Merge pull request #197 from dcooney/release/5.6.0.1-security-updates
Adding security fixes and other parameter updates
dcooney authored Feb 16, 2023
2 parents dc81fc3 + d963e47 commit 62dff8d
Showing 8 changed files with 96 additions and 992 deletions.
8 changes: 7 additions & 1 deletion README.txt
Expand Up @@ -5,7 +5,7 @@ Tags: infinite scroll, load more, ajax, lazy load, endless scroll, infinite scro
Requires at least: 4.4
Requires PHP: 5.6
Tested up to: 6.1
Stable tag: 5.6.0
Stable tag: 5.6.0.1
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Expand Down Expand Up @@ -263,6 +263,12 @@ How to install Ajax Load More.

== Changelog ==

= 5.6.0.1 - February 16, 2023 =
* FIX: Added security fix for missing escaping on various shortcode params.
* FIX: Added fix for new alm object parameter.
* UPDATE: HTML data-attribute clean up on rendered shortcode parameters.


= 5.6.0 - February 14, 2023 =
* NEW: Added new ajaxloadmore.click() public JS function to manually trigger an Ajax Load More load action from any element on the screen.
* NEW: Added support for new Filter facets in Filters add-on version 2.0.
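--- a/ajax-load-more.php
+++ b/ajax-load-more.php
@@ -7,15 +7,15 @@
 * Author: Darren Cooney
 * Twitter: @KaptonKaos
 * Author URI: https://connekthq.com
-* Version: 5.6.0
+* Version: 5.6.0.1
 * License: GPL
 * Copyright: Darren Cooney & Connekt Media
 *
 * @package AjaxLoadMore
 */
 
-define( 'ALM_VERSION', '5.6.0' );
-define( 'ALM_RELEASE', 'February 14, 2023' );
+define( 'ALM_VERSION', '5.6.0.1' );
+define( 'ALM_RELEASE', 'February 16, 2023' );
 define( 'ALM_STORE_URL', 'https://connekthq.com' );
 
 // Plugin installation helpers.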
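--- a/core/classes/class-alm-noscript.php
+++ b/core/classes/class-alm-noscript.php
@@ -172,7 +172,7 @@ public static function build_noscript_paging( $query = [], $filters = false, $pe
 * @return HTMLElement
 */
 public static function render( $output, $container, $paging, $css_classes, $transition_container_classes ) {
-return ( ! empty( $output ) ) ? '<' . self::$element . '><' . $container . ' class="alm-listing alm-noscript' . $css_classes . '"><div class="alm-reveal' . $transition_container_classes . '">' . $output . '</div></' . $container . '>' . $paging . '</' . self::$element . '>' : '';
+return ( ! empty( $output ) ) ? '<' . esc_attr( self::$element ) . '><' . esc_attr( $container ) . ' class="alm-listing alm-noscript' . esc_attr( $css_classes ) . '"><div class="alm-reveal' . esc_attr( $transition_container_classes ) . '">' . $output . '</div></' . esc_attr( $container ) . '>' . $paging . '</' . esc_attr( self::$element ) . '>' : '';
 }
 
 /**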
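Review bot: `esc_attr()` is the wrong escaper for the two element names in the new `render()` return line: it encodes quotes and angle brackets but does not restrict the value to a valid tag name, so whitespace and attribute-like text in `$container` or `self::$element` would still end up inside the opening tag. The two class strings are in a quoted attribute, where `esc_attr()` is appropriate. For the tag names, check `$container` against an allowlist of the container types the shortcode supports before building the string, or at minimum use `tag_escape( $container )` and `tag_escape( self::$element )`. `$output` and `$paging` are still concatenated unescaped; presumably they are plugin-generated markup, but their origin is not visible in this hunk and is worth confirming.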
153 changes: 74 additions & 79 deletions core/classes/class-alm-shortcode.php

Large diffs are not rendered by default.

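--- a/core/functions.php
+++ b/core/functions.php
@@ -28,7 +28,7 @@ function alm_progress_css( $counter, $progress, $color ) {
 <style>
 .pace { -webkit-pointer-events: none; pointer-events: none; -webkit-user-select: none; -moz-user-select: none; user-select: none; }
 .pace-inactive { display: none; }
-.pace .pace-progress { background: #' . $color . '; position: fixed; z-index: 2000; top: 0; right: 100%; width: 100%; height: 5px; -webkit-box-shadow: 0 0 3px rgba(255, 255, 255, 0.3); box-shadow: 0 0 2px rgba(255, 255, 255, 0.3); }
+.pace .pace-progress { background: #' . esc_attr( $color ) . '; position: fixed; z-index: 2000; top: 0; right: 100%; width: 100%; height: 5px; -webkit-box-shadow: 0 0 3px rgba(255, 255, 255, 0.3); box-shadow: 0 0 2px rgba(255, 255, 255, 0.3); }
 </style>';
 return $style;
 }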
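Review bot: `esc_attr()` does not match the output context on the `.pace .pace-progress` line, where `$color` is placed inside a CSS declaration within a `<style>` element rather than in an HTML attribute. It keeps the value from closing the `<style>` tag, but CSS syntax such as `;` and `}` passes through unchanged, so the value is still not constrained to a colour. Validate it as a hex colour before the string is built, for example `$color = sanitize_hex_color_no_hash( $color ) ?: 'DEFAULT_HEX';`, where `DEFAULT_HEX` is a placeholder for the plugin's fallback colour. alm_progress_css() begins above this hunk, so how `$counter` and `$progress` are used is not visible here.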
12 changes: 7 additions & 5 deletions core/functions/masonry.php
Expand Up @@ -9,21 +9,23 @@
/**
* Masonry HTML wrapper open.
*
* @param string $transition
* @param string $transition Transition type.
* @return string Raw HTML.
* @since 3.1.0
*/
function alm_masonry_before( $transition ) {
return ( $transition === 'masonry' ) ? '<div class="alm-masonry" style="opacity: 0;">' : '';
return $transition === 'masonry' ? '<div class="alm-masonry" style="opacity: 0;">' : '';
}
add_filter( 'alm_masonry_before', 'alm_masonry_before' );

/**
* Masonry HTML wrapper close.
*
* @param $transition string
* @param string $transition Transition type.
* @return string Raw HTML.
* @since 3.1.0
*/
function alm_masonry_after( $transition ){
return ( $transition === 'masonry' ) ? '</div>' : '';
function alm_masonry_after( $transition ) {
return $transition === 'masonry' ? '</div>' : '';
}
add_filter( 'alm_masonry_after', 'alm_masonry_after' );
2 changes: 1 addition & 1 deletion core/src/js/ajax-load-more.js
Expand Up @@ -505,7 +505,7 @@ let alm_is_filtering = false;
alm.repeater = alm.repeater === undefined ? 'default' : alm.repeater;
alm.theme_repeater = alm.theme_repeater === undefined ? false : alm.theme_repeater;

/* Max Pages (while scrolling) */
/* Max Pages */
alm.max_pages = alm.max_pages === undefined || alm.max_pages === 0 ? 9999 : alm.max_pages;

/* Scroll Distance */