VC-2957 apply fixes for resources/views

Author: pavelthq

visualcomposer/Helpers/Globals.php

@@ -0,0 +1,25 @@
+<?php
+
+namespace VisualComposer\Helpers;
+
+if (!defined('ABSPATH')) {
+    header('Status: 403 Forbidden');
+    header('HTTP/1.1 403 Forbidden');
+    exit;
+}
+
+use VisualComposer\Framework\Illuminate\Support\Helper;
+use function VisualComposer\Framework\esc_html;
+
+class Output implements Helper
+{
+    public function printNotEscaped($content)
+    {
+        echo esc_html($content);
+    }
+
+    public function printEscaped($content)
+    {
+        echo \esc_html($content);
+    }
+}

visualcomposer/resources/views/editor/frontend/fe-update-wrapper.php

@@ -12,17 +12,19 @@
 }
 require_once ABSPATH . 'wp-admin/includes/admin.php';
 
+$globalsHelper = vchelper('Globals');
+$outputHelper = vchelper('Output');
 // @codingStandardsIgnoreStart
 global $title, $hook_suffix, $current_screen, $wp_locale, $pagenow, $wp_version,
        $update_title, $total_update_count, $parent_file, $typenow, $wp_meta_boxes;
 
 $hookSuffix = $hook_suffix;
-$wp_meta_boxes = [];
+$globalsHelper->set('wp_meta_boxes', []);
 if (empty($current_screen)) {
     set_current_screen();
 }
 // @codingStandardsIgnoreEnd
-$typenow = get_post_type();
+$globalsHelper->set('typenow', get_post_type());
 /**
  * @var $editableLink - link to editable content
  */
@@ -31,10 +33,10 @@
 wp_enqueue_media();
 ?>
 <!DOCTYPE html>
-<html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
+<html xmlns="https://w3.org/1999/xhtml" <?php language_attributes(); ?>>
 <head>
-    <link rel="profile" href="http://gmpg.org/xfn/11" />
-    <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
+    <link rel="profile" href="https://gmpg.org/xfn/11" />
+    <meta http-equiv="Content-Type" content="<?php echo esc_attr(get_bloginfo('html_type', 'display')); ?>; charset=<?php echo esc_attr(get_bloginfo('charset', 'display')); ?>" />
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no, maximum-scale=1, user-scalable=0" />
     <title>Visual Composer: Update</title>
     <link rel="stylesheet"
@@ -57,8 +59,8 @@
     if (is_array($variables)) {
         foreach ($variables as $variable) {
             if (is_array($variable) && isset($variable['key'], $variable['value'])) {
-                $type = isset($variable['type']) ? $variable['type'] : 'variable';
-                evcview('partials/variableTypes/' . $type, $variable);
+                $variableType = isset($variable['type']) ? $variable['type'] : 'variable';
+                evcview('partials/variableTypes/' . $variableType, $variable);
             }
         }
         unset($variable);
@@ -72,10 +74,10 @@
     ?>
 </head>
 <body class="vcv-wb-editor vcv-is-disabled-outline">
-<script src="<?php echo get_site_url(null, 'index.php?vcv-script=vendor'); ?>"></script>
+<script src="<?php echo esc_url(get_site_url(null, 'index.php?vcv-script=vendor')); ?>"></script>
 
 <div class="vcv-settings" data-section="vcv-update">
-    <?php echo $content; ?>
+    <?php $outputHelper->printNotEscaped($content); ?>
 </div>
 <?php
 vcevent('vcv:frontend:postUpdate:render:footer', ['sourceId' => $sourceId]);
@@ -88,7 +90,7 @@
 if (is_array($extraOutput)) {
     foreach ($extraOutput as $output) {
         // @codingStandardsIgnoreLine
-        echo $output;
+        $outputHelper->printNotEscaped($output);
     }
     unset($output);
 }

visualcomposer/resources/views/editor/frontend/frontend.php

@@ -6,13 +6,14 @@
     exit;
 }
 require_once ABSPATH . 'wp-admin/includes/admin.php';
-
+$globalsHelper = vchelper('Globals');
+$outputHelper = vchelper('Output');
 // @codingStandardsIgnoreStart
 global $title, $hook_suffix, $current_screen, $wp_locale, $pagenow, $wp_version,
        $update_title, $total_update_count, $parent_file, $typenow, $wp_meta_boxes;
 
 $hookSuffix = $hook_suffix;
-$wp_meta_boxes = [];
+$globalsHelper->set('wp_meta_boxes', []);
 if (empty($current_screen)) {
     set_current_screen();
 }
@@ -21,7 +22,7 @@
     $current_screen->id = $sourceId;
 }
 // @codingStandardsIgnoreEnd
-$typenow = get_post_type();
+$globalsHelper->set('typenow', get_post_type());
 /**
  * @var $editableLink - link to editable content
  */
@@ -35,7 +36,7 @@
     <link rel="profile" href="http://gmpg.org/xfn/11" />
     <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no, maximum-scale=1, user-scalable=0" />
-    <title><?php echo sprintf(__('Visual Composer: %s', 'visualcomposer'), get_the_title()); ?></title>
+    <title><?php echo sprintf(__('Visual Composer: %s', 'visualcomposer'), esc_html(get_the_title())); ?></title>
     <link rel="stylesheet"
             href="//fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic&subset=latin,greek,greek-ext,cyrillic-ext,latin-ext,cyrillic">
     <?php
@@ -50,16 +51,16 @@
     if (is_array($extraOutput)) {
         foreach ($extraOutput as $output) {
             // @codingStandardsIgnoreLine
-            echo $output;
+            vcv_print_html($output);
         }
         unset($output);
     }
     $variables = vcfilter('vcv:editor:variables', [], ['sourceId' => $sourceId]);
     if (is_array($variables)) {
         foreach ($variables as $variable) {
             if (is_array($variable) && isset($variable['key'], $variable['value'])) {
-                $type = isset($variable['type']) ? $variable['type'] : 'variable';
-                evcview('partials/variableTypes/' . $type, $variable);
+                $variableType = isset($variable['type']) ? $variable['type'] : 'variable';
+                evcview('partials/variableTypes/' . $variableType, $variable);
             }
         }
         unset($variable);
@@ -71,8 +72,7 @@
 $extraOutput = vcfilter('vcv:frontend:body:extraOutput', [], ['sourceId' => $sourceId]);
 if (is_array($extraOutput)) {
     foreach ($extraOutput as $output) {
-        // @codingStandardsIgnoreLine
-        echo $output;
+        $outputHelper->printNotEscaped($output);
     }
     unset($output);
 }
@@ -90,8 +90,7 @@
                     </div>
                     <iframe class="vcv-layout-iframe"
                             src="<?php
-                            // @codingStandardsIgnoreLine
-                            echo $editableLink;
+                            echo esc_url($editableLink);
                             ?>" id="vcv-editor-iframe"
                             frameborder="0" scrolling="auto"></iframe>
                 </div>
@@ -129,8 +128,7 @@
 $extraOutput = vcfilter('vcv:frontend:footer:extraOutput', [], ['sourceId' => $sourceId]);
 if (is_array($extraOutput)) {
     foreach ($extraOutput as $output) {
-        // @codingStandardsIgnoreLine
-        echo $output;
+        $outputHelper->printNotEscaped($output);
     }
     unset($output);
 }

visualcomposer/resources/views/editor/templates/blank-template.php

@@ -34,7 +34,7 @@
             div.vcv-editor-theme-hf .vcv-layouts-html > * > [data-vce-full-width="true"]:not([data-vce-stretch-content="true"]) > [data-vce-element-content="true"],
             div.vcv-header > * > [data-vce-full-width="true"]:not([data-vce-stretch-content="true"]) > [data-vce-element-content="true"],
             div.vcv-footer > * > [data-vce-full-width="true"]:not([data-vce-stretch-content="true"]) > [data-vce-element-content="true"] {
-                max-width: <?php echo $customLayoutWidth . 'px' ?> !important;
+                max-width: <?php echo esc_attr($customLayoutWidth) . 'px' ?> !important;
             }
         }
     </style>

visualcomposer/resources/views/hub/elementsBundle.php

@@ -13,7 +13,7 @@
         <script id="vcv-hub-element-<?php echo esc_attr($key); ?>" src="<?php
         // @codingStandardsIgnoreLine
         $version = vcvenv('VCV_DEBUG') ? esc_attr($time) : esc_attr($optionsHelper->get('hubAction:element/' . $key, VCV_VERSION));
-        echo set_url_scheme($element['bundlePath']) . '?v=' . $version; ?>"></script>
+        echo esc_url(set_url_scheme($element['bundlePath']) . '?v=' . $version); ?>"></script>
         <?php
     endif;
 endforeach;

visualcomposer/resources/views/license/pages/license.php

@@ -15,27 +15,27 @@
     ['vcv-action' => 'license:deactivate:adminNonce', 'vcv-nonce' => $nonceHelper->admin()]
 );
 
-$activateHubUrl = esc_url(admin_url('admin.php?page=vcv-activate-license&vcv-ref=license-vcdashboard'));
-$upgradeLicenseUrl = esc_url(vcvenv('VCV_HUB_LICENSES_URL'));
+$activateHubUrl = admin_url('admin.php?page=vcv-activate-license&vcv-ref=license-vcdashboard');
+$upgradeLicenseUrl = vcvenv('VCV_HUB_LICENSES_URL');
 
 $expirationDate = vchelper('License')->getExpirationDate();
 if (!vchelper('License')->isPremiumActivated()) {
     echo sprintf(
         '<div class="vcv-description vcv-description--no-flex"><p class="description">%s</p>',
-        __(
+        esc_html__(
             'It seems you haven’t activated your Premium license to access elements, templates, and addons in the Visual Composer Hub.',
             'visualcomposer'
         )
     );
     echo sprintf(
         '<a href="%s" class="button vcv-license-btn-activate-hub">%s</a>',
-        $activateHubUrl,
-        __('Activate Premium', 'visualcomposer')
+        esc_url($activateHubUrl),
+        esc_html__('Activate Premium', 'visualcomposer')
     );
     echo sprintf(
         '<a href="%s" class="button vcv-license-btn-activate-hub vcv-license-btn-go-premium" target="_blank" rel="noopener noreferrer">%s</a>',
         esc_url(vchelper('Utm')->get('vcdashboard-license-go-premium')),
-        __('Go Premium', 'visualcomposer')
+        esc_html__('Go Premium', 'visualcomposer')
     );
     echo '</div>';
 
@@ -69,7 +69,7 @@
             <tbody>
             <tr>
                 <td><?php echo esc_html__('License key', 'visualcomposer') ?>:</td>
-                <td><?php echo vchelper('License')->getHiddenKey(); ?> <a href="<?php
+                <td><?php echo esc_html(vchelper('License')->getHiddenKey()); ?> <a href="<?php
                     echo esc_url(
                         $deactivateUrl
                     ); ?>" class="vcv-license-btn-deactivate"><?php
@@ -81,22 +81,31 @@
             </tr>
             <tr>
                 <td><?php echo esc_html__('License type', 'visualcomposer') ?>:</td>
-                <td><?php $type = vchelper('License')->getType();
-                    echo ucfirst($type);
-                    echo $type === 'free' ? (' - <a href="' . esc_url($upgradeLicenseUrl)
-                        . '" class="vcv-license-btn-upgrade">' . esc_html__(
+                <td><?php
+                $licenseType = vchelper('License')->getType();
+                echo esc_html(ucfirst($licenseType));
+                if ($licenseType === 'free') {
+                    echo sprintf(
+                        ' - <a href="%s" class="vcv-license-btn-upgrade">%s</a>',
+                        esc_url($upgradeLicenseUrl),
+                        esc_html__(
                             'Upgrade',
                             'visualcomposer'
-                        ) . '</a>') : ''; ?></td>
+                        )
+                    );
+                }
+                ?></td>
             </tr>
             <?php if (!empty($expirationDate)) : ?>
                 <tr>
                     <td><?php echo esc_html__('License expiration date', 'visualcomposer') ?>:</td>
                     <td><?php
-                        echo $expirationDate !== 'lifetime' ? gmdate(
-                            get_option('date_format') . ' ' . get_option('time_format'),
-                            $expirationDate
-                        ) : 'lifetime'; ?></td>
+                        echo esc_html(
+                            $expirationDate !== 'lifetime' ? gmdate(
+                                get_option('date_format') . ' ' . get_option('time_format'),
+                                $expirationDate
+                            ) : 'lifetime'
+                        ); ?></td>
                 </tr>
             <?php endif; ?>
             </tbody>

visualcomposer/resources/views/partials/script.php

@@ -7,10 +7,10 @@
 }
 /** @var string $value */
 /** @var string $key */
+$outputHelper = vchelper('Output');
 ?>
 <script id="vcv-<?php echo esc_attr(vchelper('Str')->slugify($key)); ?>">
     <?php
-    // @codingStandardsIgnoreLine
-    echo $value;
+    $outputHelper->printNotEscaped($value);
     ?>
 </script>

visualcomposer/resources/views/partials/style.php

@@ -7,10 +7,10 @@
 }
 /** @var string $value */
 /** @var string $key */
+$outputHelper = vchelper('Output');
 ?>
 <style id="vcv-style-<?php echo esc_attr(vchelper('Str')->slugify($key)); ?>">
     <?php
-    // @codingStandardsIgnoreLine
-    echo $value;
+    $outputHelper->printNotEscaped($value);
     ?>
 </style>

visualcomposer/resources/views/partials/teaser.php

@@ -13,19 +13,19 @@
 <div class="vcv-premium-teaser-inner">
     <div class="vcv-premium-teaser-image"></div>
     <header class="vcv-premium-teaser-header">
-        <h2 class="vcv-premium-teaser-heading"><?php echo $page['premiumTitle']; ?></h2>
+        <h2 class="vcv-premium-teaser-heading"><?php echo esc_html($page['premiumTitle']); ?></h2>
     </header>
     <div class="vcv-premium-teaser-content">
-        <p class="vcv-premium-teaser-text"><?php echo $page['premiumDescription']; ?></p>
+        <p class="vcv-premium-teaser-text"><?php echo esc_html($page['premiumDescription']); ?></p>
     </div>
     <div class="vcv-download-addon-button-container">
         <?php if (vchelper('License')->isPremiumActivated()) : ?>
-            <a class="vcv-premium-teaser-btn vcv-premium-teaser-download-addon-btn" data-vcv-action="download" data-vcv-action-bundle="<?php echo $page['premiumActionBundle']; ?>"><?php esc_html_e('Download Addon', 'visualcomposer'); ?></a>
+            <a class="vcv-premium-teaser-btn vcv-premium-teaser-download-addon-btn" data-vcv-action="download" data-vcv-action-bundle="<?php echo esc_attr($page['premiumActionBundle']); ?>"><?php esc_html_e('Download Addon', 'visualcomposer'); ?></a>
         <?php else : ?>
-            <a class="vcv-premium-teaser-btn" href="<?php echo $page['premiumUrl']; ?>" target="_blank" rel="noopener noreferrer"><?php esc_html_e('Go Premium', 'visualcomposer'); ?></a>
+            <a class="vcv-premium-teaser-btn" href="<?php echo esc_url($page['premiumUrl']); ?>" target="_blank" rel="noopener noreferrer"><?php esc_html_e('Go Premium', 'visualcomposer'); ?></a>
             <p class="vcv-premium-teaser-text">
                 <?php if (!empty($page['activationUrl'])) : ?>
-                    <?php esc_html_e('Already have a Premium license?', 'visualcomposer'); ?> <a href="<?php echo $page['activationUrl']; ?>" target="_blank" rel="noopener noreferrer"><?php esc_html_e('Activate here', 'visualcomposer'); ?></a>
+                    <?php esc_html_e('Already have a Premium license?', 'visualcomposer'); ?> <a href="<?php echo esc_url($page['activationUrl']); ?>" target="_blank" rel="noopener noreferrer"><?php esc_html_e('Activate here', 'visualcomposer'); ?></a>
                 <?php endif; ?>
             </p>
         <?php endif; ?>

visualcomposer/resources/views/settings/fields/css-editor/css-editor.php

@@ -7,9 +7,13 @@
 }
 
 /** @var array $globalSetting */
+$outputHelper = vchelper('Output');
 ?>
 
 <div class="vcv-ui-form-editor-container">
-    <textarea id="vcv-<?php echo $globalSetting['slug']; ?>" class="vcv-css-code-editor" name="vcv-<?php echo $globalSetting['slug']; ?>"><?php echo (isset($globalSetting['value'])) ? $globalSetting['value'] : ''; ?></textarea>
-    <textarea id="vcv-<?php echo $globalSetting['slug']; ?>-compiled" style="display:none;" name="vcv-<?php echo $globalSetting['slug']; ?>-compiled">not-changed</textarea>
+    <textarea id="vcv-<?php echo esc_attr($globalSetting['slug']); ?>" class="vcv-css-code-editor" name="vcv-<?php echo esc_attr($globalSetting['slug']); ?>"><?php $outputHelper->printNotEscaped(
+        isset($globalSetting['value']) ? $globalSetting['value'] : ''
+    );
+?></textarea>
+    <textarea id="vcv-<?php echo esc_attr($globalSetting['slug']); ?>-compiled" style="display:none;" name="vcv-<?php echo esc_attr($globalSetting['slug']); ?>-compiled">not-changed</textarea>
 </div>

visualcomposer/resources/views/settings/fields/customtoggle.php

@@ -18,8 +18,8 @@
     <label class="vcv-ui-form-switch">
         <input type="checkbox" value="<?php echo esc_attr($value); ?>" name="<?php echo esc_attr($name); ?>" <?php echo $isEnabled ? 'checked="checked"' : ''; ?> />
         <span class="vcv-ui-form-switch-indicator"></span>
-        <span class="vcv-ui-form-switch-label" data-vc-switch-on="<?php echo $onTitle; ?>"></span>
-        <span class="vcv-ui-form-switch-label" data-vc-switch-off="<?php echo $offTitle; ?>"></span>
+        <span class="vcv-ui-form-switch-label" data-vc-switch-on="<?php echo esc_attr($onTitle); ?>"></span>
+        <span class="vcv-ui-form-switch-label" data-vc-switch-off="<?php echo esc_attr($offTitle); ?>"></span>
     </label>
     <span><?php echo isset($title) ? esc_html($title) : ''; ?></span>
 </div>

visualcomposer/resources/views/settings/fields/dropdown.php

@@ -12,24 +12,28 @@
 /** @var string $class */
 /** @var string $emptyTitle */
 /** @var string $dataTitle */
+$outputHelper = vchelper('Output');
 ?>
 
-<div class="vcv-ui-form-group<?php echo isset($description) ? ' vcv-ui-form-switch-container-has-description' : ''; ?>" <?php echo isset($dataTitle) ? 'data-title="' . $dataTitle . '"' : ''; ?>>
-    <?php $createUrlAttribute = isset($createUrl) ? 'data-create-url="' . $createUrl . '"' : ''; ?>
-    <select class="vcv-ui-form-dropdown<?php echo isset($class) ? ' ' . $class : ''; ?>" <?php echo $createUrlAttribute ?> id="<?php echo $name; ?>" name="<?php echo $name; ?>">
+<div class="vcv-ui-form-group<?php echo isset($description) ? ' vcv-ui-form-switch-container-has-description' : ''; ?>" <?php
+echo isset($dataTitle) ? 'data-title="' . esc_attr($dataTitle) . '"' : ''; ?>>
+    <?php $createUrlAttribute = isset($createUrl) ? 'data-create-url="' . esc_url($createUrl) . '"' : ''; ?>
+    <select class="vcv-ui-form-dropdown<?php echo isset($class) ? ' ' . esc_attr($class) : ''; ?>" <?php $outputHelper->printNotEscaped($createUrlAttribute); ?> id="<?php echo esc_attr(
+        $name
+    ); ?>" name="<?php echo esc_attr($name); ?>">
         <?php if (isset($emptyTitle)) : ?>
-            <option value=""><?php echo $emptyTitle; ?></option>
+            <option value=""><?php echo esc_html($emptyTitle); ?></option>
         <?php endif; ?>
         <?php if (!empty($enabledOptions)) : ?>
             <?php foreach ($enabledOptions as $option) : ?>
                 <?php $selected = ($option['id'] === $value) ? 'selected' : ''; ?>
-                <?php $url = isset($option['url']) ? 'data-url="' . $option['url'] . '"' : ''; ?>
-                <option value="<?php echo $option['id']; ?>" <?php echo $url ?> <?php echo $selected; ?>><?php echo $option['title']; ?></option>
+                <?php $url = isset($option['url']) ? 'data-url="' . esc_url($option['url']) . '"' : ''; ?>
+                <option value="<?php echo esc_attr($option['id']); ?>" <?php $outputHelper->printNotEscaped($url) ?> <?php $outputHelper->printNotEscaped($selected); ?>><?php echo esc_html($option['title']); ?></option>
             <?php endforeach; ?>
         <?php endif; ?>
     </select>
 
     <?php if (isset($description)) { ?>
-        <p class="description"><?php echo $description; ?></p>
+        <p class="description"><?php esc_html($description); ?></p>
     <?php } ?>
 </div>