More escaping
joedolson committed Jan 5, 2025
1 parent 1076d41 commit 2208bdd
Showing 3 changed files with 21 additions and 16 deletions.
8 changes: 4 additions & 4 deletions src/my-calendar-design.php
Expand Up @@ -36,7 +36,7 @@ function my_calendar_design() {
<div class="inside">
<?php my_calendar_style_edit(); ?>
</div>
<?php echo mc_display_contrast_variables(); ?>
<?php mc_display_contrast_variables(); ?>
</div>
</div>

Expand All @@ -45,9 +45,9 @@ function my_calendar_design() {
<?php
$disable_templates = ( 'true' === mc_get_option( 'disable_legacy_templates' ) ) ? true : false;
if ( $disable_templates ) {
echo '<h2>' . __( 'Template Documentation', 'my-calendar' ) . '</h2>';
echo '<h2>' . esc_html__( 'Template Documentation', 'my-calendar' ) . '</h2>';
} else {
echo '<h2>' . __( 'Template Editor (Legacy)', 'my-calendar' ) . '</h2>';
echo '<h2>' . esc_html__( 'Template Editor (Legacy)', 'my-calendar' ) . '</h2>';
echo '<p><span class="mc-flex">';
echo ( isset( $_GET['mc_template'] ) && 'add-new' === $_GET['mc_template'] ) ? '' : wp_kses_post( '<a class="button" href="' . esc_url( add_query_arg( 'mc_template', 'add-new', admin_url( 'admin.php?page=my-calendar-design' ) ) ) . '#my-calendar-templates">' . __( 'Add New Template', 'my-calendar' ) . '</a>' );
mc_help_link( __( 'Template Tag Help', 'my-calendar' ), __( 'Template Tags', 'my-calendar' ), 'template tags', 5 );
Expand All @@ -58,7 +58,7 @@ function my_calendar_design() {
<?php
echo '<p>';
// translators: URL for the PHP templating docs.
printf( __( 'Learn about the <a href="%s">PHP templating system in My Calendar</a>.', 'my-calendar' ), 'https://docs.joedolson.com/my-calendar/php-templates/' );
printf( wp_kses_post( __( 'Learn about the <a href="%s">PHP templating system in My Calendar</a>.', 'my-calendar' ) ), 'https://docs.joedolson.com/my-calendar/php-templates/' );
echo '</p>';
mc_templates_edit();
?>
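Review bot: In the last hunk of my_calendar_design(), the `printf()` whose translated format string is wrapped in `wp_kses_post()` still passes the docs URL into `%s` unescaped, so the filter covers the format string only and not the value that lands in the `href`. The value is a hard-coded literal, so this is a consistency point rather than an exposure, but escaping the argument keeps the call safe if the URL ever becomes filterable or configurable: pass `esc_url( 'https://docs.joedolson.com/my-calendar/php-templates/' )` as the second argument. The function body starts and ends outside the hunks shown.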
8 changes: 4 additions & 4 deletions src/my-calendar-settings.php
Expand Up @@ -925,7 +925,7 @@ function mc_remote_db() {
</form>
<div class="mc-extended-settings">
<h3><?php esc_html_e( 'Import and Export Settings', 'my-calendar' ); ?></h3>
<p><a href="<?php echo mc_export_settings_url(); ?>"><?php esc_html_e( 'Export settings', 'my-calendar' ); ?></a></p>
<p><a href="<?php echo esc_url( mc_export_settings_url() ); ?>"><?php esc_html_e( 'Export settings', 'my-calendar' ); ?></a></p>
<form method="post" enctype="multipart/form-data" action="<?php echo esc_url( admin_url( 'admin.php?page=my-calendar-config#my-calendar-manage' ) ); ?>">
<input type="hidden" name="_wpnonce" value="<?php echo esc_attr( wp_create_nonce( 'my-calendar-nonce' ) ); ?>" />
<p class="mc-input-settings">
Expand All @@ -940,8 +940,8 @@ function mc_remote_db() {
$current_event_slug = ( '' === mc_get_option( 'cpt_base' ) ) ? __( 'mc-events', 'my-calendar' ) : mc_get_option( 'cpt_base' );
?>
<ul>
<li><?php esc_html_e( 'Settings > Permalinks', 'my-calendar' ); ?>: <a aria-describedby='mc-current-events-slug' href="<?php echo esc_url( admin_url( 'options-permalink.php#mc_cpt_base' ) ); ?>"><?php esc_html_e( 'Events permalink slug', 'my-calendar' ); ?></a> <span id="mc-current-events-slug">(<?php echo $current_event_slug; ?>)</span></li>
<li><?php esc_html_e( 'Settings > Permalinks', 'my-calendar' ); ?>: <a aria-describedby='mc-current-location-slug' href="<?php echo esc_url( admin_url( 'options-permalink.php#mc_location_cpt_base' ) ); ?>"><?php esc_html_e( 'Location permalink slug', 'my-calendar' ); ?></a> <span id="mc-current-location-slug">(<?php echo $current_location_slug; ?>)</span></li>
<li><?php esc_html_e( 'Settings > Permalinks', 'my-calendar' ); ?>: <a aria-describedby='mc-current-events-slug' href="<?php echo esc_url( admin_url( 'options-permalink.php#mc_cpt_base' ) ); ?>"><?php esc_html_e( 'Events permalink slug', 'my-calendar' ); ?></a> <span id="mc-current-events-slug">(<?php echo esc_html( $current_event_slug ); ?>)</span></li>
<li><?php esc_html_e( 'Settings > Permalinks', 'my-calendar' ); ?>: <a aria-describedby='mc-current-location-slug' href="<?php echo esc_url( admin_url( 'options-permalink.php#mc_location_cpt_base' ) ); ?>"><?php esc_html_e( 'Location permalink slug', 'my-calendar' ); ?></a> <span id="mc-current-location-slug">(<?php echo esc_html( $current_location_slug ); ?>)</span></li>
<li><?php esc_html_e( 'Settings > General', 'my-calendar' ); ?>: <a href="<?php echo esc_url( admin_url( 'options-general.php#start_of_week' ) ); ?>"><?php esc_html_e( 'First day of the week', 'my-calendar' ); ?></a></li>
</ul>
</div>
Expand Down Expand Up @@ -1933,7 +1933,7 @@ function mc_remote_db() {
?>
</div>
<p>
<input type="submit" name="mc_permissions" class="button-primary" value="<?php _e( 'Save Permissions', 'my-calendar' ); ?>"/>
<input type="submit" name="mc_permissions" class="button-primary" value="<?php esc_html_e( 'Save Permissions', 'my-calendar' ); ?>"/>
</p>
</form>
<?php
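Review bot: The `Save Permissions` submit button in the hunk at line 1933 prints its label inside a `value="…"` attribute with `esc_html_e()`; the function that matches that output context is `esc_attr_e()`, i.e. `value="<?php esc_attr_e( 'Save Permissions', 'my-calendar' ); ?>"`. Both functions encode quotes in WordPress, so the output is safe as written, but the attribute variant keeps the escaping readable against its context and matches the `esc_attr()` already used for the `_wpnonce` field in the first hunk. The enclosing function is not fully visible in these hunks.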
21 changes: 13 additions & 8 deletions src/my-calendar-styles.php
Expand Up @@ -199,8 +199,6 @@ function my_calendar_style_edit() {

/**
* Display color contrast array of custom variables.
*
* @return string
*/
function mc_display_contrast_variables() {
$styles = mc_get_option( 'style_vars', array() );
Expand Down Expand Up @@ -229,12 +227,19 @@ function mc_display_contrast_variables() {
$row .= '</tr>';
$body .= $row;
}
$header = '<thead><tr>' . $head . '</tr></thead>';
$body = '<tbody>' . $body . '</tbody>';

$output = '<table class="mc-contrast-table mc-responsive-table striped"><caption>' . __( 'Accessible Color Combinations', 'my-calendar' ) . '</caption>' . $header . $body . '</table>';

return $output;
?>
<table class="mc-contrast-table mc-responsive-table striped">
<caption><?php esc_html_e( 'Accessible Color Combinations', 'my-calendar' ); ?></caption>
<thead>
<tr>
<?php echo wp_kses_post( $head ); ?>
</tr>
</thead>
<tbody>
<?php echo wp_kses_post( $body ); ?>
</tbody>
</table>
<?php
}

/**
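Review bot: `wp_kses_post( $head )` and `wp_kses_post( $body )` filter the assembled table markup at output, but the values read from the `style_vars` option are concatenated into `$row` above the visible lines, and the hunk does not show whether each value goes through `esc_html()` / `esc_attr()` where it is inserted. Post-level kses strips disallowed tags and attributes but does not replace escaping each value for its own context, so it is worth confirming that the row-building code escapes at the point of concatenation. Separately, mc_display_contrast_variables() now echoes instead of returning a string; the call in my-calendar-design.php is updated in this commit, and any other caller that still uses the return value would receive null.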
