Skip to content

Commit

Permalink
Version 0.90.0, fixes xss issue
Browse files Browse the repository at this point in the history
  • Loading branch information
picandocodigo committed Dec 14, 2024
1 parent c9aa115 commit 4f7a103
Show file tree
Hide file tree
Showing 3 changed files with 13 additions and 2 deletions.
7 changes: 7 additions & 0 deletions include/lcp-catlistdisplayer.php
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,13 @@ private function content_getter($type, $post, $tag = null, $css_class = null) {
$info = $this->catlist->get_content($post);
break;
case 'excerpt':
# Security vulnerability fix for Stored Cross-Site Scripting
# If a post has this excerpt: alert(/XSS/)
# Another post could use [catlist excerpt_tag='script' excerpt=yes]
# and the XSS would be triggered.
if ( $tag == 'script' ) {
$tag = null;
}
$info = $this->catlist->get_excerpt($post);
if ( ! empty( $info ) ) {
$info = preg_replace('/\[.*\]/', '', $info);
Expand Down
2 changes: 1 addition & 1 deletion list-category-posts.php
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
Plugin Name: List category posts
Plugin URI: https://github.com/picandocodigo/List-Category-Posts
Description: List Category Posts allows you to list posts by category in a post/page using the [catlist] shortcode. This shortcode accepts a category name or id, the order in which you want the posts to display, the number of posts to display and many more parameters. You can use [catlist] as many times as needed with different arguments. Usage: [catlist argument1=value1 argument2=value2].
Version: 0.89.9
Version: 0.90.0
Author: Fernando Briano
Author URI: http://fernandobriano.com
Expand Down
6 changes: 5 additions & 1 deletion readme.txt
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ Tags: list, categories, posts, cms
Requires at least: 3.3
Tested up to: 6.7.1
Requires PHP: 5.6
Stable tag: 0.89.9
Stable tag: 0.90.0
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Expand Down Expand Up @@ -237,6 +237,10 @@ Template system has changed. Custom templates should be stored in WordPress them

== Changelog ==

= 0.90.0 =

* Fixes a Stored Cross-Site Scripting issue using `excerpt_tag='script'`.

= 0.89.9 =

* Fix deprecation notices caused by tag_escape - https://wordpress.org/support/topic/php-deprecated-preg_replace-passing-null-to-parameter-3/
Expand Down

0 comments on commit 4f7a103

Please sign in to comment.