fix: string escaping to harden against XSS vulnerability

wolfgang101 2024-11-20 14:21:06 +01:00
parent e89ead587e
commit db193b15ec
2 changed files with 8 additions and 5 deletions


@ -3,7 +3,7 @@
Plugin Name: Include Mastodon Feed
Plugin URI: https://wolfgang.lol/code/include-mastodon-feed-wordpress-plugin
Description: Plugin providing [include-mastodon-feed] shortcode
Version: 1.9.5
Version: 1.9.6
Author: wolfgang.lol
Author URI: https://wolfgang.lol
*/
@ -727,7 +727,7 @@ function display_feed($atts) {
"<?php echo sanitize_url( $apiUrl, ['https'] ); ?>",
"<?php echo filter_var( $elemId, FILTER_UNSAFE_RAW ); ?>",
{
linkTarget: "<?php echo filter_var( $atts['linktarget'], FILTER_UNSAFE_RAW ); ?>",
linkTarget: "<?php echo esc_js(filter_var( $atts['linktarget'], FILTER_UNSAFE_RAW )); ?>",
showPreviewCards: <?php echo (filter_var( $atts['showpreviewcards'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ? "true" : "false"); ?>,
excludeConversationStarters: <?php echo (filter_var( $atts['excludeconversationstarters'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ? "true" : "false"); ?>,
content: {
@ -750,8 +750,8 @@ function display_feed($atts) {
},
localization: {
date: {
locale: "<?php echo filter_var( $atts['date-locale'], FILTER_UNSAFE_RAW ); ?>",
options: <?php echo filter_var( $atts['date-options'], FILTER_UNSAFE_RAW ); ?>,
locale: "<?php echo esc_js(filter_var( $atts['date-locale'], FILTER_UNSAFE_RAW )); ?>",
options: <?php echo esc_js(filter_var( $atts['date-options'], FILTER_UNSAFE_RAW )); ?>,
}
}
}
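Review bot: `esc_js()` on the `options:` line of the `localization.date` block is the wrong escaper for that context: unlike `linkTarget` and `locale`, that value is emitted as a bare JS expression rather than inside a quoted string, so `esc_js()` (which backslash-escapes quotes for use in a quoted JS string) turns a legitimate object literal such as `{ year: 'numeric' }` into invalid JS, while still not constraining the attribute to an object literal. A shape that both keeps the feature working and only lets a well-formed object reach the inline script is to parse the attribute as JSON and re-serialize it: `<?php $dateOptions = json_decode( (string) $atts['date-options'], true ); ?>` followed by `options: <?php echo wp_json_encode( is_array( $dateOptions ) ? $dateOptions : new stdClass(), JSON_HEX_TAG | JSON_HEX_AMP ); ?>,`. This presumably means `date-options` must be documented as strict JSON (double-quoted keys), which the currently accepted format may not satisfy — confirm against the README before changing it. The unchanged `$elemId` line in the earlier hunk is still echoed without escaping; if it can derive from shortcode attributes it needs the same treatment, and note that `display_feed` begins outside the hunk.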


@ -5,7 +5,7 @@ Tags: mastodon, status, feed
Requires at least: 6.0
Tested up to: 6.7
Requires PHP: 7.4
Stable tag: 1.9.5
Stable tag: 1.9.6
License: Expat License
License URI: https://directory.fsf.org/wiki/License:Expat
@ -154,6 +154,9 @@ Use the following URL to get your ID:
== Changelog ==
= 1.9.6 =
* fixed XSS vulnerability where authenticated attackers with contributor permissions could insert malicious JavaScript
= 1.9.5 =
* added option to either display smaller image media attachment previews (default) or large image versions
* added option to point image media attachment links to either status (default) or image