From d2e53fe4a491b80e3e96a6e14d550d66f578c96b Mon Sep 17 00:00:00 2001
From: Jeffrey van Rossum <jeffrey@vanrossum.dev>
Date: Wed, 20 Nov 2024 20:09:20 +0100
Subject: [PATCH] escape attributes on liveblog render

---
 includes/class-elb-liveblog.php |  2 +-
 includes/elb-shortcodes.php     | 13 ++++++++-----
 readme.txt                      |  2 ++
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/includes/class-elb-liveblog.php b/includes/class-elb-liveblog.php
index 05d5756..34cba09 100644
--- a/includes/class-elb-liveblog.php
+++ b/includes/class-elb-liveblog.php
@@ -110,7 +110,7 @@ public function render() {
 
 		$content .= do_action( 'elb_before_liveblog', $this->get_liveblog_id(), array() );
 
-		$content .= '<div id="elb-liveblog" class="' . implode( ' ', $classes ) . '" data-append-timestamp="' . elb_get_option( 'append_timestamp', false ) . '" data-status="' . elb_get_liveblog_status() . '" data-highlighted-entry="' . elb_get_highlighted_entry_id() . '" data-show-entries="' . elb_get_show_entries() . '" data-endpoint="' . $this->endpoint . '">';
+		$content .= '<div id="elb-liveblog" class="' . implode( ' ', $classes ) . '" data-append-timestamp="' . esc_attr( elb_get_option( 'append_timestamp', false ) ) . '" data-status="' . esc_attr( elb_get_liveblog_status() ) . '" data-highlighted-entry="' . esc_attr( elb_get_highlighted_entry_id() ) . '" data-show-entries="' . esc_attr( elb_get_show_entries() ) . '" data-endpoint="' . esc_attr( $this->endpoint ) . '">';
 
 		$content .= '<div class="elb-liveblog-closed-message" style="display: none;">' . __( 'The liveblog has ended.', ELB_TEXT_DOMAIN ) . '</div>';
 
diff --git a/includes/elb-shortcodes.php b/includes/elb-shortcodes.php
index c9f0f68..9ab3c34 100644
--- a/includes/elb-shortcodes.php
+++ b/includes/elb-shortcodes.php
@@ -12,10 +12,13 @@
  * @return string
  */
 function elb_liveblog_shortcode( $atts ) {
-	if ( ! empty( $atts['endpoint'] ) ) {
-		$liveblog = ELB_Liveblog::fromEndpoint( $atts['endpoint'] );
-	} elseif ( ! empty( $atts['id'] ) ) {
-		$liveblog = ELB_Liveblog::fromId( $atts['id'] );
+    $endpoint = !empty($atts['endpoint']) ? esc_attr($atts['endpoint']) : null;
+    $id = !empty($atts['id']) ? esc_attr($atts['id']) : null;
+
+	if ( $endpoint ) {
+		$liveblog = ELB_Liveblog::fromEndpoint( $endpoint );
+	} elseif ( $id ) {
+		$liveblog = ELB_Liveblog::fromId( $id );
 	} else {
 		return;
 	}
@@ -23,4 +26,4 @@ function elb_liveblog_shortcode( $atts ) {
 	return $liveblog->render();
 }
 
-add_shortcode( 'elb_liveblog', 'elb_liveblog_shortcode' );
\ No newline at end of file
+add_shortcode( 'elb_liveblog', 'elb_liveblog_shortcode' );
diff --git a/readme.txt b/readme.txt
index 326e82f..0e588d4 100644
--- a/readme.txt
+++ b/readme.txt
@@ -53,6 +53,8 @@ AMP is not supported, but a fallback link to the original page is displayed on A
 
 = Unreleased =
 
+* Escape attributes on liveblog render.
+
 = 2.3.5, August 22th, 2023 =
 * Replace Twitter with X.
 * Fix PHP notice when liveblog has no items yet.