always escape as if context is HTML, maybe escape as if context is attribute

Author: dannyvankooten

includes/class-dynamic-content-tags.php

@@ -11,7 +11,7 @@ abstract class MC4WP_Dynamic_Content_Tags
     /**
      * @var string The escape function for replacement values.
      */
-    protected $escape_function = null;
+    protected $escape_function = 'esc_html';
 
     /**
      * @var array Array of registered dynamic content tags
@@ -25,56 +25,56 @@ protected function register()
     {
         // Global tags can go here
         $this->tags['cookie'] = [
-            'description' => __('Data from a cookie.', 'mailchimp-for-wp'),
-            'callback'    => [ $this, 'get_cookie' ],
-            'example'     => "cookie name='my_cookie' default='Default Value'",
+        'description' => __('Data from a cookie.', 'mailchimp-for-wp'),
+        'callback'    => [ $this, 'get_cookie' ],
+        'example'     => "cookie name='my_cookie' default='Default Value'",
         ];
 
         $this->tags['email'] = [
-            'description' => __('The email address of the current visitor (if known).', 'mailchimp-for-wp'),
-            'callback'    => [ $this, 'get_email' ],
+        'description' => __('The email address of the current visitor (if known).', 'mailchimp-for-wp'),
+        'callback'    => [ $this, 'get_email' ],
         ];
 
         $this->tags['current_url'] = [
-            'description' => __('The URL of the page.', 'mailchimp-for-wp'),
-            'callback'    => 'mc4wp_get_request_url',
+        'description' => __('The URL of the page.', 'mailchimp-for-wp'),
+        'callback'    => 'mc4wp_get_request_url',
         ];
 
         $this->tags['current_path'] = [
-            'description' => __('The path of the page.', 'mailchimp-for-wp'),
-            'callback'    => 'mc4wp_get_request_path',
+        'description' => __('The path of the page.', 'mailchimp-for-wp'),
+        'callback'    => 'mc4wp_get_request_path',
         ];
 
         $this->tags['date'] = [
-            'description' => sprintf(__('The current date. Example: %s.', 'mailchimp-for-wp'), '<strong>' . gmdate('Y/m/d', time() + ( get_option('gmt_offset') * HOUR_IN_SECONDS )) . '</strong>'),
-            'replacement' => gmdate('Y/m/d', time() + ( get_option('gmt_offset') * HOUR_IN_SECONDS )),
+        'description' => sprintf(__('The current date. Example: %s.', 'mailchimp-for-wp'), '<strong>' . gmdate('Y/m/d', time() + ( get_option('gmt_offset') * HOUR_IN_SECONDS )) . '</strong>'),
+        'replacement' => gmdate('Y/m/d', time() + ( get_option('gmt_offset') * HOUR_IN_SECONDS )),
         ];
 
         $this->tags['time'] = [
-            'description' => sprintf(__('The current time. Example: %s.', 'mailchimp-for-wp'), '<strong>' . gmdate('H:i:s', time() + ( get_option('gmt_offset') * HOUR_IN_SECONDS )) . '</strong>'),
-            'replacement' => gmdate('H:i:s', time() + ( get_option('gmt_offset') * HOUR_IN_SECONDS )),
+        'description' => sprintf(__('The current time. Example: %s.', 'mailchimp-for-wp'), '<strong>' . gmdate('H:i:s', time() + ( get_option('gmt_offset') * HOUR_IN_SECONDS )) . '</strong>'),
+        'replacement' => gmdate('H:i:s', time() + ( get_option('gmt_offset') * HOUR_IN_SECONDS )),
         ];
 
         $this->tags['language'] = [
-            'description' => sprintf(__('The site\'s language. Example: %s.', 'mailchimp-for-wp'), '<strong>' . get_locale() . '</strong>'),
-            'callback'    => 'get_locale',
+        'description' => sprintf(__('The site\'s language. Example: %s.', 'mailchimp-for-wp'), '<strong>' . get_locale() . '</strong>'),
+        'callback'    => 'get_locale',
         ];
 
         $this->tags['ip'] = [
-            'description' => sprintf(__('The visitor\'s IP address. Example: %s.', 'mailchimp-for-wp'), '<strong>' . mc4wp_get_request_ip_address() . '</strong>'),
-            'callback'    => 'mc4wp_get_request_ip_address',
+        'description' => sprintf(__('The visitor\'s IP address. Example: %s.', 'mailchimp-for-wp'), '<strong>' . mc4wp_get_request_ip_address() . '</strong>'),
+        'callback'    => 'mc4wp_get_request_ip_address',
         ];
 
         $this->tags['user'] = [
-            'description' => __('The property of the currently logged-in user.', 'mailchimp-for-wp'),
-            'callback'    => [ $this, 'get_user_property' ],
-            'example'     => "user property='user_email'",
+        'description' => __('The property of the currently logged-in user.', 'mailchimp-for-wp'),
+        'callback'    => [ $this, 'get_user_property' ],
+        'example'     => "user property='user_email'",
         ];
 
         $this->tags['post'] = [
-            'description' => __('Property of the current page or post.', 'mailchimp-for-wp'),
-            'callback'    => [ $this, 'get_post_property' ],
-            'example'     => "post property='ID'",
+        'description' => __('Property of the current page or post.', 'mailchimp-for-wp'),
+        'callback'    => [ $this, 'get_post_property' ],
+        'example'     => "post property='ID'",
         ];
     }
 
@@ -118,9 +118,8 @@ protected function replace_tag(array $matches)
                 $replacement = call_user_func($config['callback'], $attributes);
             }
 
-            if (is_callable($this->escape_function)) {
-                $replacement = call_user_func($this->escape_function, $replacement);
-            }
+            // escape replacement value
+            $replacement = call_user_func($this->escape_function, $replacement);
 
             return $replacement;
         }
@@ -131,15 +130,21 @@ protected function replace_tag(array $matches)
 
     /**
      * @param string $string The string containing dynamic content tags.
-     * @param string $escape_function Escape mode for the replacement value. Leave empty for no escaping.
+     * @param string $escape_function Escape mode for the replacement value.
      * @return string
      */
-    protected function replace($string, $escape_function = '')
+    private function replace($string, $escape_function = 'esc_html')
     {
+        // first, replace inside attributes
+        $this->escape_function = 'esc_attr';
+        $string = preg_replace_callback('/\=[\'"]?[^\'"]*\{(\w+)(\ +(?:(?!\{)[^}\n])+)*\
+    }/', [ $this, 'replace_tag' ], $string);
+
         $this->escape_function = $escape_function;
 
         // replace strings like this: {tagname attr="value"}
-        $string = preg_replace_callback('/\{(\w+)(\ +(?:(?!\{)[^}\n])+)*\}/', [ $this, 'replace_tag' ], $string);
+        $string = preg_replace_callback('/\{(\w+)(\ +(?:(?!\{)[^}\n])+)*\
+}/', [ $this, 'replace_tag' ], $string);
 
         // call again to take care of nested variables
         $string = preg_replace_callback('/\{(\w+)(\ +(?:(?!\{)[^}\n])+)*\}/', [ $this, 'replace_tag' ], $string);
@@ -193,7 +198,7 @@ protected function get_cookie($args = [])
         $default = isset($args['default']) ? $args['default'] : '';
 
         if (isset($_COOKIE[ $name ])) {
-            return esc_html(stripslashes($_COOKIE[ $name ]));
+            return $_COOKIE[ $name ];
         }
 
         return $default;
@@ -213,7 +218,7 @@ protected function get_user_property($args = [])
         $user     = wp_get_current_user();
 
         if ($user instanceof WP_User && isset($user->{$property})) {
-            return esc_html($user->{$property});
+            return $user->{$property};
         }
 
         return $default;
@@ -245,7 +250,7 @@ protected function get_post_property($args = [])
     protected function get_email()
     {
         if (! empty($_REQUEST['EMAIL'])) {
-            return strip_tags($_REQUEST['EMAIL']);
+            return sanitize_email($_REQUEST['EMAIL']);
         }
 
         // then , try logged-in user

includes/class-personal-data-exporter.php

@@ -55,15 +55,15 @@ public function replace_in_form_content($string, MC4WP_Form $form, MC4WP_Form_El
         $this->form         = $form;
         $this->form_element = $element;
 
-        $string = $this->replace($string);
+        $string = $this->replace_in_html($string);
         return $string;
     }
 
     public function replace_in_form_response($string, MC4WP_Form $form)
     {
         $this->form = $form;
 
-        $string = $this->replace($string);
+        $string = $this->replace_in_html($string);
         return $string;
     }
 
@@ -124,6 +124,6 @@ public function get_data(array $args = [])
             $value = join(', ', $value);
         }
 
-        return esc_html($value);
+        return $value;
     }
 }

includes/forms/class-form-tags.php

@@ -171,7 +171,7 @@ public function __construct($id, WP_Post $post, array $post_meta = [])
      */
     public function __get($name)
     {
-        $method_name = sprintf('get_%s', $name);
+        $method_name = "get_$name";
         if (method_exists($this, $method_name)) {
             return $this->$method_name();
         }

includes/forms/class-form.php

@@ -43,8 +43,7 @@ public function register()
     public function replace_in_checkbox_label($string, MC4WP_Integration $integration)
     {
         $this->integration = $integration;
-        $string            = $this->replace($string, 'esc_html');
-        return $string;
+        return $this->replace_in_html($string);
     }
 
     /**