diff --git a/includes/class-newspack-blocks.php b/includes/class-newspack-blocks.php index a22bebbe1..5cc82f631 100644 --- a/includes/class-newspack-blocks.php +++ b/includes/class-newspack-blocks.php @@ -543,13 +543,15 @@ public static function image_size_for_orientation( $orientation = 'landscape' ) ), ); - foreach ( $sizes[ $orientation ] as $key => $dimensions ) { - $attachment = wp_get_attachment_image_src( - get_post_thumbnail_id( get_the_ID() ), - 'newspack-article-block-' . $orientation . '-' . $key - ); - if ( ! empty( $attachment ) && $dimensions[0] === $attachment[1] && $dimensions[1] === $attachment[2] ) { - return 'newspack-article-block-' . $orientation . '-' . $key; + if ( isset( $sizes[ $orientation ] ) ) { + foreach ( $sizes[ $orientation ] as $key => $dimensions ) { + $attachment = wp_get_attachment_image_src( + get_post_thumbnail_id( get_the_ID() ), + 'newspack-article-block-' . $orientation . '-' . $key + ); + if ( ! empty( $attachment ) && $dimensions[0] === $attachment[1] && $dimensions[1] === $attachment[2] ) { + return 'newspack-article-block-' . $orientation . '-' . $key; + } } } @@ -1494,5 +1496,32 @@ public static function get_color_for_contrast( $hex ) { return 'white'; } } + + /** + * Get an array of allowed HTML attributes for sanitizing image markup. + * For use with wp_kses: https://developer.wordpress.org/reference/functions/wp_kses/ + * + * @return array + */ + public static function get_sanitized_image_attributes() { + return [ + 'img' => [ + 'alt' => true, + 'class' => true, + 'data-*' => true, + 'decoding' => true, + 'height' => true, + 'loading' => true, + 'sizes' => true, + 'src' => true, + 'srcset' => true, + 'width' => true, + ], + 'noscript' => [], + 'a' => [ + 'href' => true, + ], + ]; + } } Newspack_Blocks::init(); diff --git a/src/blocks/carousel/view.php b/src/blocks/carousel/view.php index 1c48ac005..1b221341a 100644 --- a/src/blocks/carousel/view.php +++ b/src/blocks/carousel/view.php @@ -73,6 +73,10 @@ function newspack_blocks_render_block_carousel( $attributes ) { $hide_publish_date = apply_filters( 'newspack_listings_hide_publish_date', false ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound $show_author = $attributes['showAuthor'] && ! $hide_author; $show_date = $attributes['showDate'] && ! $hide_publish_date; + + // Validate the value of the "image fit" attribute. + $image_fits = [ 'cover', 'contain' ]; + $image_fit = in_array( $attributes['imageFit'], $image_fits, true ) ? $attributes['imageFit'] : $image_fits[0]; ?>
@@ -86,9 +90,9 @@ function newspack_blocks_render_block_carousel( $attributes ) { the_post_thumbnail( 'large', array( - 'object-fit' => $attributes['imageFit'], + 'object-fit' => $image_fit, 'layout' => 'fill', - 'class' => 'contain' === $attributes['imageFit'] ? 'image-fit-contain' : 'image-fit-cover', + 'class' => 'contain' === $image_fit ? 'image-fit-contain' : 'image-fit-cover', 'alt' => trim( wp_strip_all_tags( get_the_title( $post_id ) ) ), ) ); @@ -204,21 +208,7 @@ function newspack_blocks_render_block_carousel( $attributes ) { if ( $attributes['showAvatar'] ) : echo wp_kses( newspack_blocks_format_avatars( $authors ), - array( - 'img' => array( - 'class' => true, - 'src' => true, - 'alt' => true, - 'width' => true, - 'height' => true, - 'data-*' => true, - 'srcset' => true, - ), - 'noscript' => array(), - 'a' => array( - 'href' => true, - ), - ) + Newspack_Blocks::get_sanitized_image_attributes() ); endif; ?> @@ -259,8 +249,9 @@ function newspack_blocks_render_block_carousel( $attributes ) { ); } - $slides_per_view = absint( ! empty( $attributes['slidesPerView'] ) ? $attributes['slidesPerView'] : 1 ); + $slides_per_view = absint( $attributes['slidesPerView'] ?? 1 ); $slides_to_show = $slides_per_view <= $counter ? $slides_per_view : $counter; + $aspect_ratio = floatval( $attributes['aspectRatio'] ?? 0.75 ); if ( $is_amp ) { $selector = sprintf( @@ -272,14 +263,14 @@ function newspack_blocks_render_block_carousel( $attributes ) { $carousel = sprintf( '%9$s', - $attributes['slidesPerView'] * 1, - $attributes['aspectRatio'], - '(min-width: 1168px) ' . ( $attributes['aspectRatio'] / $slides_to_show * 100 ) . '% !important, (min-width: 782px) ' . ( $slides_to_show > 1 ? ( $attributes['aspectRatio'] / 2 * 100 ) . '% !important' : ( $attributes['aspectRatio'] * 100 ) . '% !important' ) . ', ' . ( $attributes['aspectRatio'] * 100 ) . '% !important', + esc_attr( $slides_per_view * 1 ), + esc_attr( $aspect_ratio ), + esc_attr( '(min-width: 1168px) ' . ( $aspect_ratio / $slides_to_show * 100 ) . '% !important, (min-width: 782px) ' . ( $slides_to_show > 1 ? ( $aspect_ratio / 2 * 100 ) . '% !important' : ( $aspect_ratio * 100 ) . '% !important' ) . ', ' . ( $aspect_ratio * 100 ) . '% !important' ), esc_attr__( 'Next Slide', 'newspack-blocks' ), esc_attr__( 'Previous Slide', 'newspack-blocks' ), $autoplay ? 'auto-advance="true" auto-advance-interval=' . esc_attr( $delay * 1000 ) : '', absint( $newspack_blocks_carousel_id ), - '(min-width: 1168px) ' . $slides_to_show . ', (min-width: 782px) ' . ( $slides_to_show > 1 ? 2 : 1 ) . ', ' . 1, + esc_attr( '(min-width: 1168px) ' . $slides_to_show . ', (min-width: 782px) ' . ( $slides_to_show > 1 ? 2 : 1 ) . ', ' . 1 ), $slides ); $autoplay_ui = $autoplay ? newspack_blocks_carousel_block_autoplay_ui_amp( $newspack_blocks_carousel_id ) : ''; @@ -304,9 +295,9 @@ function newspack_blocks_render_block_carousel( $attributes ) { } $data_attributes = [ 'data-current-post-id=' . $post_id, - 'data-slides-per-view=' . $attributes['slidesPerView'], + 'data-slides-per-view=' . esc_attr( $slides_per_view ), 'data-slide-count=' . $counter, - 'data-aspect-ratio=' . $attributes['aspectRatio'], + 'data-aspect-ratio=' . esc_attr( $aspect_ratio ), ]; if ( $autoplay && ! $is_amp ) { diff --git a/src/blocks/homepage-articles/templates/article.php b/src/blocks/homepage-articles/templates/article.php index 547a4d026..33c82bab7 100644 --- a/src/blocks/homepage-articles/templates/article.php +++ b/src/blocks/homepage-articles/templates/article.php @@ -29,7 +29,7 @@ function( $data ) { $post_link = Newspack_Blocks::get_post_link( $post_id ); if ( 'behind' === $attributes['mediaPosition'] && $attributes['showImage'] && has_post_thumbnail() ) { - $styles = 'min-height: ' . $attributes['minHeight'] . 'vh; padding-top: ' . ( $attributes['minHeight'] / 5 ) . 'vh;'; + $styles = 'min-height: ' . absint( $attributes['minHeight'] ) . 'vh; padding-top: ' . ( absint( $attributes['minHeight'] ) / 5 ) . 'vh;'; } $image_size = 'newspack-article-block-uncropped'; if ( has_post_thumbnail() && 'uncropped' !== $attributes['imageShape'] ) { @@ -231,21 +231,7 @@ class="" if ( $attributes['showAvatar'] ) : echo wp_kses( newspack_blocks_format_avatars( $authors ), - array( - 'img' => array( - 'class' => true, - 'src' => true, - 'alt' => true, - 'width' => true, - 'height' => true, - 'data-*' => true, - 'srcset' => true, - ), - 'noscript' => array(), - 'a' => array( - 'href' => true, - ), - ) + Newspack_Blocks::get_sanitized_image_attributes() ); endif; ?> diff --git a/src/blocks/homepage-articles/view.php b/src/blocks/homepage-articles/view.php index 700f48c79..c9cd6d6fc 100644 --- a/src/blocks/homepage-articles/view.php +++ b/src/blocks/homepage-articles/view.php @@ -25,7 +25,7 @@ function newspack_blocks_hpb_maximum_image_width() { $site_content_width = 1200; $is_image_half_width = in_array( $attributes['mediaPosition'], [ 'left', 'right' ], true ); if ( 'grid' === $attributes['postLayout'] ) { - $columns = $attributes['columns']; + $columns = absint( $attributes['columns'] ); if ( $is_image_half_width ) { // If the media position is on left or right, the image is 50% of the column width. $columns = $columns * 2; @@ -284,7 +284,14 @@ function newspack_blocks_register_homepage_articles() { function newspack_blocks_format_avatars( $author_info ) { $elements = array_map( function ( $author ) { - return sprintf( '%s', $author->url, $author->avatar ); + return sprintf( + '%s', + esc_url( $author->url ), + wp_kses( + $author->avatar, + Newspack_Blocks::get_sanitized_image_attributes() + ) + ); }, $author_info ); diff --git a/src/blocks/video-playlist/view.php b/src/blocks/video-playlist/view.php index fbdb8a4d0..61a16fba7 100644 --- a/src/blocks/video-playlist/view.php +++ b/src/blocks/video-playlist/view.php @@ -119,7 +119,9 @@ function( $block ) { } ); foreach ( $youtube_blocks as $youtube_block ) { - $videos[] = $youtube_block['attrs']['url']; + if ( isset( $youtube_block['attrs']['url'] ) ) { + $videos[] = esc_url( $youtube_block['attrs']['url'] ); + } } } diff --git a/src/templates/author-profile-card.php b/src/templates/author-profile-card.php index 0918498eb..6a5fb872b 100644 --- a/src/templates/author-profile-card.php +++ b/src/templates/author-profile-card.php @@ -60,20 +60,7 @@ function( $data ) { echo wp_kses( $author['avatar'], - [ - 'img' => [ - 'alt' => true, - 'class' => true, - 'data-*' => true, - 'decoding' => true, - 'height' => true, - 'loading' => true, - 'sizes' => true, - 'src' => true, - 'srcset' => true, - 'width' => true, - ], - ] + Newspack_Blocks::get_sanitized_image_attributes() ); if ( $show_archive_link ) :