humanmade · MiguelAxcar · Dec 6, 2023 · Dec 1, 2023 · Dec 1, 2023 · Dec 1, 2023
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-v12.22.8
+v12
diff --git a/composer.lock b/composer.lock
diff --git a/js/post-select/components/post-list-item.js b/js/post-select/components/post-list-item.js
@@ -1,4 +1,5 @@
 import classNames from 'classnames';
+import DOMPurify from 'dompurify';
 import moment from 'moment';
 import PropTypes from 'prop-types';
 import React from 'react';
@@ -14,7 +15,7 @@ const PostListItem = ( { post, author, thumbnail, postTypeObject, isSelected, on
 		<label htmlFor={ `select-post-${post.id}` }>
 			{ thumbnail
 				? <img
-					alt={ post.title.rendered }
+					alt={ DOMPurify.sanitize( post.title.rendered ) }
 					className="post-list-item--image"
 					src={ thumbnail.media_details.sizes.thumbnail.source_url }
 				/>
@@ -27,7 +28,7 @@ const PostListItem = ( { post, author, thumbnail, postTypeObject, isSelected, on
 					type="checkbox"
 					onChange={ () => onToggleSelected() }
 				/>
-				<h2 dangerouslySetInnerHTML={ { __html: post.title.rendered } } />
+				<h2 dangerouslySetInnerHTML={ { __html: DOMPurify.sanitize( post.title.rendered ) } } />
 				<div className="post-list-item--meta">
 					{ postTypeObject && ( <span><b>{ __( 'Type:', 'hm-gb-tools' ) }</b> { postTypeObject.labels.singular_name }</span> ) }
 					<span><b>{ __( 'Status:', 'hm-gb-tools' ) }</b> { post.status }</span>

diff --git a/js/post-select/components/selection-item.js b/js/post-select/components/selection-item.js
@@ -1,4 +1,5 @@
 import classNames from 'classnames';
+import DOMPurify from 'dompurify';
 import moment from 'moment';
 import PropTypes from 'prop-types';
 import React, { Fragment } from 'react';
@@ -18,13 +19,13 @@ const SelectionListItem = ( { post, thumbnail, author, postTypeObject, isSelecte
 			<Fragment>
 				{ thumbnail
 					? <img
-						alt={ post.title.rendered }
+						alt={ DOMPurify.sanitize( post.title.rendered ) }
 						className="post-list-item--image"
 						src={ thumbnail.media_details.sizes.thumbnail.source_url }
 					/>
 					: '' }
 				<div className="post-list-item--inner">
-					<h2 dangerouslySetInnerHTML={ { __html: post.title.rendered } } />
+					<h2 dangerouslySetInnerHTML={ { __html: DOMPurify.sanitize( post.title.rendered ) } } />
 					<div className="post-list-item--meta">
 						{ postTypeObject && ( <span><b>{ __( 'Type:', 'hm-gb-tools' ) }</b> { postTypeObject.labels.singular_name }</span> ) }
 						<span><b>{ __( 'Status:', 'hm-gb-tools' ) }</b> { post.status }</span>