Merge pull request #200 from BeAPI/fix/escape-svg

Add escape for the svg and add method to allow svg tag

Author: asadowski10

inc/Helpers/Formatting/Link.php

@@ -172,7 +172,7 @@ function get_the_link( array $attributes, array $settings = [] ): string {
 	// Implode all attributes for display purposes
 	$attributes_escaped = implode( ' ', $attributes_escaped );
 	// Escape content for display purposes
-	$label = $settings['content'] ? escape_content_value( $settings['content'], $settings['escape']['content'] ?? 'esc_html' ) : '';
+	$label = $settings['content'] ? escape_content_value( $settings['content'], $settings['escape']['content'] ?? 'wp_kses_post' ) : '';
 
 	$link_markup = sprintf( '<a %s>%s%s</a>', $attributes_escaped, $settings['new_window'], $label );
 

inc/Services/Svg.php

@@ -16,6 +16,7 @@ class Svg implements Service {
 	 * @param Service_Container $container
 	 */
 	public function register( Service_Container $container ): void {
+		add_filter( 'wp_kses_allowed_html', [ $this, 'allow_svg_tag' ] );
 	}
 
 	/**
@@ -52,9 +53,41 @@ public function get_the_icon( string $icon_class, array $additionnal_classes = [
 
 	/**
 	 * @param string $icon_class
-	 * @param array  $additionnal_classes
+	 * @param array $additionnal_classes
 	 */
 	public function the_icon( string $icon_class, array $additionnal_classes = [] ): void {
 		echo $this->get_the_icon( $icon_class, $additionnal_classes ); //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	}
+
+	/**
+	 * Allow svg tag
+	 *
+	 * @param $tags
+	 *
+	 * @return mixed
+	 * @author Egidio CORICA
+	 */
+	public function allow_svg_tag( $tags ) {
+		$tags['svg'] = [
+			'xmlns'       => [],
+			'fill'        => [],
+			'viewbox'     => [],
+			'role'        => [],
+			'aria-hidden' => [],
+			'focusable'   => [],
+			'class'       => [],
+		];
+
+		$tags['path'] = [
+			'd'    => [],
+			'fill' => [],
+		];
+
+		$tags['use'] = [
+			'xmlns:xlink' => [],
+			'xlink:href'  => [],
+		];
+
+		return $tags;
+	}
 }