Merge pull request #324 from thomasgriffin/feature/escape-some-more
Escape some more output
GaryJones committed Apr 24, 2015
2 parents e8f1b7c + 4f8ae29 commit 708e1ca
Showing 1 changed file with 10 additions and 10 deletions.
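--- a/class-tgm-plugin-activation.php
+++ b/class-tgm-plugin-activation.php
@@ -752,7 +752,7 @@ public function notices() {
 $source = $this->_get_plugin_data_from_name( $plugin_group_single_name, 'source' );
 
 if ( $external_url && preg_match( '|^http(s)?://|', $external_url ) ) {
-$linked_plugin_groups[] = '<a href="' . esc_url( $external_url ) . '" target="_blank">' . $plugin_group_single_name . '</a>';
+$linked_plugin_groups[] = '<a href="' . esc_url( $external_url ) . '" target="_blank">' . esc_html( $plugin_group_single_name ) . '</a>';
 }
 elseif ( ! $source || preg_match( '|^http://wordpress.org/extend/plugins/|', $source ) ) {
 $url = add_query_arg(
@@ -766,7 +766,7 @@ public function notices() {
 self_admin_url( 'plugin-install.php' )
 );
 
-$linked_plugin_groups[] = '<a href="' . esc_url( $url ) . '" class="thickbox">' . $plugin_group_single_name . '</a>';
+$linked_plugin_groups[] = '<a href="' . esc_url( $url ) . '" class="thickbox">' . esc_html( $plugin_group_single_name ) . '</a>';
 }
 else {
 $linked_plugin_groups[] = $plugin_group_single_name; // No hyperlink.
@@ -793,7 +793,7 @@ public function notices() {
 array(
 'install' => ( current_user_can( 'install_plugins' ) ) ? $show_install_link : '',
 'activate' => ( current_user_can( 'activate_plugins' ) ) ? $show_activate_link : '',
-'dismiss' => $this->dismissable ? '<a class="dismiss-notice" href="' . esc_url( add_query_arg( 'tgmpa-dismiss', 'dismiss_admin_notices' ) ) . '" target="_parent">' . $this->strings['dismiss'] . '</a>' : '',
+'dismiss' => $this->dismissable ? '<a class="dismiss-notice" href="' . esc_url( add_query_arg( 'tgmpa-dismiss', 'dismiss_admin_notices' ) ) . '" target="_parent">' . esc_html( $this->strings['dismiss'] ) . '</a>' : '',
 )
 );
 
@@ -1251,7 +1251,7 @@ protected function _gather_plugin_data() {
 $source = $this->_get_plugin_data_from_name( $plugin['name'], 'source' );
 
 if ( $external_url && preg_match( '|^http(s)?://|', $external_url ) ) {
-$table_data[ $i ]['plugin'] = '<strong><a href="' . esc_url( $external_url ) . '" target="_blank">' . $plugin['name'] . '</a></strong>';
+$table_data[ $i ]['plugin'] = '<strong><a href="' . esc_url( $external_url ) . '" target="_blank">' . esc_html( $plugin['name'] ) . '</a></strong>';
 }
 elseif ( ! $source || preg_match( '|^http://wordpress.org/extend/plugins/|', $source ) ) {
 $url = add_query_arg(
@@ -1265,7 +1265,7 @@ protected function _gather_plugin_data() {
 self_admin_url( 'plugin-install.php' )
 );
 
-$table_data[ $i ]['plugin'] = '<strong><a href="' . esc_url( $url ) . '" class="thickbox">' . $plugin['name'] . '</a></strong>';
+$table_data[ $i ]['plugin'] = '<strong><a href="' . esc_url( $url ) . '" class="thickbox">' . esc_html( $plugin['name'] ) . '</a></strong>';
 }
 else {
 $table_data[ $i ]['plugin'] = '<strong>' . $plugin['name'] . '</strong>'; // No hyperlink.
@@ -1413,9 +1413,9 @@ public function column_plugin( $item ) {
 
 $actions = array(
 'install' => sprintf(
-'<a href="%1$s">' . esc_attr_x( 'Install %2$s', '%2$s = plugin name in screen reader markup', 'tgmpa' ) . '</a>',
+'<a href="%1$s">' . esc_html_x( 'Install %2$s', '%2$s = plugin name in screen reader markup', 'tgmpa' ) . '</a>',
 esc_url( $install_nonce_url ),
-'<span class="screen-reader-text">' . $item['sanitized_plugin'] . '</span>'
+'<span class="screen-reader-text">' . esc_html( $item['sanitized_plugin'] ) . '</span>'
 ),
 );
 }
@@ -1435,9 +1435,9 @@ public function column_plugin( $item ) {
 
 $actions = array(
 'activate' => sprintf(
-'<a href="%1$s">' . esc_attr_x( 'Activate %2$s', '%2$s = plugin name in screen reader markup', 'tgmpa' ) . '</a>',
+'<a href="%1$s">' . esc_html_x( 'Activate %2$s', '%2$s = plugin name in screen reader markup', 'tgmpa' ) . '</a>',
 esc_url( $activate_url ),
-'<span class="screen-reader-text">' . $item['sanitized_plugin'] . '</span>'
+'<span class="screen-reader-text">' . esc_html( $item['sanitized_plugin'] ) . '</span>'
 ),
 );
 }
@@ -1471,7 +1471,7 @@ public function column_cb( $item ) {
 $plugin_url = urlencode( $plugin_url );
 }
 
-$value = $item['file_path'] . ',' . $plugin_url . ',' . $item['sanitized_plugin'];
+$value = $item['file_path'] . ',' . $plugin_url . ',' . $item['sanitized_plugin'];
 return sprintf( '<input type="checkbox" name="%1$s[]" value="%2$s" id="%3$s" />', esc_attr( $this->_args['singular'] ), esc_attr( $value ), esc_attr( $item['sanitized_plugin'] ) );
 
 }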
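Review bot: The no-hyperlink fallbacks still emit the plugin name unescaped: in the `notices()` hunk at -766 the `else` branch keeps `$linked_plugin_groups[] = $plugin_group_single_name;`, and in the `_gather_plugin_data()` hunk at -1265 the `else` branch keeps `'<strong>' . $plugin['name'] . '</strong>'`, while the linked branches beside them now wrap the same value in `esc_html()`. Unless these entries are escaped later, outside the lines shown, the name reaches the admin markup raw on that path only, so the escaping depends on which branch a plugin falls into. The fallbacks should match the linked branches, e.g. `$linked_plugin_groups[] = esc_html( $plugin_group_single_name );` and `$table_data[ $i ]['plugin'] = '<strong>' . esc_html( $plugin['name'] ) . '</strong>';`. Both functions begin and end outside the hunks, so how the arrays are finally printed cannot be confirmed from this page.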
