Security fixes

lloc · lloc · commit 6613f79e3a10 · 2024-09-23T16:16:12.000+02:00
diff --git a/includes/MslsPostTag.php b/includes/MslsPostTag.php
@@ -160,7 +160,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo
 
 			$this->maybe_set_linked_term( $mydata );
 
-			printf( $title_format, esc_html( $this->get_select_title() ), esc_attr( $type ) );
+			printf( wp_kses_post( $title_format ), esc_html( $this->get_select_title() ), esc_attr( $type ) );
 
 			foreach ( $blogs as $blog ) {
 				switch_to_blog( $blog->userblog_id );
@@ -179,7 +179,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo
 					}
 				}
 
-				printf( $item_format, esc_attr( $blog->userblog_id ), $icon, esc_attr( $language ), esc_attr( $value ), esc_attr( $title ) );
+				printf( wp_kses_post( $item_format ), esc_attr( $blog->userblog_id ), $icon, esc_attr( $language ), esc_attr( $value ), esc_attr( $title ) );
 
 				restore_current_blog();
 			}

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo`
`160`	`160`
`161`	`161`	`$this->maybe_set_linked_term( $mydata );`
`162`	`162`
`163`		`- printf( $title_format, esc_html( $this->get_select_title() ), esc_attr( $type ) );`
	`163`	`+ printf( wp_kses_post( $title_format ), esc_html( $this->get_select_title() ), esc_attr( $type ) );`
`164`	`164`
`165`	`165`	`foreach ( $blogs as $blog ) {`
`166`	`166`	`switch_to_blog( $blog->userblog_id );`
`@@ -179,7 +179,7 @@ public function the_input( ?\WP_Term $tag, string $title_format, string $item_fo`
`179`	`179`	`}`
`180`	`180`	`}`
`181`	`181`
`182`		`- printf( $item_format, esc_attr( $blog->userblog_id ), $icon, esc_attr( $language ), esc_attr( $value ), esc_attr( $title ) );`
	`182`	`+ printf( wp_kses_post( $item_format ), esc_attr( $blog->userblog_id ), $icon, esc_attr( $language ), esc_attr( $value ), esc_attr( $title ) );`
`183`	`183`
`184`	`184`	`restore_current_blog();`
`185`	`185`	`}`