Version Update v1.4.1 [ master ]

README.md

@@ -66,6 +66,12 @@ Read [Documentation](https://rtmedia.io/docs/transcoder/?utm_source=readme&utm_m
 
 ## Changelog ##
 
+#### 1.4.1 [August 22, 2025] ####
+
+* FIXED
+  * Added validation and sanitization for `[rt_media]` shortcode attributes.
+  * Graceful fallback when media file is unavailable (prevents broken audio/video players).
+
 #### 1.4.0 [May 30, 2025] ####
 
 * REMOVED

admin/rt-transcoder-functions.php

@@ -24,7 +24,6 @@ function rta() {
  * Builds the [rt_media] shortcode output.
  *
  * If media type is video then display transcoded video (mp4 format) if any else original video.
- *
  * If media type is audio then display transcoded audio (mp3 format) if any else original audio.
  *
  * @since 1.0.0
@@ -35,72 +34,119 @@ function rta() {
  *     @type int $attachment_id     ID of attachment.
  * }
  * @param  string $content  Shortcode content.
- * @return string|void      HTML content to display video.
+ * @return string|void      HTML content to display media.
  */
 function rt_media_shortcode( $attrs, $content = '' ) {
 
+	// Bail early if required attribute is missing.
 	if ( empty( $attrs['attachment_id'] ) ) {
 		return false;
 	}
 
-	$attachment_id = $attrs['attachment_id'];
+	// Sanitize attachment ID (force integer).
+	$attachment_id = absint( $attrs['attachment_id'] );
 
+	// Validate that attachment exists and has a MIME type.
 	$type = get_post_mime_type( $attachment_id );
-
 	if ( empty( $type ) ) {
-		return false;
+		return '<p>' . esc_html__( 'Invalid attachment ID.', 'transcoder' ) . '</p>';
 	}
 
 	$mime_type = explode( '/', $type );
 	$media_url = '';
 
+	// Define whitelist of allowed shortcode attributes
+	// (prevents arbitrary attributes that could lead to XSS).
+	$allowed_video_attrs = array( 'src', 'poster', 'preload', 'autoplay', 'loop', 'muted', 'width', 'height' );
+	$allowed_audio_attrs = array( 'src', 'preload', 'autoplay', 'loop' );
+
 	if ( 'video' === $mime_type[0] ) {
 
-		$video_shortcode_attributes = '';
-		$media_url                  = rtt_get_media_url( $attachment_id );
+		// Resolve video URL (transcoded version if available).
+		$media_url = rtt_get_media_url( $attachment_id );
 
+		// Generate a poster thumbnail for the video.
 		$poster = rt_media_get_video_thumbnail( $attachment_id );
 
+		if ( empty( $media_url ) ) {
+			return '<p>' . esc_html__( 'Media file unavailable.', 'transcoder' ) . '</p>';
+		}
+
+		// Force shortcode to use validated `src` + `poster`.
 		$attrs['src']    = $media_url;
 		$attrs['poster'] = $poster;
 
+		// Build video shortcode attributes securely.
+		$video_shortcode_attributes = '';
 		foreach ( $attrs as $key => $value ) {
-			$video_shortcode_attributes .= ' ' . $key . '="' . $value . '"';
+			if ( in_array( $key, $allowed_video_attrs, true ) ) {
+				// Escape URLs properly for `src` and `poster`.
+				if ( 'src' === $key || 'poster' === $key ) {
+					$value = esc_url( $value );
+				} else {
+					// Escape all other attribute values.
+					$value = esc_attr( $value );
+				}
+				$video_shortcode_attributes .= ' ' . esc_attr( $key ) . '="' . $value . '"';
+			}
 		}
 
+		// Render the final [video] shortcode.
 		$content = do_shortcode( "[video {$video_shortcode_attributes}]" );
 
 	} elseif ( 'audio' === $mime_type[0] ) {
 
+		// Resolve audio URL (prefer transcoded mp3).
 		$media_url = rtt_get_media_url( $attachment_id, 'mp3' );
 
-		$audio_shortcode_attributes = 'src="' . $media_url . '"';
 
+		// Graceful fallback: if media URL cannot be resolved (e.g. missing file),
+		// show a friendly message instead of rendering a broken player.
+		if ( empty( $media_url ) ) {
+			return '<p>' . esc_html__( 'Media file unavailable.', 'transcoder' ) . '</p>';
+		}
+
+		// Force valid `src` attribute.
+		$attrs['src'] = $media_url;
+
+		// Build audio shortcode attributes securely.
+		$audio_shortcode_attributes = '';
 		foreach ( $attrs as $key => $value ) {
-			$audio_shortcode_attributes .= ' ' . $key . '="' . $value . '"';
+			if ( in_array( $key, $allowed_audio_attrs, true ) ) {
+				// Escape URL for `src`, escape attr for others.
+				if ( 'src' === $key ) {
+					$value = esc_url( $value );
+				} else {
+					$value = esc_attr( $value );
+				}
+				$audio_shortcode_attributes .= ' ' . esc_attr( $key ) . '="' . $value . '"';
+			}
 		}
 
+		// Render the final [audio] shortcode.
 		$content = do_shortcode( "[audio {$audio_shortcode_attributes}]" );
 
 	} elseif ( 'image' === $mime_type[0] ) {
 
+		// Transcoder does not support images — return notice.
 		$content = '<p>' . esc_html__( 'Image attachments are not handled by Transcoder plugin.', 'transcoder' ) . '</p>';
 
 	}
 
+	// Add user feedback if file is still being transcoded.
 	if ( is_file_being_transcoded( $attachment_id ) ) {
 		$content .= '<p class="transcoding-in-progress"> ' . esc_html__( 'This file is being transcoded. Please wait.', 'transcoder' ) . '</p>';
 	}
 
 	/**
-	 * Allow user to filter [rt_media] short code content.
+	 * Allow user to filter [rt_media] shortcode output.
 	 *
 	 * @since 1.0.0
 	 *
-	 * @param string $content       Activity content.
-	 * @param int $attachment_id    ID of attachment.
+	 * @param string $content       Shortcode content.
+	 * @param int    $attachment_id Attachment ID.
 	 * @param string $media_url     URL of the media.
-	 * @param string $media_type    Mime type of the media.
+	 * @param string $media_type    Top-level mime type (video|audio|image).
 	 */
 	return apply_filters( 'rt_media_shortcode', $content, $attachment_id, $media_url, $mime_type[0] );
 }

languages/transcoder.pot

@@ -4,7 +4,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: http://community.rtcamp.com/\n"
-"POT-Creation-Date: 2025-05-30 17:03:33+00:00\n"
+"POT-Creation-Date: 2025-08-22 10:08:44+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
@@ -439,33 +439,41 @@ msgid ""
 "our <a href=\"%s\" target=\"_blank\">GoDAM</a> services."
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:87
+#: admin/rt-transcoder-functions.php:52
+msgid "Invalid attachment ID."
+msgstr ""
+
+#: admin/rt-transcoder-functions.php:72 admin/rt-transcoder-functions.php:106
+msgid "Media file unavailable."
+msgstr ""
+
+#: admin/rt-transcoder-functions.php:132
 msgid "Image attachments are not handled by Transcoder plugin."
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:92
+#: admin/rt-transcoder-functions.php:138
 msgid "This file is being transcoded. Please wait."
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:463 admin/rt-transcoder-functions.php:728
-#: admin/rt-transcoder-functions.php:901
+#: admin/rt-transcoder-functions.php:509 admin/rt-transcoder-functions.php:774
+#: admin/rt-transcoder-functions.php:947
 msgid "Check Status"
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:478 admin/rt-transcoder-functions.php:484
-#: admin/rt-transcoder-functions.php:924
+#: admin/rt-transcoder-functions.php:524 admin/rt-transcoder-functions.php:530
+#: admin/rt-transcoder-functions.php:970
 msgid "This file is converting. Please refresh the page after some time."
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:705
+#: admin/rt-transcoder-functions.php:751
 msgid "Transcode Status"
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:745
+#: admin/rt-transcoder-functions.php:791
 msgid "File is transcoded."
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:919
+#: admin/rt-transcoder-functions.php:965
 msgid ""
 "This file is converting. Please click on check status button to know "
 "current status or refresh the page after some time. "

readme.txt

@@ -3,14 +3,16 @@ Contributors: rtcamp, mangeshp, chandrapatel, manishsongirkar36, bhargavbhandari
 Tags: media, multimedia, audio, songs, music, video, ffmpeg, media-node, rtMedia, WordPress, kaltura, transcode, transcoder, encoding, encode
 Donate link: https://rtcamp.com/donate/
 Requires at least: 4.1
-Tested up to: 6.8.1
-Stable tag: 1.4.0
+Tested up to: 6.8.2
+Stable tag: 1.4.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
 Transcoding services for ANY WordPress website. Convert audio/video files of any format to a web-friendly format (mp3/mp4).
 
 == Description ==
+**Transcoder plugin has been discontinued and no longer maintained**, we recommend to use our new video management solution [GoDAM](https://godam.io/?utm_source=readme&utm_medium=plugin&utm_campaign=transcoder) which provides smart transcoding & adaptive bitrate, generate thumbnail, add custom layers, better way to organize media files, serve via CDN and do a lot more. Install the GoDAM plugin from [here](https://wordpress.org/plugins/godam)
+
 Transcoder easily converts all audio and video files uploaded to your website to a web-friendly format.
 
 Transcoder eliminates the need for a dedicated media node- no fiddling with installation, managing dependancies or renting servers! Transcoder also works on shared hosting- just install, subscribe and go!
@@ -63,6 +65,12 @@ Read [Documentation](https://rtmedia.io/docs/transcoder/?utm_source=readme&utm_m
 
 == Changelog ==
 
+= 1.4.1 [August 22, 2025] =
+
+* FIXED
+  * Added validation and sanitization for `[rt_media]` shortcode attributes.
+  * Graceful fallback when media file is unavailable (prevents broken audio/video players).
+
 = 1.4.0 [May 30, 2025]
 
 * REMOVED
@@ -254,6 +262,9 @@ Initial release
 
 == Upgrade Notice ==
 
+= 1.4.1 =
+Transcoder 1.4.1 with improved shortcode security.
+
 = 1.4.0 =
 Update to users - Discontinuing the Transcoder service and replacing with GoDAM.
 

rt-transcoder.php

@@ -3,7 +3,7 @@
  * Plugin Name: Transcoder
  * Plugin URI: https://rtmedia.io/transcoder/?utm_source=dashboard&utm_medium=plugin&utm_campaign=transcoder
  * Description: Audio & video transcoding services for ANY WordPress website. Allows you to convert audio/video files of any format to a web-friendly format (mp3/mp4).
- * Version: 1.4.0
+ * Version: 1.4.1
  * Text Domain: transcoder
  * Author: rtCamp
  * Author URI: https://rtcamp.com/?utm_source=dashboard&utm_medium=plugin&utm_campaign=transcoder
@@ -39,7 +39,7 @@
 	/**
 	 * The version of the plugin
 	 */
-	define( 'RT_TRANSCODER_VERSION', '1.4.0' );
+	define( 'RT_TRANSCODER_VERSION', '1.4.1' );
 }
 
 if ( ! defined( 'RT_TRANSCODER_NO_MAIL' ) && defined( 'VIP_GO_APP_ENVIRONMENT' ) ) {