
Changeset 3389153


Timestamp:
11/03/2025 08:58:51 PM (5 months ago)
Author:
sheetdb
Message:

fix(xss): contextual escaping and URL sanitization

Location:
sheetdb/trunk
Files:
2 edited

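--- a/sheetdb/trunk/readme.txt
+++ b/sheetdb/trunk/readme.txt
@@ -4,7 +4,7 @@
 Tags: google spreadsheet, google sheets, sheetdb, google api, api
 Requires at least: 4.0
-Tested up to: 6.8.0
+Tested up to: 6.9.0
 Requires PHP: 5.4
-Stable tag: 1.3.4
+Stable tag: 1.3.5
 License: GPLv2 or later
 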
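--- a/sheetdb/trunk/sheetdb.php
+++ b/sheetdb/trunk/sheetdb.php
@@ -7,5 +7,5 @@
 Plugin name: SheetDB
 Description: The SheetDB wordpress plugin allows you to easily add content from Google Spreadsheet to your wordpress site.
-Version: 1.3.4
+Version: 1.3.5
 Author: SheetDB
 Author URI: https://sheetdb.io/
@@ -46,5 +46,5 @@
         public function enqueueAssets()
         {
-            wp_enqueue_script('sheetdb-js', plugins_url('assets/js/sheetdb-handlebars-1.2.4.js', __FILE__));
+            wp_enqueue_script('sheetdb-js', plugins_url('assets/js/sheetdb-handlebars-1.2.5.js', __FILE__));
         }
 
@@ -52,5 +52,8 @@
         {
             isset($atts['url']) ? $url = $atts['url'] : $url = null;
-            isset($atts['element']) ? $element = $atts['element'] : $element = "div";
+            isset($atts['element']) ? $element = tag_escape($atts['element']) : $element = "div";
+            if (!$element) {
+                $element = 'div';
+            }
 
             isset($atts['save']) ? $save = $atts['save'] : $save = null;
@@ -70,5 +73,5 @@
             $additionalCode = $this->makeAdditionalCode($sheet, $limit, $offset, $search, $searchMode, $sortBy, $sortOrder, $sortMethod, $sortDateFormat, $save, $lazy);
 
-            return "<{$element} data-sheetdb-url=\"{$url}\"{$additionalCode}>{$content}</{$element}>";
+            return "<{$element} data-sheetdb-url=\"" . esc_url($url) . "\"{$additionalCode}>" . wp_kses_post($content) . "</{$element}>";
         }
 
@@ -76,7 +79,10 @@
         {
             isset($atts['slot']) ? $slot = $atts['slot'] : $slot = null;
-            isset($atts['element']) ? $element = $atts['element'] : $element = "div";
+            isset($atts['element']) ? $element = tag_escape($atts['element']) : $element = "div";
+            if (!$element) {
+                $element = 'div';
+            }
 
-            return "<{$element} data-sheetdb-slot=\"{$slot}\">{$content}</{$element}>";
+            return "<{$element} data-sheetdb-slot=\"" . esc_attr($slot) . "\">" . wp_kses_post($content) . "</{$element}>";
         }
 
@@ -85,32 +91,32 @@
             $additionalCode = '';
             if ($sheet) {
-                $additionalCode .= ' data-sheetdb-sheet="' . $sheet . '"';
+                $additionalCode .= ' data-sheetdb-sheet="' . esc_attr($sheet) . '"';
             }
             if ($limit) {
-                $additionalCode .= ' data-sheetdb-limit="' . $limit . '"';
+                $additionalCode .= ' data-sheetdb-limit="' . esc_attr($limit) . '"';
             }
             if ($offset) {
-                $additionalCode .= ' data-sheetdb-offset="' . $offset . '"';
+                $additionalCode .= ' data-sheetdb-offset="' . esc_attr($offset) . '"';
             }
             if ($search) {
-                $additionalCode .= ' data-sheetdb-search="' . $search . '"';
+                $additionalCode .= ' data-sheetdb-search="' . esc_attr($search) . '"';
             }
             if ($searchMode) {
-                $additionalCode .= ' data-sheetdb-search-mode="' . $searchMode . '"';
+                $additionalCode .= ' data-sheetdb-search-mode="' . esc_attr($searchMode) . '"';
             }
             if ($sortBy) {
-                $additionalCode .= ' data-sheetdb-sort-by="' . $sortBy . '"';
+                $additionalCode .= ' data-sheetdb-sort-by="' . esc_attr($sortBy) . '"';
             }
             if ($sortOrder) {
-                $additionalCode .= ' data-sheetdb-sort-order="' . $sortOrder . '"';
+                $additionalCode .= ' data-sheetdb-sort-order="' . esc_attr($sortOrder) . '"';
             }
             if ($sortMethod) {
-                $additionalCode .= ' data-sheetdb-sort-method="' . $sortMethod . '"';
+                $additionalCode .= ' data-sheetdb-sort-method="' . esc_attr($sortMethod) . '"';
             }
             if ($sortDateFormat) {
-                $additionalCode .= ' data-sheetdb-sort-date-format="' . $sortDateFormat . '"';
+                $additionalCode .= ' data-sheetdb-sort-date-format="' . esc_attr($sortDateFormat) . '"';
             }
             if ($save) {
-                $additionalCode .= ' data-sheetdb-save="' . $save . '"';
+                $additionalCode .= ' data-sheetdb-save="' . esc_attr($save) . '"';
             }
             if ($lazy) {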
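Review bot: tag_escape() only normalizes the wrapper tag name (lowercases it and strips characters outside [a-zA-Z0-9_:]); it does not restrict which element is emitted, so on new lines 54 and 81 the outer element is still whatever the shortcode attribute supplies, and the wp_kses_post() now applied to $content does not cover that outer tag or its data-* attributes. Replace the `if (!$element)` fallback with an allowlist of container elements, e.g. `$allowedElements = ['div', 'span', 'section', 'p', 'table'];` followed by `if (!in_array($element, $allowedElements, true)) { $element = 'div'; }`, so an unexpected name degrades to div rather than passing through. The last hunk ends on `if ($lazy) {`, so the data-sheetdb-lazy attribute line is outside the view; confirm it received the same esc_attr() treatment as the ten attributes above it. Both shortcode handlers begin before their hunks (their signatures are not shown), and the statement-ternaries `isset($atts['element']) ? $element = ... : $element = "div";` would read more plainly as `$element = isset($atts['element']) ? tag_escape($atts['element']) : 'div';`.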