Fix WordPress.Security.EscapeOutput errors in payment and email templ… (#62)

marcusquinn · superdav42 · web-flow · commit 19458f612ef8 · 2025-04-22T17:05:12.000-06:00
* Fix WordPress.Security.EscapeOutput errors in payment and email templates

---------

Co-authored-by: David Stone &lt;david@nnucomputerwhiz.com&gt;
diff --git a/views/dashboard-widgets/limits-and-quotas.php b/views/dashboard-widgets/limits-and-quotas.php
@@ -7,14 +7,14 @@
 ?>
 <div class="wu-styling <?php echo esc_attr($className); ?>">
 
-	<div class="<?php echo wu_env_picker('', 'wu-widget-inset'); ?>">
+	<div class="<?php echo esc_attr(wu_env_picker('', 'wu-widget-inset')); ?>">
 
 	<!-- Title Element -->
-	<div class="wu-p-4 wu-flex wu-items-center <?php echo wu_env_picker('', 'wu-bg-gray-100 wu-border-solid wu-border-0 wu-border-b wu-border-gray-200'); ?>">
+	<div class="wu-p-4 wu-flex wu-items-center <?php echo esc_attr(wu_env_picker('', 'wu-bg-gray-100 wu-border-solid wu-border-0 wu-border-b wu-border-gray-200')); ?>">
 
 		<?php if ($title) : ?>
 
-		<h3 class="wu-m-0 <?php echo wu_env_picker('', 'wu-widget-title'); ?>">
+		<h3 class="wu-m-0 <?php echo esc_attr(wu_env_picker('', 'wu-widget-title')); ?>">
 
 			<?php echo esc_html($title); ?>
 
@@ -25,7 +25,7 @@
 	</div>
 	<!-- Title Element - End -->
 
-	<ul class="wu-list-none wu-m-0 wu-p-4 wu-grid wu-gap-2 wu-row-gap-0 lg:wu-grid-cols-<?php echo esc_attr((int) $columns); ?> <?php echo wu_env_picker('', 'wu-p-4'); ?>">
+	<ul class="wu-list-none wu-m-0 wu-p-4 wu-grid wu-gap-2 wu-row-gap-0 lg:wu-grid-cols-<?php echo esc_attr((int) $columns); ?> <?php echo esc_attr(wu_env_picker('', 'wu-p-4')); ?>">
 
 		<?php if ($post_type_limits->is_enabled()) : ?>
 
@@ -66,7 +66,7 @@
 
 				<span class="wu-w-full wu-bg-gray-200 wu-rounded-full wu-h-1 wu-block wu-my-2">
 
-					<span class="<?php echo esc_attr(wu_get_random_color($index)); ?> wu-rounded-full wu-h-1 wu-block wu-my-1" style="width: <?php echo $width; ?>%;"></span>
+					<span class="<?php echo esc_attr(wu_get_random_color($index)); ?> wu-rounded-full wu-h-1 wu-block wu-my-1" style="width: <?php echo esc_attr($width); ?>%;"></span>
 
 				</span>
 
@@ -115,21 +115,21 @@
 
 			<?php esc_html_e('Unique Visits', 'wp-multisite-waas'); ?>
 
-			<?php echo wu_tooltip(sprintf(__('Next Reset: %s', 'wp-multisite-waas'), date_i18n(get_option('date_format', 'd/m/Y'), strtotime('last day of this month')))); ?>
+			<?php echo wu_tooltip(sprintf(esc_html__('Next Reset: %s', 'wp-multisite-waas'), date_i18n(get_option('date_format', 'd/m/Y'), strtotime('last day of this month')))); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
 
 			</div>
 
 			<span class="wu-w-full wu-bg-gray-200 wu-rounded-full wu-h-1 wu-block wu-my-3">
 
-			<span class="wu-bg-orange-500 wu-rounded-full wu-h-1 wu-block wu-my-1" style="width: <?php echo $visits_width; ?>%;"></span>
+			<span class="wu-bg-orange-500 wu-rounded-full wu-h-1 wu-block wu-my-1" style="width: <?php echo esc_attr($visits_width); ?>%;"></span>
 
 			</span>
 
 			<div class="wu-text-xs wu-text-gray-600 wu-align-middle">
 
 			<?php echo number_format($visits_count); ?>
 			/
-			<?php echo $visit_limitations->get_limit() == 0 ? __('Unlimited', 'wp-multisite-waas') : number_format((int) $visit_limitations->get_limit()); ?>
+			<?php echo $visit_limitations->get_limit() == 0 ? esc_html__('Unlimited', 'wp-multisite-waas') : esc_html(number_format((int) $visit_limitations->get_limit())); ?>
 
 			</div>
 
diff --git a/views/dynamic-styles/template-previewer.php b/views/dynamic-styles/template-previewer.php
@@ -6,23 +6,23 @@
  */
 ?>
 body #switcher {
-	background-color: #<?php echo $bg_color->getHex(); ?>;
-	border-bottom: 5px solid <?php echo $bg_color->isDark() ? '#f9f9f9' : '#333'; ?>;
+	background-color: #<?php echo esc_attr($bg_color->getHex()); ?>;
+	border-bottom: 5px solid <?php echo esc_attr($bg_color->isDark() ? '#f9f9f9' : '#333'); ?>;
 }
 
 #template_selector {
-	color: <?php echo $bg_color->isDark() ? '#dfdfdf' : '#555'; ?>;
+	color: <?php echo esc_attr($bg_color->isDark() ? '#dfdfdf' : '#555'); ?>;
 }
 
 .responsive a {
-	color: <?php echo $bg_color->isDark() ? '#fff' : '#444'; ?>
+	color: <?php echo esc_attr($bg_color->isDark() ? '#fff' : '#444'); ?>
 }
 
 .responsive a.active, .responsive a:hover {
-	color: <?php echo $bg_color->isDark() ? '#fff' : '#444'; ?>
+	color: <?php echo esc_attr($bg_color->isDark() ? '#fff' : '#444'); ?>
 }
 
 .select-template a, .mobile-selector a {
-	background-color: #<?php echo $button_bg_color->getHex(); ?>;
-	color: <?php echo $button_bg_color->isDark() ? '#fff' : '#444'; ?>;
+	background-color: #<?php echo esc_attr($button_bg_color->getHex()); ?>;
+	color: <?php echo esc_attr($button_bg_color->isDark() ? '#fff' : '#444'); ?>;
 }
diff --git a/views/emails/admin/domain-created.php b/views/emails/admin/domain-created.php
@@ -7,7 +7,7 @@
 ?>
 <p><?php esc_html_e('Hey there', 'wp-multisite-waas'); ?></p>
 
-<p><?php printf(__('A new domain, %2$s, was added to the site %3$s.', 'wp-multisite-waas'), '{{customer_name}}', '{{domain_domain}}', '{{site_title}}'); ?></p>
+<p><?php printf(esc_html__('A new domain, %2$s, was added to the site %3$s.', 'wp-multisite-waas'), '{{customer_name}}', '{{domain_domain}}', '{{site_title}}'); ?></p>
 
 <h2><b><?php esc_html_e('Domain', 'wp-multisite-waas'); ?></b></h2>
 
diff --git a/views/emails/admin/payment-received.php b/views/emails/admin/payment-received.php
@@ -7,7 +7,7 @@
 ?>
 <p><?php esc_html_e('Hey there', 'wp-multisite-waas'); ?></p>
 
-<p><?php printf(__('We have great news! You received %1$s from %2$s (%3$s) for %4$s.', 'wp-multisite-waas'), '{{payment_total}}', '{{customer_name}}', '{{customer_user_email}}', '{{payment_product_names}}'); ?></p>
+<p><?php printf(esc_html__('We have great news! You received %1$s from %2$s (%3$s) for %4$s.', 'wp-multisite-waas'), '{{payment_total}}', '{{customer_name}}', '{{customer_user_email}}', '{{payment_product_names}}'); ?></p>
 
 <p><a href="{{payment_invoice_url}}" style="text-decoration: none;" rel="nofollow"><?php esc_html_e('Download Invoice', 'wp-multisite-waas'); ?></a></p>
 
diff --git a/views/events/widget-initiator.php b/views/events/widget-initiator.php
@@ -15,7 +15,7 @@
 
 		<?php if ($object->get_initiator() == 'manual') : ?>
 
-		<a href='<?php echo wu_network_admin_url('wp-ultimo-edit-customer', ['id' => $object->get_author_id()]); ?>' class='wu-table-card wu-text-gray-700 wu-p-2 wu-flex wu-flex-grow wu-rounded wu-items-center wu-border wu-border-solid wu-border-gray-300 wu-no-underline'>
+		<a href='<?php echo esc_url(wu_network_admin_url('wp-ultimo-edit-customer', ['id' => $object->get_author_id()])); ?>' class='wu-table-card wu-text-gray-700 wu-p-2 wu-flex wu-flex-grow wu-rounded wu-items-center wu-border wu-border-solid wu-border-gray-300 wu-no-underline'>
 
 			<div class="wu-flex wu-relative wu-h-7 wu-w-7 wu-rounded-full wu-ring-2 wu-ring-white wu-bg-gray-300 wu-items-center wu-justify-center wu-mr-3">
 
@@ -32,13 +32,13 @@
 				]
 			);
 
-			echo $avatar;
+			echo $avatar; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 
 			?>
 
-			<span role="tooltip" aria-label="<?php echo $object->get_initiator() . ' - ' . $object->get_severity_label(); ?>" class="wu-absolute wu-rounded-full wu--mb-2 wu--mr-2 wu-flex wu-items-center wu-justify-center wu-font-mono wu-bottom-0 wu-right-0 wu-font-bold wu-h-3 wu-w-3 wu-uppercase wu-text-2xs wu-p-1 wu-border-solid wu-border-2 wu-border-white <?php echo $object->get_severity_class(); ?>">
+			<span role="tooltip" aria-label="<?php echo esc_attr($object->get_initiator().' - '.$object->get_severity_label()); ?>" class="wu-absolute wu-rounded-full wu--mb-2 wu--mr-2 wu-flex wu-items-center wu-justify-center wu-font-mono wu-bottom-0 wu-right-0 wu-font-bold wu-h-3 wu-w-3 wu-uppercase wu-text-2xs wu-p-1 wu-border-solid wu-border-2 wu-border-white <?php echo esc_attr($object->get_severity_class()); ?>">
 
-				<?php echo substr($object->get_severity_label(), 0, 1); ?>
+				<?php echo esc_html(substr($object->get_severity_label(), 0, 1)); ?>
 
 			</span>
 
@@ -62,9 +62,9 @@
 
 				<span class="dashicons-wu-tools wu-text-gray-700 wu-text-xl"></span>
 
-				<span role="tooltip" aria-label="<?php echo $object->get_initiator() . ' - ' . $object->get_severity_label(); ?>" class="wu-absolute wu-rounded-full wu--mb-2 wu--mr-2 wu-flex wu-items-center wu-justify-center wu-font-mono wu-bottom-0 wu-right-0 wu-font-bold wu-h-3 wu-w-3 wu-uppercase wu-text-2xs wu-p-1 wu-border-solid wu-border-2 wu-border-white <?php echo $object->get_severity_class(); ?>">
+				<span role="tooltip" aria-label="<?php echo esc_attr($object->get_initiator().' - '.$object->get_severity_label()); ?>" class="wu-absolute wu-rounded-full wu--mb-2 wu--mr-2 wu-flex wu-items-center wu-justify-center wu-font-mono wu-bottom-0 wu-right-0 wu-font-bold wu-h-3 wu-w-3 wu-uppercase wu-text-2xs wu-p-1 wu-border-solid wu-border-2 wu-border-white <?php echo esc_attr($object->get_severity_class()); ?>">
 
-				<?php echo substr($object->get_severity_label(), 0, 1); ?>
+				<?php echo esc_html(substr($object->get_severity_label(), 0, 1)); ?>
 
 				</span>
 
@@ -98,11 +98,11 @@
 
 		switch ($type) {
 			case 'membership':
-				echo $base_list_table->column_membership($object);
+				echo $base_list_table->column_membership($object); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 				break;
 
 			case 'payment':
-				echo $base_list_table->column_payment($object);
+				echo $base_list_table->column_payment($object); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 				break;
 		}
 
diff --git a/views/payments/line-item-actions.php b/views/payments/line-item-actions.php
@@ -47,7 +47,7 @@
 
 		<span class="wu-ml-2 wu-text-gray-700">
 
-		<?php echo wu_format_currency($payment->get_refund_total(), $payment->get_currency()); ?>
+		<?php echo esc_html(wu_format_currency($payment->get_refund_total(), $payment->get_currency())); ?>
 
 		</span>
 
@@ -63,7 +63,7 @@
 
 		<span class="wu-ml-2">
 
-		<?php echo wu_format_currency($payment->get_total(), $payment->get_currency()); ?>
+		<?php echo esc_html(wu_format_currency($payment->get_total(), $payment->get_currency())); ?>
 
 		</span>
 
diff --git a/views/payments/tax-details.php b/views/payments/tax-details.php
@@ -14,15 +14,15 @@
 
 			<?php foreach ($tax_breakthrough as $tax_rate => $tax_total) : ?>
 			<tr>
-			<td><?php echo $tax_rate; ?>%</td>
-			<td><?php echo wu_format_currency($tax_total); ?></td>
+			<td><?php echo esc_html($tax_rate); ?>%</td>
+			<td><?php echo esc_html(wu_format_currency($tax_total)); ?></td>
 			</tr>
 		<?php endforeach; ?>
 
 			<?php if ( ! empty($payment)) : ?>
 			<tr>
 			<td><span class="wu-font-bold wu-uppercase wu-text-xs wu-text-gray-700"><?php esc_html_e('Total', 'wp-multisite-waas'); ?></span></td>
-			<td><?php echo wu_format_currency($payment->get_tax_total()); ?></td>
+			<td><?php echo esc_html(wu_format_currency($payment->get_tax_total())); ?></td>
 			</tr>
 		<?php endif; ?>
 

Original file line number	Diff line number	Diff line change
`@@ -6,23 +6,23 @@`
`6`	`6`	`*/`
`7`	`7`	`?>`
`8`	`8`	`body #switcher {`
`9`		`- background-color: #<?php echo $bg_color->getHex(); ?>;`
`10`		`- border-bottom: 5px solid <?php echo $bg_color->isDark() ? '#f9f9f9' : '#333'; ?>;`
	`9`	`+ background-color: #<?php echo esc_attr($bg_color->getHex()); ?>;`
	`10`	`+ border-bottom: 5px solid <?php echo esc_attr($bg_color->isDark() ? '#f9f9f9' : '#333'); ?>;`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`#template_selector {`
`14`		`- color: <?php echo $bg_color->isDark() ? '#dfdfdf' : '#555'; ?>;`
	`14`	`+ color: <?php echo esc_attr($bg_color->isDark() ? '#dfdfdf' : '#555'); ?>;`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`.responsive a {`
`18`		`- color: <?php echo $bg_color->isDark() ? '#fff' : '#444'; ?>`
	`18`	`+ color: <?php echo esc_attr($bg_color->isDark() ? '#fff' : '#444'); ?>`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`.responsive a.active, .responsive a:hover {`
`22`		`- color: <?php echo $bg_color->isDark() ? '#fff' : '#444'; ?>`
	`22`	`+ color: <?php echo esc_attr($bg_color->isDark() ? '#fff' : '#444'); ?>`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`.select-template a, .mobile-selector a {`
`26`		`- background-color: #<?php echo $button_bg_color->getHex(); ?>;`
`27`		`- color: <?php echo $button_bg_color->isDark() ? '#fff' : '#444'; ?>;`
	`26`	`+ background-color: #<?php echo esc_attr($button_bg_color->getHex()); ?>;`
	`27`	`+ color: <?php echo esc_attr($button_bg_color->isDark() ? '#fff' : '#444'); ?>;`
`28`	`28`	`}`