Changeset 3469313
- Timestamp:
- 02/25/2026 10:21:00 AM (4 weeks ago)
- Location:
- pixtypes
- Files:
-
- 68 edited
- 1 copied
-
tags/2.0.0 (copied) (copied from pixtypes/trunk)
-
tags/2.0.0/README.md (modified) (1 diff)
-
tags/2.0.0/class-pixtypes.php (modified) (2 diffs)
-
tags/2.0.0/core/bootstrap.php (modified) (1 diff)
-
tags/2.0.0/core/classes/HTMLTag.php (modified) (1 diff)
-
tags/2.0.0/core/classes/Processor.php (modified) (1 diff)
-
tags/2.0.0/core/classes/forms/FormField.php (modified) (1 diff)
-
tags/2.0.0/core/core.php (modified) (2 diffs)
-
tags/2.0.0/core/tests/bootstrap.php (modified) (2 diffs)
-
tags/2.0.0/core/views/form-partials/fields/color.php (modified) (1 diff)
-
tags/2.0.0/core/views/form-partials/fields/counter.php (modified) (1 diff)
-
tags/2.0.0/core/views/form-partials/fields/group.php (modified) (1 diff)
-
tags/2.0.0/core/views/form-partials/fields/postbox.php (modified) (2 diffs)
-
tags/2.0.0/core/views/form-partials/fields/select.php (modified) (1 diff)
-
tags/2.0.0/core/views/form-partials/fields/switch.php (modified) (1 diff)
-
tags/2.0.0/core/views/form-partials/fields/tabular-group.php (modified) (3 diffs)
-
tags/2.0.0/core/views/form-partials/fields/text.php (modified) (1 diff)
-
tags/2.0.0/features/metaboxes/cmb-field-select2-v2/cmb-field-select2.php (modified) (5 diffs)
-
tags/2.0.0/features/metaboxes/cmb-field-select2/cmb-field-select2.php (modified) (4 diffs)
-
tags/2.0.0/features/metaboxes/css/style.css (modified) (1 diff)
-
tags/2.0.0/features/metaboxes/fields/gallery.php (modified) (2 diffs)
-
tags/2.0.0/features/metaboxes/fields/gmap_pins.php (modified) (3 diffs)
-
tags/2.0.0/features/metaboxes/fields/image.php (modified) (2 diffs)
-
tags/2.0.0/features/metaboxes/fields/pix_builder.php (modified) (11 diffs)
-
tags/2.0.0/features/metaboxes/fields/playlist.php (modified) (2 diffs)
-
tags/2.0.0/features/metaboxes/fields/portfolio-gallery.php (modified) (1 diff)
-
tags/2.0.0/features/metaboxes/init.php (modified) (48 diffs)
-
tags/2.0.0/features/metaboxes/js/pixgallery.js (modified) (1 diff)
-
tags/2.0.0/features/metaboxes/js/piximage.js (modified) (1 diff)
-
tags/2.0.0/features/metaboxes/js/pixplaylist.js (modified) (1 diff)
-
tags/2.0.0/features/metaboxes/metaboxes.php (modified) (5 diffs)
-
tags/2.0.0/pixtypes.php (modified) (4 diffs)
-
tags/2.0.0/plugin-config.php (modified) (2 diffs)
-
tags/2.0.0/readme.txt (modified) (2 diffs)
-
tags/2.0.0/views/admin.php (modified) (3 diffs)
-
trunk/README.md (modified) (1 diff)
-
trunk/class-pixtypes.php (modified) (2 diffs)
-
trunk/core/bootstrap.php (modified) (1 diff)
-
trunk/core/classes/HTMLTag.php (modified) (1 diff)
-
trunk/core/classes/Processor.php (modified) (1 diff)
-
trunk/core/classes/forms/FormField.php (modified) (1 diff)
-
trunk/core/core.php (modified) (2 diffs)
-
trunk/core/tests/bootstrap.php (modified) (2 diffs)
-
trunk/core/views/form-partials/fields/color.php (modified) (1 diff)
-
trunk/core/views/form-partials/fields/counter.php (modified) (1 diff)
-
trunk/core/views/form-partials/fields/group.php (modified) (1 diff)
-
trunk/core/views/form-partials/fields/postbox.php (modified) (2 diffs)
-
trunk/core/views/form-partials/fields/select.php (modified) (1 diff)
-
trunk/core/views/form-partials/fields/switch.php (modified) (1 diff)
-
trunk/core/views/form-partials/fields/tabular-group.php (modified) (3 diffs)
-
trunk/core/views/form-partials/fields/text.php (modified) (1 diff)
-
trunk/features/metaboxes/cmb-field-select2-v2/cmb-field-select2.php (modified) (5 diffs)
-
trunk/features/metaboxes/cmb-field-select2/cmb-field-select2.php (modified) (4 diffs)
-
trunk/features/metaboxes/css/style.css (modified) (1 diff)
-
trunk/features/metaboxes/fields/gallery.php (modified) (2 diffs)
-
trunk/features/metaboxes/fields/gmap_pins.php (modified) (3 diffs)
-
trunk/features/metaboxes/fields/image.php (modified) (2 diffs)
-
trunk/features/metaboxes/fields/pix_builder.php (modified) (11 diffs)
-
trunk/features/metaboxes/fields/playlist.php (modified) (2 diffs)
-
trunk/features/metaboxes/fields/portfolio-gallery.php (modified) (1 diff)
-
trunk/features/metaboxes/init.php (modified) (48 diffs)
-
trunk/features/metaboxes/js/pixgallery.js (modified) (1 diff)
-
trunk/features/metaboxes/js/piximage.js (modified) (1 diff)
-
trunk/features/metaboxes/js/pixplaylist.js (modified) (1 diff)
-
trunk/features/metaboxes/metaboxes.php (modified) (5 diffs)
-
trunk/pixtypes.php (modified) (4 diffs)
-
trunk/plugin-config.php (modified) (2 diffs)
-
trunk/readme.txt (modified) (2 diffs)
-
trunk/views/admin.php (modified) (3 diffs)
pixtypes/tags/2.0.0/README.md
r1744797 r3469313 139 139 ``` 140 140 141 === Old Change Log === 142 143 1.3.5 144 Improved the multicheck field 145 146 1.3.2 147 WordPress 4.3 compatibility 148 Fixed Sticky buttons for the PixBuilder field 149 150 1.3.1 151 152 Allow portfolio to be a jetpack compatible type 153 Small fixes to the gallery field 154 155 1.2.10 156 157 Show / Hide options bug fix 158 159 1.2.9 160 161 Gmap pins added 162 163 1.2.6 164 165 Builder field added 166 Support for wp 4.0 167 Small fixes 168 169 1.2.2 170 171 Small fixes to metaboxes 172 173 1.2.1 174 175 Github Updater slug fix 176 And small fixes... 177 178 1.2.0 179 180 Ajax Update 181 Gallery Metabox works now even if there is no wp-editor on page 182 And small fixes... 183 184 1.1.0 185 186 Add admin panel 187 Fixes 188 189 1.0.0 - Here we go 141 ## Development Notes 142 Gulp 3.x doesn't work on Node.js 12.x or above. You have to downgrade Node.js to 11.5.0 143 ``` 144 nvm install 11.15.0 145 nvm use 11.15.0 # Just in case it didn't automatically select the 11.15.0 as the main node. 146 nvm uninstall 13.1.0 147 npm rebuild node-sass 148 ``` -
pixtypes/tags/2.0.0/class-pixtypes.php
r2127881 r3469313 106 106 * Ajax Callbacks - only for logged in users 107 107 */ 108 add_action( 'wp_ajax_unset_pixtypes', array( &$this, 'ajax_unset_pixtypes' ) );108 add_action( 'wp_ajax_unset_pixtypes', array( $this, 'ajax_unset_pixtypes' ) ); 109 109 } 110 110 … … 649 649 function ajax_unset_pixtypes() { 650 650 $result = array( 'success' => false, 'msg' => 'Incorrect nonce' ); 651 652 if ( ! current_user_can( 'manage_options' ) ) { 653 wp_send_json_error( 'Unauthorized' ); 654 } 655 651 656 if ( ! wp_verify_nonce( $_POST['_ajax_nonce'], 'unset_pixtype' ) ) { 652 echo json_encode( $result );657 echo wp_json_encode( $result ); 653 658 die(); 654 659 } 655 660 656 661 if ( isset( $_POST['theme_slug'] ) ) { 657 $key = $_POST['theme_slug'];662 $key = sanitize_key( $_POST['theme_slug'] ); 658 663 $options = get_option( 'pixtypes_settings' ); 659 664 if ( isset( $options['themes'][ $key ] ) ) { 660 665 unset( $options['themes'][ $key ] ); 661 666 update_option( 'pixtypes_settings', $options ); 662 $result['msg'] = 'Settings for ' . ucfirst( $key) . ' have been cleaned up!';667 $result['msg'] = 'Settings for ' . esc_html( ucfirst( $key ) ) . ' have been cleaned up!'; 663 668 $result['success'] = true; 664 669 } 665 670 } 666 671 667 echo json_encode( $result );672 echo wp_json_encode( $result ); 668 673 exit; 669 674 } -
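Review bot: `wp_verify_nonce( $_POST['_ajax_nonce'], 'unset_pixtype' )` on line 656 still reads the POST key with no `isset` guard, so a request that omits it raises an undefined-index warning before the nonce check fails; since the handler now leans on WordPress helpers, that line can become `if ( ! check_ajax_referer( 'unset_pixtype', '_ajax_nonce', false ) ) {`, which handles both the missing key and unslashing. The unauthorized branch answers with `wp_send_json_error( 'Unauthorized' )` while the bad-nonce and success branches echo a hand-built `{success, msg}` object, so the JavaScript caller now has to cope with two response shapes — pick one. Also note that `sanitize_key()` lowercases its input, so if any key under `pixtypes_settings['themes']` was stored with uppercase characters the `isset( $options['themes'][ $key ] )` lookup will no longer match and the unset silently no-ops; worth confirming against the code that writes those keys.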
pixtypes/tags/2.0.0/core/bootstrap.php
r1115891 r3469313 1 1 <?php defined('ABSPATH') or die; 2 2 3 // ensure EXT is defined4 if ( ! defined(' EXT')) {5 define(' EXT', '.php');3 // ensure PIXTYPES_EXT is defined 4 if ( ! defined('PIXTYPES_EXT')) { 5 define('PIXTYPES_EXT', '.php'); 6 6 } 7 7 8 8 $basepath = dirname(__FILE__).DIRECTORY_SEPARATOR; 9 require $basepath.'core'. EXT;9 require $basepath.'core'.PIXTYPES_EXT; 10 10 11 11 // load classes -
pixtypes/tags/2.0.0/core/classes/HTMLTag.php
r1744797 r3469313 57 57 if ( ! empty($value)) { 58 58 if (is_array($value)) { 59 $htmlvalue = implode(' ', $value);59 $htmlvalue = esc_attr( implode(' ', $value) ); 60 60 $attr_segments[] = "$key=\"$htmlvalue\""; 61 61 } 62 62 else { // value is not an array 63 $attr_segments[] = "$key=\" $value\"";63 $attr_segments[] = "$key=\"" . esc_attr( $value ) . "\""; 64 64 } 65 65 } 66 66 else { // empty html tag; ie. no value html tag 67 $attr_segments[] = $key;67 $attr_segments[] = esc_attr( $key ); 68 68 } 69 69 } -
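Review bot: The attribute name `$key` is escaped only in the valueless branch (`esc_attr( $key )` on line 67) but is still interpolated raw into `"$key=\"…\""` on lines 60 and 63, so a key containing `"` or `>` would still break out of the tag in the branches that carry a value. Attribute names cannot be meaningfully entity-escaped, so the robust form is to validate the name once at the top of the loop, e.g. `if ( ! preg_match( '/^[A-Za-z_:][\w:.-]*$/', $key ) ) { continue; }`, and drop the `esc_attr( $key )` on line 67. Whether `$key` can ever originate from untrusted input is not visible here — it appears to come from field configuration arrays — so this may be defence in depth rather than a live path. The enclosing method starts and ends outside the hunk.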
pixtypes/tags/2.0.0/core/classes/Processor.php
r1744797 r3469313 155 155 $plugin_cleanup = $this->meta->get('cleanup', array()); 156 156 157 // Only process expected fields — discard any extra $_POST keys. 158 $allowed_keys = array_keys( $this->fields->metadata_array() ); 159 $input = array_intersect_key( $input, array_flip( $allowed_keys ) ); 160 157 161 foreach ($this->fields->metadata_array() as $key => $field) { 158 162 -
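Review bot: The new allowlist calls `$this->fields->metadata_array()` and the `foreach` two lines below calls it again; `array_intersect_key()` accepts the metadata map directly, so the `array_keys()`/`array_flip()` round-trip is unnecessary. Suggested: `$fields_meta = $this->fields->metadata_array();` then `$input = array_intersect_key( $input, $fields_meta );` and `foreach ( $fields_meta as $key => $field ) {`. A comment such as `// Drops unexpected top-level keys only; nested values still need per-field sanitisation below` would make the scope of the check clear, since nothing in this hunk shows what happens to the values that survive it. The enclosing method continues outside the hunk.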
pixtypes/tags/2.0.0/core/classes/forms/FormField.php
r1744797 r3469313 70 70 foreach ($template_paths as $path) { 71 71 $dirpath = rtrim($path, '\\/').DIRECTORY_SEPARATOR; 72 if (file_exists($dirpath.$pattern. EXT)) {73 return $this->render_template_file($dirpath.$pattern. EXT);72 if (file_exists($dirpath.$pattern.PIXTYPES_EXT)) { 73 return $this->render_template_file($dirpath.$pattern.PIXTYPES_EXT); 74 74 } 75 75 } -
pixtypes/tags/2.0.0/core/core.php
r1275567 r3469313 21 21 static function defaults() { 22 22 if (self::$defaults === null) { 23 self::$defaults = include self::corepath().'defaults'. EXT;23 self::$defaults = include self::corepath().'defaults'.PIXTYPES_EXT; 24 24 } 25 25 … … 269 269 270 270 foreach ($priority_list as $file => $priority) { 271 if (strpos($file, EXT)) {271 if (strpos($file, PIXTYPES_EXT)) { 272 272 require $file; 273 273 } -
pixtypes/tags/2.0.0/core/tests/bootstrap.php
r1115891 r3469313 1 1 <?php defined('ABSPATH') or die; 2 2 3 // ensure EXT is defined4 if ( ! defined(' EXT')) {5 define(' EXT', '.php');3 // ensure PIXTYPES_EXT is defined 4 if ( ! defined('PIXTYPES_EXT')) { 5 define('PIXTYPES_EXT', '.php'); 6 6 } 7 7 … … 9 9 10 10 $basepath = realpath('..').DIRECTORY_SEPARATOR; 11 require $basepath.'bootstrap'. EXT;11 require $basepath.'bootstrap'.PIXTYPES_EXT; -
pixtypes/tags/2.0.0/core/views/form-partials/fields/color.php
r1115891 r3469313 10 10 11 11 $type = 'color'; 12 include 'text'. EXT;12 include 'text'.PIXTYPES_EXT; 13 13 -
pixtypes/tags/2.0.0/core/views/form-partials/fields/counter.php
r1115891 r3469313 37 37 <input <?php echo $field->htmlattributes($attrs) ?> class="small-text" /> 38 38 <?php else: # standard field ?> 39 <label for="<?php echo $idname?>">39 <label for="<?php echo esc_attr( $idname ) ?>"> 40 40 <input <?php echo $field->htmlattributes($attrs) ?> /> 41 <?php echo $label?>41 <?php echo esc_html( $label ) ?> 42 42 </label> 43 43 <?php endif; ?> -
pixtypes/tags/2.0.0/core/views/form-partials/fields/group.php
r1115891 r3469313 22 22 $fieldexample = $field->getmeta('group-example', null); 23 23 $fieldnote = $field->getmeta('group-note', null); ?> 24 <div class="field" <?php if ( $fieldconfig['type'] == 'group' ) echo 'id="' . $fieldname. '"'; ?> >24 <div class="field" <?php if ( $fieldconfig['type'] == 'group' ) echo 'id="' . esc_attr( $fieldname ) . '"'; ?> > 25 25 <?php echo $field->render(); 26 26 if ( ! empty($fieldnote)): ?> 27 <span class="field-note"><?php echo $fieldnote?></span>27 <span class="field-note"><?php echo esc_html( $fieldnote ) ?></span> 28 28 <?php endif; ?> 29 29 </div> -
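Review bot: `esc_html( $fieldnote )` on line 27 will render any markup a `group-note` carries (links, `<code>`, emphasis) as literal text, which is a visible change for existing field definitions; the `switch.php` hunk in this same changeset chose `wp_kses_post()` for label text, so the consistent choice here is `<span class="field-note"><?php echo wp_kses_post( $fieldnote ) ?></span>`, which keeps safe inline HTML while still stripping scripts and event handlers. Whether notes actually contain HTML in practice is not visible from this hunk, so confirm against the field definitions before deciding which escaper applies.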
pixtypes/tags/2.0.0/core/views/form-partials/fields/postbox.php
r1115891 r3469313 12 12 <div class="postbox"> 13 13 <div class="handlediv" title="Click to toggle"><br></div> 14 <h3 class="hndle"><span><?php echo $label?></span></h3>14 <h3 class="hndle"><span><?php echo esc_html( $label ) ?></span></h3> 15 15 16 16 <div class="inside"> … … 24 24 $show_group = $field->getmeta('show_group', null); ?> 25 25 26 <div class="row" <?php if ( $fieldconfig['type'] == 'group' ) echo 'id="' . $fieldname. '"'; ?>>26 <div class="row" <?php if ( $fieldconfig['type'] == 'group' ) echo 'id="' . esc_attr( $fieldname ) . '"'; ?>> 27 27 <?php if ( ! empty($fielddesc)): ?> 28 <div class="field-desc"><?php echo $fielddesc?></div>28 <div class="field-desc"><?php echo esc_html( $fielddesc ) ?></div> 29 29 <?php endif; 30 30 echo $field->render(); 31 31 if ( ! empty($fieldnote)): ?> 32 <span class="note"><?php echo $fieldnote?></span>32 <span class="note"><?php echo esc_html( $fieldnote ) ?></span> 33 33 <?php endif; ?> 34 34 </div> -
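Review bot: `$fielddesc` and `$fieldnote` go through `esc_html()` on lines 28 and 32, whereas `$field['desc']` in the `gmap_pins.php` and `init.php` hunks of this changeset goes through `wp_kses_post()`; the same kind of developer-supplied description is therefore treated differently per template, and a description containing a link will render its tags literally only inside postboxes. Settle on one policy across the form partials — `wp_kses_post()` if inline HTML is expected, `esc_html()` if it never is — and apply it to both lines here. The `esc_html( $label )` on line 14 and `esc_attr( $fieldname )` on line 26 are correct for their contexts.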
pixtypes/tags/2.0.0/core/views/form-partials/fields/select.php
r1115891 r3469313 24 24 <?php foreach ($this->getmeta('options', array()) as $key => $label): ?> 25 25 <option <?php if ($key == $selected): ?>selected<?php endif; ?> 26 value="<?php echo $key?>">27 <?php echo $label?>26 value="<?php echo esc_attr( $key ) ?>"> 27 <?php echo esc_html( $label ) ?> 28 28 </option> 29 29 <?php endforeach; ?> -
pixtypes/tags/2.0.0/core/views/form-partials/fields/switch.php
r1115891 r3469313 55 55 <div class="switch"> 56 56 <input <?php echo $field->htmlattributes($attrs) ?> /> 57 <label for="<?php echo $idname ?>"><?php echo $processed_label?></label>57 <label for="<?php echo esc_attr( $idname ) ?>"><?php echo wp_kses_post( $processed_label ) ?></label> 58 58 </div> 59 59 <?php else: # rendering != 'inline' ?> 60 <label for="<?php echo $idname?>">60 <label for="<?php echo esc_attr( $idname ) ?>"> 61 61 <input <?php echo $field->htmlattributes($attrs) ?> /> 62 <?php echo $processed_label?>62 <?php echo wp_kses_post( $processed_label ) ?> 63 63 </label> 64 64 <?php endif; ?> -
pixtypes/tags/2.0.0/core/views/form-partials/fields/tabular-group.php
r1115891 r3469313 12 12 <tr valign="top"> 13 13 <th scope="row"> 14 <?php echo $label?>14 <?php echo esc_html( $label ) ?> 15 15 </th> 16 16 <td> … … 18 18 19 19 <legend class="screen-reader-text"> 20 <span><?php echo $label?></span>20 <span><?php echo esc_html( $label ) ?></span> 21 21 </legend> 22 22 … … 28 28 <?php if ($field->hasmeta('note')): ?> 29 29 <small> 30 <em>(<?php echo $field->getmeta('note') ?>)</em>30 <em>(<?php echo esc_html( $field->getmeta('note') ) ?>)</em> 31 31 </small> 32 32 <?php endif; ?> -
pixtypes/tags/2.0.0/core/views/form-partials/fields/text.php
r1115891 r3469313 24 24 <?php elseif ($rendering == 'blocks'): ?> 25 25 <div class="text"> 26 <label id="<?php echo $name ?>"><?php echo $label?></label>26 <label id="<?php echo esc_attr( $name ) ?>"><?php echo esc_html( $label ) ?></label> 27 27 <input <?php echo $field->htmlattributes($attrs) ?> /> 28 <span><?php echo $desc?></span>28 <span><?php echo esc_html( $desc ) ?></span> 29 29 </div> 30 30 <?php else: # ?> 31 31 <div> 32 <p><?php echo $desc?></p>33 <label id="<?php echo $name?>">34 <?php echo $label?>32 <p><?php echo esc_html( $desc ) ?></p> 33 <label id="<?php echo esc_attr( $name ) ?>"> 34 <?php echo esc_html( $label ) ?> 35 35 <input <?php echo $field->htmlattributes($attrs) ?>/> 36 36 </label> -
pixtypes/tags/2.0.0/features/metaboxes/cmb-field-select2-v2/cmb-field-select2.php
r2124639 r3469313 34 34 */ 35 35 function pw_select_v2( $field, $meta ) { 36 echo '<select name="', $field['id'], '" id="', $field['id'], '" data-placeholder="' . $field['desc']. '" class="select2">';36 echo '<select name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" data-placeholder="' . esc_attr( $field['desc'] ) . '" class="select2">'; 37 37 echo '<option></option>'; 38 38 if ( isset( $field['options'] ) && ! empty( $field['options'] ) ) { … … 41 41 $opt_value = is_array( $option ) && array_key_exists( 'value', $option ) ? $option['value'] : $option_key; 42 42 43 echo '<option value="', $opt_value, '" ', selected( $meta == $opt_value ) ,'>', $opt_label, '</option>';43 echo '<option value="', esc_attr( $opt_value ), '" ', selected( $meta == $opt_value ) ,'>', esc_html( $opt_label ), '</option>'; 44 44 } 45 45 } … … 53 53 $options = array(); 54 54 55 echo '<select name="', $field['id'], '[]" id="', $field['id'], '" data-placeholder="' . $field['desc']. '" class="select2">';55 echo '<select name="', esc_attr( $field['id'] ), '[]" id="', esc_attr( $field['id'] ), '" data-placeholder="' . esc_attr( $field['desc'] ) . '" class="select2">'; 56 56 echo '<option></option>'; 57 57 if ( isset( $field['options'] ) && ! empty( $field['options'] ) ) { … … 60 60 $opt_value = is_array( $option ) && array_key_exists( 'value', $option ) ? $option['value'] : $option_key; 61 61 62 echo '<option value="', $opt_value, '" ', selected( $meta == $opt_value ) ,'>', $opt_label, '</option>';62 echo '<option value="', esc_attr( $opt_value ), '" ', selected( $meta == $opt_value ) ,'>', esc_html( $opt_label ), '</option>'; 63 63 } 64 64 } … … 86 86 } 87 87 88 echo '<select name="', $field['id'], '[]" id="', $field['id'], '" data-placeholder="' . $field['desc']. '" data-allow-clear="false" multiple class="select2">';88 echo '<select name="', esc_attr( $field['id'] ), '[]" id="', esc_attr( $field['id'] ), '" data-placeholder="' . esc_attr( $field['desc'] ) . 
'" data-allow-clear="false" multiple class="select2">'; 89 89 90 90 if ( ! empty( $cpt_posts ) ) { 91 91 foreach ( $cpt_posts as $post ) { 92 echo '<option value="', $post->ID, '" ', selected( in_array( $post->ID, $meta ), true ) ,'>', $post->post_title, '</option>';92 echo '<option value="', esc_attr( $post->ID ), '" ', selected( in_array( $post->ID, $meta ), true ) ,'>', esc_html( $post->post_title ), '</option>'; 93 93 } 94 94 } -
pixtypes/tags/2.0.0/features/metaboxes/cmb-field-select2/cmb-field-select2.php
r1410208 r3469313 34 34 */ 35 35 function pw_select( $field, $meta ) { 36 echo '<select name="', $field['id'], '" id="', $field['id'], '" data-placeholder="' . $field['desc']. '" class="select2">';36 echo '<select name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" data-placeholder="' . esc_attr( $field['desc'] ) . '" class="select2">'; 37 37 echo '<option></option>'; 38 38 if ( isset( $field['options'] ) && ! empty( $field['options'] ) ) { … … 41 41 $opt_value = is_array( $option ) && array_key_exists( 'value', $option ) ? $option['value'] : $option_key; 42 42 43 echo '<option value="', $opt_value, '" ', selected( $meta == $opt_value ) ,'>', $opt_label, '</option>';43 echo '<option value="', esc_attr( $opt_value ), '" ', selected( $meta == $opt_value ) ,'>', esc_html( $opt_label ), '</option>'; 44 44 } 45 45 } … … 71 71 } 72 72 73 echo '<input type="hidden" name="' . $field['id'] . '" id="' . $field['id'] . '" data-placeholder="' . $field['desc'] . '" class="select2" value="' . $meta. '" />';73 echo '<input type="hidden" name="' . esc_attr( $field['id'] ) . '" id="' . esc_attr( $field['id'] ) . '" data-placeholder="' . esc_attr( $field['desc'] ) . '" class="select2" value="' . esc_attr( $meta ) . '" />'; 74 74 } 75 75 … … 108 108 } 109 109 110 echo '<input type="hidden" name="' . $field['id'] . '" id="' . $field['id'] . '" data-placeholder="' . $field['desc'] . '" class="select2" value="' . $meta. '" />';110 echo '<input type="hidden" name="' . esc_attr( $field['id'] ) . '" id="' . esc_attr( $field['id'] ) . '" data-placeholder="' . esc_attr( $field['desc'] ) . '" class="select2" value="' . esc_attr( $meta ) . '" />'; 111 111 } 112 112 -
pixtypes/tags/2.0.0/features/metaboxes/css/style.css
r1944663 r3469313 3220 3220 color: #DDD; } 3221 3221 .cmb_metabox .selector-wrapper > select { 3222 width: 100%; } 3222 width: 100%; 3223 -webkit-appearance: none; 3224 -moz-appearance: none; 3225 appearance: none; } 3223 3226 3224 3227 .cmb_metabox .cmb-type-multicheck { -
pixtypes/tags/2.0.0/features/metaboxes/fields/gallery.php
r1591155 r3469313 12 12 wp_localize_script( 'pixgallery', 'locals', array( 13 13 'ajax_url' => admin_url( 'admin-ajax.php' ), 14 'nonce' => wp_create_nonce( 'pixtypes_gallery_preview' ), 14 15 'pixtypes_l18n' => array( 15 16 'confirmClearGallery' => esc_html__( 'Are you sure you want to clear this gallery?', 'pixtypes' ), … … 20 21 <ul></ul> 21 22 <a class="open_pixgallery" href="#"> 22 <input type="hidden" name="<?php echo $field['id']; ?>" id="pixgalleries" value="<?php echo '' !== $meta ? $meta : $field['std']?>"/>23 <input type="hidden" name="<?php echo esc_attr( $field['id'] ); ?>" id="pixgalleries" value="<?php echo esc_attr( '' !== $meta ? $meta : $field['std'] ); ?>"/> 23 24 <div><i class="icon dashicons dashicons-images-alt2"></i> 24 25 <span><?php esc_html_e( 'Add Image', 'pixtypes' ); ?></span></div> -
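Review bot: The new `'nonce' => wp_create_nonce( 'pixtypes_gallery_preview' )` only protects anything if the `wp_ajax_*` handler that `pixgallery.js` posts to calls `check_ajax_referer( 'pixtypes_gallery_preview', 'nonce' )` or verifies the same action with `wp_verify_nonce()`; that handler is not in this hunk, so confirm it was updated in the same release, otherwise the nonce is issued but never checked. The `image.php` hunk localises an object with the same name `locals` and the same action, so on a screen with both fields one object overwrites the other — harmless today because the action strings match, but a comment such as `// shared with image.php; keep the action name in sync` would stop a future divergence from breaking one field silently.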
pixtypes/tags/2.0.0/features/metaboxes/fields/gmap_pins.php
r1591155 r3469313 17 17 global $post; ?> 18 18 <div class="gmap_pins_container"> 19 <ul class="gmap_pins" data-field_name="<?php echo $field['id']; ?>">19 <ul class="gmap_pins" data-field_name="<?php echo esc_attr( $field['id'] ); ?>"> 20 20 <?php if ( empty( $meta ) ) { 21 21 $meta = array( … … 36 36 <fieldset class="pin_location_url"> 37 37 <label 38 for="<?php echo $field['id']; ?>[<?php echo $key ?>][location_url]">#<?php echo $key. ' ' . esc_html__( 'Location URL', 'pixtypes' ); ?></label>39 <input type="text" name="<?php echo $field['id']; ?>[<?php echo $key?>][location_url]"40 value="<?php echo $pin['location_url']; ?>"/>38 for="<?php echo esc_attr( $field['id'] ); ?>[<?php echo esc_attr( $key ); ?>][location_url]">#<?php echo esc_html( $key ) . ' ' . esc_html__( 'Location URL', 'pixtypes' ); ?></label> 39 <input type="text" name="<?php echo esc_attr( $field['id'] ); ?>[<?php echo esc_attr( $key ); ?>][location_url]" 40 value="<?php echo esc_attr( $pin['location_url'] ); ?>"/> 41 41 </fieldset> 42 42 <fieldset class="pin_name"> 43 43 <label 44 for="<?php echo $field['id']; ?>[<?php echo $key?>][name]"><?php esc_html_e( 'Name', 'pixtypes' ); ?></label>45 <input type="text" name="<?php echo $field['id']; ?>[<?php echo $key?>][name]"46 value="<?php echo $pin['name']; ?>"/>44 for="<?php echo esc_attr( $field['id'] ); ?>[<?php echo esc_attr( $key ); ?>][name]"><?php esc_html_e( 'Name', 'pixtypes' ); ?></label> 45 <input type="text" name="<?php echo esc_attr( $field['id'] ); ?>[<?php echo esc_attr( $key ); ?>][name]" 46 value="<?php echo esc_attr( $pin['name'] ); ?>"/> 47 47 </fieldset> 48 48 <span class="pin_delete"></span> … … 54 54 55 55 <?php if ( isset( $field['desc'] ) && ! empty( $field['desc'] ) ) { ?> 56 <span class="cmb_metabox_description"><?php echo $field['desc']; ?></span>56 <span class="cmb_metabox_description"><?php echo wp_kses_post( $field['desc'] ); ?></span> 57 57 <?php } ?> 58 58 </div> -
pixtypes/tags/2.0.0/features/metaboxes/fields/image.php
r1591155 r3469313 12 12 wp_localize_script( 'piximage', 'locals', array( 13 13 'ajax_url' => admin_url( 'admin-ajax.php' ), 14 'nonce' => wp_create_nonce( 'pixtypes_gallery_preview' ), 14 15 'pixtypes_l18n' => array( 15 16 'setThumbnailImageTitle' => esc_html__( 'Choose Image', 'pixtypes' ), … … 20 21 21 22 $class = empty( $field['class'] ) ? '' : $field['class']; ?> 22 <div id="<?php echo $field['id']; ?>" class="piximage_field hidden <?php echo $class; ?>">23 <div id="<?php echo esc_attr( $field['id'] ); ?>" class="piximage_field hidden <?php echo esc_attr( $class ); ?>"> 23 24 <ul></ul> 24 25 <a class="open_piximage" href="#"> 25 <input type="hidden" name="<?php echo $field['id']; ?>" class="piximage_id"26 value="<?php echo '' !== $meta ? $meta : $field['std']?>"/>26 <input type="hidden" name="<?php echo esc_attr( $field['id'] ); ?>" class="piximage_id" 27 value="<?php echo esc_attr( '' !== $meta ? $meta : $field['std'] ); ?>"/> 27 28 <div><i class="icon dashicons dashicons-images-alt2"></i> 28 <span><?php echo empty ( $field['button_text'] ) ? esc_html__( 'Add Image', 'pixtypes' ) : $field['button_text']; ?></span>29 <span><?php echo empty ( $field['button_text'] ) ? esc_html__( 'Add Image', 'pixtypes' ) : esc_html( $field['button_text'] ); ?></span> 29 30 </div> 30 31 <span 31 class="clear_image"><?php echo empty ( $field['clear_text'] ) ? esc_html__( 'Clear', 'pixtypes' ) : $field['clear_text']; ?></span>32 class="clear_image"><?php echo empty ( $field['clear_text'] ) ? esc_html__( 'Clear', 'pixtypes' ) : esc_html( $field['clear_text'] ); ?></span> 32 33 </a> 33 34 </div> -
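Review bot: Line 27 reads `$field['std']` directly while line 22 guards `$field['class']` with `empty()`, so a field definition that omits `std` will emit an undefined-index notice from the new `esc_attr( '' !== $meta ? $meta : $field['std'] )`; hoisting `$std = isset( $field['std'] ) ? $field['std'] : '';` above the markup and using `$std` there keeps the template clean. The nonce action `pixtypes_gallery_preview` is reused from the gallery field; if `piximage.js` posts to a different AJAX handler than the gallery, that handler must verify this exact action string, so either confirm both fields share one handler or give the image field its own action (e.g. `pixtypes_image_preview`) so the two can be checked independently.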
pixtypes/tags/2.0.0/features/metaboxes/fields/pix_builder.php
r2124639 r3469313 5 5 6 6 if( isset( $field['gridster_params'] ) ) { 7 $gridster_params = ' data-params=\'' . json_encode( $field['gridster_params']) . '\'';7 $gridster_params = ' data-params=\'' . esc_attr( wp_json_encode( $field['gridster_params'] ) ) . '\''; 8 8 } 9 9 … … 24 24 if ( $post_type !== 'page' ) { 25 25 echo '<style> 26 .post-type-' . $post_type. ' #postdivrich {26 .post-type-' . esc_html( sanitize_html_class( $post_type ) ) . ' #postdivrich { 27 27 display: none !important; 28 28 } … … 30 30 } 31 31 32 echo '<input type="hidden" name="', $field['id'], '" id="pix_builder" value="', '' !== $meta ? htmlspecialchars( $meta ) : $content, '" ' . $gridster_params . ' ' . ( $base64_decode ? 'data-base64_encoded="true"' : '' ) .' />'; ?>32 echo '<input type="hidden" name="', esc_attr( $field['id'] ), '" id="pix_builder" value="', '' !== $meta ? esc_attr( $meta ) : esc_attr( $content ), '" ' . $gridster_params . ' ' . ( $base64_decode ? 'data-base64_encoded="true"' : '' ) .' />'; ?> 33 33 <div class="pixbuilder-controls"> 34 34 <button class="add_block button button-primary button-large" … … 78 78 79 79 if ( isset( $attach[0] ) && ! empty( $attach[0] ) ) { 80 $content = '<img class="image_preview" src="' . $attach[0]. '">';81 $controls_content = '<a class="open_media" href="#" class="wp-gallery" data-attachment_id="' . $block->content. '"><span>' . esc_html__( 'Set Image', 'pixtypes' ) . '</span></a>';80 $content = '<img class="image_preview" src="' . esc_url( $attach[0] ) . '">'; 81 $controls_content = '<a class="open_media" href="#" class="wp-gallery" data-attachment_id="' . esc_attr( $block->content ) . '"><span>' . esc_html__( 'Set Image', 'pixtypes' ) . '</span></a>'; 82 82 } 83 83 } else { 84 84 $content = '<img class="image_preview">'; 85 $controls_content = '<a class="open_media" href="#" class="wp-gallery" data-attachment_id="' . $block->content. '"><span>' . esc_html__( 'Set Image', 'pixtypes' ) . 
'</pan></a>';85 $controls_content = '<a class="open_media" href="#" class="wp-gallery" data-attachment_id="' . esc_attr( $block->content ) . '"><span>' . esc_html__( 'Set Image', 'pixtypes' ) . '</pan></a>'; 86 86 } 87 87 } … … 115 115 } 116 116 } ?> 117 <li id="block_<?php echo $block->id ?>" class="block-type--<?php echo $block->type; ?> item"118 data-type="<?php echo $block->type ?>" data-row="<?php echo $block->row?>"119 data-col="<?php echo $block->col ?>" data-sizex="<?php echo $block->size_x?>"120 data-sizey="<?php echo $block->size_y?>">117 <li id="block_<?php echo esc_attr( $block->id ); ?>" class="block-type--<?php echo esc_attr( $block->type ); ?> item" 118 data-type="<?php echo esc_attr( $block->type ); ?>" data-row="<?php echo esc_attr( $block->row ); ?>" 119 data-col="<?php echo esc_attr( $block->col ); ?>" data-sizex="<?php echo esc_attr( $block->size_x ); ?>" 120 data-sizey="<?php echo esc_attr( $block->size_y ); ?>"> 121 121 <div class="item__controls"> 122 122 <ul class="nav nav--controls"> … … 131 131 class="position__ui-cell top <?php echo 0 == intval($block->position['top']) ? '' : 'active'; ?>"> 132 132 <div class="position__ui-handle" 133 data-step="<?php echo $block->position['top']; ?>"><?php esc_html_e( 'top', 'pixtypes' ); ?></div>133 data-step="<?php echo esc_attr( $block->position['top'] ); ?>"><?php esc_html_e( 'top', 'pixtypes' ); ?></div> 134 134 </div> 135 135 </div> … … 138 138 class="position__ui-cell left <?php echo 0 == intval($block->position['left']) ? 
'' : 'active'; ?>"> 139 139 <div class="position__ui-handle" 140 data-step="<?php echo $block->position['left']; ?>"><?php esc_html_e( 'left', 'pixtypes' ); ?></div>141 </div> 142 <div class="position__ui-cell middle <?php echo $middle_status; ?>">140 data-step="<?php echo esc_attr( $block->position['left'] ); ?>"><?php esc_html_e( 'left', 'pixtypes' ); ?></div> 141 </div> 142 <div class="position__ui-cell middle <?php echo esc_attr( $middle_status ); ?>"> 143 143 <div class="position__ui-handle">middle</div> 144 144 </div> … … 146 146 class="position__ui-cell right <?php echo 0 == intval($block->position['right']) ? '' : 'active'; ?>"> 147 147 <div class="position__ui-handle" 148 data-step="<?php echo $block->position['right']; ?>"><?php esc_html_e( 'right', 'pixtypes' ); ?></div>148 data-step="<?php echo esc_attr( $block->position['right'] ); ?>"><?php esc_html_e( 'right', 'pixtypes' ); ?></div> 149 149 </div> 150 150 </div> … … 153 153 class="position__ui-cell bottom <?php echo 0 == intval($block->position['bottom']) ? '' : 'active'; ?>"> 154 154 <div class="position__ui-handle" 155 data-step="<?php echo $block->position['bottom']; ?>"><?php esc_html_e( 'bottom', 'pixtypes' ); ?></div>155 data-step="<?php echo esc_attr( $block->position['bottom'] ); ?>"><?php esc_html_e( 'bottom', 'pixtypes' ); ?></div> 156 156 </div> 157 157 </div> … … 164 164 </ul> 165 165 </div> 166 <div class="item__content block_content <?php echo $empty_class; ?>">166 <div class="item__content block_content <?php echo esc_attr( $empty_class ); ?>"> 167 167 <?php echo $content ?> 168 168 </div> … … 175 175 </div> 176 176 </div> 177 <?php add_action( 'admin_footer', ' my_admin_footer_function' );178 function my_admin_footer_function() { ?>177 <?php add_action( 'admin_footer', 'pixtypes_admin_footer_function' ); 178 function pixtypes_admin_footer_function() { ?> 179 179 <div class="pix_builder_editor_modal_container" style="display:none"> 180 180 <div class="modal_wrapper"> -
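Review bot: Line 85 on the new side still closes the button label with `'</pan></a>'` although the opening tag is `<span>`, leaving an unclosed `<span>` in the builder controls; it should read `'</span></a>'`. The `esc_html( sanitize_html_class( $post_type ) )` on line 26 sits inside a `<style>` element, where entities are not decoded, and `sanitize_html_class()` already reduces the value to `[A-Za-z0-9_-]`, so the `esc_html()` wrapper is a no-op that signals the wrong context and can be dropped. Lines 177–178 declare `pixtypes_admin_footer_function()` inside a template that is included per field, so a screen that renders two builder fields would hit a "cannot redeclare" fatal unless something upstream prevents that; guarding it with `if ( ! function_exists( 'pixtypes_admin_footer_function' ) )` or moving it to the plugin's main file is safer. Note also that `esc_attr( $meta )` on line 32 replaces `htmlspecialchars( $meta )`, and `esc_attr()` does not double-encode existing entities, so stored builder content that already contains `&amp;` will now round-trip differently — worth a save/reload test.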
pixtypes/tags/2.0.0/features/metaboxes/fields/playlist.php
r1591155 r3469313 11 11 wp_localize_script( 'pixplaylist', 'playlist_locals', array( 12 12 'ajax_url' => admin_url( 'admin-ajax.php' ), 13 'nonce' => wp_create_nonce( 'pixtypes_playlist_preview' ), 13 14 'playlist_type' => $playlist_type, 14 15 'pixtypes_l18n' => array( … … 20 21 <ul></ul> 21 22 <a class="open_pixvideos" href="#"> 22 <input type="hidden" name="<?php echo $field['id'] ?>" id="pixplaylist" value="<?php echo '' !== $meta ? $meta : $field['std']; ?>"/>23 <input type="hidden" name="<?php echo esc_attr( $field['id'] ); ?>" id="pixplaylist" value="<?php echo esc_attr( '' !== $meta ? $meta : $field['std'] ); ?>"/> 23 24 <div><i class="icon dashicons dashicons-format-video"></i> <span><?php esc_html_e('Add Video', 'pixtypes' ); ?></span></div> 24 25 <span class="clear_gallery"><?php esc_html_e( 'Clear', 'pixtypes' ); ?></span> -
pixtypes/tags/2.0.0/features/metaboxes/fields/portfolio-gallery.php
r1115891 r3469313 65 65 } 66 66 67 echo '<input type="hidden" name="'. $field['id'].'" id="portfolio_gallery_val" />'; ?>67 echo '<input type="hidden" name="'. esc_attr( $field['id'] ) .'" id="portfolio_gallery_val" />'; ?> 68 68 69 69 <div id="wpgrade_portfolio_editor_modal" style="display: none"> -
pixtypes/tags/2.0.0/features/metaboxes/init.php
r2956824 r3469313 116 116 global $pagenow; 117 117 if ( $upload && in_array( $pagenow, array( 'page.php', 'page-new.php', 'post.php', 'post-new.php' ) ) ) { 118 add_action( 'admin_head', array( &$this, 'add_post_enctype' ) );118 add_action( 'admin_head', array( $this, 'add_post_enctype' ) ); 119 119 } 120 120 … … 122 122 $this->add(); 123 123 } else { 124 add_action( 'admin_menu', array( &$this, 'add' ) );125 } 126 127 add_action( 'save_post', array( &$this, 'save' ) );128 129 add_action( 'admin_head', array( &$this, 'fold_display' ) );130 131 add_filter( 'cmb_show_on', array( &$this, 'add_for_id' ), 10, 2 );132 //add_filter( 'cmb_show_on', array( &$this, 'add_for_page_template' ), 10, 2 );133 //add_filter( 'cmb_show_on', array( &$this, 'add_for_specific_select_value' ), 10, 2 );124 add_action( 'admin_menu', array( $this, 'add' ) ); 125 } 126 127 add_action( 'save_post', array( $this, 'save' ) ); 128 129 add_action( 'admin_head', array( $this, 'fold_display' ) ); 130 131 add_filter( 'cmb_show_on', array( $this, 'add_for_id' ), 10, 2 ); 132 //add_filter( 'cmb_show_on', array( $this, 'add_for_page_template' ), 10, 2 ); 133 //add_filter( 'cmb_show_on', array( $this, 'add_for_specific_select_value' ), 10, 2 ); 134 134 135 135 //add_filter('_wp_post_revision_field_post_content', array( $this, 'pixtypes_fix_builder_revisions_display'), 915, 4 ); … … 172 172 $this->_meta_box['id'], 173 173 $this->_meta_box['title'], 174 array( &$this, 'show' ),174 array( $this, 'show' ), 175 175 $page, 176 176 $this->_meta_box['context'], … … 195 195 // If we're showing it based on ID, get the current ID 196 196 if ( isset( $_GET['post'] ) ) { 197 $post_id = $_GET['post'];197 $post_id = absint( $_GET['post'] ); 198 198 } elseif ( isset( $_POST['post_ID'] ) ) { 199 $post_id = $_POST['post_ID'];199 $post_id = absint( $_POST['post_ID'] ); 200 200 } 201 201 if ( ! 
isset( $post_id ) ) { … … 223 223 // Get the current ID 224 224 if ( isset( $_GET['post'] ) ) { 225 $post_id = $_GET['post'];225 $post_id = absint( $_GET['post'] ); 226 226 } elseif ( isset( $_POST['post_ID'] ) ) { 227 $post_id = $_POST['post_ID'];227 $post_id = absint( $_POST['post_ID'] ); 228 228 } 229 229 if ( ! ( isset( $post_id ) || is_page() ) ) { … … 254 254 // Get the current ID 255 255 if ( isset( $_GET['post'] ) ) { 256 $post_id = $_GET['post'];256 $post_id = absint( $_GET['post'] ); 257 257 } elseif ( isset( $_POST['post_ID'] ) ) { 258 $post_id = $_POST['post_ID'];258 $post_id = absint( $_POST['post_ID'] ); 259 259 } 260 260 … … 369 369 370 370 // Use nonce for verification 371 echo '<input type="hidden" name="wp_meta_box_nonce" value="', wp_create_nonce( basename( __FILE__ )), '" />';371 echo '<input type="hidden" name="wp_meta_box_nonce" value="', wp_create_nonce( 'pixtypes_save_metabox' ), '" />'; 372 372 373 373 // load assets only when we have a metabox on page 374 cmb_enqueue_scripts();374 pixtypes_cmb_enqueue_scripts(); 375 375 376 376 echo '<ul class="form-table cmb_metabox">'; … … 435 435 $on = $display_on['on']; 436 436 437 $requires .= 'data-when_key="' . $on['field']. '"';437 $requires .= 'data-when_key="' . esc_attr( $on['field'] ) . '"'; 438 438 439 439 if ( is_array( $on['value'] ) ) { 440 $requires .= 'data-has_value=\'' . json_encode( $on['value']) . '\'';440 $requires .= 'data-has_value=\'' . esc_attr( wp_json_encode( $on['value'] ) ) . '\''; 441 441 } else { 442 $requires .= 'data-has_value="' . $on['value']. '"';442 $requires .= 'data-has_value="' . esc_attr( $on['value'] ) . '"'; 443 443 } 444 444 } 445 445 } 446 446 447 echo '<li class="' . $classes. '" ' . $requires . '>';447 echo '<li class="' . esc_attr( $classes ) . '" ' . $requires . 
'>'; 448 448 } 449 449 … … 452 452 if ( isset( $this->_meta_box['show_names'] ) && $this->_meta_box['show_names'] == true ) { 453 453 if ( isset( $field['show_names'] ) && $field['show_names'] == true ) { 454 echo '<h3><label for="', $field['id'], '">', $field['name'], '</label></h3>';454 echo '<h3><label for="', esc_attr( $field['id'] ), '">', esc_html( $field['name'] ), '</label></h3>'; 455 455 } 456 456 } 457 457 } 458 458 if ( ! empty($field['desc']) ) { 459 echo "<div>" . $field['desc']. "</div>";459 echo "<div>" . wp_kses_post( $field['desc'] ) . "</div>"; 460 460 } 461 461 echo '</div>'; … … 469 469 470 470 case 'text': 471 echo '<input class="cmb_text" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', $meta, '" />';471 echo '<input class="cmb_text" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( $meta ), '" />'; 472 472 break; 473 473 case 'text_small': 474 echo '<input class="cmb_text cmb_text_small" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', $meta, '" />';474 echo '<input class="cmb_text cmb_text_small" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( $meta ), '" />'; 475 475 break; 476 476 case 'text_medium': 477 echo '<input class="cmb_text cmb_text_medium" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', $meta, '" />';477 echo '<input class="cmb_text cmb_text_medium" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( $meta ), '" />'; 478 478 break; 479 479 … … 483 483 if ( isset( $field['html_args'] ) && ! empty( $field['html_args'] ) ) { 484 484 foreach ( $field['html_args'] as $key => $att ) { 485 $atts .= $key . '="' . $att. '" ';485 $atts .= esc_attr( $key ) . '="' . esc_attr( $att ) . 
'" '; 486 486 } 487 487 } ?> 488 <input class="cmb_text_range" type="range" name="<?php echo $field['id']; ?>"489 id="<?php echo $field['id']?>"490 value="<?php echo '' !== $meta ? $meta : $field['std']; ?>" <?php echo $atts?>491 style="background-size: <?php echo 0 !== $meta ? $meta : $field['std']; ?>% 100%;"492 oninput="<?php echo $field['id'] . '_output.value = ' . $field['id'] . '.value'; ?>"/>493 <output name="<?php echo $field['id'] ?>_output" id="<?php echo $field['id']; ?>_output">494 <?php echo '' !== $meta ? $meta : $field['std']; ?>488 <input class="cmb_text_range" type="range" name="<?php echo esc_attr( $field['id'] ); ?>" 489 id="<?php echo esc_attr( $field['id'] ); ?>" 490 value="<?php echo esc_attr( '' !== $meta ? $meta : $field['std'] ); ?>" <?php echo $atts; ?> 491 style="background-size: <?php echo esc_attr( 0 !== $meta ? $meta : $field['std'] ); ?>% 100%;" 492 oninput="<?php echo esc_attr( $field['id'] . '_output.value = ' . $field['id'] . '.value' ); ?>"/> 493 <output name="<?php echo esc_attr( $field['id'] ); ?>_output" id="<?php echo esc_attr( $field['id'] ); ?>_output"> 494 <?php echo esc_html( '' !== $meta ? $meta : $field['std'] ); ?> 495 495 </output> 496 496 <?php break; 497 497 case 'text_date': 498 echo '<input class="cmb_text_small cmb_datepicker" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', '' !== $meta ? $meta : $field['std'], '" />';498 echo '<input class="cmb_text_small cmb_datepicker" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( '' !== $meta ? $meta : $field['std'] ), '" />'; 499 499 break; 500 500 case 'text_date_timestamp': 501 echo '<input class="cmb_text_small cmb_datepicker" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', '' !== $meta ? 
date( 'm\/d\/Y', $meta ) : $field['std'], '" />';501 echo '<input class="cmb_text_small cmb_datepicker" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( '' !== $meta ? date( 'm\/d\/Y', $meta ) : $field['std'] ), '" />'; 502 502 break; 503 503 504 504 case 'text_datetime_timestamp': 505 echo '<input class="cmb_text_small cmb_datepicker" type="text" name="', $field['id'], '[date]" id="', $field['id'], '_date" value="', '' !== $meta ? date( 'm\/d\/Y', $meta ) : $field['std'], '" />';506 echo '<input class="cmb_timepicker text_time" type="text" name="', $field['id'], '[time]" id="', $field['id'], '_time" value="', '' !== $meta ? date( 'h:i A', $meta ) : $field['std'], '" />';505 echo '<input class="cmb_text_small cmb_datepicker" type="text" name="', esc_attr( $field['id'] ), '[date]" id="', esc_attr( $field['id'] ), '_date" value="', esc_attr( '' !== $meta ? date( 'm\/d\/Y', $meta ) : $field['std'] ), '" />'; 506 echo '<input class="cmb_timepicker text_time" type="text" name="', esc_attr( $field['id'] ), '[time]" id="', esc_attr( $field['id'] ), '_time" value="', esc_attr( '' !== $meta ? date( 'h:i A', $meta ) : $field['std'] ), '" />'; 507 507 break; 508 508 case 'text_time': 509 echo '<input class="cmb_timepicker text_time" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', '' !== $meta ? $meta : $field['std'], '" />';509 echo '<input class="cmb_timepicker text_time" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( '' !== $meta ? $meta : $field['std'] ), '" />'; 510 510 break; 511 511 case 'text_money': 512 echo '$ <input class="cmb_text_money" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', '' !== $meta ? $meta : $field['std'], '" />';512 echo '$ <input class="cmb_text_money" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( '' !== $meta ? 
$meta : $field['std'] ), '" />'; 513 513 break; 514 514 case 'colorpicker': … … 523 523 $meta = "#"; 524 524 } 525 echo '<input class="cmb_colorpicker cmb_text_small" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', $meta, '" />';525 echo '<input class="cmb_colorpicker cmb_text_small" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( $meta ), '" />'; 526 526 break; 527 527 case 'textarea': 528 echo '<textarea class="cmb_textarea" name="', $field['id'], '" id="', $field['id'], '" cols="60" rows="10">', $meta, '</textarea>';528 echo '<textarea class="cmb_textarea" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" cols="60" rows="10">', esc_textarea( $meta ), '</textarea>'; 529 529 break; 530 530 case 'textarea_small': 531 echo '<textarea class="cmb_textarea" name="', $field['id'], '" id="', $field['id'], '" cols="60" rows="4">', $meta, '</textarea>';531 echo '<textarea class="cmb_textarea" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" cols="60" rows="4">', esc_textarea( $meta ), '</textarea>'; 532 532 break; 533 533 case 'textarea_code': 534 534 $rows = $cols = ''; 535 535 if( isset( $field['rows'] ) && ! empty( $field['rows'] ) ) { 536 $rows = 'rows="' . $field['rows']. '"';536 $rows = 'rows="' . esc_attr( $field['rows'] ) . '"'; 537 537 } 538 538 539 539 if( isset( $field['cols'] ) && ! empty( $field['cols'] ) ) { 540 $cols = 'cols="' . $field['cols']. '"';540 $cols = 'cols="' . esc_attr( $field['cols'] ) . '"'; 541 541 } else { 542 542 $cols = 'style="width: 100%"'; 543 543 } 544 544 545 echo '<textarea name="', $field['id'], '" id="', $field['id'], '" ' . $cols .' ' . $rows . ' class="cmb_textarea cmb_textarea_code">', $meta, '</textarea>';545 echo '<textarea name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" ' . $cols .' ' . $rows . 
' class="cmb_textarea cmb_textarea_code">', esc_textarea( $meta ), '</textarea>'; 546 546 break; 547 547 case 'select': … … 552 552 553 553 echo '<div class="selector-wrapper dashicons-before dashicons-arrow-down-alt2">'; 554 echo '<select name="', $field['id'], '" id="', $field['id'], '">';554 echo '<select name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '">'; 555 555 556 556 foreach ( $field['options'] as $option ) { … … 562 562 $option['value'] = 0; 563 563 } 564 echo '<option value="', $option['value'], '"', $meta == $option['value'] ? ' selected="selected"' : '', '>', $option['name'], '</option>';564 echo '<option value="', esc_attr( $option['value'] ), '"', $meta == $option['value'] ? ' selected="selected"' : '', '>', esc_html( $option['name'] ), '</option>'; 565 565 } 566 566 echo '</select>'; … … 571 571 572 572 echo '<div class="selector-wrapper dashicons-before dashicons-arrow-down-alt2">'; 573 echo '<select name="', $field['id'], '" id="', $field['id'], '">';573 echo '<select name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '">'; 574 574 $args = array( 575 575 'posts_per_page' => - 1, … … 581 581 if ( ! empty( $cpt_posts ) ) { 582 582 foreach ( $cpt_posts as $post ) { 583 echo '<option value="', $post->ID, '"', $meta == $post->ID ? ' selected="selected"' : '', '>', $post->post_title, '</option>';583 echo '<option value="', esc_attr( $post->ID ), '"', $meta == $post->ID ? ' selected="selected"' : '', '>', esc_html( $post->post_title ), '</option>'; 584 584 } 585 585 } … … 590 590 case 'select_cpt_term': 591 591 echo '<div class="selector-wrapper dashicons-before dashicons-arrow-down-alt2">'; 592 echo '<select name="', $field['id'], '" id="', $field['id'], '">';592 echo '<select name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '">'; 593 593 $cpt_terms = get_terms( $field['taxonomy'], 'orderby=count&hide_empty=0' ); 594 594 if ( ! 
empty( $cpt_terms ) ) { 595 595 foreach ( $cpt_terms as $term ) { 596 echo '<option value="', $term->slug, '"', $meta == $term->slug ? ' selected="selected"' : '', '>', $term->name, '</option>';596 echo '<option value="', esc_attr( $term->slug ), '"', $meta == $term->slug ? ' selected="selected"' : '', '>', esc_html( $term->name ), '</option>'; 597 597 } 598 598 } … … 607 607 $i = 1; 608 608 foreach ( $field['options'] as $option ) { 609 echo '<div class="cmb_radio_inline_option"><input type="radio" name="', $field['id'], '" id="', $field['id'], $i, '" value="', $option['value'], '"', $meta == $option['value'] ? ' checked="checked"' : '', ' /><label for="', $field['id'], $i, '">', $option['name'], '</label></div>';609 echo '<div class="cmb_radio_inline_option"><input type="radio" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] . $i ), '" value="', esc_attr( $option['value'] ), '"', $meta == $option['value'] ? ' checked="checked"' : '', ' /><label for="', esc_attr( $field['id'] . $i ), '">', esc_html( $option['name'] ), '</label></div>'; 610 610 $i ++; 611 611 } … … 619 619 $i = 1; 620 620 foreach ( $field['options'] as $option ) { 621 echo '<li><input type="radio" name="', $field['id'], '" id="', $field['id'], $i, '" value="', $option['value'], '"', $meta == $option['value'] ? ' checked="checked"' : '', ' /><label for="', $field['id'], $i, '">', $option['name']. '</label></li>';621 echo '<li><input type="radio" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] . $i ), '" value="', esc_attr( $option['value'] ), '"', $meta == $option['value'] ? ' checked="checked"' : '', ' /><label for="', esc_attr( $field['id'] . $i ), '">', esc_html( $option['name'] ) . '</label></li>'; 622 622 $i ++; 623 623 } … … 625 625 break; 626 626 case 'checkbox': 627 echo '<input type="checkbox" name="', $field['id'], '" id="', $field['id'], '"', ( $meta === 'on' ) ? 
' checked="checked"' : '', ' />';627 echo '<input type="checkbox" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '"', ( $meta === 'on' ) ? ' checked="checked"' : '', ' />'; 628 628 break; 629 629 case 'multicheck': … … 637 637 // Append `[]` to the name to get multiple values 638 638 // Use in_array() to check whether the current option should be checked 639 echo '<li><input type="checkbox" name="', $field['id'], '[]" id="', $field['id'], $i, '" value="', $value, '"', in_array( $value, $meta ) ? ' checked="checked"' : '', ' /><label for="', $field['id'], $i, '">', $name, '</label></li>';639 echo '<li><input type="checkbox" name="', esc_attr( $field['id'] ), '[]" id="', esc_attr( $field['id'] . $i ), '" value="', esc_attr( $value ), '"', in_array( $value, $meta ) ? ' checked="checked"' : '', ' /><label for="', esc_attr( $field['id'] . $i ), '">', esc_html( $name ), '</label></li>'; 640 640 $i ++; 641 641 } … … 644 644 case 'title': 645 645 if ( isset( $field['value']) ) { 646 echo '<div class="cmb_metabox_title" id="', $field['id'], '">', $field['value'], '</div>';646 echo '<div class="cmb_metabox_title" id="', esc_attr( $field['id'] ), '">', esc_html( $field['value'] ), '</div>'; 647 647 } 648 648 break; … … 653 653 654 654 echo '<div class="selector-wrapper dashicons-before dashicons-arrow-down-alt2">'; 655 echo '<select name="', $field['id'], '" id="', $field['id'], '">';655 echo '<select name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '">'; 656 656 $names = wp_get_object_terms( $post->ID, $field['taxonomy'] ); 657 657 $terms = get_terms( $field['taxonomy'], 'hide_empty=0' ); 658 658 foreach ( $terms as $term ) { 659 659 if ( ! is_wp_error( $names ) && ! empty( $names ) && ! strcmp( $term->slug, $names[0]->slug ) ) { 660 echo '<option value="' . $term->slug . '" selected>' . $term->name. '</option>';660 echo '<option value="' . esc_attr( $term->slug ) . '" selected>' . esc_html( $term->name ) . 
'</option>'; 661 661 } else { 662 echo '<option value="' . $term->slug . ' ', $meta == $term->slug ? $meta : ' ', ' ">' . $term->name. '</option>';662 echo '<option value="' . esc_attr( $term->slug ) . ' ', $meta == $term->slug ? esc_attr( $meta ) : ' ', ' ">' . esc_html( $term->name ) . '</option>'; 663 663 } 664 664 } … … 672 672 foreach ( $terms as $term ) { 673 673 if ( ! is_wp_error( $names ) && ! empty( $names ) && ! strcmp( $term->slug, $names[0]->slug ) ) { 674 echo '<li><input type="radio" name="', $field['id'], '" value="' . $term->slug . '" checked>' . $term->name. '</li>';674 echo '<li><input type="radio" name="', esc_attr( $field['id'] ), '" value="' . esc_attr( $term->slug ) . '" checked>' . esc_html( $term->name ) . '</li>'; 675 675 } else { 676 echo '<li><input type="radio" name="', $field['id'], '" value="' . $term->slug . ' ', $meta == $term->slug ? $meta : ' ', ' ">' . $term->name. '</li>';676 echo '<li><input type="radio" name="', esc_attr( $field['id'] ), '" value="' . esc_attr( $term->slug ) . ' ', $meta == $term->slug ? esc_attr( $meta ) : ' ', ' ">' . esc_html( $term->name ) . 
'</li>'; 677 677 } 678 678 } … … 684 684 $terms = get_terms( $field['taxonomy'], 'hide_empty=0' ); 685 685 foreach ( $terms as $term ) { 686 echo '<li><input type="checkbox" name="', $field['id'], '[]" id="', $field['id'], '" value="', $term->name, '"';686 echo '<li><input type="checkbox" name="', esc_attr( $field['id'] ), '[]" id="', esc_attr( $field['id'] ), '" value="', esc_attr( $term->name ), '"'; 687 687 foreach ( $names as $name ) { 688 688 if ( $term->slug == $name->slug ) { … … 690 690 }; 691 691 } 692 echo ' /><label>', $term->name, '</label></li>';692 echo ' /><label>', esc_html( $term->name ), '</label></li>'; 693 693 } 694 694 echo '</ul>'; 695 695 break; 696 696 case 'file_list': 697 echo '<input class="cmb_upload_file" type="text" size="36" name="', $field['id'], '" value="" />';697 echo '<input class="cmb_upload_file" type="text" size="36" name="', esc_attr( $field['id'] ), '" value="" />'; 698 698 echo '<input class="cmb_upload_button button" type="button" value="Upload File" />'; 699 699 $args = array( … … 720 720 $input_type_url = "text"; 721 721 } 722 echo '<input class="cmb_upload_file" type="' . $input_type_url . '" size="45" id="', $field['id'], '" name="', $field['id'], '" value="', $meta, '" />';722 echo '<input class="cmb_upload_file" type="' . esc_attr( $input_type_url ) . '" size="45" id="', esc_attr( $field['id'] ), '" name="', esc_attr( $field['id'] ), '" value="', esc_attr( $meta ), '" />'; 723 723 echo '<input class="cmb_upload_button button" type="button" value="Upload File" />'; 724 echo '<input class="cmb_upload_file_id" type="hidden" id="', $field['id'], '_id" name="', $field['id'], '_id" value="', get_post_meta( $post->ID, $field['id'] . "_id", true), '" />';725 echo '<div id="', $field['id'], '_status" class="cmb_media_status">';724 echo '<input class="cmb_upload_file_id" type="hidden" id="', esc_attr( $field['id'] ), '_id" name="', esc_attr( $field['id'] ), '_id" value="', esc_attr( get_post_meta( $post->ID, $field['id'] . 
"_id", true ) ), '" />'; 725 echo '<div id="', esc_attr( $field['id'] ), '_status" class="cmb_media_status">'; 726 726 if ( $meta != '' ) { 727 727 $check_image = preg_match( '/(^.*\.jpg|jpeg|png|gif|ico*)/i', $meta ); 728 728 if ( $check_image ) { 729 729 echo '<div class="img_status">'; 730 echo '<img src="', $meta, '" alt="" />';731 echo '<a href="#" class="cmb_remove_file_button" rel="', $field['id'], '">Remove Image</a>';730 echo '<img src="', esc_url( $meta ), '" alt="" />'; 731 echo '<a href="#" class="cmb_remove_file_button" rel="', esc_attr( $field['id'] ), '">Remove Image</a>'; 732 732 echo '</div>'; 733 733 } else { … … 736 736 $title = $parts[ $i ]; 737 737 } 738 echo 'File: <strong>', $title, '</strong> (<a href="', $meta, '" target="_blank" rel="external">Download</a> / <a href="#" class="cmb_remove_file_button" rel="', $field['id'], '">Remove</a>)';738 echo 'File: <strong>', esc_html( $title ), '</strong> (<a href="', esc_url( $meta ), '" target="_blank" rel="external">Download</a> / <a href="#" class="cmb_remove_file_button" rel="', esc_attr( $field['id'] ), '">Remove</a>)'; 739 739 } 740 740 } … … 747 747 $input_type_url = "text"; 748 748 } 749 echo '<input class="cmb_upload_file attachment" type="' . $input_type_url . '" size="45" id="', $field['id'], '" name="', $field['id'], '" value=\'', $meta, '\' />';749 echo '<input class="cmb_upload_file attachment" type="' . esc_attr( $input_type_url ) . '" size="45" id="', esc_attr( $field['id'] ), '" name="', esc_attr( $field['id'] ), '" value=\'', esc_attr( $meta ), '\' />'; 750 750 echo '<input class="cmb_upload_button button" type="button" value="Upload File" />'; 751 echo '<input class="cmb_upload_file_id" type="hidden" id="', $field['id'], '_id" name="', $field['id'], '_id" value="', get_post_meta( $post->ID, $field['id'] . 
"_id", true), '" />';752 echo '<div id="', $field['id'], '_status" class="cmb_media_status">';751 echo '<input class="cmb_upload_file_id" type="hidden" id="', esc_attr( $field['id'] ), '_id" name="', esc_attr( $field['id'] ), '_id" value="', esc_attr( get_post_meta( $post->ID, $field['id'] . "_id", true ) ), '" />'; 752 echo '<div id="', esc_attr( $field['id'] ), '_status" class="cmb_media_status">'; 753 753 if ( $meta != '' ) { 754 754 $check_image = preg_match( '/(^.*\.jpg|jpeg|png|gif|ico*)/i', $meta ); … … 756 756 echo '<div class="img_status">'; 757 757 $meta_img = (array) json_decode( $meta ); 758 echo '<img src="' . $meta_img["link"]. '" alt="" />';759 echo '<a href="#" class="cmb_remove_file_button" rel="', $field['id'], '">Remove Image</a>';758 echo '<img src="' . esc_url( $meta_img["link"] ) . '" alt="" />'; 759 echo '<a href="#" class="cmb_remove_file_button" rel="', esc_attr( $field['id'] ), '">Remove Image</a>'; 760 760 echo '</div>'; 761 761 } else { … … 764 764 $title = $parts[ $i ]; 765 765 } 766 echo 'File: <strong>', $title, '</strong> (<a href="', $meta, '" target="_blank" rel="external">Download</a> / <a href="#" class="cmb_remove_file_button" rel="', $field['id'], '">Remove</a>)';766 echo 'File: <strong>', esc_html( $title ), '</strong> (<a href="', esc_url( $meta ), '" target="_blank" rel="external">Download</a> / <a href="#" class="cmb_remove_file_button" rel="', esc_attr( $field['id'] ), '">Remove</a>)'; 767 767 } 768 768 } … … 848 848 849 849 case 'oembed': 850 echo '<input class="cmb_oembed" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', '' !== $meta ? $meta : $field['std'], '" />';850 echo '<input class="cmb_oembed" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( '' !== $meta ? 
$meta : $field['std'] ), '" />'; 851 851 echo '<p class="cmb-spinner spinner"></p>'; 852 echo '<div id="', $field['id'], '_status" class="cmb_media_status ui-helper-clearfix embed_wrap">';852 echo '<div id="', esc_attr( $field['id'] ), '_status" class="cmb_media_status ui-helper-clearfix embed_wrap">'; 853 853 if ( $meta != '' ) { 854 854 $check_embed = $GLOBALS['wp_embed']->run_shortcode( '[embed]' . esc_url( $meta ) . '[/embed]' ); … … 856 856 echo '<div class="embed_status">'; 857 857 echo $check_embed; 858 echo '<a href="#" class="cmb_remove_file_button" rel="', $field['id'], '">Remove Embed</a>';858 echo '<a href="#" class="cmb_remove_file_button" rel="', esc_attr( $field['id'] ), '">Remove Embed</a>'; 859 859 echo '</div>'; 860 860 } else { … … 872 872 $i = 1; 873 873 foreach ( $field['options'] as $option ) { 874 echo '<li><input type="radio" name="', $field['id'], '" id="', $field['id'], $i, '" value="', $option['value'], '"', $meta == $option['value'] ? ' checked="checked"' : '', ' /><label for="', $field['id'], $i, '">', '<span>' . $option['value']. '</span>' . '</label></li>';874 echo '<li><input type="radio" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] . $i ), '" value="', esc_attr( $option['value'] ), '"', $meta == $option['value'] ? ' checked="checked"' : '', ' /><label for="', esc_attr( $field['id'] . $i ), '">', '<span>' . esc_html( $option['value'] ) . '</span>' . 
'</label></li>'; 875 875 $i ++; 876 876 } … … 920 920 (function ($) { 921 921 $(document).ready(function () { 922 var metabox = $('#<?php echo $this->_meta_box['id']; ?>');922 var metabox = $('#<?php echo esc_js( $this->_meta_box['id'] ); ?>'); 923 923 metabox.addClass('display_on') 924 924 .attr('data-action', '<?php echo 'show'; ?>') 925 .attr('data-when_key', '<?php echo $display_on['on']['field']; ?>')926 .attr('data-has_value', '<?php echo $display_on['on']['value']; ?>');925 .attr('data-when_key', '<?php echo esc_js( $display_on['on']['field'] ); ?>') 926 .attr('data-has_value', '<?php echo esc_js( $display_on['on']['value'] ); ?>'); 927 927 }); 928 928 })(jQuery); … … 937 937 938 938 // verify nonce 939 if ( ! isset( $_POST['wp_meta_box_nonce'] ) || ! wp_verify_nonce( $_POST['wp_meta_box_nonce'], basename( __FILE__ )) ) {939 if ( ! isset( $_POST['wp_meta_box_nonce'] ) || ! wp_verify_nonce( $_POST['wp_meta_box_nonce'], 'pixtypes_save_metabox' ) ) { 940 940 return $post_id; 941 941 } … … 1053 1053 * Adding scripts and styles 1054 1054 */ 1055 function cmb_register_scripts( $hook ) {1055 function pixtypes_cmb_register_scripts( $hook ) { 1056 1056 1057 1057 global $pixtypes_plugin; … … 1106 1106 } 1107 1107 1108 add_action( 'admin_enqueue_scripts', ' cmb_register_scripts', 10 );1109 1110 function cmb_enqueue_scripts(){1108 add_action( 'admin_enqueue_scripts', 'pixtypes_cmb_register_scripts', 10 ); 1109 1110 function pixtypes_cmb_enqueue_scripts(){ 1111 1111 wp_enqueue_script( 'cmb-timepicker' ); 1112 1112 wp_enqueue_script( 'cmb-scripts' ); … … 1114 1114 } 1115 1115 1116 function cmb_editor_footer_scripts() {1117 if ( isset( $_GET['cmb_force_send'] ) && 'true' == $_GET['cmb_force_send'] ) {1118 $label = $_GET['cmb_send_label'];1116 function pixtypes_cmb_editor_footer_scripts() { 1117 if ( isset( $_GET['cmb_force_send'] ) && 'true' === $_GET['cmb_force_send'] ) { 1118 $label = isset( $_GET['cmb_send_label'] ) ? 
sanitize_text_field( $_GET['cmb_send_label'] ) : ''; 1119 1119 if ( empty( $label ) ) { 1120 1120 $label = esc_html__( 'Select File', 'pixtypes' ); … … 1122 1122 <script type="text/javascript"> 1123 1123 jQuery(function ($) { 1124 $('td.savesend input').val( '<?php echo esc_html( $label , 'pixtypes' ); ?>');1124 $('td.savesend input').val(<?php echo wp_json_encode( $label ); ?>); 1125 1125 }); 1126 1126 </script> … … 1129 1129 } 1130 1130 1131 add_action( 'admin_print_footer_scripts', ' cmb_editor_footer_scripts', 99 );1131 add_action( 'admin_print_footer_scripts', 'pixtypes_cmb_editor_footer_scripts', 99 ); 1132 1132 1133 1133 // Force 'Insert into Post' button from Media Library 1134 add_filter( 'get_media_item_args', ' cmb_force_send' );1135 function cmb_force_send( $args ) {1134 add_filter( 'get_media_item_args', 'pixtypes_cmb_force_send' ); 1135 function pixtypes_cmb_force_send( $args ) { 1136 1136 1137 1137 // if the Gallery tab is opened from a custom meta box field, add Insert Into Post button … … 1184 1184 } 1185 1185 1186 add_action( 'wp_ajax_cmb_oembed_handler', ' cmb_oembed_ajax_results' );1186 add_action( 'wp_ajax_cmb_oembed_handler', 'pixtypes_cmb_oembed_ajax_results' ); 1187 1187 /** 1188 1188 * Handles our oEmbed ajax request 1189 1189 */ 1190 function cmb_oembed_ajax_results() {1190 function pixtypes_cmb_oembed_ajax_results() { 1191 1191 1192 1192 // verify our nonce … … 1208 1208 // Post ID is needed to check for embeds 1209 1209 if ( isset( $_REQUEST['post_id'] ) ) { 1210 $GLOBALS['post'] = get_post( $_REQUEST['post_id']);1210 $GLOBALS['post'] = get_post( absint( $_REQUEST['post_id'] ) ); 1211 1211 } 1212 1212 // ping WordPress for an embed … … 1217 1217 if ( $check_embed && $check_embed != $fallback ) { 1218 1218 // Embed data 1219 $return = '<div class="embed_status">' . $check_embed . '<a href="#" class="cmb_remove_file_button" rel="' . $_REQUEST['field_id']. '">' . esc_html__( 'Remove Embed', 'pixtypes' ) . 
'</a></div>';1219 $return = '<div class="embed_status">' . $check_embed . '<a href="#" class="cmb_remove_file_button" rel="' . esc_attr( sanitize_text_field( $_REQUEST['field_id'] ) ) . '">' . esc_html__( 'Remove Embed', 'pixtypes' ) . '</a></div>'; 1220 1220 // set our response id 1221 1221 $found = 'found'; … … 1239 1239 1240 1240 // create an ajax call which will return a preview to the current gallery 1241 function ajax_pixgallery_preview() { 1241 function pixtypes_ajax_pixgallery_preview() { 1242 check_ajax_referer( 'pixtypes_gallery_preview', 'nonce' ); 1243 1244 if ( ! current_user_can( 'upload_files' ) ) { 1245 wp_send_json_error( 'Unauthorized' ); 1246 } 1247 1242 1248 $result = array( 'success' => false, 'output' => '' ); 1243 1249 1244 if ( isset( $_REQUEST['attachments_ids'] ) ) { 1245 $ids = $_REQUEST['attachments_ids']; 1246 } 1250 $ids = isset( $_REQUEST['attachments_ids'] ) ? sanitize_text_field( $_REQUEST['attachments_ids'] ) : ''; 1251 1247 1252 if ( empty( $ids ) ) { 1248 echo json_encode( $result );1253 echo wp_json_encode( $result ); 1249 1254 exit; 1250 1255 } 1251 1256 1252 $ids = rtrim( $ids, ',');1253 $ids = explode( ',',$ids );1257 $ids = array_map( 'absint', explode( ',', rtrim( $ids, ',' ) ) ); 1258 $ids = array_filter( $ids ); 1254 1259 1255 1260 $size = 'thumbnail'; … … 1261 1266 foreach ( $ids as $id ) { 1262 1267 $attach = wp_get_attachment_image_src( $id, $size, false ); 1263 1264 $result["output"] .= '<li><img src="' . $attach[0] . '" /></li>'; 1268 if ( $attach ) { 1269 $result["output"] .= '<li><img src="' . esc_url( $attach[0] ) . 
'" /></li>'; 1270 } 1265 1271 } 1266 1272 $result["success"] = true; 1267 echo json_encode( $result );1273 echo wp_json_encode( $result ); 1268 1274 exit; 1269 1275 } 1270 1276 1271 add_action( 'wp_ajax_ajax_pixgallery_preview', 'ajax_pixgallery_preview' ); 1272 1273 function ajax_pixplaylist_preview() { 1274 1275 if ( isset( $_REQUEST['attachments_ids'] ) ) { 1276 $ids = $_REQUEST['attachments_ids']; 1277 } 1277 add_action( 'wp_ajax_ajax_pixgallery_preview', 'pixtypes_ajax_pixgallery_preview' ); 1278 1279 function pixtypes_ajax_pixplaylist_preview() { 1280 check_ajax_referer( 'pixtypes_playlist_preview', 'nonce' ); 1281 1282 if ( ! current_user_can( 'upload_files' ) ) { 1283 wp_send_json_error( 'Unauthorized' ); 1284 } 1285 1286 $ids = isset( $_REQUEST['attachments_ids'] ) ? sanitize_text_field( $_REQUEST['attachments_ids'] ) : ''; 1278 1287 1279 1288 if ( empty( $ids ) ) { … … 1282 1291 } 1283 1292 1284 $ids = explode( ',', $ids ); 1293 $ids = array_map( 'absint', explode( ',', $ids ) ); 1294 $ids = array_filter( $ids ); 1285 1295 1286 1296 $result = ''; 1287 1297 foreach ( $ids as $id ) { 1288 $result .= '<li><span class="dashicons dashicons-format-video"></span><span class="attachment_title">' . get_the_title( $id) . '</span></li>';1298 $result .= '<li><span class="dashicons dashicons-format-video"></span><span class="attachment_title">' . esc_html( get_the_title( $id ) ) . '</span></li>'; 1289 1299 } 1290 1300 … … 1293 1303 } 1294 1304 1295 add_action( 'wp_ajax_pixplaylist_preview', ' ajax_pixplaylist_preview' );1305 add_action( 'wp_ajax_pixplaylist_preview', 'pixtypes_ajax_pixplaylist_preview' ); 1296 1306 1297 1307 -
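Review bot: In pixtypes_cmb_oembed_ajax_results (line 1219) `$_REQUEST['field_id']` is read without an isset guard, so a request that omits the parameter raises an undefined-array-key warning under PHP 8 before sanitize_text_field() ever runs; the function's start and its nonce check are outside this hunk. The other new superglobal reads (1118, 1250, 1286) pass the raw value to sanitize_text_field() without wp_unslash(), and since WordPress adds slashes to request data a label containing a quote at 1118 would keep its backslash (for the comma-separated id lists at 1250 and 1286 absint makes this moot). Both points are covered by guarding and unslashing once, e.g. `$field_id = isset( $_REQUEST['field_id'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['field_id'] ) ) : '';` and then using `esc_attr( $field_id )` in the markup at 1219.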
pixtypes/tags/2.0.0/features/metaboxes/js/pixgallery.js
r2487861 r3469313 121 121 if ( ids !== '' ) { 122 122 $.ajax({ 123 type: "post", url: locals.ajax_url, data: {action: 'ajax_pixgallery_preview', attachments_ids: ids },123 type: "post", url: locals.ajax_url, data: {action: 'ajax_pixgallery_preview', attachments_ids: ids, nonce: locals.nonce}, 124 124 beforeSend: function () { 125 125 $('.open_pixgallery i').removeClass('dashicons-images-alt2'); -
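Review bot: The request now sends `nonce: locals.nonce`, and the PHP handler rejects the call through check_ajax_referer( 'pixtypes_gallery_preview', 'nonce' ) unless that property carries a matching nonce; the script-registration hunk (init.php 1055–1106) is collapsed in this changeset, so it is not visible here that `locals` is localized with wp_create_nonce( 'pixtypes_gallery_preview' ). The same dependency applies to piximage.js (`locals.nonce`, same action) and pixplaylist.js (`playlist_locals.nonce`, checked against 'pixtypes_playlist_preview'). If the value is not localized, check_ajax_referer() dies with `-1` and the success callbacks, which lie outside these hunks, would presumably receive that instead of the JSON they expect.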
pixtypes/tags/2.0.0/features/metaboxes/js/piximage.js
r2487861 r3469313 129 129 if ( id != '' && id != '-1' ) { 130 130 $.ajax({ 131 type: "post", url: locals.ajax_url, data: {action: 'ajax_pixgallery_preview', attachments_ids: id },131 type: "post", url: locals.ajax_url, data: {action: 'ajax_pixgallery_preview', attachments_ids: id, nonce: locals.nonce}, 132 132 beforeSend: function () { 133 133 $elem.find('.open_piximage i').removeClass('dashicons-images-alt2'); -
pixtypes/tags/2.0.0/features/metaboxes/js/pixplaylist.js
r2487861 r3469313 108 108 data: { 109 109 action: 'pixplaylist_preview', 110 attachments_ids: ids 110 attachments_ids: ids, 111 nonce: playlist_locals.nonce 111 112 }, 112 113 success: function( response ) { -
pixtypes/tags/2.0.0/features/metaboxes/metaboxes.php
r1745422 r3469313 10 10 11 11 12 function load_metaboxes_fromdb( $meta_boxes ) {12 function pixtypes_load_metaboxes_fromdb( $meta_boxes ) { 13 13 // make sure we are in good working order 14 14 if ( empty( $meta_boxes ) ) { … … 40 40 return $meta_boxes; 41 41 } 42 add_filter( 'cmb_meta_boxes', ' load_metaboxes_fromdb', 1 );42 add_filter( 'cmb_meta_boxes', 'pixtypes_load_metaboxes_fromdb', 1 ); 43 43 44 44 /** … … 49 49 * @return array 50 50 */ 51 function gather_metaboxes_dynamically( $meta_boxes ) {51 function pixtypes_gather_metaboxes_dynamically( $meta_boxes ) { 52 52 // make sure we are in good working order 53 53 if ( empty( $meta_boxes ) ) { … … 57 57 return apply_filters( 'pixelgrade_filter_metaboxes', $meta_boxes ); 58 58 } 59 add_filter( 'cmb_meta_boxes', ' gather_metaboxes_dynamically', 10 );59 add_filter( 'cmb_meta_boxes', 'pixtypes_gather_metaboxes_dynamically', 10 ); 60 60 61 61 /* 62 62 * Initialize the metabox class. 63 63 */ 64 function cmb_initialize_cmb_meta_boxes() {64 function pixtypes_cmb_initialize_meta_boxes() { 65 65 66 66 if ( ! class_exists( 'cmb_Meta_Box' ) ) { … … 72 72 73 73 } 74 add_action( 'init', ' cmb_initialize_cmb_meta_boxes', 9999 );74 add_action( 'init', 'pixtypes_cmb_initialize_meta_boxes', 9999 ); -
pixtypes/tags/2.0.0/pixtypes.php
r2956824 r3469313 4 4 * Plugin URI: https://wordpress.org/plugins/pixtypes/ 5 5 * Description: Custom post types and meta-boxes needed by your themes. 6 * Version: 1.4.166 * Version: 2.0.0 7 7 * Author: Pixelgrade 8 8 * Author URI: https://pixelgrade.com 9 9 * Author Email: [email protected] 10 * Requires at least: 4.9.9 11 * Tested up to: 6.3.0 10 * Requires at least: 6.0 11 * Tested up to: 6.7 12 * Requires PHP: 7.4 12 13 * Text Domain: pixtypes 13 14 * License: GPL-2.0 or later. … … 21 22 } 22 23 23 // ensure EXT is defined24 if ( ! defined( ' EXT' ) ) {25 define( ' EXT', '.php' );24 // ensure PIXTYPES_EXT is defined 25 if ( ! defined( 'PIXTYPES_EXT' ) ) { 26 define( 'PIXTYPES_EXT', '.php' ); 26 27 } 27 28 28 require 'core/bootstrap' . EXT;29 require 'core/bootstrap' . PIXTYPES_EXT; 29 30 30 $config = include 'plugin-config' . EXT;31 $config = include 'plugin-config' . PIXTYPES_EXT; 31 32 // set textdomain 32 33 pixtypes::settextdomain( $config['textdomain'] ); … … 35 36 // ---------------- 36 37 37 $defaults = include 'plugin-defaults' . EXT;38 $defaults = include 'plugin-defaults' . PIXTYPES_EXT; 38 39 39 40 $current_data = get_option( $config['settings-key'] ); … … 61 62 62 63 global $pixtypes_plugin; 63 $pixtypes_plugin = PixTypesPlugin::get_instance( ' 1.4.15' );64 $pixtypes_plugin = PixTypesPlugin::get_instance( '2.0.0' ); -
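Review bot: The plugin version is still stated twice, in the `Version: 2.0.0` header and again in `PixTypesPlugin::get_instance( '2.0.0' )`, and the removed side shows these had already drifted apart (1.4.16 vs 1.4.15). Defining it once, e.g. `define( 'PIXTYPES_VERSION', '2.0.0' );` next to the `PIXTYPES_EXT` guard and passing `PIXTYPES_VERSION` to `get_instance()`, keeps the next bump from reintroducing the mismatch. The `if ( ! defined( 'PIXTYPES_EXT' ) )` guard also means a value predefined elsewhere decides which files the `require`/`include` lines load; a comment such as `// PIXTYPES_EXT may be predefined by the bootstrap; it must be a file extension, never a path` would record that expectation.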
pixtypes/tags/2.0.0/plugin-config.php
r1591155 r3469313 3 3 $basepath = dirname( __FILE__ ) . DIRECTORY_SEPARATOR; 4 4 5 $debug = false; 6 if ( isset( $_GET['debug'] ) && $_GET['debug'] == 'true' ) { 7 $debug = true; 8 } 5 $debug = defined( 'WP_DEBUG' ) && WP_DEBUG; 9 6 10 7 $options = get_option( 'pixtypes_settings' ); … … 30 27 'fields' => array( 31 28 'hiddens' 32 => include 'settings/hiddens' . EXT,29 => include 'settings/hiddens' . PIXTYPES_EXT, 33 30 'post_types' 34 => include 'settings/post_types' . EXT,31 => include 'settings/post_types' . PIXTYPES_EXT, 35 32 'taxonomies' 36 => include 'settings/taxonomies' . EXT,33 => include 'settings/taxonomies' . PIXTYPES_EXT, 37 34 ), 38 35 -
pixtypes/tags/2.0.0/readme.txt
r2956824 r3469313 2 2 Contributors: pixelgrade, babbardel, vlad.olaru, razvanonofrei 3 3 Tags: custom, post-types, metadata, builder, gallery 4 Requires at least: 4.9.95 Tested up to: 6. 3.06 Requires PHP: 5.3.07 Stable tag: 1.4.164 Requires at least: 6.0 5 Tested up to: 6.9.1 6 Requires PHP: 7.4 7 Stable tag: 2.0.0 8 8 License: GPLv2 or later 9 9 License URI: http://www.gnu.org/licenses/gpl-2.0.html … … 24 24 25 25 == Changelog == 26 27 = 2.0.0 = 28 * Security: Fixed Stored XSS vulnerability in HTML attribute rendering (HTMLTag class). 29 * Security: Fixed Reflected XSS via field_id parameter in oEmbed handler. 30 * Security: Fixed XSS via cmb_send_label using proper JS escaping (wp_json_encode). 31 * Security: Added nonce verification and capability checks to gallery AJAX preview handler. 32 * Security: Added nonce verification and capability checks to playlist AJAX preview handler. 33 * Security: Added capability check (manage_options) to theme settings cleanup AJAX handler. 34 * Security: Removed URL-controllable debug mode; now tied to WP_DEBUG constant. 35 * Security: Added output escaping throughout admin views and form templates. 36 * Security: Restricted POST input processing to expected fields only. 37 * Security: Sanitized all $_GET/$_POST/$_REQUEST superglobal usage with appropriate functions. 38 * Security: Updated nonce action strings to use specific identifiers. 39 * Improvement: Prefixed all global functions with pixtypes_ to prevent namespace collisions. 40 * Improvement: Removed deprecated &$this reference patterns for PHP 8 compatibility. 41 * Improvement: Updated minimum requirements to WordPress 6.0 and PHP 7.4. 42 * Improvement: Replaced EXT constant with PIXTYPES_EXT to avoid conflicts. 26 43 27 44 = 1.4.16 = -
pixtypes/tags/2.0.0/views/admin.php
r2895213 r3469313 13 13 */ 14 14 15 $config = include pixtypes::pluginpath() . 'plugin-config' . EXT;15 $config = include pixtypes::pluginpath() . 'plugin-config' . PIXTYPES_EXT; 16 16 17 17 // invoke processor … … 62 62 <?php echo $f->endform() ?> 63 63 64 <?php elseif ( $status['state'] == 'error'): ?>64 <?php elseif ( 'error' === $status['state'] ): ?> 65 65 66 66 <h3><?php esc_html_e( 'Critical Error', 'pixtypes' ); ?></h3> 67 67 68 <p><?php echo $status['message']?></p>68 <p><?php echo esc_html( $status['message'] ); ?></p> 69 69 70 70 <?php endif; ?> … … 89 89 if ( isset( $options['themes'] ) && count( $options['themes'] ) > 1 ) { 90 90 foreach ( $options['themes'] as $key => $theme ) { 91 echo '<li><button class="button delete-action" type="submit" name="unset_pixtype" value="' . $key . '">' . esc_html__( 'Clean-up after', 'pixtypes' ) . ' ' . ucfirst( $key) . '</button></li>';91 echo '<li><button class="button delete-action" type="submit" name="unset_pixtype" value="' . esc_attr( $key ) . '">' . esc_html__( 'Clean-up after', 'pixtypes' ) . ' ' . esc_html( ucfirst( $key ) ) . '</button></li>'; 92 92 } 93 93 } ?> -
pixtypes/trunk/README.md
r1744797 r3469313 139 139 ``` 140 140 141 === Old Change Log === 142 143 1.3.5 144 Improved the multicheck field 145 146 1.3.2 147 WordPress 4.3 compatibility 148 Fixed Sticky buttons for the PixBuilder field 149 150 1.3.1 151 152 Allow portfolio to be a jetpack compatible type 153 Small fixes to the gallery field 154 155 1.2.10 156 157 Show / Hide options bug fix 158 159 1.2.9 160 161 Gmap pins added 162 163 1.2.6 164 165 Builder field added 166 Support for wp 4.0 167 Small fixes 168 169 1.2.2 170 171 Small fixes to metaboxes 172 173 1.2.1 174 175 Github Updater slug fix 176 And small fixes... 177 178 1.2.0 179 180 Ajax Update 181 Gallery Metabox works now even if there is no wp-editor on page 182 And small fixes... 183 184 1.1.0 185 186 Add admin panel 187 Fixes 188 189 1.0.0 - Here we go 141 ## Development Notes 142 Gulp 3.x doesn't work on Node.js 12.x or above. You have to downgrade Node.js to 11.5.0 143 ``` 144 nvm install 11.15.0 145 nvm use 11.15.0 # Just in case it didn't automatically select the 11.15.0 as the main node. 146 nvm uninstall 13.1.0 147 npm rebuild node-sass 148 ``` -
pixtypes/trunk/class-pixtypes.php
r2127881 r3469313 106 106 * Ajax Callbacks - only for logged in users 107 107 */ 108 add_action( 'wp_ajax_unset_pixtypes', array( &$this, 'ajax_unset_pixtypes' ) );108 add_action( 'wp_ajax_unset_pixtypes', array( $this, 'ajax_unset_pixtypes' ) ); 109 109 } 110 110 … … 649 649 function ajax_unset_pixtypes() { 650 650 $result = array( 'success' => false, 'msg' => 'Incorrect nonce' ); 651 652 if ( ! current_user_can( 'manage_options' ) ) { 653 wp_send_json_error( 'Unauthorized' ); 654 } 655 651 656 if ( ! wp_verify_nonce( $_POST['_ajax_nonce'], 'unset_pixtype' ) ) { 652 echo json_encode( $result );657 echo wp_json_encode( $result ); 653 658 die(); 654 659 } 655 660 656 661 if ( isset( $_POST['theme_slug'] ) ) { 657 $key = $_POST['theme_slug'];662 $key = sanitize_key( $_POST['theme_slug'] ); 658 663 $options = get_option( 'pixtypes_settings' ); 659 664 if ( isset( $options['themes'][ $key ] ) ) { 660 665 unset( $options['themes'][ $key ] ); 661 666 update_option( 'pixtypes_settings', $options ); 662 $result['msg'] = 'Settings for ' . ucfirst( $key) . ' have been cleaned up!';667 $result['msg'] = 'Settings for ' . esc_html( ucfirst( $key ) ) . ' have been cleaned up!'; 663 668 $result['success'] = true; 664 669 } 665 670 } 666 671 667 echo json_encode( $result );672 echo wp_json_encode( $result ); 668 673 exit; 669 674 } -
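Review bot: `$_POST['_ajax_nonce']` on line 656 is still read without an existence check, so a request missing the field raises an "Undefined array key" warning before `wp_verify_nonce()` rejects it; `if ( ! check_ajax_referer( 'unset_pixtype', '_ajax_nonce', false ) ) {` does the lookup and verification in one step. The new capability check on line 653 answers with `wp_send_json_error( 'Unauthorized' )`, whose payload is `{ success, data }`, while the nonce failure and the success path keep the hand-built `{ success, msg }` shape; the client presumably reads `msg`, so one of the two forms should be used for all three outcomes. After `sanitize_key()` the `esc_html()` around `ucfirst( $key )` on line 667 is redundant and, since the string is sent as JSON rather than printed, escaping belongs where the JavaScript inserts it into the page.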
pixtypes/trunk/core/bootstrap.php
r1115891 r3469313 1 1 <?php defined('ABSPATH') or die; 2 2 3 // ensure EXT is defined4 if ( ! defined(' EXT')) {5 define(' EXT', '.php');3 // ensure PIXTYPES_EXT is defined 4 if ( ! defined('PIXTYPES_EXT')) { 5 define('PIXTYPES_EXT', '.php'); 6 6 } 7 7 8 8 $basepath = dirname(__FILE__).DIRECTORY_SEPARATOR; 9 require $basepath.'core'. EXT;9 require $basepath.'core'.PIXTYPES_EXT; 10 10 11 11 // load classes -
pixtypes/trunk/core/classes/HTMLTag.php
r1744797 r3469313 57 57 if ( ! empty($value)) { 58 58 if (is_array($value)) { 59 $htmlvalue = implode(' ', $value);59 $htmlvalue = esc_attr( implode(' ', $value) ); 60 60 $attr_segments[] = "$key=\"$htmlvalue\""; 61 61 } 62 62 else { // value is not an array 63 $attr_segments[] = "$key=\" $value\"";63 $attr_segments[] = "$key=\"" . esc_attr( $value ) . "\""; 64 64 } 65 65 } 66 66 else { // empty html tag; ie. no value html tag 67 $attr_segments[] = $key;67 $attr_segments[] = esc_attr( $key ); 68 68 } 69 69 } -
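Review bot: `esc_attr( $key )` is applied to the attribute name only in the empty-value branch on line 67, while lines 60 and 63 still interpolate `$key` raw into `"$key=\"...\""`, so the name is handled inconsistently across the three branches. `esc_attr()` is designed for attribute values and only encodes `<>&"'`; it does not reject whitespace or `=` in a name, so if attribute keys can come from anywhere other than literals in the calling code, a name check such as `if ( ! preg_match( '/^[A-Za-z][\w:.-]*$/', $key ) ) { continue; }` is what actually constrains them (keys are presumably developer-supplied, which would make this low risk). The method enclosing this loop starts and ends outside the hunk.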
pixtypes/trunk/core/classes/Processor.php
r1744797 r3469313 155 155 $plugin_cleanup = $this->meta->get('cleanup', array()); 156 156 157 // Only process expected fields — discard any extra $_POST keys. 158 $allowed_keys = array_keys( $this->fields->metadata_array() ); 159 $input = array_intersect_key( $input, array_flip( $allowed_keys ) ); 160 157 161 foreach ($this->fields->metadata_array() as $key => $field) { 158 162 -
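Review bot: `$this->fields->metadata_array()` is now called twice back to back, on line 158 and again in the `foreach` on line 161; hoisting it also removes the `array_flip`: `$metadata = $this->fields->metadata_array(); $input = array_intersect_key( $input, $metadata ); foreach ( $metadata as $key => $field ) {`. The loop itself already visits only expected keys, so whether the whitelist changes behaviour depends on how `$input` is used after the loop, which is outside the hunk. The enclosing method starts and ends outside the hunk.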
pixtypes/trunk/core/classes/forms/FormField.php
r1744797 r3469313 70 70 foreach ($template_paths as $path) { 71 71 $dirpath = rtrim($path, '\\/').DIRECTORY_SEPARATOR; 72 if (file_exists($dirpath.$pattern. EXT)) {73 return $this->render_template_file($dirpath.$pattern. EXT);72 if (file_exists($dirpath.$pattern.PIXTYPES_EXT)) { 73 return $this->render_template_file($dirpath.$pattern.PIXTYPES_EXT); 74 74 } 75 75 } -
pixtypes/trunk/core/core.php
r1275567 r3469313 21 21 static function defaults() { 22 22 if (self::$defaults === null) { 23 self::$defaults = include self::corepath().'defaults'. EXT;23 self::$defaults = include self::corepath().'defaults'.PIXTYPES_EXT; 24 24 } 25 25 … … 269 269 270 270 foreach ($priority_list as $file => $priority) { 271 if (strpos($file, EXT)) {271 if (strpos($file, PIXTYPES_EXT)) { 272 272 require $file; 273 273 } -
pixtypes/trunk/core/tests/bootstrap.php
r1115891 r3469313 1 1 <?php defined('ABSPATH') or die; 2 2 3 // ensure EXT is defined4 if ( ! defined(' EXT')) {5 define(' EXT', '.php');3 // ensure PIXTYPES_EXT is defined 4 if ( ! defined('PIXTYPES_EXT')) { 5 define('PIXTYPES_EXT', '.php'); 6 6 } 7 7 … … 9 9 10 10 $basepath = realpath('..').DIRECTORY_SEPARATOR; 11 require $basepath.'bootstrap'. EXT;11 require $basepath.'bootstrap'.PIXTYPES_EXT; -
pixtypes/trunk/core/views/form-partials/fields/color.php
r1115891 r3469313 10 10 11 11 $type = 'color'; 12 include 'text'. EXT;12 include 'text'.PIXTYPES_EXT; 13 13 -
pixtypes/trunk/core/views/form-partials/fields/counter.php
r1115891 r3469313 37 37 <input <?php echo $field->htmlattributes($attrs) ?> class="small-text" /> 38 38 <?php else: # standard field ?> 39 <label for="<?php echo $idname?>">39 <label for="<?php echo esc_attr( $idname ) ?>"> 40 40 <input <?php echo $field->htmlattributes($attrs) ?> /> 41 <?php echo $label?>41 <?php echo esc_html( $label ) ?> 42 42 </label> 43 43 <?php endif; ?> -
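Review bot: `esc_html( $label )` on line 41 removes any markup a theme may have placed in a label, whereas `switch.php` in this same changeset preserves it with `wp_kses_post( $processed_label )`; the same `esc_html` choice is made for labels, notes and descriptions in group.php, postbox.php, tabular-group.php and text.php. If labels and descriptions are meant to be plain text this is correct and a comment such as `// labels and notes are plain text; markup is not supported here` would record the decision; if themes pass links or emphasis, `wp_kses_post()` is the consistent choice. Which is intended cannot be determined from the hunk.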
pixtypes/trunk/core/views/form-partials/fields/group.php
r1115891 r3469313 22 22 $fieldexample = $field->getmeta('group-example', null); 23 23 $fieldnote = $field->getmeta('group-note', null); ?> 24 <div class="field" <?php if ( $fieldconfig['type'] == 'group' ) echo 'id="' . $fieldname. '"'; ?> >24 <div class="field" <?php if ( $fieldconfig['type'] == 'group' ) echo 'id="' . esc_attr( $fieldname ) . '"'; ?> > 25 25 <?php echo $field->render(); 26 26 if ( ! empty($fieldnote)): ?> 27 <span class="field-note"><?php echo $fieldnote?></span>27 <span class="field-note"><?php echo esc_html( $fieldnote ) ?></span> 28 28 <?php endif; ?> 29 29 </div> -
pixtypes/trunk/core/views/form-partials/fields/postbox.php
r1115891 r3469313 12 12 <div class="postbox"> 13 13 <div class="handlediv" title="Click to toggle"><br></div> 14 <h3 class="hndle"><span><?php echo $label?></span></h3>14 <h3 class="hndle"><span><?php echo esc_html( $label ) ?></span></h3> 15 15 16 16 <div class="inside"> … … 24 24 $show_group = $field->getmeta('show_group', null); ?> 25 25 26 <div class="row" <?php if ( $fieldconfig['type'] == 'group' ) echo 'id="' . $fieldname. '"'; ?>>26 <div class="row" <?php if ( $fieldconfig['type'] == 'group' ) echo 'id="' . esc_attr( $fieldname ) . '"'; ?>> 27 27 <?php if ( ! empty($fielddesc)): ?> 28 <div class="field-desc"><?php echo $fielddesc?></div>28 <div class="field-desc"><?php echo esc_html( $fielddesc ) ?></div> 29 29 <?php endif; 30 30 echo $field->render(); 31 31 if ( ! empty($fieldnote)): ?> 32 <span class="note"><?php echo $fieldnote?></span>32 <span class="note"><?php echo esc_html( $fieldnote ) ?></span> 33 33 <?php endif; ?> 34 34 </div> -
pixtypes/trunk/core/views/form-partials/fields/select.php
r1115891 r3469313 24 24 <?php foreach ($this->getmeta('options', array()) as $key => $label): ?> 25 25 <option <?php if ($key == $selected): ?>selected<?php endif; ?> 26 value="<?php echo $key?>">27 <?php echo $label?>26 value="<?php echo esc_attr( $key ) ?>"> 27 <?php echo esc_html( $label ) ?> 28 28 </option> 29 29 <?php endforeach; ?> -
pixtypes/trunk/core/views/form-partials/fields/switch.php
r1115891 r3469313 55 55 <div class="switch"> 56 56 <input <?php echo $field->htmlattributes($attrs) ?> /> 57 <label for="<?php echo $idname ?>"><?php echo $processed_label?></label>57 <label for="<?php echo esc_attr( $idname ) ?>"><?php echo wp_kses_post( $processed_label ) ?></label> 58 58 </div> 59 59 <?php else: # rendering != 'inline' ?> 60 <label for="<?php echo $idname?>">60 <label for="<?php echo esc_attr( $idname ) ?>"> 61 61 <input <?php echo $field->htmlattributes($attrs) ?> /> 62 <?php echo $processed_label?>62 <?php echo wp_kses_post( $processed_label ) ?> 63 63 </label> 64 64 <?php endif; ?> -
pixtypes/trunk/core/views/form-partials/fields/tabular-group.php
r1115891 r3469313 12 12 <tr valign="top"> 13 13 <th scope="row"> 14 <?php echo $label?>14 <?php echo esc_html( $label ) ?> 15 15 </th> 16 16 <td> … … 18 18 19 19 <legend class="screen-reader-text"> 20 <span><?php echo $label?></span>20 <span><?php echo esc_html( $label ) ?></span> 21 21 </legend> 22 22 … … 28 28 <?php if ($field->hasmeta('note')): ?> 29 29 <small> 30 <em>(<?php echo $field->getmeta('note') ?>)</em>30 <em>(<?php echo esc_html( $field->getmeta('note') ) ?>)</em> 31 31 </small> 32 32 <?php endif; ?> -
pixtypes/trunk/core/views/form-partials/fields/text.php
r1115891 r3469313 24 24 <?php elseif ($rendering == 'blocks'): ?> 25 25 <div class="text"> 26 <label id="<?php echo $name ?>"><?php echo $label?></label>26 <label id="<?php echo esc_attr( $name ) ?>"><?php echo esc_html( $label ) ?></label> 27 27 <input <?php echo $field->htmlattributes($attrs) ?> /> 28 <span><?php echo $desc?></span>28 <span><?php echo esc_html( $desc ) ?></span> 29 29 </div> 30 30 <?php else: # ?> 31 31 <div> 32 <p><?php echo $desc?></p>33 <label id="<?php echo $name?>">34 <?php echo $label?>32 <p><?php echo esc_html( $desc ) ?></p> 33 <label id="<?php echo esc_attr( $name ) ?>"> 34 <?php echo esc_html( $label ) ?> 35 35 <input <?php echo $field->htmlattributes($attrs) ?>/> 36 36 </label> -
pixtypes/trunk/features/metaboxes/cmb-field-select2-v2/cmb-field-select2.php
r2124639 r3469313 34 34 */ 35 35 function pw_select_v2( $field, $meta ) { 36 echo '<select name="', $field['id'], '" id="', $field['id'], '" data-placeholder="' . $field['desc']. '" class="select2">';36 echo '<select name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" data-placeholder="' . esc_attr( $field['desc'] ) . '" class="select2">'; 37 37 echo '<option></option>'; 38 38 if ( isset( $field['options'] ) && ! empty( $field['options'] ) ) { … … 41 41 $opt_value = is_array( $option ) && array_key_exists( 'value', $option ) ? $option['value'] : $option_key; 42 42 43 echo '<option value="', $opt_value, '" ', selected( $meta == $opt_value ) ,'>', $opt_label, '</option>';43 echo '<option value="', esc_attr( $opt_value ), '" ', selected( $meta == $opt_value ) ,'>', esc_html( $opt_label ), '</option>'; 44 44 } 45 45 } … … 53 53 $options = array(); 54 54 55 echo '<select name="', $field['id'], '[]" id="', $field['id'], '" data-placeholder="' . $field['desc']. '" class="select2">';55 echo '<select name="', esc_attr( $field['id'] ), '[]" id="', esc_attr( $field['id'] ), '" data-placeholder="' . esc_attr( $field['desc'] ) . '" class="select2">'; 56 56 echo '<option></option>'; 57 57 if ( isset( $field['options'] ) && ! empty( $field['options'] ) ) { … … 60 60 $opt_value = is_array( $option ) && array_key_exists( 'value', $option ) ? $option['value'] : $option_key; 61 61 62 echo '<option value="', $opt_value, '" ', selected( $meta == $opt_value ) ,'>', $opt_label, '</option>';62 echo '<option value="', esc_attr( $opt_value ), '" ', selected( $meta == $opt_value ) ,'>', esc_html( $opt_label ), '</option>'; 63 63 } 64 64 } … … 86 86 } 87 87 88 echo '<select name="', $field['id'], '[]" id="', $field['id'], '" data-placeholder="' . $field['desc']. '" data-allow-clear="false" multiple class="select2">';88 echo '<select name="', esc_attr( $field['id'] ), '[]" id="', esc_attr( $field['id'] ), '" data-placeholder="' . esc_attr( $field['desc'] ) . 
'" data-allow-clear="false" multiple class="select2">'; 89 89 90 90 if ( ! empty( $cpt_posts ) ) { 91 91 foreach ( $cpt_posts as $post ) { 92 echo '<option value="', $post->ID, '" ', selected( in_array( $post->ID, $meta ), true ) ,'>', $post->post_title, '</option>';92 echo '<option value="', esc_attr( $post->ID ), '" ', selected( in_array( $post->ID, $meta ), true ) ,'>', esc_html( $post->post_title ), '</option>'; 93 93 } 94 94 } -
pixtypes/trunk/features/metaboxes/cmb-field-select2/cmb-field-select2.php
r1410208 r3469313 34 34 */ 35 35 function pw_select( $field, $meta ) { 36 echo '<select name="', $field['id'], '" id="', $field['id'], '" data-placeholder="' . $field['desc']. '" class="select2">';36 echo '<select name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" data-placeholder="' . esc_attr( $field['desc'] ) . '" class="select2">'; 37 37 echo '<option></option>'; 38 38 if ( isset( $field['options'] ) && ! empty( $field['options'] ) ) { … … 41 41 $opt_value = is_array( $option ) && array_key_exists( 'value', $option ) ? $option['value'] : $option_key; 42 42 43 echo '<option value="', $opt_value, '" ', selected( $meta == $opt_value ) ,'>', $opt_label, '</option>';43 echo '<option value="', esc_attr( $opt_value ), '" ', selected( $meta == $opt_value ) ,'>', esc_html( $opt_label ), '</option>'; 44 44 } 45 45 } … … 71 71 } 72 72 73 echo '<input type="hidden" name="' . $field['id'] . '" id="' . $field['id'] . '" data-placeholder="' . $field['desc'] . '" class="select2" value="' . $meta. '" />';73 echo '<input type="hidden" name="' . esc_attr( $field['id'] ) . '" id="' . esc_attr( $field['id'] ) . '" data-placeholder="' . esc_attr( $field['desc'] ) . '" class="select2" value="' . esc_attr( $meta ) . '" />'; 74 74 } 75 75 … … 108 108 } 109 109 110 echo '<input type="hidden" name="' . $field['id'] . '" id="' . $field['id'] . '" data-placeholder="' . $field['desc'] . '" class="select2" value="' . $meta. '" />';110 echo '<input type="hidden" name="' . esc_attr( $field['id'] ) . '" id="' . esc_attr( $field['id'] ) . '" data-placeholder="' . esc_attr( $field['desc'] ) . '" class="select2" value="' . esc_attr( $meta ) . '" />'; 111 111 } 112 112 -
pixtypes/trunk/features/metaboxes/css/style.css
r1944663 r3469313 3220 3220 color: #DDD; } 3221 3221 .cmb_metabox .selector-wrapper > select { 3222 width: 100%; } 3222 width: 100%; 3223 -webkit-appearance: none; 3224 -moz-appearance: none; 3225 appearance: none; } 3223 3226 3224 3227 .cmb_metabox .cmb-type-multicheck { -
pixtypes/trunk/features/metaboxes/fields/gallery.php
r1591155 r3469313 12 12 wp_localize_script( 'pixgallery', 'locals', array( 13 13 'ajax_url' => admin_url( 'admin-ajax.php' ), 14 'nonce' => wp_create_nonce( 'pixtypes_gallery_preview' ), 14 15 'pixtypes_l18n' => array( 15 16 'confirmClearGallery' => esc_html__( 'Are you sure you want to clear this gallery?', 'pixtypes' ), … … 20 21 <ul></ul> 21 22 <a class="open_pixgallery" href="#"> 22 <input type="hidden" name="<?php echo $field['id']; ?>" id="pixgalleries" value="<?php echo '' !== $meta ? $meta : $field['std']?>"/>23 <input type="hidden" name="<?php echo esc_attr( $field['id'] ); ?>" id="pixgalleries" value="<?php echo esc_attr( '' !== $meta ? $meta : $field['std'] ); ?>"/> 23 24 <div><i class="icon dashicons dashicons-images-alt2"></i> 24 25 <span><?php esc_html_e( 'Add Image', 'pixtypes' ); ?></span></div> -
pixtypes/trunk/features/metaboxes/fields/gmap_pins.php
r1591155 r3469313 17 17 global $post; ?> 18 18 <div class="gmap_pins_container"> 19 <ul class="gmap_pins" data-field_name="<?php echo $field['id']; ?>">19 <ul class="gmap_pins" data-field_name="<?php echo esc_attr( $field['id'] ); ?>"> 20 20 <?php if ( empty( $meta ) ) { 21 21 $meta = array( … … 36 36 <fieldset class="pin_location_url"> 37 37 <label 38 for="<?php echo $field['id']; ?>[<?php echo $key ?>][location_url]">#<?php echo $key. ' ' . esc_html__( 'Location URL', 'pixtypes' ); ?></label>39 <input type="text" name="<?php echo $field['id']; ?>[<?php echo $key?>][location_url]"40 value="<?php echo $pin['location_url']; ?>"/>38 for="<?php echo esc_attr( $field['id'] ); ?>[<?php echo esc_attr( $key ); ?>][location_url]">#<?php echo esc_html( $key ) . ' ' . esc_html__( 'Location URL', 'pixtypes' ); ?></label> 39 <input type="text" name="<?php echo esc_attr( $field['id'] ); ?>[<?php echo esc_attr( $key ); ?>][location_url]" 40 value="<?php echo esc_attr( $pin['location_url'] ); ?>"/> 41 41 </fieldset> 42 42 <fieldset class="pin_name"> 43 43 <label 44 for="<?php echo $field['id']; ?>[<?php echo $key?>][name]"><?php esc_html_e( 'Name', 'pixtypes' ); ?></label>45 <input type="text" name="<?php echo $field['id']; ?>[<?php echo $key?>][name]"46 value="<?php echo $pin['name']; ?>"/>44 for="<?php echo esc_attr( $field['id'] ); ?>[<?php echo esc_attr( $key ); ?>][name]"><?php esc_html_e( 'Name', 'pixtypes' ); ?></label> 45 <input type="text" name="<?php echo esc_attr( $field['id'] ); ?>[<?php echo esc_attr( $key ); ?>][name]" 46 value="<?php echo esc_attr( $pin['name'] ); ?>"/> 47 47 </fieldset> 48 48 <span class="pin_delete"></span> … … 54 54 55 55 <?php if ( isset( $field['desc'] ) && ! empty( $field['desc'] ) ) { ?> 56 <span class="cmb_metabox_description"><?php echo $field['desc']; ?></span>56 <span class="cmb_metabox_description"><?php echo wp_kses_post( $field['desc'] ); ?></span> 57 57 <?php } ?> 58 58 </div> -
pixtypes/trunk/features/metaboxes/fields/image.php
r1591155 r3469313 12 12 wp_localize_script( 'piximage', 'locals', array( 13 13 'ajax_url' => admin_url( 'admin-ajax.php' ), 14 'nonce' => wp_create_nonce( 'pixtypes_gallery_preview' ), 14 15 'pixtypes_l18n' => array( 15 16 'setThumbnailImageTitle' => esc_html__( 'Choose Image', 'pixtypes' ), … … 20 21 21 22 $class = empty( $field['class'] ) ? '' : $field['class']; ?> 22 <div id="<?php echo $field['id']; ?>" class="piximage_field hidden <?php echo $class; ?>">23 <div id="<?php echo esc_attr( $field['id'] ); ?>" class="piximage_field hidden <?php echo esc_attr( $class ); ?>"> 23 24 <ul></ul> 24 25 <a class="open_piximage" href="#"> 25 <input type="hidden" name="<?php echo $field['id']; ?>" class="piximage_id"26 value="<?php echo '' !== $meta ? $meta : $field['std']?>"/>26 <input type="hidden" name="<?php echo esc_attr( $field['id'] ); ?>" class="piximage_id" 27 value="<?php echo esc_attr( '' !== $meta ? $meta : $field['std'] ); ?>"/> 27 28 <div><i class="icon dashicons dashicons-images-alt2"></i> 28 <span><?php echo empty ( $field['button_text'] ) ? esc_html__( 'Add Image', 'pixtypes' ) : $field['button_text']; ?></span>29 <span><?php echo empty ( $field['button_text'] ) ? esc_html__( 'Add Image', 'pixtypes' ) : esc_html( $field['button_text'] ); ?></span> 29 30 </div> 30 31 <span 31 class="clear_image"><?php echo empty ( $field['clear_text'] ) ? esc_html__( 'Clear', 'pixtypes' ) : $field['clear_text']; ?></span>32 class="clear_image"><?php echo empty ( $field['clear_text'] ) ? esc_html__( 'Clear', 'pixtypes' ) : esc_html( $field['clear_text'] ); ?></span> 32 33 </a> 33 34 </div> -
pixtypes/trunk/features/metaboxes/fields/pix_builder.php
r2124639 r3469313 5 5 6 6 if( isset( $field['gridster_params'] ) ) { 7 $gridster_params = ' data-params=\'' . json_encode( $field['gridster_params']) . '\'';7 $gridster_params = ' data-params=\'' . esc_attr( wp_json_encode( $field['gridster_params'] ) ) . '\''; 8 8 } 9 9 … … 24 24 if ( $post_type !== 'page' ) { 25 25 echo '<style> 26 .post-type-' . $post_type. ' #postdivrich {26 .post-type-' . esc_html( sanitize_html_class( $post_type ) ) . ' #postdivrich { 27 27 display: none !important; 28 28 } … … 30 30 } 31 31 32 echo '<input type="hidden" name="', $field['id'], '" id="pix_builder" value="', '' !== $meta ? htmlspecialchars( $meta ) : $content, '" ' . $gridster_params . ' ' . ( $base64_decode ? 'data-base64_encoded="true"' : '' ) .' />'; ?>32 echo '<input type="hidden" name="', esc_attr( $field['id'] ), '" id="pix_builder" value="', '' !== $meta ? esc_attr( $meta ) : esc_attr( $content ), '" ' . $gridster_params . ' ' . ( $base64_decode ? 'data-base64_encoded="true"' : '' ) .' />'; ?> 33 33 <div class="pixbuilder-controls"> 34 34 <button class="add_block button button-primary button-large" … … 78 78 79 79 if ( isset( $attach[0] ) && ! empty( $attach[0] ) ) { 80 $content = '<img class="image_preview" src="' . $attach[0]. '">';81 $controls_content = '<a class="open_media" href="#" class="wp-gallery" data-attachment_id="' . $block->content. '"><span>' . esc_html__( 'Set Image', 'pixtypes' ) . '</span></a>';80 $content = '<img class="image_preview" src="' . esc_url( $attach[0] ) . '">'; 81 $controls_content = '<a class="open_media" href="#" class="wp-gallery" data-attachment_id="' . esc_attr( $block->content ) . '"><span>' . esc_html__( 'Set Image', 'pixtypes' ) . '</span></a>'; 82 82 } 83 83 } else { 84 84 $content = '<img class="image_preview">'; 85 $controls_content = '<a class="open_media" href="#" class="wp-gallery" data-attachment_id="' . $block->content. '"><span>' . esc_html__( 'Set Image', 'pixtypes' ) . 
'</pan></a>';85 $controls_content = '<a class="open_media" href="#" class="wp-gallery" data-attachment_id="' . esc_attr( $block->content ) . '"><span>' . esc_html__( 'Set Image', 'pixtypes' ) . '</pan></a>'; 86 86 } 87 87 } … … 115 115 } 116 116 } ?> 117 <li id="block_<?php echo $block->id ?>" class="block-type--<?php echo $block->type; ?> item"118 data-type="<?php echo $block->type ?>" data-row="<?php echo $block->row?>"119 data-col="<?php echo $block->col ?>" data-sizex="<?php echo $block->size_x?>"120 data-sizey="<?php echo $block->size_y?>">117 <li id="block_<?php echo esc_attr( $block->id ); ?>" class="block-type--<?php echo esc_attr( $block->type ); ?> item" 118 data-type="<?php echo esc_attr( $block->type ); ?>" data-row="<?php echo esc_attr( $block->row ); ?>" 119 data-col="<?php echo esc_attr( $block->col ); ?>" data-sizex="<?php echo esc_attr( $block->size_x ); ?>" 120 data-sizey="<?php echo esc_attr( $block->size_y ); ?>"> 121 121 <div class="item__controls"> 122 122 <ul class="nav nav--controls"> … … 131 131 class="position__ui-cell top <?php echo 0 == intval($block->position['top']) ? '' : 'active'; ?>"> 132 132 <div class="position__ui-handle" 133 data-step="<?php echo $block->position['top']; ?>"><?php esc_html_e( 'top', 'pixtypes' ); ?></div>133 data-step="<?php echo esc_attr( $block->position['top'] ); ?>"><?php esc_html_e( 'top', 'pixtypes' ); ?></div> 134 134 </div> 135 135 </div> … … 138 138 class="position__ui-cell left <?php echo 0 == intval($block->position['left']) ? 
'' : 'active'; ?>"> 139 139 <div class="position__ui-handle" 140 data-step="<?php echo $block->position['left']; ?>"><?php esc_html_e( 'left', 'pixtypes' ); ?></div>141 </div> 142 <div class="position__ui-cell middle <?php echo $middle_status; ?>">140 data-step="<?php echo esc_attr( $block->position['left'] ); ?>"><?php esc_html_e( 'left', 'pixtypes' ); ?></div> 141 </div> 142 <div class="position__ui-cell middle <?php echo esc_attr( $middle_status ); ?>"> 143 143 <div class="position__ui-handle">middle</div> 144 144 </div> … … 146 146 class="position__ui-cell right <?php echo 0 == intval($block->position['right']) ? '' : 'active'; ?>"> 147 147 <div class="position__ui-handle" 148 data-step="<?php echo $block->position['right']; ?>"><?php esc_html_e( 'right', 'pixtypes' ); ?></div>148 data-step="<?php echo esc_attr( $block->position['right'] ); ?>"><?php esc_html_e( 'right', 'pixtypes' ); ?></div> 149 149 </div> 150 150 </div> … … 153 153 class="position__ui-cell bottom <?php echo 0 == intval($block->position['bottom']) ? '' : 'active'; ?>"> 154 154 <div class="position__ui-handle" 155 data-step="<?php echo $block->position['bottom']; ?>"><?php esc_html_e( 'bottom', 'pixtypes' ); ?></div>155 data-step="<?php echo esc_attr( $block->position['bottom'] ); ?>"><?php esc_html_e( 'bottom', 'pixtypes' ); ?></div> 156 156 </div> 157 157 </div> … … 164 164 </ul> 165 165 </div> 166 <div class="item__content block_content <?php echo $empty_class; ?>">166 <div class="item__content block_content <?php echo esc_attr( $empty_class ); ?>"> 167 167 <?php echo $content ?> 168 168 </div> … … 175 175 </div> 176 176 </div> 177 <?php add_action( 'admin_footer', ' my_admin_footer_function' );178 function my_admin_footer_function() { ?>177 <?php add_action( 'admin_footer', 'pixtypes_admin_footer_function' ); 178 function pixtypes_admin_footer_function() { ?> 179 179 <div class="pix_builder_editor_modal_container" style="display:none"> 180 180 <div class="modal_wrapper"> -
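Review bot: The closing-tag typo `'</pan></a>'` on line 85 survives the escaping change and should be `'</span></a>'` to match line 81. On line 26, `esc_html( sanitize_html_class( $post_type ) )` applies HTML-entity escaping inside a `<style>` block, where entities are not decoded; `sanitize_html_class()` already reduces the value to `[A-Za-z0-9_-]`, so `'.post-type-' . sanitize_html_class( $post_type ) . ' #postdivrich {'` is the form that matches the CSS context. The template code surrounding these hunks starts and ends outside them.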
pixtypes/trunk/features/metaboxes/fields/playlist.php
r1591155 r3469313 11 11 wp_localize_script( 'pixplaylist', 'playlist_locals', array( 12 12 'ajax_url' => admin_url( 'admin-ajax.php' ), 13 'nonce' => wp_create_nonce( 'pixtypes_playlist_preview' ), 13 14 'playlist_type' => $playlist_type, 14 15 'pixtypes_l18n' => array( … … 20 21 <ul></ul> 21 22 <a class="open_pixvideos" href="#"> 22 <input type="hidden" name="<?php echo $field['id'] ?>" id="pixplaylist" value="<?php echo '' !== $meta ? $meta : $field['std']; ?>"/>23 <input type="hidden" name="<?php echo esc_attr( $field['id'] ); ?>" id="pixplaylist" value="<?php echo esc_attr( '' !== $meta ? $meta : $field['std'] ); ?>"/> 23 24 <div><i class="icon dashicons dashicons-format-video"></i> <span><?php esc_html_e('Add Video', 'pixtypes' ); ?></span></div> 24 25 <span class="clear_gallery"><?php esc_html_e( 'Clear', 'pixtypes' ); ?></span> -
pixtypes/trunk/features/metaboxes/fields/portfolio-gallery.php
r1115891 r3469313 65 65 } 66 66 67 echo '<input type="hidden" name="'. $field['id'].'" id="portfolio_gallery_val" />'; ?>67 echo '<input type="hidden" name="'. esc_attr( $field['id'] ) .'" id="portfolio_gallery_val" />'; ?> 68 68 69 69 <div id="wpgrade_portfolio_editor_modal" style="display: none"> -
pixtypes/trunk/features/metaboxes/init.php
r2956824 r3469313 116 116 global $pagenow; 117 117 if ( $upload && in_array( $pagenow, array( 'page.php', 'page-new.php', 'post.php', 'post-new.php' ) ) ) { 118 add_action( 'admin_head', array( &$this, 'add_post_enctype' ) );118 add_action( 'admin_head', array( $this, 'add_post_enctype' ) ); 119 119 } 120 120 … … 122 122 $this->add(); 123 123 } else { 124 add_action( 'admin_menu', array( &$this, 'add' ) );125 } 126 127 add_action( 'save_post', array( &$this, 'save' ) );128 129 add_action( 'admin_head', array( &$this, 'fold_display' ) );130 131 add_filter( 'cmb_show_on', array( &$this, 'add_for_id' ), 10, 2 );132 //add_filter( 'cmb_show_on', array( &$this, 'add_for_page_template' ), 10, 2 );133 //add_filter( 'cmb_show_on', array( &$this, 'add_for_specific_select_value' ), 10, 2 );124 add_action( 'admin_menu', array( $this, 'add' ) ); 125 } 126 127 add_action( 'save_post', array( $this, 'save' ) ); 128 129 add_action( 'admin_head', array( $this, 'fold_display' ) ); 130 131 add_filter( 'cmb_show_on', array( $this, 'add_for_id' ), 10, 2 ); 132 //add_filter( 'cmb_show_on', array( $this, 'add_for_page_template' ), 10, 2 ); 133 //add_filter( 'cmb_show_on', array( $this, 'add_for_specific_select_value' ), 10, 2 ); 134 134 135 135 //add_filter('_wp_post_revision_field_post_content', array( $this, 'pixtypes_fix_builder_revisions_display'), 915, 4 ); … … 172 172 $this->_meta_box['id'], 173 173 $this->_meta_box['title'], 174 array( &$this, 'show' ),174 array( $this, 'show' ), 175 175 $page, 176 176 $this->_meta_box['context'], … … 195 195 // If we're showing it based on ID, get the current ID 196 196 if ( isset( $_GET['post'] ) ) { 197 $post_id = $_GET['post'];197 $post_id = absint( $_GET['post'] ); 198 198 } elseif ( isset( $_POST['post_ID'] ) ) { 199 $post_id = $_POST['post_ID'];199 $post_id = absint( $_POST['post_ID'] ); 200 200 } 201 201 if ( ! 
isset( $post_id ) ) { … … 223 223 // Get the current ID 224 224 if ( isset( $_GET['post'] ) ) { 225 $post_id = $_GET['post'];225 $post_id = absint( $_GET['post'] ); 226 226 } elseif ( isset( $_POST['post_ID'] ) ) { 227 $post_id = $_POST['post_ID'];227 $post_id = absint( $_POST['post_ID'] ); 228 228 } 229 229 if ( ! ( isset( $post_id ) || is_page() ) ) { … … 254 254 // Get the current ID 255 255 if ( isset( $_GET['post'] ) ) { 256 $post_id = $_GET['post'];256 $post_id = absint( $_GET['post'] ); 257 257 } elseif ( isset( $_POST['post_ID'] ) ) { 258 $post_id = $_POST['post_ID'];258 $post_id = absint( $_POST['post_ID'] ); 259 259 } 260 260 … … 369 369 370 370 // Use nonce for verification 371 echo '<input type="hidden" name="wp_meta_box_nonce" value="', wp_create_nonce( basename( __FILE__ )), '" />';371 echo '<input type="hidden" name="wp_meta_box_nonce" value="', wp_create_nonce( 'pixtypes_save_metabox' ), '" />'; 372 372 373 373 // load assets only when we have a metabox on page 374 cmb_enqueue_scripts();374 pixtypes_cmb_enqueue_scripts(); 375 375 376 376 echo '<ul class="form-table cmb_metabox">'; … … 435 435 $on = $display_on['on']; 436 436 437 $requires .= 'data-when_key="' . $on['field']. '"';437 $requires .= 'data-when_key="' . esc_attr( $on['field'] ) . '"'; 438 438 439 439 if ( is_array( $on['value'] ) ) { 440 $requires .= 'data-has_value=\'' . json_encode( $on['value']) . '\'';440 $requires .= 'data-has_value=\'' . esc_attr( wp_json_encode( $on['value'] ) ) . '\''; 441 441 } else { 442 $requires .= 'data-has_value="' . $on['value']. '"';442 $requires .= 'data-has_value="' . esc_attr( $on['value'] ) . '"'; 443 443 } 444 444 } 445 445 } 446 446 447 echo '<li class="' . $classes. '" ' . $requires . '>';447 echo '<li class="' . esc_attr( $classes ) . '" ' . $requires . 
'>'; 448 448 } 449 449 … … 452 452 if ( isset( $this->_meta_box['show_names'] ) && $this->_meta_box['show_names'] == true ) { 453 453 if ( isset( $field['show_names'] ) && $field['show_names'] == true ) { 454 echo '<h3><label for="', $field['id'], '">', $field['name'], '</label></h3>';454 echo '<h3><label for="', esc_attr( $field['id'] ), '">', esc_html( $field['name'] ), '</label></h3>'; 455 455 } 456 456 } 457 457 } 458 458 if ( ! empty($field['desc']) ) { 459 echo "<div>" . $field['desc']. "</div>";459 echo "<div>" . wp_kses_post( $field['desc'] ) . "</div>"; 460 460 } 461 461 echo '</div>'; … … 469 469 470 470 case 'text': 471 echo '<input class="cmb_text" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', $meta, '" />';471 echo '<input class="cmb_text" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( $meta ), '" />'; 472 472 break; 473 473 case 'text_small': 474 echo '<input class="cmb_text cmb_text_small" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', $meta, '" />';474 echo '<input class="cmb_text cmb_text_small" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( $meta ), '" />'; 475 475 break; 476 476 case 'text_medium': 477 echo '<input class="cmb_text cmb_text_medium" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', $meta, '" />';477 echo '<input class="cmb_text cmb_text_medium" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( $meta ), '" />'; 478 478 break; 479 479 … … 483 483 if ( isset( $field['html_args'] ) && ! empty( $field['html_args'] ) ) { 484 484 foreach ( $field['html_args'] as $key => $att ) { 485 $atts .= $key . '="' . $att. '" ';485 $atts .= esc_attr( $key ) . '="' . esc_attr( $att ) . 
'" '; 486 486 } 487 487 } ?> 488 <input class="cmb_text_range" type="range" name="<?php echo $field['id']; ?>"489 id="<?php echo $field['id']?>"490 value="<?php echo '' !== $meta ? $meta : $field['std']; ?>" <?php echo $atts?>491 style="background-size: <?php echo 0 !== $meta ? $meta : $field['std']; ?>% 100%;"492 oninput="<?php echo $field['id'] . '_output.value = ' . $field['id'] . '.value'; ?>"/>493 <output name="<?php echo $field['id'] ?>_output" id="<?php echo $field['id']; ?>_output">494 <?php echo '' !== $meta ? $meta : $field['std']; ?>488 <input class="cmb_text_range" type="range" name="<?php echo esc_attr( $field['id'] ); ?>" 489 id="<?php echo esc_attr( $field['id'] ); ?>" 490 value="<?php echo esc_attr( '' !== $meta ? $meta : $field['std'] ); ?>" <?php echo $atts; ?> 491 style="background-size: <?php echo esc_attr( 0 !== $meta ? $meta : $field['std'] ); ?>% 100%;" 492 oninput="<?php echo esc_attr( $field['id'] . '_output.value = ' . $field['id'] . '.value' ); ?>"/> 493 <output name="<?php echo esc_attr( $field['id'] ); ?>_output" id="<?php echo esc_attr( $field['id'] ); ?>_output"> 494 <?php echo esc_html( '' !== $meta ? $meta : $field['std'] ); ?> 495 495 </output> 496 496 <?php break; 497 497 case 'text_date': 498 echo '<input class="cmb_text_small cmb_datepicker" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', '' !== $meta ? $meta : $field['std'], '" />';498 echo '<input class="cmb_text_small cmb_datepicker" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( '' !== $meta ? $meta : $field['std'] ), '" />'; 499 499 break; 500 500 case 'text_date_timestamp': 501 echo '<input class="cmb_text_small cmb_datepicker" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', '' !== $meta ? 
date( 'm\/d\/Y', $meta ) : $field['std'], '" />';501 echo '<input class="cmb_text_small cmb_datepicker" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( '' !== $meta ? date( 'm\/d\/Y', $meta ) : $field['std'] ), '" />'; 502 502 break; 503 503 504 504 case 'text_datetime_timestamp': 505 echo '<input class="cmb_text_small cmb_datepicker" type="text" name="', $field['id'], '[date]" id="', $field['id'], '_date" value="', '' !== $meta ? date( 'm\/d\/Y', $meta ) : $field['std'], '" />';506 echo '<input class="cmb_timepicker text_time" type="text" name="', $field['id'], '[time]" id="', $field['id'], '_time" value="', '' !== $meta ? date( 'h:i A', $meta ) : $field['std'], '" />';505 echo '<input class="cmb_text_small cmb_datepicker" type="text" name="', esc_attr( $field['id'] ), '[date]" id="', esc_attr( $field['id'] ), '_date" value="', esc_attr( '' !== $meta ? date( 'm\/d\/Y', $meta ) : $field['std'] ), '" />'; 506 echo '<input class="cmb_timepicker text_time" type="text" name="', esc_attr( $field['id'] ), '[time]" id="', esc_attr( $field['id'] ), '_time" value="', esc_attr( '' !== $meta ? date( 'h:i A', $meta ) : $field['std'] ), '" />'; 507 507 break; 508 508 case 'text_time': 509 echo '<input class="cmb_timepicker text_time" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', '' !== $meta ? $meta : $field['std'], '" />';509 echo '<input class="cmb_timepicker text_time" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( '' !== $meta ? $meta : $field['std'] ), '" />'; 510 510 break; 511 511 case 'text_money': 512 echo '$ <input class="cmb_text_money" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', '' !== $meta ? $meta : $field['std'], '" />';512 echo '$ <input class="cmb_text_money" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( '' !== $meta ? 
$meta : $field['std'] ), '" />'; 513 513 break; 514 514 case 'colorpicker': … … 523 523 $meta = "#"; 524 524 } 525 echo '<input class="cmb_colorpicker cmb_text_small" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', $meta, '" />';525 echo '<input class="cmb_colorpicker cmb_text_small" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( $meta ), '" />'; 526 526 break; 527 527 case 'textarea': 528 echo '<textarea class="cmb_textarea" name="', $field['id'], '" id="', $field['id'], '" cols="60" rows="10">', $meta, '</textarea>';528 echo '<textarea class="cmb_textarea" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" cols="60" rows="10">', esc_textarea( $meta ), '</textarea>'; 529 529 break; 530 530 case 'textarea_small': 531 echo '<textarea class="cmb_textarea" name="', $field['id'], '" id="', $field['id'], '" cols="60" rows="4">', $meta, '</textarea>';531 echo '<textarea class="cmb_textarea" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" cols="60" rows="4">', esc_textarea( $meta ), '</textarea>'; 532 532 break; 533 533 case 'textarea_code': 534 534 $rows = $cols = ''; 535 535 if( isset( $field['rows'] ) && ! empty( $field['rows'] ) ) { 536 $rows = 'rows="' . $field['rows']. '"';536 $rows = 'rows="' . esc_attr( $field['rows'] ) . '"'; 537 537 } 538 538 539 539 if( isset( $field['cols'] ) && ! empty( $field['cols'] ) ) { 540 $cols = 'cols="' . $field['cols']. '"';540 $cols = 'cols="' . esc_attr( $field['cols'] ) . '"'; 541 541 } else { 542 542 $cols = 'style="width: 100%"'; 543 543 } 544 544 545 echo '<textarea name="', $field['id'], '" id="', $field['id'], '" ' . $cols .' ' . $rows . ' class="cmb_textarea cmb_textarea_code">', $meta, '</textarea>';545 echo '<textarea name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" ' . $cols .' ' . $rows . 
' class="cmb_textarea cmb_textarea_code">', esc_textarea( $meta ), '</textarea>'; 546 546 break; 547 547 case 'select': … … 552 552 553 553 echo '<div class="selector-wrapper dashicons-before dashicons-arrow-down-alt2">'; 554 echo '<select name="', $field['id'], '" id="', $field['id'], '">';554 echo '<select name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '">'; 555 555 556 556 foreach ( $field['options'] as $option ) { … … 562 562 $option['value'] = 0; 563 563 } 564 echo '<option value="', $option['value'], '"', $meta == $option['value'] ? ' selected="selected"' : '', '>', $option['name'], '</option>';564 echo '<option value="', esc_attr( $option['value'] ), '"', $meta == $option['value'] ? ' selected="selected"' : '', '>', esc_html( $option['name'] ), '</option>'; 565 565 } 566 566 echo '</select>'; … … 571 571 572 572 echo '<div class="selector-wrapper dashicons-before dashicons-arrow-down-alt2">'; 573 echo '<select name="', $field['id'], '" id="', $field['id'], '">';573 echo '<select name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '">'; 574 574 $args = array( 575 575 'posts_per_page' => - 1, … … 581 581 if ( ! empty( $cpt_posts ) ) { 582 582 foreach ( $cpt_posts as $post ) { 583 echo '<option value="', $post->ID, '"', $meta == $post->ID ? ' selected="selected"' : '', '>', $post->post_title, '</option>';583 echo '<option value="', esc_attr( $post->ID ), '"', $meta == $post->ID ? ' selected="selected"' : '', '>', esc_html( $post->post_title ), '</option>'; 584 584 } 585 585 } … … 590 590 case 'select_cpt_term': 591 591 echo '<div class="selector-wrapper dashicons-before dashicons-arrow-down-alt2">'; 592 echo '<select name="', $field['id'], '" id="', $field['id'], '">';592 echo '<select name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '">'; 593 593 $cpt_terms = get_terms( $field['taxonomy'], 'orderby=count&hide_empty=0' ); 594 594 if ( ! 
empty( $cpt_terms ) ) { 595 595 foreach ( $cpt_terms as $term ) { 596 echo '<option value="', $term->slug, '"', $meta == $term->slug ? ' selected="selected"' : '', '>', $term->name, '</option>';596 echo '<option value="', esc_attr( $term->slug ), '"', $meta == $term->slug ? ' selected="selected"' : '', '>', esc_html( $term->name ), '</option>'; 597 597 } 598 598 } … … 607 607 $i = 1; 608 608 foreach ( $field['options'] as $option ) { 609 echo '<div class="cmb_radio_inline_option"><input type="radio" name="', $field['id'], '" id="', $field['id'], $i, '" value="', $option['value'], '"', $meta == $option['value'] ? ' checked="checked"' : '', ' /><label for="', $field['id'], $i, '">', $option['name'], '</label></div>';609 echo '<div class="cmb_radio_inline_option"><input type="radio" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] . $i ), '" value="', esc_attr( $option['value'] ), '"', $meta == $option['value'] ? ' checked="checked"' : '', ' /><label for="', esc_attr( $field['id'] . $i ), '">', esc_html( $option['name'] ), '</label></div>'; 610 610 $i ++; 611 611 } … … 619 619 $i = 1; 620 620 foreach ( $field['options'] as $option ) { 621 echo '<li><input type="radio" name="', $field['id'], '" id="', $field['id'], $i, '" value="', $option['value'], '"', $meta == $option['value'] ? ' checked="checked"' : '', ' /><label for="', $field['id'], $i, '">', $option['name']. '</label></li>';621 echo '<li><input type="radio" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] . $i ), '" value="', esc_attr( $option['value'] ), '"', $meta == $option['value'] ? ' checked="checked"' : '', ' /><label for="', esc_attr( $field['id'] . $i ), '">', esc_html( $option['name'] ) . '</label></li>'; 622 622 $i ++; 623 623 } … … 625 625 break; 626 626 case 'checkbox': 627 echo '<input type="checkbox" name="', $field['id'], '" id="', $field['id'], '"', ( $meta === 'on' ) ? 
' checked="checked"' : '', ' />';627 echo '<input type="checkbox" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '"', ( $meta === 'on' ) ? ' checked="checked"' : '', ' />'; 628 628 break; 629 629 case 'multicheck': … … 637 637 // Append `[]` to the name to get multiple values 638 638 // Use in_array() to check whether the current option should be checked 639 echo '<li><input type="checkbox" name="', $field['id'], '[]" id="', $field['id'], $i, '" value="', $value, '"', in_array( $value, $meta ) ? ' checked="checked"' : '', ' /><label for="', $field['id'], $i, '">', $name, '</label></li>';639 echo '<li><input type="checkbox" name="', esc_attr( $field['id'] ), '[]" id="', esc_attr( $field['id'] . $i ), '" value="', esc_attr( $value ), '"', in_array( $value, $meta ) ? ' checked="checked"' : '', ' /><label for="', esc_attr( $field['id'] . $i ), '">', esc_html( $name ), '</label></li>'; 640 640 $i ++; 641 641 } … … 644 644 case 'title': 645 645 if ( isset( $field['value']) ) { 646 echo '<div class="cmb_metabox_title" id="', $field['id'], '">', $field['value'], '</div>';646 echo '<div class="cmb_metabox_title" id="', esc_attr( $field['id'] ), '">', esc_html( $field['value'] ), '</div>'; 647 647 } 648 648 break; … … 653 653 654 654 echo '<div class="selector-wrapper dashicons-before dashicons-arrow-down-alt2">'; 655 echo '<select name="', $field['id'], '" id="', $field['id'], '">';655 echo '<select name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '">'; 656 656 $names = wp_get_object_terms( $post->ID, $field['taxonomy'] ); 657 657 $terms = get_terms( $field['taxonomy'], 'hide_empty=0' ); 658 658 foreach ( $terms as $term ) { 659 659 if ( ! is_wp_error( $names ) && ! empty( $names ) && ! strcmp( $term->slug, $names[0]->slug ) ) { 660 echo '<option value="' . $term->slug . '" selected>' . $term->name. '</option>';660 echo '<option value="' . esc_attr( $term->slug ) . '" selected>' . esc_html( $term->name ) . 
'</option>'; 661 661 } else { 662 echo '<option value="' . $term->slug . ' ', $meta == $term->slug ? $meta : ' ', ' ">' . $term->name. '</option>';662 echo '<option value="' . esc_attr( $term->slug ) . ' ', $meta == $term->slug ? esc_attr( $meta ) : ' ', ' ">' . esc_html( $term->name ) . '</option>'; 663 663 } 664 664 } … … 672 672 foreach ( $terms as $term ) { 673 673 if ( ! is_wp_error( $names ) && ! empty( $names ) && ! strcmp( $term->slug, $names[0]->slug ) ) { 674 echo '<li><input type="radio" name="', $field['id'], '" value="' . $term->slug . '" checked>' . $term->name. '</li>';674 echo '<li><input type="radio" name="', esc_attr( $field['id'] ), '" value="' . esc_attr( $term->slug ) . '" checked>' . esc_html( $term->name ) . '</li>'; 675 675 } else { 676 echo '<li><input type="radio" name="', $field['id'], '" value="' . $term->slug . ' ', $meta == $term->slug ? $meta : ' ', ' ">' . $term->name. '</li>';676 echo '<li><input type="radio" name="', esc_attr( $field['id'] ), '" value="' . esc_attr( $term->slug ) . ' ', $meta == $term->slug ? esc_attr( $meta ) : ' ', ' ">' . esc_html( $term->name ) . 
'</li>'; 677 677 } 678 678 } … … 684 684 $terms = get_terms( $field['taxonomy'], 'hide_empty=0' ); 685 685 foreach ( $terms as $term ) { 686 echo '<li><input type="checkbox" name="', $field['id'], '[]" id="', $field['id'], '" value="', $term->name, '"';686 echo '<li><input type="checkbox" name="', esc_attr( $field['id'] ), '[]" id="', esc_attr( $field['id'] ), '" value="', esc_attr( $term->name ), '"'; 687 687 foreach ( $names as $name ) { 688 688 if ( $term->slug == $name->slug ) { … … 690 690 }; 691 691 } 692 echo ' /><label>', $term->name, '</label></li>';692 echo ' /><label>', esc_html( $term->name ), '</label></li>'; 693 693 } 694 694 echo '</ul>'; 695 695 break; 696 696 case 'file_list': 697 echo '<input class="cmb_upload_file" type="text" size="36" name="', $field['id'], '" value="" />';697 echo '<input class="cmb_upload_file" type="text" size="36" name="', esc_attr( $field['id'] ), '" value="" />'; 698 698 echo '<input class="cmb_upload_button button" type="button" value="Upload File" />'; 699 699 $args = array( … … 720 720 $input_type_url = "text"; 721 721 } 722 echo '<input class="cmb_upload_file" type="' . $input_type_url . '" size="45" id="', $field['id'], '" name="', $field['id'], '" value="', $meta, '" />';722 echo '<input class="cmb_upload_file" type="' . esc_attr( $input_type_url ) . '" size="45" id="', esc_attr( $field['id'] ), '" name="', esc_attr( $field['id'] ), '" value="', esc_attr( $meta ), '" />'; 723 723 echo '<input class="cmb_upload_button button" type="button" value="Upload File" />'; 724 echo '<input class="cmb_upload_file_id" type="hidden" id="', $field['id'], '_id" name="', $field['id'], '_id" value="', get_post_meta( $post->ID, $field['id'] . "_id", true), '" />';725 echo '<div id="', $field['id'], '_status" class="cmb_media_status">';724 echo '<input class="cmb_upload_file_id" type="hidden" id="', esc_attr( $field['id'] ), '_id" name="', esc_attr( $field['id'] ), '_id" value="', esc_attr( get_post_meta( $post->ID, $field['id'] . 
"_id", true ) ), '" />'; 725 echo '<div id="', esc_attr( $field['id'] ), '_status" class="cmb_media_status">'; 726 726 if ( $meta != '' ) { 727 727 $check_image = preg_match( '/(^.*\.jpg|jpeg|png|gif|ico*)/i', $meta ); 728 728 if ( $check_image ) { 729 729 echo '<div class="img_status">'; 730 echo '<img src="', $meta, '" alt="" />';731 echo '<a href="#" class="cmb_remove_file_button" rel="', $field['id'], '">Remove Image</a>';730 echo '<img src="', esc_url( $meta ), '" alt="" />'; 731 echo '<a href="#" class="cmb_remove_file_button" rel="', esc_attr( $field['id'] ), '">Remove Image</a>'; 732 732 echo '</div>'; 733 733 } else { … … 736 736 $title = $parts[ $i ]; 737 737 } 738 echo 'File: <strong>', $title, '</strong> (<a href="', $meta, '" target="_blank" rel="external">Download</a> / <a href="#" class="cmb_remove_file_button" rel="', $field['id'], '">Remove</a>)';738 echo 'File: <strong>', esc_html( $title ), '</strong> (<a href="', esc_url( $meta ), '" target="_blank" rel="external">Download</a> / <a href="#" class="cmb_remove_file_button" rel="', esc_attr( $field['id'] ), '">Remove</a>)'; 739 739 } 740 740 } … … 747 747 $input_type_url = "text"; 748 748 } 749 echo '<input class="cmb_upload_file attachment" type="' . $input_type_url . '" size="45" id="', $field['id'], '" name="', $field['id'], '" value=\'', $meta, '\' />';749 echo '<input class="cmb_upload_file attachment" type="' . esc_attr( $input_type_url ) . '" size="45" id="', esc_attr( $field['id'] ), '" name="', esc_attr( $field['id'] ), '" value=\'', esc_attr( $meta ), '\' />'; 750 750 echo '<input class="cmb_upload_button button" type="button" value="Upload File" />'; 751 echo '<input class="cmb_upload_file_id" type="hidden" id="', $field['id'], '_id" name="', $field['id'], '_id" value="', get_post_meta( $post->ID, $field['id'] . 
"_id", true), '" />';752 echo '<div id="', $field['id'], '_status" class="cmb_media_status">';751 echo '<input class="cmb_upload_file_id" type="hidden" id="', esc_attr( $field['id'] ), '_id" name="', esc_attr( $field['id'] ), '_id" value="', esc_attr( get_post_meta( $post->ID, $field['id'] . "_id", true ) ), '" />'; 752 echo '<div id="', esc_attr( $field['id'] ), '_status" class="cmb_media_status">'; 753 753 if ( $meta != '' ) { 754 754 $check_image = preg_match( '/(^.*\.jpg|jpeg|png|gif|ico*)/i', $meta ); … … 756 756 echo '<div class="img_status">'; 757 757 $meta_img = (array) json_decode( $meta ); 758 echo '<img src="' . $meta_img["link"]. '" alt="" />';759 echo '<a href="#" class="cmb_remove_file_button" rel="', $field['id'], '">Remove Image</a>';758 echo '<img src="' . esc_url( $meta_img["link"] ) . '" alt="" />'; 759 echo '<a href="#" class="cmb_remove_file_button" rel="', esc_attr( $field['id'] ), '">Remove Image</a>'; 760 760 echo '</div>'; 761 761 } else { … … 764 764 $title = $parts[ $i ]; 765 765 } 766 echo 'File: <strong>', $title, '</strong> (<a href="', $meta, '" target="_blank" rel="external">Download</a> / <a href="#" class="cmb_remove_file_button" rel="', $field['id'], '">Remove</a>)';766 echo 'File: <strong>', esc_html( $title ), '</strong> (<a href="', esc_url( $meta ), '" target="_blank" rel="external">Download</a> / <a href="#" class="cmb_remove_file_button" rel="', esc_attr( $field['id'] ), '">Remove</a>)'; 767 767 } 768 768 } … … 848 848 849 849 case 'oembed': 850 echo '<input class="cmb_oembed" type="text" name="', $field['id'], '" id="', $field['id'], '" value="', '' !== $meta ? $meta : $field['std'], '" />';850 echo '<input class="cmb_oembed" type="text" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] ), '" value="', esc_attr( '' !== $meta ? 
$meta : $field['std'] ), '" />'; 851 851 echo '<p class="cmb-spinner spinner"></p>'; 852 echo '<div id="', $field['id'], '_status" class="cmb_media_status ui-helper-clearfix embed_wrap">';852 echo '<div id="', esc_attr( $field['id'] ), '_status" class="cmb_media_status ui-helper-clearfix embed_wrap">'; 853 853 if ( $meta != '' ) { 854 854 $check_embed = $GLOBALS['wp_embed']->run_shortcode( '[embed]' . esc_url( $meta ) . '[/embed]' ); … … 856 856 echo '<div class="embed_status">'; 857 857 echo $check_embed; 858 echo '<a href="#" class="cmb_remove_file_button" rel="', $field['id'], '">Remove Embed</a>';858 echo '<a href="#" class="cmb_remove_file_button" rel="', esc_attr( $field['id'] ), '">Remove Embed</a>'; 859 859 echo '</div>'; 860 860 } else { … … 872 872 $i = 1; 873 873 foreach ( $field['options'] as $option ) { 874 echo '<li><input type="radio" name="', $field['id'], '" id="', $field['id'], $i, '" value="', $option['value'], '"', $meta == $option['value'] ? ' checked="checked"' : '', ' /><label for="', $field['id'], $i, '">', '<span>' . $option['value']. '</span>' . '</label></li>';874 echo '<li><input type="radio" name="', esc_attr( $field['id'] ), '" id="', esc_attr( $field['id'] . $i ), '" value="', esc_attr( $option['value'] ), '"', $meta == $option['value'] ? ' checked="checked"' : '', ' /><label for="', esc_attr( $field['id'] . $i ), '">', '<span>' . esc_html( $option['value'] ) . '</span>' . 
'</label></li>'; 875 875 $i ++; 876 876 } … … 920 920 (function ($) { 921 921 $(document).ready(function () { 922 var metabox = $('#<?php echo $this->_meta_box['id']; ?>');922 var metabox = $('#<?php echo esc_js( $this->_meta_box['id'] ); ?>'); 923 923 metabox.addClass('display_on') 924 924 .attr('data-action', '<?php echo 'show'; ?>') 925 .attr('data-when_key', '<?php echo $display_on['on']['field']; ?>')926 .attr('data-has_value', '<?php echo $display_on['on']['value']; ?>');925 .attr('data-when_key', '<?php echo esc_js( $display_on['on']['field'] ); ?>') 926 .attr('data-has_value', '<?php echo esc_js( $display_on['on']['value'] ); ?>'); 927 927 }); 928 928 })(jQuery); … … 937 937 938 938 // verify nonce 939 if ( ! isset( $_POST['wp_meta_box_nonce'] ) || ! wp_verify_nonce( $_POST['wp_meta_box_nonce'], basename( __FILE__ )) ) {939 if ( ! isset( $_POST['wp_meta_box_nonce'] ) || ! wp_verify_nonce( $_POST['wp_meta_box_nonce'], 'pixtypes_save_metabox' ) ) { 940 940 return $post_id; 941 941 } … … 1053 1053 * Adding scripts and styles 1054 1054 */ 1055 function cmb_register_scripts( $hook ) {1055 function pixtypes_cmb_register_scripts( $hook ) { 1056 1056 1057 1057 global $pixtypes_plugin; … … 1106 1106 } 1107 1107 1108 add_action( 'admin_enqueue_scripts', ' cmb_register_scripts', 10 );1109 1110 function cmb_enqueue_scripts(){1108 add_action( 'admin_enqueue_scripts', 'pixtypes_cmb_register_scripts', 10 ); 1109 1110 function pixtypes_cmb_enqueue_scripts(){ 1111 1111 wp_enqueue_script( 'cmb-timepicker' ); 1112 1112 wp_enqueue_script( 'cmb-scripts' ); … … 1114 1114 } 1115 1115 1116 function cmb_editor_footer_scripts() {1117 if ( isset( $_GET['cmb_force_send'] ) && 'true' == $_GET['cmb_force_send'] ) {1118 $label = $_GET['cmb_send_label'];1116 function pixtypes_cmb_editor_footer_scripts() { 1117 if ( isset( $_GET['cmb_force_send'] ) && 'true' === $_GET['cmb_force_send'] ) { 1118 $label = isset( $_GET['cmb_send_label'] ) ? 
sanitize_text_field( $_GET['cmb_send_label'] ) : ''; 1119 1119 if ( empty( $label ) ) { 1120 1120 $label = esc_html__( 'Select File', 'pixtypes' ); … … 1122 1122 <script type="text/javascript"> 1123 1123 jQuery(function ($) { 1124 $('td.savesend input').val( '<?php echo esc_html( $label , 'pixtypes' ); ?>');1124 $('td.savesend input').val(<?php echo wp_json_encode( $label ); ?>); 1125 1125 }); 1126 1126 </script> … … 1129 1129 } 1130 1130 1131 add_action( 'admin_print_footer_scripts', ' cmb_editor_footer_scripts', 99 );1131 add_action( 'admin_print_footer_scripts', 'pixtypes_cmb_editor_footer_scripts', 99 ); 1132 1132 1133 1133 // Force 'Insert into Post' button from Media Library 1134 add_filter( 'get_media_item_args', ' cmb_force_send' );1135 function cmb_force_send( $args ) {1134 add_filter( 'get_media_item_args', 'pixtypes_cmb_force_send' ); 1135 function pixtypes_cmb_force_send( $args ) { 1136 1136 1137 1137 // if the Gallery tab is opened from a custom meta box field, add Insert Into Post button … … 1184 1184 } 1185 1185 1186 add_action( 'wp_ajax_cmb_oembed_handler', ' cmb_oembed_ajax_results' );1186 add_action( 'wp_ajax_cmb_oembed_handler', 'pixtypes_cmb_oembed_ajax_results' ); 1187 1187 /** 1188 1188 * Handles our oEmbed ajax request 1189 1189 */ 1190 function cmb_oembed_ajax_results() {1190 function pixtypes_cmb_oembed_ajax_results() { 1191 1191 1192 1192 // verify our nonce … … 1208 1208 // Post ID is needed to check for embeds 1209 1209 if ( isset( $_REQUEST['post_id'] ) ) { 1210 $GLOBALS['post'] = get_post( $_REQUEST['post_id']);1210 $GLOBALS['post'] = get_post( absint( $_REQUEST['post_id'] ) ); 1211 1211 } 1212 1212 // ping WordPress for an embed … … 1217 1217 if ( $check_embed && $check_embed != $fallback ) { 1218 1218 // Embed data 1219 $return = '<div class="embed_status">' . $check_embed . '<a href="#" class="cmb_remove_file_button" rel="' . $_REQUEST['field_id']. '">' . esc_html__( 'Remove Embed', 'pixtypes' ) . 
'</a></div>';1219 $return = '<div class="embed_status">' . $check_embed . '<a href="#" class="cmb_remove_file_button" rel="' . esc_attr( sanitize_text_field( $_REQUEST['field_id'] ) ) . '">' . esc_html__( 'Remove Embed', 'pixtypes' ) . '</a></div>'; 1220 1220 // set our response id 1221 1221 $found = 'found'; … … 1239 1239 1240 1240 // create an ajax call which will return a preview to the current gallery 1241 function ajax_pixgallery_preview() { 1241 function pixtypes_ajax_pixgallery_preview() { 1242 check_ajax_referer( 'pixtypes_gallery_preview', 'nonce' ); 1243 1244 if ( ! current_user_can( 'upload_files' ) ) { 1245 wp_send_json_error( 'Unauthorized' ); 1246 } 1247 1242 1248 $result = array( 'success' => false, 'output' => '' ); 1243 1249 1244 if ( isset( $_REQUEST['attachments_ids'] ) ) { 1245 $ids = $_REQUEST['attachments_ids']; 1246 } 1250 $ids = isset( $_REQUEST['attachments_ids'] ) ? sanitize_text_field( $_REQUEST['attachments_ids'] ) : ''; 1251 1247 1252 if ( empty( $ids ) ) { 1248 echo json_encode( $result );1253 echo wp_json_encode( $result ); 1249 1254 exit; 1250 1255 } 1251 1256 1252 $ids = rtrim( $ids, ',');1253 $ids = explode( ',',$ids );1257 $ids = array_map( 'absint', explode( ',', rtrim( $ids, ',' ) ) ); 1258 $ids = array_filter( $ids ); 1254 1259 1255 1260 $size = 'thumbnail'; … … 1261 1266 foreach ( $ids as $id ) { 1262 1267 $attach = wp_get_attachment_image_src( $id, $size, false ); 1263 1264 $result["output"] .= '<li><img src="' . $attach[0] . '" /></li>'; 1268 if ( $attach ) { 1269 $result["output"] .= '<li><img src="' . esc_url( $attach[0] ) . 
'" /></li>'; 1270 } 1265 1271 } 1266 1272 $result["success"] = true; 1267 echo json_encode( $result );1273 echo wp_json_encode( $result ); 1268 1274 exit; 1269 1275 } 1270 1276 1271 add_action( 'wp_ajax_ajax_pixgallery_preview', 'ajax_pixgallery_preview' ); 1272 1273 function ajax_pixplaylist_preview() { 1274 1275 if ( isset( $_REQUEST['attachments_ids'] ) ) { 1276 $ids = $_REQUEST['attachments_ids']; 1277 } 1277 add_action( 'wp_ajax_ajax_pixgallery_preview', 'pixtypes_ajax_pixgallery_preview' ); 1278 1279 function pixtypes_ajax_pixplaylist_preview() { 1280 check_ajax_referer( 'pixtypes_playlist_preview', 'nonce' ); 1281 1282 if ( ! current_user_can( 'upload_files' ) ) { 1283 wp_send_json_error( 'Unauthorized' ); 1284 } 1285 1286 $ids = isset( $_REQUEST['attachments_ids'] ) ? sanitize_text_field( $_REQUEST['attachments_ids'] ) : ''; 1278 1287 1279 1288 if ( empty( $ids ) ) { … … 1282 1291 } 1283 1292 1284 $ids = explode( ',', $ids ); 1293 $ids = array_map( 'absint', explode( ',', $ids ) ); 1294 $ids = array_filter( $ids ); 1285 1295 1286 1296 $result = ''; 1287 1297 foreach ( $ids as $id ) { 1288 $result .= '<li><span class="dashicons dashicons-format-video"></span><span class="attachment_title">' . get_the_title( $id) . '</span></li>';1298 $result .= '<li><span class="dashicons dashicons-format-video"></span><span class="attachment_title">' . esc_html( get_the_title( $id ) ) . '</span></li>'; 1289 1299 } 1290 1300 … … 1293 1303 } 1294 1304 1295 add_action( 'wp_ajax_pixplaylist_preview', ' ajax_pixplaylist_preview' );1305 add_action( 'wp_ajax_pixplaylist_preview', 'pixtypes_ajax_pixplaylist_preview' ); 1296 1306 1297 1307 -
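Review bot: `$_REQUEST['field_id']` on the new line 1219 of pixtypes_cmb_oembed_ajax_results is read without an isset() guard, so a request that omits it raises an undefined-index warning inside the AJAX response before the value is sanitized and escaped; read it once up front, `$field_id = isset( $_REQUEST['field_id'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['field_id'] ) ) : '';`, and use `esc_attr( $field_id )` in the markup. The nonce check on line 939 still passes the raw `$_POST['wp_meta_box_nonce']` to wp_verify_nonce(); wrapping it in `sanitize_text_field( wp_unslash( ... ) )` would match the treatment the same commit gives the other request fields. In pixtypes_ajax_pixgallery_preview and pixtypes_ajax_pixplaylist_preview the absint/array_filter pass can reduce the id list to an empty array, which then yields a 'success' response with empty output; taking the same early-exit path as the empty-input branch would keep the two cases consistent. The save() and oembed handler bodies begin outside the visible hunks.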
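--- a/pixtypes/trunk/features/metaboxes/js/pixgallery.js
+++ b/pixtypes/trunk/features/metaboxes/js/pixgallery.js
@@ -121,5 +121,5 @@
 if ( ids !== '' ) {
 $.ajax({
-type: "post", url: locals.ajax_url, data: {action: 'ajax_pixgallery_preview', attachments_ids: ids },
+type: "post", url: locals.ajax_url, data: {action: 'ajax_pixgallery_preview', attachments_ids: ids, nonce: locals.nonce},
 beforeSend: function () {
 $('.open_pixgallery i').removeClass('dashicons-images-alt2');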
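Review bot: `locals.nonce` is now sent with the request, but the wp_localize_script() call that defines `locals` is not part of this changeset view, so confirm it includes a `nonce` entry created with `wp_create_nonce( 'pixtypes_gallery_preview' )`; otherwise check_ajax_referer() in pixtypes_ajax_pixgallery_preview rejects every preview request. The same applies to piximage.js, which posts the same action with `locals.nonce`, and to pixplaylist.js, whose `playlist_locals.nonce` must match the `pixtypes_playlist_preview` action checked by pixtypes_ajax_pixplaylist_preview. The enclosing functions in all three files start outside the hunk.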
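--- a/pixtypes/trunk/features/metaboxes/js/piximage.js
+++ b/pixtypes/trunk/features/metaboxes/js/piximage.js
@@ -129,5 +129,5 @@
 if ( id != '' && id != '-1' ) {
 $.ajax({
-type: "post", url: locals.ajax_url, data: {action: 'ajax_pixgallery_preview', attachments_ids: id },
+type: "post", url: locals.ajax_url, data: {action: 'ajax_pixgallery_preview', attachments_ids: id, nonce: locals.nonce},
 beforeSend: function () {
 $elem.find('.open_piximage i').removeClass('dashicons-images-alt2');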
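--- a/pixtypes/trunk/features/metaboxes/js/pixplaylist.js
+++ b/pixtypes/trunk/features/metaboxes/js/pixplaylist.js
@@ -108,5 +108,6 @@
 data: {
 action: 'pixplaylist_preview',
-attachments_ids: ids
+attachments_ids: ids,
+nonce: playlist_locals.nonce
 },
 success: function( response ) {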
pixtypes/trunk/features/metaboxes/metaboxes.php
r1745422 r3469313 10 10 11 11 12 function load_metaboxes_fromdb( $meta_boxes ) {12 function pixtypes_load_metaboxes_fromdb( $meta_boxes ) { 13 13 // make sure we are in good working order 14 14 if ( empty( $meta_boxes ) ) { … … 40 40 return $meta_boxes; 41 41 } 42 add_filter( 'cmb_meta_boxes', ' load_metaboxes_fromdb', 1 );42 add_filter( 'cmb_meta_boxes', 'pixtypes_load_metaboxes_fromdb', 1 ); 43 43 44 44 /** … … 49 49 * @return array 50 50 */ 51 function gather_metaboxes_dynamically( $meta_boxes ) {51 function pixtypes_gather_metaboxes_dynamically( $meta_boxes ) { 52 52 // make sure we are in good working order 53 53 if ( empty( $meta_boxes ) ) { … … 57 57 return apply_filters( 'pixelgrade_filter_metaboxes', $meta_boxes ); 58 58 } 59 add_filter( 'cmb_meta_boxes', ' gather_metaboxes_dynamically', 10 );59 add_filter( 'cmb_meta_boxes', 'pixtypes_gather_metaboxes_dynamically', 10 ); 60 60 61 61 /* 62 62 * Initialize the metabox class. 63 63 */ 64 function cmb_initialize_cmb_meta_boxes() {64 function pixtypes_cmb_initialize_meta_boxes() { 65 65 66 66 if ( ! class_exists( 'cmb_Meta_Box' ) ) { … … 72 72 73 73 } 74 add_action( 'init', ' cmb_initialize_cmb_meta_boxes', 9999 );74 add_action( 'init', 'pixtypes_cmb_initialize_meta_boxes', 9999 ); -
pixtypes/trunk/pixtypes.php
r2956824 r3469313 4 4 * Plugin URI: https://wordpress.org/plugins/pixtypes/ 5 5 * Description: Custom post types and meta-boxes needed by your themes. 6 * Version: 1.4.166 * Version: 2.0.0 7 7 * Author: Pixelgrade 8 8 * Author URI: https://pixelgrade.com 9 9 * Author Email: [email protected] 10 * Requires at least: 4.9.9 11 * Tested up to: 6.3.0 10 * Requires at least: 6.0 11 * Tested up to: 6.7 12 * Requires PHP: 7.4 12 13 * Text Domain: pixtypes 13 14 * License: GPL-2.0 or later. … … 21 22 } 22 23 23 // ensure EXT is defined24 if ( ! defined( ' EXT' ) ) {25 define( ' EXT', '.php' );24 // ensure PIXTYPES_EXT is defined 25 if ( ! defined( 'PIXTYPES_EXT' ) ) { 26 define( 'PIXTYPES_EXT', '.php' ); 26 27 } 27 28 28 require 'core/bootstrap' . EXT;29 require 'core/bootstrap' . PIXTYPES_EXT; 29 30 30 $config = include 'plugin-config' . EXT;31 $config = include 'plugin-config' . PIXTYPES_EXT; 31 32 // set textdomain 32 33 pixtypes::settextdomain( $config['textdomain'] ); … … 35 36 // ---------------- 36 37 37 $defaults = include 'plugin-defaults' . EXT;38 $defaults = include 'plugin-defaults' . PIXTYPES_EXT; 38 39 39 40 $current_data = get_option( $config['settings-key'] ); … … 61 62 62 63 global $pixtypes_plugin; 63 $pixtypes_plugin = PixTypesPlugin::get_instance( ' 1.4.15' );64 $pixtypes_plugin = PixTypesPlugin::get_instance( '2.0.0' ); -
pixtypes/trunk/plugin-config.php
r1591155 r3469313 3 3 $basepath = dirname( __FILE__ ) . DIRECTORY_SEPARATOR; 4 4 5 $debug = false; 6 if ( isset( $_GET['debug'] ) && $_GET['debug'] == 'true' ) { 7 $debug = true; 8 } 5 $debug = defined( 'WP_DEBUG' ) && WP_DEBUG; 9 6 10 7 $options = get_option( 'pixtypes_settings' ); … … 30 27 'fields' => array( 31 28 'hiddens' 32 => include 'settings/hiddens' . EXT,29 => include 'settings/hiddens' . PIXTYPES_EXT, 33 30 'post_types' 34 => include 'settings/post_types' . EXT,31 => include 'settings/post_types' . PIXTYPES_EXT, 35 32 'taxonomies' 36 => include 'settings/taxonomies' . EXT,33 => include 'settings/taxonomies' . PIXTYPES_EXT, 37 34 ), 38 35 -
pixtypes/trunk/readme.txt
r2956824 r3469313 2 2 Contributors: pixelgrade, babbardel, vlad.olaru, razvanonofrei 3 3 Tags: custom, post-types, metadata, builder, gallery 4 Requires at least: 4.9.95 Tested up to: 6. 3.06 Requires PHP: 5.3.07 Stable tag: 1.4.164 Requires at least: 6.0 5 Tested up to: 6.9.1 6 Requires PHP: 7.4 7 Stable tag: 2.0.0 8 8 License: GPLv2 or later 9 9 License URI: http://www.gnu.org/licenses/gpl-2.0.html … … 24 24 25 25 == Changelog == 26 27 = 2.0.0 = 28 * Security: Fixed Stored XSS vulnerability in HTML attribute rendering (HTMLTag class). 29 * Security: Fixed Reflected XSS via field_id parameter in oEmbed handler. 30 * Security: Fixed XSS via cmb_send_label using proper JS escaping (wp_json_encode). 31 * Security: Added nonce verification and capability checks to gallery AJAX preview handler. 32 * Security: Added nonce verification and capability checks to playlist AJAX preview handler. 33 * Security: Added capability check (manage_options) to theme settings cleanup AJAX handler. 34 * Security: Removed URL-controllable debug mode; now tied to WP_DEBUG constant. 35 * Security: Added output escaping throughout admin views and form templates. 36 * Security: Restricted POST input processing to expected fields only. 37 * Security: Sanitized all $_GET/$_POST/$_REQUEST superglobal usage with appropriate functions. 38 * Security: Updated nonce action strings to use specific identifiers. 39 * Improvement: Prefixed all global functions with pixtypes_ to prevent namespace collisions. 40 * Improvement: Removed deprecated &$this reference patterns for PHP 8 compatibility. 41 * Improvement: Updated minimum requirements to WordPress 6.0 and PHP 7.4. 42 * Improvement: Replaced EXT constant with PIXTYPES_EXT to avoid conflicts. 26 43 27 44 = 1.4.16 = -
pixtypes/trunk/views/admin.php
r2895213 r3469313 13 13 */ 14 14 15 $config = include pixtypes::pluginpath() . 'plugin-config' . EXT;15 $config = include pixtypes::pluginpath() . 'plugin-config' . PIXTYPES_EXT; 16 16 17 17 // invoke processor … … 62 62 <?php echo $f->endform() ?> 63 63 64 <?php elseif ( $status['state'] == 'error'): ?>64 <?php elseif ( 'error' === $status['state'] ): ?> 65 65 66 66 <h3><?php esc_html_e( 'Critical Error', 'pixtypes' ); ?></h3> 67 67 68 <p><?php echo $status['message']?></p>68 <p><?php echo esc_html( $status['message'] ); ?></p> 69 69 70 70 <?php endif; ?> … … 89 89 if ( isset( $options['themes'] ) && count( $options['themes'] ) > 1 ) { 90 90 foreach ( $options['themes'] as $key => $theme ) { 91 echo '<li><button class="button delete-action" type="submit" name="unset_pixtype" value="' . $key . '">' . esc_html__( 'Clean-up after', 'pixtypes' ) . ' ' . ucfirst( $key) . '</button></li>';91 echo '<li><button class="button delete-action" type="submit" name="unset_pixtype" value="' . esc_attr( $key ) . '">' . esc_html__( 'Clean-up after', 'pixtypes' ) . ' ' . esc_html( ucfirst( $key ) ) . '</button></li>'; 92 92 } 93 93 } ?>
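Review bot: Wrapping `$status['message']` in `esc_html()` on line 68 renders any markup the processor places in the message (a link back to the settings form, for instance) as literal text; if messages are intended to carry simple HTML, `wp_kses_post( $status['message'] )` preserves safe tags while still neutralising injected script, otherwise the current call is the right choice. The button on line 91 is now escaped per context (`esc_attr` inside the attribute, `esc_html` for the text node); building it with `sprintf()` would make those escaping points easier to audit than the concatenation chain. The unchanged `echo $f->endform()` on line 62 emits raw markup, presumably builder-generated rather than user-supplied — a comment such as `// endform() returns builder-generated markup; field values are escaped at render time` would document that assumption for the next reviewer.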