Security enhancements and code refactoring

includes/class-alpha-price-table-widget.php

@@ -796,22 +796,20 @@ protected function render()
 
         $migration_allowed = Icons_Manager::is_migration_allowed();
 
-        $allowed_tags = [
-            'h2' => [],
-            'h3' => [],
-            'h4' => [],
-            'h5' => [],
-            'h6' => [],
-        ];
+        // Define an allow-list for heading tags
+        $allowed_tags = ['h2', 'h3', 'h4', 'h5', 'h6'];
+
+        // Check if the provided tag is in the allow-list, default to 'h2' if not
+        $heading_tag = in_array($settings['heading_tag'], $allowed_tags) ? $settings['heading_tag'] : 'h2';
 ?>
 
         <div class="elementor-price-table">
             <?php if ($settings['heading'] || $settings['sub_heading']) : ?>
                 <div class="elementor-price-table__header">
                     <?php if (! empty($settings['heading'])) : ?>
-                        <<?php echo wp_kses($settings['heading_tag'], $allowed_tags); ?> <?php echo wp_kses_post($this->get_render_attribute_string('heading')); ?>>
+                        <<?php echo esc_attr($heading_tag); ?> <?php echo wp_kses_post($this->get_render_attribute_string('heading')); ?>>
                             <?php echo wp_kses_post($settings['heading']); ?>
-                        </<?php echo wp_kses($settings['heading_tag'], $allowed_tags); ?>>
+                        </<?php echo esc_attr($heading_tag); ?>>
                     <?php endif; ?>
 
                     <?php if (! empty($settings['sub_heading'])) : ?>