
I'm trying to build a custom Elementor Widget (https://developers.elementor.com/creating-a-new-widget/). In the render() function, I can put the HTML that's being rendered in the frontend.

Now I have a project set up that uses codesniffer to force wordpress coding standards.

I have the following code for the render() function:

/**
 * Render widget output on the frontend
 */
protected function render() {
    $i_am                 = __( 'I am', 'hello-elementor-child' );
    $and_i_am_looking_for = __( 'and I am looking for', 'hello-elementor-child' );

    $output = <<<HTML
        <form>
            <div>
                <label>$i_am</label>
                <input type="text" name="i_am" value="" />
            </div>
            <div>
                <label>$and_i_am_looking_for</label>
                <input type="text" name="and_i_am_looking_for" value="" />
            </div>
        </form>
    HTML;

    echo $output;
}

CodeSniffer now complains about the $output, since I'm not escaping it:

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '$output'.

PHPCS(WordPress.Security.EscapeOutput.OutputNotEscaped)

Now looking up the WP Dev Handbook, it tells me about several methods to escape the output, and esc_html, for example, does exactly what it should, but of course then the frontend displays HTML code to the user instead of actual HTML that's rendered by the browser...

So in this scenario, how do I please the codesniffer but also output what I need?

SVARTBERG
  • It's only really content which was derived from user input which needs to be escaped (in order to prevent XSS attacks). – ADyson Aug 09 '21 at 09:28
  • True but wordpress coding standards want me to escape this. I know I could echo line by line and only escape specific variables, but in this case I would like to use heredoc. In the case of using heredoc, codesniffer/wordpress can't know what variables I might have included. So the complaint by codesniffer is ok I think. But there must be a way to solve it? – SVARTBERG Aug 09 '21 at 09:31
  • Automated coding standards don't always understand the full context of what you're doing. If you're satisfied there's no danger, can't you just ignore it (and maybe add a comment to the code as a note for the future)? – ADyson Aug 09 '21 at 09:32
  • `I know I could echo line by line and only escape specific variables, but in this case I would like to use heredoc`...you can still escape the variables before you concatenate them. – ADyson Aug 09 '21 at 09:32
  • Ignoring it: In javascript linters I know you can add comments to ignore certain rules for the current line or for the whole file, but in PHP I don't know how to do that. And this project enforces these rules with a pre-commit hook that only lets me commit the result when there are no errors :P – SVARTBERG Aug 09 '21 at 09:47
  • ```you can still escape the variables before you concatenate them``` I know, but the error still occurs even if I escape the vars beforehand. – SVARTBERG Aug 09 '21 at 09:48
  • If you want, you can use `esc_html` on the variables such as `$i_am`. That is safe. Will PHPCS complain, possibly, but you can [silence](https://stackoverflow.com/a/59073074/231316) those warnings. Is that safe? Yes, until you make a change. PHPCS is trying to tell you that automated tools cannot tell you the answer, so a human has to inspect each and every time. The solution is to inspect each and every time, or write your code in a way that PHPCS can reason about, concatenation. – Chris Haas Aug 09 '21 at 23:47

2 Answers


You can use wp_kses.

echo wp_kses(
    $output,
    array(
        'form'  => array(),
        'div'   => array(),
        'label' => array(),
        // Allowed attributes are keys with a true value. A plain list of
        // names (array( 'type', 'name', 'value' )) is keyed 0, 1, 2 and
        // wp_kses() would strip every attribute from the <input>.
        'input' => array(
            'type'  => true,
            'name'  => true,
            'value' => true,
        ),
    )
);
Marcos Nakamine
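Worked version of both routes discussed on this page, as an added example (not code from the question, from either answer, or from Elementor): the "escape each variable where it is printed" approach from the comments, written so that PHPCS can follow it, and the wp_kses() approach from this answer with the allow-list in the shape wp_kses() actually expects. It assumes it runs inside WordPress so that __(), esc_html(), esc_attr() and wp_kses() exist; the function names render_form_escaped_inline(), widget_form_allowed_html() and render_form_kses() are illustrative only.

```php
<?php
/**
 * Two ways to render the widget markup that pass
 * WordPress.Security.EscapeOutput without silencing the sniff.
 * Added example; assumes WordPress is loaded (plugin or theme context).
 * A third route, `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- reason`
 * on the echo line, only suppresses the warning and has to be re-justified
 * on every later change to the markup.
 */

/**
 * Option A: literal format string, every dynamic value escaped at the point
 * where it is printed. PHPCS follows printf() with a literal format string and
 * esc_*() arguments, so no output is flagged as unescaped.
 */
function render_form_escaped_inline(): void {
	$fields = array(
		'i_am'                 => __( 'I am', 'hello-elementor-child' ),
		'and_i_am_looking_for' => __( 'and I am looking for', 'hello-elementor-child' ),
	);

	echo '<form method="post">';
	foreach ( $fields as $name => $label ) {
		// Text nodes and attribute values are different contexts with
		// different metacharacters: esc_html() for the label text,
		// esc_attr() for anything placed inside a quoted attribute.
		printf(
			'<div><label for="%1$s">%2$s</label><input type="text" id="%1$s" name="%1$s" value="" /></div>',
			esc_attr( $name ),
			esc_html( $label )
		);
	}
	echo '</form>';
}

/**
 * Option B: keep the heredoc and run the whole string through wp_kses().
 * wp_kses() is one of the escaping functions PHPCS recognises, and it drops
 * every tag or attribute not on the allow-list, including anything a
 * tampered translation file could inject through $i_am.
 *
 * The allow-list is tag => array( attribute => true ). A plain list of
 * attribute names is keyed 0, 1, ... and wp_kses() then removes all of them,
 * leaving bare <input /> elements and a form that silently submits nothing.
 */
function widget_form_allowed_html(): array {
	return array(
		'form'  => array( 'method' => true ),
		'div'   => array(),
		'label' => array( 'for' => true ),
		'input' => array(
			'type'  => true,
			'id'    => true,
			'name'  => true,
			'value' => true,
		),
	);
}

function render_form_kses(): void {
	$i_am                 = __( 'I am', 'hello-elementor-child' );
	$and_i_am_looking_for = __( 'and I am looking for', 'hello-elementor-child' );

	// Indented closing marker requires PHP 7.3+ (flexible heredoc syntax).
	$output = <<<HTML
	<form method="post">
		<div>
			<label for="i_am">$i_am</label>
			<input type="text" id="i_am" name="i_am" value="" />
		</div>
		<div>
			<label for="and_i_am_looking_for">$and_i_am_looking_for</label>
			<input type="text" id="and_i_am_looking_for" name="and_i_am_looking_for" value="" />
		</div>
	</form>
	HTML;

	echo wp_kses( $output, widget_form_allowed_html() );
}
```

Quick check after adopting Option B: view the rendered source and confirm the inputs still carry their name attributes. If they come out as bare `<input />`, the allow-list has been written as a list of names instead of name => true pairs.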

If you want to echo HTML code inside PHP, better make it into a string. Please change your code a little, like this:

$output = "<HTML>
    <form>
        <div>
            <label>$i_am</label>
            <input type='text' name='i_am' value='' />
        </div>
        <div>
            <label>$and_i_am_looking_for</label>
            <input type='text' name='and_i_am_looking_for' value='' />
        </div>
    </form>
</HTML>";
thống nguyễn
  • That's not the problem, since I have to echo the $output in the end, which triggers phpcs to complain about $output not being escaped. – SVARTBERG Aug 11 '21 at 08:22