From 85ebe6b4647203068625ccc4825f452bc71fea73 Mon Sep 17 00:00:00 2001 From: potreb <potreb@gmail.com> Date: Wed, 15 Sep 2021 12:17:59 +0200 Subject: [PATCH] fix: escaping --- templates/header.php | 4 ++-- templates/input-image.php | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/templates/header.php b/templates/header.php index 276c103..5ff3be6 100644 --- a/templates/header.php +++ b/templates/header.php @@ -5,8 +5,8 @@ * @var string $value */ -$header_size = $field->get_meta_value( 'header_size' ) ?: '2'; -$classes = $field->has_classes() ? 'class="' . $field->get_classes() . '"' : ''; +$header_size = (int) $field->get_meta_value( 'header_size' ) ?: 2; +$classes = $field->has_classes() ? 'class="' . esc_attr( $field->get_classes() ) . '"' : ''; ?> diff --git a/templates/input-image.php b/templates/input-image.php index 8141b2f..ebeffdb 100644 --- a/templates/input-image.php +++ b/templates/input-image.php @@ -7,7 +7,7 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() ); ?> -<div class="media-input-wrapper" id="<?php echo $media_container_id; ?>"> +<div class="media-input-wrapper" id="<?php echo esc_attr( $media_container_id ); ?>"> <input type="hidden" class="image-field-value" value="<?php echo \esc_html( $value ); ?>" name="<?php echo \esc_attr( $name_prefix ) . '[' . \esc_attr( $field->get_name() ) . ']'; ?>" id="<?php echo \esc_attr( $field->get_id() ); ?>"/> @@ -17,14 +17,14 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() ); <?php endif; ?> </div> <p class="hide-if-no-js"> - <a class="upload-custom-img + <a class="upload-custom-img <?php if ( $value ) : ?> hidden<?php endif ?>" href="<?php echo $value; ?>"> <?php _e( 'Set image', 'wp-forms' ); ?> </a> - <a class="delete-custom-img + <a class="delete-custom-img <?php if ( ! $value ) : ?> 
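Review bot: In the `templates/header.php` hunk, the `(int)` cast on `$header_size` removes the markup-injection risk but leaves the value unbounded, so a stored meta value such as 9 or -1 still passes through. The line that prints it is outside this hunk, so its use in the heading tag is inferred; if so, clamp it to the valid range with `$header_size = max( 1, min( 6, (int) $field->get_meta_value( 'header_size' ) ?: 2 ) );`. A one-line comment that the cast binds before `?:`, so a missing or non-numeric value falls back to 2, would make the intent clear.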
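Review bot: In `templates/input-image.php`, `$value` is still echoed with no escaping in `href="<?php echo $value; ?>"`, a context line of the `-17,14` hunk that this commit leaves unchanged. If the field value is a URL, as the `href` suggests, that line should be `href="<?php echo \esc_url( $value ); ?>"`. In the `-7,7` hunk the hidden input's `value` attribute uses `\esc_html( $value )`, and `\esc_attr( $value )` is the escaper that matches an attribute context. The added calls are written as `esc_attr(` while the neighbouring lines use `\esc_attr(`, so one spelling should be chosen. The `-17,14` hunk is cut off on this page, so the attributes of the delete link could not be checked.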
@@ -36,7 +36,7 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() );
 <script>
 jQuery( function ( $ ) {
 var frame,
- metaBox = $( '#<?php echo $media_container_id; ?>' ),
+ metaBox = $( '#<?php echo esc_attr( $media_container_id ); ?>' ),
 addImgLink = metaBox.find( '.upload-custom-img' ),
 delImgLink = metaBox.find( '.delete-custom-img' ),
 imgContainer = metaBox.find( '.custom-img-container' ),
-- GitLab
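Review bot: The added `esc_attr()` on the `metaBox` line escapes for an HTML attribute, but the value is printed inside a single-quoted JavaScript string within a `<script>` block, where the matching escaper is `esc_js()`. The hunk header shows the id is built with `sanitize_key()`, so the output is safe in practice today. The mismatch matters if that upstream sanitising changes, because entities are not decoded inside a script and the selector would no longer match the element id. Suggested line: `metaBox = $( '#<?php echo esc_js( $media_container_id ); ?>' ),`. The enclosing `jQuery( function ( $ ) {` callback continues past the end of this hunk.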