From 16b62dab7bebeae6e6c4d1427d7cb23bf41712e9 Mon Sep 17 00:00:00 2001
From: Kamal Khan <shout@bhittani.com>
Date: Wed, 16 Dec 2020 14:40:39 +0500
Subject: [PATCH] Sanitize and escape data

---
 src/admin.php                   |  4 ++--
 src/ajax.php                    |  8 ++++----
 src/metabox.php                 |  2 +-
 views/active-stars.php          |  2 +-
 views/admin/content.php         |  2 +-
 views/admin/fields/checkbox.php |  4 ++--
 views/admin/fields/code.php     |  4 ++--
 views/admin/fields/number.php   |  8 ++++----
 views/admin/fields/radio.php    |  4 ++--
 views/admin/fields/select.php   |  6 +++---
 views/admin/fields/text.php     |  2 +-
 views/admin/fields/textarea.php |  4 ++--
 views/admin/index.php           |  8 ++++----
 views/inactive-stars.php        |  2 +-
 views/legend.php                | 10 +++++-----
 views/markup.php                |  2 +-
 views/metabox/content.php       |  8 ++++----
 views/star.php                  |  2 +-
 18 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/src/admin.php b/src/admin.php
index 711a28f..f137ec8 100644
--- a/src/admin.php
+++ b/src/admin.php
@@ -22,8 +22,8 @@ function get_admin_tabs()
 {
     $tabs = apply_plugin_filters('admin_tabs', []);
     $keys = array_keys($tabs);
-    $active = (isset($_GET['tab']) && $_GET['tab']) ? $_GET['tab'] : reset($keys);
-    $active = apply_plugin_filters('active_admin_tab', $active);
+    $tab = isset($_GET['tab']) ? sanitize_text_field($_GET['tab']) : reset($keys);
+    $active = apply_plugin_filters('active_admin_tab', $tab);
 
     return [$tabs, $active];
 }
diff --git a/src/ajax.php b/src/ajax.php
index 2b1ab59..6c55fc0 100644
--- a/src/ajax.php
+++ b/src/ajax.php
@@ -36,8 +36,8 @@ function ajax()
         ]));
     }
 
-    $id = $_POST['id'];
-    $slug = $_POST['slug'];
+    $id = sanitize_text_field($_POST['id']);
+    $slug = sanitize_text_field($_POST['slug']);
 
     if (! apply_plugin_filters('can_vote', true, $id, $slug)) {
         header('Content-Type: application/json; charset=utf-8', true, 401);
@@ -55,9 +55,9 @@ function ajax()
         ]));
     }
 
-    $best = $_POST['best'] ?: get_option(prefix('stars'));
+    $best = isset($_POST['best']) ? sanitize_text_field($_POST['best']): get_option(prefix('stars'));
     $best = max((int) $best, 1);
-    $score = $_POST['score'];
+    $score = sanitize_text_field($_POST['score']);
     $score = min(max((int) $score, 1), $best);
 
     do_plugin_action('vote', $score, $best, $id, $slug);
diff --git a/src/metabox.php b/src/metabox.php
index 12b1429..05269bd 100644
--- a/src/metabox.php
+++ b/src/metabox.php
@@ -91,7 +91,7 @@ function metabox_content($content, $post)
 function save_default_metabox($id)
 {
     if (isset($_POST[meta_prefix('status')])) {
-        update_post_meta($id, meta_prefix('status'), $_POST[meta_prefix('status')]);
+        update_post_meta($id, meta_prefix('status'), sanitize_text_field($_POST[meta_prefix('status')]));
     }
 
     if (isset($_POST[meta_prefix('reset')])
diff --git a/views/active-stars.php b/views/active-stars.php
index b6a8c49..5a6d4ce 100644
--- a/views/active-stars.php
+++ b/views/active-stars.php
@@ -1,4 +1,4 @@
-<div class="kksr-stars-active" style="width: <?= $width ?>px;">
+<div class="kksr-stars-active" style="width: <?= esc_attr($width) ?>px;">
     <?php for ($i = 1; $i <= $best; $i++) : ?>
         <div class="kksr-star">
             <?= \Bhittani\StarRating\view('active-star') ?>
diff --git a/views/admin/content.php b/views/admin/content.php
index 3c23cbb..2b92180 100644
--- a/views/admin/content.php
+++ b/views/admin/content.php
@@ -5,7 +5,7 @@
     }
 ?>
 
-<form method="POST" action="options.php?tab=<?= $active; ?>" style="margin: 2rem;">
+<form method="POST" action="options.php?tab=<?= esc_attr($active); ?>" style="margin: 2rem;">
     <?php submit_button(); ?>
     <?php settings_fields($slug); ?>
     <?php do_settings_sections($slug); ?>
diff --git a/views/admin/fields/checkbox.php b/views/admin/fields/checkbox.php
index 81848ff..fe91ef9 100644
--- a/views/admin/fields/checkbox.php
+++ b/views/admin/fields/checkbox.php
@@ -6,7 +6,7 @@
 ?>
 
 <label>
-    <input type="checkbox" name="<?= $name ?>" value="<?= $value ?>"
+    <input type="checkbox" name="<?= esc_attr($name) ?>" value="<?= esc_attr($value) ?>"
         <?= $checked ? 'checked="checked"' : '' ?>>
-    <?= $label ?>
+    <?= esc_html($label) ?>
 </label>
diff --git a/views/admin/fields/code.php b/views/admin/fields/code.php
index d92798b..0b8c060 100644
--- a/views/admin/fields/code.php
+++ b/views/admin/fields/code.php
@@ -5,5 +5,5 @@
     }
 ?>
 
-<textarea rows="15" cols="50" name="<?= $name ?>"
-    style="font-family: monospace; padding: .5rem;"><?= $value ?></textarea>
+<textarea rows="15" cols="50" name="<?= esc_attr($name) ?>"
+    style="font-family: monospace; padding: .5rem;"><?= esc_textarea($value) ?></textarea>
diff --git a/views/admin/fields/number.php b/views/admin/fields/number.php
index 076d2c0..95f6c82 100644
--- a/views/admin/fields/number.php
+++ b/views/admin/fields/number.php
@@ -5,8 +5,8 @@
     }
 ?>
 
-<input type="number" name="<?= $name ?>" value="<?= $value ?>"
-    <?= isset($min) ? "min=\"{$min}\"" : '' ?>
-    <?= isset($max) ? "max=\"{$max}\"" : '' ?>
-    <?= isset($step) ? "step=\"{$step}\"" : '' ?>
+<input type="number" name="<?= esc_attr($name) ?>" value="<?= esc_attr($value) ?>"
+    <?= isset($min) ? ('min="'. esc_attr($min).'"') : '' ?>
+    <?= isset($max) ? ('max="'. esc_attr($max).'"') : '' ?>
+    <?= isset($step) ? ('step="'. esc_attr($step).'"') : '' ?>
     style="width: 5rem;">
diff --git a/views/admin/fields/radio.php b/views/admin/fields/radio.php
index 9e1ac26..f159ca8 100644
--- a/views/admin/fields/radio.php
+++ b/views/admin/fields/radio.php
@@ -6,8 +6,8 @@
 ?>
 
 <label>
-    <input type="radio" name="<?= $name ?>" value="<?= $value ?>"
+    <input type="radio" name="<?= esc_attr($name) ?>" value="<?= esc_attr($value) ?>"
         <?= $checked ? 'checked="checked"' : '' ?>>
 
-    <?= $label ?>
+    <?= esc_html($label) ?>
 </label>
diff --git a/views/admin/fields/select.php b/views/admin/fields/select.php
index b7b5e92..7fee145 100644
--- a/views/admin/fields/select.php
+++ b/views/admin/fields/select.php
@@ -5,13 +5,13 @@
     }
 ?>
 
-<select name="<?= $name ?><?= (isset($multiple) && $multiple) ? '[]' : '' ?>"
+<select name="<?= esc_attr($name) ?><?= (isset($multiple) && $multiple) ? '[]' : '' ?>"
     style="min-width: 15rem; padding: .5rem;"
     <?= (isset($multiple) && $multiple) ? 'multiple="multiple"' : '' ?>>
     <?php foreach ($options as $option) : ?>
-        <option value="<?= $option['value'] ?>"
+        <option value="<?= esc_attr($option['value']) ?>"
             <?= $option['selected'] ? 'selected="selected"' : '' ?>>
-            <?= $option['label'] ?>
+            <?= esc_html($option['label']) ?>
         </option>
     <?php endforeach; ?>
 </select>
diff --git a/views/admin/fields/text.php b/views/admin/fields/text.php
index 70ea55e..09aa32b 100644
--- a/views/admin/fields/text.php
+++ b/views/admin/fields/text.php
@@ -5,5 +5,5 @@
     }
 ?>
 
-<input name="<?= $name ?>" value="<?= $value ?>"
+<input name="<?= esc_attr($name) ?>" value="<?= esc_attr($value) ?>"
     style="width: 15rem;">
diff --git a/views/admin/fields/textarea.php b/views/admin/fields/textarea.php
index 7017b2c..027b73b 100644
--- a/views/admin/fields/textarea.php
+++ b/views/admin/fields/textarea.php
@@ -5,5 +5,5 @@
     }
 ?>
 
-<textarea rows="15" cols="50" name="<?= $name ?>"
-    style="padding: .5rem;"><?= $value ?></textarea>
+<textarea rows="15" cols="50" name="<?= esc_attr($name) ?>"
+    style="padding: .5rem;"><?= esc_textarea($value) ?></textarea>
diff --git a/views/admin/index.php b/views/admin/index.php
index 3f36bc5..719c00b 100644
--- a/views/admin/index.php
+++ b/views/admin/index.php
@@ -9,22 +9,22 @@
     <?php settings_errors(); ?>
 
     <h1>
-        <?= $label; ?>
+        <?= esc_html($label); ?>
         <small style="
             color: gray;
             font-size: 80%;
             margin-left: .5rem;
             letter-spacing: -2px;
             font-family: monospace;">
-            <?= $version; ?>
+            <?= esc_html($version); ?>
         </small>
     </h1>
 
     <h2 class="nav-tab-wrapper">
         <?php foreach ($tabs as $tab => $label) : ?>
             <a class="nav-tab <?= $tab === $active ? 'nav-tab-active' : ''; ?>"
-                href="<?= admin_url('admin.php?page='.$_GET['page'].'&tab='.$tab); ?>">
-                <?= $label; ?>
+                href="<?= admin_url('admin.php?page='.sanitize_text_field($_GET['page']).'&tab='. esc_attr($tab)); ?>">
+                <?= esc_html($label); ?>
             </a>
         <?php endforeach; ?>
         <div style="float: left; margin-left: 10px;">
diff --git a/views/inactive-stars.php b/views/inactive-stars.php
index 9095528..f670ae0 100644
--- a/views/inactive-stars.php
+++ b/views/inactive-stars.php
@@ -1,6 +1,6 @@
 <div class="kksr-stars-inactive">
     <?php for ($i = 1; $i <= $best; $i++) : ?>
-        <div class="kksr-star" data-star="<?= $i ?>">
+        <div class="kksr-star" data-star="<?= esc_attr($i) ?>">
             <?= \Bhittani\StarRating\view('inactive-star') ?>
         </div>
     <?php endfor; ?>
diff --git a/views/legend.php b/views/legend.php
index 2b4e47a..4102871 100644
--- a/views/legend.php
+++ b/views/legend.php
@@ -1,15 +1,15 @@
 <div class="kksr-legend">
     <?php if ($count) : ?>
-        <strong class="kksr-score"><?= $score ?></strong>
+        <strong class="kksr-score"><?= esc_html($score) ?></strong>
         <span class="kksr-muted">/</span>
-        <strong><?= $best ?></strong>
+        <strong><?= esc_html($best) ?></strong>
         <span class="kksr-muted">(</span>
-        <strong class="kksr-count"><?= $count ?></strong>
+        <strong class="kksr-count"><?= esc_html($count) ?></strong>
         <span class="kksr-muted">
-            <?= _n('vote', 'votes', $count, 'kk-star-ratings') ?>
+            <?= _n('vote', 'votes', esc_html($count), 'kk-star-ratings') ?>
         </span>
         <span class="kksr-muted">)</span>
     <?php else : ?>
-        <span class="kksr-muted"><?= $greet ?></span>
+        <span class="kksr-muted"><?= esc_html($greet) ?></span>
     <?php endif; ?>
 </div>
diff --git a/views/markup.php b/views/markup.php
index 8ffd87e..e8692b2 100644
--- a/views/markup.php
+++ b/views/markup.php
@@ -1,5 +1,5 @@
 <div style="display: none;"
-    class="kk-star-ratings <?= $valign ? ("kksr-valign-{$valign}") : '' ?> <?= $align ? ("kksr-align-{$align}") : '' ?> <?= $disabled ? 'kksr-disabled' : '' ?>"
+    class="kk-star-ratings <?= $valign ? ('kksr-valign-'. esc_attr($valign)) : '' ?> <?= $align ? ('kksr-align-'. esc_attr($align)) : '' ?> <?= $disabled ? 'kksr-disabled' : '' ?>"
     data-id="<?= esc_attr($id) ?>"
     data-slug="<?= esc_attr($slug) ?>">
     <?= \Bhittani\StarRating\view('stars') ?>
diff --git a/views/metabox/content.php b/views/metabox/content.php
index 4b857c8..78e3c04 100644
--- a/views/metabox/content.php
+++ b/views/metabox/content.php
@@ -8,7 +8,7 @@
 <div class='components-base-control__field'>
     <div style="margin-top: 1rem;">
         <label class="components-base-control__label" style="margin-top: .75rem; margin-bottom: .25rem;">
-            <input type="checkbox" name="<?= $resetFieldName; ?>" value="1">
+            <input type="checkbox" name="<?= esc_attr($resetFieldName) ?>" value="1">
             <?php _e('Reset Ratings', 'kk-star-ratings'); ?>
         </label>
     </div>
@@ -21,15 +21,15 @@
 
     <div style="margin-top: 1rem;">
         <label class="components-base-control__label" style="margin-top: .5rem; margin-bottom: .25rem;">
-            <input type="radio" name="<?= $statusFieldName; ?>" value="" <?php checked($status, ''); ?>>
+            <input type="radio" name="<?= esc_attr($statusFieldName) ?>" value="" <?php checked($status, ''); ?>>
             <?php _e('Auto', 'kk-star-ratings'); ?>
         </label>
         <label class="components-base-control__label" style="margin-top: .5rem; margin-bottom: .25rem;">
-            <input type="radio" name="<?= $statusFieldName; ?>" value="enable" <?php checked($status, 'enable'); ?>>
+            <input type="radio" name="<?= esc_attr($statusFieldName) ?>" value="enable" <?php checked($status, 'enable'); ?>>
             <?php _e('Enable', 'kk-star-ratings'); ?>
         </label>
         <label class="components-base-control__label" style="margin-top: .5rem; margin-bottom: .25rem;">
-            <input type="radio" name="<?= $statusFieldName; ?>" value="disable" <?php checked($status, 'disable'); ?>>
+            <input type="radio" name="<?= esc_attr($statusFieldName) ?>" value="disable" <?php checked($status, 'disable'); ?>>
             <?php _e('Disable', 'kk-star-ratings'); ?>
         </label>
     </div>
diff --git a/views/star.php b/views/star.php
index 41614db..33eddd8 100644
--- a/views/star.php
+++ b/views/star.php
@@ -1 +1 @@
-<div class="kksr-icon" style="width: <?= $size ?>px; height: <?= $size ?>px;"></div>
+<div class="kksr-icon" style="width: <?= esc_attr($size) ?>px; height: <?= esc_attr($size) ?>px;"></div>