escape translated strings to prevent HTML injections

2025-06-05 21:59:25 +02:00 · 2025-05-23 18:08:28 +02:00
parent 516f08a6ac
commit 3e2aac7657
7 changed files with 49 additions and 17 deletions
--- a/source/includes/EventsListBlock.php
+++ b/source/includes/EventsListBlock.php
@@ -13,8 +13,8 @@ class EventsListBlock {
      ], '<wordpress-version>', array('in_footer' => true));
    register_block_type(NAME . '/events-list', [
      'api_version' => 2,
-      'title' => __('Events List', 'connector-mobilizon'),
-      'description' =>  __('A list of the upcoming events of the connected Mobilizon instance.', 'connector-mobilizon'),
+      'title' => esc_html__('Events List', 'connector-mobilizon'),
+      'description' =>  esc_html__('A list of the upcoming events of the connected Mobilizon instance.', 'connector-mobilizon'),
      'category' => 'widgets',
      'icon' => 'list-view',
      'supports' => [
--- a/source/includes/EventsListWidget.php
+++ b/source/includes/EventsListWidget.php
@@ -6,9 +6,9 @@ class EventsListWidget extends \WP_Widget {
  public function __construct() {
    parent::__construct(
      NAME . '-events-list',
-      NICE_NAME . ' ' . __('Events List', 'connector-mobilizon'),
+      NICE_NAME . ' ' . esc_html__('Events List', 'connector-mobilizon'),
      array(
-        'description' => __('A list of the upcoming events of the connected Mobilizon instance.', 'connector-mobilizon'),
+        'description' => esc_html__('A list of the upcoming events of the connected Mobilizon instance.', 'connector-mobilizon'),
      ),
    );
  }
@@ -49,7 +49,7 @@ class EventsListWidget extends \WP_Widget {
  }

  public function form($options) {
-    $title = !empty($options['title']) ? $options['title'] : __('Events', 'connector-mobilizon');
+    $title = !empty($options['title']) ? $options['title'] : esc_html__('Events', 'connector-mobilizon');
    $eventsCount = !empty($options['eventsCount']) ? $options['eventsCount'] : DEFAULT_EVENTS_COUNT;
    $groupName = !empty($options['groupName']) ? $options['groupName'] : '';
    
--- a/source/includes/Settings.php
+++ b/source/includes/Settings.php
@@ -31,14 +31,14 @@ class Settings {

    add_settings_section(
      self::$SETTINGS_SECTION_NAME,
-      __('General Settings', 'connector-mobilizon'),
+      esc_html__('General Settings', 'connector-mobilizon'),
      '',
      self::$PAGE_NAME
    );

    add_settings_field(
      self::$SETTING_FIELD_NAME_URL,
-      __('URL', 'connector-mobilizon'),
+      esc_html__('URL', 'connector-mobilizon'),
      'MobilizonConnector\Settings::output_field_url',
      self::$PAGE_NAME,
      self::$SETTINGS_SECTION_NAME,
@@ -48,7 +48,7 @@ class Settings {
    );
    add_settings_field(
      self::$SETTING_FIELD_NAME_IS_SHORT_OFFSET_NAME_SHOWN,
-      __('Display named offset', 'connector-mobilizon'),
+      esc_html__('Display named offset', 'connector-mobilizon'),
      'MobilizonConnector\Settings::output_field_is_short_offset_name_shown',
      self::$PAGE_NAME,
      self::$SETTINGS_SECTION_NAME,
@@ -74,7 +74,7 @@ class Settings {
      add_settings_error(
        self::$OPTION_NAME_URL,
        'wordpress_mobilizon_field_url_error',
-        __('The URL is invalid.', 'connector-mobilizon'),
+        esc_html__('The URL is invalid.', 'connector-mobilizon'),
        'error'
      );
    }
@@ -86,7 +86,7 @@ class Settings {

  public static function register_settings_page() {
    add_options_page(
-      NICE_NAME . ' ' . __('Settings', 'connector-mobilizon'),
+      NICE_NAME . ' ' . esc_html__('Settings', 'connector-mobilizon'),
      NICE_NAME,
      'manage_options',
      NAME . '-settings',