From b67d1efa13952c5e0fa11c78ab46937a720aadb2 Mon Sep 17 00:00:00 2001
From: Chris Normansell
Date: Tue, 16 Jul 2024 11:08:29 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Added=20more=20escaping?=
 =?UTF-8?q?=20to=20ensure=20there's=20no=20XSS=20attacks?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 includes/classes/admin/mapping/field-types/base.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/includes/classes/admin/mapping/field-types/base.php b/includes/classes/admin/mapping/field-types/base.php
index 8c4ad3f..776cb54 100644
--- a/includes/classes/admin/mapping/field-types/base.php
+++ b/includes/classes/admin/mapping/field-types/base.php
@@ -65,17 +65,17 @@ public function e_type_id() {
 }
 public function option_underscore_template( View $view ) {
- $option = '';
+ $option = '';
 if ( $types = $this->get_supported_types() ) {
 $option = '<# if ( data.type in ' . $types . ' ) { #>' . $option . '<# } #>';
 }
 /**
- * This is not escaped as it can contain various tags that we know are safe.
+ * We force strip the script tags to avoid as XSS attacks.
+ * We are unable to use wp_kses as it doesn't handle the <# #> tags correctly and strips the end tag.
 */
- // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
- echo "\n\t" . $option;
+ echo "\n\t" . preg_replace("//s", "", $option)
 }
 public function underscore_options( $array ) {
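Review bot: The new `echo "\n\t" . preg_replace("//s", "", $option)` line has no terminating `;` before the closing `}` of `option_underscore_template`, which is a parse error unless the rendering dropped it, and the pattern as shown is `//s`, which matches only the empty string and strips nothing — if the `<script>` tag text inside the pattern (and the `<option>` markup on the otherwise identical `$option = '';` lines) was lost in rendering this is a display artifact, otherwise the filter is a no-op. Even with the intended pattern, removing a single tag name by regex is a denylist and still emits the rest of `$option`, including the `$types` value interpolated into the `data.type in …` JavaScript expression, unescaped. Escaping the dynamic pieces where they are concatenated — `wp_json_encode( $types )` for the JS expression and `esc_attr()`/`esc_html()` for any option text — while keeping the `<# #>` markers as trusted literals gives a whitelist-style guarantee and sidesteps the `wp_kses` limitation the comment describes; the comment would then read `We escape each dynamic value at the point of concatenation; wp_kses cannot be used on the assembled string because it mangles the <# #> template tags.` The new comment also has a typo: `to avoid as XSS attacks` should be `to avoid XSS attacks`.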