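/**
 * Render one theme-mod value as an HTML fragment for the comparison table.
 *
 * A value that looks like a hex colour gets a colour swatch, one that ends in
 * an image extension gets an <img> preview, anything else is shown as
 * (serialized) text. Every dynamic part is escaped for the context it lands
 * in: attribute values with esc_attr()/esc_url(), text nodes with esc_html().
 *
 * @param string $key  Theme-mod name (emitted as the data-key attribute).
 * @param array  $mods Theme mods keyed by name; a missing key renders "(no value)".
 * @param string $col  Column identifier (emitted as the data-col attribute).
 * @return string HTML fragment.
 */
function decorate_mod($key, $mods, $col) {
    $data_key = 'data-key="' . esc_attr($key) . '"';
    $data_col = 'data-col="' . esc_attr($col) . '"';

    if (!array_key_exists($key, $mods)) {
        return "<span class=\"ITM-list-data\" {$data_key} {$data_col}><small class=\"no-value\">"
            . __('(no value)', 'inherit-theme-mods')
            . '</small></span>';
    }

    // Work on the raw (serialized) value and escape per output context below.
    // Previously the value was esc_html()'d first, so the image-URL test ran on
    // entity-encoded text and esc_url() was fed HTML entities.
    $raw = (string) maybe_serialize($mods[$key]);

    // 3- or 6-digit hex colour with optional '#'. The character class must not
    // contain ',' (the old pattern did, so e.g. "#,,," was treated as a colour).
    // The 'D' modifier stops '$' from matching before a trailing newline.
    $is_color = 1 === preg_match('/^#?(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/D', $raw);
    $is_image = 1 === preg_match('/\.(jpg|jpeg|png|gif)$/iD', $raw);

    if ($is_color) {
        $color_str = substr($raw, 0, 1) === '#' ? $raw : "#{$raw}";
        // Only '#' and hex digits reach here, but style_attr() stays the single
        // place that builds (and escapes) the style attribute.
        $style_attr = ITM_Util::style_attr(array('background-color' => $color_str));
        return "<div class=\"ITM-color-indication\" {$style_attr}></div>"
            . "<span class=\"ITM-list-data\" {$data_key} {$data_col}>" . esc_html($raw) . '</span>';
    }

    if ($is_image) {
        // esc_url() returns '' for a disallowed scheme; in that case do not emit
        // an <img src=""> at all and fall through to the plain-text rendering.
        $src = esc_url($raw);
        if ($src !== '') {
            return "<img src=\"{$src}\" class=\"ITM-image-indication\" alt=\"\" /><br />"
                . "<span class=\"ITM-list-data\" {$data_key} {$data_col}>" . esc_html($raw) . '</span>';
        }
    }

    return "<span class=\"ITM-list-data ITM-serialized-text\" {$data_key} {$data_col}>"
        . esc_html($raw) . '</span>';
}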
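/**
 * ITM_Util::style_attr() must not let a crafted property name or value inject
 * markup into the generated style attribute.
 *
 * A hostile key and a hostile value are passed alongside harmless declarations.
 * The check is format-agnostic: it only demands that no <script ...> tag
 * survives in the output. Whether a '"' can still close the attribute early
 * depends on how style_attr() quotes its result, which this test does not pin
 * down — NOTE(review): confirm against ITM_Util::style_attr().
 */
function test_build_style_attr_xss() {
    $payload = '" ><script>alert(1);</script>';
    $attr = ITM_Util::style_attr(array(
        'background-color' => '#12345',
        'color' => 'red',
        'padding' => 0,
        $payload => '',
        'aaa' => $payload,
    ));

    // Case-insensitive and tolerant of attributes on the tag, so "<SCRIPT>" or
    // "<script type=...>" are caught as well. assertSame rather than
    // assertEquals: preg_match() returns false on a PCRE error and the loose
    // comparison in assertEquals(0, false) would let the test pass vacuously.
    $this->assertSame(0, preg_match('/<script\b/i', $attr));
}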