Unreleased bugfix v2.6.1 with Stable Tag 2.6.0.

Needed to share in a Forum topic where the problem came up incidentally. Must also be shared in the Forum topic of the related bug report. This also contains an escapement reversal (without known incidence on the plugin’s behavior). = 2.6.1 = - Bugfix: Tooltips: Styling: Font color: set to black for maximum contrast with respect to white default background, thanks to 4msc bug report. - Bugfix: Tooltips: Styling: Background color: set default value back to white because empty doesn’t work out as expected. = Branches = Delete the staging branch. Rationale: - It is outdated an cannot be used for staging any more. - It had been made improperly on its own instead of copying from trunk/. - It is undue for the following reasons: - Staging release processes here is too dangerous. - Staging release processes here is too little effective. Staging must not take place in this repository but in another SVN instance. git-svn-id: https://plugins.svn.wordpress.org/footnotes/trunk@2504324 b8457f37-d9ea-0310-8a92-e5e31aec5664
2021-03-27 06:10:08 +00:00 · 2021-03-27 06:10:08 +00:00 · 258e3c6070
commit 258e3c6070
parent 380a309ad3
17 changed files with 104 additions and 66 deletions
--- a/class/dashboard/layout.php
+++ b/class/dashboard/layout.php
@ -337,9 +337,24 @@ abstract class MCI_Footnotes_Layout_Engine {
 	/**
 	 * Loads specific setting and returns an array with the keys [id, name, value].
 	 *
-	 * @since  1.5.0
+	 * @since 1.5.0
 	 * @param string $p_str_setting_key_name Settings Array key name.
 	 * @return array Contains Settings ID, Settings Name and Settings Value.
+	 * 
+	 * @since 2.5.11 Remove escapement function.
+	 * When refactoring the codebase after 2.5.8, all and every output was escaped.
+	 * After noticing that the plugin was broken, all escapement functions were removed.
+	 * @link https://github.com/markcheret/footnotes/pull/50/commits/25c3f2f12eb5de1079e9215bf624ec4289b095a5
+	 * @link https://github.com/markcheret/footnotes/pull/50#issuecomment-787624123
+	 * In that process, this instance of esc_attr() was removed too, so the plugin was
+	 * broken again.
+	 * @link https://github.com/markcheret/footnotes/pull/50/commits/25c3f2f12eb5de1079e9215bf624ec4289b095a5#diff-a8ed6e859c32a18fc10bbbad3b4dd8ce7f43f2378d29471c7638e314ab30f1bdL349-L354
+	 * 
+	 * @since 2.5.15 To fix it, the data was escaped in add_select_box() instead.
+	 * @since 2.6.1  Restore esc_attr() in load_setting().
+	 * @see add_select_box()
+	 * This is the only instance of esc_|kses|sanitize in the pre-2.5.11 codebase.
+	 * Removing this did not fix the quotation mark backslash escapement bug.
 	 */
 	protected function load_setting( $p_str_setting_key_name ) {
 		// Get current section.
@ -347,7 +362,7 @@ abstract class MCI_Footnotes_Layout_Engine {
 		$p_arr_return          = array();
 		$p_arr_return['id']    = sprintf( '%s', $p_str_setting_key_name );
 		$p_arr_return['name']  = sprintf( '%s', $p_str_setting_key_name );
-		$p_arr_return['value'] = MCI_Footnotes_Settings::instance()->get( $p_str_setting_key_name );
+		$p_arr_return['value'] = esc_attr( MCI_Footnotes_Settings::instance()->get( $p_str_setting_key_name ) );
 		return $p_arr_return;
 	}

@ -467,6 +482,9 @@ abstract class MCI_Footnotes_Layout_Engine {
 	 * @param string $p_str_setting_name  Name of the Settings key to pre select the current value.
 	 * @param array  $p_arr_options       Possible options to be selected.
 	 * @return string
+	 * 
+	 * @since 2.5.15 Bugfix: Dashboard: General settings: Footnote start and end short codes: debug select box for shortcodes with pointy brackets.
+	 * @since 2.6.1  Restore esc_attr() in load_setting(), remove htmlspecialchars() here.
 	 */
 	protected function add_select_box( $p_str_setting_name, $p_arr_options ) {
 		// Collect data for given settings field.
@ -478,9 +496,8 @@ abstract class MCI_Footnotes_Layout_Engine {
 			$l_str_options .= sprintf(
 				'<option value="%s" %s>%s</option>',
 				$l_str_value,
-				// Now we need to escape the data, WRT shortcodes with pointy brackets.
 				// Only check for equality, not identity, WRT backlink symbol arrows.
-				$l_str_value == htmlspecialchars( $l_arr_data['value'] ) ? 'selected' : '',
+				$l_str_value == $l_arr_data['value'] ? 'selected' : '',
 				$l_str_caption
 			);
 		}
--- a/class/dashboard/subpage-main.php
+++ b/class/dashboard/subpage-main.php
@ -170,6 +170,7 @@ class MCI_Footnotes_Layout_Settings extends MCI_Footnotes_Layout_Engine {
 	 * Displays the AMP compatibility mode option.
 	 *
 	 * @since 2.5.11 (draft)
+	 * @since 2.6.0  (release)
 	 */
 	public function amp_compat() {

@ -1084,21 +1085,21 @@ class MCI_Footnotes_Layout_Settings extends MCI_Footnotes_Layout_Engine {
 	 * Displays all settings for the backlink symbol.
 	 *
 	 * @since 1.5.0
-	 * 
+	 *
 	 * - Update: **symbol for backlinks** removed; hyperlink moved to the reference number.
-	 * 
+	 *
 	 * @since 2.0.0
 	 * The former 'hyperlink arrow' is incompatible with combined identical footnotes.
 	 *
 	 * - Update: Reference container: clarify backlink semantics by prepended transitional up arrow, thanks to @mmallett issue report.
-	 * 
+	 *
 	 * @since 2.0.3
-	 * 
+	 *
 	 * - Update: Restore arrow settings to customize or disable the now prepended arrow symbol, thanks to @mmallett issue report.
-	 * 
+	 *
 	 * @since 2.0.4
 	 * @date 2020-11-02T2115+0100
-	 * 
+	 *
 	 * @reporter @mmallett
 	 * @link https://wordpress.org/support/topic/mouse-over-broken/#post-13593037
 	 *
@ -1345,7 +1346,7 @@ class MCI_Footnotes_Layout_Settings extends MCI_Footnotes_Layout_Engine {
 				'example-string' => '<br/>' . __( 'will be displayed as:', 'footnotes' ),
 				'example'        => $g_obj_mci_footnotes->a_obj_task->exec( $l_str_example, true ),
 				// Translators: 1: <a>; 2: </a>.
-				'information'    => sprintf( __( 'For further information please check out our %1$ssupport forum%2$s on WordPress.org.', 'footnotes' ), '<a href="http://wordpress.org/support/plugin/footnotes" target="_blank" class="footnote_plugin">', '</a>' ),
+				'information'    => sprintf( __( 'For further information please check out our %1$ssupport forum%2$s on WordPress.org.', 'footnotes' ), '<a href="https://wordpress.org/support/plugin/footnotes" target="_blank" class="footnote_plugin">', '</a>' ),
 			)
 		);
 		// Call wp_head function to get the Styling of the mouse-over box.