Changeset 3403213

Timestamp:

11/26/2025 10:33:44 AM (3 weeks ago)

Author:

ThemeHigh

Message:

V1.5.3

Location:

advanced-faq-manager/trunk

Files:

• advanced-faq-manager.php (modified) (2 diffs)
• includes/admin/class-thfaqf-admin-settings-faq.php (modified) (8 diffs)
• includes/admin/class-thfaqf-admin-settings-general.php (modified) (4 diffs)
• includes/admin/class-thfaqf-admin-settings.php (modified) (6 diffs)
• includes/admin/class-thfaqf-admin.php (modified) (2 diffs)
• includes/public/class-thfaqf-public.php (modified) (25 diffs)
• languages (added)
• languages/advanced-faq-manager.pot (added)
• readme.txt (modified) (2 diffs)

advanced-faq-manager/trunk/advanced-faq-manager.php

@@ -3 +3 @@
  * Plugin Name: Advanced FAQ Manager (Best FAQ Plugin for WordPress)
  * Description: FAQ Plugin for WordPress lets you create and manage FAQs in your WordPress pages. 
- * Version:     1.5.2
+ * Version:     1.5.3
  * Author:      ThemeHigh
  * Author URI:  https://www.themehigh.com
@@ -24 +24 @@
 
         public function init() {
-            define('THFAQF_VERSION', '1.5.2');
+            define('THFAQF_VERSION', '1.5.3');
             !defined('THFAQF_BASE_NAME') && define('THFAQF_BASE_NAME', plugin_basename( __FILE__ ));
             !defined('THFAQF_PATH') && define('THFAQF_PATH', plugin_dir_path( __FILE__ ));

advanced-faq-manager/trunk/includes/admin/class-thfaqf-admin-settings-faq.php

@@ -154 +154 @@
                     <td class="pl-10">
                         <label class="thpladmin-switch">
-                            <input type="checkbox" id="override_global_settings" name="override_global_settings" value= yes <?php echo $override_checked; ?> onchange="thfaqfEnableDisableOverrideSettings(this)"/>
+                            <input type="checkbox" id="override_global_settings" name="override_global_settings" value= yes <?php echo esc_attr($override_checked); ?> onchange="thfaqfEnableDisableOverrideSettings(this)"/>
                             <span class="thpladmin-slider"></span>
                         </label>
@@ -196 +196 @@
 
     public function render_meta_box_shortcode_display(){
-        $post_id = get_the_ID();
+        $post_id = absint(get_the_ID());
         $shortcode = '[faq id="'. $post_id .'"]';
 
@@ -212 +212 @@
 
     public function render_meta_box_shortcode_display_faq_group(){
-        $post_id = get_the_ID();
+        $post_id = absint(get_the_ID());
         $shortcode = '[thfaq_group category="category_1,category_2,etc.." limit="-1"]';
 
@@ -276 +276 @@
         $rand_editor_id = $random_editor_id ? $random_editor_id : rand(1,10000);
         ?>
-        <div class="thfaqf-single-form-wrapper <?php echo $wrapper_class; ?>" >
+        <div class="thfaqf-single-form-wrapper <?php echo esc_attr($wrapper_class); ?>" >
             <div class="thfaqf-single-form-header">
-                <span class="faq-title"><?php echo wordwrap($title); ?></span>
+                <span class="faq-title"><?php echo esc_html(wordwrap($title)); ?></span>
                 <span class="faq-delete dashicons dashicons-trash" onclick="thfaqfDeleteFaqItem(this)"></span>
                 <span class="faq-edit dashicons dashicons-edit" onclick="thfaqfEditFaqItem(this)"></span>
@@ -286 +286 @@
                 <p>
                     <label class="faq-label">Title:</label>
-                    <input type="text"  name="faq_title[]" value="<?php echo $title; ?>" placeholder="FAQ title" class="faq-input-title">
+                    <input type="text"  name="faq_title[]" value="<?php echo esc_attr($title); ?>" placeholder="FAQ title" class="faq-input-title">
                 </p>
 
@@ -294 +294 @@
                     <span class="thfaqf-media-button-icon"></span> Add Media
                 </button>
-                <textarea name="faq_content[]" id = "<?php echo 'thfaq_editor_tinymce_'.$rand_editor_id; ?>" class="faq-input-content"><?php echo $content; ?></textarea>
-                <input type="hidden"  name="faq_comment[]" value="<?php echo $faq_comment; ?>"/>
-                <input type="hidden"  name="like_user_ids[]" value="<?php echo $like_user_ids; ?>"/>
-                <input type="hidden"  name="dislike_user_ids[]" value="<?php echo $dislike_user_ids; ?>"/>
-                <input type="hidden" class="random-editor-id" name="random_editor_id[]" value="<?php echo $rand_editor_id; ?>"/>
+                <textarea name="faq_content[]" id = "<?php echo esc_attr('thfaq_editor_tinymce_'.$rand_editor_id); ?>" class="faq-input-content"><?php echo esc_textarea($content); ?></textarea>
+                <input type="hidden"  name="faq_comment[]" value="<?php echo esc_attr($faq_comment); ?>"/>
+                <input type="hidden"  name="like_user_ids[]" value="<?php echo esc_attr($like_user_ids); ?>"/>
+                <input type="hidden"  name="dislike_user_ids[]" value="<?php echo esc_attr($dislike_user_ids); ?>"/>
+                <input type="hidden" class="random-editor-id" name="random_editor_id[]" value="<?php echo esc_attr($rand_editor_id); ?>"/>
 
             </div>
@@ -324 +324 @@
                         $faq_field_value  = isset($_POST[$key][$i]) ? $_POST[$key][$i] : array();
 
-                        if($type == 'f_text' || $type == 'f_textarea'){
-                            $faq_field_value = htmlspecialchars($faq_field_value);
+                        if($type == 'f_text'){
+                            $faq_field_value = sanitize_post_field('post_title', stripslashes($faq_field_value), 0, 'db');
+                        }elseif($type == 'f_textarea'){
+                            $faq_field_value = sanitize_post_field('post_content', stripslashes($faq_field_value), 0, 'db');
                         }else {
-                            
-                            $faq_field_value = sanitize_text_field($faq_field_value);
+                            $faq_field_value = sanitize_text_field(stripslashes($faq_field_value));
                         }
 
@@ -399 +400 @@
         $posttype = get_post_type();
         if($post_columns === 'Shortcode' && $posttype == 'faq'){
+            $post_id = absint($post_id);
             $shortcode = '[FAQ id="'. $post_id .'"]'
             ?>

advanced-faq-manager/trunk/includes/admin/class-thfaqf-admin-settings-general.php

@@ -97 +97 @@
                         ?>
                     </tr>
-                      <tr class="thfaq-icon-poss <?php echo $enable_icon_options; ?>">
+                      <tr class="thfaq-icon-poss <?php echo esc_attr($enable_icon_options); ?>">
                         <?php
                         $this->render_form_field_element($this->settings_fields['icon_picker'], $settings, $this->cell_props_L);
@@ -166 +166 @@
                         ?>
                     </tr> 
-                    <tr class="thfaqf-additonal-css-wrapper <?php echo $thfaq_custom_css; ?>">
+                    <tr class="thfaqf-additonal-css-wrapper <?php echo esc_attr($thfaq_custom_css); ?>">
                         <?php
                         $this->render_form_field_element($this->settings_fields['thfaq_custom_css'], $settings, $this->cell_props_L);
@@ -177 +177 @@
                     <input type="submit" name="reset_settings" class="button" value="Reset to default" onclick="return confirm('Are you sure you want to reset to default settings? all your changes will be deleted.');">
                 </p>
-                <p class="mt-20">Here you can <a href="<?php echo $eurl.'export.php'; ?>"><i>Export</i></a>/ <a href="<?php echo $eurl.'import.php'; ?>"> <i>Import</i></a> FAQs</p>
+                <p class="mt-20">Here you can <a href="<?php echo esc_url($eurl.'export.php'); ?>"><i>Export</i></a>/ <a href="<?php echo esc_url($eurl.'import.php'); ?>"> <i>Import</i></a> FAQs</p>
             </form>
         </div>       
@@ -185 +185 @@
     private function wp_verify_nonce() {
         ?>
-        <input type="hidden" name="wp_thfaqgs_nonce" value="<?php echo wp_create_nonce('thfaqgs_nonce'); ?>">
-        <input type="hidden" name="wp_thfaqrs_nonce" value="<?php echo wp_create_nonce('thfaqrs_nonce'); ?>">
+        <input type="hidden" name="wp_thfaqgs_nonce" value="<?php echo esc_attr(wp_create_nonce('thfaqgs_nonce')); ?>">
+        <input type="hidden" name="wp_thfaqrs_nonce" value="<?php echo esc_attr(wp_create_nonce('thfaqrs_nonce')); ?>">
         <?php
     }

advanced-faq-manager/trunk/includes/admin/class-thfaqf-admin-settings.php

@@ -161 +161 @@
             }else if($ftype == 'switch'){
                 $field_props .= isset($field['checked']) && $field['checked'] ? ' checked' : '';
-                $field_html .= '<label class="'.$class.' thpladmin-switch">';
+                $field_html .= '<label class="'.esc_attr($class).' thpladmin-switch">';
                 $field_html .= '<input type="checkbox" '. $field_props .' />'; 
                 $field_html .= '<span class="thpladmin-slider"></span>';
@@ -197 +197 @@
                 ?>
                 
-                <td <?php echo $label_cell_props ?> > <?php 
-                    echo $flabel; echo $required_html; 
+                <td <?php echo esc_attr($label_cell_props); ?> > <?php 
+                    echo esc_html($flabel); 
+                    echo wp_kses_post($required_html); 
                     
                     if(isset($field['sub_label']) && !empty($field['sub_label'])){
                         ?>
-                        <br /><span class="thpladmin-subtitle"><?php _e($field['sub_label'], 'advanced-faq-manager'); ?></span>
+                        <br /><span class="thpladmin-subtitle"><?php esc_html_e($field['sub_label'], 'advanced-faq-manager'); ?></span>
                         <?php
                     }
@@ -215 +216 @@
                 ?>
                 
-                <td <?php echo $input_cell_props ?> ><?php echo $field_html; ?></td>
+                <td <?php echo esc_attr($input_cell_props); ?> ><?php echo $field_html; ?></td>
                 
                 <?php
@@ -249 +250 @@
         if($render_cell){
         ?>
-            <td <?php echo $args['cell_props']; ?> ><?php echo $field_html; ?></td>
+            <td <?php echo esc_attr($args['cell_props']); ?> ><?php echo $field_html; ?></td>
         <?php 
         }else{
@@ -260 +261 @@
     public function render_form_section_separator($props, $atts=array()){
         ?>
-        <tr valign="top"><td colspan="<?php echo $props['colspan']; ?>" style="height:10px;"></td></tr>
-        <tr valign="top"><td colspan="<?php echo $props['colspan']; ?>" class="thpladmin-form-section-title" ><?php echo $props['title']; ?></td></tr>
-        <tr valign="top"><td colspan="<?php echo $props['colspan']; ?>" style="height:0px;"></td></tr>
+        <tr valign="top"><td colspan="<?php echo esc_attr($props['colspan']); ?>" style="height:10px;"></td></tr>
+        <tr valign="top"><td colspan="<?php echo esc_attr($props['colspan']); ?>" class="thpladmin-form-section-title" ><?php echo esc_html($props['title']); ?></td></tr>
+        <tr valign="top"><td colspan="<?php echo esc_attr($props['colspan']); ?>" style="height:0px;"></td></tr>
         <?php
     }
@@ -268 +269 @@
     public function render_form_section_subtitle($props, $atts=array()){
         ?>
-        <tr valign="top"><td colspan="<?php echo $props['colspan']; ?>" class="thpladmin-form-section-subtitle" ><?php echo $props['title']; ?></td></tr>
+        <tr valign="top"><td colspan="<?php echo esc_attr($props['colspan']); ?>" class="thpladmin-form-section-subtitle" ><?php echo esc_html($props['title']); ?></td></tr>
         <?php
     }

advanced-faq-manager/trunk/includes/admin/class-thfaqf-admin.php

@@ -6 +6 @@
 
 class THFAQF_Admin{
+
+    private $screen_id;
 
     public function faq_general_setting_menu(){
@@ -56 +58 @@
     public function output_settings(){
         if(!current_user_can('manage_options')){
-            wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
+            wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'advanced-faq-manager' ) );
         }      
         $settings = THFAQF_Admin_Settings_General::instance();

advanced-faq-manager/trunk/includes/public/class-thfaqf-public.php

@@ -41 +41 @@
         ob_start();
         foreach($faq_post_ids as  $key => $faq_post_id){
+            $faq_post_id = absint($faq_post_id);
+            
             $post_status = get_post_status($faq_post_id);
             $post_type = get_post_type($faq_post_id);
@@ -52 +54 @@
 
         $invalid_ids = implode(',', $invalid_ids);
-        echo $invalid_faq_html = !empty($invalid_ids) ? '[FAQ id="'.$invalid_ids.'"]' : '';
+        // Escape output to prevent XSS
+        echo !empty($invalid_ids) ? esc_html('[FAQ id="'.$invalid_ids.'"]') : '';
         return ob_get_clean();
     }
@@ -64 +67 @@
         ), $atts );
 
-        $faq_category = $sh_args['category'];
-        $limit = $sh_args['limit'];
+        $faq_category = isset($sh_args['category']) ? sanitize_text_field($sh_args['category']) : '';
+        $limit = isset($sh_args['limit']) ? intval($sh_args['limit']) : '';
         $category_array = explode (",", $faq_category); 
         $pst_args = array(  
@@ -90 +93 @@
         $theme_wrapper_class = $this->get_theme_wrapper_class();
         ?> 
-        <div class="thfaqf-layout-wrapper thfaqf-faq-list <?php echo $theme_wrapper_class; ?>">
+        <div class="thfaqf-layout-wrapper thfaqf-faq-list <?php echo esc_attr($theme_wrapper_class); ?>">
             <?php 
             $faq_index1 = 0;
@@ -98 +101 @@
             while($loop->have_posts()) : $loop->the_post();
                 $faq_index1++;
+                $post_id = absint(get_the_ID());
                 ?>
-                <div class="<?php echo 'thfaqf-tab-id_'.get_the_ID(); ?> thfaqf-tabcontent-wrapper  <?php echo $faq_index1 != 1 ? 'thfaqf-hide' : ''; ?>">
+                <div class="<?php echo 'thfaqf-tab-id_'.esc_attr($post_id); ?> thfaqf-tabcontent-wrapper  <?php echo esc_attr($faq_index1 != 1 ? 'thfaqf-hide' : ''); ?>">
                     <?php
                     echo $enable_search_option_faq_layout ? $this->faq_search_option($show_updated_date) : '';
-                    $last_updated = get_the_modified_date(get_option('date_format'), get_the_ID()); 
+                    $last_updated = get_the_modified_date(get_option('date_format'), $post_id); 
                     echo $show_updated_date ? '<p class="thfaqf-faq-updated-date">'.esc_html($last_updated).'</p>' :  '';
                     ?>
@@ -116 +120 @@
                     $tab_title = get_the_title(get_the_ID());
                     $tab_title =  $tab_title ?  $tab_title : 'Title '.$tab_index;
+                    $tab_id = absint(get_the_ID());
                     ?>
-                    <h3 class="thfaqf-tablinks thfaqf-tablinks-<?php echo get_the_ID(); ?>  <?php echo $tab_index == 1 ? 'active' : ''; ?>" onclick="FaqTabOnClick(this, 'thfaqf-tab-id_<?php echo get_the_ID(); ?>')"><?php echo $tab_title; ?></h3>
+                    <h3 class="thfaqf-tablinks thfaqf-tablinks-<?php echo esc_attr($tab_id); ?>  <?php echo $tab_index == 1 ? 'active' : ''; ?>" onclick="FaqTabOnClick(this, 'thfaqf-tab-id_<?php echo esc_js($tab_id); ?>')"><?php echo esc_html($tab_title); ?></h3>
                 <?php endwhile; ?>
             </div> 
@@ -124 +129 @@
             while( $loop->have_posts()) : $loop->the_post(); 
                 $faq_index++;
+                $post_id = absint(get_the_ID());
                 ?>
-                <div class="<?php echo 'thfaqf-tab-id_'.get_the_ID(); ?> thfaqf-tabcontent-wrapper thfaqf-tabcontent  <?php echo $faq_index != 1 ? 'thfaqf-hide' : ''; ?>">
-                    <?php $this->faq_list(get_the_ID(),'layout'); ?>
+                <div class="<?php echo 'thfaqf-tab-id_'.esc_attr($post_id); ?> thfaqf-tabcontent-wrapper thfaqf-tabcontent  <?php echo $faq_index != 1 ? 'thfaqf-hide' : ''; ?>">
+                    <?php $this->faq_list($post_id,'layout'); ?>
                 </div>
             <?php endwhile; ?>
@@ -134 +140 @@
 
     public function faq_list($post_id,$type){
+        $post_id = absint($post_id);
         $faqs = get_post_meta($post_id, THFAQF_Utils::OPTION_KEY_FAQ_ITEMS, true);
         if(empty($faqs)){
@@ -194 +201 @@
         $this->get_additional_css_for_faqs($post_id);
         ?>
-        <div class="thfaqf-faq-list <?php echo $theme_wrapper_class ?>">
+        <div class="thfaqf-faq-list <?php echo esc_attr($theme_wrapper_class); ?>">
             <?php 
-            echo $type == 'faq' ? '<h3 class="thfaqf-faq-list-title">'.get_the_title($post_id).'</h3>' : '';
-            echo ($enable_search_option === 'yes' || $enable_search_option === true) && $type != 'layout'  ? $this->faq_search_option($show_updated_date ) : '';
-            if(($show_updated_date === "yes" || $show_updated_date == 1) && $type != 'layout'){ 
+            echo $type == 'faq' ? '<h3 class="thfaqf-faq-list-title">'.esc_html(get_the_title($post_id)).'</h3>' : '';
+            echo (($enable_search_option === 'yes' || $enable_search_option === true) && $type !== 'layout') ? wp_kses_post((string) $this->faq_search_option($show_updated_date)) : '';
+            if(($show_updated_date === "yes" || $show_updated_date == 1) && $type != 'layout'){ 
                 $last_updated = get_the_modified_date(get_option('date_format'), $post_id);
                 echo '<p class="thfaqf-faq-last-updated">'. esc_html($last_updated).'</p>';
@@ -210 +217 @@
                 $dislike_user_ids = !empty ($faq_item['dislike_user_ids']) ? $faq_item['dislike_user_ids'] : '';
                 $display_none = $key < $visible_faq_count ? '' : 'thfaqf-div-none';
-                $this->display_faq_item($faq_item, $item_wrapper_class, $item_wrapper_style, $item_title_style, $item_content_style, $title_text_style,$item_expnd_icon_style,$post_id,$key,$like_user_ids,$dislike_user_ids,$faq_title_icon,$enable_icon_options,$user_id,$display_none,$title_active_color);
+                $this->display_faq_item($faq_item, $item_wrapper_class, $item_wrapper_style, $item_title_style, $item_content_style, $title_text_style,$item_expnd_icon_style,$post_id,$key,$like_user_ids,$dislike_user_ids,$faq_title_icon,$enable_icon_options,$user_id,esc_attr($display_none),$title_active_color);
                 $index++;
             }
@@ -230 +237 @@
                         $display_none = $i>4? 'thfaqf-div-none' : '';
                         ?>
-                        <span class="thfaqf-page-no <?php echo $display_none; ?>" data-number="<?php echo $i; ?>">
-                        <a class="thfaqf-pnumber <?php echo $active; ?>"href="#" onclick="ThfaqEachPage(this)" ><?php echo $i; ?></a>
+                        <span class="thfaqf-page-no <?php echo esc_attr($display_none); ?>" data-number="<?php echo esc_attr($i); ?>">
+                        <a class="thfaqf-pnumber <?php echo esc_attr($active); ?>"href="#" onclick="ThfaqEachPage(this)" ><?php echo esc_html($i); ?></a>
                         </span>
                         <?php
@@ -239 +246 @@
                     } 
                     ?> 
-                    <span onclick="ThfaqPagination(this,'next_page')" data-page_count="<?php echo $page_count; ?>"><a class="thfaqf-next-page <?php echo $pagination_panel == 1 ? 'thfaqf-div-none': ''; ?>" href="#">>></a></span> 
+                    <span onclick="ThfaqPagination(this,'next_page')" data-page_count="<?php echo esc_attr($page_count); ?>"><a class="thfaqf-next-page <?php echo esc_attr($pagination_panel == 1 ? 'thfaqf-div-none': ''); ?>" href="#">>></a></span> 
                 </span>
                 <input type="hidden" class="thfaqf-count-faq-number"name="count_faq" value="<?php echo esc_attr($visible_faq_count);?>"/>
@@ -252 +259 @@
         $faq_content = isset($faq_item['faq_content']) ? $faq_item['faq_content'] : '';
         $faq_title = htmlspecialchars_decode($faq_title);
-        $faq_content = htmlspecialchars_decode($faq_content);
+        // $faq_content = htmlspecialchars_decode($faq_content); // --- IGNORE ---
+        $faq_content = apply_filters('thfaq_faq_content_single_page', $faq_content, $faq_item);
         $enable_like_dislike = THFAQF_Utils::get_faq_settings('','like_and_dislike_option');
         $enable_comment_box = THFAQF_Utils::get_faq_settings('','enable_disable_comment');
@@ -261 +269 @@
 
         ?>
-        <div id="thfaqf-faq-item-<?php echo $post_id.'_'.$key; ?>" class="thfaqf-faq-item  thfaqf-faq-item-<?php echo $post_id; ?>  <?php echo esc_attr($display_none).' '.esc_attr($item_wrapper_class).' thfaqf-post-id-'.esc_attr($post_id); ?> thfaqf-count-dsply-setngs" style="<?php echo esc_attr($item_wrapper_style); ?>" >
-            <div data-active_color="<?php echo $title_active_color; ?>" class="thfaqf-faq-item-title" style="<?php echo esc_attr($item_title_style); ?>">
+        <div id="thfaqf-faq-item-<?php echo esc_attr($post_id.'_'.$key); ?>" class="thfaqf-faq-item  thfaqf-faq-item-<?php echo esc_attr($post_id); ?>  <?php echo esc_attr($display_none).' '.esc_attr($item_wrapper_class).' thfaqf-post-id-'.esc_attr($post_id); ?> thfaqf-count-dsply-setngs" style="<?php echo esc_attr($item_wrapper_style); ?>" >
+            <div data-active_color="<?php echo esc_attr($title_active_color); ?>" class="thfaqf-faq-item-title" style="<?php echo esc_attr($item_title_style); ?>">
                 <h4>
                 <?php 
@@ -269 +277 @@
                     <?php } ?>
                     <span class="<?php echo esc_attr($expand_style);?> thfaqf-toggle-icon" style="<?php echo esc_attr($item_expnd_icon_style); ?>"></span>
-                    <span class="thfaqf-title-text " style="<?php echo esc_attr($title_text_style); ?>" ><?php echo $faq_title; ?></span>
+                    <span class="thfaqf-title-text " style="<?php echo esc_attr($title_text_style); ?>" ><?php echo esc_html($faq_title); ?></span>
                 </h4>   
             </div>
             <div class="thfaqf-faq-item-content" style="<?php echo esc_attr($item_content_style); ?>" >
                 <?php 
-                echo wpautop($faq_content);
-                echo $enable_like_dislike == true ?  $this->like_option($post_id,$key,$like_user_ids,$dislike_user_ids,$user_id) : '';
+
+                echo wp_kses_post(wpautop($faq_content));
+                echo $enable_like_dislike == true ? wp_kses_post($this->like_option($post_id,$key,$like_user_ids,$dislike_user_ids,$user_id)) : '';
             
                 if($enable_comment_box == true){ 
@@ -294 +303 @@
 
     public function display_comment_box($faq_id,$faq_index){
+        // Cast IDs to integers for security
+        $faq_id = absint($faq_id);
+        $faq_index = absint($faq_index);
+        
+        if($faq_id <= 0){
+            return;
+        }
+        
         ?>
         <div class="thfaqf-comment-wrapper">
@@ -304 +321 @@
                 <p><textarea placeholder="Add a Comment..."name="user_msg" class="thfaqf-comment-box thfaqf-ucomment"></textarea></p>
                 <p class="threq-comment"></p>
-                <input type="hidden" name="wp_thfaqc_nonce" value="<?php echo wp_create_nonce('thfaqc_nonce'); ?>"/>
+                <input type="hidden" name="wp_thfaqc_nonce" value="<?php echo esc_attr(wp_create_nonce('thfaqc_nonce')); ?>"/>
                 <p><button type="submit" name="thfaqf_comment_submt" class="thfaqf-submt-cmmt button primary is-xsmall" onclick="submitFaqfComment(this)">Send</button></p><p class="thfaqf-comment-validetion"></p>
             </form> 
@@ -310 +327 @@
             <?php
             $faq_data = get_post_meta($faq_id, THFAQF_Utils::OPTION_KEY_FAQ_ITEMS, true);
+            // Validate array key exists before access
+            if(!isset($faq_data[$faq_index])){
+                return;
+            }
+            
             $faq_comment_id = isset($faq_data[$faq_index]['faq_comment']) ? $faq_data[$faq_index]['faq_comment'] : '';
             $faq_comments_array = isset($faq_comment_id) ? explode(',', $faq_comment_id) : array();
@@ -316 +338 @@
                 $arr =array();
                 foreach($faq_comments_array as $key =>$faq_single_comment_ids){
+                    // Cast comment ID to integer
+                    $faq_single_comment_ids = absint($faq_single_comment_ids);
+                    if($faq_single_comment_ids <= 0){
+                        continue;
+                    }
+                    
                     $post_status = get_post_status($faq_single_comment_ids);
                     $post_type = get_post_type($faq_single_comment_ids);
@@ -330 +358 @@
                                 <span class="thfaq-cmmt-user-name"><i class="fas fa-user"></i><spam style="margin-left:7px;"><?php echo esc_html($faq_cmmted_user).' ';?><?php echo !empty($faq_cmmted_user) ? 'Commented' : ''?></spam></span> 
                             </div>
-                            <br><div class="thfaq-cmmted-data"><?php echo  do_shortcode( $content );?></div>
+                            <br><div class="thfaq-cmmted-data"><?php  echo $content; ?></div>
                         </div>
                         <?php
@@ -365 +393 @@
             $faq_id = isset($_REQUEST['faq_id']) ? trim($_REQUEST['faq_id']) : false;
             $faq_index = isset($_REQUEST['faq_index']) ? trim($_REQUEST['faq_index']) : false;
+            
+            // Cast IDs to integers
+            $faq_id = absint($faq_id);
+            $faq_index = absint($faq_index);
+            
             $post_status = get_post_status($faq_id);
 
             $user_name = sanitize_text_field(stripslashes($user_name));
             $user_msg = wp_filter_post_kses(stripslashes($user_msg));
-            $faq_id  = sanitize_text_field($faq_id);
-            $faq_index  = sanitize_text_field($faq_index);
             $message = array();
 
@@ -532 +563 @@
 
     public function like_option($post_id,$key,$like_user_ids,$dislike_user_ids,$user_id){ 
+        ob_start(); // start capturing output
         $liked_user = !empty($like_user_ids) ? explode(',', $like_user_ids): array();
         $dislikeliked_user = !empty($dislike_user_ids) ? explode(',', $dislike_user_ids): array();
@@ -542 +574 @@
 
         <span class="th-like-wrapper">      
-            <a href="<?php echo esc_attr($user_login); ?>" onclick="likeDislikeOption(this)" data-user_id="<?php echo esc_attr($user_id); ?>" class="thfaq-thums-up" data-_wp_thfaqld_nonce="<?php echo wp_create_nonce('thfaqld_nonce');?>" data-post_id="<?php echo esc_attr($post_id);?>" data-uid="<?php echo esc_attr($key);?>" data-value="like" data-action="like_dislike_option"><i style="<?php echo esc_attr($l_color); ?>" class="thfaq-icomoon icon-thumb_up_alt"></i></a>
+            <a href="<?php echo esc_attr($user_login); ?>" onclick="likeDislikeOption(this)" data-user_id="<?php echo esc_attr($user_id); ?>" class="thfaq-thums-up" data-_wp_thfaqld_nonce="<?php echo esc_attr(wp_create_nonce('thfaqld_nonce'));?>" data-post_id="<?php echo esc_attr($post_id);?>" data-uid="<?php echo esc_attr($key);?>" data-value="like" data-action="like_dislike_option"><i style="<?php echo esc_attr($l_color); ?>" class="thfaq-icomoon icon-thumb_up_alt"></i></a>
             <span class="thfaq-like-count"><?php echo esc_html($like_count);?></span>  
-            <a href="<?php echo esc_attr($user_login); ?>" onclick="likeDislikeOption(this)" data-user_id="<?php echo esc_attr($user_id); ?>" class="thfaq-thums-down" data-post_id="<?php echo esc_attr($post_id);?>" data-_wp_thfaqld_nonce="<?php echo wp_create_nonce('thfaqld_nonce');?>" data-uid="<?php echo esc_attr($key);?>" data-value="dislike"  data-action="like_dislike_option"><span class="th-dislike-img"><i style="<?php echo esc_attr($d_color); ?>" class="thfaq-icomoon icon-thumb_down"></i></span></a>
+            <a href="<?php echo esc_attr($user_login); ?>" onclick="likeDislikeOption(this)" data-user_id="<?php echo esc_attr($user_id); ?>" class="thfaq-thums-down" data-post_id="<?php echo esc_attr($post_id);?>" data-_wp_thfaqld_nonce="<?php echo esc_attr(wp_create_nonce('thfaqld_nonce'));?>" data-uid="<?php echo esc_attr($key);?>" data-value="dislike"  data-action="like_dislike_option"><span class="th-dislike-img"><i style="<?php echo esc_attr($d_color); ?>" class="thfaq-icomoon icon-thumb_down"></i></span></a>
             <span class="thfaq-dislike-count"><?php echo esc_html($dislike_count);?></span>
         </span>
         <?php
+        return ob_get_clean(); // return the HTML safely as a string
     }
 
@@ -573 +606 @@
             $faq_uid = isset($_REQUEST['uid']) ? trim($_REQUEST['uid']) : false;
             $post_id = isset($_REQUEST['post_id']) ? trim($_REQUEST['post_id']) : false;
+            
+            // Sanitize and validate inputs
+            $value = sanitize_text_field($value);
+           
+            // Cast numeric values with absint() before use
+            $faq_uid = absint($faq_uid);
+            $post_id = absint($post_id);    
             $faq_data = get_post_meta($post_id, THFAQF_Utils::OPTION_KEY_FAQ_ITEMS, true);
-            $value = sanitize_text_field($value);
-            $faq_uid  = sanitize_text_field($faq_uid);
-            $post_id  = sanitize_text_field($post_id);
             $result = array();
 
@@ -659 +696 @@
         <style type="text/css">
             <?php echo $enable ? esc_attr($css) : ''; ?>
-            .thfaqf-tab h3.thfaqf-tablinks-<?=$id?>.active {
-                background-color: <?=$tab_bg_color?>!important;
-                color: <?=$tab_active_color?>!important;
+            .thfaqf-tab h3.thfaqf-tablinks-<?php echo esc_attr($id); ?>.active {
+                background-color: <?php echo esc_attr($tab_bg_color); ?>!important;
+                color: <?php echo esc_attr($tab_active_color); ?>!important;
             }
-            .thfaqf-tab h3.thfaqf-tablinks-<?=$id?>:hover {
-                background-color: <?=$tab_bg_color?>!important;
+            .thfaqf-tab h3.thfaqf-tablinks-<?php echo esc_attr($id); ?>:hover {
+                background-color: <?php echo esc_attr($tab_bg_color); ?>!important;
             }
-            .thfaqf-faq-item-<?=$id?>.thfaqf-active .thfaqf-title-text{
-                color: <?=$title_active_color?>!important;
+            .thfaqf-faq-item-<?php echo esc_attr($id); ?>.thfaqf-active .thfaqf-title-text{
+                color: <?php echo esc_attr($title_active_color); ?>!important;
             }
           

advanced-faq-manager/trunk/readme.txt

@@ -4 +4 @@
 Tags: Accordion FAQ, WordPress FAQ Plugin, FAQ Plugin, WordPress FAQ, FAQ Widget 
 Requires at least: 5.0
-Tested up to: 6.6
-Stable tag: 1.5.2
+Tested up to: 6.8
+Stable tag: 1.5.3
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -146 +146 @@
 == Changelog ==
 
+= 1.5.3 =
+* Added WordPress 6.8 compatibility.
+* Security: Fixed an XSS vulnerability reported by PatchStack.
+
 = 1.5.2 =
 * Added WordPress 6.6 compatibility.