fixed escaping, sanitization quiz shortcode
randhirexpresstech committed May 27, 2024
1 parent 0bdbae4 commit 0cfded2
Showing 10 changed files with 23 additions and 23 deletions.
14 changes: 7 additions & 7 deletions php/classes/class-qmn-quiz-manager.php
Expand Up @@ -1286,7 +1286,7 @@ public function display_pages( $options, $quiz_data ) {
<?php
$editor_text = $wp_embed->run_shortcode( $message_before );
$editor_text = preg_replace( '/\s*[\w\/:\.]*youtube.com\/watch\?v=([\w]+)([\w\*\-\?\&\;\%\=\.]*)/i', '<iframe width="420" height="315" src="//www.youtube.com/embed/$1" frameborder="0" allowfullscreen></iframe>', $editor_text );
echo do_shortcode( wp_kses_post( $editor_text ) );
echo wp_kses_post( do_shortcode( $editor_text ) );
?>
</div>
<?php
Expand Down Expand Up @@ -1315,7 +1315,7 @@ public function display_pages( $options, $quiz_data ) {
<?php
$editor_text = $wp_embed->run_shortcode( $message_before );
$editor_text = preg_replace( '/\s*[\w\/:\.]*youtube.com\/watch\?v=([\w]+)([\w\*\-\?\&\;\%\=\.]*)/i', '<iframe width="420" height="315" src="//www.youtube.com/embed/$1" frameborder="0" allowfullscreen></iframe>', $editor_text );
echo do_shortcode( wp_kses_post( $editor_text ) );
echo wp_kses_post( do_shortcode( $editor_text ) );
?>
</div>
<?php
Expand Down Expand Up @@ -1374,7 +1374,7 @@ public function display_pages( $options, $quiz_data ) {
<div class='qsm-after-message mlw_qmn_message_end'>
<?php
$message_after = apply_filters( 'mlw_qmn_template_variable_quiz_page', wpautop( $message_after ), $quiz_data );
echo do_shortcode( wp_kses_post( $message_after ) );
echo wp_kses_post( do_shortcode( $message_after ) );
?>
</div>
<?php
Expand Down Expand Up @@ -1469,7 +1469,7 @@ public function display_pages( $options, $quiz_data ) {
<div class='qsm-after-message mlw_qmn_message_end'>
<?php
$message_after = apply_filters( 'mlw_qmn_template_variable_quiz_page', wpautop( $message_after ), $quiz_data );
echo do_shortcode( wp_kses_post( $message_after ) );
echo wp_kses_post( do_shortcode( $message_after ) );
?>
</div>
<?php
Expand Down Expand Up @@ -1537,7 +1537,7 @@ public function display_begin_section( $qmn_quiz_options, $qmn_array_for_variabl
?>
<div class='mlw_qmn_message_before'>
<?php
echo do_shortcode( wp_kses_post( $editor_text ) );
echo wp_kses_post( do_shortcode( $editor_text ) );
?>
</div>
<?php
Expand Down Expand Up @@ -1673,7 +1673,7 @@ public function display_comment_section( $qmn_quiz_options, $qmn_array_for_varia
$message_comments = $mlwQuizMasterNext->pluginHelper->qsm_language_support( htmlspecialchars_decode( $qmn_quiz_options->message_comment, ENT_QUOTES ), "quiz_message_comment-{$qmn_quiz_options->quiz_id}" );
$message_comments = apply_filters( 'mlw_qmn_template_variable_quiz_page', wpautop( $message_comments ), $qmn_array_for_variables );
?>
<label for="mlwQuizComments" class="mlw_qmn_comment_section_text"><?php echo do_shortcode( wp_kses_post( $message_comments ) ); ?></label><br />
<label for="mlwQuizComments" class="mlw_qmn_comment_section_text"><?php echo wp_kses_post( do_shortcode( $message_comments ) ); ?></label><br />
<textarea cols="60" rows="10" id="mlwQuizComments" name="mlwQuizComments" class="qmn_comment_section"></textarea>
</div>
<?php
Expand Down Expand Up @@ -1711,7 +1711,7 @@ public function display_end_section( $qmn_quiz_options, $qmn_array_for_variables
<?php
$message_end = $mlwQuizMasterNext->pluginHelper->qsm_language_support( htmlspecialchars_decode( $qmn_quiz_options->message_end_template, ENT_QUOTES ), "quiz_message_end_template-{$qmn_quiz_options->quiz_id}" );
$message_end = apply_filters( 'mlw_qmn_template_variable_quiz_page', wpautop( $message_end ), $qmn_array_for_variables );
echo do_shortcode( wp_kses_post( $message_end ) );
echo wp_kses_post( do_shortcode( $message_end ) );
?>
</span>
<br /><br />
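Review bot: The `<iframe>` that the preg_replace builds for YouTube links in the 1286 and 1315 hunks is discarded by the `wp_kses_post()` call on the next line, because iframe is not in the default post allow-list, so the embed never reaches the page unless the plugin extends `wp_kses_allowed_html` somewhere not visible here; either drop the replacement or pass an explicit allowed-tags array for that one output through `wp_kses()`. This was already true before the reorder, so it is not a regression, but both hunks now carry a line that has no effect. Running `wp_kses_post()` after `do_shortcode()` rather than before is the right order, since it also covers whatever markup the shortcode handlers themselves emit, and the identical reorder in the question-type files and template-variables.php is consistent with it. display_pages(), display_begin_section(), display_comment_section() and display_end_section() all begin and end outside these hunks.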
4 changes: 2 additions & 2 deletions php/classes/class-qsm-results-pages.php
Expand Up @@ -177,12 +177,12 @@ public static function generate_pages( $response_data ) {

// Decodes special characters, runs through our template
// variables, and then outputs the text.
$page = wp_kses_post( htmlspecialchars_decode( $content, ENT_QUOTES) );
$page = htmlspecialchars_decode( $content, ENT_QUOTES);

//last chance to filter $page
$page = apply_filters( 'qsm_template_variable_results_page', $page, $response_data );

echo apply_filters( 'mlw_qmn_template_variable_results_page', $page, $response_data );
echo wp_kses_post( apply_filters( 'mlw_qmn_template_variable_results_page', $page, $response_data ) );
do_action( 'qsm_after_results_page', $response_data, $page_index );
?>
</div><?php
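Review bot: The comment at the top of the hunk still describes the old flow ("decodes … and then outputs the text") while sanitisation has moved to the echo; a one-liner on the echo, `// Sanitise at output so markup added by the two filters above is covered too.`, records why the call sits there and discourages moving it back. With the change, `$page` handed to the `qsm_template_variable_results_page` and `mlw_qmn_template_variable_results_page` filters is the raw decoded content rather than the kses-filtered string, which is the right input for callbacks that generate markup, but any callback that stores or re-emits `$page` on its own now handles unfiltered HTML. `wp_kses_post()` will also strip elements outside the post allow-list (iframes, forms, event-handler attributes) that results-page templates could previously emit, which is a behavioural change worth a changelog entry. generate_pages() continues outside the hunk.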
Expand Up @@ -77,7 +77,7 @@ function qmn_horizontal_multiple_choice_display( $id, $question, $answers ) {
} else {
$answer_text = trim( htmlspecialchars_decode($add_label_value." ". $answer[0], ENT_QUOTES ) );
$answer_text = $mlwQuizMasterNext->pluginHelper->qsm_language_support( $answer_text, 'answer-' . $id . '-' . $answer_index, 'QSM Answers' );
echo do_shortcode( wp_kses_post( $answer_text ) );
echo wp_kses_post( do_shortcode( $answer_text ) );
}
?>
</label>
2 changes: 1 addition & 1 deletion php/question-types/qsm-question-type-multiple-choice.php
Expand Up @@ -85,7 +85,7 @@ function qmn_multiple_choice_display( $id, $question, $answers ) {
} else {
$answer_text = trim( htmlspecialchars_decode($add_label_value." ".$answer[0], ENT_QUOTES ) );
$answer_text = $mlwQuizMasterNext->pluginHelper->qsm_language_support( $answer_text, 'answer-' . $id . '-' . $answer_index, 'QSM Answers' );
echo do_shortcode( wp_kses_post($answer_text ) );
echo wp_kses_post( do_shortcode($answer_text ) );
}
?>
</label>
Expand Up @@ -73,7 +73,7 @@ function qmn_horizontal_multiple_response_display( $id, $question, $answers ) {
} else {
$answer_text = trim( htmlspecialchars_decode( $add_label_value." ".$answer[0], ENT_QUOTES ) );
$answer_text = $mlwQuizMasterNext->pluginHelper->qsm_language_support( $answer_text, 'answer-' . $answer_text, 'QSM Answers' );
echo do_shortcode( wp_kses_post( $answer_text ) );
echo wp_kses_post( do_shortcode( $answer_text ) );
}
?>
</label>
2 changes: 1 addition & 1 deletion php/question-types/qsm-question-type-multiple-response.php
Expand Up @@ -74,7 +74,7 @@ function qmn_multiple_response_display( $id, $question, $answers ) {
} else {
$answer_text = trim( htmlspecialchars_decode( $add_label_value." ". $answer[0], ENT_QUOTES ) );
$answer_text = $mlwQuizMasterNext->pluginHelper->qsm_language_support( $answer_text, 'answer-' . $id . '-' . $answer_index, 'QSM Answers' );
echo do_shortcode( wp_kses_post( $answer_text ) );
echo wp_kses_post( do_shortcode( $answer_text ) );
}
?>
</label>
2 changes: 1 addition & 1 deletion php/question-types/qsm-question-type-opt-in.php
Expand Up @@ -30,7 +30,7 @@ function qmn_accept_display( $id, $question, $answers ) {
$question = $mlwQuizMasterNext->pluginHelper->get_question_setting( $id, 'question_title' );
}
$question = $mlwQuizMasterNext->pluginHelper->qsm_language_support( htmlspecialchars_decode( $question, ENT_QUOTES ), "question-description-{$id}", 'QSM Questions' );
echo do_shortcode( wp_kses_post( $question ) );
echo wp_kses_post( do_shortcode( $question ) );
?>
</span>
</label>
4 changes: 2 additions & 2 deletions php/question-types/qsm-question-type-polar.php
Expand Up @@ -66,7 +66,7 @@ function qmn_polar_display( $id, $question, $answers ) {
<?php
} else {
$left_title = $mlwQuizMasterNext->pluginHelper->qsm_language_support( $answers[0][0], 'answer-' . $id . '-0', "QSM Answers" );
echo do_shortcode( wp_kses_post( $left_title ) );
echo wp_kses_post( do_shortcode( $left_title ) );
}
?> </div>
<div class='slider-main-wrapper'>
Expand Down Expand Up @@ -95,7 +95,7 @@ function qmn_polar_display( $id, $question, $answers ) {
<?php
} else {
$right_title = $mlwQuizMasterNext->pluginHelper->qsm_language_support( $answers[1][0], 'answer-' . $id . '-1', "QSM Answers" );
echo do_shortcode( wp_kses_post( $right_title ) );
echo wp_kses_post( do_shortcode( $right_title ) );
}
?></div>
</span>
2 changes: 1 addition & 1 deletion php/shortcodes.php
Expand Up @@ -85,7 +85,7 @@ function qsm_display_recent_quizzes( $attrs ) {
} elseif ( $start_date && $start_date > $now && 'no' === $include_future_quizzes ) {
continue;
} else {
$title = $quiz->quiz_name;
$title = esc_html( $quiz->quiz_name );
$id = $quiz->quiz_id;
$url = do_shortcode( "[qsm_link id='$id'] Take Quiz [/qsm_link]" );
$result .= "<div class='ind-quiz'>
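Review bot: `esc_html()` is applied when `$title` is assigned rather than where it is interpolated into `$result`, which is only correct if `$title` is used solely as HTML text content; if it also lands in an attribute (title, alt) or inside the `[qsm_link]` shortcode string further down, that place needs the context-specific escaper (`esc_attr()`) instead, and escaping at assignment hides that from the reader. The other interpolation on the visible lines, `$id` inside `"[qsm_link id='$id'] …"`, is still unescaped; it presumably comes from the quiz row as an integer, but `$id = absint( $quiz->quiz_id );` makes that guarantee explicit and keeps a stray quote from breaking out of the shortcode attribute. qsm_display_recent_quizzes() and the `$result` string it builds continue outside the hunk.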
12 changes: 6 additions & 6 deletions php/template-variables.php
Expand Up @@ -1392,7 +1392,7 @@ function qsm_questions_answers_shortcode_to_text( $mlw_quiz_array, $qmn_question
$question_max_point = ( isset( $questions[ $answer['id'] ] ) ? qsm_get_question_maximum_points( $questions[ $answer['id'] ] ) : 0 );
$mlw_question_answer_display = str_replace( '%QUESTION_MAX_POINTS%', $question_max_point, $mlw_question_answer_display );

$mlw_question_answer_display = do_shortcode( wp_kses_post( $mlw_question_answer_display ) );
$mlw_question_answer_display = wp_kses_post( do_shortcode( $mlw_question_answer_display ) );

if ( $total_question_cnt == $qsm_question_cnt && false == $remove_border ) {
$extra_border_bottom_class = 'qsm-remove-border-bottom';
Expand All @@ -1401,7 +1401,7 @@ function qsm_questions_answers_shortcode_to_text( $mlw_quiz_array, $qmn_question
$question_obj = ( isset( $questions[ $answer['id'] ] ) ? $questions[ $answer['id'] ] : null );
$display = "<div class='qmn_question_answer $extra_border_bottom_class $question_answer_class'>" . apply_filters( 'qmn_variable_question_answers', $mlw_question_answer_display, $mlw_quiz_array, $question_obj ) . '</div>';

return $display;
return wp_kses_post( $display );
}

function qsm_get_question_maximum_points( $question = array() ) {
Expand Down Expand Up @@ -1530,7 +1530,7 @@ function qmn_polar_display_on_resultspage( $id, $question, $answers, $answer ) {
$input_text .= '<span class="qsm_image_caption">'.esc_html( $caption_text ).'</span>';
} else {
$left_title = $mlwQuizMasterNext->pluginHelper->qsm_language_support( $answers[0][0], "answer-" . $answers[0][0], "QSM Answers" );
$input_text .= do_shortcode( wp_kses_post( $left_title ) );
$input_text .= wp_kses_post( do_shortcode( $left_title ) );
}

$input_text .= "</div>";
Expand All @@ -1552,7 +1552,7 @@ function qmn_polar_display_on_resultspage( $id, $question, $answers, $answer ) {
$input_text .= '<span class="qsm_image_caption">'.esc_html( $caption_text ).'</span>';
} else {
$right_title = $mlwQuizMasterNext->pluginHelper->qsm_language_support( $answers[1][0], "answer-" . $answers[0][0], "QSM Answers" );
$input_text .= do_shortcode( wp_kses_post( $right_title ) );
$input_text .= wp_kses_post( do_shortcode( $right_title ) );
}
$input_text .= "</div>";
$question = $input_text;
Expand Down Expand Up @@ -1623,10 +1623,10 @@ function qsm_varibale_question_title_func( $question, $question_type = '', $new_

if ( '' !== $new_question_title ) {
$new_question_title = $mlwQuizMasterNext->pluginHelper->qsm_language_support( htmlspecialchars_decode( $new_question_title, ENT_QUOTES ), "Question-{$question_id}", 'QSM Questions' );
$question_display .= "<div class='mlw_qmn_new_question'>" . $new_question_title . '</div>';
$question_display .= "<div class='mlw_qmn_new_question'>" . esc_html( $new_question_title ) . '</div>';
$polar_extra_class .= ' qsm_remove_bold';
}
$question_display .= "<div class='mlw_qmn_question' >" . do_shortcode( $question_title ) . '</div>';

return $question_display;
return wp_kses_post( $question_display );
}
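Review bot: `esc_html( $new_question_title )` in the last hunk of this file is a behavioural change, not just an escaping fix: the value is run through `htmlspecialchars_decode()` on the line above, which only makes sense if stored titles may contain markup, and `esc_html()` now renders that markup as literal text while the `wp_kses_post()` added on the return already filters it safely; if titles are meant to allow basic formatting, drop the `esc_html()` and rely on the return-side kses, and if they are plain text, the decode is the part that is unnecessary. In qsm_questions_answers_shortcode_to_text() the two passes (kses after `do_shortcode()` and again on the return) are harmless, and the second is what covers output of the `qmn_variable_question_answers` filter, but a comment on the return, `// Second pass covers markup contributed by the qmn_variable_question_answers filter.`, would stop someone removing it as redundant. Unrelated to this commit but visible in the 1552 hunk: the right-title translation key is built from `$answers[0][0]` while the value is `$answers[1][0]`, which looks like a copy/paste slip from the left-title branch. qsm_varibale_question_title_func() and qmn_polar_display_on_resultspage() begin outside their hunks.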
