fix: XSS vulnerability concerning date-options in JS

This commit is contained in:
wolfgang101 2025-01-24 12:24:42 +01:00
parent 424909c665
commit 56a9fb25ae
3 changed files with 10 additions and 14 deletions


@ -54,11 +54,10 @@ Place the following shortcode right into the page. Either as shortcode block or
| text-permalinkPost | "" | text-showContent="📅" | Text after post permalink (date & time) | | text-permalinkPost | "" | text-showContent="📅" | Text after post permalink (date & time) |
| text-edited | "(edited)" | text-showContent="✏" | Text indicating edited posts | | text-edited | "(edited)" | text-showContent="✏" | Text indicating edited posts |
| date-locale | "en-US" | date-locale="de-DE" | Locale for date string, used in toLocaleString() | | date-locale | "en-US" | date-locale="de-DE" | Locale for date string, used in toLocaleString() |
| date-options | "{}" | date-options="{dateStyle: 'short', timeStyle: 'long'}" | Format options directly fed into toLocaleString() |
### Additional customizations ### Additional customizations
You can define several plugin constants to set custom default options that will be applied site-wide. You can define several plugin constants to set custom default options that will be applied site-wide (e.g. date options can only be set as php constant to mitigate an XSS vulnerability).
1. Open your `wp-config.php` file 1. Open your `wp-config.php` file
2. Search for the line `/* Add any custom values between this line and the "stop editing" line. */` 2. Search for the line `/* Add any custom values between this line and the "stop editing" line. */`


@ -3,7 +3,7 @@
Plugin Name: Include Mastodon Feed Plugin Name: Include Mastodon Feed
Plugin URI: https://wolfgang.lol/code/include-mastodon-feed-wordpress-plugin Plugin URI: https://wolfgang.lol/code/include-mastodon-feed-wordpress-plugin
Description: Plugin providing [include-mastodon-feed] shortcode Description: Plugin providing [include-mastodon-feed] shortcode
Version: 1.9.9 Version: 1.9.10
Author: wolfgang.lol Author: wolfgang.lol
Author URI: https://wolfgang.lol Author URI: https://wolfgang.lol
License: MIT License: MIT
@ -725,7 +725,7 @@ function display_feed($atts) {
"<?php echo esc_url( $apiUrl, ['https'], 'apicall' ); ?>", "<?php echo esc_url( $apiUrl, ['https'], 'apicall' ); ?>",
"<?php echo filter_var( $elemId, FILTER_UNSAFE_RAW ); ?>", "<?php echo filter_var( $elemId, FILTER_UNSAFE_RAW ); ?>",
{ {
linkTarget: "<?php echo esc_attr(filter_var( $atts['linktarget'], FILTER_UNSAFE_RAW )); ?>", linkTarget: "<?php echo esc_js(filter_var( $atts['linktarget'], FILTER_UNSAFE_RAW )); ?>",
showPreviewCards: <?php echo (filter_var( $atts['showpreviewcards'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ? "true" : "false"); ?>, showPreviewCards: <?php echo (filter_var( $atts['showpreviewcards'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ? "true" : "false"); ?>,
excludeConversationStarters: <?php echo (filter_var( $atts['excludeconversationstarters'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ? "true" : "false"); ?>, excludeConversationStarters: <?php echo (filter_var( $atts['excludeconversationstarters'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ? "true" : "false"); ?>,
content: { content: {
@ -748,8 +748,8 @@ function display_feed($atts) {
}, },
localization: { localization: {
date: { date: {
locale: "<?php echo filter_var( $atts['date-locale'], FILTER_UNSAFE_RAW ); ?>", locale: "<?php echo esc_js( filter_var( $atts['date-locale'], FILTER_UNSAFE_RAW ) ); ?>",
options: <?php echo filter_var( $atts['date-options'], FILTER_UNSAFE_RAW ); ?>, options: <?php echo filter_var( INCLUDE_MASTODON_FEED_DATE_OPTIONS, FILTER_UNSAFE_RAW ); ?>,
} }
} }
} }
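Review bot: The new `options:` line still echoes `INCLUDE_MASTODON_FEED_DATE_OPTIONS` verbatim into the inline `<script>` block — `FILTER_UNSAFE_RAW` with no flags returns the string unchanged — so the commit relies on moving the value behind the admin trust boundary (wp-config.php) rather than on any encoding, and that reasoning should be recorded at the site, e.g. `// Emitted as a raw JS object literal: only admins can set this constant in wp-config.php — never route shortcode/user input here.`. A more robust form would document the constant as a PHP array and emit `options: <?php echo wp_json_encode( is_array( INCLUDE_MASTODON_FEED_DATE_OPTIONS ) ? INCLUDE_MASTODON_FEED_DATE_OPTIONS : new stdClass() ); ?>,`, which always yields a well-formed literal and would stay safe if the value is ever re-exposed through a filter or attribute; since that changes the constant's expected type, it would need a note in the readme. If the plugin does not `define()` a default for this constant elsewhere, an undefined constant here throws an `Error` on PHP 8 and emits the bare name into the script on the supported 7.4, so a `defined()` guard or default is worth confirming. `display_feed()` starts and ends outside this hunk.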


@ -5,7 +5,7 @@ Tags: mastodon, status, feed
Requires at least: 6.0 Requires at least: 6.0
Tested up to: 6.7 Tested up to: 6.7
Requires PHP: 7.4 Requires PHP: 7.4
Stable tag: 1.9.9 Stable tag: 1.9.10
License: MIT License: MIT
License URI: https://directory.fsf.org/wiki/License:Expat License URI: https://directory.fsf.org/wiki/License:Expat
@ -105,15 +105,9 @@ Text after post permalink (date & time) (Default: )
* **text-edited** * **text-edited**
Text indicating edited posts (Default: (edited)) Text indicating edited posts (Default: (edited))
* **date-locale**
Locale for date string, used in toLocaleString() (Default: en-US)
* **date-options**
Format options directly fed into toLocaleString() (Default: {})
= Additional customizations = = Additional customizations =
You can define several plugin constants to set custom default options that will be applied site-wide. You can define several plugin constants to set custom default options that will be applied site-wide (e.g. date options can only be set as php constant to mitigate an XSS vulnerability).
1. Open your `wp-config.php` file 1. Open your `wp-config.php` file
2. Search for the line `/* Add any custom values between this line and the "stop editing" line. */` 2. Search for the line `/* Add any custom values between this line and the "stop editing" line. */`
@ -154,6 +148,9 @@ Use the following URL to get your ID:
== Changelog == == Changelog ==
= 1.9.10 =
* fixed XSS vulnerability: removed support for date-options as shortcode attribute to mitigate an XSS vulnerability (still can be set as constant in PHP code)
= 1.9.9 = = 1.9.9 =
* fixed esc_url context that previously broke the URL for the Mastodon API JS ajax request (thank you @beach@illo.social) * fixed esc_url context that previously broke the URL for the Mastodon API JS ajax request (thank you @beach@illo.social)