
Changeset 3391071


Timestamp:
11/06/2025 11:48:35 AM (5 months ago)
Author:
PascalBajorat
Message:

Version 1.6.3

Location:
ga-germanized
Files:
35 added
3 edited

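--- a/ga-germanized/trunk/ga-germanized.php
+++ b/ga-germanized/trunk/ga-germanized.php
@@ -4,5 +4,5 @@
 Plugin URI: https://wordpress.org/plugins/ga-germanized/
 Description: Google Analytics preconfigured to respect EU law (GDPR / DSGVO) and with lots of advanced analytics settings for extensive tracking possibilities.
-Version: 1.6.2
+Version: 1.6.3
 Author: Pascal Bajorat
 Author URI: https://www.bajorat-media.com/
@@ -11,5 +11,5 @@
 License: GNU General Public License v.3
 
-Copyright (c) 2022 by Bajorat-Media.com.
+Copyright (c) 2025 by Bajorat-Media.com.
 */
 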
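--- a/ga-germanized/trunk/inc/gag_shortcodes.php
+++ b/ga-germanized/trunk/inc/gag_shortcodes.php
@@ -55,18 +55,38 @@
         }
 
-        public static function ga_optout( $atts )
-        {
-            $a = shortcode_atts( array(
-                'text' => esc_html__('Disable Google Analytics', 'ga-germanized'),
-            ), $atts );
+        public static function ga_optout( $atts ) {
+            // Defaults
+            $defaults = array(
+                'text' => __( 'Disable Google Analytics', 'ga-germanized' ),
+            );
 
-            $settings = gag_settings_handler::current_settings();
+            // Merge attributes with defaults; include shortcode tag for filters.
+            $a = shortcode_atts( $defaults, $atts, 'ga-optout' );
 
-            return sprintf(
-                __('<a href="#" data-ua="%s" class="gaoptout">%s</a>', 'ga-germanized'),
+            // Sanitize user-controllable input early
+            // We treat "text" strictly as plain text label.
+            $link_text = sanitize_text_field( $a['text'] ?? $defaults['text'] );
 
-                $settings['analytics-id'],
-                $a['text']
+            // Fetch settings defensively
+            $settings = is_array( gag_settings_handler::current_settings() ) ? gag_settings_handler::current_settings() : array();
+            $analytics_id = isset( $settings['analytics-id'] ) ? (string) $settings['analytics-id'] : '';
+
+            // (Optional) light validation of the analytics ID; if invalid, leave empty.
+            // Accept common GA formats like "UA-XXXXXX-Y" or "G-XXXXXXXXXX".
+            if ( $analytics_id !== '' ) {
+                $is_valid_ga = preg_match( '/^(UA-\d{4,}-\d+|G-[A-Z0-9]{6,})$/i', $analytics_id ) === 1;
+                if ( ! $is_valid_ga ) {
+                    $analytics_id = '';
+                }
+            }
+
+            // Build safe HTML
+            $html = sprintf(
+                '<a href="#" data-ua="%1$s" class="gaoptout">%2$s</a>',
+                esc_attr( $analytics_id ),
+                esc_html( $link_text )
             );
+
+            return $html;
         }
     }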
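Review bot: `gag_settings_handler::current_settings()` is called twice on the `is_array( ... ) ? ... : array()` line, so whatever that accessor does runs twice and the value that is actually used is not the one that was type-checked; assign once and guard it: `$settings = gag_settings_handler::current_settings(); if ( ! is_array( $settings ) ) { $settings = array(); }`. The `?? $defaults['text']` on the `$link_text` line is redundant because `shortcode_atts()` already fills every key from `$defaults`, and `??` raises the PHP floor to 7.0, which the readme hunk in this changeset does not declare with a `Requires PHP` header (that header may simply lie outside the shown lines). The format check silently replaces an unrecognised analytics ID with an empty `data-ua`, so a misconfigured or unusual ID yields an opt-out link that presumably cannot disable anything, with no notice to the site owner; at minimum the comment above the check should say so, e.g. `// An ID that does not match is dropped: the link still renders but data-ua is empty.`. Escaping `$analytics_id` with `esc_attr()` and the label with `esc_html()` at output is the correct fix for the changelog's XSS entry, and the old `__()` call wrapping raw HTML is rightly gone.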
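--- a/ga-germanized/trunk/readme.txt
+++ b/ga-germanized/trunk/readme.txt
@@ -5,5 +5,5 @@
 Requires at least: 5.0
 Tested up to: 6.1
-Stable tag: 1.6.2
+Stable tag: 1.6.3
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -56,4 +56,7 @@
 
 == Changelog ==
+
+= 1.6.3 =
+* Fixed XSS
 
 = 1.6.2 =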