Enhancement: implements development good practices to donor dashboard…

… shortcode (#7277)
impress-org · Mar 7, 2024 · a272cda · a272cda
1 parent 566bdca
commit a272cda
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/src/DonorDashboards/App.php b/src/DonorDashboards/App.php
@@ -27,6 +27,8 @@ public function __construct()
     }
 
     /**
+     * @unreleased Escape attributes
+     *
      * @param array $attributes
      *
      * @return string
@@ -38,7 +40,7 @@ public function getOutput($attributes)
         $queryArgs = [];
 
         if (isset($attributes['accent_color'])) {
-            $queryArgs['accent-color'] = urlencode($attributes['accent_color']);
+            $queryArgs['accent-color'] = urlencode(esc_attr($attributes['accent_color']));
         }
 
         if (isset($_GET['give_nl'])) {
@@ -55,7 +57,7 @@ public function getOutput($attributes)
 
         $url = esc_url(add_query_arg($queryArgs, $url));
 
-        $loader = $this->getIframeLoader($attributes['accent_color']);
+        $loader = $this->getIframeLoader(esc_attr($attributes['accent_color']));
 
         return sprintf(
             '<div style="position: relative; max-width: 100%%;"><iframe

diff --git a/src/DonorDashboards/Shortcode.php b/src/DonorDashboards/Shortcode.php
@@ -40,10 +40,13 @@ public function loadFrontendAssets()
     /**
      * Returns Shortcode markup
      *
+     * @unreleased Sanitize attributes
      * @since 2.10.0
      **/
     public function renderCallback($attributes)
     {
+        $attributes = give_clean($attributes);
+
         $attributes = shortcode_atts(
             [
                 'accent_color' => '#68bb6c',