From 37733398dd88863fc0bdb3d6d378598429fd0b81 Mon Sep 17 00:00:00 2001
From: Barry Kooij <barrykooij@users.noreply.github.com>
Date: Thu, 13 Oct 2022 14:33:29 +0200
Subject: [PATCH] Escape output in setting fields, fixes XSS CWE-79. Props
 @und3sc0n0c1d0

---
 classes/settings/class-settings.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/classes/settings/class-settings.php b/classes/settings/class-settings.php
index 457e631..52bfc76 100644
--- a/classes/settings/class-settings.php
+++ b/classes/settings/class-settings.php
@@ -209,13 +209,13 @@ public function do_field( $field ) {
 				echo '<input type="checkbox" name="' . self::PAGE . '[' . $field['id'] . ']' . '" id="' . $field['id'] . '" value="1" ' . checked( 1, $this->get_option( $field['id'] ), false ) . ' />';
 				break;
 			case 'text':
-				echo '<input type="text" name="' . self::PAGE . '[' . $field['id'] . ']' . '" id="' . $field['id'] . '" value="' . $this->get_option( $field['id'] ) . '" class="rp4wp-input-text" />';
+				echo '<input type="text" name="' . self::PAGE . '[' . $field['id'] . ']' . '" id="' . $field['id'] . '" value="' . esc_attr( $this->get_option( $field['id'] ) ) . '" class="rp4wp-input-text" />';
 				break;
 			case 'textarea':
-				echo '<textarea name="' . self::PAGE . '[' . $field['id'] . ']' . '" id="' . $field['id'] . '">' . $this->get_option( $field['id'] ) . '</textarea>';
+				echo '<textarea name="' . self::PAGE . '[' . $field['id'] . ']' . '" id="' . $field['id'] . '">' . esc_html( $this->get_option( $field['id'] ) ) . '</textarea>';
 				break;
 			case 'button_link':
-				echo '<a href="' . $field['href'] . '" class="button">' . $field['default'] . '</a>';
+				echo '<a href="' . esc_attr( $field['href'] ) . '" class="button">' . esc_html( $field['default'] ) . '</a>';
 				break;
 		}
 
@@ -297,4 +297,4 @@ public function get_option( $option ) {
 		return apply_filters( 'rp4wp_' . $option, isset( $options[ $option ] ) ? $options[ $option ] : false );
 	}
 
-}
\ No newline at end of file
+}