Merge pull request #12 from modernaweb/dev

v1.3.8

README.md

@@ -3,7 +3,7 @@
 **Contributors:** skalanter, modernaweb \
 **Donate link:** http://modernaweb.net/ \
 **Tags:** page builder, editor, elementor widgets, elementor addon, typography \
-**Stable tag:** 1.3.7 \
+**Stable tag:** 1.3.8 \
 **Requires at least:** 6.0 \
 **Tested up to:** 6.6 \
 **Requires PHP:** 7.4 \
@@ -127,6 +127,9 @@ WordPress 5.3+
 
 ## Changelog
 
+### 1.3.8 — 2024-10-30
+- Improved: Using SVG by adding sanitizer on inputs — (Security Reasons)
+
 ### 1.3.7 — 2024-10-15
 
 - Fixed: Cross-site scripting (XSS) vulnerability in all widgets; Thanks to Patchstack

black-widgets.php

@@ -4,7 +4,7 @@
  * Plugin URI: https://modernaweb.net/black-widgets
  * Description: Build web pages with black widgets.
  * Author: Modernaweb Studio
- * Version: 1.3.7
+ * Version: 1.3.8
  * Author URI: https://modernaweb.net/
  * Text Domain: blackwidgets
  * Domain Path: /languages
@@ -27,7 +27,7 @@
 define( 'BLACK_WIDGETS_PLUGIN_BASENAME', plugin_basename(__FILE__));
 define( 'BLACK_WIDGETS_PLUGIN_PATH', trailingslashit(plugin_dir_path(__FILE__)));
 define( 'BLACK_WIDGETS_PLUGIN_URL', trailingslashit(plugins_url('/', __FILE__)));
-define( 'BLACK_WIDGETS_VERSION', '1.3.6' );
+define( 'BLACK_WIDGETS_VERSION', '1.3.8' );
 define( 'BLACK_WIDGETS_ASSET_PATH', wp_upload_dir()['basedir'] . '/black-widgets');
 define( 'BLACK_WIDGETS_ASSET_URL', wp_upload_dir()['baseurl'] . '/black-widgets');
 
@@ -38,6 +38,11 @@
  */
 require_once BLACK_WIDGETS_PLUGIN_PATH . 'autoload.php';
 
+/**
+ * Composer
+ */
+require_once BLACK_WIDGETS_PLUGIN_PATH . 'vendor/autoload.php';
+
 /**
  * The code that runs during plugin activation.
  * This action is documented in includes/class-black-widgets-activator.php

composer.json

@@ -0,0 +1,5 @@
+{
+    "require": {
+        "enshrined/svg-sanitize": "^0.20.0"
+    }
+}

includes/class-bw.php

@@ -3,7 +3,8 @@
 namespace Elementor;
 namespace BLACK_WIDGETS_Modernaweb\Includes\Widgets;
 namespace Black_Widgets;
-use Elementor\Plugin;
+
+use enshrined\svgSanitize\Sanitizer;
 
 final class BLACK_WIDGETS_Modernaweb_Plugin {
 
@@ -92,9 +93,9 @@ public function __construct() {
 	 */
     public function sanitize_svg( $file ) {
         if ( $file['type'] == 'image/svg+xml' ) {
+            $sanitizer = new Sanitizer();
             $content = file_get_contents( $file['tmp_name'] );
-            $pattern = '/<script\b[^>]*>(.*?)<\/script>/is';
-            $content = preg_replace($pattern, '', $content);
+            $content = $sanitizer->sanitize( $content );
             file_put_contents( $file['tmp_name'], $content );
         }
 

includes/widgets/bw-icon-box.php

@@ -3,6 +3,7 @@
 namespace BLACK_WIDGETS_Modernaweb\Includes\Widgets;
 namespace Black_Widgets;
 
+
 // If this file is called directly, abort.
 if (!defined('ABSPATH')) {
     exit;
@@ -22,6 +23,8 @@
 use Elementor\Group_Control_Image_Size;
 // use Elementor\Group_Control_Css_Filter;
 
+use enshrined\svgSanitize\Sanitizer;
+
 /**
  * Elementor title Widget.
  *
@@ -2004,6 +2007,8 @@ protected function render() {
 		$data_id				= 'bw_' . uniqid();
 		$animate_id				= '#' . $data_id;
 
+        $sanitizer = new Sanitizer();
+        $svgcode = $sanitizer->sanitize( $svgcode );
 
 		// Render 
 		switch ($position) {

includes/widgets/bw-typography.php

@@ -22,6 +22,8 @@
 use Elementor\Group_Control_Image_Size;
 use Elementor\Group_Control_Css_Filter;
 
+use enshrined\svgSanitize\Sanitizer;
+
 /**
  * Elementor title Widget.
  *
@@ -2338,6 +2340,10 @@ protected function render() {
 		$second_bw_id			= 'second_bw_' . uniqid();
 		$second_bwscript_id		= '#' . $second_bw_id;
 
+        $sanitizer = new Sanitizer();
+        $svgcode_1 = $sanitizer->sanitize( $svgcode_1 );
+        $svgcode_2 = $sanitizer->sanitize( $svgcode_2 );
+
 		echo '<style>'. esc_html( $normal_transform_style ) . ' ' . $z_index. ' ' . $unique_z_index.'</style>';
 
 		// Render