Adding output escape logic to add classes.

Open-Web-Analytics · Sep 17, 2021 · a9b98d4 · a9b98d4
1 parent 9911746
commit a9b98d4
Show file tree

Hide file tree

Showing 12 changed files with 352 additions and 127 deletions.
diff --git a/owa-plugin.php b/owa-plugin.php
@@ -166,7 +166,7 @@ function _init() {
 			// remove this if uneeded
 			if ( ! $this->isOwaReadyToTrack() ) {
 
-				$this->adminMsgs[] = ['Open Web Analytics requires a valid <b>API Key</b>, <b>Endpoint</b>, and <b>Site ID</b> before tracking can begin.', 'notice-warning'];
+				$this->adminMsgs[] = ['message' => 'Open Web Analytics requires a valid <b>API Key</b>, <b>Endpoint</b>, and <b>Site ID</b> before tracking can begin.', 'class' => 'notice-warning'];
 
 			}
 
@@ -175,14 +175,50 @@ function _init() {
 		}
 
 	}
+
+	function addNag( $message, $class = '' ) {
+
+
+		$defaults = [
+
+			'class' => 'notice-warning'
+		];
+
+		if ( $message ) {
+
+			$msg = ['message' => $message, 'class' => $class];				
+
+			wp_parse_args( $msg, $defaults );
+
+			$this->adminMsgs[] = $msg;
+		}
+
+	}
 
 	function showNag( $msg ) {
 
+
+		$allowed_html = array(
+		    'a'      => array(
+		        'href'  => array(),
+		        'title' => array(),
+		    ),
+		    'br'     => array(),
+		    'em'     => array(),
+		    'strong' => array(),
+		    'b'		=> array(),
+		);
+
+
 		if ( $this->adminMsgs ) {
-			
+
 			foreach ( $this->adminMsgs as $msg ) {
 
-				_e( sprintf( '<BR><div class="notice %s"><p>%s</p></div>', esc_attr( $msg[1] ), $msg[0] ) );	
+				$message =  wp_kses( $msg['message'], $allowed_html );
+
+				$class = esc_attr( $msg['class'] );
+
+				_e( sprintf( '<BR><div class="notice %s"><p>%s</p></div>', $class, $message ) );	
 			}	
 		}
 	}
@@ -205,7 +241,7 @@ private function initOptions() {
 
 		// fetch plugin options from DB and override defaults.
 		$options = get_option( 'owa_wp' );
-		//echo 'options from DB: '. print_r( $options, true );
+
 		if ( $options ) {
 
 			$this->options = array_merge($this->options, $options);
@@ -512,7 +548,7 @@ function insertTrackingTag() {
 		// convert cmds to string and pass to tracking tag template	
 		$options = $this->cmdsToString();
 
-		echo sprintf( $this->getTrackerSnippetTemplate(), $options );
+		_e( sprintf( $this->getTrackerSnippetTemplate(), $options ) );
 
 	}	
 
@@ -1099,24 +1135,44 @@ public function getOwaTrackerInstance() {
 	 * Callback for reporting dashboard/pages 
 	 */
 	function pageController( $params = array() ) {
-
-		$url = $this->getOption('owaEndpoint');
-
+
 		// insert link to OWA endpoint	
 
 		if ( ! current_user_can( 'manage_options' ) ) {
 
         	wp_die(__( 'You do not have sufficient permissions to access this page!' ) );
 		}
-
-		echo '<div class="wrap">';
-		echo	'<div class="icon32" id="icon-options-general"><br></div>';
-		echo	sprintf('<h2>%s</h2>', 'Analytics' );
-		echo	'Click the link below to view analytics in your OWA instance.';
+
+
+		$allowed_html = [
+		    'div'      => [
+		        'class'  	=> [],
+		        'id'		=> [],
+		        'style'		=> []
+
+		    ],
+		    'a'			=> [
+			    'href'		=> [],
+			    'target'	=> []
+		    ],
+		    'h2'     => [],
+		    'em'     => []
+		];
+
+		$url = esc_url( $this->getOption('owaEndpoint') );
+
+		$out = '';
+		$out .= '<div class="wrap">';
+		$out .=	'<div class="icon32" id="icon-options-general"><br></div>';
+		$out .=	sprintf('<h2>%s</h2>', 'Analytics' );
+		$out .=	'Click the link below to view analytics in your OWA instance.';
 
-		echo sprintf('<div style="margin-top: 50px;"><a href="%s" target="_new">Launch your OWA Dashboard</a>', $url);
+		$out .= sprintf('<div style="margin-top: 50px;"><a href="%s" target="_new">Launch your OWA Dashboard</a>', $url);
+
+		$out .= '</div>';
+
+		_e( wp_kses( $out, $allowed_html ) );
 
-		echo '</div>';
 	}
 
 	/**

diff --git a/src/settings/field.php b/src/settings/field.php
@@ -16,6 +16,8 @@ class field {
 
 	public $options;
 
+	public $allowed_html;
+
 	//
 	 // name of the validator callback to be used
 	 //
@@ -44,6 +46,47 @@ public function __construct( $params = '', $options ) {
 
 		);
 
+		$this->allowed_html = [
+
+			'label'		=> [
+				'for'		=> []
+			],
+			'input'		=> [
+
+				'class'		=> [],
+				'id'		=> [],
+				'value'		=> [],
+				'type'		=> [],
+				'checked'	=> [],
+				'size'		=> [],
+				'name'		=> []
+			],
+			'p'		=> [
+
+				'class'		=> []
+			],
+
+			'select'		=> [
+
+				'id'		=> [],
+				'name'		=> []
+			],
+
+			'option'		=> [
+
+				'value'		=> [],
+				'selected'	=> []
+			],
+
+			'textarea'		=> [
+
+				'name'		=> [],
+				'rows'		=> [],
+				'cols'		=> []
+
+			]
+		];
+
 		$params = util::setDefaultParams( $defaults, $params );
 
 		$this->options = $options;
@@ -128,6 +171,11 @@ public function getErrorMessage() {
 
 		return $this->get('error_message');
 	}
+
+	public function out( $string ) {
+
+		_e( wp_kses( $string, $this->allowed_html ) );
+	}
 }
 
 

diff --git a/src/settings/fields/boolean_field.php b/src/settings/fields/boolean_field.php
@@ -47,24 +47,24 @@ public function render( $attrs ) {
 			$off_checked = 'checked';
 		}
 
-		echo sprintf(
+		$this->out( sprintf(
 			'<label for="%s_on"><input class="" name="%s" id="%s_on" value="1" type="radio" %s> On</label>&nbsp; &nbsp; ', 
 
 			esc_attr( $attrs['dom_id'] ),
 			esc_attr( $attrs['name'] ), 
 			esc_attr( $attrs['dom_id'] ),
 			$on_checked
-		);
+		) );
 
-		echo sprintf(
+		$this->out( sprintf(
 			'<label for="%s_off"><input class="" name="%s" id="%s" value="0" type="radio" %s> Off</label>', 
 			esc_attr( $attrs['dom_id'] ),
 			esc_attr( $attrs['name'] ), 
 			esc_attr( $attrs['dom_id'] ),
 			$off_checked
-		);
+		) );
 
-		echo sprintf('<p class="description">%s</p>', $attrs['description']);
+		$this->out( sprintf('<p class="description">%s</p>', $attrs['description'] ) );
 	}
 }
 

diff --git a/src/settings/fields/booleanarray.php b/src/settings/fields/booleanarray.php
@@ -19,7 +19,7 @@ public function render ( $attrs ) {
 			$values = array();
 		}
 
-		echo sprintf('<p class="description">%s</p>', $attrs['description']);
+		$this->out( sprintf( '<p class="description">%s</p>', $attrs['description'] ) );
 
 		foreach ( $defaults as $dvalue ) {
 
@@ -35,14 +35,14 @@ public function render ( $attrs ) {
 
 			$dvalue_label = apply_filters( $this->get('id').'_field_value_label', $dvalue );
 
-			echo sprintf(
+			$this->out( sprintf(
 				'<p><input name="%s[]" id="%s" value="%s" type="checkbox" %s> %s</p>', 
 				esc_attr( $attrs['name'] ), 
 				esc_attr( $attrs['dom_id'] ),
 				esc_attr( $dvalue ),
 				$checked,
 				esc_html( $dvalue_label )
-			);
+			) );
 		}
 	}
 

diff --git a/src/settings/fields/onoffarray.php b/src/settings/fields/onoffarray.php
@@ -21,7 +21,7 @@ public function render ( $attrs ) {
 			$values = $defaults;
 		}
 
-		echo sprintf('<p class="description">%s</p>', $attrs['description']);
+		$this->out( sprintf('<p class="description">%s</p>', $attrs['description'] ) );
 
 		foreach ( $options as $k => $label ) {
 
@@ -49,25 +49,25 @@ public function render ( $attrs ) {
 
 			//$dvalue_label = apply_filters( $this->get('id').'_field_value_label', $ovalue );
 
-			echo sprintf(
+			$this->out( sprintf(
 				'<p>%s: <label for="%s_on"><input class="" name="%s[%s]" id="%s_on" value="1" type="radio" %s> On</label>&nbsp; &nbsp; ', 
 				$label,
 				esc_attr( $attrs['dom_id'] ),
 				esc_attr( $attrs['name'] ), 
 				esc_attr( $k ),
 				esc_attr( $attrs['dom_id'] ),
 				$on_checked
-			);
+			) );
 
-			echo sprintf(
+			$this->out( sprintf(
 				'<label for="%s_off"><input class="" name="%s[%s]" id="%s" value="0" type="radio" %s> Off</label></p>', 
 
 				esc_attr( $attrs['dom_id'] ),
 				esc_attr( $attrs['name'] ), 
 				esc_attr( $k ),
 				esc_attr( $attrs['dom_id'] ),
 				$off_checked
-			);
+			) );
 		}
 	}
 

diff --git a/src/settings/fields/select.php b/src/settings/fields/select.php
@@ -32,30 +32,27 @@ public function render( $attrs ) {
 
 				$opts .= sprintf(
 					'<option value="%s" %s>%s</option> \n',
-					$option['siteId'],
-					$selected_attr,
-					$option['label']
+					esc_attr( $option['siteId'] ),
+					esc_html( $selected_attr ),
+					esc_html( $option['label'] )
 				);
-
 			}
+
 		} else {
 
 			$opts = '<option value="">No options are available.</option>';
 		}
 
-		echo sprintf(
+		$this->out( sprintf(
 			'<select id="%s" name="%s">%s</select>', 
 
 			esc_attr( $attrs['dom_id'] ),
 			esc_attr( $attrs['name'] ), 
 			$opts
-		);
+		) );
 
-		echo sprintf('<p class="description">%s</p>', $attrs['description']);
-
+		$this->out( sprintf( '<p class="description">%s</p>', $attrs['description'] ) );	
 	}
 }
-
-
 
 ?>
diff --git a/src/settings/fields/text.php b/src/settings/fields/text.php
@@ -24,15 +24,15 @@ public function render( $attrs ) {
 			$size = 30;
 		}
 
-		echo sprintf(
+		$this->out( sprintf(
 			'<input name="%s" id="%s" value="%s" type="text" size="%s" /> ', 
 			esc_attr( $attrs['name'] ), 
 			esc_attr( $attrs['dom_id'] ),
 			esc_attr( $value ),
-			$size 
-		);
+			esc_attr( $size ) 
+		) );
 
-		echo sprintf('<p class="description">%s</p>', $attrs['description']);
+		$this->out( sprintf('<p class="description">%s</p>', $attrs['description'] ) );
 	}	
 
 	public function sanitize( $value ) {

diff --git a/src/settings/fields/textarea.php b/src/settings/fields/textarea.php
@@ -10,15 +10,15 @@ public function render( $attrs ) {
 	//print_r();
 		$value = $this->options[ $attrs['id'] ];
 
-		echo sprintf(
+		$this->out( sprintf(
 			'<textarea name="%s" rows="%s" cols="%s" />%s</textarea> ', 
 			esc_attr( $attrs['name'] ), 
 			esc_attr( $attrs['rows'] ),
 			esc_attr( $attrs['cols'] ),
-			esc_attr( $value ) 
-		);
+			esc_textarea( $value ) 
+		) );
 
-		echo sprintf('<p class="description">%s</p>', $attrs['description']);
+		$this->out( sprintf('<p class="description">%s</p>', $attrs['description'] ) );
 	}	
 
 	public function sanitize( $value ) {