From 98608f18fc50009233a86398c257001b0c5790c6 Mon Sep 17 00:00:00 2001 From: Hardeep Asrani Date: Wed, 27 Mar 2024 03:33:00 +0530 Subject: [PATCH 1/2] fix: use wp_kses in review output --- inc/render/class-leaflet-map-block.php | 4 +-- inc/render/class-masonry-variant.php | 2 +- inc/render/class-posts-grid-block.php | 2 +- inc/render/class-review-block.php | 40 +++++++++++----------- inc/render/class-stripe-checkout-block.php | 4 +-- 5 files changed, 26 insertions(+), 26 deletions(-) diff --git a/inc/render/class-leaflet-map-block.php b/inc/render/class-leaflet-map-block.php index 7369fe9db..154e53262 100644 --- a/inc/render/class-leaflet-map-block.php +++ b/inc/render/class-leaflet-map-block.php @@ -33,7 +33,7 @@ public function render( $attributes ) { } // Set the ID and the class name. - $id = isset( $attributes['id'] ) ? $attributes['id'] : 'wp-block-themeisle-blocks-map-' . wp_rand( 10, 100 ); + $id = isset( $attributes['id'] ) ? esc_attr( $attributes['id'] ) : 'wp-block-themeisle-blocks-map-' . wp_rand( 10, 100 ); $class = ''; $style = ''; @@ -58,7 +58,7 @@ public function render( $attributes ) { $output .= '' . "\n"; diff --git a/inc/render/class-masonry-variant.php b/inc/render/class-masonry-variant.php index 97e1d8f63..51f68d1a3 100644 --- a/inc/render/class-masonry-variant.php +++ b/inc/render/class-masonry-variant.php @@ -60,7 +60,7 @@ public function render_blocks( $block_content, $block ) { wp_script_add_data( 'otter-masonry', 'defer', true ); - $margin = isset( $block['attrs']['margin'] ) ? $block['attrs']['margin'] : 10; + $margin = isset( $block['attrs']['margin'] ) ? esc_attr( $block['attrs']['margin'] ) : 10; $style = ''; diff --git a/inc/render/class-posts-grid-block.php b/inc/render/class-posts-grid-block.php index d519ccaf9..1a525f53f 100644 --- a/inc/render/class-posts-grid-block.php +++ b/inc/render/class-posts-grid-block.php 
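Review bot: `esc_attr()` is the wrong tool for `$margin` in the `@@ -60,7` hunk of class-masonry-variant.php: the value is numeric (the fallback is the integer `10`), and from the `$style = ''` line that follows it appears to feed an inline style, where `esc_attr()` passes `;`, `:`, `(`, `)` and `/` through untouched. Cast it so both branches carry the same type and nothing but a number can reach the stylesheet: `$margin = isset( $block['attrs']['margin'] ) ? absint( $block['attrs']['margin'] ) : 10;` (use `(int)` if a negative margin is meaningful here). How `$style` consumes `$margin` is not visible in the hunk, so confirm the unit suffix is appended there; `render_blocks()` starts and ends outside the hunk.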
@@ -119,7 +119,7 @@ function ( $x ) use ( $sticky_posts_id ) { $wrapper_attributes, isset( $attributes['id'] ) ? $attributes['id'] : '', isset( $attributes['enableFeaturedPost'] ) && $attributes['enableFeaturedPost'] && isset( $recent_posts[0] ) ? $this->render_featured_post( $recent_posts[0], $attributes ) : '', - trim( $class ), + esc_attr( trim( $class ) ), $list_items_markup, $has_pagination ? $this->render_pagination( $page_number, $total_posts ) : '' ); diff --git a/inc/render/class-review-block.php b/inc/render/class-review-block.php index f682983e7..12663936e 100644 --- a/inc/render/class-review-block.php +++ b/inc/render/class-review-block.php @@ -39,7 +39,7 @@ function() use ( $attributes, $post_id ) { ); } - $id = isset( $attributes['id'] ) ? $attributes['id'] : 'wp-block-themeisle-blocks-review-' . wp_rand( 10, 100 ); + $id = isset( $attributes['id'] ) ? esc_attr( $attributes['id'] ) : 'wp-block-themeisle-blocks-review-' . wp_rand( 10, 100 ); $class = ''; $details_class = ( isset( $attributes['image'] ) && isset( $attributes['description'] ) && ! empty( $attributes['description'] ) ) ? '' : 'is-single '; $scale = get_option( 'themeisle_blocks_settings_review_scale', false ) ? 2 : 1; @@ -70,11 +70,11 @@ function() use ( $attributes, $post_id ) { $is_one_colum_layout = strpos( $wrapper_attributes, 'is-style-single-column' ) !== false; $is_inline_features = strpos( $wrapper_attributes, 'is-style-inline-features' ) !== false; - $main_heading = isset( $attributes['mainHeading'] ) ? $attributes['mainHeading'] : 'h2'; - $sub_heading = isset( $attributes['subHeading'] ) ? $attributes['subHeading'] : 'h3'; + $main_heading = isset( $attributes['mainHeading'] ) ? esc_attr( $attributes['mainHeading'] ) : 'h2'; + $sub_heading = isset( $attributes['subHeading'] ) ? esc_attr( $attributes['subHeading'] ) : 'h3'; $html = '
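Review bot: In the `@@ -119,7` hunk of class-posts-grid-block.php the `sprintf()` argument two lines above the change, `isset( $attributes['id'] ) ? $attributes['id'] : ''`, is still passed raw while `$class` now gets `esc_attr()`; the leaflet and review blocks in this same patch escape their `$attributes['id']` with `esc_attr()`, so this one is the odd one out. Change it to `isset( $attributes['id'] ) ? esc_attr( $attributes['id'] ) : ''` so every attribute-context value in that format string is escaped the same way. The `sprintf()` call and its format string begin outside the hunk, so I cannot confirm the `%s` for the id sits inside a quoted attribute, but `esc_attr()` is the safe choice either way.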
'; - $html .= '
'; + $html .= '
'; if ( isset( $attributes['title'] ) && ! empty( $attributes['title'] ) ) { $html .= '<' . $main_heading . '>' . esc_html( $attributes['title'] ) . ''; @@ -93,7 +93,7 @@ function() use ( $attributes, $post_id ) { $html .= ' '; if ( ( isset( $attributes['price'] ) && ! empty( $attributes['price'] ) ) && isset( $attributes['discounted'] ) ) { - $html .= ' ' . self::get_currency( isset( $attributes['currency'] ) ? $attributes['currency'] : 'USD' ) . $attributes['price'] . ''; + $html .= ' ' . self::get_currency( isset( $attributes['currency'] ) ? $attributes['currency'] : 'USD' ) . esc_html( $attributes['price'] ) . ''; } $html .= self::get_currency( isset( $attributes['currency'] ) ? $attributes['currency'] : 'USD' ) . ( isset( $attributes['discounted'] ) ? $attributes['discounted'] : $attributes['price'] ); @@ -102,17 +102,17 @@ function() use ( $attributes, $post_id ) { $html .= '
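Review bot: `esc_attr()` does not make `$main_heading` and `$sub_heading` safe for their actual use in the `@@ -70,11` hunk of class-review-block.php, because they are spliced in as tag names (`'<' . $main_heading . '>'` a few lines below, and `'<' . $sub_heading . '>'` in the pros/cons hunks), not as attribute values: `esc_attr()` leaves spaces, `=` and `/` alone, so a crafted `mainHeading` can still add attributes or swap the element, and only the trailing `wp_kses_post()` pass currently catches that. Validate against an allowlist instead of escaping, adjusting the list to whatever the editor control actually offers: `$allowed = array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span' );` then `$main_heading = isset( $attributes['mainHeading'] ) && in_array( $attributes['mainHeading'], $allowed, true ) ? $attributes['mainHeading'] : 'h2';` and the same shape for `$sub_heading` with `'h3'`. The closure opened by `function() use ( $attributes, $post_id )` starts before the hunk.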
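Review bot: The `@@ -93,7` hunk of class-review-block.php escapes the struck-through `$attributes['price']` but leaves the very next, unchanged line emitting `( isset( $attributes['discounted'] ) ? $attributes['discounted'] : $attributes['price'] )` raw into `$html`, so the price that is actually displayed is still protected only by the final `wp_kses_post()` backstop. Wrap that expression the same way: `esc_html( isset( $attributes['discounted'] ) ? $attributes['discounted'] : $attributes['price'] )`. `self::get_currency()` receives the raw `$attributes['currency']` on both lines; its definition is outside the hunk, so check that it maps the code through a fixed lookup table rather than echoing the input.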
'; if ( ( isset( $attributes['image'] ) || ( isset( $attributes['description'] ) && ! empty( $attributes['description'] ) ) ) ) { - $html .= '
'; + $html .= '
'; if ( isset( $attributes['image'] ) ) { if ( isset( $attributes['image']['id'] ) && wp_attachment_is_image( $attributes['image']['id'] ) ) { - $html .= wp_get_attachment_image( $attributes['image']['id'], isset( $attributes['imageSize'] ) ? $attributes['imageSize'] : 'medium' ); + $html .= wp_get_attachment_image( $attributes['image']['id'], isset( $attributes['imageSize'] ) ? esc_attr( $attributes['imageSize'] ) : 'medium' ); } else { $html .= ' ' . esc_attr( $attributes['image']['alt'] ) . ''; } } if ( isset( $attributes['description'] ) && ! empty( $attributes['description'] ) ) { - $html .= '

' . $attributes['description'] . '

'; + $html .= '

' . esc_html( $attributes['description'] ) . '

'; } $html .= '
'; } @@ -125,7 +125,7 @@ function() use ( $attributes, $post_id ) { foreach ( $attributes['features'] as $feature ) { $html .= '
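Review bot: `esc_html()` on `$attributes['description']` in the `@@ -102,17` hunk of class-review-block.php changes rendering for existing reviews if that attribute is stored as RichText HTML (common for block description fields; confirm against the block's attribute definition): inline markup such as `<strong>` or `<br>` would now print literally, whereas `wp_kses_post( $attributes['description'] )` keeps safe formatting and still strips scripts and event handlers. If the attribute is declared as plain text, `esc_html()` is correct and a comment would stop the next reader from "fixing" it: `// description is plain text, not RichText; esc_html() rather than kses is intentional.`. Separately, `esc_attr()` on `$attributes['imageSize']` is harmless but misleading, since that value is a size-name lookup key for `wp_get_attachment_image()` rather than output, and `sanitize_key()` states the intent better. The closure opened by `function() use ( $attributes, $post_id )` starts before the hunk.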
'; if ( isset( $feature['title'] ) ) { - $html .= ' ' . $feature['title'] . ''; + $html .= ' ' . esc_html( $feature['title'] ) . ''; } $html .= '
'; @@ -140,7 +140,7 @@ function() use ( $attributes, $post_id ) { $html .= '
'; if ( isset( $feature['description'] ) ) { - $html .= ' ' . $feature['description'] . ''; + $html .= ' ' . esc_html( $feature['description'] ) . ''; } $html .= '
'; @@ -154,7 +154,7 @@ function() use ( $attributes, $post_id ) { if ( isset( $attributes['pros'] ) && count( $attributes['pros'] ) > 0 ) { $html .= '
'; if ( isset( $attributes['prosLabel'] ) && ! empty( $attributes['prosLabel'] ) ) { - $html .= ' <' . $sub_heading . '>' . $attributes['prosLabel'] . ''; + $html .= ' <' . $sub_heading . '>' . esc_html( $attributes['prosLabel'] ) . ''; } foreach ( $attributes['pros'] as $pro ) { @@ -169,7 +169,7 @@ function() use ( $attributes, $post_id ) { if ( isset( $attributes['cons'] ) && count( $attributes['cons'] ) > 0 ) { $html .= '
'; if ( isset( $attributes['consLabel'] ) && ! empty( $attributes['consLabel'] ) ) { - $html .= ' <' . $sub_heading . '>' . $attributes['consLabel'] . ''; + $html .= ' <' . $sub_heading . '>' . esc_html( $attributes['consLabel'] ) . ''; } foreach ( $attributes['cons'] as $con ) { @@ -186,21 +186,21 @@ function() use ( $attributes, $post_id ) { if ( isset( $attributes['links'] ) && count( $attributes['links'] ) > 0 ) { $html .= ' '; } $html .= '
'; - return $html; + return wp_kses_post( $html ); } /** @@ -266,15 +266,15 @@ public function get_json_ld( $attributes, $post_id ) { $json = array( '@context' => 'https://schema.org/', '@type' => 'Product', - 'name' => $attributes['title'], + 'name' => esc_attr( $attributes['title'] ), ); if ( isset( $attributes['image'] ) && isset( $attributes['image']['url'] ) ) { - $json['image'] = $attributes['image']['url']; + $json['image'] = esc_url( $attributes['image']['url'] ); } if ( isset( $attributes['description'] ) && ! empty( $attributes['description'] ) ) { - $json['description'] = $attributes['description']; + $json['description'] = esc_attr( $attributes['description'] ); } $json['review'] = array( @@ -349,8 +349,8 @@ public function get_json_ld( $attributes, $post_id ) { $offer = array( '@type' => 'Offer', 'url' => esc_url( $link['href'] ), - 'priceCurrency' => isset( $attributes['currency'] ) ? $attributes['currency'] : 'USD', - 'price' => isset( $attributes['discounted'] ) ? $attributes['discounted'] : $attributes['price'], + 'priceCurrency' => isset( $attributes['currency'] ) ? esc_attr( $attributes['currency'] ) : 'USD', + 'price' => isset( $attributes['discounted'] ) ? esc_attr( $attributes['discounted'] ) : esc_attr( $attributes['price'] ), ); array_push( $offers, $offer ); diff --git a/inc/render/class-stripe-checkout-block.php b/inc/render/class-stripe-checkout-block.php index f1e463b46..5921cd49a 100644 --- a/inc/render/class-stripe-checkout-block.php +++ b/inc/render/class-stripe-checkout-block.php @@ -62,7 +62,7 @@ public function render( $attributes ) { $details_markup = ''; if ( 0 < count( $product['images'] ) ) { - $details_markup .= '' . $product['description'] . ''; + $details_markup .= '' . esc_attr( $product['description'] ) . ''; } $price = $stripe->create_request( 'price', $attributes['price'] ); @@ -79,7 +79,7 @@ public function render( $attributes ) { $amount = number_format( $price['unit_amount'] / 100, 2, '.', ' ' ); $details_markup .= '
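Review bot: `return wp_kses_post( $html );` in the `@@ -186,21` hunk of class-review-block.php is a sensible backstop, but it deserves a comment so nobody later treats it as a licence to stop escaping individual fields, and it has a side effect worth checking: `wp_kses_post()` strips any element outside the post allowlist, so if the rating or link markup in this block emits inline `<svg>` icons they will vanish from the front end (the link-rendering lines of this hunk are not visible here, so confirm). Suggested comment above the return: `// Defence in depth only: every field is escaped where it is concatenated above; do not rely on wp_kses_post() alone.`. The function this `return` belongs to begins before the hunk.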
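Review bot: `esc_attr()` on `name` and `description` in the `@@ -266,15` hunk of `get_json_ld()` is the wrong context: these values go into a PHP array that is presumably serialised with `wp_json_encode()`, which already escapes for JSON, so the HTML entities `esc_attr()` introduces (`Tom's` becomes `Tom&#039;s`, `&` becomes `&amp;`) end up verbatim in the structured data that search engines index. Use a content sanitiser rather than an output escaper here, and let the JSON encoder do the escaping: `'name' => wp_strip_all_tags( $attributes['title'] ),` and `$json['description'] = wp_strip_all_tags( $attributes['description'] );`. `esc_url()` on the image URL is fine. The rest of `get_json_ld()` lies outside the hunk.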
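Review bot: The same JSON-context problem applies to `priceCurrency` and `price` in the `@@ -349,8` hunk of `get_json_ld()`: `esc_attr()` can write HTML entities into the `Offer` object, and schema.org expects `price` to be a plain number or numeric string, so an entity-encoded value is at best ignored by consumers. Prefer `'priceCurrency' => isset( $attributes['currency'] ) ? sanitize_text_field( $attributes['currency'] ) : 'USD',` and, if the attribute is numeric in the block definition, `'price' => (float) ( isset( $attributes['discounted'] ) ? $attributes['discounted'] : $attributes['price'] ),` (otherwise `sanitize_text_field()` there too). The `foreach` building `$offers` starts before the hunk.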
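Review bot: In the `@@ -62,7` hunk of class-stripe-checkout-block.php the choice of `esc_attr()` for `$product['description']` implies it lands inside an attribute, but the surrounding tags are not visible here; if it is actually a text node, `esc_html()` is the matching escaper, and if it is an `alt`/`title` attribute a one-line comment such as `// description is used as the image alt text, hence esc_attr()` would settle the question for the next reader. This branch is gated on `count( $product['images'] )`, which suggests an image URL from the Stripe response is emitted on a nearby line; that URL should go through `esc_url()` as well, but the line is outside the hunk so I cannot confirm its current state. `render()` starts before the hunk.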
'; - $details_markup .= '

' . $product['name'] . '

'; + $details_markup .= '

' . esc_html( $product['name'] ) . '

'; $details_markup .= '
' . $currency . $amount . '
'; $details_markup .= '
'; From e5d36dd8d6fae55f5802056986da0a5785ca2fd5 Mon Sep 17 00:00:00 2001 From: Hardeep Asrani Date: Wed, 27 Mar 2024 17:18:09 +0530 Subject: [PATCH 2/2] chore: update formbricks --- package-lock.json | 10 +++++----- package.json | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package-lock.json b/package-lock.json index d12ae1d13..04505f6a9 100644 --- a/package-lock.json +++ b/package-lock.json @@ -6,10 +6,10 @@ "packages": { "": { "name": "otter-blocks", - "version": "2.6.4", + "version": "2.6.5", "license": "GPL-2.0+", "dependencies": { - "@formbricks/js": "^1.5.0", + "@formbricks/js": "^1.6.5", "@wordpress/icons": "^9.43.0", "array-move": "^3.0.1", "classnames": "^2.5.1", @@ -2752,9 +2752,9 @@ "dev": true }, "node_modules/@formbricks/js": { - "version": "1.5.0", - "resolved": "https://registry.npmjs.org/@formbricks/js/-/js-1.5.0.tgz", - "integrity": "sha512-Q8kwqwlWk4FAuVnOGeQBD7v160fg1bVgxXSIWy6q7oqb7o9xIxTrG7+tFBln6Os0G7ko9iPKKqcCWXQAoDE+Vg==" + "version": "1.6.5", + "resolved": "https://registry.npmjs.org/@formbricks/js/-/js-1.6.5.tgz", + "integrity": "sha512-eGlnauNgzv4ye22/yN+FyQAl6gLgHbNOCxysex/UoLjTZbXYOali7ilQ1Ksyl/ujBBcqcrXKe/OnsGena2zP8A==" }, "node_modules/@hapi/hoek": { "version": "9.3.0", diff --git a/package.json b/package.json index dec9a955a..17f0dc634 100644 --- a/package.json +++ b/package.json @@ -63,7 +63,7 @@ "lasttranslator": "Themeisle Translate Team " }, "dependencies": { - "@formbricks/js": "^1.5.0", + "@formbricks/js": "^1.6.5", "@wordpress/icons": "^9.43.0", "array-move": "^3.0.1", "classnames": "^2.5.1",
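Review bot: `$currency . $amount` on the unchanged line right after the `esc_html( $product['name'] )` change in the `@@ -79,7` hunk of class-stripe-checkout-block.php is still concatenated raw. `$amount` comes from `number_format()` and is safe, but `$currency` is assigned outside the hunk; if it is derived from the Stripe price object it is third-party API data just like `$product['name']` and should get the same treatment, i.e. change the expression to `esc_html( $currency ) . $amount`. `render()` starts and ends outside the hunk.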