Merge pull request #386 from lloc/raise-coverage

lloc · web-flow · commit 6509fa454be8 · 2024-09-23T15:58:59.000+01:00
Security fixes
diff --git a/.gitignore b/.gitignore
@@ -1,10 +1,12 @@
+.idea/
+.phpunit.result.cache
+.phpunit.cache
 composer.lock
 composer.phar
+multisite-language-switcher/
+multisite-language-switcher.zip
 package-lock.json
 phpunit.xml.bak
-.idea/
-.phpunit.result.cache
-.phpunit.cache
 tests/coverage/
 tests/playwright-results/
 tests/playwright-report/
diff --git a/includes/Map/HrefLang.php b/includes/Map/HrefLang.php
@@ -12,7 +12,7 @@
 class HrefLang {
 
 	/**
-	 * @var array<string, array<int, string>>
+	 * @var array<string, string>
 	 */
 	protected $map = array();
 
diff --git a/includes/MslsCustomColumn.php b/includes/MslsCustomColumn.php
@@ -94,7 +94,7 @@ public function td( $column_name, $item_id ): void {
 					printf(
 						'<span class="msls-icon-wrapper %1$s">%2$s</span>',
 						esc_attr( $this->options->get_icon_type() ),
-						$icon->get_a()
+						wp_kses_post( $icon->get_a() )
 					);
 
 					restore_current_blog();
diff --git a/includes/MslsOutput.php b/includes/MslsOutput.php
@@ -95,9 +95,9 @@ public function get( ?int $display, bool $filter = false, $exists = false ): arr
 	 * @return string
 	 */
 	public function get_alternate_links() {
-		$blogs    = msls_blog_collection();
-		$hreflang = new HrefLang( $blogs );
-		$options  = MslsOptions::create();
+		$blogs   = msls_blog_collection();
+		$hlObj   = new HrefLang( $blogs );
+		$options = MslsOptions::create();
 
 		$arr     = array();
 		$default = '';
@@ -110,13 +110,14 @@ public function get_alternate_links() {
 			}
 
 			$description = $blog->get_description();
+			$hreflang    = $hlObj->get( $blog->get_language() );
 
 			$format = '<link rel="alternate" hreflang="%s" href="%s" title="%s" />';
 			if ( '' === $default ) {
-				$default = sprintf( $format, 'x-default', $url, esc_attr( $description ) );
+				$default = sprintf( $format, 'x-default', esc_url( $url ), esc_attr( $description ) );
 			}
 
-			$arr[] = sprintf( $format, $hreflang->get( $blog->get_language() ), $url, esc_attr( $description ) );
+			$arr[] = sprintf( $format, esc_attr( $hreflang ), esc_url( $url ), esc_attr( $description ) );
 		}
 
 		if ( 1 === count( $arr ) ) {
diff --git a/includes/MslsPlugin.php b/includes/MslsPlugin.php
@@ -190,7 +190,7 @@ public function init_i18n_support(): void {
 	 */
 	public static function message_handler( $message, $css_class = 'error' ) {
 		if ( ! empty( $message ) ) {
-			printf( '<div id="msls-warning" class="%s"><p>%s</p></div>', $css_class, $message );
+			printf( '<div id="msls-warning" class="%s"><p>%s</p></div>', esc_attr( $css_class ), esc_html( $message ) );
 
 			return true;
 		}
diff --git a/includes/MslsPostTag.php b/includes/MslsPostTag.php
@@ -160,7 +160,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo
 
 			$this->maybe_set_linked_term( $mydata );
 
-			printf( $title_format, $this->get_select_title(), $type );
+			printf( wp_kses_post( $title_format ), esc_html( $this->get_select_title() ), esc_attr( $type ) );
 
 			foreach ( $blogs as $blog ) {
 				switch_to_blog( $blog->userblog_id );
@@ -179,7 +179,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo
 					}
 				}
 
-				printf( $item_format, $blog->userblog_id, $icon, $language, $value, $title );
+				printf( wp_kses_post( $item_format ), esc_attr( $blog->userblog_id ), wp_kses_post( $icon ), esc_attr( $language ), esc_attr( $value ), esc_attr( $title ) );
 
 				restore_current_blog();
 			}
diff --git a/includes/MslsPostTagClassic.php b/includes/MslsPostTagClassic.php
@@ -77,7 +77,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo
 
 			$this->maybe_set_linked_term( $mydata );
 
-			printf( $title_format, $this->get_select_title() );
+			printf( wp_kses_post( $title_format ), esc_html( $this->get_select_title() ) );
 
 			foreach ( $blogs as $blog ) {
 				$this->print_option( $blog, $type, $mydata, $item_format );
@@ -119,14 +119,14 @@ public function print_option( MslsBlog $blog, string $type, MslsOptionsTax $myda
 			foreach ( $terms as $term ) {
 				$options .= sprintf(
 					'<option value="%s" %s>%s</option>',
-					$term->term_id,
+					esc_attr( $term->term_id ),
 					selected( $term->term_id, $mydata->$language, false ),
-					$term->name
+					esc_html( $term->name )
 				);
 			}
 		}
 
-		printf( $item_format, $language, $icon, $options );
+		printf( wp_kses_post( $item_format ), esc_attr( $language ), wp_kses_post( $icon ), wp_kses_post( $options ) );
 
 		restore_current_blog();
 	}
diff --git a/tests/phpunit/MslsUnitTestCase.php b/tests/phpunit/MslsUnitTestCase.php
@@ -26,6 +26,7 @@ protected function setUp(): void {
 		Functions\when( 'esc_url' )->returnArg();
 		Functions\when( '__' )->returnArg();
 		Functions\when( 'wp_kses' )->returnArg();
+		Functions\when( 'wp_kses_post' )->returnArg();
 		Functions\when( 'sanitize_text_field' )->returnArg();
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -190,7 +190,7 @@ public function init_i18n_support(): void {`
`190`	`190`	`*/`
`191`	`191`	`public static function message_handler( $message, $css_class = 'error' ) {`
`192`	`192`	`if ( ! empty( $message ) ) {`
`193`		`- printf( '<div id="msls-warning" class="%s"><p>%s</p></div>', $css_class, $message );`
	`193`	`+ printf( '<div id="msls-warning" class="%s"><p>%s</p></div>', esc_attr( $css_class ), esc_html( $message ) );`
`194`	`194`
`195`	`195`	`return true;`
`196`	`196`	`}`
Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo`
`160`	`160`
`161`	`161`	`$this->maybe_set_linked_term( $mydata );`
`162`	`162`
`163`		`- printf( $title_format, $this->get_select_title(), $type );`
	`163`	`+ printf( wp_kses_post( $title_format ), esc_html( $this->get_select_title() ), esc_attr( $type ) );`
`164`	`164`
`165`	`165`	`foreach ( $blogs as $blog ) {`
`166`	`166`	`switch_to_blog( $blog->userblog_id );`
`@@ -179,7 +179,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo`
`179`	`179`	`}`
`180`	`180`	`}`
`181`	`181`
`182`		`- printf( $item_format, $blog->userblog_id, $icon, $language, $value, $title );`
	`182`	`+ printf( wp_kses_post( $item_format ), esc_attr( $blog->userblog_id ), wp_kses_post( $icon ), esc_attr( $language ), esc_attr( $value ), esc_attr( $title ) );`
`183`	`183`
`184`	`184`	`restore_current_blog();`
`185`	`185`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ protected function setUp(): void {`
`26`	`26`	`Functions\when( 'esc_url' )->returnArg();`
`27`	`27`	`Functions\when( '__' )->returnArg();`
`28`	`28`	`Functions\when( 'wp_kses' )->returnArg();`
	`29`	`+ Functions\when( 'wp_kses_post' )->returnArg();`
`29`	`30`	`Functions\when( 'sanitize_text_field' )->returnArg();`
`30`	`31`	`}`
`31`	`32`