 'id' => true, 148 'class' => true, 149 ), 150 'span' => array( 151 'class' => true, 152 'aria-hidden' => true, 153 ), 154 ) 155 ); 121 156 } -
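Review bot: The allow-list introduced for `bp_nouveau_message_search_form()` is a near-copy of the `$allowed_html` added to `bp_nouveau_search_form()` in includes/template-tags.php (lines 1922-1957) in this same changeset, differing only in the `div`, `role` and `span` `id` entries, and the two will drift the first time a search template gains an attribute. Following the pattern the changeset itself sets with `bp_activity_action_allowed_html()`, a single `bp_nouveau_search_form_allowed_html()` used by both callers (the superset, or with the extra entries passed in) would keep them in sync. The filter docblock above `$search_form_html = apply_filters(` should also state that markup outside this allow-list is stripped by `wp_kses()`, since that is a new constraint on `bp_message_search_form` callbacks.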
trunk/src/bp-templates/bp-nouveau/includes/notifications/template-tags.php
r12473 r13820 16 16 */ 17 17 function bp_nouveau_notifications_filters() { 18 // Escaping is made in `bp_nouveau_get_notifications_filters()`. 19 // phpcs:ignore WordPress.Security.EscapeOutput 18 20 echo bp_nouveau_get_notifications_filters(); 19 21 } -
trunk/src/bp-templates/bp-nouveau/includes/template-tags.php
r13743 r13820 187 187 */ 188 188 function bp_nouveau_template_message() { 189 // Escaping is made in `bp-core/bp-core-filters.php`. 190 // phpcs:ignore WordPress.Security.EscapeOutput 189 191 echo bp_nouveau_get_template_message(); 190 192 } … … 198 200 */ 199 201 function bp_nouveau_get_template_message() { 200 $bp_nouveau = bp_nouveau(); 202 $bp_nouveau = bp_nouveau(); 203 $template_message = ''; 204 $type = ''; 201 205 202 206 if ( ! empty( $bp_nouveau->user_feedback['message'] ) ) { 203 $user_feedback = $bp_nouveau->user_feedback['message']; 204 205 // @TODO: why is this treated differently? 206 foreach ( array( 'wp_kses_data', 'wp_unslash', 'wptexturize', 'convert_smilies', 'convert_chars' ) as $filter ) { 207 $user_feedback = call_user_func( $filter, $user_feedback ); 208 } 209 210 return '<p>' . $user_feedback . '</p>'; 207 $template_message = $bp_nouveau->user_feedback['message']; 208 $type = 'updated'; 211 209 212 210 } elseif ( ! empty( $bp_nouveau->template_message['message'] ) ) { 213 /** 214 * Filters the 'template_notices' feedback message content. 215 * 216 * @since 1.5.5 217 * 218 * @param string $template_message Feedback message content. 219 * @param string $type The type of message being displayed. 220 * Either 'updated' or 'error'. 221 */ 222 return apply_filters( 'bp_core_render_message_content', $bp_nouveau->template_message['message'], bp_nouveau_get_template_message_type() ); 223 } 211 $template_message = $bp_nouveau->template_message['message']; 212 $type = bp_nouveau_get_template_message_type(); 213 } 214 215 /** 216 * Filters the 'template_notices' feedback message content. 217 * 218 * @since 1.5.5 219 * 220 * @param string $template_message Feedback message content. 221 * @param string $type The type of message being displayed. 222 * Either 'updated' or 'error'. 
223 */ 224 return apply_filters( 'bp_core_render_message_content', $template_message, $type ); 224 225 } 225 226 … … 1017 1018 */ 1018 1019 function bp_nouveau_nav_scope() { 1019 echo bp_nouveau_get_nav_scope(); // Escaped by bp_get_form_field_attributes(). 1020 // Escaping is made in `bp_get_form_field_attributes()`. 1021 // phpcs:ignore WordPress.Security.EscapeOutput 1022 echo bp_nouveau_get_nav_scope(); 1020 1023 } 1021 1024 /** … … 1917 1920 function bp_nouveau_search_form() { 1918 1921 $search_form_html = bp_buffer_template_part( 'common/search/search-form', null, false ); 1922 $allowed_html = array( 1923 'div' => array( 1924 'id' => true, 1925 'class' => true, 1926 'data-bp-search' => true, 1927 ), 1928 'form' => array( 1929 'action' => true, 1930 'method' => true, 1931 'id' => true, 1932 'class' => true, 1933 'role' => true, 1934 ), 1935 'label' => array( 1936 'for' => true, 1937 'class' => true, 1938 ), 1939 'input' => array( 1940 'type' => true, 1941 'id' => true, 1942 'name' => true, 1943 'placeholder' => true, 1944 'class' => true, 1945 ), 1946 'button' => array( 1947 'type' => true, 1948 'name' => true, 1949 'id' => true, 1950 'class' => true, 1951 ), 1952 'span' => array( 1953 'id' => true, 1954 'class' => true, 1955 'aria-hidden' => true, 1956 ), 1957 ); 1919 1958 1920 1959 $objects = bp_nouveau_get_search_objects(); 1921 1960 if ( empty( $objects['primary'] ) || empty( $objects['secondary'] ) ) { 1922 echo $search_form_html;1961 echo wp_kses( $search_form_html, $allowed_html ); 1923 1962 return; 1924 1963 } … … 1937 1976 * @param string $search_form_html The HTML output for the directory search form. 
1938 1977 */ 1939 echo apply_filters( "bp_directory_{$objects['secondary']}_search_form", $search_form_html );1978 echo wp_kses( apply_filters( "bp_directory_{$objects['secondary']}_search_form", $search_form_html ), $allowed_html ); 1940 1979 1941 1980 if ( 'activity' === $objects['secondary'] ) { … … 1980 2019 * @param string $search_form_html The HTML output for the directory search form. 1981 2020 */ 1982 echo apply_filters( "bp_group_{$objects['secondary']}_search_form", $search_form_html );2021 echo wp_kses( apply_filters( "bp_group_{$objects['secondary']}_search_form", $search_form_html ), $allowed_html ); 1983 2022 1984 2023 } else { … … 1990 2029 * @param string $search_form_html HTML markup for the member search form. 1991 2030 */ 1992 echo apply_filters( 'bp_directory_members_search_form', $search_form_html );2031 echo wp_kses( apply_filters( 'bp_directory_members_search_form', $search_form_html ), $allowed_html ); 1993 2032 } 1994 2033 … … 2209 2248 */ 2210 2249 function bp_nouveau_filter_options() { 2211 echo bp_nouveau_get_filter_options(); // Escaped in inner functions. 2250 // Escaping is made in `bp_nouveau_get_filter_options()`. 
2251 // phpcs:ignore WordPress.Security.EscapeOutput 2252 echo bp_nouveau_get_filter_options(); 2212 2253 } 2213 2254 … … 2415 2456 </p> 2416 2457 2417 <p class="description indicator-hint"><?php echo wp_get_password_hint(); ?></p>2458 <p class="description indicator-hint"><?php echo esc_html( wp_get_password_hint() ); ?></p> 2418 2459 <?php 2419 2460 } else { … … 2433 2474 if ( 'radio' !== $type ) { 2434 2475 if ( $required ) { 2435 printf( $label_output, esc_attr( $name ), esc_html( $label ), __( '(required)', 'buddypress' ) ); 2476 // phpcs:ignore WordPress.Security.EscapeOutput 2477 printf( $label_output, esc_attr( $name ), esc_html( $label ), esc_html__( '(required)', 'buddypress' ) ); 2436 2478 } else { 2479 // phpcs:ignore WordPress.Security.EscapeOutput 2437 2480 printf( $label_output, esc_attr( $name ), esc_html( $label ) ); 2438 2481 } … … 2518 2561 esc_attr( $name ), 2519 2562 esc_attr( $id ), 2563 // phpcs:ignore WordPress.Security.EscapeOutput 2520 2564 $class, // Constructed safely above. 2521 2565 esc_attr( $value ), 2566 // phpcs:ignore WordPress.Security.EscapeOutput 2522 2567 $attribute_type // Constructed safely above. 2523 2568 ); … … 2526 2571 if ( 'radio' !== $type ) { 2527 2572 if ( 'signup_blog_url' !== $name ) { 2573 // phpcs:ignore WordPress.Security.EscapeOutput 2528 2574 print( $field_output ); // Constructed safely above. 2529 2575 2530 2576 // If it's the signup blog url, it's specific to Multisite config. 2531 2577 } elseif ( is_subdomain_install() ) { 2532 // Constructed safely above.2533 2578 printf( 2534 2579 '%1$s %2$s . %3$s', 2535 2580 is_ssl() ? 'https://' : 'http://', 2536 $field_output, 2537 bp_signup_get_subdomain_base() 2581 // phpcs:ignore WordPress.Security.EscapeOutput 2582 $field_output, // Constructed safely above. 
2583 esc_url( bp_signup_get_subdomain_base() ) 2538 2584 ); 2539 2585 … … 2542 2588 printf( 2543 2589 '%1$s %2$s', 2544 home_url( '/' ), 2590 esc_url( home_url( '/' ) ), 2591 // phpcs:ignore WordPress.Security.EscapeOutput 2545 2592 $field_output // Constructed safely above. 2546 2593 ); … … 2550 2597 } else { 2551 2598 // $label_output and $field_output are constructed safely above. 2599 // phpcs:ignore WordPress.Security.EscapeOutput 2552 2600 printf( $label_output, esc_attr( $name ), $field_output . ' ' . esc_html( $label ) ); 2553 2601 } … … 2624 2672 2625 2673 // Output the submit button. 2674 // phpcs:disable WordPress.Security.EscapeOutput 2626 2675 if ( isset( $submit_data['wrapper'] ) && false === $submit_data['wrapper'] ) { 2627 2676 echo $submit_input; … … 2631 2680 printf( '<div class="submit">%s</div>', $submit_input ); 2632 2681 } 2682 // phpcs:enable 2633 2683 2634 2684 $nonce = $submit_data['nonce'];
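Review bot: `esc_url( bp_signup_get_subdomain_base() )` at 2583 is the wrong escaper for this value: `esc_url()` prepends `http://` to any string that has no scheme, so if the subdomain base is a bare host name, as its name suggests, the subdomain signup field renders as `https:// <input> . http://example.com` (constructed example); `esc_html( bp_signup_get_subdomain_base() )` is what the `'%1$s %2$s . %3$s'` format needs. Separately, the rewrite of `bp_nouveau_get_template_message()` (lines 202-224) now fires `bp_core_render_message_content` with `$type = ''` and an empty message when neither feedback nor template message is set, contradicting the hook docblock that promises `'updated'` or `'error'`, and it drops the `<p>` wrapper the old user-feedback branch added; an early `if ( '' === $template_message ) { return ''; }` before the `apply_filters()` restores the old no-message behaviour, and the wrapper should be checked against the rendering template. The `phpcs:disable`/`phpcs:enable` pair around the submit button output at 2674-2682 carries no reason why `$submit_input` is safe; a one-line `// Escaping is made where $submit_input is built above — confirm.` would match the rest of the changeset.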