Escaping untrusted data in PHP for my WordPress theme - wordpress

I have got a comment from someone superior to me who wants me to escape some comment in two PHP snippets, which I have posted below. The problem is I don't know how to do that. Can anyone help me by modifying the snippets?
Comment I got:
Comment #1:
Validate and/or sanitize untrusted data before entering into the database. All untrusted data should be escaped before output.
Code Snippet #1:
<?php
if ( get_header_image() && !('blank' == get_header_textcolor()) ) {
echo '<div class="site-branding header-background-image" style="background-image: url(' . get_header_image() . ')">';
} else {
echo '<div class="site-branding">';
}
?>
Code Snippet #2:
<?php
printf(
/* translators: %1$s = text link: sangeet, URL: http://wordpress.org/themes/sangeet/, %2$s = text link: Kiran Kumar Dash, URL: https://twitter.com/TheKiranDash */
__( 'Theme: %1$s by %2$s', 'sangeet' ),
'' . esc_attr( 'sangeet', 'sangeet' ) . '',
'' . esc_attr__( 'Kiran Kumar Dash', 'sangeet' ) . '' );
?>
Comment #2:
esc all get_permalink() in content.php
Code Snippet #3:
<?php
if ( !is_single() ) {
echo '<div class="index-box">';
if ( has_post_thumbnail()) {
echo '<div class="small-index-thumbnail clear">';
echo '<a href="' . get_permalink() . '" title="' . __('Read ', 'sangeet') . get_the_title() . '" rel="bookmark">';
echo the_post_thumbnail('index-thumb');
echo '</a>';
echo '</div>';
}
}
?>
My approach:
I used esc_url to escape the get_permalink() in the snippet. Shall I use esc_all? Or is esc_url just fine?
<?php
if ( !is_single() ) {
echo '<div class="index-box">';
if ( has_post_thumbnail()) {
echo '<div class="small-index-thumbnail clear">';
echo '<a href="' . esc_url(get_permalink()) . '" title="' . __('Read ', 'sangeet') . get_the_title() . '" rel="bookmark">';
echo the_post_thumbnail('index-thumb');
echo '</a>';
echo '</div>';
}
}
?>
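The three snippets from the question with each untrusted value escaped for the context it is printed in, as an added example that is not the original poster's code. It assumes it runs inside a theme template where the WordPress template functions are available, and the `<a>` markup in snippet #2 is assumed from its translators comment.

```php
<?php
// Added example, not the original poster's code: the three snippets from the
// question with untrusted values escaped at the point of output. Assumes a
// theme template with the WordPress template functions loaded; the <a> tags in
// snippet #2 are assumed from its translators comment.

// Snippet #1: the header image URL lands inside a style attribute, so it goes
// through esc_url(), which also escapes the quote characters an attribute needs.
if ( get_header_image() && 'blank' !== get_header_textcolor() ) {
    printf(
        '<div class="site-branding header-background-image" style="background-image: url(%s)">',
        esc_url( get_header_image() )
    );
} else {
    echo '<div class="site-branding">';
}

// Snippet #2: esc_attr() takes a single argument; the escaping translation
// functions are esc_html__() and esc_attr__(). Link text is HTML text, so esc_html__().
printf(
    /* translators: %1$s: link to the theme page, %2$s: link to the author */
    esc_html__( 'Theme: %1$s by %2$s', 'sangeet' ),
    '<a href="' . esc_url( 'http://wordpress.org/themes/sangeet/' ) . '">' . esc_html__( 'sangeet', 'sangeet' ) . '</a>',
    '<a href="' . esc_url( 'https://twitter.com/TheKiranDash' ) . '">' . esc_html__( 'Kiran Kumar Dash', 'sangeet' ) . '</a>'
);

// Snippet #3: there is no esc_all(); the escaper is chosen by output context.
// get_permalink() is a URL (esc_url), the title attribute is attribute context
// (esc_attr), and the_post_thumbnail() already echoes, so it is not wrapped in echo.
if ( ! is_single() ) {
    echo '<div class="index-box">';
    if ( has_post_thumbnail() ) {
        echo '<div class="small-index-thumbnail clear">';
        printf(
            '<a href="%1$s" title="%2$s" rel="bookmark">',
            esc_url( get_permalink() ),
            esc_attr( __( 'Read ', 'sangeet' ) . get_the_title() )
        );
        the_post_thumbnail( 'index-thumb' );
        echo '</a></div>';
    }
    // <div class="index-box"> stays open here, as in the original snippet.
}
```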

As requested:
PS. I didn't write this, only advanced it.
Usage:
$user = sanctify($_GET['user']);
Function:
function sanctify($data){
// Fix &entity\n;
$data = str_replace(array('&','<','>'), array('&amp;','&lt;','&gt;'), $data);
$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
$data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');
// Remove any attribute starting with "on" or xmlns
$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
// Remove javascript: and vbscript: protocols
$data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);
// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);
// Remove namespaced elements (we do not need them)
$data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);
$data = str_replace('"','',str_replace("'","",$data));
do{
// Remove really unwanted tags
$old_data = $data;
$data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
}
while ($old_data !== $data);
// we are done...
return $data;
}
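The same `$_GET['user']` input handled with WordPress's own sanitize-on-input and escape-on-output functions, as an added example that is not the answer's code: it shows the policy from Comment #1 (sanitize before storing, escape before output) and an allow-list filter for rich content in place of the tag blacklist above. It assumes WordPress is loaded; the `post_id` and `bio` parameters and the `sangeet_user` meta key are made up for the example.

```php
<?php
// Added example, not the answer's code: $_GET['user'] handled with WordPress's
// sanitize / escape functions instead of a regex tag blacklist. Assumes WordPress
// is loaded; 'post_id', 'bio' and the 'sangeet_user' meta key are made up here.

// 1. Input: wp_unslash() removes the slashes WordPress adds to request data, then
//    sanitize for the type of data expected. sanitize_text_field() strips tags,
//    invalid octets and line breaks; it does not make a value safe for any
//    particular output context, so escaping still happens at output time.
$user    = isset( $_GET['user'] ) ? sanitize_text_field( wp_unslash( $_GET['user'] ) ) : '';
$post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0; // validated as a number

// 2. Storage: the sanitized value goes into the database through the WordPress
//    API, which does its own SQL escaping.
if ( $post_id ) {
    update_post_meta( $post_id, 'sangeet_user', $user );
}

// 3. Output: escape for the exact context every time the value is printed.
echo '<p class="user">' . esc_html( $user ) . '</p>';                      // HTML text
echo '<input type="text" name="user" value="' . esc_attr( $user ) . '">'; // attribute
echo '<a href="' . esc_url( add_query_arg( 'user', $user, home_url( '/' ) ) ) . '">'
    . esc_html( $user ) . '</a>';                                          // URL + text

// 4. Content that must keep some markup: an allow-list with wp_kses() instead of
//    deleting known-bad tags. Tags and attributes not listed (on* handlers
//    included) are removed, and href is restricted to the allowed protocols,
//    so javascript: style values are stripped without any pattern matching.
$allowed = array(
    'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
    'strong' => array(),
    'em'     => array(),
    'p'      => array(),
);
$bio = isset( $_POST['bio'] ) ? wp_kses( wp_unslash( $_POST['bio'] ), $allowed ) : '';
echo '<div class="bio">' . $bio . '</div>'; // already reduced to the allow-list
```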

Related

WP - shortcode including a mixture of html and php (ACF variables)

I'm trying to create a WP shortcode that would include both HTML and PHP. For example, something like this (which does not work):
function my_first_shortcode() {
$content = <<<EOT
<h1>Some title</h1>
<p><?php the_field('description'); ?></p>
EOT;
return $content;
}
add_shortcode('my_shortcode', 'my_first_shortcode');
the_field('name_of_field'); normally outputs the content of the specified variable/field (Advanced Custom Fields).
Is the HEREDOC way the right way of doing that? If so, how would I do it? It'd also be great if I could pass variables to the shortcode.
Thank you
First, you can't write PHP tags inside a HEREDOC.
You can use it like this:
$the_field = 'the_field';
$content = <<<EOT
<h1>Some title</h1>
<p>{$the_field('description')}</p>
EOT;
Passing attributes to a shortcode is very simple.
For example, we have the shortcode:
[my_shortcode att_1="some_value" att_2="some_value"]
function my_first_shortcode($atts)
{
$att_1 = $atts['att_1'];
$att_2 = $atts['att_2'];
}
add_shortcode('my_shortcode', 'my_first_shortcode');
I always prefer to use output buffering for my shortcodes, example below.
function my_first_shortcode() {
ob_start(); ?>
<h1>Some title</h1>
<p><?php the_field('description'); ?></p>
<?php
// ob_get_clean() returns the buffer and discards it; with ob_get_contents() alone
// the buffer is still flushed to the page, so the markup appears twice.
return ob_get_clean();
}
add_shortcode('my_shortcode', 'my_first_shortcode');
add_shortcode('location_start_your_application_group', 'start_your_application_group');
function start_your_application_group() {
// Build the markup in a string and return it. The original called ob_start() and
// then overwrote the string with ob_get_clean(), which returned an empty buffer.
$start_your_application_group = '';
$start_your_application_group .= '<section class="start-your-application">';
if ( have_rows( 'start_your_application_group', 'option' ) ) :
while ( have_rows( 'start_your_application_group', 'option' ) ) : the_row();
$heading = get_sub_field( 'heading' );
$content = get_sub_field( 'content' );
if ( $heading !== '' ) {
$start_your_application_group .= '<h3 class="start-your-application__heading">' . esc_html( $heading ) . '</h3>';
}
if ( $content !== '' ) {
// WYSIWYG field content: keep the editor's allowed markup, drop everything else
$start_your_application_group .= '<div class="start-your-application__content">' . wp_kses_post( $content ) . '</div>';
}
$image = get_sub_field( 'image' );
if ( $image ) {
$start_your_application_group .= '<div class="start-your-application__image-container"><img class="start-your-application__image" src="' . esc_url( $image['url'] ) . '" alt="' . esc_attr( $image['alt'] ) . '" /></div>';
}
endwhile;
endif;
$start_your_application_group .= '</section>';
return $start_your_application_group;
}

How to show image and description in Categories widget in wordpress

Hello friends, I want to show the image and description in the categories list widget. For showing the description I use the code below:
in functions.php
function wpb_catlist_desc() {
$string = '<ul>';
$catlist = get_terms( 'category' );
if ( ! empty( $catlist ) ) {
foreach ( $catlist as $key => $item ) {
$string .= '<li>'. $item->name . '<br />';
$string .= '<em>'. $item->description . '</em> </li>';
}
}
$string .= '</ul>';
return $string;
}
add_shortcode('wpb_categories', 'wpb_catlist_desc');
and in class-wp-widget-categories.php
echo do_shortcode('[wpb_categories]');
It is showing the category names and their descriptions. Now I want to show the category image as well. Can anyone please help me with how I can get that? I tried the Categories Images plugin to show images but couldn't get them to show.
Get the image with z_taxonomy_image_url($id) and z_taxonomy_image($id):
if ( z_taxonomy_image_url( $item->term_id ) )
{
$string .= '<img src="' . esc_url( z_taxonomy_image_url( $item->term_id ) ) . '" style="width: 20%;">';
}
You can get the image using following code and append it to $string.
$catlist = get_terms( 'category' ); // get category list
$string = "<ul>";
foreach ( $catlist as $key => $item )
{
$image_dis = ''; // reset per term, otherwise a term without an image shows the previous term's image
$thumbnail_id = get_woocommerce_term_meta( $item->term_id, 'thumbnail_id', true );
$image = wp_get_attachment_url( $thumbnail_id );
if ( $image ) {
$image_dis = '<img src="' . esc_url( $image ) . '" alt="' . esc_attr( $item->name ) . '" />'; // $cat was undefined here; the current term is $item
}
$string .= '<li>'. esc_html( $item->name ) . '<br />';
$string .= $image_dis . '<br />';
$string .= '<em>'. esc_html( $item->description ) . '</em> </li>';
}
$string .= "</ul>";
echo $string;

Wordpress function does not output all list items

I have this function connected to a shortcode that is supposed to return all stored social profiles. For now it only outputs the first social profile, even though there are two more. I think there is something wrong with the way this code returns the output, I just don't know how to solve it.
function ichi_social_profiles() {
if( $social_profiles = Youxi()->option->get( 'social_profiles' ) ):
?><div class="site-social-profiles">
<ul class="plain-list"><?php
foreach( $social_profiles as $profile ):
$profile = wp_parse_args( $profile, array(
'title' => '',
'url' => '#',
'icon' => 'socicon socicon-500px',
'new_tab' => 0
) );
$output = '<li>';
$output .= '<a href="' . esc_url( $profile['url'] ) . '" title="' . esc_attr( $profile['title'] ) . '"' . ( wp_validate_boolean( $profile['new_tab'] ) ? ' target="_blank"' : '' ) . '>';
$output .= '<span class="' . esc_attr( $profile['icon'] ) . '"></span>';
$output .= '</a>';
$output .= '</li>';
return $output;
endforeach;
?></ul>
</div><?php endif;
}
add_shortcode('some-ikon', 'ichi_social_profiles');
The return statement is too early, inside of the foreach loop, and it is only returning the contents of $output. Also, the div tag, the ul tag and rest of the HTML are being echoed on the page, instead of being returned by the function.
I would set $output = '' at the beginning of the function before the if statement, and append HTML to it as you go, then just return $output at the end, after the endif.
The WordPress Codex has some examples that may also help, though some are much more complex:
https://codex.wordpress.org/Shortcode_API
SOLUTION
I added ob_start() to the beginning of the function before any echo call.
At the end of the function I added:
$response = ob_get_contents();
ob_end_clean();
return $response;
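The fix described in the answer carried through in working code, as an added example that is not the poster's code: all markup is accumulated in `$output` and returned once after the loop, so nothing is echoed from inside the shortcode and nothing is returned from inside the foreach. It assumes the `Youxi()->option->get()` options API and the `wp_parse_args()` defaults from the question.

```php
<?php
// Added example, not the poster's code: the shortcode rewritten so that all
// markup is accumulated in $output and returned once, after the loop, instead
// of being echoed or returned from inside the foreach. Assumes the Youxi()
// options API and the wp_parse_args() defaults from the question.
function ichi_social_profiles() {
    $output = '';
    $social_profiles = Youxi()->option->get( 'social_profiles' );
    if ( empty( $social_profiles ) || ! is_array( $social_profiles ) ) {
        return $output; // a shortcode callback must return a string, even when there is nothing to show
    }
    $output .= '<div class="site-social-profiles"><ul class="plain-list">';
    foreach ( $social_profiles as $profile ) {
        $profile = wp_parse_args( $profile, array(
            'title'   => '',
            'url'     => '#',
            'icon'    => 'socicon socicon-500px',
            'new_tab' => 0,
        ) );
        $new_tab = wp_validate_boolean( $profile['new_tab'] );
        // Each value is escaped for its context: URL, attribute, attribute.
        // rel="noopener noreferrer" is added here for target="_blank" links.
        $output .= '<li><a href="' . esc_url( $profile['url'] ) . '"'
            . ' title="' . esc_attr( $profile['title'] ) . '"'
            . ( $new_tab ? ' target="_blank" rel="noopener noreferrer"' : '' )
            . '><span class="' . esc_attr( $profile['icon'] ) . '"></span></a></li>';
    }
    $output .= '</ul></div>';
    return $output;
}
add_shortcode( 'some-ikon', 'ichi_social_profiles' );
```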

Insert custom content in WooCommerce

I have a problem in the WooCommerce Admin Order menu. I want to add some content in the column but I don't know where I can do it.
This is an example screenshot of my WooCommerce admin order view:
I want to add the phone number below the email address in the Order column.
Please help me to do that.
Thank you.
I've had to do this once; I followed this tutorial:
https://code.tutsplus.com/articles/add-a-custom-column-in-posts-and-custom-post-types-admin-screen--wp-24934
add_action('manage_shop_order_posts_custom_column', 'match_order_woocommerce_custom_order_columns', 2);
function match_order_woocommerce_custom_order_columns( $column ) {
remove_action('manage_shop_order_posts_custom_column', 'woocommerce_custom_order_columns', 2);
global $post, $woocommerce;
$order = new WC_Order( $post->ID );
switch ($column) {
case "order_title" :
if ($order->user_id) $user_info = get_userdata($order->user_id);
if (isset($user_info) && $user_info) :
$user = '<a href="user-edit.php?user_id=' . esc_attr( $user_info->ID ) . '">';
if ($user_info->first_name || $user_info->last_name) $user .= $user_info->first_name.' '.$user_info->last_name;
else $user .= esc_html( $user_info->display_name );
$user .= '</a>';
else :
$user = __('Guest', 'woocommerce');
endif;
echo '<strong>'.sprintf( __('Order %s', 'woocommerce'), $order->get_order_number() ).'</strong> ' . __('made by', 'woocommerce') . ' ' . $user;
if ($order->billing_email) :
echo '<small class="meta">'.__('Email:', 'woocommerce') . ' ' . ''.esc_html( $order->billing_email ).'</small>';
endif;
if ($order->billing_phone) :
echo '<small class="meta">'.__('Tel:', 'woocommerce') . ' ' . esc_html( $order->billing_phone ) . '</small>';
endif;
break;
}
}
Please try this snippet in your active theme's functions.php

Translatable output in shortcode

Hello, I would like to make part of the output translatable in my shortcode but I don't know how to do it.
I tried several times, but even when I managed to add the code, it was displayed outside of the div that outputs the variables, so it won't work.
My code without the translation string is:
add_shortcode('cv', 'vp_cv');
function vp_cv($atts, $content=null) {
extract(shortcode_atts(array(
'number' => 6,
'categories' => '' // used in the query below but was never defined
), $atts));
global $post;
$output = ''; // was appended to without being initialised
$query = new WP_Query('post_type=resume&posts_per_page=' . $number . '&cat=' . $categories);
while($query->have_posts() ) : $query->the_post();
$year = get_post_meta($post->ID, 'resume_year', true);
$title = get_the_title();
$client = get_post_meta($post->ID, 'resume_client', true);
$address = get_post_meta($post->ID, 'resume_address', true);
$output .= '<p class="year">' . $year . '</p>';
$output .= '<p class="cv-title">' . $title . '</p>';
$output .= '<p class="cv-client"> <strong> Client:</strong> ' . $client . '</p>';
$output .= '<p class="cv-address"> <strong> Address:</strong> ' . $address. '</p>';
endwhile;
wp_reset_postdata(); // restore the main query's $post after a custom WP_Query loop
$output .= '</div>
<div class="clearboth"></div>';
return $output;
}
I'd like to add a translatable string to the client and address, like:
<?php _e('Client:','ikos');?>
And it must end up inside the tags.
Thanks!
Assuming that you're loading text domain correctly, try this:
<?php
// ....
$output .= '<p class="cv-client"> <strong> ' . __( 'Client: ', 'ikos' ) . ' </strong> ' . $client . '</p>';
$output .= '<p class="cv-address"> <strong> ' . __( 'Address: ', 'ikos' ) . ' </strong> ' . $address. '</p>';
// ....
?>
Using __( 'Translatable string', 'your-text-domain' ); returns the translated string without echoing it.
Using _e( 'Translatable string', 'your-text-domain' ); echoes the translated string.
Try it, hope it helps! If something is not clear feel free to ask.
