Use wp_kses to allow only <a href=""> element.

pronamic · Oct 11, 2023 · 171d841 · 171d841
1 parent d70823b
commit 171d841
Showing 1 changed file with 17 additions and 10 deletions.
diff --git a/src/Integration.php b/src/Integration.php
@@ -406,17 +406,24 @@ public function get_settings_fields() {
 			'title'    => \__( 'Authentication', 'pronamic_ideal' ),
 			'type'     => 'custom',
 			'callback' => function () {
-				\printf(
-					/* translators: %s: Pronamic Pay settings page URL. */
-					__( 'Go to the <a href="%s">Pronamic Pay settings page</a> for webhook authentication settings.', 'pronamic_ideal' ),
-					\esc_url(
-						\add_query_arg(
-							[
-								'page' => 'pronamic_pay_settings',
-							],
-							\admin_url( 'admin.php' )
+				echo \wp_kses(
+					\sprintf(
+						/* translators: %s: Pronamic Pay settings page URL. */
+						__( 'Go to the <a href="%s">Pronamic Pay settings page</a> for webhook authentication settings.', 'pronamic_ideal' ),
+						\esc_url(
+							\add_query_arg(
+								[
+									'page' => 'pronamic_pay_settings',
+								],
+								\admin_url( 'admin.php' )
+							)
 						)
-					)
+					),
+					[
+						'a' => [
+							'href' => true,
+						],
+					]
 				);
 			},
 		];