From 240bcce33468684236968c20acc53166e7298afe Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Thu, 19 Sep 2024 12:40:12 +0300 Subject: [PATCH 1/3] Add notices --- class-two-factor-core.php | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/class-two-factor-core.php b/class-two-factor-core.php index 99033a70..eebce9c4 100644 --- a/class-two-factor-core.php +++ b/class-two-factor-core.php @@ -1821,9 +1821,21 @@ public static function user_two_factor_options( $user ) { $show_2fa_options ? '' : 'disabled="disabled"' ); - wp_nonce_field( 'user_two_factor_options', '_nonce_user_two_factor_options', false ); + $notices = []; + if ( empty( $enabled_providers ) ) { + $notices[] = __( 'Configure a primary two-factor method along with a backup method, such as Recovery Codes, to avoid being locked out if you lose access to your primary method.', 'two-factor' ); + } elseif ( 1 === count( $enabled_providers ) ) { + $notices['warning'] = __( 'To prevent being locked out of your account, consider enabling a backup method like Recovery Codes in case you lose access to your primary authentication method.', 'two-factor' ); + } + ?>

+ $notice ) : ?> +
+

+
+ + From 1225521ae22c19e363b9082b57d1a488e037b56c Mon Sep 17 00:00:00 2001 From: Kaspars Dambis Date: Thu, 19 Sep 2024 13:29:01 +0300 Subject: [PATCH 2/3] Add the default notice as a permanent information Collect all warnings into same place --- class-two-factor-core.php | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/class-two-factor-core.php b/class-two-factor-core.php index eebce9c4..78525089 100644 --- a/class-two-factor-core.php +++ b/class-two-factor-core.php @@ -1788,6 +1788,8 @@ public static function manage_users_custom_column( $output, $column_name, $user_ * @param WP_User $user WP_User object of the logged-in user. */ public static function user_two_factor_options( $user ) { + $notices = []; + wp_enqueue_style( 'user-edit-2fa', plugins_url( 'user-edit.css', __FILE__ ), array(), TWO_FACTOR_VERSION ); $enabled_providers = array_keys( self::get_available_providers_for_user( $user ) ); @@ -1803,16 +1805,16 @@ public static function user_two_factor_options( $user ) { $show_2fa_options = self::current_user_can_update_two_factor_options(); if ( ! $show_2fa_options ) { - $url = self::get_user_two_factor_revalidate_url(); - $url = add_query_arg( 'redirect_to', urlencode( self::get_user_settings_page_url( $user->ID ) . '#two-factor-options' ), $url ); + $url = add_query_arg( + 'redirect_to', + urlencode( self::get_user_settings_page_url( $user->ID ) . '#two-factor-options' ), + self::get_user_two_factor_revalidate_url() + ); - printf( - '
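Review bot: The `wp_nonce_field( 'user_two_factor_options', '_nonce_user_two_factor_options', false );` call is removed at the top of the first patch's hunk, and none of the added lines that are still legible prints it again. The template lines at the end of that hunk did not survive in this copy of the page, so the call may simply have moved below the notices loop; that needs confirming against the file. If the field were dropped, the profile form would be submitted without `_nonce_user_two_factor_options`, and the request-forgery check on saving two-factor options (done outside this hunk) would have nothing to verify. user_two_factor_options() starts and ends outside the hunk.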

%s

', - sprintf( - __( 'To update your Two-Factor options, you must first revalidate your session.', 'two-factor' ) . - '
' . __( 'Revalidate now', 'two-factor' ) . '', + $notices['warning two-factor-warning-revalidate-session'] = sprintf( + esc_html__( 'To update your Two-Factor options, you must first revalidate your session.', 'two-factor' ) . + ' ' . esc_html__( 'Revalidate now', 'two-factor' ) . '', esc_url( $url ) - ) ); } @@ -1821,20 +1823,19 @@ public static function user_two_factor_options( $user ) { $show_2fa_options ? '' : 'disabled="disabled"' ); - $notices = []; - if ( empty( $enabled_providers ) ) { - $notices[] = __( 'Configure a primary two-factor method along with a backup method, such as Recovery Codes, to avoid being locked out if you lose access to your primary method.', 'two-factor' ); - } elseif ( 1 === count( $enabled_providers ) ) { - $notices['warning'] = __( 'To prevent being locked out of your account, consider enabling a backup method like Recovery Codes in case you lose access to your primary authentication method.', 'two-factor' ); + if ( 1 === count( $enabled_providers ) ) { + $notices['warning two-factor-warning-suggest-backup'] = esc_html__( 'To prevent being locked out of your account, consider enabling a backup method like Recovery Codes in case you lose access to your primary authentication method.', 'two-factor' ); } - ?>
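Review bot: The new `$notices['warning two-factor-warning-revalidate-session'] = sprintf( esc_html__( … ) … )` entry is escaped when it is built rather than when it is printed, and nothing in the hunk records that contract. Every value in `$notices` now has to be output-safe HTML and every key doubles as a space-separated class list, so a notice added later with plain `__()` or with user-derived text would reach the page unescaped. I would document this where `$notices` is initialised, e.g. `// Keys: space-separated CSS classes. Values: HTML already escaped for output.` The printing loop is not legible in this copy; if the series does not already do so, it should pass the key through `esc_attr()` and the value through `wp_kses_post()`. user_two_factor_options() starts and ends outside the hunk.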

$notice ) : ?>
-

+

+

+ +
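Review bot: The `1 === count( $enabled_providers )` check treats any single provider as the primary method, so the backup suggestion would also appear when the only configured provider is itself a backup method such as Recovery Codes. `$enabled_providers` is filled from `get_available_providers_for_user()` earlier in the function, outside this hunk, so whether that case can occur has to be confirmed there. A comment on the branch would make the assumption explicit: `// Exactly one provider configured; assumes it is a primary method, not backup codes.`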

From 2284d6a37c7f106a1b275900d6d53db675129bbb Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Mon, 2 Dec 2024 12:22:44 +0200
Subject: [PATCH 3/3] Add additional escaping just in case
---
 class-two-factor-core.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 78525089..f0204378 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1830,7 +1830,7 @@ public static function user_two_factor_options( $user ) {

$notice ) : ?>
-

+