From 98ecbd562d46ced38660d162b19e05d56ff2694a Mon Sep 17 00:00:00 2001
From: Akshay Wali
Date: Mon, 6 Jan 2025 10:49:06 +0530
Subject: [PATCH] review changes #855
---
includes/class-eztoc-widget.php | 5 +++--
includes/class-eztoc-widgetsticky.php | 6 +++---
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/includes/class-eztoc-widget.php b/includes/class-eztoc-widget.php
index d73aea3..a87b614 100644
--- a/includes/class-eztoc-widget.php
+++ b/includes/class-eztoc-widget.php
@@ -9,6 +9,7 @@
*/
class ezTOC_Widget extends WP_Widget {
+ private $allowed_tags = ['h2', 'h3', 'h4', 'h5', 'h6','span','div','p'];
/**
* Setup and register the table of contents widget.
*
@@ -241,7 +242,7 @@ public function widget( $args, $instance ) {
?> allowed_tags)){
echo '<'.esc_attr($instance[ 'heading_label_tag' ]).' class="widget-title">';
}else{
echo $before_title; //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Already escaped in the core
@@ -320,7 +321,7 @@ public function widget( $args, $instance ) {
allowed_tags) ){
echo '';
}else{
echo $after_title; //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Already escaped in the core
diff --git a/includes/class-eztoc-widgetsticky.php b/includes/class-eztoc-widgetsticky.php
index 5e61310..e4950cf 100644
--- a/includes/class-eztoc-widgetsticky.php
+++ b/includes/class-eztoc-widgetsticky.php
@@ -11,7 +11,7 @@
*/
class ezTOC_WidgetSticky extends WP_Widget {
-
+ private $allowed_tags = ['h2', 'h3', 'h4', 'h5', 'h6','span','div','p'];
/**
* Setup and register the table of contents widget.
*
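Review bot: The new `$allowed_tags` property added to `ezTOC_Widget` carries no comment saying what it gates, and the identical list is declared a second time in `ezTOC_WidgetSticky` in the other file of this patch, so the two allowlists can drift apart without anyone noticing. A documented class constant shared by both widgets would make the intent explicit, e.g. `/** Tag names a saved heading_label_tag may be rendered as; anything else falls back to the theme's $before_title / $after_title. */` above `const ALLOWED_HEADING_TAGS = [ 'h2', 'h3', 'h4', 'h5', 'h6', 'span', 'div', 'p' ];`, referenced from both widget() methods. If the per-class property has to stay, at least put that comment on it in both classes.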
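Review bot: The `in_array()` added to the opening-tag condition in widget() is a loose comparison, so any value that loosely equals a listed name (a boolean `true` stored in `heading_label_tag`, for instance) passes the allowlist without being one of the listed tags; pass the strict flag, `in_array( $instance['heading_label_tag'], $this->allowed_tags, true )`. With a strict check the `!= 'default'` comparison becomes redundant because `'default'` is not in the list, though leaving it is harmless. The rendering of this hunk appears to have lost the start of the changed `if` line, so I am reading the condition from the matching hunk in class-eztoc-widgetsticky.php; the enclosing widget() method starts and ends outside the hunk.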
@@ -342,7 +342,7 @@ public function widget ( $args, $instance ) */ if ( 0 < strlen ( $title ) ) { - if( isset($instance[ 'heading_label_tag' ]) && $instance[ 'heading_label_tag' ] != 'default' ){ + if( isset($instance[ 'heading_label_tag' ]) && $instance[ 'heading_label_tag' ] != 'default' && in_array($instance[ 'heading_label_tag' ], $this->allowed_tags) ){ echo '<'.esc_attr($instance[ 'heading_label_tag' ]).' class="widget-title">'; }else{ echo $before_title; //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Already escaped in the core @@ -425,7 +425,7 @@ public function widget ( $args, $instance ) allowed_tags) ){ echo ''; }else{ echo $after_title; //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Already escaped in the core
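Review bot: As in the first file, the new `in_array()` in the opening-tag branch is loose and should pass `true` as its third argument so only the exact listed tag names are accepted. The same condition is evaluated again in the closing-tag hunk at line 425, so the two can diverge and emit unbalanced markup; resolving the tag once, `$heading_tag = ( isset( $instance['heading_label_tag'] ) && in_array( $instance['heading_label_tag'], $this->allowed_tags, true ) ) ? $instance['heading_label_tag'] : '';`, and testing `$heading_tag` in both places would remove that risk. This patch only filters at output time; nothing visible here restricts the value on the widget's update()/form path, so if that is not already done, rejecting non-allowlisted values on save would keep bad data out of the stored options rather than only out of the markup. The widget() method starts and ends outside both hunks.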