Merge pull request #441 from Codeinwp/bugfix/pro/528

Fixed XSS vulnerability issue with tooltip text

Author: vytisbulkevicius

classes/frontend-scripts.class.php

@@ -444,6 +444,9 @@ public static function load_scripts_by_product_id( $product_id, $ppom_id = null,
 								break;
 						}
 
+						if ( ! empty( $fields_meta['description'] ) ) {
+							$fields_meta['description'] = wp_strip_all_tags( html_entity_decode( $fields_meta['description'] ) );
+						}
 						$inputs_meta_updated[] = $fields_meta;
 
 						// Conditional fields

classes/input-meta.class.php

@@ -155,7 +155,7 @@ function field_label( $tooltip = true, $desc = true, $asterisk = true ) {
 
 		$asterisk_symbol = ( ! empty( $this->required() ) && $this->title() != '' ) ? '<span class="show_required"> *</span>' : '';
 
-		$show_desc = ( ! empty( $this->desc() ) ) ? '<span class="show_description ppom-input-desc">' . $this->desc() . '</span>' : '';
+		$show_desc = ( ! empty( $this->desc() ) ) ? '<span class="show_description ppom-input-desc">' . wp_strip_all_tags( html_entity_decode( $this->desc() ) ) . '</span>' : '';
 
 		if ( $desc ) {
 			$show_desc = apply_filters( 'ppom_field_description', $show_desc, self::$input_meta );

classes/plugin.class.php

@@ -974,9 +974,10 @@ function add_ppom_meta_panel() {
 	public function show_tooltip( $description, $meta ) {
 		$input_desc = ! empty( $meta['description'] ) ? $meta['description'] : '';
 		$input_desc = apply_filters( 'ppom_description_content', stripslashes( $input_desc ), $meta );
+		$input_desc = wp_strip_all_tags( html_entity_decode( $input_desc ) );
 
 		// Check if the tooltip is enabled.
-		if ( isset( $meta['desc_tooltip'] ) && 'on' === $meta['desc_tooltip'] ) {
+		if ( ! empty( $input_desc ) && isset( $meta['desc_tooltip'] ) && 'on' === $meta['desc_tooltip'] ) {
 			$description = ( ! empty( $meta['description'] ) ) ? ' <span data-ppom-tooltip="ppom_tooltip" class="ppom-tooltip" title="' . esc_attr( $input_desc ) . '"><svg width="13px" height="13px" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path fill="currentColor" d="M504 256c0 136.997-111.043 248-248 248S8 392.997 8 256C8 119.083 119.043 8 256 8s248 111.083 248 248zM262.655 90c-54.497 0-89.255 22.957-116.549 63.758-3.536 5.286-2.353 12.415 2.715 16.258l34.699 26.31c5.205 3.947 12.621 3.008 16.665-2.122 17.864-22.658 30.113-35.797 57.303-35.797 20.429 0 45.698 13.148 45.698 32.958 0 14.976-12.363 22.667-32.534 33.976C247.128 238.528 216 254.941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"></path></svg></span>' : '';
 		}
 		return $description;

templates/frontend/inputs/divider.php

@@ -103,7 +103,18 @@
 	if ( $divider_styles == 'style1' ) {
 		if ( $fm->field_label() ) { 
 			?>
-			<h2 class="ppom-divider-with-txt ppom-divider-line ppom-divider-line-clr ppom-divider-txt"><?php echo esc_html( $fm->field_label() ); ?></h2>
+			<h2 class="ppom-divider-with-txt ppom-divider-line ppom-divider-line-clr ppom-divider-txt">
+				<?php
+				echo wp_kses(
+					$fm->field_label(),
+					array(
+						'span' => array(
+							'class' => true,
+						),
+					)
+				);
+				?>
+			</h2>
 		<?php } else { ?>
 			<hr class="ppom-divider-<?php echo esc_attr( $style1_border ); ?>">
 			<?php 
@@ -113,27 +124,71 @@
 
 	<!--Style 2-->
 	<?php if ( $divider_styles == 'style2' ) { ?>
-		<h2 class="ppom-divider-with-txt ppom-divider-gradient ppom-divider-txt"><?php echo esc_html( $fm->field_label() ); ?></h2>
+		<h2 class="ppom-divider-with-txt ppom-divider-gradient ppom-divider-txt">
+			<?php
+			echo wp_kses(
+				$fm->field_label(),
+				array(
+					'span' => array(
+						'class' => true,
+					),
+				)
+			);
+			?>
+		</h2>
 	<?php } ?>
 
 	<!--Style 3-->
 	<?php if ( $divider_styles == 'style3' ) { ?>
-		<h2 class="ppom-divider-with-txt ppom-divider-donotcross ppom-divider-txt"><?php echo esc_html( $fm->field_label() ); ?></h2>
+		<h2 class="ppom-divider-with-txt ppom-divider-donotcross ppom-divider-txt">
+			<?php
+			echo wp_kses(
+				$fm->field_label(),
+				array(
+					'span' => array(
+						'class' => true,
+					),
+				)
+			);
+			?>
+		</h2>
 	<?php } ?>
 
 	<!--Style 4-->
 	<?php if ( $divider_styles == 'style4' ) { ?>
 		<div class="ppom-divider-easy-shadow">
 			<span></span>
-			<span class="ppom-divider-txt"><?php echo esc_html( $fm->field_label() ); ?></span>
+			<span class="ppom-divider-txt">
+				<?php
+				echo wp_kses(
+					$fm->field_label(),
+					array(
+						'span' => array(
+							'class' => true,
+						),
+					)
+				);
+				?>
+			</span>
 			<span></span>
 		</div>
 	<?php } ?>
 
 	<!--Style 5-->
 	<?php if ( $divider_styles == 'style5' ) { ?>
 
-		<h1 class="ppom-divider-fancy-heading ppom-divider-txt"><?php echo esc_html( $fm->field_label() ); ?></h1>
+		<h1 class="ppom-divider-fancy-heading ppom-divider-txt">
+			<?php
+			echo wp_kses(
+				$fm->field_label(),
+				array(
+					'span' => array(
+						'class' => true,
+					),
+				)
+			);
+			?>
+		</h1>
 		<div class="ppom-divider-fancy-line">
 			<span></span>
 		</div>

templates/frontend/inputs/quantities.php

@@ -51,7 +51,16 @@
 			class="<?php echo esc_attr( $fm->label_classes() ); ?>"
 			for="<?php echo esc_attr( $fm->data_name() ); ?>"
 		>
-			<?php echo esc_html( $fm->field_label() ); ?>
+			<?php
+			echo wp_kses(
+				$fm->field_label(),
+				array(
+					'span' => array(
+						'class' => true,
+					),
+				)
+			);
+			?>
 		</label>
 	<?php endif ?>
 

templates/frontend/inputs/text.php

@@ -54,7 +54,16 @@
 			class="<?php echo esc_attr( $fm->label_classes() ); ?>"
 			for="<?php echo esc_attr( $fm->data_name() ); ?>"
 		>
-			<?php echo esc_html( $fm->field_label() ); ?>
+			<?php
+			echo wp_kses(
+				$fm->field_label(),
+				array(
+					'span' => array(
+						'class' => true,
+					),
+				)
+			);
+			?>
 		</label>
 	<?php endif ?>