🐛 (wp) Fix XSS vuln shortcode attributes

Closes #1632

packages/embeds/wordpress/package.json

@@ -1,13 +1,13 @@
 {
   "name": "@typebot.io/wordpress",
-  "version": "3.6.0",
+  "version": "3.6.1",
   "main": "index.js",
   "repository": "https://github.com/baptisteArno/typebot.io",
   "author": "baptisteArno",
   "license": "AGPL-3.0-or-later",
   "scripts": {
     "deploy": "pnpm copy && pnpm commit",
-    "copy": "svn copy ./trunk ./tags/3.6.0",
-    "commit": "svn ci -m 'Add lib_version attr in admin panel'"
+    "copy": "svn copy ./trunk ./tags/3.6.1",
+    "commit": "svn ci -m 'Fix XSS vulnerability with shortcode attributes'"
   }
 }

packages/embeds/wordpress/trunk/README.txt

@@ -2,10 +2,10 @@
 Contributors: baptisteArno
 Tags: typebot, forms, surveys, quizzes, form builder, survey builder, quiz builder, custom forms, mobile forms, payment forms, order forms, feedback forms, enquiry forms, stripe, dropbox, google sheets, mailchimp, salesforce, hubspot, activecampaign, infusionsoft, asana, hipchat, slack, trello, zendesk
 Requires at least: 5.0
-Tested up to: 6.5
+Tested up to: 6.6
 License: GPL 2.0
 License URI: http://www.gnu.org/licenses/gpl-2.0.txt
-Stable Tag: 3.6.0
+Stable Tag: 3.6.1
 
 == Description ==
 Collect 4x more responses with conversational apps using Typebot.
@@ -24,6 +24,9 @@ This plugin relies on Typebot which is a tool that allows you to create conversa
 3. Activate your Typebot with the "Typebot" admin button located in the sidebar
 
 == Changelog ==
+= 3.6.1 =
+* Fix XSS vulnerability with shortcode attributes
+
 = 3.6.0 =
 * Add the lib_version attribute to wp admin panel
 

packages/embeds/wordpress/trunk/public/class-typebot-public.php

@@ -94,23 +94,23 @@ public function add_typebot_container($attributes = [])
   {
     $lib_version = '0.2';
     if(array_key_exists('lib_version', $attributes)) {
-      $lib_version = sanitize_text_field($attributes['lib_version']);
+      $lib_version = custom_sanitize_text_field($attributes['lib_version']);
     }
     $lib_url = "https://cdn.jsdelivr.net/npm/@typebot.io/js@". $lib_version ."/dist/web.js";
     $width = '100%';
     $height = '500px';
     $api_host = 'https://typebot.io';
     if (array_key_exists('width', $attributes)) {
-      $width = sanitize_text_field($attributes['width']);
+      $width = custom_sanitize_text_field($attributes['width']);
     }
     if (array_key_exists('height', $attributes)) {
-      $height = sanitize_text_field($attributes['height']);
+      $height = custom_sanitize_text_field($attributes['height']);
     }
     if (array_key_exists('typebot', $attributes)) {
-      $typebot = sanitize_text_field($attributes['typebot']);
+      $typebot = custom_sanitize_text_field($attributes['typebot']);
     }
     if (array_key_exists('host', $attributes)) {
-      $api_host = sanitize_text_field($attributes['host']);
+      $api_host = custom_sanitize_text_field($attributes['host']);
     }
     if (!$typebot) {
       return;
@@ -143,3 +143,9 @@ private function generateRandomString($length = 10)
     );
   }
 }
+
+function custom_sanitize_text_field($str) {
+  $str = str_replace(array('"', "'", '\\'), '', $str);
+  $str = sanitize_text_field($str);
+  return $str;
+}

packages/embeds/wordpress/trunk/typebot.php

@@ -3,7 +3,7 @@
 /**
  * Plugin Name:       Typebot
  * Description:       Convert more with conversational forms
- * Version:           3.6.0
+ * Version:           3.6.1
  * Author:            Typebot
  * Author URI:        http://typebot.io/
  * License:           GPL-2.0+
@@ -16,7 +16,7 @@
   die();
 }
 
-define('TYPEBOT_VERSION', '3.6.0');
+define('TYPEBOT_VERSION', '3.6.1');
 
 function activate_typebot()
 {