
Commit baac7d7

committed
Security update: properly escape video element attributes in shortcode renderer
1 parent 75e9891 commit baac7d7


2 files changed

+27
-25
lines changed


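--- a/src/ableplayer.php
+++ b/src/ableplayer.php
@@ -15,14 +15,14 @@
 * Text Domain: ableplayer
 * License: MIT
 * License URI: https://github.com/ableplayer/ableplayer-wordpress/blob/master/LICENSE
-* Version: 1.2.1
+* Version: 1.2.2
 */
 
 // Configure debugging mode.
 define( 'ABLEPLAYER_DEBUG', false );
 
 // Get current version number.
-define( 'ABLEPLAYER_VERSION', '1.2.1' );
+define( 'ABLEPLAYER_VERSION', '1.2.2' );
 
 register_activation_hook( __FILE__, 'ableplayer_activation' );
 /**
@@ -329,7 +329,7 @@ function ableplayer_shortcode( $atts, $content = null ) {
 'vimeo-id' => '',
 'vimeo-desc-id' => '',
 'autoplay' => 'false',
-'preload' => 'auto',
+'preload' => 'metadata',
 'loop' => 'false',
 'playsinline' => 'true',
 'hidecontrols' => 'false',
@@ -355,7 +355,7 @@ function ableplayer_shortcode( $atts, $content = null ) {
 } else {
 // build a video player.
 $o = '<video ';
-$o .= ' id="' . $all_atts['id'] . '"';
+$o .= ' id="' . esc_attr( $all_atts['id'] ) . '"';
 $o .= ' data-able-player';
 if ( ableplayer_is_true( $all_atts['autoplay'] ) ) {
 $o .= ' autoplay';
@@ -369,56 +369,54 @@ function ableplayer_shortcode( $atts, $content = null ) {
 if ( ableplayer_is_true( $all_atts['hidecontrols'] ) ) {
 $o .= ' data-hide-controls';
 }
-if ( ! empty( $all_atts['preload'] ) ) {
-$o .= ' preload="' . $all_atts['preload'] . '"';
+$preload = ( in_array( $all_atts['preload'], array( 'auto', 'metadata', 'none' ), true ) ) ? $all_atts['preload'] : '';
+if ( $preload ) {
+$o .= ' preload="' . esc_attr( $preload ) . '"';
 }
 if ( ! empty( $all_atts['poster'] ) ) {
-$o .= ' poster="' . $all_atts['poster'] . '"';
+$o .= ' poster="' . esc_attr( $all_atts['poster'] ) . '"';
 }
 if ( ! empty( $all_atts['width'] ) ) {
-$o .= ' width="' . $all_atts['width'] . '"';
+$o .= ' width="' . esc_attr( $all_atts['width'] ) . '"';
 }
 if ( ! empty( $all_atts['height'] ) ) {
-$o .= ' height="' . $all_atts['height'] . '"';
-}
-if ( ! empty( $all_atts['poster'] ) ) {
-$o .= ' poster="' . $all_atts['poster'] . '"';
+$o .= ' height="' . esc_attr( $all_atts['height'] ) . '"';
 }
 if ( ! empty( $all_atts['heading'] ) ) {
-$o .= ' data-heading-level="' . $all_atts['heading'] . '"';
+$o .= ' data-heading-level="' . esc_attr( $all_atts['heading'] ) . '"';
 }
 if ( ! empty( $all_atts['speed'] ) ) {
-$o .= ' data-speed-icons="' . $all_atts['speed'] . '"';
+$o .= ' data-speed-icons="' . esc_attr( $all_atts['speed'] ) . '"';
 }
 if ( ! empty( $all_atts['start'] ) ) {
-$o .= ' data-start-time="' . $all_atts['start'] . '"';
+$o .= ' data-start-time="' . esc_attr( $all_atts['start'] ) . '"';
 }
 if ( ! empty( $all_atts['volume'] ) ) {
-$o .= 'data-volume="' . $all_atts['volume'] . '"';
+$o .= 'data-volume="' . esc_attr( $all_atts['volume'] ) . '"';
 }
 if ( ! empty( $all_atts['seekinterval'] ) ) {
-$o .= ' data-seek-interval="' . $all_atts['seekinterval'] . '"';
+$o .= ' data-seek-interval="' . esc_attr( $all_atts['seekinterval'] ) . '"';
 }
 if ( ! empty( $all_atts['nowplaying'] ) ) {
-$o .= ' data-show-now-playing="' . $all_atts['nowplaying'] . '"';
+$o .= ' data-show-now-playing="' . esc_attr( $all_atts['nowplaying'] ) . '"';
 }
 if ( ! empty( $all_atts['skin'] ) ) {
-$o .= ' data-skin="' . $all_atts['skin'] . '"';
+$o .= ' data-skin="' . esc_attr( $all_atts['skin'] ) . '"';
 }
 if ( ! empty( $all_atts['youtube-id'] ) ) {
-$o .= ' data-youtube-id="' . $all_atts['youtube-id'] . '"';
+$o .= ' data-youtube-id="' . esc_attr( $all_atts['youtube-id'] ) . '"';
 }
 if ( ! empty( $all_atts['youtube-desc-id'] ) ) {
-$o .= ' data-youtube-desc-id="' . $all_atts['youtube-desc-id'] . '"';
+$o .= ' data-youtube-desc-id="' . esc_attr( $all_atts['youtube-desc-id'] ) . '"';
 }
 if ( ! empty( $all_atts['youtube-nocookie'] ) ) {
-$o .= ' data-youtube-nocookie="' . $all_atts['youtube-nocookie'] . '"';
+$o .= ' data-youtube-nocookie="' . esc_attr( $all_atts['youtube-nocookie'] ) . '"';
 }
 if ( ! empty( $all_atts['vimeo-id'] ) ) {
-$o .= ' data-vimeo-id="' . $all_atts['vimeo-id'] . '"';
+$o .= ' data-vimeo-id="' . esc_attr( $all_atts['vimeo-id'] ) . '"';
 }
 if ( ! empty( $all_atts['vimeo-desc-id'] ) ) {
-$o .= ' data-vimeo-desc-id="' . $all_atts['vimeo-desc-id'] . '"';
+$o .= ' data-vimeo-desc-id="' . esc_attr( $all_atts['vimeo-desc-id'] ) . '"';
 }
 $o .= '>';
 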
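Review bot: In the `@@ -369` hunk the `data-volume` line still lacks the leading space that every sibling attribute has, so when both `start` and `volume` are set the output becomes `data-start-time="…"data-volume="…"` and the attribute boundary depends on browser error recovery; change it to `$o .= ' data-volume="' . esc_attr( $all_atts['volume'] ) . '"';`. Escaping is now consistent, but `poster` is a URL attribute, and the WordPress convention there is `esc_url( $all_atts['poster'] )`, which also rejects unsupported schemes rather than only encoding quotes and angle brackets. The whitelist approach introduced for `preload` would suit the attributes that are presumably numeric (`width`, `height`, `heading`, `seekinterval`, and `start`/`volume` if they are integers) via `absint()` or a bounds check, so the rendered value is constrained rather than merely escaped; I'd treat that as a follow-up rather than a blocker. `ableplayer_shortcode` starts and ends outside these hunks.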

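--- a/src/readme.txt
+++ b/src/readme.txt
@@ -6,7 +6,7 @@ Tags: html5,media,audio,video,accessibility
 Requires at least: 4.9
 Tested up to: 6.8
 Requires PHP: 7.0
-Stable tag: 1.2.1
+Stable tag: 1.2.2
 License: MIT
 License URI: https://github.com/ableplayer/ableplayer-wordpress/blob/master/LICENSE
 
@@ -107,6 +107,10 @@
 
 == Changelog ==
 
+= 1.2.2 =
+
+* Security: Stored Cross Site Scripting vulnerability in shortcode. Props Peter Thaleikis, reported via WordFence. Also reported by Johska via Patchstack.
+
 = 1.2.1 =
 
 * Change: Updates Able Player to version 4.5.1.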
