Merge pull request #841 from brainstormforce/release-candidate

Version 1.6.36

README.md

@@ -5,7 +5,7 @@
 **Requires at least:** 4.4  
 **Requires PHP:** 5.4  
 **Tested up to:** 6.5  
-**Stable tag:** 1.6.35  
+**Stable tag:** 1.6.36  
 **License:** GPLv2 or later  
 **License URI:** http://www.gnu.org/licenses/gpl-2.0.html  
 
@@ -140,6 +140,9 @@ This same applies when you are creating your Header/Footer using this plugin.
 
 ## Changelog ##
 
+### 1.6.36 ###
+- Fix: This update addressed a security bug. Props to Wordfence for privately reporting it to our team. Please make sure you are using the latest version on your website. 
+
 ### 1.6.35 ###
 - Improvement: Compatibility with latest Elementor and Elementor Pro 3.22 version.
 - Improvement: Updated sanitize SVG function.

header-footer-elementor.php

@@ -7,14 +7,14 @@
  * Author URI:  https://www.brainstormforce.com/
  * Text Domain: header-footer-elementor
  * Domain Path: /languages
- * Version: 1.6.35
+ * Version: 1.6.36
  * Elementor tested up to: 3.22
  * Elementor Pro tested up to: 3.22
  *
  * @package         header-footer-elementor
  */
 
-define( 'HFE_VER', '1.6.35' );
+define( 'HFE_VER', '1.6.36' );
 define( 'HFE_FILE', __FILE__ );
 define( 'HFE_DIR', plugin_dir_path( __FILE__ ) );
 define( 'HFE_URL', plugins_url( '/', __FILE__ ) );

inc/widgets-manager/widgets/class-navigation-menu.php

@@ -1925,7 +1925,7 @@ protected function render() {
 
 		if ( 'yes' === $settings['schema_support'] ) {
 			$this->add_render_attribute( 'hfe-nav-menu', 'itemscope', 'itemscope' );
-			$this->add_render_attribute( 'hfe-nav-menu', 'itemtype', 'http://schema.org/SiteNavigationElement' );
+			$this->add_render_attribute( 'hfe-nav-menu', 'itemtype', 'https://schema.org/SiteNavigationElement' );
 
 			add_filter( 'hfe_nav_menu_attrs', [ $this, 'handle_link_attrs' ] );
 			add_filter( 'nav_menu_li_values', [ $this, 'handle_li_values' ] );

inc/widgets-manager/widgets/class-page-title.php

@@ -474,11 +474,15 @@ protected function content_template() {
 		}
 
 		if ( '' != settings.page_heading_link.url ) {
-			view.addRenderAttribute( 'url', 'href', settings.page_heading_link.url );
+			var urlPattern = /^(https?|ftp):\/\/[^\s/$.?#].[^\s]*$|^www\.[^\s/$.?#].[^\s]*$/;
+			if( urlPattern.test( settings.page_heading_link.url ) ){
+				var sanitizedPgUrl = _.escape( settings.page_heading_link.url );
+				view.addRenderAttribute( 'url', 'href', sanitizedPgUrl );
+			}
 		}
 		var iconHTML = elementor.helpers.renderIcon( view, settings.new_page_title_select_icon, { 'aria-hidden': true }, 'i' , 'object' );
 
-		var headingSizeTag = settings.heading_tag;
+		var headingSizeTag = elementor.helpers.validateHTMLTag( settings.heading_tag );
 
 		if ( typeof elementor.helpers.validateHTMLTag === "function" ) { 
 			headingSizeTag = elementor.helpers.validateHTMLTag( settings.heading_tag );
@@ -497,8 +501,9 @@ protected function content_template() {
 						{{{iconHTML.value}}} <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>                    
 					</span>
 				<# } #>
-					<# if ( '' != settings.before ) { #>
-						{{{ settings.before }}} <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
+					<# if ( '' != settings.before ) {
+						var before = elementor.helpers.sanitize( settings.before ) #>
+						{{{ before }}} <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
 					<# } #>
 					<?php
 					if ( is_archive() || is_home() ) {
@@ -507,8 +512,9 @@ protected function content_template() {
 						echo wp_kses_post( get_the_title() );
 					}
 					?>
-					<# if ( '' != settings.after ) { #>
-						{{{ settings.after }}} <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
+					<# if ( '' != settings.after ) { 
+						var after = elementor.helpers.sanitize( settings.after )#>
+						{{{ after }}} <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
 					<# } #>				
 			</{{{ headingSizeTag }}}> <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
 			<# if ( '' != settings.page_heading_link.url ) { #>

inc/widgets-manager/widgets/class-site-tagline.php

@@ -306,12 +306,14 @@ protected function content_template() {
 				</span>
 			<# } #>
 			<span>
-			<#if ( '' != settings.before ){#>
-				{{{ settings.before}}} <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
+			<#if ( '' != settings.before ){
+				var before = elementor.helpers.sanitize( settings.before ) #>
+				{{{ before }}} <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
 			<#}#>
 			<?php echo wp_kses_post( get_bloginfo( 'description' ) ); ?>
-			<# if ( '' != settings.after ){#>
-				{{{ settings.after }}} <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
+			<# if ( '' != settings.after ){
+				var after = elementor.helpers.sanitize( settings.after ) #>
+				{{{ after }}} <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
 			<#}#>
 			</span>
 		</div>

inc/widgets-manager/widgets/class-site-title.php

@@ -458,11 +458,15 @@ protected function content_template() {
 			return;
 		}
 		if ( '' != settings.heading_link.url ) {
-			view.addRenderAttribute( 'url', 'href', settings.heading_link.url );
+			var urlPattern = /^(https?|ftp):\/\/[^\s/$.?#].[^\s]*$|^www\.[^\s/$.?#].[^\s]*$/;
+			if ( urlPattern.test( settings.heading_link.url ) ) {
+				var sanitizedUrl = _.escape( settings.heading_link.url );
+				view.addRenderAttribute( 'url', 'href', sanitizedUrl );
+			}
 		}
 		var iconHTML = elementor.helpers.renderIcon( view, settings.icon, { 'aria-hidden': true }, 'i' , 'object' );
 
-		var headingSizeTag = settings.heading_tag;
+		var headingSizeTag = elementor.helpers.validateHTMLTag( settings.heading_tag );
 
 		if ( typeof elementor.helpers.validateHTMLTag === "function" ) { 
 			headingSizeTag = elementor.helpers.validateHTMLTag( headingSizeTag );
@@ -475,19 +479,21 @@ protected function content_template() {
 				<# if ( '' != settings.heading_link.url ) { #>
 					<a {{{ view.getRenderAttributeString( 'url' ) }}} > <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
 				<# } #>
-				<{{{ headingSizeTag }}} class="hfe-heading elementor-heading-title elementor-size-{{{ settings.size }}}"> <?php //phpcs:ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
+				<{{{ headingSizeTag }}} class="hfe-heading elementor-heading-title elementor-size-{{{ elementor.helpers.sanitize( settings.size ) }}}"> <?php //phpcs:ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
 				<# if( '' != settings.icon.value ){ #>
 				<span class="hfe-icon">
 					{{{ iconHTML.value }}}	<?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>			
 				</span>
 				<# } #>
 				<span class="hfe-heading-text  elementor-heading-title" data-elementor-setting-key="heading_title" data-elementor-inline-editing-toolbar="basic" >
-				<#if ( '' != settings.before ){#>
-					{{{ settings.before }}}  <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
+				<# if ( '' != settings.before ){
+					var before = elementor.helpers.sanitize( settings.before )#>
+					{{{ before }}}  <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
 				<#}#>
 				<?php echo wp_kses_post( get_bloginfo( 'name' ) ); ?>
-				<# if ( '' != settings.after ){#>
-					{{{ settings.after }}} <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
+				<# if ( '' != settings.after ){
+					var after = elementor.helpers.sanitize( settings.after )#>
+					{{{ after }}} <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>
 				<#}#>
 				</span>
 			</{{{ headingSizeTag }}}> <?php // PHPCS:Ignore WordPressVIPMinimum.Security.Mustache.OutputNotation ?>

languages/header-footer-elementor.pot

@@ -2,10 +2,10 @@
 # This file is distributed under the same license as the Elementor Header & Footer Builder package.
 msgid ""
 msgstr ""
-"Project-Id-Version: Elementor Header & Footer Builder 1.6.35\n"
+"Project-Id-Version: Elementor Header & Footer Builder 1.6.36\n"
 "Report-Msgid-Bugs-To: "
 "https://wordpress.org/support/plugin/header-footer-elementor\n"
-"POT-Creation-Date: 2024-05-29 07:30:13+00:00\n"
+"POT-Creation-Date: 2024-06-12 05:43:35+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "header-footer-elementor",
-  "version": "1.6.35",
+  "version": "1.6.36",
   "main": "Gruntfile.js",
   "author": "Nikhil Chavan",
   "devDependencies": {

readme.txt

@@ -5,7 +5,7 @@ Donate link: https://www.paypal.me/BrainstormForce
 Requires at least: 4.4
 Requires PHP: 5.4
 Tested up to: 6.5
-Stable tag: 1.6.35
+Stable tag: 1.6.36
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -140,6 +140,9 @@ This same applies when you are creating your Header/Footer using this plugin.
 
 == Changelog ==
 
+= 1.6.36 = 
+- Fix: This update addressed a security bug. Props to Wordfence for privately reporting it to our team. Please make sure you are using the latest version on your website. 
+
 = 1.6.35 = 
 - Improvement: Compatibility with latest Elementor and Elementor Pro 3.22 version.
 - Improvement: Updated sanitize SVG function.