From b27becd31fec02ea9ff2e37bbdb7c28ce3ca2447 Mon Sep 17 00:00:00 2001
From: Ante Laca
Date: Fri, 3 May 2024 09:29:37 +0200
Subject: [PATCH] Fix: sanitize shortcode atts (#7379)

Co-authored-by: Ante Laca
---
 includes/class-give-donate-form.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/includes/class-give-donate-form.php b/includes/class-give-donate-form.php
index 1193dea4d3..829fb777cc 100644
--- a/includes/class-give-donate-form.php
+++ b/includes/class-give-donate-form.php
@@ -838,6 +838,11 @@ public function get_form_classes( $args ) {
 		// Remove empty class names.
 		$form_classes_array = array_filter( $form_classes_array );
 
+		/**
+		 * @unreleased sanitize attributes
+		 */
+		$form_classes_array = array_map('esc_attr', $form_classes_array);
+
 		return implode( ' ', $form_classes_array );
 	}
 
@@ -885,6 +890,11 @@ public function get_form_wrap_classes( $args ) {
 		 */
 		$form_wrap_classes_array = (array) apply_filters( 'give_form_wrap_classes', $custom_class, $this->ID, $args );
 
+		/**
+		 * @unreleased sanitize attributes
+		 */
+		$form_wrap_classes_array = array_map('esc_attr', $form_wrap_classes_array);
+
 		return implode( ' ', $form_wrap_classes_array );
 	}
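Review bot: `esc_attr()` escapes for attribute output rather than constraining the class tokens themselves, so an entry coming back from the `give_form_wrap_classes` filter in the second hunk (or from the `$form_classes_array` source in the first) that contains spaces or other characters not valid in a class name passes through unchanged; if the goal is a clean class list, `sanitize_html_class()` per element is the closer fit, and either way the `@unreleased` docblock should say why this escaping is applied here, e.g. `* Escape each class for the class="" attribute the joined string is presumably rendered into.`. The second hunk also maps the cast filter result without the `array_filter()` the first hunk applies, so empty entries survive into `implode()` as doubled spaces and any non-string element reaches `esc_attr()`; adding `$form_wrap_classes_array = array_filter( $form_wrap_classes_array );` before the `array_map` would keep `get_form_wrap_classes` consistent with `get_form_classes`. Both methods begin outside their hunks.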