v3.3.1 - security fixes to xss issues; bump leaflet to 1.9.4; fix !a…

…ttribution; fix maxzoom tile layers; allow german umlauts

class.leaflet-map.php

@@ -22,7 +22,7 @@ class Leaflet_Map
      * 
      * @var string major minor patch version
      */
-    public static $leaflet_version = '1.9.3';
+    public static $leaflet_version = '1.9.4';
 
     /**
      * Files to include upon init

leaflet-map.php

@@ -8,7 +8,7 @@
  * Author URI: https://bozdoz.com/
  * Text Domain: leaflet-map
  * Domain Path: /languages/
- * Version: 3.3.0
+ * Version: 3.3.1
  * License: GPL2
  * Leaflet Map is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -29,7 +29,7 @@
     exit; 
 }
 
-define('LEAFLET_MAP__PLUGIN_VERSION', '3.3.0');
+define('LEAFLET_MAP__PLUGIN_VERSION', '3.3.1');
 define('LEAFLET_MAP__PLUGIN_FILE', __FILE__);
 define('LEAFLET_MAP__PLUGIN_DIR', plugin_dir_path(__FILE__));
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "wp-plugin-leaflet-map",
   "private": true,
-  "version": "3.3.0",
+  "version": "3.3.1",
   "description": "Leaflet Map WordPress Plugin",
   "scripts": {
     "start": "docker-compose up && exit 0",

readme.txt

@@ -6,9 +6,9 @@ Contributors: bozdoz, hupe13, remigr, gerital, sal0max, thibault-barrat, sardyla
 Donate link: https://www.paypal.me/bozdoz
 Tags: leaflet, map, mobile, javascript, openstreetmap, mapquest, interactive
 Requires at least: 4.6
-Tested up to: 6.1.1
-Version: 3.3.0
-Stable tag: 3.3.0
+Tested up to: 6.3.1
+Version: 3.3.1
+Stable tag: 3.3.1
 License: GPLv2
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -149,6 +149,13 @@ For more FAQs, please visit the [FAQ section on GitHub here](https://github.com/
 
 == Changelog ==
 
+= 3.3.1 =
+* [Update] Default Leaflet map set at v1.9.4 
+* [Security] Escapes geojson popup properties to prevent XSS attacks
+* [Bug] Updates "!attribution" or "attribution=0" attributes to actually remove attribution
+* [Bug] Switches SANITIZE_FULL with SANITIZE to to allow "German umlauts"
+* [Bug] Fixes some issues when a map's max zoom differs from a tile layer's max zoom
+
 = 3.3.0 =
 * Adds 'leaflet_map_popup_message' filter for manipulating popup messages
 
@@ -460,6 +467,9 @@ For more FAQs, please visit the [FAQ section on GitHub here](https://github.com/
 
 == Upgrade Notice ==
 
+= 3.3.1 =
+* Escapes geojson popup properties to prevent XSS attacks
+
 = 3.2.0 =
 * Fixes error if geocoder fails to get a lat/lng
 * Fixes deprecated warnings in php 8.1

shortcodes/class.geojson-shortcode.php

@@ -120,8 +120,10 @@ protected function getHTML($atts='', $content=null)
 });
 var fitbounds = <?php echo $fitbounds ? '1' : '0'; ?>;
 var circleMarker = <?php echo $circleMarker ? '1' : '0'; ?>;
-var popup_text = window.WPLeafletMapPlugin.unescape("<?php echo $popup_text; ?>");
-var popup_property = "<?php echo $popup_property; ?>";
+var popup_text = window.WPLeafletMapPlugin.unescape("<?php echo esc_js(
+  $popup_text
+); ?>");
+var popup_property = "<?php echo esc_js($popup_property); ?>";
 var group = window.WPLeafletMapPlugin.getCurrentGroup();
 var markerOptions = window.WPLeafletMapPlugin.getIconOptions(<?php echo $options; ?>);
 layer.addTo( group );

shortcodes/class.map-shortcode.php

@@ -170,7 +170,9 @@ protected function getAtts($atts='')
 
         // custom field for moving to javascript
         // filter out any unwanted HTML tags (including img)
-        $map_options['attribution'] = wp_kses_post($atts['attribution']);
+        if ($atts['attribution'] !== 0) {
+            $map_options['attribution'] = wp_kses_post($atts['attribution']);
+        }
 
         // wrap as JSON
         $atts['map_options'] = json_encode($map_options);