fix: XSS vulnerability issue with tooltip text

girishpanchal30 · girishpanchal30 · commit 01eaa69f914a · 2024-12-26T12:45:58.000+05:30
diff --git a/classes/frontend-scripts.class.php b/classes/frontend-scripts.class.php
@@ -444,6 +444,9 @@ public static function load_scripts_by_product_id( $product_id, $ppom_id = null,
 								break;
 						}
 
+						if ( ! empty( $fields_meta['description'] ) ) {
+							$fields_meta['description'] = wp_strip_all_tags( html_entity_decode( $fields_meta['description'] ) );
+						}
 						$inputs_meta_updated[] = $fields_meta;
 
 						// Conditional fields
diff --git a/classes/input-meta.class.php b/classes/input-meta.class.php
@@ -155,7 +155,7 @@ function field_label( $tooltip = true, $desc = true, $asterisk = true ) {
 
 		$asterisk_symbol = ( ! empty( $this->required() ) && $this->title() != '' ) ? '<span class="show_required"> *</span>' : '';
 
-		$show_desc = ( ! empty( $this->desc() ) ) ? '<span class="show_description ppom-input-desc">' . $this->desc() . '</span>' : '';
+		$show_desc = ( ! empty( $this->desc() ) ) ? '<span class="show_description ppom-input-desc">' . wp_strip_all_tags( html_entity_decode( $this->desc() ) ) . '</span>' : '';
 
 		if ( $desc ) {
 			$show_desc = apply_filters( 'ppom_field_description', $show_desc, self::$input_meta );
diff --git a/classes/plugin.class.php b/classes/plugin.class.php
@@ -974,7 +974,10 @@ function add_ppom_meta_panel() {
 	public function show_tooltip( $description, $meta ) {
 		$input_desc = ! empty( $meta['description'] ) ? $meta['description'] : '';
 		$input_desc = apply_filters( 'ppom_description_content', stripslashes( $input_desc ), $meta );
-
+		$input_desc = wp_strip_all_tags( html_entity_decode( $input_desc ) );
+		if ( empty( $input_desc ) ) {
+			return $description;
+		}
 		// Check if the tooltip is enabled.
 		if ( isset( $meta['desc_tooltip'] ) && 'on' === $meta['desc_tooltip'] ) {
 			$description = ( ! empty( $meta['description'] ) ) ? ' <span data-ppom-tooltip="ppom_tooltip" class="ppom-tooltip" title="' . esc_attr( $input_desc ) . '"><svg width="13px" height="13px" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path fill="currentColor" d="M504 256c0 136.997-111.043 248-248 248S8 392.997 8 256C8 119.083 119.043 8 256 8s248 111.083 248 248zM262.655 90c-54.497 0-89.255 22.957-116.549 63.758-3.536 5.286-2.353 12.415 2.715 16.258l34.699 26.31c5.205 3.947 12.621 3.008 16.665-2.122 17.864-22.658 30.113-35.797 57.303-35.797 20.429 0 45.698 13.148 45.698 32.958 0 14.976-12.363 22.667-32.534 33.976C247.128 238.528 216 254.941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"></path></svg></span>' : '';

Original file line number	Diff line number	Diff line change
`@@ -444,6 +444,9 @@ public static function load_scripts_by_product_id( $product_id, $ppom_id = null,`
`444`	`444`	`break;`
`445`	`445`	`}`
`446`	`446`
	`447`	`+ if ( ! empty( $fields_meta['description'] ) ) {`
	`448`	`+ $fields_meta['description'] = wp_strip_all_tags( html_entity_decode( $fields_meta['description'] ) );`
	`449`	`+ }`
`447`	`450`	`$inputs_meta_updated[] = $fields_meta;`
`448`	`451`
`449`	`452`	`// Conditional fields`