• I have not found a replacement but have not been happy about the security issue. So I have made a patch. Be warned that the patch below might break some of the advanced shortcode options. I do not use any of them so what I did was sanitize each to strip out any HTML.

    Starting at line 144 in /includes/class-widget-shortcode.php of the plugin.

        'before_widget' => '<' . esc_html($container_tag) . ' id="' . esc_html($container_id) . '" class="' . esc_html($container_class) . ' ' . esc_html($css_class) . '">',
        'before_title' => '<' . esc_html($title_tag) . ' class="' . esc_html($title_class) . '">',
        'after_title' => '</' . esc_html($title_tag) . '>',
        'after_widget' => '</' . esc_html($container_tag) . '>',

    So as you can see I have wrapped every shortcode option with an esc_html function to strip any HTML out of the inputs. If you use HTML in any of these such as css_class it will break things. But if you only use the plugin to place widgets on your site with the basic shortcode structure like [widget id="text-2"] then it will still work and be secure.

    If you do this I also suggest you edit the version number in the main file init.php so that site scans do not show the vulnerable version number.
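As an added example, not code from the reply above or from the plugin itself: the same idea taken one step further, with the tag names checked against an allow-list instead of being escaped, class values reduced to safe tokens, and esc_attr() used because the values land inside HTML attributes. The function name, the attribute names and how the container id is composed are assumptions; shortcode_atts(), sanitize_html_class(), sanitize_key() and esc_attr() are WordPress core functions.

```php
<?php
// Added example (not the plugin's own code). Builds the wrapper markup for a
// widget shortcode from untrusted shortcode attributes. The function and
// attribute names are assumed; the helpers called are WordPress core.

function example_widget_wrapper_args( array $atts ) {
    // Defaults for the shortcode options; shortcode_atts() drops any
    // attribute the shortcode does not declare.
    $atts = shortcode_atts( array(
        'id'              => '',
        'container_tag'   => 'div',
        'container_class' => 'widget',
        'css_class'       => '',
        'title_tag'       => 'h3',
        'title_class'     => 'widget-title',
    ), $atts, 'widget' );

    // Tag names come from a fixed allow-list rather than being escaped:
    // an escaped "<script>" would only render as text, but an allow-list
    // never lets an unexpected element reach the page at all.
    $allowed_tags  = array( 'div', 'section', 'aside', 'span', 'h2', 'h3', 'h4', 'p' );
    $container_tag = in_array( $atts['container_tag'], $allowed_tags, true ) ? $atts['container_tag'] : 'div';
    $title_tag     = in_array( $atts['title_tag'], $allowed_tags, true ) ? $atts['title_tag'] : 'h3';

    // Class names are reduced to [A-Za-z0-9_-] one token at a time (so a
    // value like "foo bar" keeps both classes) and the id to a safe key.
    $tokens  = preg_split( '/\s+/', $atts['container_class'] . ' ' . $atts['css_class'] );
    $classes = array_filter( array_map( 'sanitize_html_class', $tokens ) );
    // Assumed id composition; the plugin's real scheme is not shown in the thread.
    $container_id = sanitize_key( 'widget_' . $atts['id'] );

    // esc_attr() escapes for the attribute context the values are placed in.
    return array(
        'before_widget' => '<' . $container_tag . ' id="' . esc_attr( $container_id ) . '" class="' . esc_attr( implode( ' ', $classes ) ) . '">',
        'after_widget'  => '</' . $container_tag . '>',
        'before_title'  => '<' . $title_tag . ' class="' . esc_attr( sanitize_html_class( $atts['title_class'], 'widget-title' ) ) . '">',
        'after_title'   => '</' . $title_tag . '>',
    );
}
```

Unlike the esc_html approach, this keeps multi-class css_class values working while still rejecting anything that is not a plain class name.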
