function decorate_mod($key, $mods, $col)
{
$data_key = 'data-key="' . esc_attr($key) . '"';
$data_col = 'data-col="' . esc_attr($col) . '"';
if (!array_key_exists($key, $mods)) {
return "<span class=\"ITM-list-data\" {$data_key} {$data_col}><small class=\"no-value\">" . __('(no value)', 'inherit-theme-mods') . '</small></span>';
}
$value = esc_html(maybe_serialize($mods[$key]));
$match_color = preg_match('/^#?([0-9,a-f,A-F]{3}|[0-9,a-f,A-F]{6})$/', $value);
$match_inmageURL = preg_match('/\\.(jpg|jpeg|png|gif)$/i', $value);
if (1 === $match_color) {
# display color if color string
$color_str = substr($value, 0, 1) === '#' ? $value : "#{$value}";
$style_attr = ITM_Util::style_attr(array('background-color' => $color_str));
# xss OK
$value = esc_html($value);
$value = "<div class=\"ITM-color-indication\" {$style_attr}></div><span class=\"ITM-list-data\" {$data_key} {$data_col}>{$value}</span>";
} else {
if (1 === $match_inmageURL) {
# display image if image url
$value = esc_url($value);
$value = "<img src=\"{$value}\" class=\"ITM-image-indication\" alt=\"\" /><br /><span class=\"ITM-list-data\" {$data_key} {$data_col}>{$value}</span>";
# xss OK
} else {
$value = "<span class=\"ITM-list-data ITM-serialized-text\" {$data_key} {$data_col}>" . esc_html($value) . '</span>';
}
}
return $value;
}
function test_build_style_attr_xss()
{
$xss_vulnerable_match = preg_match('/<script>.*/', ITM_Util::style_attr(array('background-color' => '#12345', 'color' => 'red', 'padding' => 0, '" ><script>alert(1);</script>' => '', 'aaa' => '" ><script>alert(1);</script>')));
$this->assertEquals(0, $xss_vulnerable_match);
}
