
Commit 3d7ea6f

Refine On This Day widget escaping and rendered markup
Co-Authored-By: Oz <oz-agent@warp.dev>
1 parent efd8b31 commit 3d7ea6f

1 file changed

Lines changed: 20 additions & 19 deletions


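--- a/src/wp-admin/includes/class-wp-on-this-day.php
+++ b/src/wp-admin/includes/class-wp-on-this-day.php
@@ -95,7 +95,7 @@ public static function register_widget() {
 sprintf(
 '<span class="on-this-day-title" data-otd-window-label="%s">%s</span>',
 esc_attr( self::get_window_label( self::get_window_days() ) ),
-__( 'On This Day' )
+esc_html__( 'On This Day' )
 ),
 array( __CLASS__, 'render_dashboard_widget' )
 );
@@ -304,7 +304,7 @@ public static function get_window_label( $window_days ) {
 $start = current_datetime();
 $start_label = wp_date( 'F j', $start->getTimestamp(), $start->getTimezone() );
 
-if ( self::MIN_WINDOW_DAYS === $window_days ) {
+if ( 1 === $window_days ) {
 return $start_label;
 }
 
@@ -360,6 +360,9 @@ protected static function get_window_date_query_clauses( $window_days ) {
 /**
 * Renders the empty state shown when no matching posts exist.
 *
+* Outputs rendered HTML that has already been escaped at write time.
+* Callers must echo the captured buffer as-is to avoid double-escaping.
+*
 * @since 7.1.0
 *
 * @param int $window_days Number of days included in the date window.
@@ -387,7 +390,7 @@ protected static function render_empty_state( $window_days ) {
 esc_html( $start_label )
 );
 
-if ( self::MIN_WINDOW_DAYS === $window_days ) {
+if ( 1 === $window_days ) {
 printf(
 /* translators: %s: Current date, e.g. "April 22". */
 esc_html__( 'You haven\'t published anything on %s in previous years. Write something today and check back next year!' ),
@@ -422,6 +425,9 @@ protected static function render_empty_state( $window_days ) {
 /**
 * Renders the grouped post list for the widget.
 *
+* Outputs rendered HTML that has already been escaped at write time.
+* Callers must echo the captured buffer as-is to avoid double-escaping.
+*
 * @since 7.1.0
 *
 * @param WP_Post[] $posts Posts to render, most recent first.
@@ -451,15 +457,13 @@ protected static function render_posts( $posts, $window_days ) {
 <li class="<?php echo esc_attr( $group_classes ); ?>">
 <p class="on-this-day-year-header">
 <span class="on-this-day-year-number"><?php echo esc_html( $year ); ?></span>
-<span class="on-this-day-year-ago">
-<?php
+<span class="on-this-day-year-ago"><?php
 printf(
 /* translators: %s: Number of years, e.g. "1 year ago" or "5 years ago". */
 esc_html( _n( '%s year ago', '%s years ago', $years_ago ) ),
 esc_html( number_format_i18n( $years_ago ) )
 );
-?>
-</span>
+?></span>
 </p>
 <ul class="on-this-day-post-list">
 <?php foreach ( $year_posts as $post ) : ?>
@@ -475,6 +479,9 @@ protected static function render_posts( $posts, $window_days ) {
 /**
 * Renders a single post row.
 *
+* Outputs rendered HTML that has already been escaped at write time.
+* Callers must echo the captured buffer as-is to avoid double-escaping.
+*
 * @since 7.1.0
 *
 * @param WP_Post $post Post object to render.
@@ -526,9 +533,7 @@ protected static function render_post( $post, $window_days ) {
 <span class="on-this-day-post-icon dashicons-before dashicons-edit" aria-hidden="true"></span>
 <?php endif; ?>
 <div class="on-this-day-post-body">
-<span class="screen-reader-text">
-<?php echo $is_private ? esc_html__( 'Private post' ) : esc_html__( 'Published post' ); ?>
-</span>
+<span class="screen-reader-text"><?php echo $is_private ? esc_html__( 'Private post' ) : esc_html__( 'Published post' ); ?></span>
 
 <h4 class="on-this-day-post-title">
 <?php if ( $edit_link ) : ?>
@@ -543,9 +548,8 @@ protected static function render_post( $post, $window_days ) {
 <?php endif; ?>
 
 <div class="on-this-day-post-meta">
-<time class="on-this-day-post-time" datetime="<?php echo esc_attr( $time_iso ); ?>">
-<?php
-if ( self::MIN_WINDOW_DAYS === $window_days ) {
+<time class="on-this-day-post-time" datetime="<?php echo esc_attr( $time_iso ); ?>"><?php
+if ( 1 === $window_days ) {
 echo esc_html( $time_str );
 } else {
 echo esc_html(
@@ -557,17 +561,14 @@ protected static function render_post( $post, $window_days ) {
 )
 );
 }
-?>
-</time>
+?></time>
 
 <?php if ( ! empty( $categories ) ) : ?>
 <span class="on-this-day-post-sep" aria-hidden="true">&middot;</span>
-<span class="on-this-day-post-categories">
-<?php
+<span class="on-this-day-post-categories"><?php
 $names = wp_list_pluck( array_slice( $categories, 0, 3 ), 'name' );
 echo esc_html( implode( ', ', $names ) );
-?>
-</span>
+?></span>
 <?php endif; ?>
 
 <?php if ( $is_private ) : ?>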
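Review bot: The docblock text added to render_empty_state(), render_posts() and render_post() says the output "has already been escaped at write time", which can be read as escaping on save rather than at the point of output, and it tells callers to echo the buffer unescaped without saying what makes that safe. Because this contract places the whole XSS guarantee inside these methods, I would word it as `Every dynamic value is escaped where it is printed inside this method.` followed by `Callers that buffer the output must echo it unchanged; escaping it again would double-encode the markup.` The values printed in the visible lines do go through esc_html()/esc_attr(), but all three method bodies extend beyond the hunks (the title and edit-link output of render_post() in particular), so the claim cannot be confirmed for the whole of each method from this page. It would help to add a line to each docblock reminding maintainers that any new output added to the method must be escaped at the call site, since no later layer will do it.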
