Updates with code review changes

picandocodigo · picandocodigo · commit c43ab7a4149e · 2026-02-16T20:06:58.000Z
diff --git a/include/lcp-catlist.php b/include/lcp-catlist.php
@@ -344,7 +344,8 @@ public function get_posts_terms($single, $tax) {
   private function get_pt_params($tax) {
     $taxonomies = ['cat' => 'category', 'tag' => 'post_tag'];
     $slug =  array_key_exists($tax, $taxonomies) ? $taxonomies[$tax] : '';
-    if ($this->params["posts_{$tax}s_inner"] == 'script' ) {
+    if ( !empty( $this->params["posts_{$tax}s_inner"] ) &&
+         strtolower( tag_escape( $this->params["posts_{$tax}s_inner"] ) ) == 'script' ) {
       $this->params["posts_{$tax}s_inner"] = null;
     }
     $this->params["posts_{$tax}s_inner"] = sanitize_text_field($this->params["posts_{$tax}s_inner"]);
diff --git a/include/lcp-thumbnail.php b/include/lcp-thumbnail.php
@@ -58,7 +58,7 @@ public function get_thumbnail($single, $thumbnail, $thumbnail_size, $force_thumb
 
         $lcp_thumbnail .= '<img src="' . esc_url($imgMatches[1]) . '" ';
         if ( $lcp_thumb_class != null ) {  // thumbnail class passed as parameter to shortcode
-          $lcp_thumbnail .= 'class="' . esc_html($lcp_thumb_class) . '" ';
+          $lcp_thumbnail .= 'class="' . LcpUtils::sanitize_html_classes($lcp_thumb_class) . '" ';
         }
         else { // Otherwise, use this class name
           $lcp_thumbnail .= 'class="lcp_thumbnail" ';
@@ -74,7 +74,7 @@ public function get_thumbnail($single, $thumbnail, $thumbnail_size, $force_thumb
 
   private function check_youtube_thumbnail($single, $lcp_thumb_class){
     $content = $single->content;
-    
+
     # youtube.com/watch?v=id
     $yt_pattern = '/([a-zA-Z0-9\-\_]+\.|)youtube\.com\/watch(\?v\=|\/v\/)([a-zA-Z0-9\-\_]{11})([^<\s]*)/';
     # youtube.com/v[id]
@@ -96,7 +96,7 @@ private function check_youtube_thumbnail($single, $lcp_thumb_class){
       $lcp_ytimage = '<img src="' . $imageurl . '" alt="' . $single->post_title . '" />';
 
       if ($lcp_thumb_class != null){
-        $thmbn_class = ' class="' . esc_html($lcp_thumb_class) . '" />';
+        $thmbn_class = ' class="' . LcpUtils::sanitize_html_classes($lcp_thumb_class) . '" />';
         $lcp_ytimage = preg_replace("/\>/", $thmbn_class, $lcp_ytimage);
       }
       return '<a href="' . get_permalink($single->ID).'">' . $lcp_ytimage . '</a>';
