• Resolved ndukesx

    (@ndukesx)


    On line 2841 of popup-maker\assets\js\site.js:
    var $message = $('<p class="pum-form__message">').html(message);
    This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
    Can you please sanitize the output of html for security?


Viewing 4 replies - 1 through 4 (of 4 total)
  • Bel

    (@belimperial)

    Hi @ndukesx

    Thank you for bringing this to our attention.

    We’ve asked our development team to have a look.

    We’ll get back to you as soon as we have an update.

    Thank you!

    Plugin Author Daniel Iser

    (@danieliser)

    @ndukesx – Appreciate the report. First, in the future we have a dedicated form for these to make sure they get handled and fixed without alerting hackers to their presence here: https://github.com/PopupMaker/Popup-Maker/security/policy

    Quick note, the data in question is sanitized when it's saved. However, I'm assuming you meant escaping data, which .html() does not do (stripping out script tags).

    That said, can you provide any attack details on how this could be exploited, or was this the result of an automated scanner notice?

    I ask because I have gone over the ways that code gets called, and they all come from either our own hard-coded messages, or from options only a user with admin privileges (manage_options) already could edit. If a user can modify those messages, they have far more control than they could gain from trying to exploit this.

    The function with that code is only called during usage of our own Subscription form shortcode during submission to render error notices & success messages. It is also one of the ways admins output script tags for Google Analytics tracking on successful submission, so stripping out script tags isn't exactly desirable behavior, assuming they never took advantage of our extensions.

    I'm happy to investigate as needed, especially if you , but potentially breaking X number of sites' ability to track their submissions with no real security threat would not be the best path forward.

    If you do have an exploit, and details on duplicating it, I implore you to use the link I posted above: https://github.com/PopupMaker/Popup-Maker/security/policy
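    The distinction drawn above between sanitizing on save and escaping on output is the crux of the report, so here is an added example (not Popup Maker's code, and not from either poster) that models the two ways the message could be rendered. jQuery's .html() parses the string as markup, while .text() inserts it as data; the functions below reproduce that difference as plain string builders so the example runs under Node without a DOM, and the sample messages are constructed for illustration.

```javascript
// Added example, not Popup Maker's code: models jQuery's .html() versus .text()
// for the message element the thread discusses, as plain string functions.

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Equivalent of $('<p class="pum-form__message">').html(message):
// the message is parsed as markup, so any tags in it become live elements.
// This is the behaviour the thread says admins rely on for tracking snippets.
function renderMessageAsHtml(message) {
  return '<p class="pum-form__message">' + message + '</p>';
}

// Equivalent of $('<p class="pum-form__message">').text(message):
// the message is treated as data, so tags are displayed literally, never executed.
function renderMessageAsText(message) {
  return '<p class="pum-form__message">' + escapeHtml(message) + '</p>';
}

// Policy helper (hypothetical name): only messages that come from
// admin-controlled options are rendered as markup; anything else is escaped.
function renderMessage(message, fromAdminOption) {
  return fromAdminOption ? renderMessageAsHtml(message) : renderMessageAsText(message);
}

// Crude visibility check used to compare the two outputs: does the rendered
// fragment contain an element with the given tag name?
function containsTag(html, tagName) {
  return new RegExp('<' + tagName + '[\\s>]', 'i').test(html);
}

// Constructed sample messages (not taken from the thread).
const plainMessage = 'Thanks for subscribing!';
const markupMessage = '<strong>Thanks</strong> for subscribing! <script>track()</script>';

console.log(renderMessageAsHtml(markupMessage)); // tags survive as markup
console.log(renderMessageAsText(markupMessage)); // tags shown as literal text
```

For a plain message the two renderers produce identical output; they only diverge when the message contains markup, which is exactly the case the scanner flagged and the case the plugin author says is reserved for admin-configured options.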

    Thread Starter ndukesx

    (@ndukesx)

    Hello @danieliser, thank you for the response & info. This is from an automated scanner, so I do not have a specific exploit to share, but since you've confirmed this is only called when an Admin is making changes, we can call this a false positive. Thanks for your help! We appreciate it.

    • This reply was modified 3 years, 6 months ago by ndukesx. Reason: Mark resolved
    Plugin Author Daniel Iser

    (@danieliser)

    @ndukesx – Not a problem. Very much appreciate the report & confirmation. If you tell me what scanner you are using we might be able to add some comments that prevent it from throwing a notice.


The topic ‘Sanitize output’ is closed to new replies.