Escape output in setting fields, fixes XSS CWE-79. Props @und3sc0n0c1d0
barrykooij committed Oct 13, 2022
1 parent 637a70e commit 3773339
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions classes/settings/class-settings.php
Expand Up @@ -209,13 +209,13 @@ public function do_field( $field ) {
echo '<input type="checkbox" name="' . self::PAGE . '[' . $field['id'] . ']' . '" id="' . $field['id'] . '" value="1" ' . checked( 1, $this->get_option( $field['id'] ), false ) . ' />';
break;
case 'text':
echo '<input type="text" name="' . self::PAGE . '[' . $field['id'] . ']' . '" id="' . $field['id'] . '" value="' . $this->get_option( $field['id'] ) . '" class="rp4wp-input-text" />';
echo '<input type="text" name="' . self::PAGE . '[' . $field['id'] . ']' . '" id="' . $field['id'] . '" value="' . esc_attr( $this->get_option( $field['id'] ) ) . '" class="rp4wp-input-text" />';
break;
case 'textarea':
echo '<textarea name="' . self::PAGE . '[' . $field['id'] . ']' . '" id="' . $field['id'] . '">' . $this->get_option( $field['id'] ) . '</textarea>';
echo '<textarea name="' . self::PAGE . '[' . $field['id'] . ']' . '" id="' . $field['id'] . '">' . esc_html( $this->get_option( $field['id'] ) ) . '</textarea>';
break;
case 'button_link':
echo '<a href="' . $field['href'] . '" class="button">' . $field['default'] . '</a>';
echo '<a href="' . esc_attr( $field['href'] ) . '" class="button">' . esc_html( $field['default'] ) . '</a>';
break;
}

Expand Down Expand Up @@ -297,4 +297,4 @@ public function get_option( $option ) {
return apply_filters( 'rp4wp_' . $option, isset( $options[ $option ] ) ? $options[ $option ] : false );
}

}
}
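Review bot: In the `button_link` branch the new code escapes `$field['href']` with `esc_attr()`, which only prevents the value from breaking out of the quoted attribute and does not validate it as a URL, so a non-http(s) scheme would still be written into `href`; WordPress's `esc_url()` is the escaper for that context and also strips disallowed schemes: `echo '<a href="' . esc_url( $field['href'] ) . '" class="button">' . esc_html( $field['default'] ) . '</a>';`. The same reasoning applies to `$field['id']`, which is still concatenated unescaped into the `name` and `id` attributes of the checkbox, text and textarea outputs; field ids presumably come from plugin-defined configuration rather than request input, so the exposure looks low, but wrapping them in `esc_attr()` would leave every attribute emitted by `do_field()` consistently escaped rather than relying on where the array is populated. `do_field()` begins before the hunk (its signature is only visible in the hunk header) and appears to continue past the closing brace of the `switch` shown at the end of the hunk.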
