Fix: security for unfiltered html cap (#6)

* fix: downgrading and upgrading multiple times should migrate

* chore: updated readme

* chore: dont' exclude pro in search

* build: added file renaming for premium build

* chore: updated readme screenshots

* chore: updated plugin name to be more descriptive

* chore: updated description

* fix: conflict with others that use freemius activation

* chore: updated readme

* chore: updated readme

* chore: version bumped to 1.3.1

* chore: updated plugin name and readme info

* chore: updated tested up to

* Added sanitization and security for users without unfiltered_html capability

* chore: updated version number and changelog

---------

Co-authored-by: bfintal@gmail.com <>

Author: bfintal

src/action-types/class-action-type-update-attribute.php

@@ -59,6 +59,33 @@ public function initialize() {
 			$this->has_easing = false;
 		}
 
+		public function is_dangerous_attribute( $attribute_name ) {
+			if ( empty( $attribute_name ) || ! is_string( $attribute_name ) ) {
+				return false;
+			}
+	
+			$attribute_name = strtolower( trim( $attribute_name ) );
+	
+			// Event handler attributes (onclick, onerror, onload, etc.)
+			if ( preg_match( '/^on[a-z]+/', $attribute_name ) ) {
+				return true;
+			}
+	
+			// Attributes that can contain JavaScript URIs or code
+			$dangerous_attributes = [
+				'href',
+				'src',
+				'action',
+				'formaction',
+				// 'style', // Can contain CSS with expression() or javascript: URIs
+				'form',
+				'formmethod',
+				'formtarget',
+			];
+	
+			return in_array( $attribute_name, $dangerous_attributes, true );
+		}
+
 		public function sanitize_data_for_saving( $value ) {
 			// Sanitize action value: ensure $value is an array and attribute/value are strings.
 			if ( ! is_array( $value ) ) {