From 11b939c6936df46b2be35182382bfb5a4385ebc8 Mon Sep 17 00:00:00 2001
From: Christian Gastrell
Date: Tue, 17 Oct 2023 12:42:56 -0300
Subject: [PATCH] VideoPress: Improve attribute escaping (#33637)
---
 .../videopress/changelog/improve-vp-attribute-escaping | 4 ++++
 projects/packages/videopress/package.json | 2 +-
 projects/packages/videopress/src/class-initializer.php | 8 ++++----
 .../packages/videopress/src/class-package-version.php | 2 +-
 4 files changed, 10 insertions(+), 6 deletions(-)
 create mode 100644 projects/packages/videopress/changelog/improve-vp-attribute-escaping
diff --git a/projects/packages/videopress/changelog/improve-vp-attribute-escaping b/projects/packages/videopress/changelog/improve-vp-attribute-escaping
new file mode 100644
index 0000000000000..294f81842c2b9
--- /dev/null
+++ b/projects/packages/videopress/changelog/improve-vp-attribute-escaping
@@ -0,0 +1,4 @@
+Significance: patch
+Type: security
+
+Escape VideoPress attributes
diff --git a/projects/packages/videopress/package.json b/projects/packages/videopress/package.json
index f1db8ab2618f3..dbf3ed6df4786 100644
--- a/projects/packages/videopress/package.json
+++ b/projects/packages/videopress/package.json
@@ -1,7 +1,7 @@
 {
 "private": true,
 "name": "@automattic/jetpack-videopress",
- "version": "0.17.5",
+ "version": "0.17.6-alpha",
 "description": "VideoPress package",
 "homepage": "https://github.com/Automattic/jetpack/tree/HEAD/projects/packages/videopress/#readme",
 "bugs": {
diff --git a/projects/packages/videopress/src/class-initializer.php b/projects/packages/videopress/src/class-initializer.php
index 8f87791a342f1..6cfdcbad1d704 100644
--- a/projects/packages/videopress/src/class-initializer.php
+++ b/projects/packages/videopress/src/class-initializer.php
@@ -237,7 +237,7 @@ public static function render_videopress_video_block( $block_attributes, $conten
 // Try to get the custom anchor from the block attributes.
 if ( isset( $block_attributes['anchor'] ) && $block_attributes['anchor'] ) {
- $id_attribute = sprintf( 'id="%s"', $block_attributes['anchor'] );
+ $id_attribute = sprintf( 'id="%s"', esc_attr( $block_attributes['anchor'] ) );
 } elseif ( preg_match( '/]*id="([^"]+)"/', $content, $matches ) ) {
 // Othwerwise, try to get the custom anchor from the element.
 $id_attribute = sprintf( 'id="%s"', $matches[1] );
@@ -266,9 +266,8 @@ public static function render_videopress_video_block( $block_attributes, $conten
 $inline_style = '';
 if ( $poster ) {
 $inline_style = sprintf(
- 'style="background-image: url(%s); background-size: cover;
- background-position: center center;"',
- $poster
+ 'style="background-image: url(%s); background-size: cover; background-position: center center;"',
+ esc_attr( $poster )
 );
 }
@@ -309,6 +308,7 @@ public static function render_videopress_video_block( $block_attributes, $conten
 );
 }
+ // $id_attribute, $video_wrapper, $figcaption properly escaped earlier on the code
 return sprintf(
 $figure_template,
 esc_attr( $classes ),
diff --git a/projects/packages/videopress/src/class-package-version.php b/projects/packages/videopress/src/class-package-version.php
index b628a3ce066e9..cc83a06783dce 100644
--- a/projects/packages/videopress/src/class-package-version.php
+++ b/projects/packages/videopress/src/class-package-version.php
@@ -11,7 +11,7 @@
 * The Package_Version class.
 */
 class Package_Version {
- const PACKAGE_VERSION = '0.17.5';
+ const PACKAGE_VERSION = '0.17.6-alpha';
 const PACKAGE_SLUG = 'videopress';
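Review bot: The `elseif` branch right after the added `esc_attr()` call still builds the attribute from the regex capture unescaped, `$id_attribute = sprintf( 'id="%s"', $matches[1] );`, so the comment the third hunk adds (`// $id_attribute, $video_wrapper, $figcaption properly escaped earlier on the code`) holds only for the block-attribute branch. The `[^"]+` capture cannot close the double-quoted attribute, but the value is copied verbatim from `$content`, and since `esc_attr()` does not double-encode existing entities, `$id_attribute = sprintf( 'id="%s"', esc_attr( $matches[1] ) );` is a safe drop-in that makes the comment true. Minor: the context comment reads `Othwerwise`, and the pattern as rendered here (`'/]*id="([^"]+)"/'`) looks to have lost a tag name to the page's markup stripping, so the file itself should be checked rather than this rendering. render_videopress_video_block starts before this hunk and continues past it.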
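Review bot: `esc_attr( $poster )` on the added line escapes for the HTML-attribute delimiters only; the value is interpolated into a CSS `url(%s)` token inside the `style` attribute, and `esc_attr()` leaves `(`, `)`, `;` and quotes as they are (and the entities it does emit are decoded by the HTML parser before the CSS parser runs), so a poster value containing those characters can still end the `url()` token and append declarations to the inline style. The escaper should match the innermost context: `esc_url()` restricts the scheme, and percent-encoding the CSS-significant characters first keeps them out of the token entirely, e.g. `'style="background-image: url(\'%s\'); background-size: cover; background-position: center center;"',` with `esc_url( str_replace( array( '(', ')', "'", '"' ), array( '%28', '%29', '%27', '%22' ), $poster ) )`. Where `$poster` is derived is outside the hunk; if it is already validated as a plain URL upstream this is defence in depth, but the inline-style context still warrants it. render_videopress_video_block starts before this hunk and continues past it.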