| 1 | <?php |
| 2 | /** |
| 3 | * Helper functions to clean and sanitize data, escape it and prepare the output. |
| 4 | * |
| 5 | * @since 1.8.0 |
| 6 | */ |
| 7 | |
| 8 | use WPForms\Helpers\Templates; |
| 9 | |
/**
 * Decode special characters, both alpha-based (e.g. `&lt;`) and numeric-based (e.g. `&#039;`).
 * Sanitize recursively, preserve new lines.
 * Handles the mixed variations of entity-encoded and literal `<` that could
 * otherwise be reassembled into tags once the entities are decoded.
 *
 * @since 1.4.1
 * @since 1.6.0 Sanitize recursively, preserve new lines.
 *
 * @param string $string Raw string to decode. Any non-string value is returned untouched.
 *
 * @return string
 */
function wpforms_decode_string( $string ) {

	if ( ! is_string( $string ) ) {
		return $string;
	}

	// Strip tags first. Entity-encoded brackets are plain text to this pass, so it
	// may leave the string unchanged when it holds no literal tags.
	$stripped = wpforms_sanitize_text_deeply( $string, true );

	// Turn the entities (brackets and quotes alike) back into literal characters.
	$decoded = wp_kses_decode_entities( html_entity_decode( $stripped, ENT_QUOTES ) );

	// Decoding can assemble new tags out of formerly encoded brackets: strip again.
	return wpforms_sanitize_text_deeply( $decoded, true );
}
| 40 | |
/**
 * Sanitize key, primarily used for looking up options.
 *
 * Keeps ASCII letters, digits, `_`, `-`, `.`, `:` and `/`; every other byte is removed.
 * Because `.` and `/` survive, the result is an option-key sanitizer, not a safe
 * filesystem path component.
 *
 * @since 1.3.9
 *
 * @param string $key Key name.
 *
 * @return string|null Sanitized key; null only when PCRE reports an error.
 */
function wpforms_sanitize_key( $key = '' ) {

	$disallowed_chars = '/[^a-zA-Z0-9_\-\.\:\/]/';

	return preg_replace( $disallowed_chars, '', $key );
}
| 54 | |
/**
 * Sanitize hex color.
 *
 * Accepts `#` followed by exactly 3 or 6 hex digits and returns it unchanged
 * (case is preserved, no normalization). Everything else yields an empty string.
 *
 * @since 1.2.1
 *
 * @param string $color Color value.
 *
 * @return string
 */
function wpforms_sanitize_hex_color( $color ) {

	if ( empty( $color ) ) {
		return '';
	}

	// Note: `$` without the D modifier also matches before a single trailing newline,
	// so "#abc\n" is accepted as-is; this mirrors the core sanitize_hex_color() pattern.
	$is_hex = preg_match( '|^#([A-Fa-f0-9]{3}){1,2}$|', $color );

	return $is_hex ? $color : '';
}
| 77 | |
/**
 * Sanitize error message, primarily used during form frontend output.
 *
 * Only inline formatting, links, lists and paragraphs survive; `style` is allowed
 * on `p` and `span` only, and its value is subject to wp_kses' own CSS handling.
 *
 * @since 1.3.7
 * @since 1.7.6 Expand list of allowed HTML tags and attributes.
 *
 * @param string $error Error message.
 *
 * @return string
 */
function wpforms_sanitize_error( $error = '' ) {

	$no_attributes = [];

	$allow = [
		'a'          => array_fill_keys( [ 'href', 'title', 'target', 'rel' ], [] ),
		'br'         => $no_attributes,
		'em'         => $no_attributes,
		'strong'     => $no_attributes,
		'del'        => $no_attributes,
		'p'          => [ 'style' => [] ],
		'blockquote' => $no_attributes,
		'ul'         => $no_attributes,
		'ol'         => $no_attributes,
		'li'         => $no_attributes,
		'span'       => [ 'style' => [] ],
	];

	return wp_kses( $error, $allow );
}
| 115 | |
/**
 * Sanitize a string that can be multiline.
 *
 * Thin wrapper around wpforms_sanitize_text_deeply() with newlines preserved.
 *
 * @uses wpforms_sanitize_text_deeply()
 *
 * @since 1.4.1
 *
 * @param string $string String to deeply sanitize.
 *
 * @return string Sanitized string, or empty string if not a string provided.
 */
function wpforms_sanitize_textarea_field( $string ) {

	$keep_newlines = true;

	return wpforms_sanitize_text_deeply( $string, $keep_newlines );
}
| 131 | |
/**
 * Deeply sanitize the string, preserve newlines if needed.
 * Prevent maliciously prepared strings from containing HTML tags.
 *
 * Objects and arrays yield an empty string; every other value is cast to string first.
 *
 * @since 1.6.0
 *
 * @param string $string        String to deeply sanitize.
 * @param bool   $keep_newlines Whether to keep newlines. Default: false.
 *
 * @return string Sanitized string, or empty string if not a string provided.
 */
function wpforms_sanitize_text_deeply( $string, $keep_newlines = false ) {

	if ( is_object( $string ) || is_array( $string ) ) {
		return '';
	}

	$value         = (string) $string;
	$keep_newlines = (bool) $keep_newlines;

	// Re-run the field filter until a pass no longer changes the length: removing one
	// tag can expose another (for example a tag spliced inside another tag).
	do {
		$previous = $value;
		$value    = _sanitize_text_fields( $previous, $keep_newlines );
	} while ( strlen( $value ) !== strlen( $previous ) );

	return $value;
}
| 160 | |
/**
 * Sanitize an HTML string with a set of allowed HTML tags.
 *
 * @since 1.7.0
 *
 * @param string $value String to sanitize.
 *
 * @return string Sanitized string.
 */
function wpforms_sanitize_richtext_field( $value ) {

	$value = convert_invalid_entities( $value );

	// Drop <script>/<style> elements together with their contents. A single pass is
	// not enough when a removal re-joins surrounding text into a new element, so
	// repeat until a pass makes no replacements.
	do {
		$value = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $value, -1, $count );
	} while ( $count );

	// Keep only the allow-listed tags and attributes (script/style are never in that list).
	$sanitized = wp_kses( $value, wpforms_get_allowed_html_tags_for_richtext_field() );

	// Close any tag left open so the fragment is less likely to break out of its container.
	return force_balance_tags( $sanitized );
}
| 186 | |
/**
 * Escaping for Rich Text field values.
 *
 * Sanitizes through wpforms_sanitize_richtext_field(), wraps paragraphs with wpautop()
 * and collapses the result onto a single line.
 *
 * @since 1.7.0
 * @since 1.9.1 Removed new lines after adding paragraphs and breaks tags.
 *
 * @param string $value Text to escape.
 *
 * @return string Escaped text.
 */
function wpforms_esc_richtext_field( $value ) {

	$sanitized  = wpforms_sanitize_richtext_field( $value );
	$paragraphs = wpautop( $sanitized );

	// wpautop emits line breaks around the <p>/<br> it inserts; strip every variant.
	$single_line = str_replace( [ "\r\n", "\r", "\n" ], '', $paragraphs );

	return trim( $single_line );
}
| 203 | |
/**
 * Retrieve allowed HTML tags for Rich Text field.
 *
 * Every tag in the list shares the same attribute allow-list. The result is
 * filterable, but `iframe`, `script` and `style` are removed after the filter
 * runs regardless of what it returns.
 *
 * @since 1.7.0
 *
 * @return array Array of allowed tags.
 */
function wpforms_get_allowed_html_tags_for_richtext_field() {

	$tag_names = [
		'img',
		'h1',
		'h2',
		'h3',
		'h4',
		'h5',
		'h6',
		'p',
		'a',
		'ul',
		'ol',
		'li',
		'dl',
		'dt',
		'dd',
		'hr',
		'br',
		'code',
		'pre',
		'strong',
		'b',
		'em',
		'i',
		'blockquote',
		'cite',
		'q',
		'del',
		'span',
		'small',
		'table',
		'thead',
		'tbody',
		'th',
		'tr',
		'td',
		'abbr',
		'address',
		'sub',
		'sup',
		'ins',
		'figure',
		'figcaption',
		'div',
	];

	$attribute_names = [ 'align', 'class', 'id', 'style', 'src', 'rel', 'alt', 'href', 'target', 'width', 'height', 'title', 'cite', 'start', 'reversed', 'datetime' ];

	// Same attribute set for every tag; wp_kses still validates the values it receives.
	$shared_attributes = array_fill_keys( $attribute_names, [] );
	$allowed_tags      = array_fill_keys( $tag_names, $shared_attributes );

	/**
	 * Allowed HTML tags for Rich Text field.
	 *
	 * @since 1.7.0
	 *
	 * @param array $allowed_tags Allowed HTML tags.
	 */
	$tags = (array) apply_filters( 'wpforms_get_allowed_html_tags_for_richtext_field', $allowed_tags );

	// Hard floor applied after the filter: these three can never be re-enabled,
	// as they are a huge security risk. Other additions are the filter author's call.
	unset( $tags['iframe'], $tags['script'], $tags['style'] );

	return $tags;
}
| 280 | |
/**
 * Sanitize an array that consists of string values.
 * After that, merge all array values into a multiline string.
 *
 * @since 1.4.1
 *
 * @param array $array Data to sanitize.
 *
 * @return mixed If not an array is passed (or an empty value) the value is returned unmodified. Otherwise the sanitized values joined with "\n".
 */
function wpforms_sanitize_array_combine( $array ) {

	if ( empty( $array ) || ! is_array( $array ) ) {
		return $array;
	}

	$lines = [];

	foreach ( $array as $item ) {
		$lines[] = sanitize_text_field( $item );
	}

	return implode( "\n", $lines );
}
| 299 | |
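/**
 * Format, sanitize, and return/echo HTML element ID, classes, attributes,
 * and data attributes.
 *
 * Attribute names (id, data-* keys, $atts keys) go through sanitize_html_class();
 * attribute values go through esc_attr(); the class list goes through
 * wpforms_sanitize_classes(). Attributes whose value is empty are skipped,
 * except the string/number "0", which is kept.
 *
 * @since 1.3.7
 *
 * @param string $id    HTML id attribute value.
 * @param array  $class A list of classnames for the class attribute.
 * @param array  $datas Data attributes.
 * @param array  $atts  Any additional HTML attributes and their values.
 * @param bool   $echo  Whether to echo the output or just return it. Defaults to return.
 *
 * @return string|void
 */
function wpforms_html_attributes( $id = '', $class = [], $datas = [], $atts = [], $echo = false ) {

	$id    = trim( $id );
	$parts = [];

	if ( ! empty( $id ) ) {
		$id = sanitize_html_class( $id );

		if ( ! empty( $id ) ) {
			$parts[] = 'id="' . $id . '"';
		}
	}

	if ( ! empty( $class ) ) {
		$class = wpforms_sanitize_classes( $class, true );

		if ( ! empty( $class ) ) {
			$parts[] = 'class="' . $class . '"';
		}
	}

	if ( ! empty( $datas ) ) {
		foreach ( $datas as $data => $val ) {
			$parts[] = 'data-' . sanitize_html_class( $data ) . '="' . esc_attr( $val ) . '"';
		}
	}

	if ( ! empty( $atts ) ) {
		foreach ( $atts as $att => $val ) {
			// Keep "0" and any non-empty value; drop '', null, false and [].
			if ( '0' !== (string) $val && empty( $val ) ) {
				continue;
			}

			// Array keys may be integers (list-style $atts); normalize before indexing
			// and never read offset 0 of an empty key (both raise warnings otherwise).
			$att = (string) $att;

			if ( $att !== '' && $att[0] === '[' ) {
				// Special case for bound attributes in AMP, written as [name].
				$escaped_att = '[' . sanitize_html_class( trim( $att, '[]' ) ) . ']';
			} else {
				$escaped_att = sanitize_html_class( $att );
			}

			$parts[] = $escaped_att . '="' . esc_attr( $val ) . '"';
		}
	}

	$output = trim( implode( ' ', $parts ) );

	if ( $echo ) {
		echo $output; // phpcs:ignore
		return;
	}

	return $output;
}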
| 363 | |
/**
 * Sanitize string of CSS classes.
 *
 * Duplicates are removed and every class passes through sanitize_html_class().
 * Empty entries are skipped — note that, because empty() is used, a class named
 * "0" is dropped as well.
 *
 * @since 1.2.1
 *
 * @param array|string $classes CSS classes.
 * @param bool         $convert True will convert strings to array and vice versa.
 *
 * @return string|array
 */
function wpforms_sanitize_classes( $classes, $convert = false ) {

	$input_is_array = is_array( $classes );
	$clean          = [];

	if ( ! empty( $classes ) ) {
		$items = $input_is_array ? $classes : explode( ' ', trim( $classes ) );

		foreach ( array_unique( $items ) as $item ) {
			// Repeated spaces produce '' entries; skip those (and, via empty(), "0").
			if ( empty( $item ) ) {
				continue;
			}

			$clean[] = sanitize_html_class( $item );
		}
	}

	// Array in: $convert means "give me a string". String in: $convert means "give me an array".
	$want_string = $input_is_array ? $convert : ! $convert;

	return $want_string ? implode( ' ', $clean ) : $clean;
}
| 396 | |
/**
 * Include a template - alias to \WPForms\Helpers\Template::get_html.
 * Use 'require' if $args are passed or 'load_template' if not.
 *
 * Keep the keys of $args under the caller's control: with $extract they become
 * variables in the template scope (the helper throws if that would clash).
 *
 * @since 1.5.6
 *
 * @param string $template_name Template name.
 * @param array  $args          Arguments.
 * @param bool   $extract       Extract arguments.
 *
 * @throws RuntimeException If extract() tries to modify the scope.
 *
 * @return string Compiled HTML.
 */
function wpforms_render( $template_name, $args = [], $extract = false ) {

	$html = Templates::get_html( $template_name, $args, $extract );

	return $html;
}
| 415 | |
/**
 * Alias for default readonly function.
 *
 * Uses core wp_readonly() when available and falls back to the internal
 * __checked_selected_helper() on older WordPress versions.
 *
 * @since 1.6.9
 *
 * @param mixed $readonly One of the values to compare.
 * @param mixed $current  The other value to compare if not just true.
 * @param bool  $echo     Whether to echo or just return the string.
 *
 * @return string HTML attribute or empty string.
 */
function wpforms_readonly( $readonly, $current = true, $echo = true ) {

	$core_helper_available = function_exists( 'wp_readonly' );

	if ( ! $core_helper_available ) {
		return __checked_selected_helper( $readonly, $current, $echo, 'readonly' );
	}

	return wp_readonly( $readonly, $current, $echo );
}
| 435 | |
/**
 * Get the required label text, with a filter.
 *
 * The default is already HTML-escaped; whatever the filter returns is used as-is.
 *
 * @since 1.4.4
 *
 * @return string
 */
function wpforms_get_required_label() {

	$default_label = esc_html__( 'This field is required.', 'wpforms-lite' );

	return apply_filters( 'wpforms_required_label', $default_label );
}
| 447 | |
/**
 * Get the required field label HTML, with a filter.
 *
 * The value is raw HTML: the legacy filter runs first (with a deprecation
 * notice), then the current one.
 *
 * @since 1.4.8
 *
 * @return string
 */
function wpforms_get_field_required_label() {

	$default_html = ' <span class="wpforms-required-label">*</span>';

	// Keep old integrations working while pointing them to the replacement hook.
	$label_html = apply_filters_deprecated(
		'wpforms_field_required_label',
		[ $default_html ],
		'1.4.8 of the WPForms plugin',
		'wpforms_get_field_required_label'
	);

	return apply_filters( 'wpforms_get_field_required_label', $label_html );
}
| 466 | |
/**
 * Escape unselected choices for radio/checkbox fields.
 *
 * Starts from the 'post' allow-list and adds `<input>` restricted to the
 * `type`, `disabled` and `checked` attributes (so `name`, `value` and any other
 * attribute are stripped), plus a bare `<label>`.
 *
 * @since 1.8.3
 *
 * @param string $formatted_field HTML field.
 *
 * @return string
 */
function wpforms_esc_unselected_choices( $formatted_field ) {

	$input_attributes = array_fill_keys( [ 'type', 'disabled', 'checked' ], [] );

	$allowed_html          = wp_kses_allowed_html( 'post' );
	$allowed_html['input'] = $input_attributes;
	$allowed_html['label'] = [];

	return wp_kses( $formatted_field, $allowed_html );
}
| 489 |