♻️ (wp) Improve wp escape attr

baptisteArno · Jul 16, 2024 · 867041e · 867041e
1 parent c6005c4
commit 867041e
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 22 deletions.
diff --git a/packages/embeds/wordpress/package.json b/packages/embeds/wordpress/package.json
@@ -1,13 +1,13 @@
 {
   "name": "@typebot.io/wordpress",
-  "version": "3.6.1",
+  "version": "4.0.0",
   "main": "index.js",
   "repository": "https://github.com/baptisteArno/typebot.io",
   "author": "baptisteArno",
   "license": "AGPL-3.0-or-later",
   "scripts": {
     "deploy": "pnpm copy && pnpm commit",
-    "copy": "svn copy ./trunk ./tags/3.6.1",
-    "commit": "svn ci -m 'Fix XSS vulnerability with shortcode attributes'"
+    "copy": "svn copy ./trunk ./tags/4.0.0",
+    "commit": "svn ci -m 'Use embed v0.3 by default'"
   }
 }
diff --git a/packages/embeds/wordpress/trunk/README.txt b/packages/embeds/wordpress/trunk/README.txt
@@ -5,7 +5,7 @@ Requires at least: 5.0
 Tested up to: 6.6
 License: GPL 2.0
 License URI: http://www.gnu.org/licenses/gpl-2.0.txt
-Stable Tag: 3.6.1
+Stable Tag: 4.0.0
 
 == Description ==
 Collect 4x more responses with conversational apps using Typebot.
@@ -24,6 +24,10 @@ This plugin relies on Typebot which is a tool that allows you to create conversa
 3. Activate your Typebot with the "Typebot" admin button located in the sidebar
 
 == Changelog ==
+= 4.0.0 =
+* Use embed lib v0.3 by default
+* Improve shortcode attributes validation
+
 = 3.6.1 =
 * Fix XSS vulnerability with shortcode attributes
 

diff --git a/packages/embeds/wordpress/trunk/admin/partials/typebot-admin-display.php b/packages/embeds/wordpress/trunk/admin/partials/typebot-admin-display.php
@@ -11,7 +11,7 @@
         ?>
         <div style="display: flex; flex-direction: column">
           <label>Library version:</label>
-          <input name="lib_version" value="<?php echo esc_attr(get_option('lib_version') !== null && get_option('lib_version') !== ''  ? get_option('lib_version') : '0.2'); ?>" style="padding: .5rem" />
+          <input name="lib_version" value="<?php echo esc_attr(get_option('lib_version') !== null && get_option('lib_version') !== ''  ? get_option('lib_version') : '0.3'); ?>" style="padding: .5rem" />
         </div>
 
         <div style="display: flex; flex-direction: column">

diff --git a/packages/embeds/wordpress/trunk/public/class-typebot-public.php b/packages/embeds/wordpress/trunk/public/class-typebot-public.php
@@ -40,7 +40,7 @@ public function add_head_code()
 
   function typebot_script()
   {
-    $lib_version = get_option('lib_version') !== null && get_option('lib_version') !== ''  ? get_option('lib_version') : '0.2';
+    $lib_version = get_option('lib_version') !== null && get_option('lib_version') !== ''  ? get_option('lib_version') : '0.3';
     echo '<script type="module">import Typebot from "https://cdn.jsdelivr.net/npm/@typebot.io/js@'.$lib_version.'/dist/web.js";';
     if (
       get_option('excluded_pages') !== null &&
@@ -90,27 +90,52 @@ function typebot_script()
     echo '</script>';
   }
 
-  public function add_typebot_container($attributes = [])
-  {
-    $lib_version = '0.2';
-    if(array_key_exists('lib_version', $attributes)) {
-      $lib_version = custom_sanitize_text_field($attributes['lib_version']);
+  public function add_typebot_container($attributes = []) {
+    $lib_version = '0.3';
+    if (array_key_exists('lib_version', $attributes)) {
+      $lib_version = $attributes['lib_version'];
+      if (strlen($lib_version) > 10 || !preg_match('/^\d+\.\d+(\.\d+)?$/', $lib_version)) {
+          $lib_version = '0.3';
+      } else {
+          $lib_version = sanitize_text_field($lib_version);
+      }
     }
-    $lib_url = "https://cdn.jsdelivr.net/npm/@typebot.io/js@". $lib_version ."/dist/web.js";
+    $lib_url = esc_url_raw("https://cdn.jsdelivr.net/npm/@typebot.io/js@". $lib_version ."/dist/web.js");
     $width = '100%';
     $height = '500px';
-    $api_host = 'https://typebot.io';
+    $api_host = 'https://typebot.co';
     if (array_key_exists('width', $attributes)) {
-      $width = custom_sanitize_text_field($attributes['width']);
+      $width = $attributes['width'];
+      if (strlen($width) > 10 || !preg_match('/^\d+(%|px)$/', $width)) {
+        $width = '100%';
+      } else {
+        $width = sanitize_text_field($width);
+      }
     }
     if (array_key_exists('height', $attributes)) {
-      $height = custom_sanitize_text_field($attributes['height']);
+      $height = $attributes['height'];
+      if (strlen($height) > 10 || !preg_match('/^\d+(%|px)$/', $height)) {
+        $height = '500px';
+      } else {
+        $height = sanitize_text_field($height);
+      }
     }
     if (array_key_exists('typebot', $attributes)) {
-      $typebot = custom_sanitize_text_field($attributes['typebot']);
+      $typebot = $attributes['typebot'];
+      if (strlen($typebot) > 50 || empty($typebot) || !preg_match('/^[a-zA-Z0-9_-]+$/', $typebot)) {
+        return;
+      } else {
+        $typebot = sanitize_text_field($typebot);
+      }
     }
     if (array_key_exists('host', $attributes)) {
-      $api_host = custom_sanitize_text_field($attributes['host']);
+      $api_host = $attributes['host'];
+      // Limit the length and sanitize
+      if (strlen($api_host) > 100 || !filter_var($api_host, FILTER_VALIDATE_URL)) {
+        $api_host = 'https://typebot.co'; // fallback to default host
+      } else {
+        $api_host = sanitize_text_field($api_host);
+      }
     }
     if (!$typebot) {
       return;
@@ -119,14 +144,14 @@ public function add_typebot_container($attributes = [])
     $id = $this->generateRandomString();
 
     $bot_initializer = '<script type="module">
-    import Typebot from "' . $lib_url . '"
+    import Typebot from "' . esc_url($lib_url) . '"
 
     const urlParams = new URLSearchParams(window.location.search);
     const queryParams = Object.fromEntries(urlParams.entries());
 
-    Typebot.initStandard({ apiHost: "' . $api_host . '", id: "' . $id . '", typebot: "' . $typebot . '", prefilledVariables: { ...window.typebotWpUser, ...queryParams } });</script>';
+    Typebot.initStandard({ apiHost: "' . esc_js($api_host) . '", id: "' . esc_js($id) . '", typebot: "' . esc_js($typebot) . '", prefilledVariables: { ...window.typebotWpUser, ...queryParams } });</script>';
 
-    return  '<typebot-standard id="' . $id . '" style="width: ' . $width . '; height: ' . $height . ';"></typebot-standard>' . $bot_initializer;
+    return  '<typebot-standard id="' . esc_attr($id) . '" style="width: ' . esc_attr($width) . '; height: ' . esc_attr($height) . ';"></typebot-standard>' . $bot_initializer;
   }
 
   private function generateRandomString($length = 10)

diff --git a/packages/embeds/wordpress/trunk/typebot.php b/packages/embeds/wordpress/trunk/typebot.php
@@ -3,7 +3,7 @@
 /**
  * Plugin Name:       Typebot
  * Description:       Convert more with conversational forms
- * Version:           3.6.1
+ * Version:           4.0.0
  * Author:            Typebot
  * Author URI:        http://typebot.io/
  * License:           GPL-2.0+
@@ -16,7 +16,7 @@
   die();
 }
 
-define('TYPEBOT_VERSION', '3.6.1');
+define('TYPEBOT_VERSION', '4.0.0');
 
 function activate_typebot()
 {