
Commit 76d0b51

Sanitize event time and error messages to prevent XSS (#2661)
1 parent 754ab94 commit 76d0b51

1 file changed

Lines changed: 17 additions & 17 deletions


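--- a/src/blocks/events/index.php
+++ b/src/blocks/events/index.php
@@ -99,8 +99,8 @@ function coblocks_render_coblocks_events_block( $attributes, $content ) {
 
 $event_time_string = sprintf(
 '<span class="wp-block-coblocks-events__time">%1$s - %2$s</span>',
-gmdate( 'g:ia', $start_date_string ),
-gmdate( 'g:ia', $end_date_string )
+esc_html( gmdate( 'g:ia', $start_date_string ) ),
+esc_html( gmdate( 'g:ia', $end_date_string ) )
 );
 
 $events_layout .= coblocks_render_single_day_event_item(
@@ -117,8 +117,8 @@ function coblocks_render_coblocks_events_block( $attributes, $content ) {
 
 $event_time_string = sprintf(
 '<span class="wp-block-coblocks-events__time">%1$s - %2$s</span>',
-gmdate( 'g:ia', $start_date_string ),
-gmdate( 'g:ia', $end_date_string )
+esc_html( gmdate( 'g:ia', $start_date_string ) ),
+esc_html( gmdate( 'g:ia', $end_date_string ) )
 );
 
 $events_layout .= coblocks_render_multi_day_event_item(
@@ -136,8 +136,8 @@ function coblocks_render_coblocks_events_block( $attributes, $content ) {
 
 $event_time_string = sprintf(
 '<span data-start-time=%1$s data-end-time=%2$s class="wp-block-coblocks-events__time wp-block-coblocks-events__time-formatted"></span>',
-gmdate( 'c', $start_date_string ),
-gmdate( 'c', $end_date_string )
+esc_html( gmdate( 'c', $start_date_string ) ),
+esc_html( gmdate( 'c', $end_date_string ) )
 );
 
 $events_layout .= coblocks_render_single_day_event_item(
@@ -154,8 +154,8 @@ function coblocks_render_coblocks_events_block( $attributes, $content ) {
 
 $event_time_string = sprintf(
 '<span data-start-time=%1$s data-end-time=%2$s class="wp-block-coblocks-events__time wp-block-coblocks-events__time-formatted"></span>',
-gmdate( 'c', $start_date_string ),
-gmdate( 'c', $end_date_string )
+esc_html( gmdate( 'c', $start_date_string ) ),
+esc_html( gmdate( 'c', $end_date_string ) )
 );
 
 $events_layout .= coblocks_render_multi_day_event_item(
@@ -188,8 +188,8 @@ function coblocks_render_coblocks_events_block( $attributes, $content ) {
 
 $events_layout .= '</div>';
 
-$events_layout .= sprintf( '<button class="wp-coblocks-events-nav-button__prev" id="wp-coblocks-event-swiper-prev" style="visibility: hidden" aria-label="%s"/>', __( 'Previous post', 'coblocks' ) );
-$events_layout .= sprintf( '<button class="wp-coblocks-events-nav-button__next" id="wp-coblocks-event-swiper-next" style="visibility: hidden" aria-label="%s"/>', __( 'Next post', 'coblocks' ) );
+$events_layout .= sprintf( '<button class="wp-coblocks-events-nav-button__prev" id="wp-coblocks-event-swiper-prev" style="visibility: hidden" aria-label="%s"/>', esc_attr__( 'Previous post', 'coblocks' ) );
+$events_layout .= sprintf( '<button class="wp-coblocks-events-nav-button__next" id="wp-coblocks-event-swiper-next" style="visibility: hidden" aria-label="%s"/>', esc_attr__( 'Next post', 'coblocks' ) );
 
 $events_layout .= '</div>';
 
@@ -199,7 +199,7 @@ function coblocks_render_coblocks_events_block( $attributes, $content ) {
 
 } catch ( \Exception $e ) {
 
-return '<div class="components-placeholder"><div class="notice notice-error">' . __( 'An error has occurred, check for calendar privileges to make sure it is public or try again later.', 'coblocks' ) . '</div></div>';
+return '<div class="components-placeholder"><div class="notice notice-error">' . esc_html__( 'An error has occurred, check for calendar privileges to make sure it is public or try again later.', 'coblocks' ) . '</div></div>';
 
 }
 }
@@ -234,18 +234,18 @@ function coblocks_render_event_item(
 <span class="wp-block-coblocks-events__year">%3$s</span>
 </div>
 </div>',
-$date_range,
-$month,
-$year
+esc_html( $date_range ),
+esc_html( $month ),
+esc_html( $year ),
 );
 
 $event_layout .= sprintf(
 '<div class="wp-block-coblocks-events__content">
 <span class="wp-block-coblocks-events__title">%1$s</span>
 <span class="wp-block-coblocks-events__description">%2$s</span>
 </div>',
-$title,
-$description
+esc_html( $title ),
+esc_html( $description )
 );
 
 $event_layout .= sprintf(
@@ -254,7 +254,7 @@ function coblocks_render_event_item(
 <span class="wp-block-coblocks-events__location">%2$s</span>
 </div>',
 $time_string,
-$location
+esc_html( $location )
 );
 
 return $event_layout;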
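Review bot: In the two `data-start-time=%1$s data-end-time=%2$s` hunks (old lines 138 and 156) the values are interpolated into an attribute context, yet the new code escapes them with `esc_html()` and leaves the attributes unquoted; the attribute-context escaper belongs there, e.g. `'<span data-start-time="%1$s" data-end-time="%2$s" class="wp-block-coblocks-events__time wp-block-coblocks-events__time-formatted"></span>'` with `esc_attr( gmdate( 'c', $start_date_string ) )` — since `gmdate( 'c' )` emits a fixed-format timestamp this is a consistency point rather than an exploitable gap. Line 239+ introduces a trailing comma in the `sprintf()` argument list (`esc_html( $year ),`), which is PHP 7.3+ syntax and differs from the sibling call at 247/248 — either drop it or use it in both. At line 256 `$time_string` is still passed unescaped beside the now-escaped `$location`; it appears to be pre-rendered markup whose inner values are escaped where it is built, so a comment such as `// $time_string is pre-built markup; its values are escaped at assembly time.` would keep a later reader from escaping it twice or reading the asymmetry as an oversight. Both `coblocks_render_coblocks_events_block()` and `coblocks_render_event_item()` start and end outside these hunks.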
