escape values at the time they are output to pass WordPress.com scripts

niallkennedy · niallkennedy · commit 0daae307ac17 · 2013-12-29T04:14:19.000Z
diff --git a/admin/settings-debug.php b/admin/settings-debug.php
@@ -198,7 +198,7 @@ public static function app_section() {
 			return;
 
 		echo '<section id="debug-app">';
-		echo '<header><h3><a href="' . self::get_app_edit_base_uri( $facebook_loader->credentials['app_id'] ) . '" target="_blank">' . esc_html( sprintf( __( 'App %s', 'facebook' ), $facebook_loader->credentials['app_id'] ) ) . '</a></h3></header>';
+		echo '<header><h3><a href="' . esc_url( self::get_app_edit_base_uri( $facebook_loader->credentials['app_id'] ), array('http', 'https') ) . '" target="_blank">' . esc_html( sprintf( __( 'App %s', 'facebook' ), $facebook_loader->credentials['app_id'] ) ) . '</a></h3></header>';
 
 		self::app_editors( $facebook_loader->credentials['app_id'] );
 		self::app_details( $facebook_loader->credentials['app_id'] );
@@ -284,12 +284,12 @@ public static function app_editors( $app_id ) {
 		if ( $wordpress_users_display_count === 1 ) {
 			$ask_string = $wordpress_users_display[0];
 		} else if ( $wordpress_users_display_count === 2 ) {
-			$ask_string = $wordpress_users_display[0] . ' ' . _x( 'or', 'bridge between two options: this or that or these', 'facebook' ) . ' ' . $wordpress_users_display[1];
+			$ask_string = $wordpress_users_display[0] . ' ' . esc_html( _x( 'or', 'bridge between two options: this or that or these', 'facebook' ) ) . ' ' . $wordpress_users_display[1];
 		} else {
-			$ask_string = ', ' . _x( 'or', 'bridge between two options: this or that or these', 'facebook' ) . ' ' . array_pop( $wordpress_users_display );
+			$ask_string = ', ' . esc_html( _x( 'or', 'bridge between two options: this or that or these', 'facebook' ) ) . ' ' . array_pop( $wordpress_users_display );
 			$ask_string = implode( ', ', $wordpress_users_display ) . $ask_string;
 		}
-		echo '<p>' . sprintf( __( '%s can change these application settings on Facebook.', 'facebook' ), $ask_string ) . '</p>';
+		echo '<p>' . sprintf( esc_html( __( '%s can change these application settings on Facebook.', 'facebook' ) ), $ask_string ) . '</p>';
 	}
 
 	/**
@@ -315,14 +315,16 @@ public static function app_details( $app_id ) {
 
 		// link to the relevant Facebook app editor screen
 		$app_edit_base_uri = self::get_app_edit_base_uri( $app_id );
+		$app_details_uri = $app_edit_base_uri . 'appdetails/';
+		$app_summary_uri = $app_edit_base_uri . 'summary/';
 
 		echo '<table id="facebook-app-login-fields">';
 		echo '<caption>' . esc_html( __( 'Facebook Login', 'facebook' ) ) . '</caption>';
 		echo '<thead><tr><th>' . esc_html( _x( 'Setting', 'Table column header. The Facebook application setting.', 'facebook' ) ) . '</th><th>' . esc_html( _x( 'Value', 'Facebook application setting retrieved from Facebook servers.', 'facebook' ) ) . '</th></tr></thead>';
 		echo '<tbody>';
 
 		// app name
-		echo '<tr><th><a href="' . $app_edit_base_uri . 'appdetails/#name" target="_blank">' . esc_html( __( 'App name', 'facebook' ) ) . '</a></th><td';
+		echo '<tr><th><a href="' . esc_url( $app_details_uri . '#name', array('http', 'https') ) . '" target="_blank">' . esc_html( __( 'App name', 'facebook' ) ) . '</a></th><td';
 		if ( isset( $app_details['name'] ) && $app_details['name'] ) {
 			echo '>"' . esc_html( $app_details['name'] ) . '"';
 		} else {
@@ -338,7 +340,7 @@ public static function app_details( $app_id ) {
 		echo '</td></tr>';
 
 		// app domains able to act on behalf of the application
-		echo '<tr><th><a href="' . $app_edit_base_uri . 'summary/" target="_blank">' . esc_html( __( 'App Domains', 'facebook' ) ) . '</a></th><td';
+		echo '<tr><th><a href="' . esc_url( $app_summary_uri, array('http', 'https') ) . '" target="_blank">' . esc_html( __( 'App Domains', 'facebook' ) ) . '</a></th><td';
 		if ( isset( $app_details['app_domains'] ) && ! empty( $app_details['app_domains'] ) ) {
 			echo '><ul>';
 			foreach( $app_details['app_domains'] as $app_domain ) {
@@ -352,18 +354,17 @@ public static function app_details( $app_id ) {
 		echo '</td></tr>';
 
 		// Website with Facebook Login
-		echo '<tr><th><a href="' . $app_edit_base_uri . 'summary/#site_url_input" target="_blank">' . esc_html( __( 'Website', 'facebook' ) ) . '</a></th><td';
+		echo '<tr><th><a href="' . esc_url( $app_summary_uri .'#site_url_input', array('http', 'https') ) . '" target="_blank">' . esc_html( __( 'Website', 'facebook' ) ) . '</a></th><td';
 		if ( isset( $app_details['website_url'] ) && $app_details['website_url'] ) {
-			$app_details['website_url'] = esc_url( $app_details['website_url'], array( 'http', 'https' ) );
-			echo '><a href="' . $app_details['website_url'] . '" target="_blank">' . $app_details['website_url'] . '</a>';
+			echo '><a href="' . esc_url( $app_details['website_url'], array( 'http', 'https' ) ) . '" target="_blank">' . esc_html( $app_details['website_url'] ) . '</a>';
 		} else {
 			echo ' class="error-message">';
 			echo esc_html( sprintf( __( 'Not set. Consider using: %s', 'facebook' ), home_url( '/' ) ) );
 		}
 		echo '</td></tr>';
 
 		// One-line description
-		echo '<tr><th><a href="' . $app_edit_base_uri . 'appdetails/" target="_blank">' . esc_html( __( 'One-line description', 'facebook' ) ) . '</a></th><td';
+		echo '<tr><th><a href="' . esc_url( $app_details_uri, array('http', 'https') ) . '" target="_blank">' . esc_html( __( 'One-line description', 'facebook' ) ) . '</a></th><td';
 		if ( isset( $app_details['auth_dialog_headline'] ) && $app_details['auth_dialog_headline'] ) {
 			echo '>"' . esc_html( $app_details['auth_dialog_headline'] ) . '"';
 		} else {
@@ -379,36 +380,35 @@ public static function app_details( $app_id ) {
 		echo '</td></tr>';
 
 		// publish permissions explanation
-		echo '<tr><th><a href="' . $app_edit_base_uri . 'appdetails/" target="_blank">' . esc_html( _x( 'Publish permissions explanation', 'Explain the reason for requesting publish permissions from a Facebook user', 'facebook' ) ) . '</a></th><td';
+		echo '<tr><th><a href="' . esc_url( $app_details_uri, array('http', 'https') ) . '" target="_blank">' . esc_html( _x( 'Publish permissions explanation', 'Explain the reason for requesting publish permissions from a Facebook user', 'facebook' ) ) . '</a></th><td';
 		if ( isset( $app_details['auth_dialog_perms_explanation'] ) && $app_details['auth_dialog_perms_explanation'] )
 			echo '>"' . esc_html( $app_details['auth_dialog_perms_explanation'] ) . '"';
 		else
 			echo ' class="error-message">' . esc_html( sprintf( __( 'Not set. Consider using: %s', 'facebook' ), '"' . __( 'Publish new posts to your Facebook Timeline or Page.', 'facebook' ) . '"' ) );
 		echo '</td></tr>';
 
 		// Privacy Policy
-		echo '<tr><th><a href="' . $app_edit_base_uri . 'appdetails/#privacy_url" target="_blank">' . esc_html( __( 'Privacy Policy', 'facebook' ) ) . '</a></th><td';
+		echo '<tr><th><a href="' . esc_url( $app_details_uri . '#privacy_url', array('http', 'https') ) . '" target="_blank">' . esc_html( __( 'Privacy Policy', 'facebook' ) ) . '</a></th><td';
 		if ( isset( $app_details['privacy_policy_url'] ) && $app_details['privacy_policy_url'] ) {
-			$app_details['privacy_policy_url'] = esc_url( $app_details['privacy_policy_url'], array( 'http', 'https' ) );
-			echo '><a href="' . $app_details['privacy_policy_url'] . '" target="_blank">' . $app_details['privacy_policy_url'] . '</a>';
+			echo '><a href="' . esc_url( $app_details['privacy_policy_url'], array( 'http', 'https' ) ) . '" target="_blank">' . esc_html( $app_details['privacy_policy_url'] ) . '</a>';
 		} else {
 			echo ' class="error-message">' . esc_html( __( 'Not set.', 'facebook' ) ) . ' ' . esc_html( _x( 'Create a new page?', 'Create a new WordPress page', 'facebook' ) );
 		}
 		echo '</td></tr>';
 
 		// Terms of Service
-		echo '<tr><th><a href="' . $app_edit_base_uri . 'appdetails/#tos_url" target="_blank">' . esc_html( __( 'Terms of Service', 'facebook' ) ) . '</a></th><td';
+		echo '<tr><th><a href="' . esc_url( $app_details_uri . '#tos_url', array('http', 'https') ) . '" target="_blank">' . esc_html( __( 'Terms of Service', 'facebook' ) ) . '</a></th><td';
 		if ( isset( $app_details['terms_of_service_url'] ) && $app_details['terms_of_service_url'] ) {
 			$app_details['terms_of_service_url'] = esc_url( $app_details['terms_of_service_url'], array( 'http', 'https' ) );
-			echo '><a href="' . $app_details['terms_of_service_url'] . '" target="_blank">' . $app_details['terms_of_service_url'] . '</a>';
+			echo '><a href="' . esc_url( $app_details['terms_of_service_url'], array( 'http', 'https' ) ) . '" target="_blank">' . esc_html( $app_details['terms_of_service_url'] ) . '</a>';
 		} else {
 			echo ' class="error-message">';
 			echo esc_html( __( 'Not set.', 'facebook' ) ) . ' ' . esc_html( _x( 'Create a new page?', 'Create a new WordPress page', 'facebook' ) );
 		}
 		echo '</td></tr>';
 
 		// Logo
-		echo '<tr><th><a href="' . $app_edit_base_uri . 'appdetails/" target="_blank">' . esc_html( _x( 'Logo', 'Facebook application logo', 'facebook' ) ) . '</a></th><td';
+		echo '<tr><th><a href="' . esc_url( $app_details_uri, array('http', 'https') ) . '" target="_blank">' . esc_html( _x( 'Logo', 'Facebook application logo', 'facebook' ) ) . '</a></th><td';
 		if ( isset( $app_details['logo_url'] ) && $app_details['logo_url'] ) {
 			echo '><img alt="' . esc_attr( __( 'Facebook application logo', 'facebook' ) ) . '" src="' . esc_url( $app_details['logo_url'], array( 'http', 'https' ) ) . '" />';
 		} else {
@@ -417,7 +417,7 @@ public static function app_details( $app_id ) {
 		echo '</td></tr>';
 
 		// Icon
-		echo '<tr><th><a href="' . $app_edit_base_uri . 'appdetails/" target="_blank">' . esc_html( _x( 'Icon', 'Facebook application icon', 'facebook' ) ) . '</a></th><td';
+		echo '<tr><th><a href="' . esc_url( $app_details_uri, array('http', 'https') ) . '" target="_blank">' . esc_html( _x( 'Icon', 'Facebook application icon', 'facebook' ) ) . '</a></th><td';
 		if ( isset( $app_details['icon_url'] ) && $app_details['icon_url'] ) {
 			echo '><img alt="' . esc_attr( __( 'Facebook application icon', 'facebook' ) ) . '" src="' . esc_url( $app_details['icon_url'], array( 'http', 'https' ) ) . '" />';
 		} else {
@@ -550,8 +550,7 @@ public static function post_to_page_section() {
 			$page_link = $post_to_page['link'];
 		else
 			$page_link = 'https://www.facebook.com/' . $post_to_page['id'];
-		$page_link = esc_url( $page_link, array( 'http', 'https' ) );
-		echo '<p>' . sprintf( esc_html( _x( 'Publishing to %s.', 'publishing to a page name on Facebook.com', 'facebook' ) ), '<a href="' . $page_link . '">' . esc_html( $post_to_page['name'] ) . '</a>' );
+		echo '<p>' . sprintf( esc_html( _x( 'Publishing to %s.', 'publishing to a page name on Facebook.com', 'facebook' ) ), '<a href="' . esc_url( $page_link, array( 'http', 'https' ) ) . '">' . esc_html( $post_to_page['name'] ) . '</a>' );
 		unset( $page_link );
 		if ( isset( $post_to_page['set_by_user'] ) ) {
 			if ( get_current_user_id() == $post_to_page['set_by_user'] ) {
diff --git a/admin/settings-social-plugin.php b/admin/settings-social-plugin.php
@@ -131,7 +131,7 @@ public static function color_scheme_choices( $name, $existing_value = 'light' )
 			// provides a hint of final display. May change but possibly helpful in making a decision
 			if ( isset( self::$color_scheme_styles[$color_scheme] ) )
 				$checkboxes .= ' style="padding:0.5em;' . self::$color_scheme_styles[$color_scheme] . '"';
-			$checkboxes .= '><input type="radio" name="' . $name . '" value="' . $color_scheme . '"' . checked( $existing_value, $color_scheme, false ) . ' />';
+			$checkboxes .= '><input type="radio" name="' . $name . '" value="' . esc_attr( $color_scheme ) . '"' . checked( $existing_value, $color_scheme, false ) . ' />';
 			$checkboxes .= ' ' . esc_html( __( $color_scheme, 'facebook' ) ) . '</label> ';
 		}
 		return rtrim( $checkboxes );
diff --git a/open-graph-protocol.php b/open-graph-protocol.php
@@ -103,7 +103,7 @@ public static function meta_elements( $property, $content ) {
 					self::meta_elements( $property . ':' . $structured_property, $content_value );
 			}
 		} else {
-			echo '<meta property="' . $property . '" content="' . esc_attr( $content ) . '"';
+			echo '<meta property="' . esc_attr( $property ) . '" content="' . esc_attr( $content ) . '"';
 
 			// do not use trailing slash if HTML5
 			// http://wiki.whatwg.org/wiki/FAQ#Should_I_close_empty_elements_with_.2F.3E_or_.3E.3F

Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,7 @@ public static function color_scheme_choices( $name, $existing_value = 'light' )`
`131`	`131`	`// provides a hint of final display. May change but possibly helpful in making a decision`
`132`	`132`	`if ( isset( self::$color_scheme_styles[$color_scheme] ) )`
`133`	`133`	`$checkboxes .= ' style="padding:0.5em;' . self::$color_scheme_styles[$color_scheme] . '"';`
`134`		`- $checkboxes .= '><input type="radio" name="' . $name . '" value="' . $color_scheme . '"' . checked( $existing_value, $color_scheme, false ) . ' />';`
	`134`	`+ $checkboxes .= '><input type="radio" name="' . $name . '" value="' . esc_attr( $color_scheme ) . '"' . checked( $existing_value, $color_scheme, false ) . ' />';`
`135`	`135`	`$checkboxes .= ' ' . esc_html( __( $color_scheme, 'facebook' ) ) . '</label> ';`
`136`	`136`	`}`
`137`	`137`	`return rtrim( $checkboxes );`
Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ public static function meta_elements( $property, $content ) {`
`103`	`103`	`self::meta_elements( $property . ':' . $structured_property, $content_value );`
`104`	`104`	`}`
`105`	`105`	`} else {`
`106`		`- echo '<meta property="' . $property . '" content="' . esc_attr( $content ) . '"';`
	`106`	`+ echo '<meta property="' . esc_attr( $property ) . '" content="' . esc_attr( $content ) . '"';`
`107`	`107`
`108`	`108`	`// do not use trailing slash if HTML5`
`109`	`109`	`// http://wiki.whatwg.org/wiki/FAQ#Should_I_close_empty_elements_with_.2F.3E_or_.3E.3F`