From 11c0a8ebf9837fd3a0b88d5068bd9bb21e3ad334 Mon Sep 17 00:00:00 2001
From: Mykyta Synelnikov
Date: Tue, 15 Aug 2023 23:52:40 +0300
Subject: [PATCH] - fixed HTML validation for user description field in header; - fixed escaping HTML in user description field;
---
 includes/core/class-fields.php | 34 +++++++++++++++++++++++++------
 includes/core/class-profile.php | 2 ++
 includes/core/um-actions-form.php | 14 ++++++++++---
 3 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/includes/core/class-fields.php b/includes/core/class-fields.php
index e730a65c..c7171e38 100644
--- a/includes/core/class-fields.php
+++ b/includes/core/class-fields.php
@@ -2766,25 +2766,36 @@ if ( ! class_exists( 'um\core\Fields' ) ) { // User 'description' field uses `';
@@ -4276,25 +4287,36 @@ if ( ! class_exists( 'um\core\Fields' ) ) {
 $bio_key = UM()->profile()->get_show_bio_key( $this->global_args );
 if ( $bio_key === $data['metakey'] ) {
+$show_bio = false;
 $bio_html = false;
 $global_setting = UM()->options()->get( 'profile_show_html_bio' );
 if ( 'profile' === $this->global_args['mode'] ) {
 if ( ! empty( $this->global_args['use_custom_settings'] ) ) {
 if ( ! empty( $this->global_args['show_bio'] ) ) {
+$show_bio = true;
 $bio_html = ! empty( $global_setting );
 }
 } else {
 $global_show_bio = UM()->options()->get( 'profile_show_bio' );
 if ( ! empty( $global_show_bio ) ) {
+$show_bio = true;
 $bio_html = ! empty( $global_setting );
 }
 }
 }
-if ( true === $bio_html && ! empty( $data['html'] ) ) {
-$res = make_clickable( wpautop( wp_kses_post( $res ) ) );
+if ( $show_bio ) {
+if ( true === $bio_html && ! empty( $data['html'] ) ) {
+$res = wp_kses_post( make_clickable( wpautop( $res ) ) );
+} else {
+$res = esc_html( $res );
+}
 } else {
-$res = esc_html( $res );
+if ( ! empty( $data['html'] ) ) {
+$res = wp_kses_post( make_clickable( wpautop( $res ) ) );
+} else {
+$res = esc_html( $res );
+}
 }
 $res = nl2br( $res );
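Review bot: The `if ( $show_bio )` / `else` split at the end of the 4276 hunk duplicates the whole render path, and since `$bio_html` is only ever set on a path that also sets `$show_bio = true`, the two branches differ only in whether `true === $bio_html` is required; the decision can be computed once as `$allow_html = ! empty( $data['html'] ) && ( ! $show_bio || true === $bio_html );` followed by a single `if ( $allow_html ) { $res = wp_kses_post( make_clickable( wpautop( $res ) ) ); } else { $res = esc_html( $res ); }`. Moving `wp_kses_post()` to the outside, after `make_clickable()` and `wpautop()`, is the right direction because the sanitizer then sees the final markup rather than markup that is generated after it ran. The same allow-HTML decision is re-implemented in um-actions-form.php (`um_submit_form_errors_hook_`), so a shared helper would keep the validation rule and the display rule from drifting apart, which is exactly the mismatch this commit is fixing; a one-line comment such as `// Outside the header bio the field's own "html" option decides whether markup is allowed.` would also record the intent of the new else branch. The enclosing method starts and ends outside the hunk, and the hunk at 2766 in this file is garbled in this copy and could not be reviewed.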
diff --git a/includes/core/class-profile.php b/includes/core/class-profile.php
index c47b99b7..ca698a96 100644
--- a/includes/core/class-profile.php
+++ b/includes/core/class-profile.php
@@ -439,6 +439,8 @@ if ( ! class_exists( 'um\core\Profile' ) ) {
 }
 if ( $bio_html ) {
+$data['html'] = true;
+$value = um_filtered_value( $key, $data );
 $res = wp_kses_post( make_clickable( wpautop( $value ) ) );
 } else {
 $res = esc_html( $value );
diff --git a/includes/core/um-actions-form.php b/includes/core/um-actions-form.php
index 44e72695..cc5d9526 100644
--- a/includes/core/um-actions-form.php
+++ b/includes/core/um-actions-form.php
@@ -710,10 +710,18 @@ function um_submit_form_errors_hook_( $submitted_data, $form_data ) {
 $max_chars = $array['max_chars'];
 }
-if ( ! empty( $array['html'] ) && $bio_html ) {
-$description_value = wp_strip_all_tags( $submitted_data[ $description_key ] );
+if ( $show_bio ) {
+if ( ! empty( $array['html'] ) && $bio_html ) {
+$description_value = wp_strip_all_tags( $submitted_data[ $description_key ] );
+} else {
+$description_value = $submitted_data[ $description_key ];
+}
 } else {
-$description_value = $submitted_data[ $description_key ];
+if ( ! empty( $array['html'] ) ) {
+$description_value = wp_strip_all_tags( $submitted_data[ $description_key ] );
+} else {
+$description_value = $submitted_data[ $description_key ];
+}
 }
 }
 }
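Review bot: The added `um_filtered_value( $key, $data )` call runs only inside the `if ( $bio_html )` branch, so the `else` branch escapes a `$value` that has not been through the same filtering; if `$value` was already produced by `um_filtered_value()` earlier in this method (its start is outside the hunk), the HTML branch now filters it twice, and if it was not, the plain-text branch is the only unfiltered path. Either way the asymmetry deserves a comment or a single call placed before the `if`, e.g. `$value = um_filtered_value( $key, $data );` once both branches need it. It is also worth confirming that setting `$data['html'] = true` on this local copy is what makes the filter keep markup, since `wp_kses_post()` on the next line is still the only sanitization step visible here and must stay after any filter that can emit HTML.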
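Review bot: `$show_bio` is read by the new `if ( $show_bio )` but nothing in this hunk assigns it, and the diffstat for this file (`14 ++++++++++---`) is fully accounted for by this hunk, so the commit adds no other line here; unless it is already set earlier in `um_submit_form_errors_hook_` (the function's start is outside the hunk), PHP treats it as an undefined null and every submission falls into the `else` branch, where `wp_strip_all_tags()` is applied whenever `$array['html']` is set, ignoring the `$bio_html` setting entirely. The two branches collapse to `$allow_html = ! empty( $array['html'] ) && ( ! $show_bio || $bio_html );` with one assignment each way, which mirrors the render-side decision in class-fields.php and makes the intended equivalence between the two easier to verify. Note that `wp_strip_all_tags()` here only changes `$description_value`, presumably for the `$max_chars` length check that follows outside the hunk; the stored value is not sanitized by this code, so the display-side `wp_kses_post()` remains the control that matters.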