From 2ccfcc2422afdf6e0665cdc87dccc57275bec334 Mon Sep 17 00:00:00 2001 From: stiofan Date: Mon, 15 Apr 2024 21:29:55 +0100 Subject: [PATCH] 2.3.49 --- geodirectory.php | 4 ++-- .../api/class-geodir-rest-post-tags-controller.php | 4 ++-- includes/class-geodir-ajax.php | 10 +++++----- includes/widgets/class-geodir-widget-categories.php | 8 ++++++-- includes/widgets/class-geodir-widget-listings.php | 4 ++++ includes/widgets/class-geodir-widget-page-title.php | 13 +++---------- .../widgets/class-geodir-widget-single-tabs.php | 4 ++++ readme.txt | 5 ++++- 8 files changed, 30 insertions(+), 22 deletions(-) diff --git a/geodirectory.php b/geodirectory.php index 5fad114ef..82e004c90 100644 --- a/geodirectory.php +++ b/geodirectory.php @@ -11,7 +11,7 @@ * Plugin Name: GeoDirectory * Plugin URI: https://wpgeodirectory.com/ * Description: GeoDirectory - Business Directory Plugin for WordPress. - * Version: 2.3.48 + * Version: 2.3.49 * Author: AyeCode - WordPress Business Directory Plugins * Author URI: https://wpgeodirectory.com * Text Domain: geodirectory @@ -34,7 +34,7 @@ final class GeoDirectory { * * @var string */ - public $version = '2.3.48'; + public $version = '2.3.49'; /** * GeoDirectory instance. diff --git a/includes/api/class-geodir-rest-post-tags-controller.php b/includes/api/class-geodir-rest-post-tags-controller.php index ce7bbe0d2..41f6403c8 100644 --- a/includes/api/class-geodir-rest-post-tags-controller.php +++ b/includes/api/class-geodir-rest-post-tags-controller.php @@ -39,14 +39,14 @@ public function prepare_item_for_response( $item, $request ) { if ( ! empty( $schema['properties']['id'] ) ) { $data['id'] = (int) $item->term_id; } - + if ( ! empty( $schema['properties']['name'] ) ) { $data['name'] = $item->name; } if ( ! empty( $schema['properties']['slug'] ) ) { $data['slug'] = $item->slug; - } + } if ( ! empty( $schema['properties']['taxonomy'] ) ) { $data['taxonomy'] = $this->taxonomy; 
diff --git a/includes/class-geodir-ajax.php b/includes/class-geodir-ajax.php index 6388c1f25..8d1970f33 100644 --- a/includes/class-geodir-ajax.php +++ b/includes/class-geodir-ajax.php @@ -222,25 +222,25 @@ public static function manual_map() { echo geodir_get_template_html( $template, $tmpl_args ); } else { - echo ""; + echo ""; include_once( GEODIRECTORY_PLUGIN_DIR . 'templates/map.php' ); } ?> - - + +
+ onclick="if(jQuery('#').val()==''){alert('');}else{jQuery(window).triggerHandler('', [jQuery('#').val(), jQuery('#').val()]);}">
+ onclick="if(jQuery('#').val()==''){alert('');}else{jQuery(window).triggerHandler('', [jQuery('#').val(), jQuery('#').val()]);}"> output_html( $widget_args, $instance ); diff --git a/includes/widgets/class-geodir-widget-page-title.php b/includes/widgets/class-geodir-widget-page-title.php index 866266fea..cfa58b517 100644 --- a/includes/widgets/class-geodir-widget-page-title.php +++ b/includes/widgets/class-geodir-widget-page-title.php @@ -217,19 +217,12 @@ public function output( $instance = array(), $args = array(), $content = '' ) { $instance['font_size_class'] = 'h1'; } + // sanitize tag + $instance['tag'] = in_array( $instance['tag'], array( 'h1', 'h2', 'h3', 'div' ), true ) ? esc_attr( $instance['tag'] ) : 'h1'; + $design_style = geodir_design_style(); $block_preview = $this->is_block_content_call(); $output = ''; -// if ( $this->is_preview() ) { -// return $output; -// } - - // No GD page -// if ( ! geodir_is_geodir_page() && !$block_preview ) { -// return; -// } - - // Title container class $container_class = 'geodir-page-title-wrap geodir-page-title-' . sanitize_html_class( $instance['tag'] ); diff --git a/includes/widgets/class-geodir-widget-single-tabs.php b/includes/widgets/class-geodir-widget-single-tabs.php index 2c7fb8478..f0fdc5755 100644 --- a/includes/widgets/class-geodir-widget-single-tabs.php +++ b/includes/widgets/class-geodir-widget-single-tabs.php @@ -323,6 +323,10 @@ public function output( $args = array(), $widget_args = array(), $content = '' ) */ $args = wp_parse_args( $args, $defaults ); + // sanitize heading_tag + $allowed_tags = array( 'h2', 'h3', 'h4' ); + $args['heading_tag'] = in_array( $args['heading_tag'], $allowed_tags, true ) ? esc_attr( $args['heading_tag'] ) : 'h2'; + // Check if we have been here before $tabs_array = ! empty( $gd_single_tabs_array ) ? $gd_single_tabs_array : array(); diff --git a/readme.txt b/readme.txt index 18b2b11ec..c314c6910 100644 --- a/readme.txt +++ b/readme.txt 
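Review bot: The `esc_attr()` call on the added `$instance['tag']` line is a no-op once the strict `in_array()` match has passed, and it reads as if escaping were the defence. The value is presumably emitted as an element name later in output() (outside the hunk; only `sanitize_html_class( $instance['tag'] )` is visible here), and in that position only the allowlist protects the markup. I would drop the call and record the reason in the comment: `// 'tag' becomes an element name, so it is allowlisted rather than escaped` above `$instance['tag'] = in_array( $instance['tag'], array( 'h1', 'h2', 'h3', 'div' ), true ) ? $instance['tag'] : 'h1';`. The same applies to the `heading_tag` line in the single-tabs hunk. The start of output() is also outside the hunk, so if defaults are not merged before this line, the read should be guarded with `isset( $instance['tag'] )` (the readme still declares PHP 5.6, so not `??`).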
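Review bot: This is the second hand-written copy of the tag allowlist in the patch, and the two copies differ in both list and fallback: `h2`/`h3`/`h4` falling back to `'h2'` here, `h1`/`h2`/`h3`/`div` falling back to `'h1'` in the page-title widget. The diffstat shows the categories and listings widgets were changed as well, but their hunks are not readable on this page. A single shared helper taking the value, the allowed list and the fallback would keep the copies from drifting, and would give one place for a regression test that passes a tag value containing markup. The fallback is also a literal; if `$defaults` (defined above the hunk) has a `heading_tag` entry, `: $defaults['heading_tag']` would keep the fallback and the documented default in step.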
@@ -4,7 +4,7 @@ Donate link: https://wpgeodirectory.com Tags: business directory, listings, directory plugin, classifieds, directory Requires at least: 4.5 Tested up to: 6.5 -Stable tag: 2.3.48 +Stable tag: 2.3.49 Requires PHP: 5.6 License: GPLv3 License URI: http://www.gnu.org/licenses/gpl-3.0.html @@ -306,6 +306,9 @@ We don't offer free trials, but we have a 30-day money-back guarantee if you are __WARNING: GDv2 is a significant update over GDv1 and may require manual work, such as adding widgets to sidebars to recreate your current layout. As always, we recommend trying this on a staging site first. [Learn more](https://docs.wpgeodirectory.com/article/260-upgrading-from-gdv1-to-gdv2)__ += GeoDirectory v2.3.49 - 2024-04-15 = +* Extra sanitization for shortcode tag selectors, contributor+ user with details template access could potentially output JS code - FIXED/SECURITY + = GeoDirectory v2.3.48 - 2024-04-11 = * UK regions can sometime contain "Council", we now remove this by default - CHANGED * SD and AUI packages updated to latest - UPDATED