EPS-1063: UAE Lite remove the instace of //phpcs:ignore WordPress.Security in the repo #1064
Conversation
akshayurankar48
changed the title
|
|
||
| // If action coming from general settings page. | ||
| if ( isset( $_POST['option_page'] ) && 'general' === $_POST['option_page'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing | ||
| * Save analytics option to network. |
There was a problem hiding this comment.
Why code indentaions is always messed up?
There was a problem hiding this comment.
reverted this changes as it's from the analytics folder @sushmak02
| echo $header_content; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped | ||
|
|
||
| if ( ! empty( $header_content ) ) { | ||
| echo wp_kses_post( $header_content ); // Properly escaped output |
There was a problem hiding this comment.
We need to confirm if the content is displaying correctly, prepare detailed testcases for this change
There was a problem hiding this comment.
yes @sushmak02
There was a problem hiding this comment.
@akshayurankar48 We can't escape this as it is breaking the search bar. The input field is not displaying on the front end.
|
|
||
| if ( ! empty( $footer_content ) ) { | ||
| echo "<div class='footer-width-fixer'>"; | ||
| echo wp_kses_post( $footer_content ); // Properly escaped output |
There was a problem hiding this comment.
@akshayurankar48 here as well We can't escape this as it is breaking the search bar. The input field is not displaying on the front end.
| echo $header_content; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped | ||
|
|
||
| if ( ! empty( $header_content ) ) { | ||
| echo wp_kses_post( $header_content ); // Properly escaped output |
There was a problem hiding this comment.
@akshayurankar48 We can't escape this as it is breaking the search bar. The input field is not displaying on the front end.
|
|
||
| if ( ! empty( $footer_content ) ) { | ||
| echo "<div class='footer-width-fixer'>"; | ||
| echo wp_kses_post( $footer_content ); // Properly escaped output |
There was a problem hiding this comment.
@akshayurankar48 here as well We can't escape this as it is breaking the search bar. The input field is not displaying on the front end.
inc/class-hfe-settings-page.php
Outdated
| * | ||
| * @since 1.6.0 | ||
| * @return void | ||
| */ | ||
| public function hfe_settings_page() { | ||
| echo '<h1 class="hfe-heading-inline">'; | ||
| esc_attr_e( 'Elementor Header & Footer Builder ', 'header-footer-elementor' ); | ||
| esc_html_e( 'Elementor Header & Footer Builder', 'header-footer-elementor' ); |
There was a problem hiding this comment.
@akshayurankar48 Have you tested this at your end? I tried finding this, but I checked that this code is for an old version setting page that is not used now. So how can we check this?
| @@ -812,7 +812,7 @@ protected function render():void { | |||
| } | |||
| $output .= '</ul>'; | |||
|
|
|||
| echo $output; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped | |||
| echo wp_kses_post( $output ); | |||
There was a problem hiding this comment.
@akshayurankar48 we can't even escape that as it is breaking the icon for the widget. For example, Add a home icon or change the separator from text to icon and add separator icon with this fix it will not show.
|
|
||
| if ( ! empty( $before_footer_content ) ) { | ||
| echo "<div class='footer-width-fixer'>"; | ||
| echo wp_kses_post( $before_footer_content ); // Properly escaped output |
There was a problem hiding this comment.
@akshayurankar48 escaping this will also break icons in elementor. If I use search bar or elementor widget icon box to show before footer. It will not render there icons.
…ill not be render if escaped
As discussed with team the icons are not even escaped at elementor end and if we use different function it break at one or another instance of testing
|
Closing this PR as raised the new one to just add comment for instances - #1154 |
Description
Improvement: Enhanced the codebase to strengthen security measures.
Screenshots
Types of changes
How has this been tested?
Checklist: