Updated render attribute function and escape functions added

README.md

@@ -5,7 +5,7 @@
 **Requires at least:** 4.4  
 **Requires PHP:** 5.4  
 **Tested up to:** 6.4.1  
-**Stable tag:** 1.6.22  
+**Stable tag:** 1.6.23  
 **License:** GPLv2 or later  
 **License URI:** http://www.gnu.org/licenses/gpl-2.0.html  
 
@@ -140,6 +140,9 @@ This same applies when you are creating your Header/Footer using this plugin.
 
 ## Changelog ##
 
+### 1.6.23 ###
+- Fix: This update addressed a security bug. Props to WordPress Plugin Review Team and Plugin Vulnerabilities Team for reporting it to our team. Please make sure you are using the latest version on your website.
+
 ### 1.6.22 ###
 - Fix: Retina Image - Navigating to custom URL by clicking on images. 
 

admin/class-hfe-admin.php

@@ -72,7 +72,9 @@ public static function hfe_admin_enqueue_scripts( $hook ) {
 	 */
 	private function __construct() {
 		add_action( 'init', [ $this, 'header_footer_posttype' ] );
-		add_action( 'admin_menu', [ $this, 'register_admin_menu' ], 50 );
+		if ( is_admin() && current_user_can( 'manage_options' ) ) {
+			add_action( 'admin_menu', [ $this, 'register_admin_menu' ], 50 );
+		}
 		add_action( 'add_meta_boxes', [ $this, 'ehf_register_metabox' ] );
 		add_action( 'save_post', [ $this, 'ehf_save_meta' ] );
 		add_action( 'admin_notices', [ $this, 'location_notice' ] );

header-footer-elementor.php

@@ -7,14 +7,14 @@
  * Author URI:  https://www.brainstormforce.com/
  * Text Domain: header-footer-elementor
  * Domain Path: /languages
- * Version: 1.6.22
+ * Version: 1.6.23
  * Elementor tested up to: 3.18
  * Elementor Pro tested up to: 3.18
  *
  * @package         header-footer-elementor
  */
 
-define( 'HFE_VER', '1.6.22' );
+define( 'HFE_VER', '1.6.23' );
 define( 'HFE_FILE', __FILE__ );
 define( 'HFE_DIR', plugin_dir_path( __FILE__ ) );
 define( 'HFE_URL', plugins_url( '/', __FILE__ ) );

inc/class-hfe-settings-page.php

@@ -24,7 +24,9 @@ class HFE_Settings_Page {
 	 */
 	public function __construct() {
 		add_action( 'admin_head', [ $this, 'hfe_global_css' ] );
-		add_action( 'admin_menu', [ $this, 'hfe_register_settings_page' ] );
+		if ( is_admin() && current_user_can( 'manage_options' ) ) {
+			add_action( 'admin_menu', [ $this, 'hfe_register_settings_page' ] );
+		}
 		add_action( 'admin_init', [ $this, 'hfe_admin_init' ] );
 		add_filter( 'views_edit-elementor-hf', [ $this, 'hfe_settings' ], 10, 1 );
 		add_filter( 'admin_footer_text', [ $this, 'admin_footer_text' ] );

inc/widgets-manager/widgets/class-cart.php

@@ -630,20 +630,19 @@ protected function render() {
 						<div class="hfe-cart-menu-wrap-default">
 							<?php if ( null !== WC()->cart ) { ?>
 								<span class="hfe-cart-count">
-									<?php echo ( WC()->cart->get_cart_contents_count() ); ?>
+									<?php echo esc_html( WC()->cart->get_cart_contents_count() ); ?>
 								</span>
 							<?php } ?>
 						</div>
 					</a>
 					<?php
 				} else {
 					?>
-
 					<div class="hfe-menu-cart__toggle elementor-button-wrapper">
 						<a id="hfe-menu-cart__toggle_button" href="<?php echo esc_url( wc_get_cart_url() ); ?>" class="elementor-button hfe-cart-container">
 							<?php if ( null !== WC()->cart ) { ?>
 								<span class="elementor-button-text hfe-subtotal">
-									<?php echo WC()->cart->get_cart_subtotal(); ?>
+									<?php echo wp_kses_post( WC()->cart->get_cart_subtotal() ); ?>
 								</span>
 							<?php } ?>
 							<span class="elementor-button-icon" data-counter="<?php echo ( null !== WC()->cart ) ? esc_attr( WC()->cart->get_cart_contents_count() ) : ''; ?>">

inc/widgets-manager/widgets/class-navigation-menu.php

@@ -1947,12 +1947,14 @@ protected function render() {
 						<?php echo isset( $menu_close_icons[0] ) ? $menu_close_icons[0] : ''; //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
 					</div>
 				</div>
-			<div <?php echo wp_kses_post( $this->get_render_attribute_string( 'hfe-flyout' ) ); ?> >
+			<div <?php $this->print_render_attribute_string( 'hfe-flyout' ); ?> >
 				<div class="hfe-flyout-overlay elementor-clickable"></div>
 				<div class="hfe-flyout-container">
 					<div id="hfe-flyout-content-id-<?php echo esc_attr( $this->get_id() ); ?>" class="hfe-side hfe-flyout-<?php echo esc_attr( $settings['flyout_layout'] ); ?> hfe-flyout-open" data-layout="<?php echo wp_kses_post( $settings['flyout_layout'] ); ?>" data-flyout-type="<?php echo wp_kses_post( $settings['flyout_type'] ); ?>">
 						<div class="hfe-flyout-content push">
-							<nav <?php echo wp_kses_post( $this->get_render_attribute_string( 'hfe-nav-menu' ) ); ?>><?php echo ( $menu_html ); ?></nav>
+							<nav <?php $this->print_render_attribute_string( 'hfe-nav-menu' ); ?>>
+								<?php echo wp_kses_post( $menu_html ); ?>
+							</nav>
 							<div class="elementor-clickable hfe-flyout-close" tabindex="0">
 								<?php echo isset( $menu_close_icons[1] ) ? $menu_close_icons[1] : ''; //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
 							</div>
@@ -2016,7 +2018,7 @@ protected function render() {
 			$this->add_render_attribute( 'hfe-nav-menu', 'data-full-width', $settings['full_width_dropdown'] );
 
 			?>
-			<div <?php echo $this->get_render_attribute_string( 'hfe-main-menu' ); ?>>
+			<div <?php $this->print_render_attribute_string( 'hfe-main-menu' ); ?>>
 				<div role="button" class="hfe-nav-menu__toggle elementor-clickable">
 					<span class="screen-reader-text"><?php esc_html_e( 'Menu', 'header-footer-elementor' ); ?></span>
 					<div class="hfe-nav-menu-icon">
@@ -2026,7 +2028,9 @@ protected function render() {
 						?>
 					</div>
 				</div>
-				<nav <?php echo $this->get_render_attribute_string( 'hfe-nav-menu' ); ?>><?php echo $menu_html; ?></nav>
+				<nav <?php $this->print_render_attribute_string( 'hfe-nav-menu' ); ?>>
+					<?php echo wp_kses_post( $menu_html ); ?>
+				</nav>
 			</div>
 			<?php
 		}

inc/widgets-manager/widgets/class-retina.php

@@ -704,12 +704,12 @@ protected function render() {
 		}
 
 		?>
-		<div <?php echo ( $this->get_render_attribute_string( 'wrapper' ) ); ?>>
+		<div <?php $this->print_render_attribute_string( 'wrapper' ); ?>>
 			<?php if ( $has_caption ) : ?>
 				<figure class="wp-caption">
 			<?php endif; ?>
 			<?php if ( $link ) : ?>
-					<a <?php echo ( $this->get_render_attribute_string( 'link' ) ); ?>>
+				<a <?php $this->print_render_attribute_string( 'link' ); ?>>
 			<?php endif; ?>
 			<?php
 			$size = $settings[ 'retina_image' . '_size' ];
@@ -804,7 +804,7 @@ protected function render() {
 				?>
 				<?php if ( ! empty( $caption_text ) ) : ?>
 					<div class="hfe-caption-width"> 
-						<figcaption class="widget-image-caption wp-caption-text"><?php echo ( $caption_text ); ?></figcaption>
+						<figcaption class="widget-image-caption wp-caption-text"><?php echo esc_html( $caption_text ); ?></figcaption>
 					</div>
 				<?php endif; ?>
 				</figure>

inc/widgets-manager/widgets/class-search-button.php

@@ -982,18 +982,18 @@ protected function render() {
 		<form class="hfe-search-button-wrapper" role="search" action="<?php echo esc_url( home_url() ); ?>" method="get">
 			<?php if ( 'icon' === $settings['layout'] ) { ?>
 			<div class = "hfe-search-icon-toggle">
-				<input <?php echo $this->get_render_attribute_string( 'input' ); ?>>
+				<input <?php $this->print_render_attribute_string( 'input' ); ?>>
 				<i class="fas fa-search" aria-hidden="true"></i>
 			</div>
 			<?php } else { ?>
-			<div <?php echo $this->get_render_attribute_string( 'container' ); ?>>
+			<div <?php $this->print_render_attribute_string( 'container' ); ?>>
 				<?php if ( 'text' === $settings['layout'] ) { ?>
-					<input <?php echo $this->get_render_attribute_string( 'input' ); ?>>
+					<input <?php $this->print_render_attribute_string( 'input' ); ?>>
 						<button id="clear" type="reset">
 							<i class="fas fa-times clearable__clear" aria-hidden="true"></i>
 						</button>
 				<?php } else { ?>
-					<input <?php echo $this->get_render_attribute_string( 'input' ); ?>>
+					<input <?php $this->print_render_attribute_string( 'input' ); ?>>
 					<button id="clear-with-button" type="reset">
 						<i class="fas fa-times" aria-hidden="true"></i>
 					</button>

inc/widgets-manager/widgets/class-site-logo.php

@@ -746,7 +746,7 @@ protected function render() {
 			$class = 'elementor-clickable';
 		}
 		?>
-		<div <?php echo ( $this->get_render_attribute_string( 'wrapper' ) ); ?>>
+		<div <?php $this->print_render_attribute_string( 'wrapper' ); ?>>
 		<?php if ( $has_caption ) : ?>
 				<figure class="wp-caption">
 		<?php endif; ?>
@@ -756,7 +756,7 @@ protected function render() {
 						$class = 'elementor-non-clickable';
 					}
 					?>
-				<a data-elementor-open-lightbox="<?php echo esc_attr( $settings['open_lightbox'] ); ?>"  class='<?php echo  esc_attr( $class ); ?>' <?php echo $this->get_render_attribute_string( 'link' ); ?>>
+				<a data-elementor-open-lightbox="<?php echo esc_attr( $settings['open_lightbox'] ); ?>"  class='<?php echo  esc_attr( $class ); ?>' <?php $this->print_render_attribute_string( 'link' ); ?>>
 		<?php endif; ?>
 		<?php
 		if ( empty( $site_image ) ) {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "header-footer-elementor",
-  "version": "1.6.22",
+  "version": "1.6.23",
   "main": "Gruntfile.js",
   "author": "Nikhil Chavan",
   "devDependencies": {

readme.txt

@@ -5,7 +5,7 @@ Donate link: https://www.paypal.me/BrainstormForce
 Requires at least: 4.4
 Requires PHP: 5.4
 Tested up to: 6.4.1
-Stable tag: 1.6.22
+Stable tag: 1.6.23
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -140,6 +140,9 @@ This same applies when you are creating your Header/Footer using this plugin.
 
 == Changelog ==
 
+= 1.6.23 =
+- Fix: This update addressed a security bug. Props to WordPress Plugin Review Team and Plugin Vulnerabilities Team for reporting it to our team. Please make sure you are using the latest version on your website.
+
 = 1.6.22 =
 - Fix: Retina Image - Navigating to custom URL by clicking on images.