From 3abe3f4aa695bc00a03819f509c1ce68b254dce7 Mon Sep 17 00:00:00 2001
From: Fernando Briano
Date: Mon, 16 Dec 2024 16:26:18 +0000
Subject: [PATCH] Updates fix for stored cross-site scripting from 0.90.0, now applied to all tags. Bumps version to 0.90.2
---
 include/lcp-catlistdisplayer.php | 7 -------
 include/lcp-wrapper.php | 10 +++++++++-
 list-category-posts.php | 2 +-
 readme.txt | 4 ++++
 4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/include/lcp-catlistdisplayer.php b/include/lcp-catlistdisplayer.php
index 936156c..01ae2af 100644
--- a/include/lcp-catlistdisplayer.php
+++ b/include/lcp-catlistdisplayer.php
@@ -178,13 +178,6 @@ private function content_getter($type, $post, $tag = null, $css_class = null) {
 $info = $this->catlist->get_content($post);
 break;
 case 'excerpt':
- # Security vulnerability fix for Stored Cross-Site Scripting # If a post has this excerpt: alert(/XSS/) # Another post could use [catlist excerpt_tag='script' excerpt=yes] # and the XSS would be triggered. if ( $tag == 'script' ) { $tag = null; }
 $info = $this->catlist->get_excerpt($post);
 if ( ! empty( $info ) ) {
 $info = preg_replace('/\[.*\]/', '', $info);
diff --git a/include/lcp-wrapper.php b/include/lcp-wrapper.php
index 90cc9e9..d2ff5cd 100644
--- a/include/lcp-wrapper.php
+++ b/include/lcp-wrapper.php
@@ -29,6 +29,15 @@ public static function get_instance(){
 * @return string
 */
 private function assign_style($info, $tag = null, $css_class = null){
+ # Security vulnerability fix for Stored Cross-Site Scripting # If a field stores some malicious JavaScript, it could be displayed with the 'script' tag, so # that tag needs to be excluded. # e.g. If a post has this excerpt: alert(/XSS/) another post could use: # [catlist excerpt_tag='script' excerpt=yes] # and the XSS would be triggered. if ( $tag == 'script' ) { $tag = null; }
 if (!empty($info)):
 if (empty($tag) && !empty($css_class)):
 $tag = "span";
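Review bot: The guard added at the top of assign_style compares `$tag == 'script'` exactly, but HTML tag names are case-insensitive and tolerate trailing whitespace, so a shortcode value that differs only in letter case or a trailing space is not caught and still reaches the generated markup; the hunks show no earlier trimming or sanitising of the attribute. Normalise before comparing, e.g. `if ( strtolower( trim( (string) $tag ) ) === 'script' ) { $tag = null; }`, or pass `$tag` through WordPress's `tag_escape()` (lowercases and strips characters that are not valid in a tag name) and compare the result. Since the equivalent check was removed from content_getter in lcp-catlistdisplayer.php in the same commit, this method is now the only place the restriction is enforced, which is sound only if every caller-supplied tag reaches the output through assign_style — that cannot be confirmed from these hunks. The comment block could record that in one line, e.g. `# Single enforcement point: content_getter() no longer filters the tag itself.` assign_style's body continues outside the hunk.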
@@ -53,7 +62,6 @@ private function assign_style($info, $tag = null, $css_class = null){
 * @return string
 */
 public function wrap($info, $tag=null, $css_class=null) {
- $wrapped = '';
 if (is_array($info)) {
diff --git a/list-category-posts.php b/list-category-posts.php
index 405f6d3..9bea3e0 100644
--- a/list-category-posts.php
+++ b/list-category-posts.php
@@ -3,7 +3,7 @@
 Plugin Name: List category posts
 Plugin URI: https://github.com/picandocodigo/List-Category-Posts
 Description: List Category Posts allows you to list posts by category in a post/page using the [catlist] shortcode. This shortcode accepts a category name or id, the order in which you want the posts to display, the number of posts to display and many more parameters. You can use [catlist] as many times as needed with different arguments. Usage: [catlist argument1=value1 argument2=value2].
- Version: 0.90.1
+ Version: 0.90.2
 Author: Fernando Briano
 Author URI: http://fernandobriano.com
diff --git a/readme.txt b/readme.txt
index f0a8da6..6f2a7d8 100644
--- a/readme.txt
+++ b/readme.txt
@@ -237,6 +237,10 @@ Template system has changed. Custom templates should be stored in WordPress them
 == Changelog ==
+= 0.90.2 =
+
+* Updates fix for stored cross-site scripting from 0.90.0, now applied to all tags. From this version onwards, script is not available to use as a tag when setting an element's tag in the shortcode.
+
 = 0.90.1 =
 * Fix PHP 8.2 deprecation notices