
♻️ (wp) Improve wp escape attr

This commit is contained in:
Baptiste Arnaud
2024-07-16 15:54:55 +02:00
parent c6005c49a2
commit 867041e7d8
5 changed files with 51 additions and 22 deletions


@ -1,13 +1,13 @@
{ {
"name": "@typebot.io/wordpress", "name": "@typebot.io/wordpress",
"version": "3.6.1", "version": "4.0.0",
"main": "index.js", "main": "index.js",
"repository": "https://github.com/baptisteArno/typebot.io", "repository": "https://github.com/baptisteArno/typebot.io",
"author": "baptisteArno", "author": "baptisteArno",
"license": "AGPL-3.0-or-later", "license": "AGPL-3.0-or-later",
"scripts": { "scripts": {
"deploy": "pnpm copy && pnpm commit", "deploy": "pnpm copy && pnpm commit",
"copy": "svn copy ./trunk ./tags/3.6.1", "copy": "svn copy ./trunk ./tags/4.0.0",
"commit": "svn ci -m 'Fix XSS vulnerability with shortcode attributes'" "commit": "svn ci -m 'Use embed v0.3 by default'"
} }
} }


@ -5,7 +5,7 @@ Requires at least: 5.0
Tested up to: 6.6 Tested up to: 6.6
License: GPL 2.0 License: GPL 2.0
License URI: http://www.gnu.org/licenses/gpl-2.0.txt License URI: http://www.gnu.org/licenses/gpl-2.0.txt
Stable Tag: 3.6.1 Stable Tag: 4.0.0
== Description == == Description ==
Collect 4x more responses with conversational apps using Typebot. Collect 4x more responses with conversational apps using Typebot.
@ -24,6 +24,10 @@ This plugin relies on Typebot which is a tool that allows you to create conversa
3. Activate your Typebot with the "Typebot" admin button located in the sidebar 3. Activate your Typebot with the "Typebot" admin button located in the sidebar
== Changelog == == Changelog ==
= 4.0.0 =
* Use embed lib v0.3 by default
* Improve shortcode attributes validation
= 3.6.1 = = 3.6.1 =
* Fix XSS vulnerability with shortcode attributes * Fix XSS vulnerability with shortcode attributes


@ -11,7 +11,7 @@
?> ?>
<div style="display: flex; flex-direction: column"> <div style="display: flex; flex-direction: column">
<label>Library version:</label> <label>Library version:</label>
<input name="lib_version" value="<?php echo esc_attr(get_option('lib_version') !== null && get_option('lib_version') !== '' ? get_option('lib_version') : '0.2'); ?>" style="padding: .5rem" /> <input name="lib_version" value="<?php echo esc_attr(get_option('lib_version') !== null && get_option('lib_version') !== '' ? get_option('lib_version') : '0.3'); ?>" style="padding: .5rem" />
</div> </div>
<div style="display: flex; flex-direction: column"> <div style="display: flex; flex-direction: column">


@ -40,7 +40,7 @@ class Typebot_Public
function typebot_script() function typebot_script()
{ {
$lib_version = get_option('lib_version') !== null && get_option('lib_version') !== '' ? get_option('lib_version') : '0.2'; $lib_version = get_option('lib_version') !== null && get_option('lib_version') !== '' ? get_option('lib_version') : '0.3';
echo '<script type="module">import Typebot from "https://cdn.jsdelivr.net/npm/@typebot.io/js@'.$lib_version.'/dist/web.js";'; echo '<script type="module">import Typebot from "https://cdn.jsdelivr.net/npm/@typebot.io/js@'.$lib_version.'/dist/web.js";';
if ( if (
get_option('excluded_pages') !== null && get_option('excluded_pages') !== null &&
@ -90,27 +90,52 @@ class Typebot_Public
echo '</script>'; echo '</script>';
} }
public function add_typebot_container($attributes = []) public function add_typebot_container($attributes = []) {
{ $lib_version = '0.3';
$lib_version = '0.2'; if (array_key_exists('lib_version', $attributes)) {
if(array_key_exists('lib_version', $attributes)) { $lib_version = $attributes['lib_version'];
$lib_version = custom_sanitize_text_field($attributes['lib_version']); if (strlen($lib_version) > 10 || !preg_match('/^\d+\.\d+(\.\d+)?$/', $lib_version)) {
$lib_version = '0.3';
} else {
$lib_version = sanitize_text_field($lib_version);
}
} }
$lib_url = "https://cdn.jsdelivr.net/npm/@typebot.io/js@". $lib_version ."/dist/web.js"; $lib_url = esc_url_raw("https://cdn.jsdelivr.net/npm/@typebot.io/js@". $lib_version ."/dist/web.js");
$width = '100%'; $width = '100%';
$height = '500px'; $height = '500px';
$api_host = 'https://typebot.io'; $api_host = 'https://typebot.co';
if (array_key_exists('width', $attributes)) { if (array_key_exists('width', $attributes)) {
$width = custom_sanitize_text_field($attributes['width']); $width = $attributes['width'];
if (strlen($width) > 10 || !preg_match('/^\d+(%|px)$/', $width)) {
$width = '100%';
} else {
$width = sanitize_text_field($width);
}
} }
if (array_key_exists('height', $attributes)) { if (array_key_exists('height', $attributes)) {
$height = custom_sanitize_text_field($attributes['height']); $height = $attributes['height'];
if (strlen($height) > 10 || !preg_match('/^\d+(%|px)$/', $height)) {
$height = '500px';
} else {
$height = sanitize_text_field($height);
}
} }
if (array_key_exists('typebot', $attributes)) { if (array_key_exists('typebot', $attributes)) {
$typebot = custom_sanitize_text_field($attributes['typebot']); $typebot = $attributes['typebot'];
if (strlen($typebot) > 50 || empty($typebot) || !preg_match('/^[a-zA-Z0-9_-]+$/', $typebot)) {
return;
} else {
$typebot = sanitize_text_field($typebot);
}
} }
if (array_key_exists('host', $attributes)) { if (array_key_exists('host', $attributes)) {
$api_host = custom_sanitize_text_field($attributes['host']); $api_host = $attributes['host'];
// Limit the length and sanitize
if (strlen($api_host) > 100 || !filter_var($api_host, FILTER_VALIDATE_URL)) {
$api_host = 'https://typebot.co'; // fallback to default host
} else {
$api_host = sanitize_text_field($api_host);
}
} }
if (!$typebot) { if (!$typebot) {
return; return;
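Review bot: The host check on the `FILTER_VALIDATE_URL` line accepts any URL scheme, so a shortcode `host` that is a well-formed non-http(s) URL passes validation and is emitted as `apiHost`; `esc_js()` keeps it from breaking out of the JS string literal, but the embed presumably then contacts whatever scheme/host was given. Restrict the scheme alongside the existing checks, e.g. `if (strlen($api_host) > 100 || !filter_var($api_host, FILTER_VALIDATE_URL) || !in_array(parse_url($api_host, PHP_URL_SCHEME), ['http', 'https'], true)) {`. Separately, `$typebot` is only assigned inside the `array_key_exists('typebot', ...)` branch, so the later `if (!$typebot)` reads an undefined variable when the attribute is absent; adding `$typebot = '';` next to the `$width`/`$height`/`$api_host` defaults avoids that, and since `empty($typebot)` also rejects the id `'0'` that the regex otherwise allows, `$typebot === ''` is the narrower test. add_typebot_container's body continues past the end of this hunk.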
@ -119,14 +144,14 @@ class Typebot_Public
$id = $this->generateRandomString(); $id = $this->generateRandomString();
$bot_initializer = '<script type="module"> $bot_initializer = '<script type="module">
import Typebot from "' . $lib_url . '" import Typebot from "' . esc_url($lib_url) . '"
const urlParams = new URLSearchParams(window.location.search); const urlParams = new URLSearchParams(window.location.search);
const queryParams = Object.fromEntries(urlParams.entries()); const queryParams = Object.fromEntries(urlParams.entries());
Typebot.initStandard({ apiHost: "' . $api_host . '", id: "' . $id . '", typebot: "' . $typebot . '", prefilledVariables: { ...window.typebotWpUser, ...queryParams } });</script>'; Typebot.initStandard({ apiHost: "' . esc_js($api_host) . '", id: "' . esc_js($id) . '", typebot: "' . esc_js($typebot) . '", prefilledVariables: { ...window.typebotWpUser, ...queryParams } });</script>';
return '<typebot-standard id="' . $id . '" style="width: ' . $width . '; height: ' . $height . ';"></typebot-standard>' . $bot_initializer; return '<typebot-standard id="' . esc_attr($id) . '" style="width: ' . esc_attr($width) . '; height: ' . esc_attr($height) . ';"></typebot-standard>' . $bot_initializer;
} }
private function generateRandomString($length = 10) private function generateRandomString($length = 10)


@ -3,7 +3,7 @@
/** /**
* Plugin Name: Typebot * Plugin Name: Typebot
* Description: Convert more with conversational forms * Description: Convert more with conversational forms
* Version: 3.6.1 * Version: 4.0.0
* Author: Typebot * Author: Typebot
* Author URI: http://typebot.io/ * Author URI: http://typebot.io/
* License: GPL-2.0+ * License: GPL-2.0+
@ -16,7 +16,7 @@ if (!defined('WPINC')) {
die(); die();
} }
define('TYPEBOT_VERSION', '3.6.1'); define('TYPEBOT_VERSION', '4.0.0');
function activate_typebot() function activate_typebot()
{ {