From d899aa04a4a9c63cf6299b57ecd2ecce212aae7a Mon Sep 17 00:00:00 2001
From: Matt Harvey <harveym@gmail.com>
Date: Tue, 24 Mar 2015 12:39:11 -0700
Subject: [PATCH 1/5] Add escaping to the components that were missing it.

---
 admin/class-aesop-core-admin.php              | 12 +++------
 .../includes/components/component-gallery.php | 12 ++++-----
 admin/includes/components/component-map.php   | 26 +++++++++----------
 public/includes/components/component-cbox.php |  8 +++---
 .../components/component-character.php        |  2 +-
 .../components/component-collections.php      | 10 +++----
 .../includes/components/component-gallery.php | 24 ++++++++---------
 .../includes/components/component-heading.php |  4 +--
 .../includes/components/component-image.php   |  6 ++---
 public/includes/components/component-map.php  | 16 ++++++------
 .../components/component-parallax.php         |  2 +-
 .../includes/components/component-quote.php   |  2 +-
 .../includes/components/component-video.php   |  4 +--
 13 files changed, 62 insertions(+), 66 deletions(-)

diff --git a/admin/class-aesop-core-admin.php b/admin/class-aesop-core-admin.php
index aa64a1af..b85233ff 100755
--- a/admin/class-aesop-core-admin.php
+++ b/admin/class-aesop-core-admin.php
@@ -148,7 +148,7 @@ public function generator_button() {
 
 		$button = apply_filters( 'aesop_generator_button', $getbutton );
 
-		echo $button;
+		echo esc_html( $button );
 
 	}
 
@@ -193,13 +193,9 @@ public function generator_popup() {
 					<div class="aesop-select-wrap fix aesop-generator-left">
 						<select name="aesop-select" class="aesop-generator" id="aesop-generator-select">
 
-							<?php
-			foreach ( aesop_shortcodes() as $name => $shortcode ) {
-?>
-							<option value="<?php echo $name; ?>"><?php echo str_replace( '_', ' ', strtoupper( $name ) ); ?></option>
-							<?php
-			}
-?>
+							<?php foreach ( aesop_shortcodes() as $name => $shortcode ) : ?>
+							<option value="<?php echo esc_attr( $name ); ?>"><?php echo str_replace( '_', ' ', strtoupper( esc_html( $name ) ) ); ?></option>
+							<?php endforeach; ?>
 						</select>
 
 						<?php if ( ! defined( 'AI_CORE_WATERMARK' ) ) {
diff --git a/admin/includes/components/component-gallery.php b/admin/includes/components/component-gallery.php
index 12dd450d..abe3121e 100644
--- a/admin/includes/components/component-gallery.php
+++ b/admin/includes/components/component-gallery.php
@@ -172,14 +172,14 @@ public function render_gallery_box( $post ) {
 		if ( ! empty( $get_image_ids ) ):
 			foreach ( $image_ids as $image_id ):
 
-				$image    = wp_get_attachment_image_src( $image_id, 'thumbnail', false );
+				$image = wp_get_attachment_image_src( $image_id, 'thumbnail', false );
 
 ?>
-				<li id="<?php echo $image_id;?>" class="ase-gallery-image">
+				<li id="<?php echo esc_attr( $image_id ); ?>" class="ase-gallery-image">
 					<i class="dashicons dashicons-no-alt" title="Delete From Gallery"></i>
 					<i class='dashicons dashicons-edit' title="Edit Image Caption"></i>
-		           	<img src="<?php echo $image[0];?>">
-		          </li>
+					<img src="<?php echo esc_url( $image[0] );?>">
+				</li>
 					<?php
 
 		endforeach;
@@ -394,7 +394,7 @@ public function upgrade_galleries_notice() {
 
 			$out .= '</p></div>';
 
-			echo $out;
+			echo esc_html( $out );
 
 		}
 	}
@@ -456,7 +456,7 @@ public function upgrade_click_handle() {
 
 				  		var data = {
 				            action: 'upgrade_galleries',
-				            security: '<?php echo $nonce;?>'
+				            security: <?php echo json_encode( $nonce ); ?>
 				        };
 
 					  	jQuery.post(ajaxurl, data, function(response) {
diff --git a/admin/includes/components/component-map.php b/admin/includes/components/component-map.php
index 28ed764f..ae41e170 100644
--- a/admin/includes/components/component-map.php
+++ b/admin/includes/components/component-map.php
@@ -140,13 +140,13 @@ public function render_map_box( $post ) {
 		echo '<div id="aesop-map" style="height:350px;"></div>';
 
 		$ase_map_locations   = get_post_meta( $post->ID, 'ase_map_component_locations' );
-		$ase_map_start_point  = get_post_meta( $post->ID, 'ase_map_component_start_point', true );
-		$get_map_zoom    = get_post_meta( $post->ID, 'ase_map_component_zoom', true );
+		$ase_map_start_point = get_post_meta( $post->ID, 'ase_map_component_start_point', true );
+		$get_map_zoom        = get_post_meta( $post->ID, 'ase_map_component_zoom', true );
 
-		$ase_map_start_point  = empty ( $ase_map_start_point ) ? array( 29.76, -95.38 ) : array( $ase_map_start_point['lat'], $ase_map_start_point['lng'] );
-		$ase_map_zoom    = empty ( $get_map_zoom ) ? 12 : $get_map_zoom;
+		$ase_map_start_point = empty ( $ase_map_start_point ) ? array( 29.76, -95.38 ) : array( $ase_map_start_point['lat'], $ase_map_start_point['lng'] );
+		$ase_map_zoom        = empty ( $get_map_zoom ) ? 12 : $get_map_zoom;
 
-		$ase_map_start_point  = json_encode( $ase_map_start_point );
+		$ase_map_start_point = json_encode( $ase_map_start_point );
 		$ase_map_locations   = json_encode( $ase_map_locations );
 
 		$tiles      = aesop_map_tile_provider( $post->ID );
@@ -157,7 +157,7 @@ public function render_map_box( $post ) {
 
 				jQuery(document).ready(function(){
 
-					var start_point = <?php echo $ase_map_start_point; ?>;
+					var start_point = <?php echo json_encode( $ase_map_start_point ); ?>;
 					var start_zoom = <?php echo absint( $ase_map_zoom ); ?>;
 
 					var map = L.map('aesop-map',{
@@ -175,12 +175,12 @@ public function render_map_box( $post ) {
 						setMapCenter(lat,lng);
   					});
 
-					L.tileLayer('<?php echo $tiles;?>', {
+					L.tileLayer('<?php echo json_encode( $tiles ); ?>', {
 						maxZoom: 20
 					}).addTo(map);
 
 					<?php if ( ! empty( $ase_map_locations ) ) : ?>
-						var ase_map_locations = <?php echo $ase_map_locations; ?>
+						var ase_map_locations = <?php echo json_encode( $ase_map_locations ); ?>
 					<?php endif; ?>
 
 					ase_map_locations.forEach(function(location) {
@@ -411,7 +411,7 @@ public function upgrade_map_notice() {
 
 			$out .= '</p></div>';
 
-			echo $out;
+			echo esc_html( $out );
 
 		}
 	}
@@ -490,7 +490,7 @@ public function upgrade_marker_meta() {
 
 				$old_start_point = get_post_meta( $id, 'aesop_map_start', true );
 				if ( ! empty ( $old_start_point ) ) {
-					echo $old_start_point;
+					echo esc_html( $old_start_point );
 					$old_start_point = explode( ',', $old_start_point );
 					if ( count( $old_start_point ) == 2 ) {
 						$translated = array();
@@ -534,7 +534,7 @@ public function upgrade_click_handle() {
 
 				  		var data = {
 				            action: 'upgrade_marker_meta',
-				            security: '<?php echo $nonce;?>'
+				            security: <?php echo json_encode( $nonce );?>
 				        };
 
 					  	jQuery.post(ajaxurl, data, function(response) {
@@ -566,7 +566,7 @@ public function upgrade_mapboxid_notice() {
 
 			$out .= '</p></div>';
 
-			echo $out;
+			echo esc_html( $out );
 
 		}
 	}
@@ -593,7 +593,7 @@ public function upgrade_mapbox_click_handle() {
 
 				  		var data = {
 				            action: 'upgrade_mapbox',
-				            security: '<?php echo $nonce;?>'
+				            security: <?php echo json_encode( $nonce ); ?>
 				        };
 
 					  	$.post(ajaxurl, data, function(response) {
diff --git a/public/includes/components/component-cbox.php b/public/includes/components/component-cbox.php
index 43a6fd56..97b6ee19 100644
--- a/public/includes/components/component-cbox.php
+++ b/public/includes/components/component-cbox.php
@@ -82,7 +82,7 @@ function aesop_content_shortcode( $atts, $content = null ) {
 
 		do_action( 'aesop_cbox_before' ); // action
 ?>
-				<div <?php echo aesop_component_data_atts( 'content', $unique, $atts, true );?> class="aesop-component aesop-content-component <?php echo sanitize_html_class( $classes ).' '.$has_img. ' '.$has_floater;?>" style="<?php echo $height;?>" >
+				<div <?php echo aesop_component_data_atts( 'content', $unique, $atts, true ); ?> class="aesop-component aesop-content-component <?php echo sanitize_html_class( $classes ) . ' ' . sanitize_html_class( $has_img ) . ' ' . sanitize_html_class( $has_floater ); ?>" style="<?php echo esc_attr( $height ); ?>" >
 
 					<?php if ( $atts['floatermedia'] && ! wp_is_mobile() ) { ?>
 						<!-- Aesop Content Component -->
@@ -120,17 +120,17 @@ function scrollParallax(){
 
 		echo do_action( 'aesop_cbox_inside_top' ); // action ?>
 
-					<div id="aesop-content-component-<?php echo $unique;?>" class="aesop-content-comp-wrap <?php echo $typeclass;?>" <?php echo $itemstyle;?>>
+					<div id="aesop-content-component-<?php echo esc_attr( $unique ); ?>" class="aesop-content-comp-wrap <?php echo sanitize_html_class( $typeclass ); ?>" <?php echo esc_html( $itemstyle ); ?>>
 
 						<?php echo do_action( 'aesop_cbox_content_inside_top' ); // action
 
 		if ( $atts['floatermedia'] && ! wp_is_mobile() ) { ?>
 
-							<div class="aesop-content-component-floater <?php echo $floaterposition;?>" data-speed="10"><?php echo aesop_component_media_filter( $atts['floatermedia'] );?></div>
+							<div class="aesop-content-component-floater <?php echo sanitize_html_class( $floaterposition ); ?>" data-speed="10"><?php echo aesop_component_media_filter( esc_html( $atts['floatermedia'] ) );?></div>
 
 						<?php } ?>
 
-						<div class="aesop-component-content-data aesop-content-comp-inner <?php echo $contentwidth;?>" <?php echo $innerstyle;?>>
+						<div class="aesop-component-content-data aesop-content-comp-inner <?php echo sanitize_html_class( $contentwidth ); ?>" <?php echo esc_html( $innerstyle ); ?>>
 
 							<?php echo do_action( 'aesop_cbox_content_inner_inside_top' ); // action ?>
 
diff --git a/public/includes/components/component-character.php b/public/includes/components/component-character.php
index 67021175..2d143972 100644
--- a/public/includes/components/component-character.php
+++ b/public/includes/components/component-character.php
@@ -47,7 +47,7 @@ function aesop_character_shortcode( $atts, $content = null ) {
 					<?php do_action( 'aesop_character_inside_top' ); // action ?>
 
 					<div class="aesop-character-inner aesop-content">
-						<div class="aesop-character-float aesop-character-<?php echo esc_attr( $atts['align'] );?>" <?php echo $styles;?>>
+						<div class="aesop-character-float aesop-character-<?php echo esc_attr( $atts['align'] );?>" <?php echo esc_html( $styles ); ?>>
 
 							<?php do_action( 'aesop_character_inner_inside_top' ); // action ?>
 
diff --git a/public/includes/components/component-collections.php b/public/includes/components/component-collections.php
index 73fe912c..885d6b31 100644
--- a/public/includes/components/component-collections.php
+++ b/public/includes/components/component-collections.php
@@ -44,7 +44,7 @@ function aesop_collection_shortcode( $atts ) {
 					<h4 class="aesop-story-collection-title"><span><?php echo esc_html( $atts['title'] );?></span></h4>
 				<?php } ?>
 
-					<div id="aesop-collection-<?php echo $unique;?>" class="aesop-collection-grid clearfix aesop-collection-grid-<?php echo absint( $col );?>col <?php echo sanitize_html_class( $splash_class );?>">
+					<div id="aesop-collection-<?php echo esc_attr( $unique ); ?>" class="aesop-collection-grid clearfix aesop-collection-grid-<?php echo absint( $col );?>col <?php echo sanitize_html_class( $splash_class );?>">
 
 						<?php
 
@@ -73,12 +73,12 @@ function aesop_collection_shortcode( $atts ) {
 
 					foreach ( $cats as $cat ) {
 
-						?><div class="aesop-collection-item aesop-collection-category-<?php echo $cat->slug;?>">
+						?><div class="aesop-collection-item aesop-collection-category-<?php echo esc_attr( $cat->slug ); ?>">
 											<?php do_action( 'aesop_collection_inside_category_item_top' ); // action ?>
 											<a class="aesop-collection-item-link" href="<?php echo get_category_link( $cat->term_id );?>">
 												<div class="aesop-collection-item-inner">
-													<h2 class="aesop-collection-entry-title" itemprop="title"><?php echo $cat->name;?></h2>
-													<div class="aesop-collection-item-excerpt"><?php echo $cat->category_description;?></div>
+													<h2 class="aesop-collection-entry-title" itemprop="title"><?php echo esc_html( $cat->name ); ?></h2>
+													<div class="aesop-collection-item-excerpt"><?php echo esc_html( $cat->category_description ); ?></div>
 												</div>
 												<div class="aesop-collection-item-img"></div>
 											</a>
@@ -121,7 +121,7 @@ function aesop_collection_shortcode( $atts ) {
 												<p class="aesop-collection-meta">Written by <?php echo get_the_author();?></p>
 												<div class="aesop-collection-item-excerpt"><?php echo wp_trim_words( get_the_excerpt(), 22, '...' );?></div>
 											</div>
-											<div class="aesop-collection-item-img" style="background-image:url(<?php echo $coverimg[0];?>);background-repeat:no-repeat;background-size:cover;"></div>
+											<div class="aesop-collection-item-img" style="background-image:url(<?php echo esc_url( $coverimg[0] ); ?>);background-repeat:no-repeat;background-size:cover;"></div>
 										</a>
 										<?php do_action( 'aesop_collection_inside_item_bottom' ); // action ?>
 									</div>
diff --git a/public/includes/components/component-gallery.php b/public/includes/components/component-gallery.php
index e9a70180..d3dad7d6 100644
--- a/public/includes/components/component-gallery.php
+++ b/public/includes/components/component-gallery.php
@@ -182,10 +182,10 @@ public function aesop_grid_gallery( $gallery_id, $image_ids, $width ) {
 
 		foreach ( $image_ids as $image_id ):
 
-			$getimage   = wp_get_attachment_image( $image_id, 'aesop-grid-image', false, array( 'class' => 'aesop-grid-image' ) );
-		$getimagesrc    = wp_get_attachment_image_src( $image_id, 'full' );
-		$img_title     = get_post( $image_id )->post_title;
-		$caption   = get_post( $image_id )->post_excerpt;
+			$getimage    = wp_get_attachment_image( $image_id, 'aesop-grid-image', false, array( 'class' => 'aesop-grid-image' ) );
+			$getimagesrc = wp_get_attachment_image_src( $image_id, 'full' );
+			$img_title   = get_post( $image_id )->post_title;
+			$caption     = get_post( $image_id )->post_excerpt;
 
 ?>
 
@@ -194,7 +194,7 @@ public function aesop_grid_gallery( $gallery_id, $image_ids, $width ) {
 						<?php if ( $caption ) { ?>
 							<span class="aesop-grid-gallery-caption"><?php echo aesop_component_media_filter( $caption );?></span>
 						<?php } ?>
-						<span class="clearfix"><?php echo $getimage;?></span>
+						<span class="clearfix"><?php echo esc_html( $getimage ); ?></span>
 					</a>
 				</li>
 
@@ -242,7 +242,7 @@ public function aesop_stacked_gallery( $image_ids, $unique ) {
 			$caption   = get_post( $image_id )->post_excerpt;
 
 ?>
-           	<div class="aesop-stacked-img" style="background-image:url('<?php echo esc_url( $full[0] );?>');<?php echo $styles;?>">
+           	<div class="aesop-stacked-img" style="background-image:url('<?php echo esc_url( $full[0] ); ?>');<?php echo esc_attr( $styles ); ?>">
            		<?php if ( $caption ) { ?>
            			<div class="aesop-stacked-caption"><?php echo aesop_component_media_filter( $caption );?></div>
            		<?php } ?>
@@ -269,18 +269,18 @@ public function aesop_sequence_gallery( $image_ids ) {
 		foreach ( $image_ids as $image_id ):
 
 			$img     = wp_get_attachment_image_src( $image_id, $size, false, '' );
-		$alt     = get_post_meta( $image_id, '_wp_attachment_image_alt', true );
-		$caption = get_post( $image_id )->post_excerpt;
+			$alt     = get_post_meta( $image_id, '_wp_attachment_image_alt', true );
+			$caption = get_post( $image_id )->post_excerpt;
 
-		$lazy   = class_exists( 'AesopLazyLoader' ) && ! is_user_logged_in() ? sprintf( 'src="%s" data-src="%s" class="aesop-sequence-img aesop-lazy-img"', $lazy_holder, esc_url( $img[0] ) ) : sprintf( 'src="%s" class="aesop-sequence-img" ', esc_url( $img[0] ) );
+			$lazy    = class_exists( 'AesopLazyLoader' ) && ! is_user_logged_in() ? sprintf( 'src="%s" data-src="%s" class="aesop-sequence-img aesop-lazy-img"', $lazy_holder, esc_url( $img[0] ) ) : sprintf( 'src="%s" class="aesop-sequence-img" ', esc_url( $img[0] ) );
 
 ?>
            	<figure class="aesop-sequence-img-wrap">
 
-           		<img <?php echo $lazy;?> alt="<?php echo esc_attr( $alt );?>">
+           		<img <?php echo esc_attry( $lazy );?> alt="<?php echo esc_attr( $alt );?>">
 
            		<?php if ( $caption ) { ?>
-           			<figcaption class="aesop-content aesop-component-caption aesop-sequence-caption"><?php echo aesop_component_media_filter( $caption );?></figcaption>
+           			<figcaption class="aesop-content aesop-component-caption aesop-sequence-caption"><?php echo aesop_component_media_filter( esc_html( $caption ) ); ?></figcaption>
            		<?php } ?>
 
            	</figure>
@@ -358,7 +358,7 @@ public function aesop_photoset_gallery( $gallery_id, $image_ids, $width ) {
 
 			$lb_link    = $lightbox ? sprintf( 'data-highres="%s"', esc_url( $full[0] ) ) : null;
 
-			?><img src="<?php echo esc_url( $full[0] );?>" <?php echo $lb_link;?> data-caption="<?php echo esc_attr( $caption );?>" title="<?php echo esc_attr( $title );?>" alt="<?php echo esc_attr( $alt );?>"><?php
+			?><img src="<?php echo esc_url( $full[0] );?>" <?php echo esc_html( $lb_link ); ?> data-caption="<?php echo esc_attr( $caption );?>" title="<?php echo esc_attr( $title );?>" alt="<?php echo esc_attr( $alt );?>"><?php
 
 		}
 
diff --git a/public/includes/components/component-heading.php b/public/includes/components/component-heading.php
index ee3b0a3b..cab483fa 100644
--- a/public/includes/components/component-heading.php
+++ b/public/includes/components/component-heading.php
@@ -38,11 +38,11 @@ function aesop_chapter_shortcode( $atts ) {
 		do_action( 'aesop_chapter_before' ); // action
 
 ?>
-			<div id="chapter-unique-<?php echo $unique;?>" <?php echo aesop_component_data_atts( 'chapter', $unique, $atts );?> class="aesop-article-chapter-wrap default-cover <?php echo $video_chapter_class;?> aesop-component <?php echo $img_style_class;?> <?php echo $full_class;?> " >
+			<div id="chapter-unique-<?php echo esc_attr( $unique );?>" <?php echo aesop_component_data_atts( 'chapter', $unique, $atts );?> class="aesop-article-chapter-wrap default-cover <?php echo sanitize_html_class( $video_chapter_class ); ?> aesop-component <?php echo sanitize_html_class( $img_style_class ); ?> <?php echo sanitize_html_class( $full_class ); ?> " >
 
 				<?php do_action( 'aesop_chapter_inside_top' ); // action ?>
 
-				<div class="aesop-article-chapter clearfix" <?php echo $img_style;?> >
+				<div class="aesop-article-chapter clearfix" <?php echo esc_attr( $img_style ); ?> >
 
 					<h2 class="aesop-cover-title" itemprop="title" data-title="<?php echo esc_attr( $atts['title'] );?>">
 						<span><?php echo esc_html( $atts['title'] );?></span>
diff --git a/public/includes/components/component-image.php b/public/includes/components/component-image.php
index 1da6983f..5859754c 100644
--- a/public/includes/components/component-image.php
+++ b/public/includes/components/component-image.php
@@ -58,14 +58,14 @@ function aesop_image_shortcode( $atts ) {
 
 		if ( 'on' == $atts['lightbox'] ) { ?>
 
-						<a class="aesop-lightbox" href="<?php echo $atts['img'];?>" title="<?php echo $atts['caption'];?>">
+						<a class="aesop-lightbox" href="<?php echo esc_url( $atts['img'] ); ?>" title="<?php echo esc_attr( $atts['caption'] ); ?>">
 							<p class="aesop-img-enlarge"><i class="aesopicon aesopicon-search-plus"></i> <?php _e( 'Enlarge', 'aesop-core' );?></p>
-							<img <?php echo $lazy;?> alt="<?php echo esc_attr( $alt );?>">
+							<img <?php echo esc_attr( $lazy ); ?> alt="<?php echo esc_attr( $alt );?>">
 						</a>
 
 					<?php } else { ?>
 
-						<img <?php echo $lazy;?> alt="<?php echo esc_attr( $alt );?>">
+						<img <?php echo esc_attr( $lazy ); ?> alt="<?php echo esc_attr( $alt );?>">
 
 					<?php }
 
diff --git a/public/includes/components/component-map.php b/public/includes/components/component-map.php
index c49cbea7..6660acfe 100644
--- a/public/includes/components/component-map.php
+++ b/public/includes/components/component-map.php
@@ -53,7 +53,7 @@ function aesop_map_shortcode( $atts ) {
 
 		} ?>
 
-			<div id="aesop-map-component" <?php echo aesop_component_data_atts( 'map', $unique, $atts );?> class="aesop-component aesop-map-component <?php echo sanitize_html_class( $classes );?> " <?php echo $height;?>>
+			<div id="aesop-map-component" <?php echo aesop_component_data_atts( 'map', $unique, $atts );?> class="aesop-component aesop-map-component <?php echo sanitize_html_class( $classes );?> " <?php echo esc_attr( $height ); ?>>
 
 				<?php
 		/**
@@ -139,10 +139,10 @@ public function aesop_map_loader() {
 					var map = L.map('aesop-map-component',{
 						scrollWheelZoom: false,
 						zoom: <?php echo wp_filter_nohtml_kses( round( $zoom ) );?>,
-						center: [<?php echo $start;?>]
+						center: [<?php echo json_encode( $start ); ?>]
 					});
 
-					L.tileLayer('<?php echo $tiles;?>', {
+					L.tileLayer('<?php echo json_encode( $tiles ); ?>', {
 						maxZoom: 20
 					}).addTo(map);
 
@@ -150,19 +150,19 @@ public function aesop_map_loader() {
 			foreach ( $markers as $marker ):
 
 				$lat  = $marker['lat'];
-			$long  = $marker['lng'];
-			$text  = $marker['title'] ? $marker['title'] : null;
+				$long = $marker['lng'];
+				$text = $marker['title'] ? $marker['title'] : null;
 
-			$loc  = sprintf( '%s,%s', esc_attr( $lat ), esc_attr( $long ) );
+				$loc  = sprintf( '%s,%s', esc_attr( $lat ), esc_attr( $long ) );
 
 			// if market content is set run a popup
 			if ( $text ) { ?>
 
-							L.marker([<?php echo $loc;?>]).addTo(map).bindPopup('<?php echo aesop_component_media_filter( $text );?>').openPopup();
+							L.marker([<?php echo json_encode( $loc );?>]).addTo(map).bindPopup('<?php echo aesop_component_media_filter( $text );?>').openPopup();
 
 						<?php } else { ?>
 
-							L.marker([<?php echo $loc;?>]).addTo(map);
+							L.marker([<?php echo json_encode( $loc );?>]).addTo(map);
 
 						<?php }
 
diff --git a/public/includes/components/component-parallax.php b/public/includes/components/component-parallax.php
index 3dcf2fef..ff168ab7 100644
--- a/public/includes/components/component-parallax.php
+++ b/public/includes/components/component-parallax.php
@@ -137,7 +137,7 @@ function scrollParallax(){
 					<a class="aesop-lb-link aesop-lightbox" rel="lightbox" title="<?php echo esc_attr( $atts['caption'] );?>" href="<?php echo esc_url( $atts['img'] );?>"><i class="aesopicon aesopicon-search-plus"></i></a>
 				<?php } ?>
 
-				<img class="aesop-parallax-sc-img <?php echo $laxclass;?>" src="<?php echo esc_url( $atts['img'] );?>" alt="<?php echo esc_attr( $auto_alt );?>" >
+				<img class="aesop-parallax-sc-img <?php echo sanitize_html_class( $laxclass ); ?>" src="<?php echo esc_url( $atts['img'] );?>" alt="<?php echo esc_attr( $auto_alt );?>" >
 
 				<?php if ( $atts['caption'] ) { ?>
 					<figcaption class="aesop-parallax-sc-caption-wrap <?php echo sanitize_html_class( $atts['captionposition'] );?>">
diff --git a/public/includes/components/component-quote.php b/public/includes/components/component-quote.php
index 75eeacd3..c67ad208 100644
--- a/public/includes/components/component-quote.php
+++ b/public/includes/components/component-quote.php
@@ -82,7 +82,7 @@ function aesop_quote_shortcode( $atts ) {
 
 		do_action( 'aesop_quote_before' ); // action
 ?>
-			<div id="aesop-quote-component-<?php echo esc_attr( $unique );?>" <?php echo aesop_component_data_atts( 'quote', $unique, $atts );?> class="aesop-component aesop-quote-component <?php echo $core_classes.' '.$css_classes;?>" <?php echo $style;?>>
+			<div id="aesop-quote-component-<?php echo esc_attr( $unique );?>" <?php echo aesop_component_data_atts( 'quote', $unique, $atts );?> class="aesop-component aesop-quote-component <?php echo sanitize_html_class( $core_classes ) . ' ' . sanitize_html_class( $css_classes ); ?>" <?php echo esc_attr( $style ); ?>>
 
 				<?php if ( 'block' == $atts['type'] ): ?>
 					<!-- Aesop Core | Quote -->
diff --git a/public/includes/components/component-video.php b/public/includes/components/component-video.php
index d69efb99..742a96d1 100644
--- a/public/includes/components/component-video.php
+++ b/public/includes/components/component-video.php
@@ -86,7 +86,7 @@ function aesop_video_shortcode( $atts ) {
 
 	    	<?php do_action( 'aesop_video_inside_top' ); // action ?>
 
-	    	<div class="aesop-video-container aesop-video-container-<?php echo esc_attr( $unique );?> aesop-component-align-<?php echo sanitize_html_class( $atts['align'] );?> <?php echo sanitize_html_class( $atts['src'] );?>" <?php echo $widthstyle;?> >
+	    	<div class="aesop-video-container aesop-video-container-<?php echo esc_attr( $unique );?> aesop-component-align-<?php echo sanitize_html_class( $atts['align'] );?> <?php echo sanitize_html_class( $atts['src'] );?>" <?php echo esc_attr( $widthstyle ); ?>>
 
 				<?php
 		switch ( $atts['src'] ) {
@@ -124,7 +124,7 @@ function aesop_video_shortcode( $atts ) {
 ?>
 		    </div>
 
-	   	 	<?php echo $caption;
+	   	 	<?php echo esc_html( $caption );
 
 		do_action( 'aesop_video_inside_bottom' ); // action ?>
 		</div>

From 8cfe1ed433ee5d8d2f07cbf290593629ccce40ff Mon Sep 17 00:00:00 2001
From: Matt Harvey <harveym@gmail.com>
Date: Tue, 24 Mar 2015 12:42:52 -0700
Subject: [PATCH 2/5] Stop double encoding the map variables.

---
 admin/includes/components/component-map.php | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/admin/includes/components/component-map.php b/admin/includes/components/component-map.php
index ae41e170..8260a2a5 100644
--- a/admin/includes/components/component-map.php
+++ b/admin/includes/components/component-map.php
@@ -146,9 +146,6 @@ public function render_map_box( $post ) {
 		$ase_map_start_point = empty ( $ase_map_start_point ) ? array( 29.76, -95.38 ) : array( $ase_map_start_point['lat'], $ase_map_start_point['lng'] );
 		$ase_map_zoom        = empty ( $get_map_zoom ) ? 12 : $get_map_zoom;
 
-		$ase_map_start_point = json_encode( $ase_map_start_point );
-		$ase_map_locations   = json_encode( $ase_map_locations );
-
 		$tiles      = aesop_map_tile_provider( $post->ID );
 
 ?>

From 1491a5e91d2f5cfb22a9ad4f12d5fce7dafdf93e Mon Sep 17 00:00:00 2001
From: Matt Harvey <harveym@gmail.com>
Date: Fri, 3 Apr 2015 10:24:17 -0700
Subject: [PATCH 3/5] Do not escape HTML output that is already escaped.

---
 admin/class-aesop-core-admin.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/admin/class-aesop-core-admin.php b/admin/class-aesop-core-admin.php
index b85233ff..568f05b3 100755
--- a/admin/class-aesop-core-admin.php
+++ b/admin/class-aesop-core-admin.php
@@ -148,7 +148,7 @@ public function generator_button() {
 
 		$button = apply_filters( 'aesop_generator_button', $getbutton );
 
-		echo esc_html( $button );
+		echo wp_kses( $button );
 
 	}
 

From f82939d111e285ca98217588c40ed7b4b52408be Mon Sep 17 00:00:00 2001
From: Matt Harvey <harveym@gmail.com>
Date: Fri, 3 Apr 2015 14:36:22 -0700
Subject: [PATCH 4/5] Stop escaping output that is already escaped/has HTML/JS.

---
 admin/class-aesop-core-admin.php                   | 2 +-
 admin/includes/components/component-gallery.php    | 2 +-
 admin/includes/components/component-map.php        | 4 ++--
 public/includes/components/component-cbox.php      | 4 ++--
 public/includes/components/component-character.php | 2 +-
 public/includes/components/component-gallery.php   | 2 +-
 public/includes/components/component-image.php     | 6 +++---
 public/includes/components/component-quote.php     | 2 +-
 8 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/admin/class-aesop-core-admin.php b/admin/class-aesop-core-admin.php
index 568f05b3..94ef009f 100755
--- a/admin/class-aesop-core-admin.php
+++ b/admin/class-aesop-core-admin.php
@@ -148,7 +148,7 @@ public function generator_button() {
 
 		$button = apply_filters( 'aesop_generator_button', $getbutton );
 
-		echo wp_kses( $button );
+		echo ( $button );
 
 	}
 
diff --git a/admin/includes/components/component-gallery.php b/admin/includes/components/component-gallery.php
index abe3121e..a1d01cca 100644
--- a/admin/includes/components/component-gallery.php
+++ b/admin/includes/components/component-gallery.php
@@ -394,7 +394,7 @@ public function upgrade_galleries_notice() {
 
 			$out .= '</p></div>';
 
-			echo esc_html( $out );
+			echo $out;
 
 		}
 	}
diff --git a/admin/includes/components/component-map.php b/admin/includes/components/component-map.php
index 8260a2a5..13f561dd 100644
--- a/admin/includes/components/component-map.php
+++ b/admin/includes/components/component-map.php
@@ -408,7 +408,7 @@ public function upgrade_map_notice() {
 
 			$out .= '</p></div>';
 
-			echo esc_html( $out );
+			echo wp_kses( $out );
 
 		}
 	}
@@ -563,7 +563,7 @@ public function upgrade_mapboxid_notice() {
 
 			$out .= '</p></div>';
 
-			echo esc_html( $out );
+			echo wp_kses( $out );
 
 		}
 	}
diff --git a/public/includes/components/component-cbox.php b/public/includes/components/component-cbox.php
index 97b6ee19..aa76ada3 100644
--- a/public/includes/components/component-cbox.php
+++ b/public/includes/components/component-cbox.php
@@ -120,7 +120,7 @@ function scrollParallax(){
 
 		echo do_action( 'aesop_cbox_inside_top' ); // action ?>
 
-					<div id="aesop-content-component-<?php echo esc_attr( $unique ); ?>" class="aesop-content-comp-wrap <?php echo sanitize_html_class( $typeclass ); ?>" <?php echo esc_html( $itemstyle ); ?>>
+					<div id="aesop-content-component-<?php echo esc_attr( $unique ); ?>" class="aesop-content-comp-wrap <?php echo sanitize_html_class( $typeclass ); ?>" <?php echo $itemstyle; ?>>
 
 						<?php echo do_action( 'aesop_cbox_content_inside_top' ); // action
 
@@ -130,7 +130,7 @@ function scrollParallax(){
 
 						<?php } ?>
 
-						<div class="aesop-component-content-data aesop-content-comp-inner <?php echo sanitize_html_class( $contentwidth ); ?>" <?php echo esc_html( $innerstyle ); ?>>
+						<div class="aesop-component-content-data aesop-content-comp-inner <?php echo sanitize_html_class( $contentwidth ); ?>" <?php echo $innerstyle; ?>>
 
 							<?php echo do_action( 'aesop_cbox_content_inner_inside_top' ); // action ?>
 
diff --git a/public/includes/components/component-character.php b/public/includes/components/component-character.php
index 2d143972..eb82e26f 100644
--- a/public/includes/components/component-character.php
+++ b/public/includes/components/component-character.php
@@ -47,7 +47,7 @@ function aesop_character_shortcode( $atts, $content = null ) {
 					<?php do_action( 'aesop_character_inside_top' ); // action ?>
 
 					<div class="aesop-character-inner aesop-content">
-						<div class="aesop-character-float aesop-character-<?php echo esc_attr( $atts['align'] );?>" <?php echo esc_html( $styles ); ?>>
+						<div class="aesop-character-float aesop-character-<?php echo esc_attr( $atts['align'] );?>" <?php echo $styles; ?>>
 
 							<?php do_action( 'aesop_character_inner_inside_top' ); // action ?>
 
diff --git a/public/includes/components/component-gallery.php b/public/includes/components/component-gallery.php
index d3dad7d6..6eec933c 100644
--- a/public/includes/components/component-gallery.php
+++ b/public/includes/components/component-gallery.php
@@ -194,7 +194,7 @@ public function aesop_grid_gallery( $gallery_id, $image_ids, $width ) {
 						<?php if ( $caption ) { ?>
 							<span class="aesop-grid-gallery-caption"><?php echo aesop_component_media_filter( $caption );?></span>
 						<?php } ?>
-						<span class="clearfix"><?php echo esc_html( $getimage ); ?></span>
+						<span class="clearfix"><?php echo $getimage; ?></span>
 					</a>
 				</li>
 
diff --git a/public/includes/components/component-image.php b/public/includes/components/component-image.php
index 5859754c..60067de5 100644
--- a/public/includes/components/component-image.php
+++ b/public/includes/components/component-image.php
@@ -51,7 +51,7 @@ function aesop_image_shortcode( $atts ) {
 			<?php do_action( 'aesop_image_inside_top' ); // action ?>
 
 			<figure class="aesop-content">
-				<div class="aesop-image-component-image aesop-component-align-<?php echo sanitize_html_class( $atts['align'] );?> aesop-image-component-caption-<?php echo sanitize_html_class( $atts['captionposition'] );?>" <?php echo esc_attr( $offsetstyle );?>>
+				<div class="aesop-image-component-image aesop-component-align-<?php echo sanitize_html_class( $atts['align'] );?> aesop-image-component-caption-<?php echo sanitize_html_class( $atts['captionposition'] );?>" <?php echo $offsetstyle;?>>
 					<?php
 
 		do_action( 'aesop_image_inner_inside_top' ); // action
@@ -60,12 +60,12 @@ function aesop_image_shortcode( $atts ) {
 
 						<a class="aesop-lightbox" href="<?php echo esc_url( $atts['img'] ); ?>" title="<?php echo esc_attr( $atts['caption'] ); ?>">
 							<p class="aesop-img-enlarge"><i class="aesopicon aesopicon-search-plus"></i> <?php _e( 'Enlarge', 'aesop-core' );?></p>
-							<img <?php echo esc_attr( $lazy ); ?> alt="<?php echo esc_attr( $alt );?>">
+							<img <?php echo $lazy; ?> alt="<?php echo esc_attr( $alt );?>">
 						</a>
 
 					<?php } else { ?>
 
-						<img <?php echo esc_attr( $lazy ); ?> alt="<?php echo esc_attr( $alt );?>">
+						<img <?php echo $lazy; ?> alt="<?php echo esc_attr( $alt );?>">
 
 					<?php }
 
diff --git a/public/includes/components/component-quote.php b/public/includes/components/component-quote.php
index c67ad208..63c076ae 100644
--- a/public/includes/components/component-quote.php
+++ b/public/includes/components/component-quote.php
@@ -82,7 +82,7 @@ function aesop_quote_shortcode( $atts ) {
 
 		do_action( 'aesop_quote_before' ); // action
 ?>
-			<div id="aesop-quote-component-<?php echo esc_attr( $unique );?>" <?php echo aesop_component_data_atts( 'quote', $unique, $atts );?> class="aesop-component aesop-quote-component <?php echo sanitize_html_class( $core_classes ) . ' ' . sanitize_html_class( $css_classes ); ?>" <?php echo esc_attr( $style ); ?>>
+			<div id="aesop-quote-component-<?php echo esc_attr( $unique );?>" <?php echo aesop_component_data_atts( 'quote', $unique, $atts );?> class="aesop-component aesop-quote-component <?php echo sanitize_html_class( $core_classes ) . ' ' . sanitize_html_class( $css_classes ); ?>" <?php echo $style; ?>>
 
 				<?php if ( 'block' == $atts['type'] ): ?>
 					<!-- Aesop Core | Quote -->

From 456932d9b6083275ad98ea0f180532b91e49704c Mon Sep 17 00:00:00 2001
From: Matt Harvey <harveym@gmail.com>
Date: Tue, 7 Apr 2015 10:11:25 -0700
Subject: [PATCH 5/5] Remove errant ()s

---
 admin/class-aesop-core-admin.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/admin/class-aesop-core-admin.php b/admin/class-aesop-core-admin.php
index 94ef009f..b44eb3d0 100755
--- a/admin/class-aesop-core-admin.php
+++ b/admin/class-aesop-core-admin.php
@@ -148,7 +148,7 @@ public function generator_button() {
 
 		$button = apply_filters( 'aesop_generator_button', $getbutton );
 
-		echo ( $button );
+		echo $button;
 
 	}