Ensure that output is always escaped late, not early

sheabunge · sheabunge · commit 94548d2ee130 · 2022-05-06T09:53:20.000+10:00
diff --git a/php/admin-menus/class-edit-menu.php b/php/admin-menus/class-edit-menu.php
@@ -341,14 +341,13 @@ private function save_posted_snippet() {
 	function render_description_editor( Code_Snippet $snippet ) {
 		$settings = code_snippets_get_settings();
 		$settings = $settings['description_editor'];
-		$heading = __( 'Description', 'code-snippets' );
 
 		/* Hack to remove space between heading and editor tabs */
-		if ( ! $settings['media_buttons'] && 'false' !== get_user_option( 'rich_editing' ) ) {
-			$heading = "<div>$heading</div>";
-		}
+		$inline_heading = ! $settings['media_buttons'] && 'false' !== get_user_option( 'rich_editing' );
 
-		echo '<h2><label for="snippet_description">', $heading, '</label></h2>';
+		echo '<h2><label for="snippet_description">', $inline_heading ? '<div>' : '';
+		esc_html_e( 'Description', 'code-snippets' );
+		echo $inline_heading ? '</div>' : '', '</label></h2>';
 
 		remove_editor_styles(); // stop custom theme styling interfering with the editor
 
diff --git a/php/settings/render-fields.php b/php/settings/render-fields.php
@@ -18,22 +18,23 @@ function code_snippets_checkbox_field( $atts ) {
 	$saved_value = code_snippets_get_setting( $atts['section'], $atts['id'] );
 	$input_name = sprintf( 'code_snippets_settings[%s][%s]', $atts['section'], $atts['id'] );
 
-	$output = sprintf(
+	if ( ! empty( $atts['label'] ) ) {
+		printf( '<label for="%s">', esc_attr( $input_name ) );
+	}
+
+	printf(
 		'<input type="checkbox" name="%s"%s>',
 		esc_attr( $input_name ),
 		checked( $saved_value, true, false )
 	);
 
-	// Output the checkbox field, optionally with label
-	if ( isset( $atts['label'] ) ) {
-		printf( '<label for="%s">%s %s</label>', esc_attr( $input_name ), $output, $atts['label'] );
-	} else {
-		echo $output;
+	if ( ! empty( $atts['label'] ) ) {
+		echo esc_html( $atts['label'] ), '</label>';
 	}
 
 	// Add field description if it is set
 	if ( ! empty( $atts['desc'] ) ) {
-		echo '<p class="description">' . $atts['desc'] . '</p>';
+		echo '<p class="description">' . esc_html( $atts['desc'] ) . '</p>';
 	}
 }
 
@@ -64,11 +65,11 @@ function code_snippets_number_field( $atts ) {
 	echo '>';
 
 	if ( ! empty( $atts['label'] ) ) {
-		echo ' ' . $atts['label'];
+		echo ' ' . esc_html( $atts['label'] );
 	}
 
 	// Add field description if it is set
 	if ( ! empty( $atts['desc'] ) ) {
-		echo '<p class="description">' . $atts['desc'] . '</p>';
+		echo '<p class="description">' . esc_html( $atts['desc'] ) . '</p>';
 	}
 }
diff --git a/php/settings/settings-fields.php b/php/settings/settings-fields.php
@@ -76,11 +76,7 @@ function code_snippets_get_settings_fields() {
 		'complete_uninstall' => array(
 			'name'    => __( 'Complete Uninstall', 'code-snippets' ),
 			'type'    => 'checkbox',
-			'label'   => sprintf(
-				/* translators: %s: URL for Plugins admin menu */
-				__( 'When the plugin is deleted from the <a href="%s">Plugins</a> menu, also delete all snippets and plugin settings.', 'code-snippets' ),
-				self_admin_url( 'plugins.php' )
-			),
+			'label'   => __( 'When the plugin is deleted from the Plugins menu, also delete all snippets and plugin settings.', 'code-snippets' ),
 			'default' => false,
 		),
 	);
diff --git a/php/views/edit.php b/php/views/edit.php
@@ -64,7 +64,8 @@
 
 		?></h1>
 
-	<form method="post" id="snippet-form" action="" style="margin-top: 10px;" class="<?php echo implode( ' ', $classes ); ?>">
+	<form method="post" id="snippet-form" action="" style="margin-top: 10px;"
+	      class="<?php echo implode( ' ', $classes ); ?>">
 		<?php
 		/* Output the hidden fields */
 
@@ -80,7 +81,9 @@
 		<div id="titlediv">
 			<div id="titlewrap">
 				<label for="title" style="display: none;"><?php _e( 'Name', 'code-snippets' ); ?></label>
-				<input id="title" type="text" autocomplete="off" name="snippet_name" value="<?php echo esc_attr( $snippet->name ); ?>" placeholder="<?php _e( 'Enter title here', 'code-snippets' ); ?>">
+				<input id="title" type="text" autocomplete="off" name="snippet_name"
+				       value="<?php echo esc_attr( $snippet->name ); ?>"
+				       placeholder="<?php _e( 'Enter title here', 'code-snippets' ); ?>">
 			</div>
 		</div>
 
@@ -91,7 +94,8 @@
 		<h2><label for="snippet_code"><?php _e( 'Code', 'code-snippets' ); ?></label></h2>
 
 		<div class="snippet-editor">
-			<textarea id="snippet_code" name="snippet_code" rows="200" spellcheck="false" style="font-family: monospace; width: 100%;"><?php
+			<textarea id="snippet_code" name="snippet_code" rows="200" spellcheck="false"
+			          style="font-family: monospace; width: 100%;"><?php
 				echo esc_textarea( $snippet->code );
 				?></textarea>
 
@@ -104,15 +108,15 @@
 				<?php
 
 				$keys = array(
-					'Cmd'    => esc_html_x( 'Cmd', 'keyboard key', 'code-snippets' ),
-					'Ctrl'   => esc_html_x( 'Ctrl', 'keyboard key', 'code-snippets' ),
-					'Shift'  => esc_html_x( 'Shift', 'keyboard key', 'code-snippets' ),
-					'Option' => esc_html_x( 'Option', 'keyboard key', 'code-snippets' ),
-					'Alt'    => esc_html_x( 'Alt', 'keyboard key', 'code-snippets' ),
-					'F'      => esc_html_x( 'F', 'keyboard key', 'code-snippets' ),
-					'G'      => esc_html_x( 'G', 'keyboard key', 'code-snippets' ),
-					'R'      => esc_html_x( 'R', 'keyboard key', 'code-snippets' ),
-					'S'      => esc_html_x( 'S', 'keyboard key', 'code-snippets' ),
+					'Cmd'    => _x( 'Cmd', 'keyboard key', 'code-snippets' ),
+					'Ctrl'   => _x( 'Ctrl', 'keyboard key', 'code-snippets' ),
+					'Shift'  => _x( 'Shift', 'keyboard key', 'code-snippets' ),
+					'Option' => _x( 'Option', 'keyboard key', 'code-snippets' ),
+					'Alt'    => _x( 'Alt', 'keyboard key', 'code-snippets' ),
+					'F'      => _x( 'F', 'keyboard key', 'code-snippets' ),
+					'G'      => _x( 'G', 'keyboard key', 'code-snippets' ),
+					'R'      => _x( 'R', 'keyboard key', 'code-snippets' ),
+					'S'      => _x( 'S', 'keyboard key', 'code-snippets' ),
 				);
 
 				?>
@@ -122,45 +126,54 @@
 						<tr>
 							<td><?php esc_html_e( 'Save changes', 'code-snippets' ); ?></td>
 							<td>
-								<kbd class="pc-key"><?php echo $keys['Ctrl']; ?></kbd><kbd class="mac-key"><?php
-									echo $keys['Cmd']; ?></kbd>&hyphen;<kbd><?php echo $keys['S']; ?></kbd>
+								<kbd class="pc-key"><?php echo esc_html( $keys['Ctrl'] ); ?></kbd><kbd class="mac-key"><?php
+									echo esc_html( $keys['Cmd'] ); ?></kbd>&hyphen;<kbd><?php echo esc_html( $keys['S'] ); ?></kbd>
 							</td>
 						</tr>
 						<tr>
 							<td><?php esc_html_e( 'Begin searching', 'code-snippets' ); ?></td>
 							<td>
-								<kbd class="pc-key"><?php echo $keys['Ctrl']; ?></kbd><kbd class="mac-key"><?php
-									echo $keys['Cmd']; ?></kbd>&hyphen;<kbd><?php echo $keys['F']; ?></kbd>
+								<kbd class="pc-key"><?php echo esc_html( $keys['Ctrl'] ); ?></kbd><kbd class="mac-key"><?php
+									echo esc_html( $keys['Cmd'] ); ?></kbd>&hyphen;<kbd><?php echo esc_html( $keys['F'] ); ?></kbd>
 							</td>
 						</tr>
 						<tr>
 							<td><?php esc_html_e( 'Find next', 'code-snippets' ); ?></td>
 							<td>
-								<kbd class="pc-key"><?php echo $keys['Ctrl']; ?></kbd><kbd class="mac-key"><?php echo $keys['Cmd']; ?></kbd>&hyphen;<kbd><?php echo $keys['G']; ?></kbd>
+								<kbd class="pc-key"><?php echo esc_html( $keys['Ctrl'] ); ?></kbd><kbd
+										class="mac-key"><?php echo esc_html( $keys['Cmd'] ); ?></kbd>&hyphen;<kbd><?php echo esc_html( $keys['G'] ); ?></kbd>
 							</td>
 						</tr>
 						<tr>
 							<td><?php esc_html_e( 'Find previous', 'code-snippets' ); ?></td>
 							<td>
-								<kbd><?php echo $keys['Shift']; ?></kbd>-<kbd class="pc-key"><?php echo $keys['Ctrl']; ?></kbd><kbd class="mac-key"><?php echo $keys['Cmd']; ?></kbd>&hyphen;<kbd><?php echo $keys['G']; ?></kbd>
+								<kbd><?php echo esc_html( $keys['Shift'] ); ?></kbd>-<kbd
+										class="pc-key"><?php echo esc_html( $keys['Ctrl'] ); ?></kbd><kbd
+										class="mac-key"><?php echo esc_html( $keys['Cmd'] ); ?></kbd>&hyphen;<kbd><?php echo esc_html( $keys['G'] ); ?></kbd>
 							</td>
 						</tr>
 						<tr>
 							<td><?php esc_html_e( 'Replace', 'code-snippets' ); ?></td>
 							<td>
-								<kbd><?php echo $keys['Shift']; ?></kbd>&hyphen;<kbd class="pc-key"><?php echo $keys['Ctrl']; ?></kbd><kbd class="mac-key"><?php echo $keys['Cmd']; ?></kbd>&hyphen;<kbd><?php echo $keys['F']; ?></kbd>
+								<kbd><?php echo esc_html( $keys['Shift'] ); ?></kbd>&hyphen;<kbd
+										class="pc-key"><?php echo esc_html( $keys['Ctrl'] ); ?></kbd><kbd
+										class="mac-key"><?php echo esc_html( $keys['Cmd'] ); ?></kbd>&hyphen;<kbd><?php echo esc_html( $keys['F'] ); ?></kbd>
 							</td>
 						</tr>
 						<tr>
 							<td><?php esc_html_e( 'Replace all', 'code-snippets' ); ?></td>
 							<td>
-								<kbd><?php echo $keys['Shift']; ?></kbd>&hyphen;<kbd class="pc-key"><?php echo $keys['Ctrl']; ?></kbd><kbd class="mac-key"><?php echo $keys['Cmd']; ?></kbd><span class="mac-key">&hyphen;</span><kbd class="mac-key"><?php echo $keys['Option']; ?></kbd>&hyphen;<kbd><?php echo $keys['R']; ?></kbd>
+								<kbd><?php echo esc_html( $keys['Shift'] ); ?></kbd>&hyphen;<kbd
+										class="pc-key"><?php echo esc_html( $keys['Ctrl'] ); ?></kbd><kbd
+										class="mac-key"><?php echo esc_html( $keys['Cmd'] ); ?></kbd><span
+										class="mac-key">&hyphen;</span><kbd
+										class="mac-key"><?php echo esc_html( $keys['Option'] ); ?></kbd>&hyphen;<kbd><?php echo esc_html( $keys['R'] ); ?></kbd>
 							</td>
 						</tr>
 						<tr>
 							<td><?php esc_html_e( 'Persistent search', 'code-snippets' ); ?></td>
 							<td>
-								<kbd><?php echo $keys['Alt']; ?></kbd>&hyphen;<kbd><?php echo $keys['F']; ?></kbd>
+								<kbd><?php echo esc_html( $keys['Alt'] ); ?></kbd>&hyphen;<kbd><?php echo esc_html( $keys['F'] ); ?></kbd>
 							</td>
 						</tr>
 					</table>
