trunk/src/bp-templates/bp-nouveau/includes/template-tags.php
r13743 r13820 187 187 */ 188 188 function bp_nouveau_template_message() { 189 // Escaping is made in `bp-core/bp-core-filters.php`. 190 // phpcs:ignore WordPress.Security.EscapeOutput 189 191 echo bp_nouveau_get_template_message(); 190 192 } … … 198 200 */ 199 201 function bp_nouveau_get_template_message() { 200 $bp_nouveau = bp_nouveau(); 202 $bp_nouveau = bp_nouveau(); 203 $template_message = ''; 204 $type = ''; 201 205 202 206 if ( ! empty( $bp_nouveau->user_feedback['message'] ) ) { 203 $user_feedback = $bp_nouveau->user_feedback['message']; 204 205 // @TODO: why is this treated differently? 206 foreach ( array( 'wp_kses_data', 'wp_unslash', 'wptexturize', 'convert_smilies', 'convert_chars' ) as $filter ) { 207 $user_feedback = call_user_func( $filter, $user_feedback ); 208 } 209 210 return '<p>' . $user_feedback . '</p>'; 207 $template_message = $bp_nouveau->user_feedback['message']; 208 $type = 'updated'; 211 209 212 210 } elseif ( ! empty( $bp_nouveau->template_message['message'] ) ) { 213 /** 214 * Filters the 'template_notices' feedback message content. 215 * 216 * @since 1.5.5 217 * 218 * @param string $template_message Feedback message content. 219 * @param string $type The type of message being displayed. 220 * Either 'updated' or 'error'. 221 */ 222 return apply_filters( 'bp_core_render_message_content', $bp_nouveau->template_message['message'], bp_nouveau_get_template_message_type() ); 223 } 211 $template_message = $bp_nouveau->template_message['message']; 212 $type = bp_nouveau_get_template_message_type(); 213 } 214 215 /** 216 * Filters the 'template_notices' feedback message content. 217 * 218 * @since 1.5.5 219 * 220 * @param string $template_message Feedback message content. 221 * @param string $type The type of message being displayed. 222 * Either 'updated' or 'error'. 
223 */ 224 return apply_filters( 'bp_core_render_message_content', $template_message, $type ); 224 225 } 225 226 … … 1017 1018 */ 1018 1019 function bp_nouveau_nav_scope() { 1019 echo bp_nouveau_get_nav_scope(); // Escaped by bp_get_form_field_attributes(). 1020 // Escaping is made in `bp_get_form_field_attributes()`. 1021 // phpcs:ignore WordPress.Security.EscapeOutput 1022 echo bp_nouveau_get_nav_scope(); 1020 1023 } 1021 1024 /** … … 1917 1920 function bp_nouveau_search_form() { 1918 1921 $search_form_html = bp_buffer_template_part( 'common/search/search-form', null, false ); 1922 $allowed_html = array( 1923 'div' => array( 1924 'id' => true, 1925 'class' => true, 1926 'data-bp-search' => true, 1927 ), 1928 'form' => array( 1929 'action' => true, 1930 'method' => true, 1931 'id' => true, 1932 'class' => true, 1933 'role' => true, 1934 ), 1935 'label' => array( 1936 'for' => true, 1937 'class' => true, 1938 ), 1939 'input' => array( 1940 'type' => true, 1941 'id' => true, 1942 'name' => true, 1943 'placeholder' => true, 1944 'class' => true, 1945 ), 1946 'button' => array( 1947 'type' => true, 1948 'name' => true, 1949 'id' => true, 1950 'class' => true, 1951 ), 1952 'span' => array( 1953 'id' => true, 1954 'class' => true, 1955 'aria-hidden' => true, 1956 ), 1957 ); 1919 1958 1920 1959 $objects = bp_nouveau_get_search_objects(); 1921 1960 if ( empty( $objects['primary'] ) || empty( $objects['secondary'] ) ) { 1922 echo $search_form_html;1961 echo wp_kses( $search_form_html, $allowed_html ); 1923 1962 return; 1924 1963 } … … 1937 1976 * @param string $search_form_html The HTML output for the directory search form. 
1938 1977 */ 1939 echo apply_filters( "bp_directory_{$objects['secondary']}_search_form", $search_form_html );1978 echo wp_kses( apply_filters( "bp_directory_{$objects['secondary']}_search_form", $search_form_html ), $allowed_html ); 1940 1979 1941 1980 if ( 'activity' === $objects['secondary'] ) { … … 1980 2019 * @param string $search_form_html The HTML output for the directory search form. 1981 2020 */ 1982 echo apply_filters( "bp_group_{$objects['secondary']}_search_form", $search_form_html );2021 echo wp_kses( apply_filters( "bp_group_{$objects['secondary']}_search_form", $search_form_html ), $allowed_html ); 1983 2022 1984 2023 } else { … … 1990 2029 * @param string $search_form_html HTML markup for the member search form. 1991 2030 */ 1992 echo apply_filters( 'bp_directory_members_search_form', $search_form_html );2031 echo wp_kses( apply_filters( 'bp_directory_members_search_form', $search_form_html ), $allowed_html ); 1993 2032 } 1994 2033 … … 2209 2248 */ 2210 2249 function bp_nouveau_filter_options() { 2211 echo bp_nouveau_get_filter_options(); // Escaped in inner functions. 2250 // Escaping is made in `bp_nouveau_get_filter_options()`. 
2251 // phpcs:ignore WordPress.Security.EscapeOutput 2252 echo bp_nouveau_get_filter_options(); 2212 2253 } 2213 2254 … … 2415 2456 </p> 2416 2457 2417 <p class="description indicator-hint"><?php echo wp_get_password_hint(); ?></p>2458 <p class="description indicator-hint"><?php echo esc_html( wp_get_password_hint() ); ?></p> 2418 2459 <?php 2419 2460 } else { … … 2433 2474 if ( 'radio' !== $type ) { 2434 2475 if ( $required ) { 2435 printf( $label_output, esc_attr( $name ), esc_html( $label ), __( '(required)', 'buddypress' ) ); 2476 // phpcs:ignore WordPress.Security.EscapeOutput 2477 printf( $label_output, esc_attr( $name ), esc_html( $label ), esc_html__( '(required)', 'buddypress' ) ); 2436 2478 } else { 2479 // phpcs:ignore WordPress.Security.EscapeOutput 2437 2480 printf( $label_output, esc_attr( $name ), esc_html( $label ) ); 2438 2481 } … … 2518 2561 esc_attr( $name ), 2519 2562 esc_attr( $id ), 2563 // phpcs:ignore WordPress.Security.EscapeOutput 2520 2564 $class, // Constructed safely above. 2521 2565 esc_attr( $value ), 2566 // phpcs:ignore WordPress.Security.EscapeOutput 2522 2567 $attribute_type // Constructed safely above. 2523 2568 ); … … 2526 2571 if ( 'radio' !== $type ) { 2527 2572 if ( 'signup_blog_url' !== $name ) { 2573 // phpcs:ignore WordPress.Security.EscapeOutput 2528 2574 print( $field_output ); // Constructed safely above. 2529 2575 2530 2576 // If it's the signup blog url, it's specific to Multisite config. 2531 2577 } elseif ( is_subdomain_install() ) { 2532 // Constructed safely above.2533 2578 printf( 2534 2579 '%1$s %2$s . %3$s', 2535 2580 is_ssl() ? 'https://' : 'http://', 2536 $field_output, 2537 bp_signup_get_subdomain_base() 2581 // phpcs:ignore WordPress.Security.EscapeOutput 2582 $field_output, // Constructed safely above. 
2583 esc_url( bp_signup_get_subdomain_base() ) 2538 2584 ); 2539 2585 … … 2542 2588 printf( 2543 2589 '%1$s %2$s', 2544 home_url( '/' ), 2590 esc_url( home_url( '/' ) ), 2591 // phpcs:ignore WordPress.Security.EscapeOutput 2545 2592 $field_output // Constructed safely above. 2546 2593 ); … … 2550 2597 } else { 2551 2598 // $label_output and $field_output are constructed safely above. 2599 // phpcs:ignore WordPress.Security.EscapeOutput 2552 2600 printf( $label_output, esc_attr( $name ), $field_output . ' ' . esc_html( $label ) ); 2553 2601 } … … 2624 2672 2625 2673 // Output the submit button. 2674 // phpcs:disable WordPress.Security.EscapeOutput 2626 2675 if ( isset( $submit_data['wrapper'] ) && false === $submit_data['wrapper'] ) { 2627 2676 echo $submit_input; … … 2631 2680 printf( '<div class="submit">%s</div>', $submit_input ); 2632 2681 } 2682 // phpcs:enable 2633 2683 2634 2684 $nonce = $submit_data['nonce'];
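Review bot: `esc_url( bp_signup_get_subdomain_base() )` on new line 2583, in the `is_subdomain_install()` branch, is the wrong escaper for that slot: the value is printed as visible text after the blog-name input, and `esc_url()` prepends `http://` to a string that carries no scheme, so a bare network domain would render as `http://example.com` (constructed) right after the `http://`/`https://` prefix the format string already emits in `%1$s`. Assuming `bp_signup_get_subdomain_base()` returns a bare host as its name suggests, the escaper should match the HTML text context: `esc_html( bp_signup_get_subdomain_base() )`. The enclosing function starts and ends outside the hunk. Separately, the `bp_nouveau_get_template_message()` hunk drops the explicit `wp_kses_data` pass on `user_feedback['message']` in favour of the `bp_core_render_message_content` filter chain; that is only safe if `bp-core/bp-core-filters.php` actually hooks `wp_kses_data` on that filter, which this changeset does not show.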