Some extra escaping block parameters - CHANGED

AyeCode · Nov 19, 2021 · fe12e01 · fe12e01
1 parent fffdf91
commit fe12e01
Show file tree

Hide file tree

Showing 2 changed files with 119 additions and 5 deletions.
diff --git a/change-log.txt b/change-log.txt
@@ -1,3 +1,6 @@
+= 1.0.28 =
+* Some extra escaping block parameters - CHANGED
+
 = 1.0.27 =
 * Category settings loads only 10 categories on CPT change - FIXED
 * Hook added to filter class & attributes for Elementor widget output - ADDED

diff --git a/wp-super-duper.php b/wp-super-duper.php
@@ -1274,16 +1274,15 @@ private function add_name_from_key( $options, $arguments = false ) {
 		 */
 		public function register_shortcode() {
 			add_shortcode( $this->base_id, array( $this, 'shortcode_output' ) );
-			add_action( 'wp_ajax_super_duper_output_shortcode', array( __CLASS__, 'render_shortcode' ) );
+			add_action( 'wp_ajax_super_duper_output_shortcode', array( $this, 'render_shortcode' ) );
 		}
 
 		/**
 		 * Render the shortcode via ajax so we can return it to Gutenberg.
 		 *
 		 * @since 1.0.0
 		 */
-		public static function render_shortcode() {
-
+		public function render_shortcode() {
 			check_ajax_referer( 'super_duper_output_shortcode', '_ajax_nonce', true );
 			if ( ! current_user_can( 'manage_options' ) ) {
 				wp_die();
@@ -1299,6 +1298,7 @@ public static function render_shortcode() {
 			}
 
 			if ( isset( $_POST['shortcode'] ) && $_POST['shortcode'] ) {
+				$is_preview = $this->is_preview();
 				$shortcode_name   = sanitize_title_with_dashes( $_POST['shortcode'] );
 				$attributes_array = isset( $_POST['attributes'] ) && $_POST['attributes'] ? $_POST['attributes'] : array();
 				$attributes       = '';
@@ -1307,14 +1307,29 @@ public static function render_shortcode() {
 						if ( is_array( $value ) ) {
 							$value = implode( ",", $value );
 						}
-						$attributes .= " " . sanitize_title_with_dashes( $key ) . "='" . wp_slash( $value ) . "' ";
+
+						if ( ! empty( $value ) ) {
+							$value = wp_unslash( $value );
+
+							// Encode [ and ].
+							if ( $is_preview ) {
+								$value = $this->encode_shortcodes( $value );
+							}
+						}
+						$attributes .= " " . sanitize_title_with_dashes( $key ) . "='" . esc_attr( $value ) . "' ";
 					}
 				}
 
 				$shortcode = "[" . $shortcode_name . " " . $attributes . "]";
 
-				echo do_shortcode( $shortcode );
+				$content = do_shortcode( $shortcode );
 
+				// Decode [ and ].
+				if ( ! empty( $content ) && $is_preview ) {
+					$content = $this->decode_shortcodes( $content );
+				}
+
+				echo $content;
 			}
 			wp_die();
 		}
@@ -1328,6 +1343,8 @@ public static function render_shortcode() {
 		 * @return string
 		 */
 		public function shortcode_output( $args = array(), $content = '' ) {
+			$_instance = $args;
+
 			$args = $this->argument_values( $args );
 
 			// add extra argument so we know its a output to gutenberg
@@ -1339,6 +1356,23 @@ public function shortcode_output( $args = array(), $content = '' ) {
 				$args['html'] = $content;
 			}
 
+			if ( ! $this->is_preview() ) {
+				/**
+				 * Filters the settings for a particular widget args.
+				 *
+				 * @since 1.0.28
+				 *
+				 * @param array          $args      The current widget instance's settings.
+				 * @param WP_Super_Duper $widget    The current widget settings.
+				 * @param array          $_instance An array of default widget arguments.
+				 */
+				$args = apply_filters( 'wp_super_duper_widget_display_callback', $args, $this, $_instance );
+
+				if ( ! is_array( $args ) ) {
+					return $args;
+				}
+			}
+
 			$class = isset( $this->options['widget_ops']['classname'] ) ? esc_attr( $this->options['widget_ops']['classname'] ) : '';
 			$class .= " sdel-".$this->get_instance_hash();
 
@@ -3211,5 +3245,82 @@ public function get_instance_style($rules = array()){
 
 			return $css;
 		}
+
+		/**
+		 * Encode shortcodes tags.
+		 *
+		 * @since 1.0.28
+		 *
+		 * @param string $content Content to search for shortcode tags.
+		 * @return string Content with shortcode tags removed.
+		 */
+		public function encode_shortcodes( $content ) {
+			// Avoids existing encoded tags.
+			$trans   = array(
+				'&#91;' => '&#091;',
+				'&#93;' => '&#093;',
+				'&amp;#91;' => '&#091;',
+				'&amp;#93;' => '&#093;',
+				'&lt;' => '&0lt;',
+				'&gt;' => '&0gt;',
+				'&amp;lt;' => '&0lt;',
+				'&amp;gt;' => '&0gt;',
+			);
+
+			$content = strtr( $content, $trans );
+
+			$trans   = array(
+				'[' => '&#91;',
+				']' => '&#93;',
+				'<' => '&lt;',
+				'>' => '&gt;',
+				'"' => '&quot;',
+				"'" => '&apos;',
+			);
+
+			$content = strtr( $content, $trans );
+
+			return $content;
+		}
+
+		/**
+		 * Remove encoded shortcod tags.
+		 *
+		 * @since 1.0.28
+		 *
+		 * @param string $content Content to search for shortcode tags.
+		 * @return string Content with decoded shortcode tags.
+		 */
+		public function decode_shortcodes( $content ) {
+			$trans   = array(
+				'&#91;' => '[',
+				'&#93;' => ']',
+				'&amp;#91;' => '[',
+				'&amp;#93;' => ']',
+				'&lt;' => '<',
+				'&gt;' => '>',
+				'&amp;lt;' => '<',
+				'&amp;gt;' => '>',
+				'&quot;' => '"',
+				'&apos;' => "'",
+			);
+
+			$content = strtr( $content, $trans );
+
+			$trans   = array(
+				'&#091;' => '&#91;',
+				'&#093;' => '&#93;',
+				'&amp;#091;' => '&#91;',
+				'&amp;#093;' => '&#93;',
+				'&0lt;' => '&lt;',
+				'&0gt;' => '&gt;',
+				'&amp;0lt;' => '&lt;',
+				'&amp;0gt;' => '&gt;',
+			);
+
+			$content = strtr( $content, $trans );
+
+			return $content;
+		}
 	}
 }