Add missing output escaping

Alex Kirk 2023-07-18 06:30:06 +02:00
parent 0f54ea465e
commit ab6aefe446


@ -27,8 +27,12 @@ class Mention {
public static function the_content( $the_content ) { public static function the_content( $the_content ) {
$protected_tags = array(); $protected_tags = array();
$protect = function( $m ) use ( &$protected_tags ) { $protect = function( $m ) use ( &$protected_tags ) {
$c = count( $protected_tags ); $c = \rand( 100000, 999999 );
$protect = '!#!#PROTECT' . $c . '#!#!'; $protect = '!#!#PROTECT' . $c . '#!#!';
while ( isset( $protected_tags[ $protect ] ) ) {
$c = \rand( 100000, 999999 );
$protect = '!#!#PROTECT' . $c . '#!#!';
}
$protected_tags[ $protect ] = $m[0]; $protected_tags[ $protect ] = $m[0];
return $protect; return $protect;
}; };
@ -78,8 +82,7 @@ class Mention {
if ( ! empty( $metadata['preferredUsername'] ) ) { if ( ! empty( $metadata['preferredUsername'] ) ) {
$username = $metadata['preferredUsername']; $username = $metadata['preferredUsername'];
} }
$username = '@<span>' . $username . '</span>'; return \sprintf( '<a rel="mention" class="u-url mention" href="%s">@<span>%s</span></a>', esc_url( $metadata['url'] ), esc_html( $username ) );
return \sprintf( '<a rel="mention" class="u-url mention" href="%s">%s</a>', $metadata['url'], $username );
} }
return $result[0]; return $result[0];
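Review bot: The retry loop in the `$protect` closure (first hunk) only rejects a token that is already a key of `$protected_tags`; it never checks that the token is absent from `$the_content`. Post text that already contains a matching `!#!#PROTECT` + six digits + `#!#!` string would therefore presumably be treated as a placeholder when the protected tags are restored (that code is outside the hunk). Randomising `$c` makes such a clash less likely than with `count()`, but `\rand()` is not a CSPRNG and the range holds only 900,000 values. I would capture the content with `use ( &$protected_tags, $the_content )` and extend the condition to `while ( isset( $protected_tags[ $protect ] ) || false !== \strpos( $the_content, $protect ) )`, optionally drawing `$c` from `\random_int()`. The body of `the_content()` continues past the hunk, so confirm that `$the_content` is still the unmodified input where the closure is created.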