AST-4336 - Fixed - Cross site scripting (XSS) issue in Astra Widget p…

…lugin. (#71) * chore:fixed cross site scripting issue * chore:pot file updated and version bump and minified command run * chore:PHP warning by adding a check for the existence of the 'link' key in the social profiles widget
brainstormforce · Oct 9, 2024 · f87dd4b · f87dd4b
1 parent cba91ce
commit f87dd4b
Show file tree

Hide file tree

Showing 11 changed files with 109 additions and 93 deletions.
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@
 **Requires at least:** 4.7
 **Tested up to:** 6.6
 **Requires PHP:** 5.2
-**Stable tag:** 1.2.14
+**Stable tag:** 1.2.15
 **License:** GPLv2 or later
 **License URI:** http://www.gnu.org/licenses/gpl-2.0.html
 

diff --git a/assets/js/minified/astra-widget-list-icons.min.js b/assets/js/minified/astra-widget-list-icons.min.js
diff --git a/assets/js/minified/astra-widget-social-profiles.min.js b/assets/js/minified/astra-widget-social-profiles.min.js
diff --git a/assets/js/minified/astra-widgets-backend.min.js b/assets/js/minified/astra-widgets-backend.min.js
diff --git a/astra-widgets.php b/astra-widgets.php
@@ -3,7 +3,7 @@
  * Plugin Name: Astra Widgets
  * Plugin URI: https://wpastra.com/
  * Description: The Fastest Way to Add More Widgets into Your WordPress Website.
- * Version: 1.2.14
+ * Version: 1.2.15
  * Author: Brainstorm Force
  * Author URI: https://www.brainstormforce.com
  * Text Domain: astra-widgets
@@ -25,7 +25,7 @@
 define( 'ASTRA_WIDGETS_BASE', plugin_basename( ASTRA_WIDGETS_FILE ) );
 define( 'ASTRA_WIDGETS_DIR', plugin_dir_path( ASTRA_WIDGETS_FILE ) );
 define( 'ASTRA_WIDGETS_URI', plugins_url( '/', ASTRA_WIDGETS_FILE ) );
-define( 'ASTRA_WIDGETS_VER', '1.2.14' );
+define( 'ASTRA_WIDGETS_VER', '1.2.15' );
 define( 'ASTRA_WIDGETS_TEMPLATE_DEBUG_MODE', false );
 
 require_once ASTRA_WIDGETS_DIR . 'classes/class-astra-widgets.php';

diff --git a/classes/widgets/class-astra-widget-social-profiles.php b/classes/widgets/class-astra-widget-social-profiles.php
@@ -347,10 +347,10 @@ public function widget( $args, $instance ) {
 							$trimmed = str_replace( 'astra-icon-', '', $list['icon'] );
 							?>
 							<li>
-								<a href="<?php echo esc_attr( $list['link'] ); ?>" target="<?php echo esc_attr( $target ); ?>" rel="<?php echo esc_attr( $rel ); ?>" aria-label="<?php echo ( is_object( $list_data ) ) ? esc_html( $list_data->name ) : ''; ?>">
+								<a href="<?php echo isset( $list['link'] ) ? esc_attr( $list['link'] ) : '#'; ?>" target="<?php echo esc_attr( $target ); ?>" rel="<?php echo esc_attr( $rel ); ?>" aria-label="<?php echo ( is_object( $list_data ) ) ? esc_html( $list_data->name ) : ''; ?>">
 										<span class="ast-widget-icon <?php echo ( is_object( $list_data ) ) ? esc_html( $list_data->name ) : ''; ?>">
 											<?php if ( ! empty( $list_data->viewbox ) && ! empty( $list_data->path ) ) { ?>
-												<svg xmlns="http://www.w3.org/2000/svg" viewBox="<?php echo ( isset( $list_data->viewbox ) ) ? esc_attr( $list_data->viewbox ) : ''; ?>" width=<?php echo esc_attr( $icon_width ); ?> height=<?php echo esc_attr( $icon_width ); ?> ><path d="<?php echo ( isset( $list_data->path ) ) ? esc_attr( $list_data->path ) : ''; ?>"></path></svg>
+												<svg xmlns="http://www.w3.org/2000/svg" viewBox="<?php echo ( isset( $list_data->viewbox ) ) ? esc_attr( $list_data->viewbox ) : ''; ?>" width="<?php echo esc_attr( $icon_width ); ?>" height="<?php echo esc_attr( $icon_width ); ?>"><path d="<?php echo ( isset( $list_data->path ) ) ? esc_attr( $list_data->path ) : ''; ?>"></path></svg>
 											<?php } ?>
 										</span>
 									<?php if ( $display_title ) { ?>