diff --git a/includes/class-validation.php b/includes/class-validation.php
index de4f75f2..ef84f06b 100644
--- a/includes/class-validation.php
+++ b/includes/class-validation.php
@@ -182,9 +182,12 @@ public function validate_fields($data, $type, $fields = false) {
 $sanitized_value = wp_kses_post( strip_shortcodes( $value ) );
 break;
+ case 'url':
+ $sanitized_value = sanitize_url( wp_unslash( $value ) );
+ break;
+
 default:
 $sanitized_value = sanitize_text_field($value);
-
 }
 }
diff --git a/includes/helpers/pages.php b/includes/helpers/pages.php
index b491c9e3..ae792cd0 100644
--- a/includes/helpers/pages.php
+++ b/includes/helpers/pages.php
@@ -388,10 +388,16 @@ function uwp_get_user_badge($args){
 // will be replace in condition check
 }
- //link url, replace vars
- if( !empty( $args['link'] ) && $args['link'] = str_replace("%%input%%", $match_value,$args['link']) ){
+ // link url, replace vars
+ if ( ! empty( $args['link'] ) && $args['link'] = str_replace( "%%input%%", $match_value, $args['link'] ) ) {
 // will be replace in condition check
+ if ( ! empty( $field->field_type ) && $field->field_type == 'url' ) {
+ $args['link'] = esc_url( $args['link'] );
+ } else {
+ $args['link'] = esc_attr( $args['link'] );
+ }
 }
+
 if( !empty( $args['link'] ) && $user_id && $args['link'] = str_replace("%%profile_url%%", uwp_build_profile_tab_url($user_id),$args['link']) ){
 // will be replace in condition check
 }
diff --git a/readme.txt b/readme.txt
index 04efde7e..d00e7713 100644
--- a/readme.txt
+++ b/readme.txt
@@ -152,6 +152,9 @@ Yes, you can customize it with Elementor, but also with Gutenberg, Divi, Beaver
 == Changelog ==
+= 1.2.61 - 2026-04-TBD =
+* Sanitize URL field types before saving - FIXED/SECURITY
+
 = 1.2.60 - 2026-04-02 =
 * WordPress 7.0 compatibility - COMPATIBILITY
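Review bot: The new `case 'url'` branch is the only one that unslashes its input — the neighbouring `wp_kses_post( strip_shortcodes( $value ) )` and `sanitize_text_field($value)` take `$value` as-is — so either this branch strips legitimate backslashes from an already-unslashed value or the other branches keep storing slashed data; whichever `$data` actually is on entry, the branches should agree, e.g. `$sanitized_value = sanitize_url( $value );` if the caller has already unslashed. sanitize_url() also silently returns an empty string for a disallowed scheme such as `javascript:` instead of reporting it, so if validate_fields() records errors for other field types, a non-empty `$value` that sanitizes to `''` deserves an error rather than a quiet blank save. Be aware that sanitize_url() was a deprecated alias of esc_url_raw() until WordPress 5.9, so it raises deprecation notices on any older core the plugin still claims to support. The enclosing switch and validate_fields() itself begin and end outside this hunk.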
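Review bot: The escaper is chosen by the field's type rather than by where `$args['link']` is used, and the non-'url' branch applies `esc_attr()` to what the comment on the same hunk calls the link URL: esc_attr() entity-encodes quotes and angle brackets but leaves a `javascript:` scheme untouched, so a `%%input%%` substituted from a text-type field can still become a live script URL once the link lands in an href. Since both branches produce a URL, escape for that context unconditionally and drop the type check: `$args['link'] = esc_url( $args['link'] );`. Note also that the escape runs before the `%%profile_url%%` substitution on the following `if`, so whatever uwp_build_profile_tab_url() returns is inserted after escaping; that is acceptable only if that helper's output is trusted, and if the final output site escapes again the `&amp;` produced here will be double-encoded. uwp_get_user_badge() continues outside this hunk, so where the link is finally emitted is not visible here.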