From fc260e59feace81cdae65494c936df0e618eb1eb Mon Sep 17 00:00:00 2001
From: Gustavo Bordoni
Date: Thu, 27 Apr 2023 01:09:53 -0400
Subject: [PATCH 1/2] Resolve security problem and version bump to 2.3.29
---
 gigpress.php | 4 +-
 output/gigpress_related.php | 85 +++++++++++++++++++++++--------------
 readme.txt | 8 +++-
 3 files changed, 61 insertions(+), 36 deletions(-)
diff --git a/gigpress.php b/gigpress.php
index e4cd444..d5647df 100644
--- a/gigpress.php
+++ b/gigpress.php
@@ -3,7 +3,7 @@
 * Plugin Name: GigPress
 * Plugin URI: https://evnt.is/1aca
 * Description: GigPress is a live performance listing and management plugin built for musicians and performers.
- * Version: 2.3.28
+ * Version: 2.3.29
 * Author: The Events Calendar
 * Author URI: https://evnt.is/1aor
 * Text Domain: gigpress
@@ -46,7 +46,7 @@
 }
 if ( ! defined( 'GIGPRESS_VERSION' ) ) {
- define( 'GIGPRESS_VERSION', '2.3.26' );
+ define( 'GIGPRESS_VERSION', '2.3.29' );
 }
 if ( ! defined( 'GIGPRESS_DB_VERSION' ) ) {
diff --git a/output/gigpress_related.php b/output/gigpress_related.php
index 6db33d2..35910c9 100644
--- a/output/gigpress_related.php
+++ b/output/gigpress_related.php
@@ -1,24 +1,30 @@ 'all', - 'sort' => 'asc' ), $args));
+ 'sort' => 'asc',
+ ];
+ $arguments = shortcode_atts( $default_args, $args );
+
+ $sort = strtolower( sanitize_key( $arguments['sort'] ) );
+ if ( ! in_array( $sort, [ 'asc', 'desc' ] ) ) {
+ $sort = 'asc';
+ }
 // Date conditionals based on scope
- switch($scope) {
+ switch ( $arguments['scope'] ) {
 case 'upcoming':
 $date_condition = ">= '" . GIGPRESS_NOW . "'";
 break;
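Review bot: The allowlist check `if ( ! in_array( $sort, [ 'asc', 'desc' ] ) ) {` should pass `true` as the third argument; it is the only thing keeping `$sort` out of the ORDER BY clause this function builds later, so it should be strict and its purpose recorded, e.g. `// Allowlist: $sort is interpolated unescaped into ORDER BY below.` above it and `if ( ! in_array( $sort, [ 'asc', 'desc' ], true ) ) {`. As written the loose comparison is not exploitable because `sanitize_key()` always returns a string, and since `sanitize_key()` already lowercases its input the `strtolower()` wrapper is redundant. `$arguments['scope']` is constrained by the `switch` that follows rather than reaching the query directly, which is the right pattern. The start of gigpress_show_related is cut off in this hunk, so the `$default_args = [` line that the added `];` closes and the removed `shortcode_atts()` call are not legible here.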
@@ -29,26 +35,45 @@ function gigpress_show_related($args = array(), $content = '') {
 $date_condition = "IS NOT NULL";
 }
+ $artists_table = GIGPRESS_ARTISTS;
+ $venues_table = GIGPRESS_VENUES;
+ $shows_table = GIGPRESS_SHOWS;
+ $tours_table = GIGPRESS_TOURS;
+
 $shows = $wpdb->get_results(
- $wpdb->prepare("SELECT * FROM " . GIGPRESS_ARTISTS . " AS a, " . GIGPRESS_VENUES . " as v, " . GIGPRESS_SHOWS ." AS s LEFT JOIN " . GIGPRESS_TOURS . " AS t ON s.show_tour_id = t.tour_id WHERE show_related = %d AND show_expire " . $date_condition . " AND show_status != 'deleted' AND s.show_artist_id = a.artist_id AND s.show_venue_id = v.venue_id ORDER BY show_date " . $sort . ",show_expire " . $sort . ",show_time " . $sort, $post->ID)
+ $wpdb->prepare(
+ "
+ SELECT *
+ FROM {$artists_table} AS a,
+ {$venues_table} as v,
+ {$shows_table} AS s
+ LEFT JOIN {$tours_table} AS t
+ ON s.show_tour_id = t.tour_id
+ WHERE show_related = %d
+ AND show_expire {$date_condition}
+ AND show_status != 'deleted'
+ AND s.show_artist_id = a.artist_id
+ AND s.show_venue_id = v.venue_id
+ ORDER BY show_date {$sort}, show_expire {$sort}, show_time {$sort}",
+ $post->ID
+ )
 );
- if($shows != FALSE) {
+ if ( $shows != false ) {
- $shows_markup = array();
+ $shows_markup = [];
 ob_start();
- $count = 1;
- $total_shows = count($shows);
- foreach ($shows as $show) {
- $showdata = gigpress_prepare($show, 'related');
- include gigpress_template('related');
- if($gpo['output_schema_json'] == 'y')
- {
- $show_markup = gigpress_json_ld($showdata);
- array_push($shows_markup,$show_markup);
+ $count = 1;
+ $total_shows = count( $shows );
+ foreach ( $shows as $show ) {
+ $showdata = gigpress_prepare( $show, 'related' );
+ include gigpress_template( 'related' );
+ if ( $gpo['output_schema_json'] == 'y' ) {
+ $show_markup = gigpress_json_ld( $showdata );
+ array_push( $shows_markup, $show_markup );
 }
- $count++;
+ $count ++;
 }
 $giginfo = ob_get_clean();
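Review bot: `{$sort}` and `{$date_condition}` are interpolated unescaped into the SQL string handed to `$wpdb->prepare()` (the `AND show_expire` and `ORDER BY` lines), and nothing at the query site records why that is acceptable; it holds only because `$sort` is reduced to one of two fixed literals earlier in the function and `$date_condition` is assembled from fixed strings by the `switch` above this hunk. Add a comment above the `prepare()` call, e.g. `// $sort and $date_condition are not placeholders: both must stay restricted to the fixed literals chosen above, never raw shortcode input.`, so a later edit does not route attribute text into either variable. Only `$post->ID` goes through a placeholder (`%d`), which is correct. `if ( $shows != false ) {` relies on loose comparison against the array-or-null that `get_results()` returns; `if ( ! empty( $shows ) ) {` states the intent without changing which values pass. gigpress_show_related continues past the end of this hunk.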
@@ -59,17 +84,13 @@ function gigpress_show_related($args = array(), $content = '') {
 $output = $content . $giginfo;
 }
- if(!empty($shows_markup))
- {
+ if ( ! empty( $shows_markup ) ) {
 $output .= ''; }
diff --git a/readme.txt b/readme.txt
index b4a24c8..f435083 100644
--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: theeventscalendar, brianjessee, camwynsp, aguseo, bordoni, borkweb
 Tags: concerts, bands, tours, shows, record labels, music, musicians, performers, artists
 Requires at least: 4.5
 Tested up to: 6.1.1
-Stable tag: 2.3.28
+Stable tag: 2.3.29
 GigPress is a live performance listing and management plugin that's been serving musicians and performers since 2007.
@@ -36,9 +36,13 @@ If you want to go beyond GigPress, we also have other plugins that could work gr
 == Changelog ==
+= 2.3.29 [2023-04-27] =
+
+* Tweak - Resolve a problematic usage of the shortcode `[gigpress_menu]` improving the safety of the plugin.
+
 = 2.3.28 [2022-12-27] =
-* Tweak - Resolve a problematic usaged of the shortcode `[gigpress_menu]` improving the safety of the plugin.
+* Tweak - Resolve a problematic usage of the shortcode `[gigpress_menu]` improving the safety of the plugin.
 = 2.3.27 [2021-12-03] =
From 70a944be5e53d8bee32fb4b1aeece778b6e6e693 Mon Sep 17 00:00:00 2001
From: Gustavo Bordoni
Date: Thu, 27 Apr 2023 01:11:13 -0400
Subject: [PATCH 2/2] Fix changelog
---
 readme.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/readme.txt b/readme.txt
index f435083..0fe5a9d 100644
--- a/readme.txt
+++ b/readme.txt
@@ -38,7 +38,7 @@ If you want to go beyond GigPress, we also have other plugins that could work gr
 = 2.3.29 [2023-04-27] =
-* Tweak - Resolve a problematic usage of the shortcode `[gigpress_menu]` improving the safety of the plugin.
+* Tweak - Resolve a problematic usage of the shortcode `[gigpress_related]` improving the safety of the plugin.
 = 2.3.28 [2022-12-27] =