CPCS Update

.github/workflows/buildzip.yml

@@ -18,7 +18,7 @@ jobs:
           git archive -o switch-to-classicpress.zip --prefix switch-to-classicpress/ HEAD
           ls
       - name: Upload artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
             name: switch-to-classicpress
             path: switch-to-classicpress.zip

lib/admin-page.php

@@ -137,6 +137,71 @@
 add_action( 'admin_head-tools_page_switch-to-classicpress', 'classicpress_print_admin_styles' );
 add_action( 'admin_head-index_page_switch-to-classicpress', 'classicpress_print_admin_styles' );
 
+/**
+ * set wp_kses() allowed tags
+ *
+ * @since 1.5.2
+ */
+$allowed_tags = array(
+	'a' => array(
+		'class' => array(),
+		'href'  => array(),
+		'rel'   => array(),
+		'title' => array(),
+	),
+	'b' => array(),
+	'blockquote' => array(
+		'cite'  => array(),
+	),
+	'code' => array(),
+	'del' => array(
+		'datetime' => array(),
+		'title' => array(),
+	),
+	'dd' => array(),
+	'div' => array(
+		'class' => array(),
+		'title' => array(),
+		'style' => array(),
+	),
+	'dl' => array(),
+	'dt' => array(),
+	'em' => array(),
+	'h1' => array(),
+	'h2' => array(),
+	'h3' => array(),
+	'h4' => array(),
+	'h5' => array(),
+	'h6' => array(),
+	'i' => array(),
+	'img' => array(
+		'alt'    => array(),
+		'class'  => array(),
+		'height' => array(),
+		'src'    => array(),
+		'width'  => array(),
+	),
+	'li' => array(
+		'class' => array(),
+	),
+	'ol' => array(
+		'class' => array(),
+	),
+	'p' => array(
+		'class' => array(),
+	),
+	'span' => array(
+		'class' => array(),
+		'title' => array(),
+		'style' => array(),
+	),
+	'strike' => array(),
+	'strong' => array(),
+	'ul' => array(
+		'class' => array(),
+	),
+);
+
 /**
  * Remove the WP update nag from the Switch to ClassicPress page.
  *
@@ -196,6 +261,7 @@
  * @since 0.1.0
  */
 function classicpress_show_admin_page() {
+	global $allowed_tags;
 ?>
 <div class="wrap">
 	<h1><?php esc_html_e( 'Switch to ClassicPress', 'switch-to-classicpress' ); ?></h1>
@@ -209,30 +275,30 @@
 	}
 
 ?>
-	<h2><?php _e( 'Feedback and Support', 'switch-to-classicpress' ); ?></h2>
+	<h2><?php esc_html_e( 'Feedback and Support', 'switch-to-classicpress' ); ?></h2>
 
 	<p class="cp-migration-info">
-		<?php _e(
+		<?php esc_html_e(
 			"Do you have feedback about this plugin, or about ClassicPress itself? Need help with something? We'd love to know what you think!",
 			'switch-to-classicpress'
 		); ?>
 	</p>
 	<ul class="cp-migration-info">
 		<li><?php printf(
-			__(
-				/* translators: 1: link with instructions to join our Forum, 2: link to join ClassicPress Slack */
+			wp_kses( __(
+				/* translators: 1: link to the ClassicPress Forum, 2: link to join the ClassicPress Zulip */
 				'For support, suggestions for improvement, or general discussion about how the plugin works, visit us in our <a href="%1$s">support forum</a> or <a href="%2$s">Zulip chat</a>.',
 				'switch-to-classicpress'
-			),
+			), $allowed_tags ),
 			'https://forums.classicpress.net/c/support/migration-plugin',
 			'https://classicpress.zulipchat.com/register/'
 		); ?></li>
 		<li><?php printf(
-			__(
+			wp_kses( __(
 				/* translators: link to create a new GitHub issue for this plugin */
 				'For <strong>specific</strong> bug reports or suggestions, <a href="%s">add a new issue on GitHub</a>.',
 				'switch-to-classicpress'
-			),
+			), $allowed_tags ),
 			'https://github.com/ClassicPress/ClassicPress-Migration-Plugin/issues/new'
 		); ?></li>
 	</ul>
@@ -257,10 +323,11 @@
  * @return bool Whether to show the controls to proceed with the migration.
  */
 function classicpress_check_can_migrate() {
-	// First: Run a series of checks for conditions that are inherent to this
-	// WordPress install and this user session.
+	global $allowed_tags;
+// First: Run a series of checks for conditions that are inherent to this
+// WordPress install and this user session.
 
-	// Check: Are we already on ClassicPress?
+// Check: Are we already on ClassicPress?
 	if ( function_exists( 'classicpress_version' ) ) {
 		global $cp_version;
 		if ( is_multisite() ) {
@@ -273,36 +340,42 @@
 ?>
 		<div class="notice notice-success">
 <?php
+$show_cp_ver = preg_replace('#[+-].*$#', '', $cp_version);
 if (strpos($cp_version, 'migration')) {
-			_e(
-				"<h2>You're almost done switching to ClassicPress v".preg_replace('#[+-].*$#', '', $cp_version)."!</h2>",
+			echo '<h2>';
+			printf( esc_html__(
+				"You're almost done switching to ClassicPress v%s!",
 				'switch-to-classicpress'
-			);
-			_e(
-				"<strong class='cp-emphasis'>You must visit the <a href='".$reinstall_url."'>Updates Page</a> and Press the Re-Install Now button to complete the migration process!</strong>",
+			), esc_html($show_cp_ver) );
+			echo "</h2><strong class='cp-emphasis'>";
+			printf( wp_kses( __(
+				"You must visit the <a href='%s'>Updates Page</a> and Press the Re-Install Now button to complete the migration process!",
 				'switch-to-classicpress'
-			);
+			), $allowed_tags ), esc_url($reinstall_url) );
+			echo '</strong>';
 } else {
-			_e(
-				"<h2>Good job, you're running ClassicPress v".preg_replace('#[+-].*$#', '', $cp_version)."!</h2>",
+			echo '<h2>';
+			printf( esc_html__(
+				"Good job, you're running ClassicPress v%s!",
 				'switch-to-classicpress'
-			);
+			), esc_html($show_cp_ver) );
+			echo '</h2>';
 }
 ?>
-			<p>
-				<?php _e(
-					"<strong>This Plugin is also an Advanced Version Control Tool for Development and Troubleshooting.</strong>",
+			<p><strong>
+				<?php esc_html_e(
+					"This Plugin is also an Advanced Version Control Tool for Development and Troubleshooting.",
 					'switch-to-classicpress'
 				); ?>
-			</p>
+			</strong></p>
 			<p>
 				<?php echo sprintf(
 					/* translators: %s: URL to plugins page */
-					__(
+					wp_kses( __(
 						'If no longer needed you can <a href="%s">delete the plugin</a>.',
 						'switch-to-classicpress'
-					),
-					$delete_plugin_url
+					), $allowed_tags ),
+					esc_url($delete_plugin_url)
 				); ?>
 			</p>
 		</div>
@@ -323,10 +396,10 @@
 				); ?>
 			</p>
 			<p>
-				<?php _e(
-					'In order to switch to ClassicPress, you\'ll need to <a href="https://move.wordpress.com/">move to a self-hosted WordPress site</a> first.',
+				<?php wp_kses( __(
+					'In order to switch to ClassicPress, you\'ll need a <a href="https://move.wordpress.com/">Hosted WordPress</a> site first.',
 					'switch-to-classicpress'
-				); ?>
+				), $allowed_tags ); ?>
 			</p>
 		</div>
 <?php
@@ -361,8 +434,8 @@
 ?>
 		<div class="notice notice-error">
 			<p>
-				<?php echo $cp_api_object->get_error_message(); ?>
-				<?php echo json_encode( $cp_api_object->get_error_data() ); ?>
+				<?php echo esc_attr( $cp_api_object->get_error_message() ); ?>
+				<?php echo wp_json_encode( $cp_api_object->get_error_data() ); ?>
 			</p>
 		</div>
 <?php
@@ -372,7 +445,7 @@
 	// The first round of checks has passed.  Now, run a second round related
 	// to conditions that the user (or at least the hosting provider) has
 	// control over, and display the results in a table.
-
+	
 	$preflight_checks = array();
 	$icon_preflight_pass = (
 		'<div class="cp-preflight-icon cp-pass">'
@@ -424,53 +497,53 @@
 		 */
 		if ( apply_filters( 'classicpress_ignore_wp_version', false ) ) {
 			$preflight_checks['wp_version'] = true;
-			echo "<tr>\n<td>$icon_preflight_warn</td>\n<td>\n";
+			echo "<tr>\n<td> wp_kses( $icon_preflight_warn, $allowed_tags ) </td>\n<td>\n";
 			echo "<p>\n";
-			echo $wp_version_check_intro_message;
-			_e(
-				'The preflight check for supported WordPress versions has been <strong class="cp-emphasis">disabled</strong>.',
+			echo wp_kses( $wp_version_check_intro_message, $allowed_tags );
+			esc_html_e(
+				'The preflight check for supported WordPress versions has been disabled.',
 				'switch-to-classicpress'
 			);
 			echo "<br>\n";
-			_e(
+			esc_html_e(
 				'We cannot guarantee that the migration process is going to work, and it may even leave your current installation partially broken.',
 				'switch-to-classicpress'
 			);
-			echo "<br>\n";
-			_e(
-				'<strong class="cp-emphasis">Proceed at your own risk!</strong>',
+			echo "<br>\n<strong class='cp-emphasis'>";
+			esc_html_e(
+				'Proceed at your own risk!',
 				'switch-to-classicpress'
 			);
-			echo "<br>\n";
+			echo "</strong><br>\n";
 		} else {
 			$preflight_checks['wp_version'] = false;
 			echo "<tr>\n<td>$icon_preflight_fail</td>\n<td>\n";
 			echo "<p>\n";
-			echo $wp_version_check_intro_message;
+			echo wp_kses( $wp_version_check_intro_message, $allowed_tags );
 		}
 	} else {
 		$preflight_checks['wp_version'] = true;
 		if ( substr( $wp_version, 0, 1 ) === '5' ) {
-			echo "<tr>\n<td>$icon_preflight_warn</td>\n<td>\n";
+			echo "<tr>\n<td> wp_kses( $icon_preflight_warn, $allowed_tags ) </td>\n<td>\n";
 		} else {
-			echo "<tr>\n<td>$icon_preflight_pass</td>\n<td>\n";
+			echo "<tr>\n<td> wp_kses( $icon_preflight_pass, $allowed_tags ) </td>\n<td>\n";
 		}
-		echo "<p>\n";
-		echo $wp_version_check_intro_message;
+		echo "HERE<p>\n";
+		echo wp_kses( $wp_version_check_intro_message, $allowed_tags );
 	}
-	printf( __(
+	printf( esc_html__(
 		/* translators: current WordPress version */
-		'You are running WordPress version <strong>%s</strong>.',
+		'You are running WordPress version %s.',
 		'switch-to-classicpress'
 	), $wp_version );
 	if ( substr( $wp_version, 0, 1 ) === '5' && $preflight_checks['wp_version'] ) {
 		echo "<br>\n";
-		_e(
-			'Migration is supported, but content edited in the new WordPress block editor may not be fully compatible with ClassicPress.',
+		esc_html_e(
+			'Migration is supported, but content edited in the WordPress block editor may not be fully compatible with ClassicPress.',
 			'switch-to-classicpress'
 		);
 		echo "<br>\n";
-		_e(
+		esc_html_e(
 			'After the migration, we recommend reviewing each recently edited post or page and restoring to an earlier revision if needed.',
 			'switch-to-classicpress'
 		);
@@ -491,45 +564,45 @@
 		( is_child_theme() && in_array( $theme->parent()->stylesheet, (array) $cp_api_parameters['themes'] ) )
 	) {
 		$preflight_checks['theme'] = false;
-		echo "<tr>\n<td>$icon_preflight_fail</td>\n<td>\n<p>\n";
-		printf( __(
+		echo "<tr>\n<td> wp_kses( $icon_preflight_fail, $allowed_tags ) </td>\n<td>\n<p>\n";
+		printf( esc_html__(
 			/* translators: active theme name */
-			'It looks like you are using the <strong>%1$s</strong> theme. Unfortunately, %1$s is known to be incompatible with ClassicPress.%2$s',
+			'It looks like you are using the %1$s theme. Unfortunately, %1$s is known to be incompatible with ClassicPress.%2$s',
 			'switch-to-classicpress'
 		), $theme->name, $fse_info );
 		echo "<br>\n";
-		_e(
+		esc_attr_e(
 			$theme_info,
 			'switch-to-classicpress'
 		);
 //	} elseif ( version_compare( $theme->get( 'RequiresWP' ), '5.0' ) >= 0 ) {
 	} elseif ( in_array( 'full-site-editing', $theme->tags ) ) {
 		$preflight_checks['theme'] = false;
-		echo "<tr>\n<td>$icon_preflight_fail</td>\n<td>\n<p>\n";
-		printf( __(
+		echo "<tr>\n<td> wp_kses( $icon_preflight_fail, $allowed_tags ) </td>\n<td>\n<p>\n";
+		printf( esc_html__(
 			/* translators: active theme name */
 			'It looks like you are using the <strong>%1$s</strong> theme. Unfortunately, %1$s is probably using FSE functions and may not be compatible with ClassicPress.%2$s',
 			'switch-to-classicpress'
 //		), $theme->name, $theme->get( 'RequiresWP' ) );
 		), $theme->name, $fse_info );
 		echo "<br>\n";
-		_e(
+		esc_attr_e(
 			$theme_info,
 			'switch-to-classicpress'
 		);
 	} elseif ( $theme->name == $theme_name ) {
 		$preflight_checks['theme'] = true;
-		echo "<tr>\n<td>$icon_preflight_pass</td>\n<td>\n<p>\n";
-		printf( __(
-			'It looks like you are using the <strong>%1$s</strong> theme.<br>%1$s is the suggested theme to use when migrating from ClassicPress to WordPress.',
+		echo "<tr>\n<td> wp_kses( $icon_preflight_pass, $allowed_tags ) </td>\n<td>\n<p>\n";
+		printf( esc_html__(
+			'It looks like you are using the %1$s theme - %1$s is the suggested theme to use when migrating from ClassicPress to WordPress.',
 			'switch-to-classicpress'
 		), $theme->name );
 	} else {
 		$preflight_checks['theme'] = true;
 		echo "<tr>\n<td>$icon_preflight_warn</td>\n<td>\n<p>\n";
-		printf( __(
+		printf( esc_html__(
 			/* translators: active theme name */
-			'It looks like you are using the <strong>%1$s</strong> theme. We are not aware of any incompatibilities between %1$s and ClassicPress.',
+			'It looks like you are using the %1$s theme. We are not aware of any incompatibilities between %1$s and ClassicPress.',
 			'switch-to-classicpress'
 		), $theme->name );
 		echo "<br>\n";
@@ -622,12 +695,12 @@
 			'We have detected one or more plugins that may require Blocks or fail to declare a compatible WordPress version.'.$plugin_info,
 			'switch-to-classicpress'
 		);
-		echo "<br>\n";
+		echo "<br>\n<li>";
 		 _e(
-			'<li>The safest way of switching to ClassicPress is to (temporarily) deactivate the following plugin(s):</li>',
+			'The safest way of switching to ClassicPress is to (temporarily) deactivate the following plugin(s):',
 			'switch-to-classicpress'
 		);
-		//echo "<br>\n";
+		echo "</li>";
 		/* translators: List of conflicting plugin names */
 		printf( __(
 			'<strong>%s<strong>',
@@ -1041,7 +1114,7 @@
 					$php_version_49 = '7.5';
 					if ( version_compare( PHP_VERSION, $php_version_49, 'lt' ) ) {
 						_e(
 							'<p><strong class="cp-emphasis">* MIGRATING TO WP v4.9 SHOULD BE A LAST RESORT AND IS DONE AT YOUR OWN RISK!</strong></p>',
 							'switch-to-classicpress'
 						);
 					}