From ac4f2916accbd7f2b315b941ce8028302ab041ca Mon Sep 17 00:00:00 2001 From: snrbrnjna Date: Sat, 25 Feb 2023 15:30:24 +0100 Subject: [PATCH 1/4] sanitize all short code attributes --- gigpress.php | 10 ++++++++++ output/gigpress_related.php | 2 ++ output/gigpress_shows.php | 4 ++++ 3 files changed, 16 insertions(+) diff --git a/gigpress.php b/gigpress.php index e4cd444..c6926ed 100644 --- a/gigpress.php +++ b/gigpress.php @@ -404,6 +404,16 @@ function gigpress_prepare( $show, $scope = 'public' ) { } +function gigpress_sanitize_sort($sort_value, $default = false, $safe_values = array('asc', 'desc')) { + if (!in_array($sort_value, $safe_values, true)) { + // DEBUG + debug_log('hui, seems, to have an SQL injection attempt here? "'. $sort_value . '"'); + return $default; + } + return $sort_value; +} + + function gigpress_related_link( $postid, $format) { if ( $postid == 0 ) return; diff --git a/output/gigpress_related.php b/output/gigpress_related.php index 6db33d2..0025f32 100644 --- a/output/gigpress_related.php +++ b/output/gigpress_related.php @@ -17,6 +17,8 @@ function gigpress_show_related($args = array(), $content = '') { 'sort' => 'asc' ), $args)); + $sort = gigpress_sanitize_sort($sort, $default = 'asc'); + // Date conditionals based on scope switch($scope) { case 'upcoming': diff --git a/output/gigpress_shows.php b/output/gigpress_shows.php index 6e0499d..d0c2d9f 100644 --- a/output/gigpress_shows.php +++ b/output/gigpress_shows.php @@ -44,6 +44,8 @@ function gigpress_shows( $filter = null, $content = null ) { ), $filter ) ); + $sort = gigpress_sanitize_sort($sort); + $total_artists = $wpdb->get_var( "SELECT count(*) from " . GIGPRESS_ARTISTS ); // Date conditionals and sorting based on scope @@ -347,6 +349,8 @@ function gigpress_menu( $options = null ) { 'sort' => 'desc', ), $options ) ); + $sort = gigpress_sanitize_sort($sort, $default='desc'); + $base .= ( strpos( $base, '?' ) === false ) ? '?' : '&'; // Date conditionals based on scope 
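Review bot: The strict `in_array` check in `gigpress_sanitize_sort` rejects `ASC`/`DESC` and values with surrounding whitespace, so an existing shortcode written as `sort="DESC"` now silently falls back to `$default` (which is `false` unless the caller passes one) instead of the direction its author intended. Normalising before the allowlist check keeps the injection protection and avoids that regression: `$sort_value = is_string( $sort_value ) ? strtolower( trim( $sort_value ) ) : $sort_value;` placed ahead of the `in_array` line. The function also has no docblock; I would add one stating that it returns the input only when it is exactly one of `$safe_values`, otherwise `$default`, and that callers should pass a default matching their own shortcode default rather than relying on `false`. The `debug_log()` call is dropped again by patch 3/4 of this series, so I am not raising it here.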
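Review bot: `gigpress_sanitize_sort($sort, $default = 'asc')` in `gigpress_show_related` passes an assignment expression, not a named argument, so besides supplying `'asc'` it also creates or overwrites a local `$default` in the shortcode handler as a side effect; the call should read `$sort = gigpress_sanitize_sort( $sort, 'asc' );` (or `default: 'asc'` only if the plugin requires PHP 8.0+, which I cannot confirm from this hunk). The `'asc'` matches the `'sort' => 'asc'` entry in the defaults array that ends in the hunk's leading context, which is the right choice. Only `sort` is validated although the patch subject says all shortcode attributes are sanitized; the other attributes come from the array that starts above the hunk, so I cannot tell from here whether any of them reaches a query unchecked, but the subject and changelog should not promise more than the code does.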
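Review bot: `gigpress_sanitize_sort( $sort )` in `gigpress_shows` is the only call site that passes no default, so an unexpected `sort` value leaves `$sort` as `false`; if the sorting code below the hunk interpolates it into an `ORDER BY`, `false` concatenates as an empty string and the direction silently becomes the database default rather than the shortcode's own. The defaults array for this shortcode ends just above in the hunk's context, so its `sort` entry is not visible to me; pass that same value explicitly, e.g. `$sort = gigpress_sanitize_sort( $sort, 'asc' );` adjusted to whatever the array actually declares, so a rejected value degrades to the documented default instead of to `false`. The rest of `gigpress_shows`, including where `$sort` is consumed, lies outside the hunk.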
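Review bot: The `$default='desc'` inside the argument list in `gigpress_menu` is an assignment, not a named argument: it works because the assignment evaluates to `'desc'`, but it also writes a `$default` local into the function's scope, which a reader will not expect and which could shadow a variable of that name later in the function. Write it as `$sort = gigpress_sanitize_sort( $sort, 'desc' );`, which also matches the `'sort' => 'desc'` default visible in the leading context line. If `$sort` is appended to the `$base` query string further down, outside the hunk, it is worth confirming that the link-building code still escapes it with `esc_url`/`esc_attr` rather than relying on this allowlist alone.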
From 873412caf4cbd4d7891ed1323d6c21ef985108a7 Mon Sep 17 00:00:00 2001 From: snrbrnjna Date: Sat, 25 Feb 2023 15:32:12 +0100 Subject: [PATCH 2/4] bump version --- gigpress.php | 4 ++-- readme.txt | 6 +++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/gigpress.php b/gigpress.php index c6926ed..15b31a5 100644 --- a/gigpress.php +++ b/gigpress.php @@ -3,7 +3,7 @@ * Plugin Name: GigPress * Plugin URI: https://evnt.is/1aca * Description: GigPress is a live performance listing and management plugin built for musicians and performers. - * Version: 2.3.28 + * Version: 2.3.29 * Author: The Events Calendar * Author URI: https://evnt.is/1aor * Text Domain: gigpress @@ -46,7 +46,7 @@ } if ( ! defined( 'GIGPRESS_VERSION' ) ) { - define( 'GIGPRESS_VERSION', '2.3.26' ); + define( 'GIGPRESS_VERSION', '2.3.29' ); } if ( ! defined( 'GIGPRESS_DB_VERSION' ) ) { diff --git a/readme.txt b/readme.txt index b4a24c8..407aa6f 100644 --- a/readme.txt +++ b/readme.txt @@ -3,7 +3,7 @@ Contributors: theeventscalendar, brianjessee, camwynsp, aguseo, bordoni, borkweb Tags: concerts, bands, tours, shows, record labels, music, musicians, performers, artists Requires at least: 4.5 Tested up to: 6.1.1 -Stable tag: 2.3.28 +Stable tag: 2.3.29 GigPress is a live performance listing and management plugin that's been serving musicians and performers since 2007. @@ -36,6 +36,10 @@ If you want to go beyond GigPress, we also have other plugins that could work gr == Changelog == += 2.3.29 [2023-02-25] = + +* Tweak - Imporving safety for all shortcoe parameters + = 2.3.28 [2022-12-27] = * Tweak - Resolve a problematic usaged of the shortcode `[gigpress_menu]` improving the safety of the plugin. From 6f0ac1a6f04a1bacd12610526d98f90180885619 Mon Sep 17 00:00:00 2001 From: snrbrnjna Date: Sat, 25 Feb 2023 15:37:03 +0100 Subject: [PATCH 3/4] remove debug output --- gigpress.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/gigpress.php b/gigpress.php index 15b31a5..68d8d8e 100644 
--- a/gigpress.php +++ b/gigpress.php @@ -406,8 +406,6 @@ function gigpress_prepare( $show, $scope = 'public' ) { function gigpress_sanitize_sort($sort_value, $default = false, $safe_values = array('asc', 'desc')) { if (!in_array($sort_value, $safe_values, true)) { - // DEBUG - debug_log('hui, seems, to have an SQL injection attempt here? "'. $sort_value . '"'); return $default; } return $sort_value; From f380e97adfab68f682c11523496dd75449c9812c Mon Sep 17 00:00:00 2001 From: snrbrnjna Date: Sat, 25 Feb 2023 15:38:20 +0100 Subject: [PATCH 4/4] fix typos --- readme.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme.txt b/readme.txt index 407aa6f..fc2fad1 100644 --- a/readme.txt +++ b/readme.txt @@ -38,7 +38,7 @@ If you want to go beyond GigPress, we also have other plugins that could work gr = 2.3.29 [2023-02-25] = -* Tweak - Imporving safety for all shortcoe parameters +* Tweak - Improving safety for all shortcode parameters = 2.3.28 [2022-12-27] =