fix: xss vulnerability

Author: jakubmikita

assets/src/js/event-actions.js

@@ -22,12 +22,13 @@
 
 				// if data is type of array, we send it as JSON anyway,
 				// change characters to make it look like associative array
-				 if ( data.type === 'array' ) {
-					 formattedData = `(${data.type}) ` + JSON.stringify(JSON.parse(data.msg), null, 2)
-						 .replace(/\{/g, '[')
-						 .replace(/}/g, ']')
-						 .replace(/:/g, ' =>')
-				 }
+				if ( data.type === 'array' ) {
+					formattedData = `(${data.type}) ` + JSON.stringify(JSON.parse(data.msg), null, 2)
+						.replace(/\{/g, '[')
+						.replace(/}/g, ']')
+						.replace(/:/g, ' =>')
+				}
+
 				arr.push(formattedData);
 
 			} else {

inc/AdminScreen.php

@@ -295,7 +295,7 @@ public static function prepare_event_arguments( $event ) {
 			} else {
 				$parsed_args[] = array(
 					'type' => gettype( $arg ),
-					'msg'  => $arg,
+					'msg'  => wp_filter_nohtml_kses( sanitize_text_field( html_entity_decode( $arg ) ) ),
 				);
 			}
 

inc/Cron/EventsActions.php

@@ -87,7 +87,7 @@ public function insert() {
 		if ( ! empty( $data['arguments'] ) ) {
 			foreach ( $data['arguments'] as $arg_raw ) {
 				if ( ! empty( $arg_raw ) ) {
-					$args[] = sanitize_text_field( $arg_raw );
+					$args[] = wp_filter_nohtml_kses( sanitize_text_field( html_entity_decode( $arg_raw ) ) );
 				}
 			}
 		}

readme.txt

@@ -101,6 +101,9 @@ Yes! We're offering a [custom plugin development](https://bracketspace.com/custo
 
 == Changelog ==
 
+= [Next] =
+* [Fixed] Security vulnerability.
+
 = 2.5.5 =
 * [Added] Custom schedules availability info.