Escape output

admin/class-aesop-core-admin.php

@@ -193,13 +193,9 @@ public function generator_popup() {
 					<div class="aesop-select-wrap fix aesop-generator-left">
 						<select name="aesop-select" class="aesop-generator" id="aesop-generator-select">
 
-							<?php
-			foreach ( aesop_shortcodes() as $name => $shortcode ) {
-?>
-							<option value="<?php echo $name; ?>"><?php echo str_replace( '_', ' ', strtoupper( $name ) ); ?></option>
-							<?php
-			}
-?>
+							<?php foreach ( aesop_shortcodes() as $name => $shortcode ) : ?>
+							<option value="<?php echo esc_attr( $name ); ?>"><?php echo str_replace( '_', ' ', strtoupper( esc_html( $name ) ) ); ?></option>
+							<?php endforeach; ?>
 						</select>
 
 						<?php if ( ! defined( 'AI_CORE_WATERMARK' ) ) {

admin/includes/components/component-gallery.php

@@ -172,14 +172,14 @@ public function render_gallery_box( $post ) {
 		if ( ! empty( $get_image_ids ) ):
 			foreach ( $image_ids as $image_id ):
 
-				$image    = wp_get_attachment_image_src( $image_id, 'thumbnail', false );
+				$image = wp_get_attachment_image_src( $image_id, 'thumbnail', false );
 
 ?>
-				<li id="<?php echo $image_id;?>" class="ase-gallery-image">
+				<li id="<?php echo esc_attr( $image_id ); ?>" class="ase-gallery-image">
 					<i class="dashicons dashicons-no-alt" title="Delete From Gallery"></i>
 					<i class='dashicons dashicons-edit' title="Edit Image Caption"></i>
-		           	<img src="<?php echo $image[0];?>">
-		          </li>
+					<img src="<?php echo esc_url( $image[0] );?>">
+				</li>
 					<?php
 
 		endforeach;
@@ -456,7 +456,7 @@ public function upgrade_click_handle() {
 
 				  		var data = {
 				            action: 'upgrade_galleries',
-				            security: '<?php echo $nonce;?>'
+				            security: <?php echo json_encode( $nonce ); ?>
 				        };
 
 					  	jQuery.post(ajaxurl, data, function(response) {

admin/includes/components/component-map.php

@@ -140,14 +140,11 @@ public function render_map_box( $post ) {
 		echo '<div id="aesop-map" style="height:350px;"></div>';
 
 		$ase_map_locations   = get_post_meta( $post->ID, 'ase_map_component_locations' );
-		$ase_map_start_point  = get_post_meta( $post->ID, 'ase_map_component_start_point', true );
-		$get_map_zoom    = get_post_meta( $post->ID, 'ase_map_component_zoom', true );
+		$ase_map_start_point = get_post_meta( $post->ID, 'ase_map_component_start_point', true );
+		$get_map_zoom        = get_post_meta( $post->ID, 'ase_map_component_zoom', true );
 
-		$ase_map_start_point  = empty ( $ase_map_start_point ) ? array( 29.76, -95.38 ) : array( $ase_map_start_point['lat'], $ase_map_start_point['lng'] );
-		$ase_map_zoom    = empty ( $get_map_zoom ) ? 12 : $get_map_zoom;
-
-		$ase_map_start_point  = json_encode( $ase_map_start_point );
-		$ase_map_locations   = json_encode( $ase_map_locations );
+		$ase_map_start_point = empty ( $ase_map_start_point ) ? array( 29.76, -95.38 ) : array( $ase_map_start_point['lat'], $ase_map_start_point['lng'] );
+		$ase_map_zoom        = empty ( $get_map_zoom ) ? 12 : $get_map_zoom;
 
 		$tiles      = aesop_map_tile_provider( $post->ID );
 
@@ -157,7 +154,7 @@ public function render_map_box( $post ) {
 
 				jQuery(document).ready(function(){
 
-					var start_point = <?php echo $ase_map_start_point; ?>;
+					var start_point = <?php echo json_encode( $ase_map_start_point ); ?>;
 					var start_zoom = <?php echo absint( $ase_map_zoom ); ?>;
 
 					var map = L.map('aesop-map',{
@@ -175,12 +172,12 @@ public function render_map_box( $post ) {
 						setMapCenter(lat,lng);
   					});
 
-					L.tileLayer('<?php echo $tiles;?>', {
+					L.tileLayer('<?php echo json_encode( $tiles ); ?>', {
 						maxZoom: 20
 					}).addTo(map);
 
 					<?php if ( ! empty( $ase_map_locations ) ) : ?>
-						var ase_map_locations = <?php echo $ase_map_locations; ?>
+						var ase_map_locations = <?php echo json_encode( $ase_map_locations ); ?>
 					<?php endif; ?>
 
 					ase_map_locations.forEach(function(location) {
@@ -411,7 +408,7 @@ public function upgrade_map_notice() {
 
 			$out .= '</p></div>';
 
-			echo $out;
+			echo wp_kses( $out );
 
 		}
 	}
@@ -490,7 +487,7 @@ public function upgrade_marker_meta() {
 
 				$old_start_point = get_post_meta( $id, 'aesop_map_start', true );
 				if ( ! empty ( $old_start_point ) ) {
-					echo $old_start_point;
+					echo esc_html( $old_start_point );
 					$old_start_point = explode( ',', $old_start_point );
 					if ( count( $old_start_point ) == 2 ) {
 						$translated = array();
@@ -534,7 +531,7 @@ public function upgrade_click_handle() {
 
 				  		var data = {
 				            action: 'upgrade_marker_meta',
-				            security: '<?php echo $nonce;?>'
+				            security: <?php echo json_encode( $nonce );?>
 				        };
 
 					  	jQuery.post(ajaxurl, data, function(response) {
@@ -566,7 +563,7 @@ public function upgrade_mapboxid_notice() {
 
 			$out .= '</p></div>';
 
-			echo $out;
+			echo wp_kses( $out );
 
 		}
 	}
@@ -593,7 +590,7 @@ public function upgrade_mapbox_click_handle() {
 
 				  		var data = {
 				            action: 'upgrade_mapbox',
-				            security: '<?php echo $nonce;?>'
+				            security: <?php echo json_encode( $nonce ); ?>
 				        };
 
 					  	$.post(ajaxurl, data, function(response) {

public/includes/components/component-cbox.php

@@ -82,7 +82,7 @@ function aesop_content_shortcode( $atts, $content = null ) {
 
 		do_action( 'aesop_cbox_before' ); // action
 ?>
-				<div <?php echo aesop_component_data_atts( 'content', $unique, $atts, true );?> class="aesop-component aesop-content-component <?php echo sanitize_html_class( $classes ).' '.$has_img. ' '.$has_floater;?>" style="<?php echo $height;?>" >
+				<div <?php echo aesop_component_data_atts( 'content', $unique, $atts, true ); ?> class="aesop-component aesop-content-component <?php echo sanitize_html_class( $classes ) . ' ' . sanitize_html_class( $has_img ) . ' ' . sanitize_html_class( $has_floater ); ?>" style="<?php echo esc_attr( $height ); ?>" >
 
 					<?php if ( $atts['floatermedia'] && ! wp_is_mobile() ) { ?>
 						<!-- Aesop Content Component -->
@@ -120,17 +120,17 @@ function scrollParallax(){
 
 		echo do_action( 'aesop_cbox_inside_top' ); // action ?>
 
-					<div id="aesop-content-component-<?php echo $unique;?>" class="aesop-content-comp-wrap <?php echo $typeclass;?>" <?php echo $itemstyle;?>>
+					<div id="aesop-content-component-<?php echo esc_attr( $unique ); ?>" class="aesop-content-comp-wrap <?php echo sanitize_html_class( $typeclass ); ?>" <?php echo $itemstyle; ?>>
 
 						<?php echo do_action( 'aesop_cbox_content_inside_top' ); // action
 
 		if ( $atts['floatermedia'] && ! wp_is_mobile() ) { ?>
 
-							<div class="aesop-content-component-floater <?php echo $floaterposition;?>" data-speed="10"><?php echo aesop_component_media_filter( $atts['floatermedia'] );?></div>
+							<div class="aesop-content-component-floater <?php echo sanitize_html_class( $floaterposition ); ?>" data-speed="10"><?php echo aesop_component_media_filter( esc_html( $atts['floatermedia'] ) );?></div>
 
 						<?php } ?>
 
-						<div class="aesop-component-content-data aesop-content-comp-inner <?php echo $contentwidth;?>" <?php echo $innerstyle;?>>
+						<div class="aesop-component-content-data aesop-content-comp-inner <?php echo sanitize_html_class( $contentwidth ); ?>" <?php echo $innerstyle; ?>>
 
 							<?php echo do_action( 'aesop_cbox_content_inner_inside_top' ); // action ?>
 

public/includes/components/component-character.php

@@ -47,7 +47,7 @@ function aesop_character_shortcode( $atts, $content = null ) {
 					<?php do_action( 'aesop_character_inside_top' ); // action ?>
 
 					<div class="aesop-character-inner aesop-content">
-						<div class="aesop-character-float aesop-character-<?php echo esc_attr( $atts['align'] );?>" <?php echo $styles;?>>
+						<div class="aesop-character-float aesop-character-<?php echo esc_attr( $atts['align'] );?>" <?php echo $styles; ?>>
 
 							<?php do_action( 'aesop_character_inner_inside_top' ); // action ?>
 

public/includes/components/component-collections.php

@@ -44,7 +44,7 @@ function aesop_collection_shortcode( $atts ) {
 					<h4 class="aesop-story-collection-title"><span><?php echo esc_html( $atts['title'] );?></span></h4>
 				<?php } ?>
 
-					<div id="aesop-collection-<?php echo $unique;?>" class="aesop-collection-grid clearfix aesop-collection-grid-<?php echo absint( $col );?>col <?php echo sanitize_html_class( $splash_class );?>">
+					<div id="aesop-collection-<?php echo esc_attr( $unique ); ?>" class="aesop-collection-grid clearfix aesop-collection-grid-<?php echo absint( $col );?>col <?php echo sanitize_html_class( $splash_class );?>">
 
 						<?php
 
@@ -73,12 +73,12 @@ function aesop_collection_shortcode( $atts ) {
 
 					foreach ( $cats as $cat ) {
 
-						?><div class="aesop-collection-item aesop-collection-category-<?php echo $cat->slug;?>">
+						?><div class="aesop-collection-item aesop-collection-category-<?php echo esc_attr( $cat->slug ); ?>">
 											<?php do_action( 'aesop_collection_inside_category_item_top' ); // action ?>
 											<a class="aesop-collection-item-link" href="<?php echo get_category_link( $cat->term_id );?>">
 												<div class="aesop-collection-item-inner">
-													<h2 class="aesop-collection-entry-title" itemprop="title"><?php echo $cat->name;?></h2>
-													<div class="aesop-collection-item-excerpt"><?php echo $cat->category_description;?></div>
+													<h2 class="aesop-collection-entry-title" itemprop="title"><?php echo esc_html( $cat->name ); ?></h2>
+													<div class="aesop-collection-item-excerpt"><?php echo esc_html( $cat->category_description ); ?></div>
 												</div>
 												<div class="aesop-collection-item-img"></div>
 											</a>
@@ -121,7 +121,7 @@ function aesop_collection_shortcode( $atts ) {
 												<p class="aesop-collection-meta">Written by <?php echo get_the_author();?></p>
 												<div class="aesop-collection-item-excerpt"><?php echo wp_trim_words( get_the_excerpt(), 22, '...' );?></div>
 											</div>
-											<div class="aesop-collection-item-img" style="background-image:url(<?php echo $coverimg[0];?>);background-repeat:no-repeat;background-size:cover;"></div>
+											<div class="aesop-collection-item-img" style="background-image:url(<?php echo esc_url( $coverimg[0] ); ?>);background-repeat:no-repeat;background-size:cover;"></div>
 										</a>
 										<?php do_action( 'aesop_collection_inside_item_bottom' ); // action ?>
 									</div>

public/includes/components/component-gallery.php

@@ -182,10 +182,10 @@ public function aesop_grid_gallery( $gallery_id, $image_ids, $width ) {
 
 		foreach ( $image_ids as $image_id ):
 
-			$getimage   = wp_get_attachment_image( $image_id, 'aesop-grid-image', false, array( 'class' => 'aesop-grid-image' ) );
-		$getimagesrc    = wp_get_attachment_image_src( $image_id, 'full' );
-		$img_title     = get_post( $image_id )->post_title;
-		$caption   = get_post( $image_id )->post_excerpt;
+			$getimage    = wp_get_attachment_image( $image_id, 'aesop-grid-image', false, array( 'class' => 'aesop-grid-image' ) );
+			$getimagesrc = wp_get_attachment_image_src( $image_id, 'full' );
+			$img_title   = get_post( $image_id )->post_title;
+			$caption     = get_post( $image_id )->post_excerpt;
 
 ?>
 
@@ -194,7 +194,7 @@ public function aesop_grid_gallery( $gallery_id, $image_ids, $width ) {
 						<?php if ( $caption ) { ?>
 							<span class="aesop-grid-gallery-caption"><?php echo aesop_component_media_filter( $caption );?></span>
 						<?php } ?>
-						<span class="clearfix"><?php echo $getimage;?></span>
+						<span class="clearfix"><?php echo $getimage; ?></span>
 					</a>
 				</li>
 
@@ -242,7 +242,7 @@ public function aesop_stacked_gallery( $image_ids, $unique ) {
 			$caption   = get_post( $image_id )->post_excerpt;
 
 ?>
-           	<div class="aesop-stacked-img" style="background-image:url('<?php echo esc_url( $full[0] );?>');<?php echo $styles;?>">
+           	<div class="aesop-stacked-img" style="background-image:url('<?php echo esc_url( $full[0] ); ?>');<?php echo esc_attr( $styles ); ?>">
            		<?php if ( $caption ) { ?>
            			<div class="aesop-stacked-caption"><?php echo aesop_component_media_filter( $caption );?></div>
            		<?php } ?>
@@ -269,18 +269,18 @@ public function aesop_sequence_gallery( $image_ids ) {
 		foreach ( $image_ids as $image_id ):
 
 			$img     = wp_get_attachment_image_src( $image_id, $size, false, '' );
-		$alt     = get_post_meta( $image_id, '_wp_attachment_image_alt', true );
-		$caption = get_post( $image_id )->post_excerpt;
+			$alt     = get_post_meta( $image_id, '_wp_attachment_image_alt', true );
+			$caption = get_post( $image_id )->post_excerpt;
 
-		$lazy   = class_exists( 'AesopLazyLoader' ) && ! is_user_logged_in() ? sprintf( 'src="%s" data-src="%s" class="aesop-sequence-img aesop-lazy-img"', $lazy_holder, esc_url( $img[0] ) ) : sprintf( 'src="%s" class="aesop-sequence-img" ', esc_url( $img[0] ) );
+			$lazy    = class_exists( 'AesopLazyLoader' ) && ! is_user_logged_in() ? sprintf( 'src="%s" data-src="%s" class="aesop-sequence-img aesop-lazy-img"', $lazy_holder, esc_url( $img[0] ) ) : sprintf( 'src="%s" class="aesop-sequence-img" ', esc_url( $img[0] ) );
 
 ?>
            	<figure class="aesop-sequence-img-wrap">
 
-           		<img <?php echo $lazy;?> alt="<?php echo esc_attr( $alt );?>">
+           		<img <?php echo esc_attry( $lazy );?> alt="<?php echo esc_attr( $alt );?>">
 
            		<?php if ( $caption ) { ?>
-           			<figcaption class="aesop-content aesop-component-caption aesop-sequence-caption"><?php echo aesop_component_media_filter( $caption );?></figcaption>
+           			<figcaption class="aesop-content aesop-component-caption aesop-sequence-caption"><?php echo aesop_component_media_filter( esc_html( $caption ) ); ?></figcaption>
            		<?php } ?>
 
            	</figure>
@@ -358,7 +358,7 @@ public function aesop_photoset_gallery( $gallery_id, $image_ids, $width ) {
 
 			$lb_link    = $lightbox ? sprintf( 'data-highres="%s"', esc_url( $full[0] ) ) : null;
 
-			?><img src="<?php echo esc_url( $full[0] );?>" <?php echo $lb_link;?> data-caption="<?php echo esc_attr( $caption );?>" title="<?php echo esc_attr( $title );?>" alt="<?php echo esc_attr( $alt );?>"><?php
+			?><img src="<?php echo esc_url( $full[0] );?>" <?php echo esc_html( $lb_link ); ?> data-caption="<?php echo esc_attr( $caption );?>" title="<?php echo esc_attr( $title );?>" alt="<?php echo esc_attr( $alt );?>"><?php
 
 		}
 

public/includes/components/component-heading.php

@@ -38,11 +38,11 @@ function aesop_chapter_shortcode( $atts ) {
 		do_action( 'aesop_chapter_before' ); // action
 
 ?>
-			<div id="chapter-unique-<?php echo $unique;?>" <?php echo aesop_component_data_atts( 'chapter', $unique, $atts );?> class="aesop-article-chapter-wrap default-cover <?php echo $video_chapter_class;?> aesop-component <?php echo $img_style_class;?> <?php echo $full_class;?> " >
+			<div id="chapter-unique-<?php echo esc_attr( $unique );?>" <?php echo aesop_component_data_atts( 'chapter', $unique, $atts );?> class="aesop-article-chapter-wrap default-cover <?php echo sanitize_html_class( $video_chapter_class ); ?> aesop-component <?php echo sanitize_html_class( $img_style_class ); ?> <?php echo sanitize_html_class( $full_class ); ?> " >
 
 				<?php do_action( 'aesop_chapter_inside_top' ); // action ?>
 
-				<div class="aesop-article-chapter clearfix" <?php echo $img_style;?> >
+				<div class="aesop-article-chapter clearfix" <?php echo esc_attr( $img_style ); ?> >
 
 					<h2 class="aesop-cover-title" itemprop="title" data-title="<?php echo esc_attr( $atts['title'] );?>">
 						<span><?php echo esc_html( $atts['title'] );?></span>

public/includes/components/component-image.php

@@ -51,21 +51,21 @@ function aesop_image_shortcode( $atts ) {
 			<?php do_action( 'aesop_image_inside_top' ); // action ?>
 
 			<figure class="aesop-content">
-				<div class="aesop-image-component-image aesop-component-align-<?php echo sanitize_html_class( $atts['align'] );?> aesop-image-component-caption-<?php echo sanitize_html_class( $atts['captionposition'] );?>" <?php echo esc_attr( $offsetstyle );?>>
+				<div class="aesop-image-component-image aesop-component-align-<?php echo sanitize_html_class( $atts['align'] );?> aesop-image-component-caption-<?php echo sanitize_html_class( $atts['captionposition'] );?>" <?php echo $offsetstyle;?>>
 					<?php
 
 		do_action( 'aesop_image_inner_inside_top' ); // action
 
 		if ( 'on' == $atts['lightbox'] ) { ?>
 
-						<a class="aesop-lightbox" href="<?php echo $atts['img'];?>" title="<?php echo $atts['caption'];?>">
+						<a class="aesop-lightbox" href="<?php echo esc_url( $atts['img'] ); ?>" title="<?php echo esc_attr( $atts['caption'] ); ?>">
 							<p class="aesop-img-enlarge"><i class="aesopicon aesopicon-search-plus"></i> <?php _e( 'Enlarge', 'aesop-core' );?></p>
-							<img <?php echo $lazy;?> alt="<?php echo esc_attr( $alt );?>">
+							<img <?php echo $lazy; ?> alt="<?php echo esc_attr( $alt );?>">
 						</a>
 
 					<?php } else { ?>
 
-						<img <?php echo $lazy;?> alt="<?php echo esc_attr( $alt );?>">
+						<img <?php echo $lazy; ?> alt="<?php echo esc_attr( $alt );?>">
 
 					<?php }
 

public/includes/components/component-map.php

@@ -53,7 +53,7 @@ function aesop_map_shortcode( $atts ) {
 
 		} ?>
 
-			<div id="aesop-map-component" <?php echo aesop_component_data_atts( 'map', $unique, $atts );?> class="aesop-component aesop-map-component <?php echo sanitize_html_class( $classes );?> " <?php echo $height;?>>
+			<div id="aesop-map-component" <?php echo aesop_component_data_atts( 'map', $unique, $atts );?> class="aesop-component aesop-map-component <?php echo sanitize_html_class( $classes );?> " <?php echo esc_attr( $height ); ?>>
 
 				<?php
 		/**
@@ -139,30 +139,30 @@ public function aesop_map_loader() {
 					var map = L.map('aesop-map-component',{
 						scrollWheelZoom: false,
 						zoom: <?php echo wp_filter_nohtml_kses( round( $zoom ) );?>,
-						center: [<?php echo $start;?>]
+						center: [<?php echo json_encode( $start ); ?>]
 					});
 
-					L.tileLayer('<?php echo $tiles;?>', {
+					L.tileLayer('<?php echo json_encode( $tiles ); ?>', {
 						maxZoom: 20
 					}).addTo(map);
 
 					<?php
 			foreach ( $markers as $marker ):
 
 				$lat  = $marker['lat'];
-			$long  = $marker['lng'];
-			$text  = $marker['title'] ? $marker['title'] : null;
+				$long = $marker['lng'];
+				$text = $marker['title'] ? $marker['title'] : null;
 
-			$loc  = sprintf( '%s,%s', esc_attr( $lat ), esc_attr( $long ) );
+				$loc  = sprintf( '%s,%s', esc_attr( $lat ), esc_attr( $long ) );
 
 			// if market content is set run a popup
 			if ( $text ) { ?>
 
-							L.marker([<?php echo $loc;?>]).addTo(map).bindPopup('<?php echo aesop_component_media_filter( $text );?>').openPopup();
+							L.marker([<?php echo json_encode( $loc );?>]).addTo(map).bindPopup('<?php echo aesop_component_media_filter( $text );?>').openPopup();
 
 						<?php } else { ?>
 
-							L.marker([<?php echo $loc;?>]).addTo(map);
+							L.marker([<?php echo json_encode( $loc );?>]).addTo(map);
 
 						<?php }
 

public/includes/components/component-parallax.php

@@ -137,7 +137,7 @@ function scrollParallax(){
 					<a class="aesop-lb-link aesop-lightbox" rel="lightbox" title="<?php echo esc_attr( $atts['caption'] );?>" href="<?php echo esc_url( $atts['img'] );?>"><i class="aesopicon aesopicon-search-plus"></i></a>
 				<?php } ?>
 
-				<img class="aesop-parallax-sc-img <?php echo $laxclass;?>" src="<?php echo esc_url( $atts['img'] );?>" alt="<?php echo esc_attr( $auto_alt );?>" >
+				<img class="aesop-parallax-sc-img <?php echo sanitize_html_class( $laxclass ); ?>" src="<?php echo esc_url( $atts['img'] );?>" alt="<?php echo esc_attr( $auto_alt );?>" >
 
 				<?php if ( $atts['caption'] ) { ?>
 					<figcaption class="aesop-parallax-sc-caption-wrap <?php echo sanitize_html_class( $atts['captionposition'] );?>">

public/includes/components/component-quote.php

@@ -82,7 +82,7 @@ function aesop_quote_shortcode( $atts ) {
 
 		do_action( 'aesop_quote_before' ); // action
 ?>
-			<div id="aesop-quote-component-<?php echo esc_attr( $unique );?>" <?php echo aesop_component_data_atts( 'quote', $unique, $atts );?> class="aesop-component aesop-quote-component <?php echo $core_classes.' '.$css_classes;?>" <?php echo $style;?>>
+			<div id="aesop-quote-component-<?php echo esc_attr( $unique );?>" <?php echo aesop_component_data_atts( 'quote', $unique, $atts );?> class="aesop-component aesop-quote-component <?php echo sanitize_html_class( $core_classes ) . ' ' . sanitize_html_class( $css_classes ); ?>" <?php echo $style; ?>>
 
 				<?php if ( 'block' == $atts['type'] ): ?>
 					<!-- Aesop Core | Quote -->