
Commit 9dae245

Updates fix for stored cross-site scripting from 0.90.0, now applied to all tags.
Bumps version to 0.90.2
1 parent 0926387 commit 9dae245


4 files changed

+14
-9
lines changed

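--- a/include/lcp-catlistdisplayer.php
+++ b/include/lcp-catlistdisplayer.php
@@ -178,13 +178,6 @@ private function content_getter($type, $post, $tag = null, $css_class = null) {
 $info = $this->catlist->get_content($post);
 break;
 case 'excerpt':
-# Security vulnerability fix for Stored Cross-Site Scripting
-# If a post has this excerpt: alert(/XSS/)
-# Another post could use [catlist excerpt_tag='script' excerpt=yes]
-# and the XSS would be triggered.
-if ( $tag == 'script' ) {
-$tag = null;
-}
 $info = $this->catlist->get_excerpt($post);
 if ( ! empty( $info ) ) {
 $info = preg_replace('/\[.*\]/', '', $info);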

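--- a/include/lcp-wrapper.php
+++ b/include/lcp-wrapper.php
@@ -29,6 +29,15 @@ public static function get_instance(){
 * @return string
 */
 private function assign_style($info, $tag = null, $css_class = null){
+# Security vulnerability fix for Stored Cross-Site Scripting
+# If a field stores some malicious JavaScript, it could be displayed with the 'script' tag, so
+# that tag needs to be excluded.
+# e.g. If a post has this excerpt: alert(/XSS/) another post could use:
+# [catlist excerpt_tag='script' excerpt=yes]
+# and the XSS would be triggered.
+if ( $tag == 'script' ) {
+$tag = null;
+}
 if (!empty($info)):
 if (empty($tag) && !empty($css_class)):
 $tag = "span";
@@ -53,7 +62,6 @@ private function assign_style($info, $tag = null, $css_class = null){
 * @return string
 */
 public function wrap($info, $tag=null, $css_class=null) {
-
 $wrapped = '';
 
 if (is_array($info)) {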
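Review bot: The new guard at the top of assign_style compares `$tag` to `'script'` case-sensitively with `==`, but HTML element names are case-insensitive, so a differently-cased or whitespace-padded value is not caught and reaches the rest of the function unchanged; `if ( is_string( $tag ) && strtolower( trim( $tag ) ) === 'script' ) {` closes that gap while keeping the fix's intent. Since `$tag` is presumably emitted as the element name further down (the body of assign_style continues outside the hunk), a deny-list of a single name is fragile, and validating `$tag` against a fixed allow-list of wrapper elements (or at minimum requiring `ctype_alpha( $tag )`) would be the more durable check. The `is_string` test also avoids passing the `null` default into `strtolower`, which PHP 8.1+ reports as deprecated, which matters given the deprecation fixes shipped in 0.90.1. The guard removed from content_getter in include/lcp-catlistdisplayer.php had the same case-sensitivity limitation, so this commit is the right place to tighten it.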

list-category-posts.php

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@
33
Plugin Name: List category posts
44
Plugin URI: https://github.com/picandocodigo/List-Category-Posts
55
Description: List Category Posts allows you to list posts by category in a post/page using the [catlist] shortcode. This shortcode accepts a category name or id, the order in which you want the posts to display, the number of posts to display and many more parameters. You can use [catlist] as many times as needed with different arguments. Usage: [catlist argument1=value1 argument2=value2].
6-
Version: 0.90.1
6+
Version: 0.90.2
77
Author: Fernando Briano
88
Author URI: http://fernandobriano.com
99

readme.txt

Lines changed: 4 additions & 0 deletions
@@ -237,6 +237,10 @@ Template system has changed. Custom templates should be stored in WordPress them
237237

238238
== Changelog ==
239239

240+
= 0.90.2 =
241+
242+
* Updates fix for stored cross-site scripting from 0.90.0, now applied to all tags. From this version onwards, script is not available to use as a tag when setting an element's tag in the shortcode.
243+
240244
= 0.90.1 =
241245

242246
* Fix PHP 8.2 deprecation notices
