WordPress/create-block-theme
1
0
Fork 0
mirror of https://github.com/WordPress/create-block-theme.git synced 2025-08-17 14:51:20 +08:00
Code Issues Projects Packages Wiki Activity Actions

Update escaping function (#683)

Browse source 
* Update escaping function

* update tests

* add method specific for attributes

* update tests

* Updates to only use wp_kses_post when strings contain html

* remove wp_kses_post as escaping function

* update tests

---------

Co-authored-by: Grant Kinney <hi@grant.mk>
This commit is contained in:
Matias Benedetto 2024-09-03 08:39:21 -03:00 committed by GitHub
parent bbe5ca5dcb
commit 6973cf8690
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 185 additions and 72 deletions
Download patch file Download diff file Expand all files Collapse all files

40
includes/create-theme/theme-locale.php
View file

@ -5,26 +5,58 @@
class CBT_Theme_Locale {
/**
* Escape a string for localization.
* Escape text for localization.
*
* @param string $string The string to escape.
* @return string The escaped string.
*/
public static function escape_string( $string ) {
private static function escape_text_content( $string ) {
// Avoid escaping if the text is not a string.
if ( ! is_string( $string ) ) {
return $string;
}
// Check if string is empty.
if ( '' === $string ) {
return $string;
}
// Check if the text is already escaped.
if ( str_starts_with( $string, '<?php' ) ) {
return $string;
}
$string = addcslashes( $string, "'" );
return "<?php esc_html_e('" . $string . "', '" . wp_get_theme()->get( 'TextDomain' ) . "');?>";
}
/**
* Escape an html element attribute for localization.
*
* @param string $string The string to escape.
* @return string The escaped string.
*/
private static function escape_attribute( $string ) {
// Avoid escaping if the text is not a string.
if ( ! is_string( $string ) ) {
return $string;
}
// Check if string is empty.
if ( '' === $string ) {
return $string;
}
// Check if the text is already escaped.
if ( str_starts_with( $string, '<?php' ) ) {
return $string;
}
$string = addcslashes( $string, "'" );
return "<?php esc_attr_e('" . $string . "', '" . wp_get_theme()->get( 'TextDomain' ) . "');?>";
}
/**
* Get a replacement pattern for escaping the text from the html content of a block.
*
@ -109,7 +141,7 @@ class CBT_Theme_Locale {
return preg_replace_callback(
$pattern,
function( $matches ) {
return $matches[1] . self::escape_string( $matches[2] ) . $matches[3];
return $matches[1] . self::escape_text_content( $matches[2] ) . $matches[3];
},
$content
);
@ -125,7 +157,7 @@ class CBT_Theme_Locale {
return preg_replace_callback(
$pattern,
function( $matches ) {
return 'alt="' . self::escape_string( $matches[1] ) . '"';
return 'alt="' . self::escape_attribute( $matches[1] ) . '"';
},
$content
);

2
includes/create-theme/theme-patterns.php
View file

@ -38,7 +38,7 @@ class CBT_Theme_Patterns {
public static function escape_text_for_pattern( $text ) {
if ( $text && trim( $text ) !== '' ) {
$escaped_text = addslashes( $text );
return "<?php echo esc_attr_e( '" . $escaped_text . "', '" . wp_get_theme()->get( 'Name' ) . "' ); ?>";
return "<?php esc_attr_e('" . $escaped_text . "', '" . wp_get_theme()->get( 'Name' ) . "');?>";
}
}

58
tests/CbtThemeLocale/escapeAttribute.php Normal file
View file

@ -0,0 +1,58 @@
<?php
require_once __DIR__ . '/base.php';
/**
* Tests for the CBT_Theme_Locale::escape_attribute method.
*
* @package Create_Block_Theme
* @covers CBT_Theme_Locale::escape_attribute
* @group locale
*/
class CBT_Theme_Locale_EscapeAttribute extends CBT_Theme_Locale_UnitTestCase {
protected function call_private_method( $method_name, $args = array() ) {
$reflection = new ReflectionClass( 'CBT_Theme_Locale' );
$method = $reflection->getMethod( $method_name );
$method->setAccessible( true );
return $method->invokeArgs( null, $args );
}
public function test_escape_attribute() {
$string = 'This is a test attribute.';
$escaped_string = $this->call_private_method( 'escape_attribute', array( $string ) );
$expected_string = "<?php esc_attr_e('This is a test attribute.', '" . wp_get_theme()->get( 'TextDomain' ) . "');?>";
$this->assertEquals( $expected_string, $escaped_string );
}
public function test_escape_attribute_with_single_quote() {
$string = "This is a test attribute with a single quote '";
$escaped_string = $this->call_private_method( 'escape_attribute', array( $string ) );
$expected_string = "<?php esc_attr_e('This is a test attribute with a single quote \\'', '" . wp_get_theme()->get( 'TextDomain' ) . "');?>";
$this->assertEquals( $expected_string, $escaped_string );
}
public function test_escape_attribute_with_double_quote() {
$string = 'This is a test attribute with a double quote "';
$escaped_string = $this->call_private_method( 'escape_attribute', array( $string ) );
$expected_string = "<?php esc_attr_e('This is a test attribute with a double quote \"', '" . wp_get_theme()->get( 'TextDomain' ) . "');?>";
$this->assertEquals( $expected_string, $escaped_string );
}
public function test_escape_attribute_with_empty_string() {
$string = '';
$escaped_string = $this->call_private_method( 'escape_attribute', array( $string ) );
$this->assertEquals( $string, $escaped_string );
}
public function test_escape_attribute_with_already_escaped_string() {
$string = "<?php esc_attr_e('This is already escaped.', '" . wp_get_theme()->get( 'TextDomain' ) . "');?>";
$escaped_string = $this->call_private_method( 'escape_attribute', array( $string ) );
$this->assertEquals( $string, $escaped_string );
}
public function test_escape_attribute_with_non_string() {
$string = null;
$escaped_string = $this->call_private_method( 'escape_attribute', array( $string ) );
$this->assertEquals( $string, $escaped_string );
}
}

48
tests/CbtThemeLocale/escapeString.php
View file

@ -1,48 +0,0 @@
<?php
require_once __DIR__ . '/base.php';
/**
* Tests for the CBT_Theme_Locale::escape_string method.
*
* @package Create_Block_Theme
* @covers CBT_Theme_Locale::escape_string
* @group locale
*/
class CBT_Theme_Locale_EscapeString extends CBT_Theme_Locale_UnitTestCase {
public function test_escape_string() {
$string = 'This is a test text.';
$escaped_string = CBT_Theme_Locale::escape_string( $string );
$this->assertEquals( "<?php esc_html_e('This is a test text.', 'test-locale-theme');?>", $escaped_string );
}
public function test_escape_string_with_single_quote() {
$string = "This is a test text with a single quote '";
$escaped_string = CBT_Theme_Locale::escape_string( $string );
$this->assertEquals( "<?php esc_html_e('This is a test text with a single quote \\'', 'test-locale-theme');?>", $escaped_string );
}
public function test_escape_string_with_double_quote() {
$string = 'This is a test text with a double quote "';
$escaped_string = CBT_Theme_Locale::escape_string( $string );
$this->assertEquals( "<?php esc_html_e('This is a test text with a double quote \"', 'test-locale-theme');?>", $escaped_string );
}
public function test_escape_string_with_html() {
$string = '<p>This is a test text with HTML.</p>';
$escaped_string = CBT_Theme_Locale::escape_string( $string );
$this->assertEquals( "<?php esc_html_e('<p>This is a test text with HTML.</p>', 'test-locale-theme');?>", $escaped_string );
}
public function test_escape_string_with_already_escaped_string() {
$string = "<?php esc_html_e('This is a test text.', 'test-locale-theme');?>";
$escaped_string = CBT_Theme_Locale::escape_string( $string );
$this->assertEquals( $string, $escaped_string );
}
public function test_escape_string_with_non_string() {
$string = null;
$escaped_string = CBT_Theme_Locale::escape_string( $string );
$this->assertEquals( $string, $escaped_string );
}
}

56
tests/CbtThemeLocale/escapeTextContent.php Normal file
View file

@ -0,0 +1,56 @@
<?php
require_once __DIR__ . '/base.php';
/**
* Tests for the CBT_Theme_Locale::escape_text_content method.
*
* @package Create_Block_Theme
* @covers CBT_Theme_Locale::escape_text_content
* @group locale
*/
class CBT_Theme_Locale_EscapeTextContent extends CBT_Theme_Locale_UnitTestCase {
protected function call_private_method( $method_name, $args = array() ) {
$reflection = new ReflectionClass( 'CBT_Theme_Locale' );
$method = $reflection->getMethod( $method_name );
$method->setAccessible( true );
return $method->invokeArgs( null, $args );
}
public function test_escape_text_content() {
$string = 'This is a test text.';
$escaped_string = $this->call_private_method( 'escape_text_content', array( $string ) );
$this->assertEquals( "<?php esc_html_e('This is a test text.', 'test-locale-theme');?>", $escaped_string );
}
public function test_escape_text_content_with_single_quote() {
$string = "This is a test text with a single quote '";
$escaped_string = $this->call_private_method( 'escape_text_content', array( $string ) );
$this->assertEquals( "<?php esc_html_e('This is a test text with a single quote \\'', 'test-locale-theme');?>", $escaped_string );
}
public function test_escape_text_content_with_double_quote() {
$string = 'This is a test text with a double quote "';
$escaped_string = $this->call_private_method( 'escape_text_content', array( $string ) );
$this->assertEquals( "<?php esc_html_e('This is a test text with a double quote \"', 'test-locale-theme');?>", $escaped_string );
}
public function test_escape_text_content_with_html() {
$string = '<p>This is a test text with HTML.</p>';
$escaped_string = $this->call_private_method( 'escape_text_content', array( $string ) );
$this->assertEquals( "<?php esc_html_e('<p>This is a test text with HTML.</p>', 'test-locale-theme');?>", $escaped_string );
}
public function test_escape_text_content_with_already_escaped_string() {
$string = "<?php esc_html_e('This is a test text.', 'test-locale-theme');?>";
$escaped_string = $this->call_private_method( 'escape_text_content', array( $string ) );
$this->assertEquals( $string, $escaped_string );
}
public function test_escape_text_content_with_non_string() {
$string = null;
$escaped_string = $this->call_private_method( 'escape_text_content', array( $string ) );
$this->assertEquals( $string, $escaped_string );
}
}

10
tests/CbtThemeLocale/escapeTextContentOfBlocks.php
View file

@ -130,7 +130,7 @@ class CBT_Theme_Locale_EscapeTextContentOfBlocks extends CBT_Theme_Locale_UnitTe
<!-- /wp:image -->',
'expected_markup' =>
'<!-- wp:image {"sizeSlug":"large","linkDestination":"none","className":"is-style-rounded"} -->
<figure class="wp-block-image size-large is-style-rounded"><img src="http://localhost/wp1/wp-content/themes/twentytwentyfour/assets/images/windows.webp" alt="<?php esc_html_e(\'Windows of a building in Nuremberg, Germany\', \'test-locale-theme\');?>"/></figure>
<figure class="wp-block-image size-large is-style-rounded"><img src="http://localhost/wp1/wp-content/themes/twentytwentyfour/assets/images/windows.webp" alt="<?php esc_attr_e(\'Windows of a building in Nuremberg, Germany\', \'test-locale-theme\');?>"/></figure>
<!-- /wp:image -->',
),
@ -143,7 +143,7 @@ class CBT_Theme_Locale_EscapeTextContentOfBlocks extends CBT_Theme_Locale_UnitTe
<!-- /wp:cover -->',
'expected_markup' =>
'<!-- wp:cover {"url":"http://localhost/wp1/wp-content/uploads/2024/05/image.jpeg","id":39,"alt":"Alternative text for cover image","dimRatio":50,"customOverlayColor":"#1d2b2f","layout":{"type":"constrained"}} -->
<div class="wp-block-cover"><span aria-hidden="true" class="wp-block-cover__background has-background-dim" style="background-color:#1d2b2f"></span><img class="wp-block-cover__image-background wp-image-39" alt="<?php esc_html_e(\'Alternative text for cover image\', \'test-locale-theme\');?>" src="http://localhost/wp1/wp-content/uploads/2024/05/image.jpeg" data-object-fit="cover"/><div class="wp-block-cover__inner-container"><!-- wp:paragraph {"align":"center","placeholder":"Write title…","fontSize":"large"} -->
<div class="wp-block-cover"><span aria-hidden="true" class="wp-block-cover__background has-background-dim" style="background-color:#1d2b2f"></span><img class="wp-block-cover__image-background wp-image-39" alt="<?php esc_attr_e(\'Alternative text for cover image\', \'test-locale-theme\');?>" src="http://localhost/wp1/wp-content/uploads/2024/05/image.jpeg" data-object-fit="cover"/><div class="wp-block-cover__inner-container"><!-- wp:paragraph {"align":"center","placeholder":"Write title…","fontSize":"large"} -->
<p class="has-text-align-center has-large-font-size"><?php esc_html_e(\'This is a cover caption\', \'test-locale-theme\');?></p>
<!-- /wp:paragraph --></div></div>
<!-- /wp:cover -->',
@ -158,7 +158,7 @@ class CBT_Theme_Locale_EscapeTextContentOfBlocks extends CBT_Theme_Locale_UnitTe
<!-- /wp:media-text -->',
'expected_markup' =>
'<!-- wp:media-text {"mediaId":39,"mediaLink":"http://localhost/wp1/image/","mediaType":"image"} -->
<div class="wp-block-media-text is-stacked-on-mobile"><figure class="wp-block-media-text__media"><img src="http://localhost/wp1/wp-content/uploads/2024/05/image.jpeg" alt="<?php esc_html_e(\'This is alt text\', \'test-locale-theme\');?>" class="wp-image-39 size-full"/></figure><div class="wp-block-media-text__content"><!-- wp:paragraph {"placeholder":"Content…"} -->
<div class="wp-block-media-text is-stacked-on-mobile"><figure class="wp-block-media-text__media"><img src="http://localhost/wp1/wp-content/uploads/2024/05/image.jpeg" alt="<?php esc_attr_e(\'This is alt text\', \'test-locale-theme\');?>" class="wp-image-39 size-full"/></figure><div class="wp-block-media-text__content"><!-- wp:paragraph {"placeholder":"Content…"} -->
<p><?php esc_html_e(\'Media text content test.\', \'test-locale-theme\');?></p>
<!-- /wp:paragraph --></div></div>
<!-- /wp:media-text -->',
@ -189,7 +189,3 @@ class CBT_Theme_Locale_EscapeTextContentOfBlocks extends CBT_Theme_Locale_UnitTe
);
}
}

43
tests/test-theme-templates.php
View file

@ -6,7 +6,7 @@
class Test_Create_Block_Theme_Templates extends WP_UnitTestCase {
/**
* Ensure that the string in a template is replaced with the appropraite PHP code
* Ensure that the string in a template is replaced with the appropriate PHP code
*/
public function test_paragraphs_are_localized() {
$template = new stdClass();
@ -16,6 +16,14 @@ class Test_Create_Block_Theme_Templates extends WP_UnitTestCase {
$this->assertStringNotContainsString( '<p>This is text to localize</p>', $new_template->content );
}
public function test_empty_paragraphs_are_not_localized() {
$template = new stdClass();
$template->content = '<!-- wp:paragraph --><p></p><!-- /wp:paragraph -->';
$new_template = CBT_Theme_Templates::escape_text_in_template( $template );
$this->assertStringContainsString( '<p></p>', $new_template->content );
$this->assertStringNotContainsString( 'esc_html_e', $new_template->content );
}
/**
* Ensure that escape_text_in_template is not called when the localizeText flag is set to false
*/
@ -37,7 +45,7 @@ class Test_Create_Block_Theme_Templates extends WP_UnitTestCase {
</div>
<!-- /wp:group -->';
$new_template = CBT_Theme_Templates::escape_text_in_template( $template );
$this->assertStringContainsString( 'This is text to localize', $new_template->content );
$this->assertStringContainsString( "<?php esc_html_e('This is text to localize', '');?>", $new_template->content );
$this->assertStringNotContainsString( '<p>This is text to localize</p>', $new_template->content );
}
@ -49,7 +57,7 @@ class Test_Create_Block_Theme_Templates extends WP_UnitTestCase {
</div>
<!-- /wp:button -->';
$new_template = CBT_Theme_Templates::escape_text_in_template( $template );
$this->assertStringContainsString( 'This is text to localize', $new_template->content );
$this->assertStringContainsString( "<?php esc_html_e('This is text to localize', '');?>", $new_template->content );
$this->assertStringNotContainsString( '<a class="wp-block-button__link wp-element-button">This is text to localize</a>', $new_template->content );
}
@ -61,7 +69,7 @@ class Test_Create_Block_Theme_Templates extends WP_UnitTestCase {
<!-- /wp:heading -->
';
$new_template = CBT_Theme_Templates::escape_text_in_template( $template );
$this->assertStringContainsString( 'This is a heading to localize.', $new_template->content );
$this->assertStringContainsString( "<?php esc_html_e('This is a heading to localize.', '');?>", $new_template->content );
$this->assertStringNotContainsString( '<h2 class="wp-block-heading">This is a heading to localize.</h2>', $new_template->content );
}
@ -135,8 +143,8 @@ class Test_Create_Block_Theme_Templates extends WP_UnitTestCase {
<!-- /wp:heading -->';
$escaped_template = CBT_Theme_Templates::escape_text_in_template( $template );
/* That looks like a mess, but what it should look like for REAL is <?php echo esc_attr_e( '"This" is a \'test\'', '' ); ?> */
$this->assertStringContainsString( '<?php esc_html_e(\'"This" is a \\\'test\\\'\', \'\');?>', $escaped_template->content );
/* That looks like a mess, but what it should look like for REAL is <?php esc_html_e('"This" is a \'test\'', '');?> */
$this->assertStringContainsString( "<?php esc_html_e('\"This\" is a \\'test\\'', '');?>", $escaped_template->content );
}
public function test_properly_encode_lessthan_and_greaterthan() {
@ -146,7 +154,7 @@ class Test_Create_Block_Theme_Templates extends WP_UnitTestCase {
<!-- /wp:heading -->';
$escaped_template = CBT_Theme_Templates::escape_text_in_template( $template );
$this->assertStringContainsString( '<?php esc_html_e(\'&lt;This> is a &lt;test&gt;\', \'\');?>', $escaped_template->content );
$this->assertStringContainsString( "<?php esc_html_e('&lt;This> is a &lt;test&gt;', '');?>", $escaped_template->content );
}
public function test_properly_encode_html_markup() {
@ -156,7 +164,18 @@ class Test_Create_Block_Theme_Templates extends WP_UnitTestCase {
<!-- /wp:paragraph -->';
$escaped_template = CBT_Theme_Templates::escape_text_in_template( $template );
$this->assertStringContainsString( '<?php esc_html_e(\'<strong>Bold</strong> text has feelings &lt;&gt; TOO\', \'\');?>', $escaped_template->content );
$this->assertStringContainsString( "<?php esc_html_e('<strong>Bold</strong> text has feelings &lt;&gt; TOO', '');?>", $escaped_template->content );
}
public function test_empty_alt_text_is_not_localized() {
$template = new stdClass();
$template->content = '
<!-- wp:image -->
<figure class="wp-block-image"><img src="http://example.com/file.jpg" alt="" /></figure>
<!-- /wp:image -->
';
$new_template = CBT_Theme_Templates::escape_text_in_template( $template );
$this->assertStringContainsString( 'alt=""', $new_template->content );
}
public function test_localize_alt_text_from_image() {
@ -167,7 +186,7 @@ class Test_Create_Block_Theme_Templates extends WP_UnitTestCase {
<!-- /wp:image -->
';
$new_template = CBT_Theme_Templates::escape_text_in_template( $template );
$this->assertStringContainsString( 'alt="<?php esc_html_e(\'This is alt text\', \'\');?>"', $new_template->content );
$this->assertStringContainsString( 'alt="<?php esc_attr_e(\'This is alt text\', \'\');?>"', $new_template->content );
}
public function test_localize_alt_text_from_cover() {
@ -187,7 +206,7 @@ class Test_Create_Block_Theme_Templates extends WP_UnitTestCase {
';
$new_template = CBT_Theme_Templates::escape_text_in_template( $template );
// Check the markup attribute
$this->assertStringContainsString( 'alt="<?php esc_html_e(\'This is alt text\', \'\');?>"', $new_template->content );
$this->assertStringContainsString( 'alt="<?php esc_attr_e(\'This is alt text\', \'\');?>"', $new_template->content );
}
public function test_localize_quote() {
@ -296,7 +315,7 @@ class Test_Create_Block_Theme_Templates extends WP_UnitTestCase {
<!-- /wp:media-text -->';
$new_template = CBT_Theme_Templates::escape_text_in_template( $template );
$this->assertStringContainsString( "<?php esc_html_e('Content to Localize', '');?>", $new_template->content );
$this->assertStringContainsString( "<?php esc_html_e('Alt Text Is Here', '');?>", $new_template->content );
$this->assertStringContainsString( "<?php esc_attr_e('Alt Text Is Here', '');?>", $new_template->content );
}
public function test_localize_cover_block_children() {
@ -314,7 +333,7 @@ class Test_Create_Block_Theme_Templates extends WP_UnitTestCase {
';
$new_template = CBT_Theme_Templates::escape_text_in_template( $template );
$this->assertStringContainsString( '<p><?php esc_html_e(\'This is text to localize\', \'\');?></p>', $new_template->content );
$this->assertStringContainsString( "<p><?php esc_html_e('This is text to localize', '');?></p>", $new_template->content );
}
public function test_localize_nested_cover_block_children() {