VideoPress: Improve attribute escaping (#33637)

Automattic · Oct 17, 2023 · 11b939c · 11b939c
1 parent e9947ff
commit 11b939c
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 6 deletions.
diff --git a/projects/packages/videopress/changelog/improve-vp-attribute-escaping b/projects/packages/videopress/changelog/improve-vp-attribute-escaping
@@ -0,0 +1,4 @@
+Significance: patch
+Type: security
+
+Escape VideoPress attributes
diff --git a/projects/packages/videopress/package.json b/projects/packages/videopress/package.json
@@ -1,7 +1,7 @@
 {
 	"private": true,
 	"name": "@automattic/jetpack-videopress",
-	"version": "0.17.5",
+	"version": "0.17.6-alpha",
 	"description": "VideoPress package",
 	"homepage": "https://github.com/Automattic/jetpack/tree/HEAD/projects/packages/videopress/#readme",
 	"bugs": {

diff --git a/projects/packages/videopress/src/class-initializer.php b/projects/packages/videopress/src/class-initializer.php
@@ -237,7 +237,7 @@ public static function render_videopress_video_block( $block_attributes, $conten
 
 		// Try to get the custom anchor from the block attributes.
 		if ( isset( $block_attributes['anchor'] ) && $block_attributes['anchor'] ) {
-			$id_attribute = sprintf( 'id="%s"', $block_attributes['anchor'] );
+			$id_attribute = sprintf( 'id="%s"', esc_attr( $block_attributes['anchor'] ) );
 		} elseif ( preg_match( '/<figure[^>]*id="([^"]+)"/', $content, $matches ) ) {
 			// Othwerwise, try to get the custom anchor from the <figure /> element.
 			$id_attribute = sprintf( 'id="%s"', $matches[1] );
@@ -266,9 +266,8 @@ public static function render_videopress_video_block( $block_attributes, $conten
 			$inline_style = '';
 			if ( $poster ) {
 				$inline_style = sprintf(
-					'style="background-image: url(%s); background-size: cover;
-				background-position: center center;"',
-					$poster
+					'style="background-image: url(%s); background-size: cover; background-position: center center;"',
+					esc_attr( $poster )
 				);
 			}
 
@@ -309,6 +308,7 @@ public static function render_videopress_video_block( $block_attributes, $conten
 			);
 		}
 
+		// $id_attribute, $video_wrapper, $figcaption properly escaped earlier on the code
 		return sprintf(
 			$figure_template,
 			esc_attr( $classes ),

diff --git a/projects/packages/videopress/src/class-package-version.php b/projects/packages/videopress/src/class-package-version.php
@@ -11,7 +11,7 @@
  * The Package_Version class.
  */
 class Package_Version {
-	const PACKAGE_VERSION = '0.17.5';
+	const PACKAGE_VERSION = '0.17.6-alpha';
 
 	const PACKAGE_SLUG = 'videopress';