fixed XSS vulnerability
nk-o committed Dec 21, 2024
1 parent 07e4201 commit 5cc59ad
Showing 1 changed file with 23 additions and 9 deletions.
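--- a/classes/class-blocks.php
+++ b/classes/class-blocks.php
@@ -311,6 +311,20 @@ public function post_class( $classes, $class, $post_id ) {
 return $classes;
 }
 
+/**
+ * Returns the admin URL for the current post type edit page.
+ *
+ * @param array $params Extra URL params.
+ * @return string
+ */
+public function get_admin_url( $params = array() ) {
+if ( ! isset( $params['paged'] ) && isset( $_GET['paged'] ) ) {
+$params['paged'] = intval( $_GET['paged'] );
+}
+
+return add_query_arg( $params, admin_url( 'edit.php?post_type=lazyblocks' ) );
+}
+
 /**
 * Add featured image in lazyblocks list
 *
@@ -335,44 +349,44 @@ public function post_row_actions( $actions = array(), $post = null ) {
 array(
 'duplicate' => sprintf(
 '<a href="%1$s" aria-label="%2$s">%3$s</a>',
-add_query_arg(
+$this->get_admin_url(
 array(
-'lazyblocks_duplicate_block' => $post->ID,
+'lazyblocks_duplicate_block' => intval( $post->ID ),
 'lazyblocks_duplicate_block_nonce' => wp_create_nonce( 'lzb-duplicate-block-nonce' ),
 )
 ),
 sprintf(
 // translators: %1$ - post title.
-esc_html__( 'Duplicate “%1$s”', 'lazy-blocks' ),
+esc_attr__( 'Duplicate “%1$s”', 'lazy-blocks' ),
 get_the_title( $post->ID )
 ),
 esc_html__( 'Duplicate', 'lazy-blocks' )
 ),
 'export' => sprintf(
 '<a href="%1$s" aria-label="%2$s">%3$s</a>',
-add_query_arg(
+$this->get_admin_url(
 array(
-'lazyblocks_export_block' => $post->ID,
+'lazyblocks_export_block' => intval( $post->ID ),
 )
 ),
 sprintf(
 // translators: %1$ - post title.
-esc_html__( 'Export “%1$s”', 'lazy-blocks' ),
+esc_attr__( 'Export “%1$s”', 'lazy-blocks' ),
 get_the_title( $post->ID )
 ),
 esc_html__( 'Export', 'lazy-blocks' )
 ),
 'activate' => sprintf(
 '<a href="%1$s" aria-label="%2$s" class="%3$s">%4$s</a>',
-add_query_arg(
+$this->get_admin_url(
 array(
-( 'publish' === $post->post_status ? 'lazyblocks_deactivate_block' : 'lazyblocks_activate_block' ) => $post->ID,
+( 'publish' === $post->post_status ? 'lazyblocks_deactivate_block' : 'lazyblocks_activate_block' ) => intval( $post->ID ),
 'lazyblocks_activate_block_nonce' => wp_create_nonce( 'lzb-activate-block-nonce' ),
 )
 ),
 sprintf(
 // translators: %1$ - post title.
-'publish' === $post->post_status ? esc_html__( 'Deactivate “%1$s”', 'lazy-blocks' ) : esc_html__( 'Activate “%1$s”', 'lazy-blocks' ),
+'publish' === $post->post_status ? esc_attr__( 'Deactivate “%1$s”', 'lazy-blocks' ) : esc_attr__( 'Activate “%1$s”', 'lazy-blocks' ),
 get_the_title( $post->ID )
 ),
 'publish' === $post->post_status ? 'lazyblocks-deactivate-block' : 'lazyblocks-activate-block',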
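Review bot: The three `href="%1$s"` values in post_row_actions are still printed without `esc_url()`; the new `$this->get_admin_url( ... )` calls return `add_query_arg()` output, and the `paged` value it folds in comes from `$_GET`, so the URL should be escaped at the point it is placed in the attribute, e.g. `esc_url( $this->get_admin_url( array( ... ) ) )` at each of the three call sites. The switch to a fixed `admin_url()` base is the right fix for the reported issue, but escaping the output keeps the sink safe regardless of what future params are added. The same hunk also leaves the post title unescaped: `esc_attr__()` escapes only the translated format string, while the `get_the_title( $post->ID )` value substituted into `aria-label="%2$s"` is not attribute-escaped, so `esc_attr( get_the_title( $post->ID ) )` would close that in all three labels. post_row_actions begins and ends outside the hunk.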
