Xss vulnerabilities issue (#530)

* Xss vulnerabilities issue * feedback changes * Change and version update
Xtendify · Dec 14, 2023 · f607bf9 · f607bf9
1 parent fdc0d1d
commit f607bf9
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 4 deletions.
diff --git a/google-calendar-events.php b/google-calendar-events.php
@@ -23,7 +23,7 @@
 $this_plugin_constants = [
 	'SIMPLE_CALENDAR_VERSION' => 'PACKAGE_VERSION',
 	'SIMPLE_CALENDAR_FULLCALENDAR_VERSION' => '1.2.2',
-	'SIMPLE_CALENDAR_GOOGLE_CALENDAR_PRO_VERSION' => '1.1.3',
+	'SIMPLE_CALENDAR_GOOGLE_CALENDAR_PRO_VERSION' => '1.2.0',
 	'SIMPLE_CALENDAR_MAIN_FILE' => __FILE__,
 	'SIMPLE_CALENDAR_URL' => $this_plugin_dir,
 	'SIMPLE_CALENDAR_ASSETS' => $this_plugin_dir . 'assets/',

diff --git a/includes/feeds/admin/google-admin.php b/includes/feeds/admin/google-admin.php
@@ -381,7 +381,9 @@ public function test_api_key_connection($google_calendar_id)
 	 */
 	public function process_meta($post_id)
 	{
-		$calendar_id = isset($_POST['_google_calendar_id']) ? base64_encode(trim($_POST['_google_calendar_id'])) : '';
+		$calendar_id = isset($_POST['_google_calendar_id'])
+			? base64_encode(sanitize_text_field($_POST['_google_calendar_id']))
+			: '';
 		update_post_meta($post_id, '_google_calendar_id', $calendar_id);
 
 		$search_query = isset($_POST['_google_events_search_query'])
@@ -392,7 +394,10 @@ public function process_meta($post_id)
 		$recurring = isset($_POST['_google_events_recurring']) ? sanitize_key($_POST['_google_events_recurring']) : 'show';
 		update_post_meta($post_id, '_google_events_recurring', $recurring);
 
-		$max_results = isset($_POST['_google_events_max_results']) ? absint($_POST['_google_events_max_results']) : '2500';
+		$max_results_sanitize = isset($_POST['_google_events_max_results'])
+			? sanitize_text_field($_POST['_google_events_max_results'])
+			: '2500';
+		$max_results = absint($max_results_sanitize);
 		update_post_meta($post_id, '_google_events_max_results', $max_results);
 
 		$this->test_api_key_connection($calendar_id);

diff --git a/package.json b/package.json
@@ -2,7 +2,7 @@
   "name": "google-calendar-events",
   "title": "Simple Calendar",
   "description": "Add Google Calendar events to your WordPress site.",
-  "version": "3.2.6",
+  "version": "3.2.7",
   "license": "GPLv2+",
   "homepage": "https://simplecalendar.io",
   "repository": {

diff --git a/readme.txt b/readme.txt
@@ -97,6 +97,9 @@ We'd love your help! Here's a few things you can do:
 
 == Changelog ==
 
+= 3.2.7 =
+* Fix: Cross Site Scripting (XSS) vulnerability.
+
 = 3.2.6 =
 * Fix: CSRF vulnerability for bulk actions.
 * Dev: Update dependencies Carbon, Dayjs and TailwindCSS.