From 622d8dc3c8cdac01f46f0991fbf00e5475437ea8 Mon Sep 17 00:00:00 2001
From: nobu <big-me@n-k-y.net>
Date: Fri, 18 Jun 2021 19:20:02 +0900
Subject: [PATCH] =?UTF-8?q?WP=5FPLUGIN=E3=80=80=E3=83=91=E3=82=B9=E3=83=AF?=
 =?UTF-8?q?=E3=83=BC=E3=83=89=E4=BF=9D=E8=AD=B7=E3=83=9A=E3=83=BC=E3=82=B8?=
 =?UTF-8?q?=E3=81=AE=E3=83=86=E3=82=AD=E3=82=B9=E3=83=88=E5=A4=89=E6=9B=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

・サニタイズとエスケープ
・完了メッセージの閉じるボタン追加
---
 convert-protection-text.php | 105 ++++++++++++++++++------------------
 1 file changed, 54 insertions(+), 51 deletions(-)
diff --git a/convert-protection-text.php b/convert-protection-text.php
index 053eff7..5044d3c 100644
--- a/convert-protection-text.php
+++ b/convert-protection-text.php
@@ -30,19 +30,20 @@ class CNV_Protection_Text {
 	}
 
 	public function show_text_option_page() {
-		//$_POST['_cnv_protect_options'])があったら保存
-		if ( isset( $_POST['_cnv_protect_options'] ) ) {
+		$update_option = filter_input( INPUT_POST, '_cnv_protect_options', FILTER_SANITIZE_STRING, FILTER_REQUIRE_ARRAY );
+		if ( ! empty( $update_option ) ) {
 			check_admin_referer( 'cnv_options' );
-			$opt = $_POST['_cnv_protect_options'];
-			update_option( '_cnv_protect_options', $opt );
+			update_option( '_cnv_protect_options', $update_option );
 			?>
-			<div class="updated fade"><p><strong>設定を保存しました</strong></p></div><?php
+            <div id="settings_updated" class="updated notice is-dismissible">
+                <p><strong>設定を保存しました</strong></p>
+            </div><?php
 		}
 		?>
-		<div class="wrap">
-			<div id="icon-options-general" class="icon32"><br/></div>
-			<h2>アクセス権限ページ設定</h2>
-			<form action="" method="post">
+        <div class="wrap">
+            <div id="icon-options-general" class="icon32"><br/></div>
+            <h2>アクセス権限ページ設定</h2>
+            <form action="" method="post">
 				<?php
 				wp_nonce_field( 'cnv_options' );
 				$opt        = get_option( '_cnv_protect_options' );
@@ -51,50 +52,52 @@ class CNV_Protection_Text {
 				$show_label = $opt['label'] ?? self::BTN_LABEL;
 				$show_btn   = $opt['btn'] ?? self::BTN_TEXT;
 				?>
-				<table class="form-table">
-					<tr valign="top">
-						<th scope="row"><label for="inputtext">保護中</label></th>
-						<td>
+                <table class="form-table">
+                    <tr valign="top">
+                        <th scope="row"><label for="inputtext">保護中</label></th>
+                        <td>
 							<?php if ( $show_radio == 2 ) : ?>
-								<label>
-									<input type="radio" name="_cnv_protect_options[flag]" value="1">表示
-								</label>
-								<label>
-									<input type="radio" name="_cnv_protect_options[flag]" value="2" checked>非表示
-								</label>
+                                <label>
+                                    <input type="radio" name="_cnv_protect_options[flag]" value="1">表示
+                                </label>
+                                <label>
+                                    <input type="radio" name="_cnv_protect_options[flag]" value="2" checked>非表示
+                                </label>
 							<?php elseif ( $show_radio == 1 ): ?>
-								<label>
-									<input type="radio" name="_cnv_protect_options[flag]" value="1" checked>表示
-								</label>
-								<label>
-									<input type="radio" name="_cnv_protect_options[flag]" value="2">非表示
-								</label>
+                                <label>
+                                    <input type="radio" name="_cnv_protect_options[flag]" value="1" checked>表示
+                                </label>
+                                <label>
+                                    <input type="radio" name="_cnv_protect_options[flag]" value="2">非表示
+                                </label>
 							<?php endif; ?>
-						</td>
-					</tr>
-					<tr valign="top">
-						<th scope="row">メッセージ</th>
-						<td>
+                        </td>
+                    </tr>
+                    <tr valign="top">
+                        <th scope="row">メッセージ</th>
+                        <td>
                             <textarea name="_cnv_protect_options[text]" rows="4"
-                                      cols="60"><?php echo $show_text; ?></textarea>
-						</td>
-					</tr>
-					<tr valign="top">
-						<th scope="row">ボタンラベル</th>
-						<td>
-							<input type="text" name="_cnv_protect_options[label]" value="<?php echo $show_label; ?>">
-						</td>
-					</tr>
-					<tr valign="top">
-						<th scope="row">ボタン名</th>
-						<td>
-							<input type="text" name="_cnv_protect_options[btn]" value="<?php echo $show_btn; ?>">
-						</td>
-					</tr>
-				</table>
-				<p class="submit"><input type="submit" name="Submit" class="button-primary" value="変更を保存"/></p>
-			</form>
-			<!-- /.wrap --></div>
+                                      cols="60"><?php echo esc_html( $show_text ); ?></textarea>
+                        </td>
+                    </tr>
+                    <tr valign="top">
+                        <th scope="row">ボタンラベル</th>
+                        <td>
+                            <input type="text" name="_cnv_protect_options[label]"
+                                   value="<?php echo esc_html( $show_label ); ?>">
+                        </td>
+                    </tr>
+                    <tr valign="top">
+                        <th scope="row">ボタン名</th>
+                        <td>
+                            <input type="text" name="_cnv_protect_options[btn]"
+                                   value="<?php echo esc_html( $show_btn ); ?>">
+                        </td>
+                    </tr>
+                </table>
+                <p class="submit"><input type="submit" name="Submit" class="button-primary" value="変更を保存"/></p>
+            </form>
+            <!-- /.wrap --></div>
 		<?php
 	}
 
@@ -127,8 +130,8 @@ class CNV_Protection_Text {
 		}
 
 		return '<form action="' . home_url() . '/wp-login.php?action=postpass" class="post-password-form" method="post">
-<p>' . nl2br( $alert_text ) . '</p>
-<p><label for="pwbox">' . $btn_label . '<input name="post_password" id="pwbox" type="password" size="20"></label> <input type="submit" name="Submit" value="' . $btn_text . '"></p></form>';
+<p>' . nl2br( esc_html( $alert_text ) ) . '</p>
+<p><label for="pwbox">' . esc_html( $btn_label ) . '<input name="post_password" id="pwbox" type="password" size="20"></label> <input type="submit" name="Submit" value="' . esc_html( $btn_text ) . '"></p></form>';
 	}
 }
 
