release: fixes

- Enhanced security
Codeinwp · Jan 9, 2025 · 36bf483 · 36bf483
2 parents d316676 + 9943337
commit 36bf483
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 12 deletions.
diff --git a/composer.lock b/composer.lock
diff --git a/obfx_modules/elementor-extra-widgets/widgets/elementor/pricing-table.php b/obfx_modules/elementor-extra-widgets/widgets/elementor/pricing-table.php
@@ -1021,7 +1021,7 @@ protected function render() {
 		//      $this->add_render_attribute( 'button_icon', 'class', $settings['button_icon'] );
 		$this->add_render_attribute( 'button_icon_align', 'class', 'obfx-button-icon-align-' . $settings['button_icon_align'] );
 		if ( ! empty( $settings['button_link']['url'] ) ) {
-			$this->add_render_attribute( 'button', 'href', $settings['button_link']['url'] );
+			$this->add_render_attribute( 'button', 'href', esc_url( $settings['button_link']['url'] ) );
 
 			if ( ! empty( $settings['button_link']['is_external'] ) ) {
 				$this->add_render_attribute( 'button', 'target', '_blank' );
@@ -1039,23 +1039,25 @@ protected function render() {
 			$output .= '<div class="obfx-title-wrapper">';
 			if ( ! empty( $settings['title'] ) ) {
 				// Start of title tag.
-				$output .= '<' . esc_html( $settings['title_tag'] ) . ' ' . $this->get_render_attribute_string( 'title' ) . '>';
+				$title_tag = $this->sanitize_tag( $settings['title_tag'] );
+				$output   .= '<' . esc_html( $title_tag ) . ' ' . $this->get_render_attribute_string( 'title' ) . '>';
 
 				// Title string.
 				$output .= esc_html( $settings['title'] );
 
 				// End of title tag.
-				$output .= '</' . esc_html( $settings['title_tag'] ) . '>';
+				$output .= '</' . esc_html( $title_tag ) . '>';
 			}
 			if ( ! empty( $settings['subtitle'] ) ) {
 				// Start of subtitle tag.
-				$output .= '<' . esc_html( $settings['subtitle_tag'] ) . ' ' . $this->get_render_attribute_string( 'subtitle' ) . '>';
+				$subtitle_tag = $this->sanitize_tag( $settings['subtitle_tag'] );
+				$output      .= '<' . esc_html( $subtitle_tag ) . ' ' . $this->get_render_attribute_string( 'subtitle' ) . '>';
 
 				// Subtitle string.
 				$output .= esc_html( $settings['subtitle'] );
 
 				// End of subtitle tag.
-				$output .= '</' . esc_html( $settings['subtitle_tag'] ) . '>';
+				$output .= '</' . esc_html( $subtitle_tag ) . '>';
 
 			}
 
@@ -1157,5 +1159,16 @@ private function display_button_icon( $settings ) {
 		}
 		return $output;
 	}
+
+	/**
+	 * Sanitize html tags.
+	 *
+	 * @param string $tag HTML tagname.
+	 *
+	 * @return string
+	 */
+	private function sanitize_tag( $tag ) {
+		return in_array( $tag, array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p' ), true ) ? $tag : 'h1';
+	}
 }