<?php

namespace Kirki;

// Abort unless loaded through WordPress (which defines ABSPATH), so this
// file cannot be executed by requesting it directly from the web server.
defined( 'ABSPATH' ) || exit;

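/**
 * View class for HTML sanitization and escaping.
 *
 * Thin wrapper around wp_kses() using an allow-list that extends the core
 * 'post' context with form controls, SVG, media, iframe, style and script
 * tags. See get_allowed_html_tags() for the trust assumptions this implies.
 *
 * @since 1.0.0
 */
class View {

    /**
     * Get the KSES allow-list used by safe_html() and echo_safe_html().
     *
     * Starts from wp_kses_allowed_html( 'post' ) and layers further tag
     * groups on top with array_merge(). Because the keys are tag names, a
     * tag that also appears in a later group (e.g. 'a' and 'img' in
     * $extra_tags) REPLACES the core definition instead of extending it.
     * NOTE(review): core's 'a' definition allows attributes this list omits
     * (rel, for one); those are stripped by wp_kses() as a result - confirm
     * that is intended.
     *
     * Security note: the list deliberately allows <script>, <style> and
     * <iframe>. wp_kses() only filters tag/attribute names and checks URI
     * protocols on src/href-type attributes; it does not inspect the text
     * content of script or style elements. Markup passed through safe_html()
     * with this list is therefore NOT safe against XSS when it originates
     * from an untrusted (non-administrator) source. Only feed it markup that
     * is already trusted or otherwise validated.
     *
     * @return array<string, array<string, bool>> Tag name => allowed attributes, in wp_kses() format.
     */
    public static function get_allowed_html_tags(): array {
        $allowed_tags = wp_kses_allowed_html( 'post' );

        // Attributes shared by every form control below.
        $form_common_attributes = [
            'id'               => true,
            'class'            => true,
            'name'             => true,
            'value'            => true,
            'title'            => true,
            'style'            => true,
            'disabled'         => true,
            'readonly'         => true,
            'required'         => true,
            'hidden'           => true,
            'tabindex'         => true,
            'accesskey'        => true,
            'autocomplete'     => true,
            'autofocus'        => true,
            'form'             => true,
            'aria-label'       => true,
            'aria-hidden'      => true,
            'aria-describedby' => true,
            'data-*'           => true,
            'xml:lang'         => true,
        ];

        $input_attributes = array_merge(
            $form_common_attributes,
            [
                'type'        => true,
                'placeholder' => true,
                'checked'     => true,
                'maxlength'   => true,
                'minlength'   => true,
                'min'         => true,
                'max'         => true,
                'step'        => true,
                'pattern'     => true,
                'size'        => true,
                'multiple'    => true,
                'accept'      => true,
                'src'         => true,
                'alt'         => true,
                'list'        => true,
            ]
        );

        $select_attributes = array_merge(
            $form_common_attributes,
            [
                'multiple' => true,
                'size'     => true,
            ]
        );

        $option_attributes = [
            'value'    => true,
            'selected' => true,
            'disabled' => true,
            'label'    => true,
            'data-*'   => true,
            'xml:lang' => true,
        ];

        $form_tags = [
            'form'     => [
                'action'   => true,
                'method'   => true,
                'class'    => true,
                'id'       => true,
                'data-*'   => true,
                'xml:lang' => true,
            ],
            'input'    => $input_attributes,
            'select'   => $select_attributes,
            'option'   => $option_attributes,
            'label'    => [
                'for'      => true,
                'class'    => true,
                'id'       => true,
                'style'    => true,
                'data-*'   => true,
                'xml:lang' => true,
            ],
            'fieldset' => [
                'disabled' => true,
                'form'     => true,
                'name'     => true,
                'class'    => true,
                'id'       => true,
                'data-*'   => true,
                'xml:lang' => true,
            ],
            'legend'   => [
                'class'    => true,
                'id'       => true,
                'data-*'   => true,
                'xml:lang' => true,
            ],
        ];

        // Every SVG element gets the same attribute set (see array_fill_keys below).
        $svg_allowed_tags = [
            'svg',
            'g',
            'path',
            'circle',
            'rect',
            'line',
            'ellipse',
            'polygon',
            'polyline',
            'text',
            'tspan',
            'defs',
            'linearGradient',
            'radialGradient',
            'stop',
            'desc',
            'use',
            'mask',
        ];

        // Both camelCase and lowercase spellings of viewBox/maskUnits are listed;
        // presumably because attribute names are lowercased somewhere in the
        // KSES pipeline - verify before removing either.
        $svg_common_attributes = [
            'id'              => true,
            'class'           => true,
            'style'           => true,
            'fill'            => true,
            'fill-opacity'    => true,
            'fill-rule'       => true,
            'stroke'          => true,
            'stroke-width'    => true,
            'stroke-linecap'  => true,
            'stroke-linejoin' => true,
            'stroke-opacity'  => true,
            'd'               => true,
            'x'               => true,
            'y'               => true,
            'width'           => true,
            'height'          => true,
            'viewBox'         => true,
            'viewbox'         => true,
            'xmlns'           => true,
            'transform'       => true,
            'mask'            => true,
            'maskUnits'       => true,
            'maskunits'       => true,
            'x1'              => true,
            'y1'              => true,
            'x2'              => true,
            'y2'              => true,
            'cx'              => true,
            'cy'              => true,
            'r'               => true,
            'rx'              => true,
            'ry'              => true,
            'points'          => true,
            'offset'          => true,
            'stop-color'      => true,
            'stop-opacity'    => true,
            'xlink:href'      => true,
        ];

        $svg_tags = array_fill_keys( $svg_allowed_tags, $svg_common_attributes );

        // Tags beyond the core 'post' set. 'a' and 'img' override the core
        // definitions of the same name in the final array_merge().
        // <script>/<style>/<iframe> are allowed here on purpose; see the
        // security note in the method docblock.
        $extra_tags = [
            'iframe' => [
                'src'             => true,
                'width'           => true,
                'height'          => true,
                'frameborder'     => true,
                'allow'           => true,
                'allowfullscreen' => true,
                'loading'         => true,
                'title'           => true,
                'name'            => true,
                'id'              => true,
                'class'           => true,
                'style'           => true,
                'sandbox'         => true,
                'referrerpolicy'  => true,
                'scrolling'       => true,
                'importance'      => true,
                'data-*'          => true,
                'xml:lang'        => true,
            ],
            'a'      => [
                'disabled' => true,
                'href'     => true,
                'target'   => true,
                'class'    => true,
                'id'       => true,
                'data-*'   => true,
                'xml:lang' => true,
            ],
            'style'  => [
                'type' => true,
            ],
            'script' => [
                'type'        => true,
                'src'         => true,
                'async'       => true,
                'defer'       => true,
                'integrity'   => true,
                'crossorigin' => true,
                'data-*'      => true,
            ],
            'img'    => [
                'src'      => true,
                'alt'      => true,
                'width'    => true,
                'height'   => true,
                'srcset'   => true,
                'sizes'    => true,
                'loading'  => true,
                'class'    => true,
                'id'       => true,
                'style'    => true,
                'title'    => true,
                'data-*'   => true,
                'xml:lang' => true,
            ],
            'video'  => [
                'src'         => true,
                'controls'    => true,
                'muted'       => true,
                'autoplay'    => true,
                'playsinline' => true,
                'poster'      => true,
                'width'       => true,
                'height'      => true,
                'class'       => true,
                'id'          => true,
                'style'       => true,
                'data-*'      => true,
                'xml:lang'    => true,
            ],
        ];

        // Kirki-specific attribute names (presumably consumed by Kirki's own
        // templates - verify against the front-end code). These are literal
        // attribute names: 'on' matches only an attribute called "on", not
        // on* event handlers, which wp_kses() continues to strip.
        $kirki_custom_attributes = [
            'collection' => true,
            'navigation' => true,
            'pages'      => true,
            'number'     => true,
            'hide'       => true,
            'on'         => true,
        ];

        // Merged into the core 'post' tag set and into $extra_tags only.
        // NOTE(review): $form_tags, $svg_tags and $video_tags do not receive
        // these attributes; confirm whether "all elements" was the intent.
        $allowed_tags = self::with_custom_attributes( $allowed_tags, $kirki_custom_attributes );
        $extra_tags   = self::with_custom_attributes( $extra_tags, $kirki_custom_attributes );

        $video_tags = [
            'source' => [
                'src'      => true,
                'type'     => true,
                'data-*'   => true,
                'xml:lang' => true,
            ],
        ];

        // Order matters: later groups win on duplicate tag names.
        return array_merge( $allowed_tags, $svg_tags, $form_tags, $video_tags, $extra_tags );
    }

    /**
     * Return $tags with $attributes merged into every tag whose attribute
     * list is an array. Later keys win, so an entry in $attributes overrides
     * a same-named attribute already present on the tag. Entries whose value
     * is not an array are left untouched.
     *
     * @param array<string, mixed> $tags       KSES tag name => attribute list.
     * @param array<string, bool>  $attributes Attribute name => true, in KSES format.
     * @return array<string, mixed>
     */
    private static function with_custom_attributes( array $tags, array $attributes ): array {
        foreach ( $tags as $tag => $tag_attributes ) {
            if ( is_array( $tag_attributes ) ) {
                $tags[ $tag ] = array_merge( $tag_attributes, $attributes );
            }
        }

        return $tags;
    }

    /**
     * Return a string containing HTML with any tags and attributes not in
     * get_allowed_html_tags() stripped by wp_kses().
     *
     * The allow-list includes <script>, <style> and <iframe>, so this does
     * not make untrusted input safe; see get_allowed_html_tags().
     *
     * @param string $html The HTML to filter.
     * @return string The filtered HTML.
     */
    public static function safe_html( $html ): string {
        return wp_kses( $html, static::get_allowed_html_tags() );
    }

    /**
     * Echo a string containing HTML after filtering it with safe_html().
     *
     * @param string $html The HTML to render.
     *
     * @return void
     */
    public static function echo_safe_html( $html ): void {
        // Delegate so both entry points share exactly one filtering path.
        echo static::safe_html( $html );
    }
}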