From f9404bb516fd26eb973915af54caadfc1d339620 Mon Sep 17 00:00:00 2001
From: Mykyta Synelnikov
Date: Fri, 23 Jun 2023 03:05:49 +0300
Subject: [PATCH] - reviewed `um_add_update_notice()`;
---
includes/core/um-actions-misc.php | 109 ++++++++++++++++++------------
1 file changed, 65 insertions(+), 44 deletions(-)
diff --git a/includes/core/um-actions-misc.php b/includes/core/um-actions-misc.php
index c5744df3..0160e190 100644
--- a/includes/core/um-actions-misc.php
+++ b/includes/core/um-actions-misc.php
@@ -1,8 +1,8 @@ -form()->errors ) { // phpcs:ignore WordPress.Security.NonceVerification - switch ( sanitize_key( $_REQUEST['updated'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification + // Skip if there are errors while submission. + if ( UM()->form()->errors ) { + return; + } + + // phpcs:disable WordPress.Security.NonceVerification -- used for echo and already verified here. + if ( ! empty( $_REQUEST['updated'] ) ) { + $updated = sanitize_key( $_REQUEST['updated'] ); + switch ( $updated ) { default: /** - * Filters add custom success message + * Filters a custom success message. * - * @since 2.0 + * @since 1.3.x + * @since 2.6.4 Added `$args` parameter. * @hook um_custom_success_message_handler * - * @param {string} $success Message. - * @param {array} $updated Updated data. + * @param {string} $success Success message. + * @param {string} $updated Updated key. + * @param {array} $args UM Form shortcode arguments. * * @return {string} Message. * - * @example Can view profile. - * function my_custom_success_message( $success, $updated ) { - * // your code here + * @example It adds a custom message for `custom_key_on_profile` updated key. 
+ * function my_custom_success_message( $success, $updated, $args ) { + * if ( 'custom_key_on_profile' === $updated ) { + * $success = 'Some custom message'; + * } * return $success; * } - * add_filter( 'um_custom_success_message_handler', 'my_custom_success_message', 10, 2 ); + * add_filter( 'um_custom_success_message_handler', 'my_custom_success_message', 10, 3 ); */ - $success = apply_filters( 'um_custom_success_message_handler', $success, sanitize_key( $_REQUEST['updated'] ) ); // phpcs:ignore WordPress.Security.NonceVerification + $success = apply_filters( 'um_custom_success_message_handler', $success, $updated, $args ); break; - case 'account': $success = __( 'Your account was updated successfully.', 'ultimate-member' ); break; - case 'password_changed': $success = __( 'You have successfully changed your password.', 'ultimate-member' ); break; - case 'account_active': $success = __( 'Your account is now active! You can login.', 'ultimate-member' ); break; - } } - if ( ! empty( $_REQUEST['err'] ) && ! UM()->form()->errors ) { // phpcs:ignore WordPress.Security.NonceVerification - switch ( sanitize_key( $_REQUEST['err'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification - + if ( ! empty( $_REQUEST['err'] ) ) { + $request_error = sanitize_key( $_REQUEST['err'] ); + switch ( $request_error ) { default: /** - * Filters add custom error message + * Filters a custom error message. * - * @since 2.0 + * @since 1.3.x + * @since 2.6.4 Added `$args` parameter. * @hook um_custom_error_message_handler * - * @param {string} $success Error message. - * @param {array} $updated Error data. + * @param {string} $error Error message. + * @param {string} $request_error Error data. + * @param {array} $args UM Form shortcode arguments. * * @return {string} Error message. * - * @example Can view profile. - * function my_custom_error_message( $error, $request_error ) { - * // your code here + * @example It adds a custom error for `custom_key_on_profile` error key. 
+ * function my_custom_error_message( $error, $request_error, $args ) { + * if ( 'custom_key_on_profile' === $request_error ) { + * $error = 'Some custom message'; + * } * return $error; * } - * add_filter( 'um_custom_error_message_handler', 'my_custom_error_message', 10, 2 ); + * add_filter( 'um_custom_error_message_handler', 'my_custom_error_message', 10, 3 ); */ - $err = apply_filters( 'um_custom_error_message_handler', $err, sanitize_key( $_REQUEST['err'] ) ); // phpcs:ignore WordPress.Security.NonceVerification - if ( ! $err ) { + $err = apply_filters( 'um_custom_error_message_handler', $err, $request_error, $args ); + if ( empty( $err ) ) { $err = __( 'An error has been encountered', 'ultimate-member' ); } break; - case 'registration_disabled': $err = __( 'Registration is currently disabled', 'ultimate-member' ); break; - case 'blocked_email': $err = __( 'This email address has been blocked.', 'ultimate-member' ); break; - case 'blocked_domain': $err = __( 'We do not accept registrations from that domain.', 'ultimate-member' ); break; - case 'blocked_ip': $err = __( 'Your IP address has been blocked.', 'ultimate-member' ); break; - case 'inactive': $err = __( 'Your account has been disabled.', 'ultimate-member' ); break; - case 'awaiting_admin_review': $err = __( 'Your account has not been approved yet.', 'ultimate-member' ); break; - case 'awaiting_email_confirmation': $err = __( 'Your account is awaiting e-mail verification.', 'ultimate-member' ); break; - case 'rejected': $err = __( 'Your membership request has been rejected.', 'ultimate-member' ); break; - case 'invalid_nonce': $err = __( 'An error has been encountered. Probably page was cached. Please try again.', 'ultimate-member' ); break; - } } + // phpcs:enable WordPress.Security.NonceVerification -- used for echo and already verified here. + + add_filter( 'um_late_escaping_allowed_tags', 'um_form_notices_additional_tags', 10, 2 ); if ( ! empty( $err ) ) { $output .= '

' . $err . '

'; @@ -191,6 +194,24 @@ function um_add_update_notice( $args ) { $output .= '
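Review bot: The justification on the `phpcs:disable WordPress.Security.NonceVerification` line says the request is "already verified here", but no nonce check appears in the visible part of this hunk; `updated` and `err` are read straight from `$_REQUEST` and are therefore request-controlled. What keeps the block safe is that both values pass through `sanitize_key()` and are used only to select a message, and the comment should say so to discourage adding a state-changing branch inside the disabled region: `// phpcs:disable WordPress.Security.NonceVerification -- read-only: the key only selects which notice to display.` The two filter docblocks could also state that `$updated` and `$request_error` are request-supplied keys, so callbacks treat them as untrusted. The function begins outside the hunk, so any check made earlier is not visible here.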

' . $success . '

'; } - echo $output; + echo wp_kses( $output, UM()->get_allowed_html( 'templates' ) ); + + remove_filter( 'um_late_escaping_allowed_tags', 'um_form_notices_additional_tags' ); } add_action( 'um_before_form', 'um_add_update_notice', 500 ); + +/** + * Extends allowed tags for displaying UM Form notices. + * + * @since 2.6.4 + * + * @param array $allowed_html + * @param string $context + * @return array + */ +function um_form_notices_additional_tags( $allowed_html, $context ) { + if ( 'templates' === $context ) { + $allowed_html['i']['onclick'] = true; + } + return $allowed_html; +}
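Review bot: Allowing `onclick` on `<i>` in `um_form_notices_additional_tags()` applies to the whole `$output` string, and that string includes `$err` and `$success`, which can come back from the `um_custom_error_message_handler` and `um_custom_success_message_handler` filters without any escaping. While the filter is attached, `wp_kses()` keeps an inline handler on any `<i>` inside a message, so the call no longer strips script from that part of the notice. Escaping the message before it is concatenated, e.g. `$err = wp_kses_post( $err );` and the same for `$success` (or `esc_html()` if messages never carry markup), would limit the `onclick` allowance to the plugin's own markup. Binding the dismiss handler from a script file instead would remove the need for the allowance altogether. The notice markup is not fully visible in this hunk, so which element needs `onclick` is inferred.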