Sanitize admin settings

inc/class-wooviet-admin-page.php

@@ -36,7 +36,7 @@ class WooViet_Admin_Page {
 	 */
 	public function save_settings() {
 		if ( wp_verify_nonce( $_REQUEST['wooviet_nonce'], 'wooviet_save_settings' ) ) {
-			update_option( 'woo-viet', $_REQUEST['settings'] );
+			update_option( 'woo-viet', $this->sanitize_settings( $_REQUEST['settings'] ) );
 
 			$this->message =
 				'<div class="updated notice"><p><strong>' .
@@ -327,4 +327,25 @@ class WooViet_Admin_Page {
         <?php
 	}
 
-}
+	/**
+	 * Sanitize admin settings.
+	 *
+	 * @author   htdat
+	 * @since    1.5.3
+	 *
+	 * @param  array  $settings User input settings.
+	 *
+	 * @return array
+	 */
+	private function sanitize_settings( array $settings ): array {
+		$sanitized_settings = array();
+
+		foreach ( $settings as $feature => $feature_options ) {
+			foreach ( $feature_options as $option => $value ) {
+				$sanitized_settings[ $feature ][ $option ] = esc_html( sanitize_text_field( $value ) );
+			}
+		}
+
+		return $sanitized_settings;
+	}
+}

readme.md

@@ -8,6 +8,10 @@ Xem phiên bản tiếng Việt tại đây https://vi.wordpress.org/plugins/woo
 
 ## Changelog
 
+### 1.5.3 - 2024.01.13 
+
+* Update - Sanitize admin settings to avoid XSS. Thanks Dhabaleshwar Das.
+
 ### 1.5.2 - 2021.10.03 
 
 * Update - tested with WP 5.8.1 and WC 5.7.1. #86

woo-viet.php

@@ -7,10 +7,10 @@
  * Author URI: https://profiles.wordpress.org/htdat
  * Text Domain: woo-viet
  * Domain Path: /languages
- * Version: 1.5.2
+ * Version: 1.5.3
  *
  * WC requires at least: 3.0
- * WC tested up to: 5.7.1
+ * WC tested up to: 8.4.0
  *
  * License:     GPLv2+
  */