From 496f3ffff32542afc0a840d462c31090cf5b3ad0 Mon Sep 17 00:00:00 2001
From: Jeffrey Paul
Date: Thu, 19 Sep 2024 11:58:34 -0700
Subject: [PATCH] Fix code scanning alert #2: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 assets/js/admin-pull.js | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/assets/js/admin-pull.js b/assets/js/admin-pull.js
index 3de9f9255..39902a50d 100755
--- a/assets/js/admin-pull.js
+++ b/assets/js/admin-pull.js
@@ -6,6 +6,18 @@ import { __ } from '@wordpress/i18n';
 
 const { document } = window;
 
+/**
+ * Escape special characters in URL components.
+ *
+ * @param {string} str The string to escape.
+ * @return {string} The escaped string.
+ */
+const escapeURLComponent = (str) => {
+  return encodeURIComponent(str).replace(/[!'()*]/g, (c) => {
+    return '%' + c.charCodeAt(0).toString(16);
+  });
+};
+
 const chooseConnection = document.getElementById( 'pull_connections' );
 const choosePostType = document.getElementById( 'pull_post_type' );
 const choosePostTypeBtn = document.getElementById( 'pull_post_type_submit' );
@@ -83,11 +95,11 @@ if ( chooseConnection && choosePostType && form ) {
	 */
	const getURL = () => {
		const postType =
-			choosePostType.options[ choosePostType.selectedIndex ].value;
+			escapeURLComponent(choosePostType.options[ choosePostType.selectedIndex ].value);
		const baseURL =
-			chooseConnection.options[ chooseConnection.selectedIndex ].getAttribute(
+			escapeURLComponent(chooseConnection.options[ chooseConnection.selectedIndex ].getAttribute(
				'data-pull-url'
-			);
+			));
		let status = 'new';
		if ( -1 < ` ${ form.className } `.indexOf( ' status-skipped ' ) ) {
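Review bot: The JSDoc on `escapeURLComponent` should state that the helper percent-encodes a single URL component — `encodeURIComponent` also encodes `:`, `/`, `?` and `&` — and must not be applied to a complete URL; the second hunk passes the whole `data-pull-url` attribute value through it, which would turn a value like `https://host/path` into `https%3A%2F%2Fhost%2Fpath` and break the URL that getURL assembles (getURL's body continues past the hunk). A line such as `* Only pass individual query-string values; a whole URL would have its scheme and path separators encoded.` in the docblock would make that misuse visible at the call site. The alert being closed is "DOM text reinterpreted as HTML"; if the flagged sink is an HTML insertion elsewhere in this file (not visible here), percent-encoding the URL parts does not address that sink, and the fix belongs where the value is written into markup. Minor: `toString(16)` emits lowercase hex (`%2a`) where the canonical form is uppercase, so `.toUpperCase()` on the result is worth considering, and `getAttribute` can return `null`, which `encodeURIComponent` turns into the literal string `null` rather than an empty value.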