From 042417e0a59102e98312a462dbfc3432a90d9389 Mon Sep 17 00:00:00 2001
From: Faishal Saiyed <saiyedfaishal@gmail.com>
Date: Thu, 8 Jan 2015 19:58:35 +0530
Subject: [PATCH] Add missing escaping

---
 class-jobs.php                               | 2 +-
 class-post-public.php                        | 7 +++----
 templates-admin/translation-editor-terms.php | 6 +++---
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/class-jobs.php b/class-jobs.php
index bf351f0..57f482a 100755
--- a/class-jobs.php
+++ b/class-jobs.php
@@ -835,7 +835,7 @@ public function metabox_post_translations( WP_Post $post, array $metabox ) {
 				'bbl_job_post' => "{$post->post_type}|{$post->ID}",
 			);
 			?>
-			<p><a href="<?php echo add_query_arg( $args, admin_url( 'edit.php' ) ); ?>"><?php _e( 'View pending translation jobs &raquo;', 'babble' ); ?></a></p>
+			<p><a href="<?php echo esc_url( add_query_arg( $args, admin_url( 'edit.php' ) ) ); ?>"><?php _e( 'View pending translation jobs &raquo;', 'babble' ); ?></a></p>
 			<?php
 
 		} else if ( $capable ) {
diff --git a/class-post-public.php b/class-post-public.php
index 34f1efd..16bbb3c 100644
--- a/class-post-public.php
+++ b/class-post-public.php
@@ -303,8 +303,7 @@ public function registered_post_type( $post_type, $args ) {
 			// @FIXME: We are in danger of a post_type name being longer than 20 chars
 			// I would prefer to keep the post_type human readable, as human devs and sysadmins always
 			// end up needing to read this kind of thing.
-			// @FIXME: Should I be sanitising these values?
-			$new_post_type = strtolower( "{$post_type}_{$lang->code}" );
+			$new_post_type = sanitize_key( strtolower( "{$post_type}_{$lang->code}" ) );
 
 			if ( strlen( $new_post_type ) > 20 ) {
 				trigger_error( sprintf( __( 'Warning: The translated name for the post type %s is longer than %d characters. This *will* cause problems.', 'babble' ),
@@ -996,9 +995,9 @@ public function manage_posts_custom_column( $column_name, $post_id ) {
 			return;
 		}
 		$edit_link = get_edit_post_link( $default_post->ID );
-		$edit_link = add_query_arg( array( 'lang' => bbl_get_default_lang_code() ), $edit_link );
+		$edit_link = esc_url( add_query_arg( array( 'lang' => bbl_get_default_lang_code() ), $edit_link ) );
 		bbl_switch_to_lang( bbl_get_default_lang_code() );
-		$view_link = get_permalink( $default_post->ID );
+		$view_link = esc_url( get_permalink( $default_post->ID ) );
 		bbl_restore_lang();
 		$edit_title = esc_attr( sprintf( __( 'Edit the originating post: “%s”', 'babble' ), get_the_title( $default_post->ID ) ) );
 		$view_title = esc_attr( sprintf( __( 'View the originating post: “%s”', 'babble' ), get_the_title( $default_post->ID ) ) );
diff --git a/templates-admin/translation-editor-terms.php b/templates-admin/translation-editor-terms.php
index cd7cd9e..6b8eb9b 100644
--- a/templates-admin/translation-editor-terms.php
+++ b/templates-admin/translation-editor-terms.php
@@ -11,7 +11,7 @@
 
 			<h4><?php _e( 'Name', 'babble' ); ?></h4>
 			<div class="bbl-translation-property bbl-translation-property-term_name">
-				<input type="text" class="regular-text" name="bbl_translation[terms][<?php echo $original->term_id; ?>][name]" value="<?php echo esc_attr( $translation->name ); ?>">
+				<input type="text" class="regular-text" name="bbl_translation[terms][<?php echo esc_attr( $original->term_id ); ?>][name]" value="<?php echo esc_attr( $translation->name ); ?>">
 			</div>
 			<div class="bbl-translation-original bbl-translation-original-term_name">
 				<?php echo esc_html( $original->name ); ?>
@@ -24,7 +24,7 @@
 
 				<h4><?php _e( 'Slug (optional)', 'babble' ); ?></h4>
 				<div class="bbl-translation-property bbl-translation-property-term_slug">
-					<input type="text" class="regular-text" name="bbl_translation[terms][<?php echo $original->term_id; ?>][slug]" value="<?php echo esc_attr( $translation->slug ); ?>">
+					<input type="text" class="regular-text" name="bbl_translation[terms][<?php echo esc_attr( $original->term_id ); ?>][slug]" value="<?php echo esc_attr( $translation->slug ); ?>">
 				</div>
 				<div class="bbl-translation-original bbl-translation-original-term_slug">
 					<?php echo esc_html( $original->slug ); ?>
@@ -38,7 +38,7 @@
 
 				<h4><?php _e( 'Description', 'babble' ); ?></h4>
 				<div class="bbl-translation-property bbl-translation-property-term_description">
-					<textarea class="regular-text" name="bbl_translation[terms][<?php echo $original->term_id; ?>][description]"><?php echo esc_textarea( $translation->description ); ?></textarea>
+					<textarea class="regular-text" name="bbl_translation[terms][<?php echo esc_attr( $original->term_id ); ?>][description]"><?php echo esc_textarea( $translation->description ); ?></textarea>
 				</div>
 				<div class="bbl-translation-original bbl-translation-original-term_description">
 					<textarea class="regular-text" readonly><?php echo esc_textarea( $original->description ); ?></textarea>