Merge pull request #88 from TycheSoftwares/Fix-#87

Fixed Stored Cross-Site Scripting via Shortcode
TycheSoftwares · Oct 17, 2024 · bfe4090 · bfe4090
2 parents 0c674f3 + 0e541ae
commit bfe4090
Showing 1 changed file with 49 additions and 29 deletions.
diff --git a/includes/shortcodes.php b/includes/shortcodes.php
@@ -441,52 +441,72 @@ function box_arconix_shortcode( $atts, $content = null ) {
  * @return string
  */
 function button_arconix_shortcode( $atts, $content = null ) {
-    $defaults = apply_filters( 'arconix_button_shortcode_args', array(
-        'size' => 'medium',
-        'color' => 'gray',
-        'url' => '#',
-        'target' => '',
-        'rel' => '',
-        'title' => '',
-        'icon' => '',
-        'icon_size' => '',
-        'style' => ''
-    ) );
+    $defaults = apply_filters(
+        'arconix_button_shortcode_args',
+        array(
+            'size'      => 'medium',
+            'color'     => 'gray',
+            'url'       => '#',
+            'target'    => '',
+            'rel'       => '',
+            'title'     => '',
+            'icon'      => '',
+            'icon_size' => '',
+            'style'     => '',
+        )
+    );
     extract( shortcode_atts( $defaults, $atts, 'arconix_button' ) );
 
+    // Sanitize input.
+    $url       = esc_url( $url );
+    $size      = sanitize_html_class( $size );
+    $color     = sanitize_html_class( $color );
+    $rel       = sanitize_text_field( $rel );
+    $title     = sanitize_text_field( $title );
+    $icon      = sanitize_text_field( $icon );
+    $icon_size = sanitize_text_field( $icon_size );
+    $style     = sanitize_text_field( $style );
+
+    // Set target attribute.
     switch( $target ) {
-        case "_blank":
-        case "blank":
-            $target = ' target="_blank" ';
-            break;
+        case '_blank':
+        case 'blank':
+        $target = ' target="_blank" ';
+        break;
         default:
-            $target = '';
-            break;
+        $target = '';
+        break;
     }
 
-    if ( $rel ) $rel = ' rel="' . esc_attr( $rel ) . '"';
-    if ( $title ) $rel = ' title="' . esc_attr ( $title ) . '"';
-
-    if ( $icon ) $icon = "<i class='fa {$icon_size} {$icon}'></i>";
+    // Build optional attributes.
+    $rel   = $rel ? ' rel="' . esc_attr( $rel ) . '"' : '';
+    $title = $title ? ' title="' . esc_attr( $title ) . '"' : '';
+    $icon  = $icon ? "<i class='fa " . esc_attr( $icon_size ) . " " . esc_attr( $icon ) . "'></i>" : '';
 
+    // Determine button style class.
     switch ( $style ) {
         case 'flat':
         case 'clear':
             $button = 'arconix-button-' . $style;
             break;
-
         default:
             $button = 'arconix-button';
             break;
     }
 
-    // Properly escape our data
-    $url = esc_url( $url );
-    $size = sanitize_html_class( $size );
-    $color = sanitize_html_class( $color );
-
-    $r = "<a href='{$url}' class='{$button} arconix-button-{$size} arconix-button-{$color}'{$title}{$rel}{$target}>{$icon}{$content}</a>";
-
+    // Build the final output.
+    $r = sprintf(
+        "<a href='%s' class='%s %s %s'%s%s%s>%s%s</a>",
+        esc_url( $url ),
+        esc_attr( $button ),
+        esc_attr( "arconix-button-{$size}" ),
+        esc_attr( "arconix-button-{$color}" ),
+        $title,
+        $rel,
+        $target,
+        $icon,
+        esc_html( $content ) // Escaping content
+    );
     return apply_filters( 'arconix_button_return', $r );
 }