alleyinteractive · enrico-sorcinelli · Feb 4, 2018 · Feb 4, 2018
diff --git a/php/class-fieldmanager-autocomplete.php b/php/class-fieldmanager-autocomplete.php
@@ -136,11 +136,12 @@ public function form_element( $value = null ) {
 		}
 
 		$element = sprintf(
-			'<input class="fm-autocomplete fm-element fm-incrementable" type="text" id="%s" value="%s"%s %s />',
+			'<input class="fm-autocomplete fm-element fm-incrementable%s" type="text" id="%s" value="%s"%s %s />',
+			$this->get_element_attributes( 'class' ),
 			esc_attr( $this->get_element_id() ),
 			esc_attr( $display_value ),
 			( ! empty( $this->custom_args_js_event ) ) ? ' data-custom-args-js-event="' . esc_attr( $this->custom_args_js_event ) . '"' : '',
-			$this->get_element_attributes()
+			$this->get_element_attributes( '', array( 'data-custom-args-js-event' ) )
 		);
 
 		$element .= sprintf(

diff --git a/php/class-fieldmanager-checkbox.php b/php/class-fieldmanager-checkbox.php
@@ -55,14 +55,15 @@ public function form_element( $value = null ) {
 		return sprintf(
 			'
 			<input class="fm-checkbox-hidden fm-element" type="hidden" name="%1$s" value="%6$s" />
-			<input class="fm-element" type="checkbox" name="%1$s" value="%2$s" %3$s %4$s id="%5$s" />
+			<input class="fm-element%7$s" type="checkbox" name="%1$s" value="%2$s" %3$s %4$s id="%5$s" />
 			',
 			esc_attr( $this->get_form_name() ),
 			esc_attr( (string) $this->checked_value ),
 			$this->get_element_attributes(),
 			( $value == $this->checked_value ) ? 'checked="checked"' : '',
 			esc_attr( $this->get_element_id() ),
-			$this->unchecked_value
+			$this->unchecked_value,
+			$this->get_element_attributes( 'class' )
 		);
 	}
 

diff --git a/php/class-fieldmanager-colorpicker.php b/php/class-fieldmanager-colorpicker.php
@@ -58,12 +58,13 @@ public function __construct( $label = '', $options = array() ) {
 	 */
 	public function form_element( $value = '' ) {
 		return sprintf(
-			'<input class="fm-element fm-colorpicker-popup" name="%1$s" id="%2$s" data-default-color="%3$s" value="%4$s" %5$s />',
+			'<input class="fm-element fm-colorpicker-popup%6$s" name="%1$s" id="%2$s" data-default-color="%3$s" value="%4$s" %5$s />',
 			esc_attr( $this->get_form_name() ),
 			esc_attr( $this->get_element_id() ),
 			esc_attr( $this->default_color ),
 			esc_attr( $value ),
-			$this->get_element_attributes()
+			$this->get_element_attributes( '', array( 'data-default-color' ) ),
+			$this->get_element_attributes( 'class' )
 		);
 	}
 }
diff --git a/php/class-fieldmanager-field.php b/php/class-fieldmanager-field.php
@@ -1056,12 +1056,26 @@ public function presave( $value, $current_value = array() ) {
 	/**
 	 * Generates an HTML attribute string based on the value of $this->attributes.
 	 *
+	 * @param string $attr          Attribute name.
+	 * @param array  $attr_exclude  Add attributes to black list. Default to ('class',
+	 *                              'type', 'name', 'id', 'value', 'checked').
+	 *
 	 * @see Fieldmanager_Field::$attributes
-	 * @return string attributes ready to insert into an HTML tag.
+	 * @return string Attributes or single attribute value ready to insert into an HTML tag.
 	 */
-	public function get_element_attributes() {
+	public function get_element_attributes( $attr = '', $attr_exclude = array() ) {
+
+		if ( ! empty( $attr ) ) {
+			return array_key_exists( $attr, $this->attributes ) ? ' ' . esc_attr( $this->attributes[ $attr ] ) : '';
+		}
+
+		$attr_exclude = array_merge( is_array( $attr_exclude ) ? $attr_exclude : array(), array( 'class', 'type', 'name', 'id', 'value', 'checked' ) );
+
 		$attr_str = array();
 		foreach ( $this->attributes as $attr => $val ) {
+			if ( in_array( $attr, $attr_exclude ) ) {
+				continue;
+			}
 			if ( true === $val ) {
 				$attr_str[] = sanitize_key( $attr );
 			} else {

diff --git a/php/class-fieldmanager-media.php b/php/class-fieldmanager-media.php
@@ -181,7 +181,7 @@ public function form_element( $value = array() ) {
 			esc_attr( $this->modal_title ),
 			esc_attr( $this->modal_button_label ),
 			esc_attr( $this->mime_type ),
-			$this->get_element_attributes()
+			$this->get_element_attributes( '', array( 'data-choose', 'data-update', 'data-preview-size', 'data-mime-type' ) )
 		);
 	}
 

diff --git a/php/class-fieldmanager-textarea.php b/php/class-fieldmanager-textarea.php
@@ -43,7 +43,8 @@ public function __construct( $label = '', $options = array() ) {
 	 */
 	public function form_element( $value = '' ) {
 		return sprintf(
-			'<textarea class="fm-element" name="%s" id="%s" %s >%s</textarea>',
+			'<textarea class="fm-element%s" name="%s" id="%s" %s >%s</textarea>',
+			$this->get_element_attributes( 'class' ),
 			esc_attr( $this->get_form_name() ),
 			esc_attr( $this->get_element_id() ),
 			$this->get_element_attributes(),

diff --git a/templates/datepicker.php b/templates/datepicker.php
@@ -8,7 +8,7 @@
 ?>
 
 <input
-	class="fm-element fm-datepicker-popup"
+	class="fm-element fm-datepicker-popup<?php echo $this->get_element_attributes( 'class' ); /* Escaped internally. WPCS XSS okay. */ ?>"
 	type="text"
 	data-datepicker-opts="<?php echo esc_attr( json_encode( $this->js_opts ) ); ?>"
 	name="<?php echo esc_attr( $this->get_form_name( '[date]' ) ); ?>"
@@ -24,11 +24,11 @@ class="fm-element fm-datepicker-popup"
 <?php if ( $this->use_time ) : ?>
 	<span class="fm-datepicker-time-wrapper">
 		@
-		<input class="fm-element fm-datepicker-time" type="text" value="<?php echo esc_attr( $this->get_hour( $value ) ); ?>" name="<?php echo esc_attr( $this->get_form_name( '[hour]' ) ); ?>" />
+		<input class="fm-element fm-datepicker-time<?php echo $this->get_element_attributes( 'class' ); /* Escaped internally. WPCS XSS okay. */ ?>" type="text" value="<?php echo esc_attr( $this->get_hour( $value ) ); ?>" name="<?php echo esc_attr( $this->get_form_name( '[hour]' ) ); ?>" />
 		:
-		<input class="fm-element fm-datepicker-time" type="text" value="<?php echo esc_attr( $this->get_minute( $value ) ); ?>" name="<?php echo esc_attr( $this->get_form_name( '[minute]' ) ); ?>" />
+		<input class="fm-element fm-datepicker-time<?php echo $this->get_element_attributes( 'class' ); /* Escaped internally. WPCS XSS okay. */ ?>" type="text" value="<?php echo esc_attr( $this->get_minute( $value ) ); ?>" name="<?php echo esc_attr( $this->get_form_name( '[minute]' ) ); ?>" />
 		<?php if ( $this->use_am_pm ) : ?>
-			<select class="fm-element" name="<?php echo esc_attr( $this->get_form_name( '[ampm]' ) ); ?>">
+			<select class="fm-element<?php echo $this->get_element_attributes( 'class' ); /* Escaped internally. WPCS XSS okay. */ ?>" name="<?php echo esc_attr( $this->get_form_name( '[ampm]' ) ); ?>">
 				<option value="am"<?php selected( $this->get_am_pm( $value ), 'am' ); ?>>A.M.</option>
 				<option value="pm"<?php selected( $this->get_am_pm( $value ), 'pm' ); ?>>P.M.</option>
 			</select>

diff --git a/templates/options-checkboxes.php b/templates/options-checkboxes.php
@@ -10,7 +10,7 @@
 
 <div class="fm-option">
 	<input
-		class="fm-element"
+		class="fm-element<?php echo $this->get_element_attributes( 'class' ); /* Escaped internally. WPCS XSS okay. */ ?>"
 		type="checkbox"
 		value="<?php echo esc_attr( $data_row['value'] ); ?>"
 		name="<?php echo esc_attr( $this->get_form_name( '[]' ) ); ?>"

diff --git a/templates/options-radios.php b/templates/options-radios.php
@@ -10,7 +10,7 @@
 
 <div class="fm-option">
 	<input
-		class="fm-element"
+		class="fm-element<?php echo $this->get_element_attributes( 'class' ); /* Escaped internally. WPCS XSS okay. */ ?>"
 		type="radio"
 		value="<?php echo esc_attr( $data_row['value'] ); ?>"
 		name="<?php echo esc_attr( $this->get_form_name() ); ?>"

diff --git a/templates/textfield.php b/templates/textfield.php
@@ -7,7 +7,7 @@
 
 ?>
 <input
-	class="fm-element"
+	class="fm-element<?php echo $this->get_element_attributes( 'class' ); /* Escaped internally. WPCS XSS okay. */ ?>"
 	type="<?php echo esc_attr( $this->input_type ); ?>"
 	name="<?php echo esc_attr( $this->get_form_name() ); ?>"
 	id="<?php echo esc_attr( $this->get_element_id() ); ?>"

diff --git a/tests/php/test-fieldmanager-checkbox-field.php b/tests/php/test-fieldmanager-checkbox-field.php
@@ -338,4 +338,32 @@ public function test_save_group_custom_values_default_checked() {
 		$html = $this->render( $group, $this->post );
 		$this->assertNotContains( 'checked', $html );
 	}
+
+	/**
+	 * Test element attributes
+	 */
+	public function test_attributes () {
+		$checkbox = new Fieldmanager_Checkbox( array(
+			'name' => 'test_checkbox',
+			'attributes' => array(
+				'id' => 'foo',
+				'class' => 'baz',
+				'name' => 'foo',
+				'value' => 10,
+				'type' => 'text',
+				'checked' => true,
+				'data-bar' => 'bar'
+			),
+		) );
+		$html = $this->render( $checkbox, $this->post );
+		$this->assertNotContains( 'id="foo"', $html );
+		$this->assertNotContains( 'class="baz"', $html );
+		$this->assertNotContains( 'name="foo"', $html );
+		$this->assertNotContains( 'value="10"', $html );
+		$this->assertNotContains( 'type="text"', $html );
+		$this->assertNotContains( 'checked', $html );
+		$this->assertRegExp( '/class="[^"]+baz"/', $html );
+		$this->assertContains( 'data-bar="bar"', $html );
+	}
+
 }