Merge pull request #679 from WebDevStudios/feature/add-more-escaping

Add more escaping

comments.php

@@ -33,7 +33,7 @@
 					/* translators: the number of comments */
 					esc_html( _nx( '%1$s thought on “%2$s”', '%1$s thoughts on “%2$s”', get_comments_number(), 'comments title', '_s' ) ),
 					number_format_i18n( get_comments_number() ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- XSS OK.
-					'<span>' . get_the_title() . '</span>' // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- XSS OK.
+					'<span>' . wp_kses_post( get_the_title() ) . '</span>' // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- XSS OK.
 				);
 			?>
 		</h3>

inc/template-tags.php

@@ -77,7 +77,7 @@ function _s_entry_footer() {
 		sprintf(
 			/* translators: %s: Name of current post */
 			esc_html__( 'Edit %s', '_s' ),
-			the_title( '<span class="screen-reader-text">"', '"</span>', false )
+			wp_kses_post( get_the_title( '<span class="screen-reader-text">"', '"</span>', false ) )
 		),
 		'<span class="edit-link">',
 		'</span>'
@@ -255,7 +255,7 @@ function _s_get_the_title( $args = [] ) {
 	$args = wp_parse_args( $args, $defaults );
 
 	// Trim the title.
-	return wp_trim_words( get_the_title( get_the_ID() ), $args['length'], $args['more'] );
+	return wp_kses_post( wp_trim_words( get_the_title( get_the_ID() ), $args['length'], $args['more'] ) );
 }
 
 /**

template-parts/content-password-protected.php

@@ -16,8 +16,27 @@
 
 		<div class="entry-content">
 			<?php
-				 // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
-				echo get_the_password_form();
+			echo wp_kses(
+				get_the_password_form(),
+				[
+					'p'     => [],
+					'label' => [
+						'for' => [],
+					],
+					'form'  => [
+						'action' => [],
+						'class'  => [],
+						'method' => [],
+					],
+					'input' => [
+						'id'    => [],
+						'name'  => [],
+						'size'  => [],
+						'type'  => [],
+						'value' => [],
+					],
+				]
+			);
 			?>
 		</div><!-- .entry-content -->