Merge pull request #68 from snrbrnjna/sanitize-all-shortcode-atts

Sanitize all shortcode atts

gigpress.php

@@ -404,6 +404,14 @@ function gigpress_prepare( $show, $scope = 'public' ) {
 }
 
 
+function gigpress_sanitize_sort($sort_value, $default = false, $safe_values = array('asc', 'desc')) {
+    if (!in_array($sort_value, $safe_values, true)) {
+        return $default;
+    }
+    return $sort_value;
+}
+
+
 function gigpress_related_link( $postid, $format) {
 
 	if ( $postid == 0 ) return;

output/gigpress_related.php

@@ -23,6 +23,8 @@ function gigpress_show_related( $args = [], $content = '' ) {
 			$sort = 'asc';
 		}
 
+		$sort = gigpress_sanitize_sort($sort, $default = 'asc');
+
 		// Date conditionals based on scope
 		switch ( $arguments['scope'] ) {
 			case 'upcoming':

output/gigpress_shows.php

@@ -44,6 +44,8 @@ function gigpress_shows( $filter = null, $content = null ) {
 		), $filter )
 	);
 
+	$sort = gigpress_sanitize_sort($sort);
+
 	$total_artists = $wpdb->get_var( "SELECT count(*) from " . GIGPRESS_ARTISTS );
 
 	// Date conditionals and sorting based on scope
@@ -347,6 +349,8 @@ function gigpress_menu( $options = null ) {
 		'sort'       => 'desc',
 	), $options ) );
 
+	$sort = gigpress_sanitize_sort($sort, $default='desc');
+
 	$base .= ( strpos( $base, '?' ) === false ) ? '?' : '&';
 
 	// Date conditionals based on scope

readme.txt

@@ -38,7 +38,7 @@ If you want to go beyond GigPress, we also have other plugins that could work gr
 
 = 2.3.29 [2023-04-27] =
 
-* Tweak - Resolve a problematic usage of the shortcode `[gigpress_related]` improving the safety of the plugin.
+* Tweak - Resolve a problematic usage of the shortcodes params improving the safety of the plugin.
 
 = 2.3.28 [2022-12-27] =