Fix: Sanitize Donation Form CSS (#7378)

src/DonationForms/Properties/FormSettings.php

@@ -246,6 +246,7 @@ class FormSettings implements Arrayable, Jsonable
      * @since 3.7.0 Added formExcerpt
 
     /**
+     * @unreleased Sanitize customCSS property
      * @since 3.2.0 Added registrationNotification
      * @since 3.0.0
      */
@@ -273,7 +274,7 @@ public static function fromArray(array $array): self
         $self->secondaryColor = $array['secondaryColor'] ?? '#f49420';
         $self->goalAmount = $array['goalAmount'] ?? 0;
         $self->registrationNotification = $array['registrationNotification'] ?? false;
-        $self->customCss = $array['customCss'] ?? '';
+        $self->customCss = wp_strip_all_tags($array['customCss'] ?? '');
         $self->pageSlug = $array['pageSlug'] ?? '';
         $self->goalAchievedMessage = $array['goalAchievedMessage'] ?? __(
             'Thank you to all our donors, we have met our fundraising goal.',

src/DonationForms/ViewModels/DonationConfirmationReceiptViewModel.php

@@ -84,6 +84,7 @@ public function formExports(): array
     }
 
     /**
+     * @unreleased Sanitize customCSS property
      * @since 3.0.0
      */
     public function render(): string
@@ -111,7 +112,7 @@ public function render(): string
 
         <?php
         if ($customCss): ?>
-            <style><?= $customCss ?></style>
+            <style><?php echo wp_strip_all_tags($customCss); ?></style>
         <?php
         endif; ?>
 

src/DonationForms/ViewModels/DonationFormViewModel.php

@@ -247,6 +247,7 @@ public function exports(): array
      * 5. Finally, call the specific WP function wp_print_footer_scripts()
      *  - This will only print the footer scripts that are enqueued within our route.
      *
+     * @unreleased Sanitize customCSS property
      * @since 3.0.0
      */
     public function render(): string
@@ -266,7 +267,7 @@ public function render(): string
         <?php
         if ($this->previewMode || $this->formSettings->customCss): ?>
             <style id="root-givewp-donation-form-style"><?php
-                echo $this->formSettings->customCss; ?></style>
+                echo wp_strip_all_tags($this->formSettings->customCss); ?></style>
         <?php
         endif; ?>
 

tests/Unit/DonationForms/Properties/FormSettingsTest.php

@@ -0,0 +1,30 @@
+<?php
+
+namespace Unit\DonationForms\Properties;
+
+use Give\DonationForms\Properties\FormSettings;
+use Give\Tests\TestCase;
+
+/**
+ * @unreleased
+ */
+class FormSettingsTest extends TestCase
+{
+    public function testSanitizationRemovesHtmlTagsFromCustomCss()
+    {
+        $formSettings = FormSettings::fromArray([
+            'customCss' => '<script>alert("hi!")</script>',
+        ]);
+
+        $this->assertEmpty($formSettings->customCss);
+    }
+
+    public function testSanitizationPreservesCssWhileRemovingHtmlTags()
+    {
+        $formSettings = FormSettings::fromArray([
+            'customCss' => '.test { color: green; }</style><script>alert("hi!")</script><style>',
+        ]);
+
+        $this->assertSame('.test { color: green; }', $formSettings->customCss);
+    }
+}