
Commit 5ba1f58

author
bfintal@gmail.com
committed
added more string escaping
1 parent 6da2f00 commit 5ba1f58

1 file changed

Lines changed: 14 additions & 4 deletions


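--- a/src/block/posts/index.php
+++ b/src/block/posts/index.php
@@ -71,10 +71,13 @@ function generate_render_item_from_stackable_posts_block( $post, $attributes, $t
 if ( $category_highlighted ) {
 preg_match_all( '/<a href="([^"]*)"[^>]*>([^<]*)<\/a>/', $category, $matches );
 foreach ( $matches[0] as $i=>$match ) {
-$href = $matches[1][$i];
-$category_title = $matches[2][$i];
-$category = str_replace( "<a href=\"$href\"", "<a class=\"stk-button\" href=\"$href\"", $category );
-$category = str_replace( ">$category_title<", "><span class=\"stk-button__inner-text\">$category_title</span><", $category );
+$original_href = $matches[1][$i];
+$original_title = $matches[2][$i];
+// Escape values to prevent XSS
+$escaped_href = esc_url( $original_href );
+$escaped_title = esc_html( $original_title );
+$category = str_replace( "<a href=\"$original_href\"", "<a class=\"stk-button\" href=\"$escaped_href\"", $category );
+$category = str_replace( ">$original_title<", "><span class=\"stk-button__inner-text\">$escaped_title</span><", $category );
 }
 }
 
@@ -84,6 +87,8 @@ function generate_render_item_from_stackable_posts_block( $post, $attributes, $t
 // Separator.
 if ( strpos( $new_template, '!#metaSeparator!#' ) !== false ) {
 $separator = Stackable_Posts_Block::meta_separators[ $meta_separator ];
+// Escape separator output to prevent XSS
+$separator = esc_html( $separator );
 $new_template = str_replace( '!#metaSeparator!#', $separator, $new_template );
 }
 
@@ -104,6 +109,9 @@ function generate_render_item_from_stackable_posts_block( $post, $attributes, $t
 $date_format = 'F j, Y';
 }
 $date = wp_date( $date_format, $post_date->getTimestamp() );
+// Escape date output to prevent XSS
+$datetime = esc_attr( $datetime );
+$date = esc_html( $date );
 $new_template = str_replace( '!#dateTime!#', $datetime, $new_template );
 $new_template = str_replace( '!#date!#', $date, $new_template );
 }
@@ -112,6 +120,8 @@ function generate_render_item_from_stackable_posts_block( $post, $attributes, $t
 if ( strpos( $new_template, '!#commentsNum!#' ) !== false ) {
 $num = get_comments_number( $post_id );
 $num = sprintf( _n( '%d comment', '%d comments', $num, STACKABLE_I18N ), $num );
+// Escape comments number output to prevent XSS
+$num = esc_html( $num );
 $new_template = str_replace( '!#commentsNum!#', $num, $new_template );
 }
 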
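Review bot: The new `esc_attr( $datetime )` and `esc_html( $date )` in the third hunk commit each value to a single output context before it is substituted into `$new_template`, but the placeholders `!#dateTime!#` and `!#date!#` are replaced with `str_replace`, which rewrites every occurrence, so the escaping is only correct if the template uses `!#dateTime!#` exclusively inside an attribute and `!#date!#` exclusively as element text; neither the template nor the assignment of `$datetime` is visible in this hunk, and `generate_render_item_from_stackable_posts_block` starts and ends outside it. The same context assumption applies to `$separator` in the second hunk and `$num` in the fourth, where `esc_html` would be wrong if those placeholders ever land inside an attribute. It would help to record the assumption next to the escaping, e.g. `// !#dateTime!# is substituted into an attribute value, !#date!# into element text — escape accordingly`, and to verify it against the template definition. In the first hunk, `$original_title` and `$original_href` are captured from already-rendered anchor markup, so `esc_html`/`esc_url` are re-escaping HTML-encoded text; this appears harmless only because WordPress does not double-encode existing entities by default, which is worth a one-line comment so the next reader does not take the captures for raw input.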