sanitize output

This commit is contained in:
Matthias Pfefferle 2023-05-11 14:20:35 +02:00
parent 154b0018af
commit 77873d12b3
3 changed files with 22 additions and 28 deletions

View file

@ -42,8 +42,8 @@ class Shortcodes {
foreach ( $tags as $tag ) { foreach ( $tags as $tag ) {
$hash_tags[] = \sprintf( $hash_tags[] = \sprintf(
'<a rel="tag" class="u-tag u-category" href="%s">#%s</a>', '<a rel="tag" class="u-tag u-category" href="%s">#%s</a>',
\get_tag_link( $tag ), \esc_url( \get_tag_link( $tag ) ),
$tag->slug \esc_html( $tag->slug )
); );
} }
@ -66,7 +66,7 @@ class Shortcodes {
return ''; return '';
} }
return \get_the_title( $post_id ); return \esc_html( \get_the_title( $post_id ) );
} }
@ -170,7 +170,7 @@ class Shortcodes {
} }
} }
return \apply_filters( 'the_excerpt', $excerpt ); return $excerpt;
} }
/** /**
@ -189,21 +189,11 @@ class Shortcodes {
return ''; return '';
} }
$atts = shortcode_atts(
array( 'apply_filters' => 'yes' ),
$atts,
$tag
);
$content = \get_post_field( 'post_content', $post ); $content = \get_post_field( 'post_content', $post );
if ( 'yes' === $atts['apply_filters'] ) {
$content = \apply_filters( 'the_content', $content );
} else {
$content = do_blocks( $content ); $content = do_blocks( $content );
$content = wptexturize( $content ); $content = wptexturize( $content );
$content = wp_filter_content_tags( $content ); $content = wp_filter_content_tags( $content );
}
// replace script and style elements // replace script and style elements
$content = \preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $content ); $content = \preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $content );
@ -343,7 +333,11 @@ class Shortcodes {
$hash_tags = array(); $hash_tags = array();
foreach ( $categories as $category ) { foreach ( $categories as $category ) {
$hash_tags[] = \sprintf( '<a rel="tag" class="u-tag u-category" href="%s">#%s</a>', \get_category_link( $category ), $category->slug ); $hash_tags[] = \sprintf(
'<a rel="tag" class="u-tag u-category" href="%s">#%s</a>',
\esc_url( \get_category_link( $category ) ),
\esc_html( $category->slug )
);
} }
return \implode( ' ', $hash_tags ); return \implode( ' ', $hash_tags );
@ -365,13 +359,13 @@ class Shortcodes {
return ''; return '';
} }
$name = \get_the_author_meta( 'display_name', $post->post_author ); $name = \esc_html( \get_the_author_meta( 'display_name', $post->post_author ) );
if ( ! $name ) { if ( ! $name ) {
return ''; return '';
} }
return $name; return \esc_html( $name );
} }
/** /**
@ -422,7 +416,7 @@ class Shortcodes {
* @return string * @return string
*/ */
public static function blogname( $atts, $content, $tag ) { public static function blogname( $atts, $content, $tag ) {
return \get_bloginfo( 'name' ); return \esc_html( \get_bloginfo( 'name' ) );
} }
/** /**
@ -435,7 +429,7 @@ class Shortcodes {
* @return string * @return string
*/ */
public static function blogdesc( $atts, $content, $tag ) { public static function blogdesc( $atts, $content, $tag ) {
return \get_bloginfo( 'description' ); return \esc_html( \get_bloginfo( 'description' ) );
} }
/** /**
@ -464,7 +458,7 @@ class Shortcodes {
return ''; return '';
} }
return $date; return \esc_html( $date );
} }
/** /**
@ -493,7 +487,7 @@ class Shortcodes {
return ''; return '';
} }
return $date; return \esc_html( $date );
} }
/** /**
@ -522,6 +516,6 @@ class Shortcodes {
return ''; return '';
} }
return $date; return \esc_html( $date );
} }
} }

View file

@ -51,7 +51,7 @@ class Webfinger {
} }
// try to access author URL // try to access author URL
$response = \wp_remote_get( $response = \wp_safe_remote_get(
$url, $url,
array( array(
'headers' => array( 'Accept' => 'application/activity+json' ), 'headers' => array( 'Accept' => 'application/activity+json' ),

View file

@ -9,8 +9,8 @@
'<dl>' . '<dl>' .
'<dt><code>[ap_title]</code></dt>' . '<dt><code>[ap_title]</code></dt>' .
'<dd>' . \wp_kses( __( 'The post\'s title.', 'activitypub' ), 'default' ) . '</dd>' . '<dd>' . \wp_kses( __( 'The post\'s title.', 'activitypub' ), 'default' ) . '</dd>' .
'<dt><code>[ap_content apply_filters="yes"]</code></dt>' . '<dt><code>[ap_content]</code></dt>' .
'<dd>' . \wp_kses( __( 'The post\'s content. With <code>apply_filters</code> you can decide if filters should be applied or not (default is <code>yes</code>). The values can be <code>yes</code> or <code>no</code>. <code>apply_filters</code> attribute is optional.', 'activitypub' ), 'default' ) . '</dd>' . '<dd>' . \wp_kses( __( 'The post\'s content.', 'activitypub' ), 'default' ) . '</dd>' .
'<dt><code>[ap_excerpt lenght="400"]</code></dt>' . '<dt><code>[ap_excerpt lenght="400"]</code></dt>' .
'<dd>' . \wp_kses( __( 'The post\'s excerpt (default 400 chars). <code>length</code> attribute is optional.', 'activitypub' ), 'default' ) . '</dd>' . '<dd>' . \wp_kses( __( 'The post\'s excerpt (default 400 chars). <code>length</code> attribute is optional.', 'activitypub' ), 'default' ) . '</dd>' .
'<dt><code>[ap_permalink type="url"]</code></dt>' . '<dt><code>[ap_permalink type="url"]</code></dt>' .