diff --git a/packages/embeds/wordpress/package.json b/packages/embeds/wordpress/package.json
index b6affd374..5b8066f4f 100644
--- a/packages/embeds/wordpress/package.json
+++ b/packages/embeds/wordpress/package.json
@@ -1,13 +1,13 @@
 {
 "name": "@typebot.io/wordpress",
- "version": "3.6.0",
+ "version": "3.6.1",
 "main": "index.js",
 "repository": "https://github.com/baptisteArno/typebot.io",
 "author": "baptisteArno",
 "license": "AGPL-3.0-or-later",
 "scripts": {
 "deploy": "pnpm copy && pnpm commit",
- "copy": "svn copy ./trunk ./tags/3.6.0",
- "commit": "svn ci -m 'Add lib_version attr in admin panel'"
+ "copy": "svn copy ./trunk ./tags/3.6.1",
+ "commit": "svn ci -m 'Fix XSS vulnerability with shortcode attributes'"
 }
 }
diff --git a/packages/embeds/wordpress/trunk/README.txt b/packages/embeds/wordpress/trunk/README.txt
index e8673905e..c5704ecce 100644
--- a/packages/embeds/wordpress/trunk/README.txt
+++ b/packages/embeds/wordpress/trunk/README.txt
@@ -2,10 +2,10 @@
 Contributors: baptisteArno
 Tags: typebot, forms, surveys, quizzes, form builder, survey builder, quiz builder, custom forms, mobile forms, payment forms, order forms, feedback forms, enquiry forms, stripe, dropbox, google sheets, mailchimp, salesforce, hubspot, activecampaign, infusionsoft, asana, hipchat, slack, trello, zendesk
 Requires at least: 5.0
-Tested up to: 6.5
+Tested up to: 6.6
 License: GPL 2.0
 License URI: http://www.gnu.org/licenses/gpl-2.0.txt
-Stable Tag: 3.6.0
+Stable Tag: 3.6.1
 
 == Description ==
 Collect 4x more responses with conversational apps using Typebot.
@@ -24,6 +24,9 @@ This plugin relies on Typebot which is a tool that allows you to create conversa
 3. Activate your Typebot with the "Typebot" admin button located in the sidebar
 
 == Changelog ==
+= 3.6.1 =
+* Fix XSS vulnerability with shortcode attributes
+
 = 3.6.0 =
 * Add the lib_version attribute to wp admin panel
diff --git a/packages/embeds/wordpress/trunk/public/class-typebot-public.php b/packages/embeds/wordpress/trunk/public/class-typebot-public.php
index 1cd927c51..efd27cf53 100644
--- a/packages/embeds/wordpress/trunk/public/class-typebot-public.php
+++ b/packages/embeds/wordpress/trunk/public/class-typebot-public.php
@@ -94,23 +94,23 @@ class Typebot_Public
 {
 $lib_version = '0.2';
 if(array_key_exists('lib_version', $attributes)) {
- $lib_version = sanitize_text_field($attributes['lib_version']);
+ $lib_version = custom_sanitize_text_field($attributes['lib_version']);
 }
 $lib_url = "https://cdn.jsdelivr.net/npm/@typebot.io/js@". $lib_version ."/dist/web.js";
 $width = '100%';
 $height = '500px';
 $api_host = 'https://typebot.io';
 if (array_key_exists('width', $attributes)) {
- $width = sanitize_text_field($attributes['width']);
+ $width = custom_sanitize_text_field($attributes['width']);
 }
 if (array_key_exists('height', $attributes)) {
- $height = sanitize_text_field($attributes['height']);
+ $height = custom_sanitize_text_field($attributes['height']);
 }
 if (array_key_exists('typebot', $attributes)) {
- $typebot = sanitize_text_field($attributes['typebot']);
+ $typebot = custom_sanitize_text_field($attributes['typebot']);
 }
 if (array_key_exists('host', $attributes)) {
- $api_host = sanitize_text_field($attributes['host']);
+ $api_host = custom_sanitize_text_field($attributes['host']);
 }
 if (!$typebot) {
 return;
@@ -143,3 +143,9 @@ class Typebot_Public
 );
 }
 }
+
+function custom_sanitize_text_field($str) {
+ $str = str_replace(array('"', "'", '\\'), '', $str);
+ $str = sanitize_text_field($str);
+ return $str;
+}
diff --git a/packages/embeds/wordpress/trunk/typebot.php b/packages/embeds/wordpress/trunk/typebot.php
index bededf519..ec07c6019 100644
--- a/packages/embeds/wordpress/trunk/typebot.php
+++ b/packages/embeds/wordpress/trunk/typebot.php
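Review bot: The five new `custom_sanitize_text_field` calls (the `lib_version`, `width`, `height`, `typebot` and `host` assignments) sanitize on input by stripping characters, but the values are emitted later in this method, outside the hunk, and what protects against injection is escaping that matches the output context there — `esc_url()` for `$lib_url`, `esc_attr()` for `$width`/`$height`, and `wp_json_encode()` for anything placed inside inline JavaScript. `$lib_version` in particular is concatenated unvalidated into the jsDelivr URL on the line right below its assignment, and removing quotes and backslashes does not constrain it to a version number; restricting it to a version pattern, `if (!preg_match('/^[0-9]+(\.[0-9]+)*$/', $lib_version)) { $lib_version = '0.2'; }`, would bound which resource the CDN request can name. A separate, pre-existing defect worth fixing in the same pass: `$typebot` is only assigned inside the `typebot` branch yet read by `if (!$typebot)`, so a shortcode without that attribute reads an undefined variable; initialising `$typebot = null;` next to the other defaults avoids the notice. The method body begins at this hunk's first line and continues past its last.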
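Review bot: `custom_sanitize_text_field` is added as an unprefixed global function, so if any other plugin or theme declares a function of the same name PHP aborts with a redeclaration fatal at load time; it should carry the plugin prefix and native types, `function typebot_sanitize_text_field(string $str): string`, or be a `private static` method of `Typebot_Public`. Because removing `"`, `'` and `\` is a character blacklist rather than context escaping, the function also needs a docblock stating exactly what it guarantees — the returned value contains no quote or backslash characters and has passed `sanitize_text_field()` — and that callers must still escape for the output context. The brace on the signature line differs from the next-line brace style the rest of the file appears to use, judging from the lone `{` context line at the top of the first hunk. The `array(...)` literal can be the short form `['"', "'", '\\']`.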
@@ -3,7 +3,7 @@
 /**
 * Plugin Name: Typebot
 * Description: Convert more with conversational forms
- * Version: 3.6.0
+ * Version: 3.6.1
 * Author: Typebot
 * Author URI: http://typebot.io/
 * License: GPL-2.0+
@@ -16,7 +16,7 @@ if (!defined('WPINC')) { die(); }
-define('TYPEBOT_VERSION', '3.6.0');
+define('TYPEBOT_VERSION', '3.6.1');
 function activate_typebot() {