Harden xss security fix

include/lcp-wrapper.php

@@ -35,7 +35,7 @@ private function assign_style($info, $tag = null, $css_class = null){
     # e.g. If a post has this excerpt: alert(/XSS/) another post could use:
     # [catlist excerpt_tag='script' excerpt=yes]
     # and the XSS would be triggered.
-    if ( $tag == 'script' ) {
+    if ( !empty( $tag ) && strtolower( tag_escape( $tag ) ) == 'script' ) {
       $tag = null;
     }
     if (!empty($info)):

list-category-posts.php

@@ -3,7 +3,7 @@
   Plugin Name: List category posts
   Plugin URI: https://github.com/picandocodigo/List-Category-Posts
   Description: List Category Posts allows you to list posts by category in a post/page using the [catlist] shortcode. This shortcode accepts a category name or id, the order in which you want the posts to display, the number of posts to display and many more parameters. You can use [catlist] as many times as needed with different arguments. Usage: [catlist argument1=value1 argument2=value2].
-  Version: 0.90.2
+  Version: 0.90.3
   Author: Fernando Briano
   Author URI: http://fernandobriano.com
 

readme.txt

@@ -5,7 +5,7 @@ Tags: list, categories, posts, cms
 Requires at least: 3.3
 Tested up to: 6.7.1
 Requires PHP: 5.6
-Stable tag: 0.90.2
+Stable tag: 0.90.3
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -237,6 +237,10 @@ Template system has changed. Custom templates should be stored in WordPress them
 
 == Changelog ==
 
+= 0.90.3 =
+
+* Hardens xss fix for script tag by checking case insensitive and using tag_escape.
+
 = 0.90.2 =
 
 * Updates fix for stored cross-site scripting from 0.90.0, now applied to all tags. From this version onwards, script is not available to use as a tag when setting an element's tag in the shortcode.

tests/lcpwrapper/test-wrap.php

@@ -46,4 +46,28 @@ public function test_multiple_classes() {
       '<span class="test1 test2 test3">test string</span>',
       $wrapper->wrap($this->test_string, null, 'test1 test2 test3'));
   }
+
+  public function test_script_tag() {
+    $wrapper = LcpWrapper::get_instance();
+    $this->assertSame(
+      '<span class="test">test string</span>',
+      $wrapper->wrap($this->test_string, 'script', 'test')
+    );
+    $this->assertSame(
+      'test string',
+      $wrapper->wrap($this->test_string, 'script', null)
+    );
+    $this->assertSame(
+      'test string',
+      $wrapper->wrap($this->test_string, 'SCRIPT', null)
+    );
+    $this->assertSame(
+      'test string',
+      $wrapper->wrap($this->test_string, 'sCrIpt', null)
+    );
+    $this->assertSame(
+      'test string',
+      $wrapper->wrap($this->test_string, 's(cript', null)
+    );
+  }
 }