Add echoing methods for OptionRenderer

john-shaffer · john-shaffer · commit 60a767f7c416 · 2025-08-20T10:40:25.000-05:00
Plugin Check Plugin requires us to directly
escape all echoed output. It's not smart enough
to detect what our code is doing, so we have to
escape right with the echo. I don't want to
destroy our existing functional code for this, so
I added dedicated echoing functions that use
wp_kses to sastify the plugin checks. Since we
already know that the output is safe, the wp_kses
call is wasteful and therefore we only call it
when STATIC_DEPLOY_WP_ORG_MODE is true.
diff --git a/src/OptionRenderer.php b/src/OptionRenderer.php
@@ -14,6 +14,68 @@ class OptionRenderer {
         'string' => 'optionInputString',
     ];
 
+    const KSES_ALLOWED_HTML = [
+        'br' => [],
+        'input' => [
+            'class' => [],
+            'id' => [],
+            'name' => [],
+            'type' => [],
+            'value' => [],
+        ],
+        'label' => [
+            'for' => [],
+            'style' => [],
+        ],
+        'option' => [
+            'selected' => [],
+            'value' => [],
+        ],
+        'select' => [
+            'class' => [],
+            'id' => [],
+            'name' => [],
+        ],
+        'textarea' => [
+            'class' => [],
+            'cols' => [],
+            'id' => [],
+            'name' => [],
+            'rows' => [],
+        ],
+    ];
+
+    public static function echoInput( OptionData $option_data ): void {
+        if ( defined( 'STATIC_DEPLOY_WP_ORG_MODE' ) && STATIC_DEPLOY_WP_ORG_MODE ) {
+            // This is completely unnecessary but is required by
+            // the Plugin Check Plugin, so we have to take the performance
+            // hit.
+            echo wp_kses(
+                self::optionInput( $option_data ),
+                self::KSES_ALLOWED_HTML,
+            );
+        } else {
+            echo self::optionInput( $option_data );
+        }
+    }
+
+    public static function echoLabel(
+        OptionData $option_data,
+        bool $description = false,
+    ): void {
+        if ( defined( 'STATIC_DEPLOY_WP_ORG_MODE' ) && STATIC_DEPLOY_WP_ORG_MODE ) {
+            // This is completely unnecessary but is required by
+            // the Plugin Check Plugin, so we have to take the performance
+            // hit.
+            echo wp_kses(
+                self::optionLabel( $option_data, $description ),
+                self::KSES_ALLOWED_HTML,
+            );
+        } else {
+            echo self::optionLabel( $option_data, $description );
+        }
+    }
+
     public static function optionInput( OptionData $option ): string {
         $option_input = call_user_func(
             [
