commit v2.3.1

* date: November 23, 2023 * security fix CVE-2023-47511 Cross Site Scripting (XSS) vulnerability ([issue 22](#22) thanks for pointing it out @ramiror)
senlin · Nov 23, 2023 · 486eb6c · 486eb6c
1 parent c28bf76
commit 486eb6c
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -2,8 +2,8 @@
 
 [![plugin version](https://img.shields.io/wordpress/plugin/v/so-pinyin-slugs.svg)](https://wordpress.org/plugins/so-pinyin-slugs) [![WP compatibility](https://plugintests.com/plugins/so-pinyin-slugs/wp-badge.svg)](https://plugintests.com/plugins/so-pinyin-slugs/latest) [![PHP compatibility](https://plugintests.com/plugins/so-pinyin-slugs/php-badge.svg)](https://plugintests.com/plugins/so-pinyin-slugs/latest)
 
-###### Last updated on August 27, 2023
-###### tested up to WP 6.3
+###### Last updated on November 23, 2023
+###### tested up to WP 6.4
 ###### Authors: [Pieter Bos](https://github.com/senlin)
 ###### [Stable Version](https://wordpress.org/plugins/so-pinyin-slugs) (via WordPress Plugins Repository)
 ###### [Plugin homepage](https://so-wp.com/plugin/pinyin-slugs)
@@ -75,6 +75,11 @@ This repo is open to _any_ kind of contributions.
 
 ## Changelog
 
+### 2.3.1
+
+* date: November 23, 2023
+* security fix CVE-2023-47511 Cross Site Scripting (XSS) vulnerability ([issue 22](https://github.com/senlin/pinyin-slugs/issues/22) thanks for pointing it out @ramiror)
+
 ### 2.3.0
 
 * date: August 27, 2023

diff --git a/admin/settings.php b/admin/settings.php
@@ -3,6 +3,7 @@
  * Render the Plugin options form
  * @since 2014.07.29
  * @modified 2.1.3
+ * @modified 2.3.1
  */
 function sops_render_form() { ?>
 
@@ -48,7 +49,8 @@ function sops_render_form() { ?>
 						</th>
 
 						<td>
-							<input name="sops_options[slug_length]" type="number" id="slug_length" value="<?php echo $options['slug_length']; ?>" />
+							<input name="sops_options[slug_length]" type="number" id="slug_length" value="<?php echo esc_attr($options['slug_length']); ?>" /> <!-- Escaping the slug_length Value -->
+
 							<p class="description"><?php _e( 'By default the maximum slug length is set to 100 letters; anything over that limit will not be converted. If you want to change this limit, you can do that here.', 'so-pinyin-slugs' ); ?></p>
 							<input type="hidden" name="action" value="update" />
 							<input type="hidden" name="page_options" value="<?php echo $options['slug_length']; ?>" />

diff --git a/inc/functions.php b/inc/functions.php
@@ -6,9 +6,11 @@
   * and return the slug in Pinyin when true
   *
   * since version 2.0.0
+  * @modified 2.3.1
   */
 
 function getPinyinSlug( $strTitle ) {
+	$strTitle = sanitize_text_field( $strTitle ); // Sanitizing and Validating Input ($strTitle)
 	// Load Chinese character dictionary
 	global $dictPinyin;
 
@@ -56,6 +58,10 @@ function getPinyinSlug( $strTitle ) {
 		$strRet = $origStrTitle;
 	}
 
+	// Validate the output
+	$strRet = preg_replace('/[^A-Za-z0-9-_]/', '', $strRet);
+
+	// Return the sanitized slug
 	return $strRet;
 }
 
diff --git a/readme.txt b/readme.txt
@@ -2,8 +2,8 @@
 Contributors: senlin
 Tags: pinyin, permalinks, slugs, Mandarin, Chinese, traditional, simplified
 Requires at least: 4.4
-Tested up to: 6.3
-Stable tag: 2.3.0
+Tested up to: 6.4
+Stable tag: 2.3.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -79,6 +79,11 @@ Please open an issue over at [Github](https://github.com/senlin/so-pinyin-slugs/
 
 == Changelog ==
 
+= 2.3.1 =
+
+* date: November 23, 2023
+* security fix CVE-2023-47511 Cross Site Scripting (XSS) vulnerability ([issue 22](https://github.com/senlin/pinyin-slugs/issues/22) thanks for pointing it out @ramiror)
+
 = 2.3.0 =
 
 * date: August 27, 2023

diff --git a/so-pinyin-slugs.php b/so-pinyin-slugs.php
@@ -4,7 +4,7 @@
 Plugin URI: https://so-wp.com/plugin/pinyin-slugs
 Description: Transforms Simplified or Traditional Chinese character titles into Pinyin to create a permalink friendly slug.
 Author: SO WP
-Version: 2.3.0
+Version: 2.3.1
 Author URI: https://so-wp.com
 Text Domain: so-pinyin-slugs
 */
@@ -84,7 +84,7 @@ function init() {
 	function constants() {
 
 		/* Set the version number of the plugin. */
-		define( 'SOPS_VERSION', '2.3.0' );
+		define( 'SOPS_VERSION', '2.3.1' );
 
 		/* Set constant path to the plugin directory. */
 		define( 'SOPS_DIR', trailingslashit( plugin_dir_path( __FILE__ ) ) );