From 153a17df090fbe2db546647768c3f780c90f8b85 Mon Sep 17 00:00:00 2001
From: krishana7911
Date: Fri, 22 Aug 2025 13:25:28 +0530
Subject: [PATCH 1/3] sanitize and validate [rt_media] attributes
---
 admin/rt-transcoder-functions.php | 63 ++++++++++++++++++++++++-------
 1 file changed, 49 insertions(+), 14 deletions(-)
diff --git a/admin/rt-transcoder-functions.php b/admin/rt-transcoder-functions.php
index 812f4e4c..ac5996cb 100755
--- a/admin/rt-transcoder-functions.php
+++ b/admin/rt-transcoder-functions.php
@@ -24,7 +24,6 @@ function rta() {
 * Builds the [rt_media] shortcode output.
 *
 * If media type is video then display transcoded video (mp4 format) if any else original video.
- *
 * If media type is audio then display transcoded audio (mp3 format) if any else original audio.
 *
 * @since 1.0.0
@@ -35,72 +34,108 @@ function rta() {
 * @type int $attachment_id ID of attachment.
 * }
 * @param string $content Shortcode content.
- * @return string|void HTML content to display video.
+ * @return string|void HTML content to display media.
 */
 function rt_media_shortcode( $attrs, $content = '' ) {
+ // Bail early if required attribute is missing.
 if ( empty( $attrs['attachment_id'] ) ) {
 return false;
 }
- $attachment_id = $attrs['attachment_id'];
+ // Sanitize attachment ID (force integer).
+ $attachment_id = absint( $attrs['attachment_id'] );
+ // Validate that attachment exists and has a MIME type.
 $type = get_post_mime_type( $attachment_id );
-
 if ( empty( $type ) ) {
- return false;
+ return '

' . esc_html__( 'Invalid attachment ID.', 'transcoder' ) . '

';
 }
 $mime_type = explode( '/', $type );
 $media_url = '';
+ // Define whitelist of allowed shortcode attributes
+ // (prevents arbitrary attributes that could lead to XSS).
+ $allowed_video_attrs = array( 'src', 'poster', 'preload', 'autoplay', 'loop', 'muted', 'width', 'height' );
+ $allowed_audio_attrs = array( 'src', 'preload', 'autoplay', 'loop' );
+
 if ( 'video' === $mime_type[0] ) {
- $video_shortcode_attributes = '';
- $media_url = rtt_get_media_url( $attachment_id );
+ // Resolve video URL (transcoded version if available).
+ $media_url = rtt_get_media_url( $attachment_id );
+ // Generate a poster thumbnail for the video.
 $poster = rt_media_get_video_thumbnail( $attachment_id );
+ // Force shortcode to use validated `src` + `poster`.
 $attrs['src'] = $media_url;
 $attrs['poster'] = $poster;
+ // Build video shortcode attributes securely.
+ $video_shortcode_attributes = '';
 foreach ( $attrs as $key => $value ) {
- $video_shortcode_attributes .= ' ' . $key . '="' . $value . '"';
+ if ( in_array( $key, $allowed_video_attrs, true ) ) {
+ // Escape URLs properly for `src` and `poster`.
+ if ( 'src' === $key || 'poster' === $key ) {
+ $value = esc_url( $value );
+ } else {
+ // Escape all other attribute values.
+ $value = esc_attr( $value );
+ }
+ $video_shortcode_attributes .= ' ' . esc_attr( $key ) . '="' . $value . '"';
+ }
 }
+ // Render the final [video] shortcode.
 $content = do_shortcode( "[video {$video_shortcode_attributes}]" );
 } elseif ( 'audio' === $mime_type[0] ) {
+ // Resolve audio URL (prefer transcoded mp3).
 $media_url = rtt_get_media_url( $attachment_id, 'mp3' );
- $audio_shortcode_attributes = 'src="' . $media_url . '"';
+ // Force valid `src` attribute.
+ $attrs['src'] = $media_url;
+ // Build audio shortcode attributes securely.
+ $audio_shortcode_attributes = '';
 foreach ( $attrs as $key => $value ) {
- $audio_shortcode_attributes .= ' ' . $key . '="' . $value . 
'"';
+ if ( in_array( $key, $allowed_audio_attrs, true ) ) {
+ // Escape URL for `src`, escape attr for others.
+ if ( 'src' === $key ) {
+ $value = esc_url( $value );
+ } else {
+ $value = esc_attr( $value );
+ }
+ $audio_shortcode_attributes .= ' ' . esc_attr( $key ) . '="' . $value . '"';
+ }
 }
+ // Render the final [audio] shortcode.
 $content = do_shortcode( "[audio {$audio_shortcode_attributes}]" );
 } elseif ( 'image' === $mime_type[0] ) {
+ // Transcoder does not support images — return notice.
 $content = '

' . esc_html__( 'Image attachments are not handled by Transcoder plugin.', 'transcoder' ) . '

';
 }
+ // Add user feedback if file is still being transcoded.
 if ( is_file_being_transcoded( $attachment_id ) ) {
 $content .= '

' . esc_html__( 'This file is being transcoded. Please wait.', 'transcoder' ) . '

';
 }
 /**
- * Allow user to filter [rt_media] short code content.
+ * Allow user to filter [rt_media] shortcode output.
 *
 * @since 1.0.0
 *
- * @param string $content Activity content.
- * @param int $attachment_id ID of attachment.
+ * @param string $content Shortcode content.
+ * @param int $attachment_id Attachment ID.
 * @param string $media_url URL of the media.
- * @param string $media_type Mime type of the media.
+ * @param string $media_type Top-level mime type (video|audio|image).
 */
 return apply_filters( 'rt_media_shortcode', $content, $attachment_id, $media_url, $mime_type[0] );
 }
From 085cdb6350cd816dbef9c5c71bfda6950ac0db7e Mon Sep 17 00:00:00 2001
From: krishana7911
Date: Fri, 22 Aug 2025 13:34:38 +0530
Subject: [PATCH 2/3] add check if media_url is not resolved
---
 admin/rt-transcoder-functions.php | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/admin/rt-transcoder-functions.php b/admin/rt-transcoder-functions.php
index ac5996cb..359de75c 100755
--- a/admin/rt-transcoder-functions.php
+++ b/admin/rt-transcoder-functions.php
@@ -68,6 +68,10 @@ function rt_media_shortcode( $attrs, $content = '' ) {
 // Generate a poster thumbnail for the video.
 $poster = rt_media_get_video_thumbnail( $attachment_id );
+ if ( empty( $media_url ) ) {
+ return '
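Review bot: The "Validate that attachment exists" comment promises more than the code checks: after `absint()` a non-numeric attachment_id becomes 0, and the only guard is that `get_post_mime_type()` returns a non-empty value, so the function never confirms the ID refers to an attachment post (and, if I recall WordPress core correctly, `get_post( 0 )` falls back to the global `$post`, so the rejection of 0 works by accident of that post having no MIME type rather than by design). Reject the sanitized value explicitly before any lookup, `if ( 0 === $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {` returning the existing 'Invalid attachment ID.' notice, and keep the MIME check only for the video/audio dispatch. A minor second point: the allow-listed values are escaped with `esc_attr()`/`esc_url()` before being handed to `do_shortcode()`, and the core `[video]`/`[audio]` handlers escape them again when emitting HTML, so a value containing `&` will render double-encoded; a comment that the escaping here protects the shortcode-string parsing context (quotes inside values) would make that intent clear to the next reader.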

' . esc_html__( 'Media file unavailable.', 'transcoder' ) . '

';
+ }
+
 // Force shortcode to use validated `src` + `poster`.
 $attrs['src'] = $media_url;
 $attrs['poster'] = $poster;
@@ -95,6 +99,13 @@ function rt_media_shortcode( $attrs, $content = '' ) {
 // Resolve audio URL (prefer transcoded mp3).
 $media_url = rtt_get_media_url( $attachment_id, 'mp3' );
+
+ // Graceful fallback: if media URL cannot be resolved (e.g. missing file),
+ // show a friendly message instead of rendering a broken player.
+ if ( empty( $media_url ) ) {
+ return '
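Review bot: The new early `return` for an empty `$media_url` skips the rest of rt_media_shortcode, including the `is_file_being_transcoded()` notice and the `rt_media_shortcode` filter that the docblock advertises as the way to customise the output, whereas the image and in-progress notices still flow through that filter; the audio-branch check in the second hunk has the same effect. Assigning the notice to `$content` and letting the branch fall through past the attribute loop would keep the filter contract, or the docblock should say that unavailable media bypasses it. In this hunk the check also sits after `rt_media_get_video_thumbnail()` has already run; placing it directly after `$media_url` is resolved avoids the thumbnail lookup for media that cannot be rendered, and the explanatory "Graceful fallback" comment given to the audio hunk is missing here. The notice markup is now duplicated across both hunks (and with the 'Invalid attachment ID.' notice), so a small private helper would keep them consistent. rt_media_shortcode starts and ends outside this hunk.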

' . esc_html__( 'Media file unavailable.', 'transcoder' ) . '

';
+ }
+
 // Force valid `src` attribute.
 $attrs['src'] = $media_url;
From 45133b3101220f542262b92c7964d91e8fe87361 Mon Sep 17 00:00:00 2001
From: krishana7911
Date: Fri, 22 Aug 2025 15:39:32 +0530
Subject: [PATCH 3/3] Version update v1.4.1
---
 README.md | 6 ++++++
 languages/transcoder.pot | 28 ++++++++++++++++++----------
 readme.txt | 15 +++++++++++++--
 rt-transcoder.php | 4 ++--
 4 files changed, 39 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 05ca1a61..65f29c5e 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,12 @@ Read [Documentation](https://rtmedia.io/docs/transcoder/?utm_source=readme&utm_m
 ## Changelog ##
+#### 1.4.1 [August 22, 2025] ####
+
+* FIXED
+ * Added validation and sanitization for `[rt_media]` shortcode attributes.
+ * Graceful fallback when media file is unavailable (prevents broken audio/video players).
+
 #### 1.4.0 [May 30, 2025] ####
 * REMOVED
diff --git a/languages/transcoder.pot b/languages/transcoder.pot
index 8d92031b..573274b3 100644
--- a/languages/transcoder.pot
+++ b/languages/transcoder.pot
@@ -4,7 +4,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: http://community.rtcamp.com/\n"
-"POT-Creation-Date: 2025-05-30 17:03:33+00:00\n"
+"POT-Creation-Date: 2025-08-22 10:08:44+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
@@ -439,33 +439,41 @@ msgid "" "our GoDAM services." msgstr "" -#: admin/rt-transcoder-functions.php:87 +#: admin/rt-transcoder-functions.php:52 +msgid "Invalid attachment ID." +msgstr "" + +#: admin/rt-transcoder-functions.php:72 admin/rt-transcoder-functions.php:106 +msgid "Media file unavailable." +msgstr "" + +#: admin/rt-transcoder-functions.php:132 msgid "Image attachments are not handled by Transcoder plugin." msgstr "" -#: admin/rt-transcoder-functions.php:92 +#: admin/rt-transcoder-functions.php:138 msgid "This file is being transcoded. Please wait." msgstr "" -#: admin/rt-transcoder-functions.php:463 admin/rt-transcoder-functions.php:728 -#: admin/rt-transcoder-functions.php:901 +#: admin/rt-transcoder-functions.php:509 admin/rt-transcoder-functions.php:774 +#: admin/rt-transcoder-functions.php:947 msgid "Check Status" msgstr "" -#: admin/rt-transcoder-functions.php:478 admin/rt-transcoder-functions.php:484 -#: admin/rt-transcoder-functions.php:924 +#: admin/rt-transcoder-functions.php:524 admin/rt-transcoder-functions.php:530 +#: admin/rt-transcoder-functions.php:970 msgid "This file is converting. Please refresh the page after some time." msgstr "" -#: admin/rt-transcoder-functions.php:705 +#: admin/rt-transcoder-functions.php:751 msgid "Transcode Status" msgstr "" -#: admin/rt-transcoder-functions.php:745 +#: admin/rt-transcoder-functions.php:791 msgid "File is transcoded." msgstr "" -#: admin/rt-transcoder-functions.php:919 +#: admin/rt-transcoder-functions.php:965 msgid "" "This file is converting. Please click on check status button to know " "current status or refresh the page after some time. " diff --git a/readme.txt b/readme.txt index 42beaae9..ad3a7b32 100644 --- a/readme.txt +++ b/readme.txt 
@@ -3,14 +3,16 @@ Contributors: rtcamp, mangeshp, chandrapatel, manishsongirkar36, bhargavbhandari
 Tags: media, multimedia, audio, songs, music, video, ffmpeg, media-node, rtMedia, WordPress, kaltura, transcode, transcoder, encoding, encode
 Donate link: https://rtcamp.com/donate/
 Requires at least: 4.1
-Tested up to: 6.8.1
-Stable tag: 1.4.0
+Tested up to: 6.8.2
+Stable tag: 1.4.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 Transcoding services for ANY WordPress website. Convert audio/video files of any format to a web-friendly format (mp3/mp4).
 == Description ==
+**Transcoder plugin has been discontinued and no longer maintained**, we recommend to use our new video management solution [GoDAM](https://godam.io/?utm_source=readme&utm_medium=plugin&utm_campaign=transcoder) which provides smart transcoding & adaptive bitrate, generate thumbnail, add custom layers, better way to organize media files, serve via CDN and do a lot more. Install the GoDAM plugin from [here](https://wordpress.org/plugins/godam)
+
 Transcoder easily converts all audio and video files uploaded to your website to a web-friendly format. Transcoder eliminates the need for a dedicated media node- no fiddling with installation, managing dependancies or renting servers! Transcoder also works on shared hosting- just install, subscribe and go!
@@ -63,6 +65,12 @@ Read [Documentation](https://rtmedia.io/docs/transcoder/?utm_source=readme&utm_m
 == Changelog ==
+= 1.4.1 [August 22, 2025] =
+
+* FIXED
+ * Added validation and sanitization for `[rt_media]` shortcode attributes.
+ * Graceful fallback when media file is unavailable (prevents broken audio/video players).
+
 = 1.4.0 [May 30, 2025]
 * REMOVED
@@ -254,6 +262,9 @@ Initial release
 == Upgrade Notice ==
+= 1.4.1 =
+Transcoder 1.4.1 with improved shortcode security.
+
 = 1.4.0 =
 Update to users - Discontinuing the Transcoder service and replacing with GoDAM.
diff --git a/rt-transcoder.php b/rt-transcoder.php
index 45a22772..6d62b8ba 100644
--- a/rt-transcoder.php
+++ b/rt-transcoder.php
@@ -3,7 +3,7 @@
 * Plugin Name: Transcoder
 * Plugin URI: https://rtmedia.io/transcoder/?utm_source=dashboard&utm_medium=plugin&utm_campaign=transcoder
 * Description: Audio & video transcoding services for ANY WordPress website. Allows you to convert audio/video files of any format to a web-friendly format (mp3/mp4).
- * Version: 1.4.0
+ * Version: 1.4.1
 * Text Domain: transcoder
 * Author: rtCamp
 * Author URI: https://rtcamp.com/?utm_source=dashboard&utm_medium=plugin&utm_campaign=transcoder
@@ -39,7 +39,7 @@
 /**
 * The version of the plugin
 */
- define( 'RT_TRANSCODER_VERSION', '1.4.0' );
+ define( 'RT_TRANSCODER_VERSION', '1.4.1' );
 }
 if ( ! defined( 'RT_TRANSCODER_NO_MAIL' ) && defined( 'VIP_GO_APP_ENVIRONMENT' ) ) {