diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index ad92582..0000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "editor.formatOnSave": true -} diff --git a/class.leaflet-map.php b/class.leaflet-map.php index 5c36ac5..9fcc6d2 100644 --- a/class.leaflet-map.php +++ b/class.leaflet-map.php @@ -22,7 +22,7 @@ class Leaflet_Map * * @var string major minor patch version */ - public static $leaflet_version = '1.9.3'; + public static $leaflet_version = '1.9.4'; /** * Files to include upon init diff --git a/leaflet-map.php b/leaflet-map.php index e689105..2699411 100644 --- a/leaflet-map.php +++ b/leaflet-map.php @@ -8,7 +8,7 @@ * Author URI: https://bozdoz.com/ * Text Domain: leaflet-map * Domain Path: /languages/ - * Version: 3.3.0 + * Version: 3.3.1 * License: GPL2 * Leaflet Map is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -29,7 +29,7 @@ exit; } -define('LEAFLET_MAP__PLUGIN_VERSION', '3.3.0'); +define('LEAFLET_MAP__PLUGIN_VERSION', '3.3.1'); define('LEAFLET_MAP__PLUGIN_FILE', __FILE__); define('LEAFLET_MAP__PLUGIN_DIR', plugin_dir_path(__FILE__)); diff --git a/package-lock.json b/package-lock.json index 39425ae..0713305 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "wp-plugin-leaflet-map", - "version": "3.3.0", + "version": "3.3.1", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "wp-plugin-leaflet-map", - "version": "3.3.0", + "version": "3.3.1", "license": "GPL-2.0", "devDependencies": { "jest": "^27.0.5", diff --git a/package.json b/package.json index b1c8754..7085174 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "wp-plugin-leaflet-map", "private": true, - "version": "3.3.0", + "version": "3.3.1", "description": "Leaflet Map WordPress Plugin", "scripts": { "start": "docker-compose up && exit 0", 
diff --git a/readme.txt b/readme.txt index e8f3884..1d79897 100644 --- a/readme.txt +++ b/readme.txt @@ -6,9 +6,9 @@ Contributors: bozdoz, hupe13, remigr, gerital, sal0max, thibault-barrat, sardyla Donate link: https://www.paypal.me/bozdoz Tags: leaflet, map, mobile, javascript, openstreetmap, mapquest, interactive Requires at least: 4.6 -Tested up to: 6.1.1 -Version: 3.3.0 -Stable tag: 3.3.0 +Tested up to: 6.3.1 +Version: 3.3.1 +Stable tag: 3.3.1 License: GPLv2 License URI: https://www.gnu.org/licenses/gpl-2.0.html @@ -149,6 +149,13 @@ For more FAQs, please visit the [FAQ section on GitHub here](https://github.com/ == Changelog == += 3.3.1 = +* [Update] Default Leaflet map set at v1.9.4 +* [Security] Escapes geojson popup properties to prevent XSS attacks +* [Bug] Updates "!attribution" or "attribution=0" attributes to actually remove attribution +* [Bug] Switches SANITIZE_FULL with SANITIZE to to allow "German umlauts" +* [Bug] Fixes some issues when a map's max zoom differs from a tile layer's max zoom + = 3.3.0 = * Adds 'leaflet_map_popup_message' filter for manipulating popup messages @@ -460,6 +467,9 @@ For more FAQs, please visit the [FAQ section on GitHub here](https://github.com/ == Upgrade Notice == += 3.3.1 = +* Escapes geojson popup properties to prevent XSS attacks + = 3.2.0 = * Fixes error if geocoder fails to get a lat/lng * Fixes deprecated warnings in php 8.1 diff --git a/shortcodes/class.geojson-shortcode.php b/shortcodes/class.geojson-shortcode.php index 631ea99..3e16bfa 100644 --- a/shortcodes/class.geojson-shortcode.php +++ b/shortcodes/class.geojson-shortcode.php 
@@ -120,8 +120,10 @@ protected function getHTML($atts='', $content=null) }); var fitbounds = ; var circleMarker = ; -var popup_text = window.WPLeafletMapPlugin.unescape(""); -var popup_property = ""; +var popup_text = window.WPLeafletMapPlugin.unescape(""); +var popup_property = ""; var group = window.WPLeafletMapPlugin.getCurrentGroup(); var markerOptions = window.WPLeafletMapPlugin.getIconOptions(); layer.addTo( group ); diff --git a/shortcodes/class.map-shortcode.php b/shortcodes/class.map-shortcode.php index 51c1f0b..c2004ee 100644 --- a/shortcodes/class.map-shortcode.php +++ b/shortcodes/class.map-shortcode.php @@ -170,7 +170,9 @@ protected function getAtts($atts='') // custom field for moving to javascript // filter out any unwanted HTML tags (including img) - $map_options['attribution'] = wp_kses_post($atts['attribution']); + if ($atts['attribution'] !== 0) { + $map_options['attribution'] = wp_kses_post($atts['attribution']); + } // wrap as JSON $atts['map_options'] = json_encode($map_options);
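Review bot: On the new `popup_text` and `popup_property` lines the values are written inside double-quoted JavaScript string literals, so the escaping has to target a JS string context (`esc_js()` or a literal built with `wp_json_encode()`), not HTML escaping; the PHP expressions between the quotes are missing from this page, so which function the commit uses cannot be confirmed here. `popup_text` is then passed through `window.WPLeafletMapPlugin.unescape(...)`, which presumably reverses some encoding, so its result should be treated as untrusted markup wherever the popup is rendered. Once that second step is verified I would add a comment above the two lines such as `// shortcode attributes: escaped for a JS string literal; unescape() output is sanitized again before it is shown in a popup`, plus a test that puts a double quote and markup in both attributes. getHTML starts and ends outside the hunk.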
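Review bot: The new guard `if ($atts['attribution'] !== 0)` skips only the integer 0, so a string `'0'`, `false` or `null` still goes through `wp_kses_post()` and is stored in `$map_options['attribution']`. Shortcode attributes normally arrive as strings, and the step that would turn `attribution=0` or `!attribution` into an integer is not in this hunk (getAtts starts and ends outside it), so the fix depends on code that cannot be checked here. Either document that dependency next to the check, e.g. `// "!attribution" / attribution=0 must already be normalised to int 0 at this point`, or make the test explicit with `if (!in_array($atts['attribution'], [0, '0', false], true)) {`. The existing comment above the guard still says the value is filtered for unwanted HTML, which no longer describes the skipped case.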