review changes #855

ahmedkaludi · Jan 6, 2025 · 98ecbd5 · 98ecbd5
1 parent 78fa43b
commit 98ecbd5
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/includes/class-eztoc-widget.php b/includes/class-eztoc-widget.php
@@ -9,6 +9,7 @@
 	 */
 	class ezTOC_Widget extends WP_Widget {
 
+		private $allowed_tags = ['h2', 'h3', 'h4', 'h5', 'h6','span','div','p'];
 		/**
 		 * Setup and register the table of contents widget.
 		 *
@@ -241,7 +242,7 @@ public function widget( $args, $instance ) {
 					?>
 
 					<?php 
-					if( isset($instance[ 'heading_label_tag' ]) && $instance[ 'heading_label_tag' ] != 'default' ){
+					if( isset($instance[ 'heading_label_tag' ]) && $instance[ 'heading_label_tag' ] != 'default' && in_array($instance[ 'heading_label_tag' ], $this->allowed_tags)){
                         echo '<'.esc_attr($instance[ 'heading_label_tag' ]).' class="widget-title">';
                     }else{
                         echo $before_title;  //phpcs:ignore  WordPress.Security.EscapeOutput.OutputNotEscaped -- Already escaped in the core
@@ -320,7 +321,7 @@ public function widget( $args, $instance ) {
                                         </span>
 
 					<?php
-					if( isset($instance[ 'heading_label_tag' ]) && $instance[ 'heading_label_tag' ] != 'default' ){
+					if( isset($instance[ 'heading_label_tag' ]) && $instance[ 'heading_label_tag' ] != 'default' && in_array($instance[ 'heading_label_tag' ], $this->allowed_tags) ){
 						echo '</'.esc_attr($instance[ 'heading_label_tag' ]).'>';
 					}else{
 						echo $after_title;  //phpcs:ignore  WordPress.Security.EscapeOutput.OutputNotEscaped -- Already escaped in the core

diff --git a/includes/class-eztoc-widgetsticky.php b/includes/class-eztoc-widgetsticky.php
@@ -11,7 +11,7 @@
      */
     class ezTOC_WidgetSticky extends WP_Widget
     {
-
+        private $allowed_tags = ['h2', 'h3', 'h4', 'h5', 'h6','span','div','p'];
         /**
          * Setup and register the table of contents widget.
          *
@@ -342,7 +342,7 @@ public function widget ( $args, $instance )
                  */
                 if ( 0 < strlen ( $title ) )
                 {
-                    if( isset($instance[ 'heading_label_tag' ]) && $instance[ 'heading_label_tag' ] != 'default' ){
+                    if( isset($instance[ 'heading_label_tag' ]) && $instance[ 'heading_label_tag' ] != 'default' && in_array($instance[ 'heading_label_tag' ], $this->allowed_tags) ){
                         echo '<'.esc_attr($instance[ 'heading_label_tag' ]).' class="widget-title">';
                     }else{
                         echo $before_title;  //phpcs:ignore  WordPress.Security.EscapeOutput.OutputNotEscaped -- Already escaped in the core
@@ -425,7 +425,7 @@ public function widget ( $args, $instance )
                     </span>
 
                     <?php 
-                        if( isset($instance[ 'heading_label_tag' ]) && $instance[ 'heading_label_tag' ] != 'default' ){
+                        if( isset($instance[ 'heading_label_tag' ]) && $instance[ 'heading_label_tag' ] != 'default' && in_array($instance[ 'heading_label_tag' ], $this->allowed_tags) ){
                             echo '</'.esc_attr($instance[ 'heading_label_tag' ]).'>';
                         }else{
                             echo $after_title;  //phpcs:ignore  WordPress.Security.EscapeOutput.OutputNotEscaped -- Already escaped in the core