Skip to content

fix escaping and security issue #241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
som3669 wants to merge 5 commits into
base: master
Choose a base branch
from
Open

fix escaping and security issue #241

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
ada9fb2
fix escaping issue
som3669 Aug 3, 2025
3678752
Update template-parts/header-builder-elements/html-1.php
asheshmagar Aug 12, 2025
40437fc
fix review commit
som3669 Aug 13, 2025
08bdd92
Merge branch 'master' of github.com:themegrill/colormag into CMAG-419…
som3669 Aug 13, 2025
9194c6e
Merge branch 'CMAG-419-color-mag-security-vulnerability-unescaped-out…
som3669 Aug 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion template-parts/footer-builder-elements/html-1.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
<?php
$html_1 = get_theme_mod( 'colormag_footer_html_1', '' );
echo '<div class="cm-html-1 cm-footer-html-1">';
echo $html_1;
echo wp_kses_post( $html_1 );
echo '</div>';
2 changes: 1 addition & 1 deletion template-parts/header-builder-elements/html-1.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
<?php
$html_1 = get_theme_mod( 'colormag_header_html_1', '' );
echo '<div class="cm-html-1">';
echo $html_1;
echo wp_kses_post( $html_1 );
echo '</div>';
12 changes: 5 additions & 7 deletions template-parts/hooks/header/header.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -183,8 +183,8 @@ function colormag_header_start() {
}

endif;
if ( ! colormag_maybe_enable_builder() ){
add_action( 'colormag_action_before_header', 'colormag_header_start', 10 );
if ( ! colormag_maybe_enable_builder() ) {
add_action( 'colormag_action_before_header', 'colormag_header_start', 10 );
}

if ( ! function_exists( 'colormag_header_main' ) ) :
Expand Down Expand Up @@ -373,9 +373,9 @@ function colormag_header_end() {
}

endif;
if ( ! colormag_maybe_enable_builder() ){
if ( ! colormag_maybe_enable_builder() ) {
add_action( 'colormag_action_after_header', 'colormag_header_end', 10 );
}
}

if ( ! function_exists( 'colormag_main_section_start' ) ) :

Expand Down Expand Up @@ -599,9 +599,7 @@ function colormag_menu_fallback( $args ) {

$output .= '</ul>';

// @codingStandardsIgnoreStart
echo $output;
// @codingStandardsIgnoreEnd
echo esc_html( $output );
Copy link

Copilot AI Aug 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using esc_html() on menu HTML will strip all HTML tags and break the menu structure. The $output variable contains HTML markup (ul/li tags) that should be preserved. Consider using wp_kses() with appropriate allowed tags or ensure the content is already properly escaped when building $output.

Suggested change
echo esc_html( $output );
$allowed_html = array(
'ul' => array(
'id' => true,
'class' => true,
),
'li' => array(
'class' => true,
),
'a' => array(
'href' => true,
'title' => true,
'class' => true,
),
'span' => array(
'class' => true,
),
);
echo wp_kses( $output, $allowed_html );

Copilot uses AI. Check for mistakes.
}

endif;