From a6fe4216d5651bf133fcfbb9282d8b13e868c887 Mon Sep 17 00:00:00 2001 From: "alex.oakland" Date: Thu, 13 Jun 2024 14:59:46 +0100 Subject: [PATCH 1/3] No longer escaping table col options --- includes/classes/admin/mapping/field-types/database.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/includes/classes/admin/mapping/field-types/database.php b/includes/classes/admin/mapping/field-types/database.php index cbb0707f..2167c8e6 100644 --- a/includes/classes/admin/mapping/field-types/database.php +++ b/includes/classes/admin/mapping/field-types/database.php @@ -148,7 +148,11 @@ class="cw-column-selector" getAllTableColOptions() ) ); + /** + * This is not escaped as it can contain various tags that we know are safe. + */ + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped + echo implode( '\r\n', $this->getAllTableColOptions() ); ?> From 5f0a5671d164e982579a806e27a5c702eece04c9 Mon Sep 17 00:00:00 2001 From: "alex.oakland" Date: Thu, 13 Jun 2024 16:45:27 +0100 Subject: [PATCH 2/3] Escaping like --- includes/classes/admin/mapping/field-types/acf.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/includes/classes/admin/mapping/field-types/acf.php b/includes/classes/admin/mapping/field-types/acf.php index 31f770d6..46c9789d 100644 --- a/includes/classes/admin/mapping/field-types/acf.php +++ b/includes/classes/admin/mapping/field-types/acf.php @@ -53,11 +53,11 @@ public function underscore_template( View $view ) { }, $groupIds ) ); // Prepare and execute query to get all fields for all groups + $wild = '%' . $wpdb->esc_like( 'repeater' ) . '%'; $fields_results = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE post_type = 'acf-field' AND post_content LIKE %s AND post_parent IN ($groupIdPlaceholders)", - '%' . $wpdb->esc_like('repeater') . '%', - $groupIds + array_merge( $wild, $groupIds ) ) ); From 3bfb117d37e516a4a173a7b04609c52ca7eeda90 Mon Sep 17 00:00:00 2001 
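Review bot: The new `echo implode( '\r\n', $this->getAllTableColOptions() );` joins the options with the literal four characters `\r\n`, not a line break, because single-quoted PHP strings do not interpret `\r`/`\n`; it should read `echo implode( "\n", $this->getAllTableColOptions() );`. The `phpcs:ignore` moves the output-escaping responsibility into `getAllTableColOptions()`, but the added comment only asserts that the output is safe; it should say where each option's attribute values and label text are escaped (a form such as `// Each option's value and label are escaped in getAllTableColOptions(); nothing untrusted reaches this echo.`), and if that method does not escape them this hunk is an escaping regression rather than a cleanup. The removed line is not legible in this collapsed view, and the enclosing template runs outside the hunk.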
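Review bot: `array_merge( $wild, $groupIds )` on the added line passes a string as its first argument, which PHP 8 rejects with a TypeError (PHP 7 emits a warning and yields null, so `prepare()` receives no arguments); the third patch in this series already corrects it to `array_merge( [ $wild ], $groupIds )`, so nothing further is needed there. What the new `$wild` line still lacks is a note that `esc_like()` only neutralises the `%`/`_` LIKE wildcards and does no SQL quoting — that comes from the `%s` placeholder in `prepare()` — e.g. `// esc_like() only escapes LIKE wildcards; the %s placeholder does the SQL quoting.`, and a name such as `$repeaterPattern` would say what the value is. `$groupIdPlaceholders` is interpolated straight into the query string; the truncated `}, $groupIds ) );` context line suggests it is a generated placeholder list built from `$groupIds`, which is the intended pattern, but it is worth confirming it never carries the ids themselves. `underscore_template()` begins before and ends after this hunk.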
From: "alex.oakland" Date: Thu, 13 Jun 2024 17:01:53 +0100 Subject: [PATCH 3/3] Handling for escaping like for WordPress stuff --- includes/classes/admin/mapping/field-types/acf.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/classes/admin/mapping/field-types/acf.php b/includes/classes/admin/mapping/field-types/acf.php index 46c9789d..ceb5033f 100644 --- a/includes/classes/admin/mapping/field-types/acf.php +++ b/includes/classes/admin/mapping/field-types/acf.php @@ -57,7 +57,7 @@ public function underscore_template( View $view ) { $fields_results = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE post_type = 'acf-field' AND post_content LIKE %s AND post_parent IN ($groupIdPlaceholders)", - array_merge( $wild, $groupIds ) + array_merge( [ $wild ], $groupIds ) ) );
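Review bot: The new `array_merge( [ $wild ], $groupIds )` line relies on the argument order matching the placeholder order in the query above it — the `%s` for the LIKE pattern first, then one value per placeholder in `IN ($groupIdPlaceholders)` — and nothing says so; a comment such as `// Argument order must match placeholder order: the LIKE pattern, then the group ids for IN (...).` would protect the next edit. If `$groupIds` can be empty (its construction is outside the hunk), `$groupIdPlaceholders` is presumably empty too and the query becomes `IN ()`, which is invalid SQL and would surface only through `$wpdb->last_error` rather than fail loudly; it is worth confirming that an early return on an empty `$groupIds` exists before the query. `underscore_template()` begins before and ends after this hunk.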