escape attributes on liveblog render

jeffreyvr · Nov 20, 2024 · d2e53fe · d2e53fe
1 parent 43b4c25
commit d2e53fe
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 6 deletions.
diff --git a/includes/class-elb-liveblog.php b/includes/class-elb-liveblog.php
@@ -110,7 +110,7 @@ public function render() {
 
 		$content .= do_action( 'elb_before_liveblog', $this->get_liveblog_id(), array() );
 
-		$content .= '<div id="elb-liveblog" class="' . implode( ' ', $classes ) . '" data-append-timestamp="' . elb_get_option( 'append_timestamp', false ) . '" data-status="' . elb_get_liveblog_status() . '" data-highlighted-entry="' . elb_get_highlighted_entry_id() . '" data-show-entries="' . elb_get_show_entries() . '" data-endpoint="' . $this->endpoint . '">';
+		$content .= '<div id="elb-liveblog" class="' . implode( ' ', $classes ) . '" data-append-timestamp="' . esc_attr( elb_get_option( 'append_timestamp', false ) ) . '" data-status="' . esc_attr( elb_get_liveblog_status() ) . '" data-highlighted-entry="' . esc_attr( elb_get_highlighted_entry_id() ) . '" data-show-entries="' . esc_attr( elb_get_show_entries() ) . '" data-endpoint="' . esc_attr( $this->endpoint ) . '">';
 
 		$content .= '<div class="elb-liveblog-closed-message" style="display: none;">' . __( 'The liveblog has ended.', ELB_TEXT_DOMAIN ) . '</div>';
 

diff --git a/includes/elb-shortcodes.php b/includes/elb-shortcodes.php
@@ -12,15 +12,18 @@
  * @return string
  */
 function elb_liveblog_shortcode( $atts ) {
-	if ( ! empty( $atts['endpoint'] ) ) {
-		$liveblog = ELB_Liveblog::fromEndpoint( $atts['endpoint'] );
-	} elseif ( ! empty( $atts['id'] ) ) {
-		$liveblog = ELB_Liveblog::fromId( $atts['id'] );
+    $endpoint = !empty($atts['endpoint']) ? esc_attr($atts['endpoint']) : null;
+    $id = !empty($atts['id']) ? esc_attr($atts['id']) : null;
+
+	if ( $endpoint ) {
+		$liveblog = ELB_Liveblog::fromEndpoint( $endpoint );
+	} elseif ( $id ) {
+		$liveblog = ELB_Liveblog::fromId( $id );
 	} else {
 		return;
 	}
 
 	return $liveblog->render();
 }
 
-add_shortcode( 'elb_liveblog', 'elb_liveblog_shortcode' );
+add_shortcode( 'elb_liveblog', 'elb_liveblog_shortcode' );
diff --git a/readme.txt b/readme.txt
@@ -53,6 +53,8 @@ AMP is not supported, but a fallback link to the original page is displayed on A
 
 = Unreleased =
 
+* Escape attributes on liveblog render.
+
 = 2.3.5, August 22th, 2023 =
 * Replace Twitter with X.
 * Fix PHP notice when liveblog has no items yet.