Merge pull request #2061 from ahmedkaludi/1.26

1.26

Author: Sanjeevsetu

modules/rating-box/frontend.php

@@ -28,9 +28,12 @@ public function saswp_review_hooks(){
          */
         public function saswp_review_display_via_shortcode($attr){
 
-            $review_id = $attr['id'];
+            $review_id = '';
+            if(isset($attr['id'])){
+                $review_id = $attr['id'];
+            }
 
-            if(isset($review_id)){
+            if($review_id > 0){
 
               $result = $this->saswp_get_review_box_content();  
               return $result;

modules/reviews/reviews_collection.php

@@ -436,7 +436,7 @@ public function saswp_reviews_collection_shortcode_render($attr){
 
             if(!is_admin()){
 
-                if(isset($attr['id'])){
+                if(isset($attr['id']) && $attr['id'] > 0){
                     $collection_post_status = get_post_status($attr['id']);
                     if($collection_post_status == 'publish'){
                         $total_reviews        = array();                 

modules/reviews/reviews_form.php

@@ -209,7 +209,7 @@ public function saswp_reviews_form_amp_script($data){
         }
 
         public function saswp_reviews_form_render($attr){
-            
+            $attr = saswp_wp_kses_post($attr);
             $on_button = false;
 
             update_option('saswp_g_site_key', '');

modules/reviews/reviews_service.php

@@ -555,6 +555,12 @@ public function saswp_fetch_google_reviews(){
     public function saswp_reviews_shortcode($attr){
 
         $response = '';
+        if(isset($attr['id'])){
+            $attr['id'] = intval($attr['id']);
+            if($attr['id'] <= 0){
+                return $response;
+            }
+        }
 
         $reviews = $this->saswp_get_reviews_list_by_parameters($attr);
 

modules/tinymce/register-shortcodes.php

@@ -8,6 +8,7 @@ function saswp_tiny_howto_render( $atts, $content = null ){
 
     $output = '';
 
+    $atts = saswp_wp_kses_post($atts);
     $saswp_tiny_howto = shortcode_atts(
         [
             'css_class'     => '',
@@ -73,7 +74,7 @@ function saswp_tiny_howto_render( $atts, $content = null ){
         }
 
         if( !empty($saswp_tiny_howto['description']) ){
-            $output .= '<p>'.html_entity_decode(esc_attr($saswp_tiny_howto['description'])).'</p>';
+            $output .= '<p>'.wp_kses_post($saswp_tiny_howto['description']).'</p>';
         }
 
         if( !empty($saswp_tiny_howto['elements']) ){
@@ -86,8 +87,8 @@ function saswp_tiny_howto_render( $atts, $content = null ){
                 if($value['step_title'] || $value['step_description']){
 
                     $output .= '<li>'; 
-                    $output .= '<strong class="saswp-how-to-step-name">'. html_entity_decode(esc_attr($value['step_title'])).'</strong>';
-                    $output .= '<p class="saswp-how-to-step-text">'.html_entity_decode(esc_textarea($value['step_description']));
+                    $output .= '<strong class="saswp-how-to-step-name">'. wp_kses_post($value['step_title']).'</strong>';
+                    $output .= '<p class="saswp-how-to-step-text">'.wp_kses_post($value['step_description']);
 
                     if ( ! empty( $value['image'] ) ) {
 
@@ -123,6 +124,7 @@ function saswp_tiny_multi_faq_render( $atts, $content = null ){
 
     $output = '';
 
+    $atts = saswp_wp_kses_post($atts);
     $saswp_tiny_multi_faq = shortcode_atts(
         [
             'css_class' => '',
@@ -188,6 +190,7 @@ function saswp_tiny_faq_render( $atts, $content = null ){
 
         global $saswp_tiny_faq;
 
+        $atts = saswp_wp_kses_post($atts);
         $saswp_tiny_faq = shortcode_atts(
             [            
                 'headline'  => 'h2',
@@ -244,6 +247,7 @@ function saswp_tiny_recipe_render( $atts, $content = null ){
 
     $output = '';
 
+    $atts = saswp_wp_kses_post($atts);
     $saswp_tiny_recipe = shortcode_atts(
         [
             'recipe_by'         => '',
@@ -352,4 +356,20 @@ function saswp_tiny_recipe_render( $atts, $content = null ){
         $output .= '</div>'; // saswp-recipe-block-container div end
     }
     return $output;
+}
+
+/**
+ * Sanitize shortcode attributes
+ * @since 1.26
+ * @param $atts array
+ * @return $atts array
+ * */
+function saswp_wp_kses_post($atts=array())
+{
+    if(!empty($atts) && is_array($atts)){
+        foreach ($atts as $atts_key => $atts_value) {
+            $atts[$atts_key] = wp_kses_post($atts_value);
+        }
+    }
+    return $atts;
 }

output/function.php

@@ -1852,9 +1852,12 @@ function saswp_get_the_tags(){
 
             $meta_tag = array_column($post_meta, 'value');
             $key      = array_search("keywords",$meta_tag);
-            
-            if(array_key_exists($key, $post_meta)){
-                $tag_str = $post_meta[$key]['content'];
+            if(!empty($key)){
+                if(is_numeric($key) || is_string($key)){
+                    if(array_key_exists($key, $post_meta)){
+                        $tag_str = $post_meta[$key]['content'];
+                    }
+                }
             }
 
         }

output/service.php

@@ -155,7 +155,10 @@ public function saswp_get_meta_list_value($key, $field, $schema_post_id, $schema
                     $response = get_site_url();                    
                     break;
                 case 'post_title':
-                    $response = @get_the_title();                    
+                    $response = @get_the_title(); 
+                    if(empty($response)){
+                        $response = @get_the_title(get_the_ID());
+                    }                   
                     break;
                 case 'post_content':
                     $response = @get_the_content();

readme.txt

@@ -4,7 +4,7 @@ Tags: Schema, Structured Data, Google Snippets, Rich Snippets, Schema.org, SEO,
 Requires at least: 3.0
 Tested up to: 6.4
 Requires PHP: 5.6.20
-Stable tag: 1.25
+Stable tag: 1.26
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -121,6 +121,12 @@ You can contact us from [here](http://structured-data-for-wp.com/contact-us/)
 
 == Changelog ==
 
+= 1.26 (10 Jan 2024) =
+
+* Fixed: Event schema automation issues #2058
+* Fixed: PHP warnings #2059
+* Fixed: Cross Site Scripting (XSS) vulnerability reported by patchstack.com
+
 = 1.25 (16 Dec 2023) =
 
 * Enhancement: Added ‘acceptedAnswer’ and ‘suggestedAnswer’ globally in Q&A schema #1967

structured-data-for-wp.php

@@ -2,7 +2,7 @@
 /*
 Plugin Name: Schema & Structured Data for WP & AMP
 Description: Schema & Structured Data adds Google Rich Snippets markup according to Schema.org guidelines to structure your site for SEO. (AMP Compatible) 
-Version: 1.25
+Version: 1.26
 Text Domain: schema-and-structured-data-for-wp
 Domain Path: /languages
 Author: Magazine3
@@ -13,7 +13,7 @@
 // Exit if accessed directly.
 if ( ! defined( 'ABSPATH' ) ) exit;
 
-define('SASWP_VERSION', '1.25');
+define('SASWP_VERSION', '1.26');
 define('SASWP_DIR_NAME_FILE', __FILE__ );
 define('SASWP_DIR_NAME', dirname( __FILE__ ));
 define('SASWP_DIR_URI', plugin_dir_url(__FILE__));