diff --git a/gigpress.php b/gigpress.php
index d5647df..68d8d8e 100644
--- a/gigpress.php
+++ b/gigpress.php
@@ -404,6 +404,14 @@ function gigpress_prepare( $show, $scope = 'public' ) {
 }
+function gigpress_sanitize_sort($sort_value, $default = false, $safe_values = array('asc', 'desc')) {
+ if (!in_array($sort_value, $safe_values, true)) {
+ return $default;
+ }
+ return $sort_value;
+}
+
+
 function gigpress_related_link( $postid, $format) {
 if ( $postid == 0 ) return;
diff --git a/output/gigpress_related.php b/output/gigpress_related.php
index 35910c9..39da18b 100644
--- a/output/gigpress_related.php
+++ b/output/gigpress_related.php
@@ -23,6 +23,8 @@ function gigpress_show_related( $args = [], $content = '' ) {
 $sort = 'asc';
 }
+ $sort = gigpress_sanitize_sort($sort, $default = 'asc');
+
 // Date conditionals based on scope
 switch ( $arguments['scope'] ) {
 case 'upcoming':
diff --git a/output/gigpress_shows.php b/output/gigpress_shows.php
index 6e0499d..d0c2d9f 100644
--- a/output/gigpress_shows.php
+++ b/output/gigpress_shows.php
@@ -44,6 +44,8 @@ function gigpress_shows( $filter = null, $content = null ) {
 ), $filter ) );
+ $sort = gigpress_sanitize_sort($sort);
+
 $total_artists = $wpdb->get_var( "SELECT count(*) from " . GIGPRESS_ARTISTS );
 // Date conditionals and sorting based on scope
@@ -347,6 +349,8 @@ function gigpress_menu( $options = null ) {
 'sort' => 'desc',
 ), $options ) );
+ $sort = gigpress_sanitize_sort($sort, $default='desc');
+
 $base .= ( strpos( $base, '?' ) === false ) ? '?' : '&';
 // Date conditionals based on scope
diff --git a/readme.txt b/readme.txt
index 0fe5a9d..35f0ae2 100644
--- a/readme.txt
+++ b/readme.txt
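Review bot: `gigpress_sanitize_sort()` returns `false` for a rejected value unless the caller overrides `$default`, and `false` is not a sort direction — if the result is later concatenated into an `ORDER BY` clause (presumably why this whitelist exists; the query code is outside this diff) it stringifies to an empty string, so the fallback should itself be a safe direction, e.g. `function gigpress_sanitize_sort( $sort_value, $default = 'asc', $safe_values = array( 'asc', 'desc' ) ) {`. The strict `in_array()` is the right choice for a whitelist, but note it also rejects `ASC`/`Desc`, which shortcode authors may plausibly type; if that is intended it should be stated. The function has no docblock — something like `/** Return $sort_value only if it is one of $safe_values (strict comparison), otherwise $default. Call before interpolating a sort direction into SQL. */` would make the contract clear to the call sites this diff adds.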
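Review bot: `$default = 'asc'` inside the argument list is an assignment expression, not a named argument — it creates a stray local `$default` in `gigpress_show_related()` as a side effect and passes `'asc'` positionally, which happens to work but reads as if PHP 8 named arguments (`default: 'asc'`) were in use. Pass the value positionally instead: `$sort = gigpress_sanitize_sort( $sort, 'asc' );`. It is also worth confirming that nothing between this line and the eventual query reassigns `$sort` from unsanitized input; `gigpress_show_related()` begins before and ends after this hunk.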
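Review bot: This is the only one of the three new call sites that passes no fallback, so an invalid `sort` attribute leaves `$sort === false` in `gigpress_shows()` rather than a valid direction, and that value then flows into the "sorting based on scope" code that follows outside the hunk. Pass the same default that the attributes array closing just above this hunk (`), $filter ) );`) declares for `sort` — not visible here, likely `'asc'` or `'desc'` — e.g. `$sort = gigpress_sanitize_sort( $sort, 'asc' );`, so every path ends with a whitelisted direction. `gigpress_shows()` starts before and ends after this hunk.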
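Review bot: The `$default='desc'` in the argument list is a plain assignment that sets a local `$default` variable in `gigpress_menu()` as a side effect, not a named argument; the value still reaches the helper only because it is the second positional parameter. Replace it with `$sort = gigpress_sanitize_sort( $sort, 'desc' );`, which passes the fallback positionally and matches the `'sort' => 'desc'` default two lines above. `gigpress_menu()` starts before and ends after this hunk.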
@@ -38,7 +38,7 @@ If you want to go beyond GigPress, we also have other plugins that could work gr
 = 2.3.29 [2023-04-27] =
-* Tweak - Resolve a problematic usage of the shortcode `[gigpress_related]` improving the safety of the plugin.
+* Tweak - Resolve a problematic usage of the shortcodes params improving the safety of the plugin.
 = 2.3.28 [2022-12-27] =