Merge pull request #39 from Bynder/feature/GC-5171

[GC-5171] Variables and options must be escaped when echo'd
Bynder · Jul 16, 2024 · 26292b6 · 26292b6
2 parents e63ecd4 + b67d1ef
commit 26292b6
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/includes/classes/admin/mapping/field-types/base.php b/includes/classes/admin/mapping/field-types/base.php
@@ -65,17 +65,17 @@ public function e_type_id() {
 	}
 
 	public function option_underscore_template( View $view ) {
-		$option = '<option <# if ( "' . $this->type_id() . '" === data.field_type ) { #>selected="selected"<# } #> value="' . $this->type_id() . '">' . $this->option_label . '</option>';
+		$option = '<option <# if ( "' . esc_html($this->type_id()) . '" === data.field_type ) { #>selected="selected"<# } #> value="' . esc_html($this->type_id()) . '">' . esc_html($this->option_label) . '</option>';
 
 		if ( $types = $this->get_supported_types() ) {
 			$option = '<# if ( data.type in ' . $types . ' ) { #>' . $option . '<# } #>';
 		}
 
 		/**
-		 * This is not escaped as it can contain various tags that we know are safe.
+		 * We force strip the script tags to avoid as XSS attacks.
+		 * We are unable to use wp_kses as it doesn't handle the <# #> tags correctly and strips the end tag.
 		 */
-		// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
-		echo "\n\t" . $option;
+		echo "\n\t" . preg_replace("/<script.*?\/script>/s", "", $option)
 	}
 
 	public function underscore_options( $array ) {