Changeset 3261089

Timestamp:

03/24/2025 08:16:12 PM (12 months ago)

Author:

redpixelstudios

Message:

• Update sanitization handling of submitted shortcode attribute values.
• Sanitize output of more text to prevent potential code injection.
• Bump version.

Location:

rps-include-content/tags/1.2.2

Files:

• . (copied) (copied from rps-include-content/tags/1.2.1)
• readme.txt (modified) (2 diffs)
• rps-include-content.php (modified) (7 diffs)

rps-include-content/tags/1.2.2/readme.txt

@@ -4 +4 @@
 Tags: duplicate content, copy content, include, include content, includes, multisite, nested content, pull content, red pixel, red pixel studios, redpixelstudios, rps, same content
 Requires at least: 5.0
-Tested up to: 6.6.1
-Stable tag: 1.2.1
+Tested up to: 6.7.2
+Stable tag: 1.2.2
 License: GPL3
 
@@ -154 +154 @@
 == Upgrade Notice ==
 
+= 1.2.2 =
+* Update sanitization handling of submitted shortcode attribute values.
+* Sanitize output of more text to prevent potential code injection.
+
 = 1.2.1 =
 * Silenced a couple of notices related to variables being undefined.

rps-include-content/tags/1.2.2/rps-include-content.php

@@ -4 +4 @@
 Plugin URI: http://redpixel.com/
 Description: Adds the ability to include content on the current post or page from another. 
-Version: 1.2.1
+Version: 1.2.2
 Author: Red Pixel Studios
 Author URI: http://redpixel.com/
@@ -32 +32 @@
  * @package rps-include-content
  * @author Red Pixel Studios
- * @version 1.2.1
+ * @version 1.2.2
  */
  
@@ -45 +45 @@
      * @since 1.0
      */
-    const PLUGIN_VERSION = '1.2.1';
+    const PLUGIN_VERSION = '1.2.2';
     
     /**
@@ -129 +129 @@
     }
 
+    /**
+     * Helper to sanitize boolean shortcode values.
+     * 
+     * @since 1.2.2
+     */
+    private static function sanitize_bool_attr( $val, $default = false ) {
+        $bool = filter_var( $val, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE );
+        return is_null( $bool ) ? $default : $bool;
+    }
+
+    /**
+     * Sanitize a value and fallback to a default if it's not in the allowed list.
+     *
+     * @since 1.2.2
+     *
+     * @param string   $value       The input value.
+     * @param callable $sanitize_cb A sanitization callback (e.g., 'sanitize_key', 'sanitize_html_class').
+     * @param array    $allowed     Array of allowed values.
+     * @param mixed    $default     Fallback value if input is not allowed.
+     * @return mixed
+     */
+    private static function sanitize_enum_attr( $value, $sanitize_cb, array $allowed, $default ) {
+        $sanitized = call_user_func( $sanitize_cb, $value );
+        return in_array( $sanitized, $allowed, true ) ? $sanitized : $default;
+    }
+
     public function cb_include_shortcode( $atts, $content = null ) {
         global $shortcode_tags;
-        
-        // specify allowed values for shortcode attributes
-        $allowed_titletag = array(
-            'h1',
-            'h2',
-            'h3',
-            'h4',
-            'h5',
-            'h6'
-        );
-
-        $allowed_content = array(
-            'content',
-            'excerpt',
-            'lede',
-            'full',
-            'none'
-        );
-        
+                
         $current_blog_id = get_current_blog_id();
         
@@ -180 +188 @@
         extract( shortcode_atts( $defaults, $atts ) );
         
-        // convert string values to lowercase and trim
-        $title = trim( strtolower( $title ) );
-        $titletag = trim( strtolower( $titletag ) );
-        $content = trim( strtolower( $content ) );
-        $allow_shortcodes = trim( strtolower( $allow_shortcodes ) );
-        $allow_shortcodes_array = ( ! empty( $allow_shortcodes ) ) ? explode( ',', $allow_shortcodes ) : array();
-        $allow_shortcodes_array = array_map( 'trim', $allow_shortcodes_array );
-
-        // type cast strings as necessary
+        //sanitize shortcode atts
         $blog = absint( $blog );
         $post = absint( $post );
         $page = absint( $page );
-        $title = ( $title == 'true' ) ? true : false;
-        $titlelink = ( $titlelink == 'true' ) ? true : false;
-        $filter = ( $filter == 'true' ) ? true : false;
-        $embeds = ( $embeds == 'true' ) ? true : false;
-        $shortcodes = ( $shortcodes == 'true' ) ? true : false;
-        $length = ( $length == '0' || $length == '' ) ? 55 : absint( $length );
-        $hover = ( $hover == 'true' ) ? true : false;
-        $private = ( $private == 'true' ) ? true : false;
-        $featured_image = ( $featured_image == 'true' ) ? true : false;
-        $featured_image_wrap = ( $featured_image_wrap == 'true' ) ? true : false;
-        
+        $title = self::sanitize_bool_attr( $title );
+        $titletag = self::sanitize_enum_attr( $titletag, 'sanitize_html_class', ['h1','h2','h3','h4','h5','h6'], $defaults['titletag'] );
+        $titlelink = self::sanitize_bool_attr( $titlelink );
+        $content = self::sanitize_enum_attr( $content, 'sanitize_key', ['content', 'excerpt', 'lede', 'full', 'none'], $defaults['content'] );
+        $filter = self::sanitize_bool_attr( $filter );
+        $shortcodes = self::sanitize_bool_attr( $shortcodes );
+        $embeds = self::sanitize_bool_attr( $embeds );
+        $more_text = sanitize_text_field( $more_text );
+        $length = absint( $length );
+        if ( $length <= 0 ) {
+            $length = $defaults['length'];
+        }       
+        $allow_shortcodes_array = ! empty( $allow_shortcodes )
+            ? array_map( 'trim', explode( ',', strtolower( sanitize_text_field( $allow_shortcodes ) ) ) )
+            : array();
+        $hover = self::sanitize_bool_attr( $hover );
+        $private = self::sanitize_bool_attr( $private );
+        $featured_image = self::sanitize_bool_attr( $featured_image );
+        $featured_image_size = sanitize_key( $featured_image_size );
+        $featured_image_wrap = self::sanitize_bool_attr( $featured_image_wrap );
+        $featured_image_wrap_class = sanitize_html_class( $featured_image_wrap_class, '' );
+
         // handle if page attribute used instead of post
         $post = ( $post === 0 && $page !== 0 ) ? $page : $post;
-
-        // test for allowed values and sanitize as necessary
-        if ( !in_array( $titletag, $allowed_titletag ) ) $titletag = $defaults['titletag'];
-        if ( !in_array( $content, $allowed_content ) ) $content = $defaults['content'];
-        $featured_image_size = sanitize_text_field( $featured_image_size );
-        $featured_image_wrap_class = sanitize_html_class( $featured_image_wrap_class, '' );
-
         if ( $post === 0 )
             return $this->error_msg( __( 'Post must be a non-zero integer.', 'rps-include-content' ), $hover );
@@ -221 +225 @@
         endif;
         
-
         $the_post = ( is_multisite() ) ? get_blog_post( $blog, $post ) : get_post( $post );
 
@@ -299 +302 @@
         endif;
         
-        $more_link = '<p class="more-link-container"><a href="'. $the_permalink .'#more-' . $the_post->ID . '" class="more-link">' . $more_text . '</a></p>';
+        $more_link = '<p class="more-link-container"><a href="'. $the_permalink .'#more-' . $the_post->ID . '" class="more-link">' . esc_html( $more_text ) . '</a></p>';
         
         /**