From 4f7a103054cf30028f0718c3543edde18a43076d Mon Sep 17 00:00:00 2001
From: Fernando Briano
Date: Sat, 14 Dec 2024 13:30:01 +0000
Subject: [PATCH] Version 0.90.0, fixes xss issue
---
 include/lcp-catlistdisplayer.php | 7 +++++++
 list-category-posts.php | 2 +-
 readme.txt | 6 +++++-
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/include/lcp-catlistdisplayer.php b/include/lcp-catlistdisplayer.php
index 8810750..5db544b 100644
--- a/include/lcp-catlistdisplayer.php
+++ b/include/lcp-catlistdisplayer.php
@@ -177,6 +177,13 @@ private function content_getter($type, $post, $tag = null, $css_class = null) {
 $info = $this->catlist->get_content($post);
 break;
 case 'excerpt':
+ # Security vulnerability fix for Stored Cross-Site Scripting
+ # If a post has this excerpt: alert(/XSS/)
+ # Another post could use [catlist excerpt_tag='script' excerpt=yes]
+ # and the XSS would be triggered.
+ if ( $tag == 'script' ) {
+ $tag = null;
+ }
 $info = $this->catlist->get_excerpt($post);
 if ( ! empty( $info ) ) {
 $info = preg_replace('/\[.*\]/', '', $info);
diff --git a/list-category-posts.php b/list-category-posts.php
index 53bfa50..9efe1bd 100644
--- a/list-category-posts.php
+++ b/list-category-posts.php
@@ -3,7 +3,7 @@
 Plugin Name: List category posts
 Plugin URI: https://github.com/picandocodigo/List-Category-Posts
 Description: List Category Posts allows you to list posts by category in a post/page using the [catlist] shortcode. This shortcode accepts a category name or id, the order in which you want the posts to display, the number of posts to display and many more parameters. You can use [catlist] as many times as needed with different arguments. Usage: [catlist argument1=value1 argument2=value2].
- Version: 0.89.9
+ Version: 0.90.0
 Author: Fernando Briano
 Author URI: http://fernandobriano.com
diff --git a/readme.txt b/readme.txt
index c2405b9..fbf424b 100644
--- a/readme.txt
+++ b/readme.txt
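Review bot: The guard added before `get_excerpt()` only neutralizes a tag value that is exactly the lowercase string `script`, and it uses a loose `==` comparison; HTML element names are case-insensitive, so a value differing only in case reaches the same wrapping code unchanged, and no other element name is considered at all. Normalizing and comparing strictly, `if ( is_string( $tag ) && 'script' === strtolower( trim( $tag ) ) ) {`, closes the case variants, but a denylist of one tag stays fragile: an allowlist of the element names the plugin intends to support for `excerpt_tag`, applied once where the shortcode attributes are parsed so every `*_tag` option gets the same treatment, would be the more durable fix. If the other branches of `content_getter` also wrap post-derived text in `$tag`, the check presumably belongs before the `switch` rather than inside the `excerpt` case only, which is worth confirming. The body of `content_getter` starts and ends outside this hunk.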
@@ -5,7 +5,7 @@ Tags: list, categories, posts, cms
 Requires at least: 3.3
 Tested up to: 6.7.1
 Requires PHP: 5.6
-Stable tag: 0.89.9
+Stable tag: 0.90.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -237,6 +237,10 @@ Template system has changed. Custom templates should be stored in WordPress them
 == Changelog ==
+= 0.90.0 =
+
+* Fixes a Stored Cross-Site Scripting issue using `excerpt_tag='script'`.
+
 = 0.89.9 =
 * Fix deprecation notices caused by tag_escape - https://wordpress.org/support/topic/php-deprecated-preg_replace-passing-null-to-parameter-3/