From 237373b19ab7538a886943efd83ce16f36f57b49 Mon Sep 17 00:00:00 2001
From: filippo buratti <info@filippoburatti.net>
Date: Mon, 3 Apr 2023 17:40:45 +0200
Subject: [PATCH] Fix XSS Vulnerability

Escaping shortocde attribuites

https://github.com/TheWebShop/bootstrap-shortcodes/issues/79
---
 bootstrap-shortcodes.php |  2 +-
 inc/bs_alert.php         |  2 +-
 inc/bs_buttons.php       |  2 +-
 inc/bs_collapse.php      | 10 +++++-----
 inc/bs_grid.php          |  6 +++---
 inc/bs_icons.php         |  2 +-
 inc/bs_labels.php        |  2 +-
 inc/bs_tabs.php          |  8 ++++----
 inc/bs_well.php          |  4 ++--
 readme.txt               |  7 +++++--
 10 files changed, 24 insertions(+), 21 deletions(-)

diff --git a/bootstrap-shortcodes.php b/bootstrap-shortcodes.php
index 58730f7..5046790 100644
--- a/bootstrap-shortcodes.php
+++ b/bootstrap-shortcodes.php
@@ -3,7 +3,7 @@
 Plugin Name: Bootstrap Shortcodes
 Plugin URI: https://github.com/TheWebShop/bootstrap-shortcodes
 Description: A simple shortcode generator. Add buttons, columns, toggles and alerts to your theme.
-Version: 3.4.0
+Version: 3.4.1
 Author: Kevin Attfield
 Author URI: https://github.com/Sinetheta
 
diff --git a/inc/bs_alert.php b/inc/bs_alert.php
index 6d4cc0f..e43eadf 100644
--- a/inc/bs_alert.php
+++ b/inc/bs_alert.php
@@ -5,7 +5,7 @@ function bs_notice( $params, $content=null ) {
         'dismissible' => 'true'
     ), $params ) );
     $content = preg_replace( '/<br class="nc".\/>/', '', $content );
-    $result =  '<div class="alert alert-'.$type.($dismissible=='true'? ' alert-dismissible' : '').'">';
+    $result =  '<div class="alert alert-'.esc_attr($type).($dismissible=='true'? ' alert-dismissible' : '').'">';
     $result .= $dismissible=='true'? '<button type="button" class="close" data-dismiss="alert" aria-hidden="true">&times;</button>' : '';
     $result .= do_shortcode( $content );
     $result .= '</div>';
diff --git a/inc/bs_buttons.php b/inc/bs_buttons.php
index 60f7d81..f83a66a 100644
--- a/inc/bs_buttons.php
+++ b/inc/bs_buttons.php
@@ -8,7 +8,7 @@ function bs_buttons( $params, $content=null ) {
     ), $params ) );
 
     $content = preg_replace( '/<br class="nc".\/>/', '', $content );
-    $result = '<a class="btn btn-' . $size . ' btn-' . $type . '" href="' . $href . '">' . $value . '</a>';
+    $result = '<a class="btn btn-' . esc_attr($size) . ' btn-' . esc_attr($type) . '" href="' . esc_url($href) . '">' . esc_attr($value) . '</a>';
     return force_balance_tags( $result );
 }
 add_shortcode( 'bs_button', 'bs_buttons' );
diff --git a/inc/bs_collapse.php b/inc/bs_collapse.php
index 87675bb..b46e857 100644
--- a/inc/bs_collapse.php
+++ b/inc/bs_collapse.php
@@ -5,7 +5,7 @@ function bs_collapse( $params, $content=null ){
         'id'=>''
          ), $params ) );
     $content = preg_replace( '/<br class="nc".\/>/', '', $content );
-    $result = '<div class="panel-group" id="' . $id . '">';
+    $result = '<div class="panel-group" id="' . esc_attr($id) . '">';
     $result .= do_shortcode( $content );
     $result .= '</div>';
     return force_balance_tags( $result );
@@ -22,14 +22,14 @@ function bs_citem( $params, $content=null ){
          ), $params ) );
     $content = preg_replace( '/<br class="nc".\/>/', '', $content );
     $result =  '<div class="panel panel-default">';
-    $result .= '    <div class="panel-heading" role="tab" id="heading_' . $id . '">';
+    $result .= '    <div class="panel-heading" role="tab" id="heading_' . esc_attr($id) . '">';
     $result .= '        <h4 class="panel-title">';
-    $result .= '<a class="accordion-toggle collapsed" data-toggle="collapse" aria-controls="heading_' . $id . '" data-parent="#' . $parent . '" href="#' . $id . '">';
-    $result .= $title;
+    $result .= '<a class="accordion-toggle collapsed" data-toggle="collapse" aria-controls="heading_' . esc_attr($id) . '" data-parent="#' . esc_attr($parent) . '" href="#' . esc_attr($id) . '">';
+    $result .= esc_attr($title);
     $result .= '</a>';
     $result .= '        </h4>';
     $result .= '    </div>';
-    $result .= '    <div id="' . $id . '" class="panel-collapse collapse '.($open=='true'? 'in' : '').'" role="tabpanel" aria-labelledby="heading_' . $id . '">';
+    $result .= '    <div id="' . esc_attr($id) . '" class="panel-collapse collapse '.($open=='true'? 'in' : '').'" role="tabpanel" aria-labelledby="heading_' . esc_attr($id) . '">';
     $result .= '        <div class="panel-body">';
     $result .= do_shortcode( $content );
     $result .= '        </div>';
diff --git a/inc/bs_grid.php b/inc/bs_grid.php
index 329038f..22a7d53 100644
--- a/inc/bs_grid.php
+++ b/inc/bs_grid.php
@@ -5,7 +5,7 @@ function bs_row( $params, $content=null ) {
         'class' => 'row'
     ), $params ) );
     $content = preg_replace( '/<br class="nc".\/>/', '', $content );
-    $result = '<div class="' . $class . '">';
+    $result = '<div class="' . esc_attr($class) . '">';
     $result .= do_shortcode( $content );
     $result .= '</div>';
     return force_balance_tags( $result );
@@ -17,9 +17,9 @@ function bs_span( $params, $content=null ) {
         'class' => 'col-sm-1'
         ), $params ) );
 
-    $result = '<div class="' . $class . '">';
+    $result = '<div class="' . esc_attr($class) . '">';
     $result .= do_shortcode( $content );
     $result .= '</div>';
     return force_balance_tags( $result );
 }
-add_shortcode( 'bs_col', 'bs_span' );
\ No newline at end of file
+add_shortcode( 'bs_col', 'bs_span' );
diff --git a/inc/bs_icons.php b/inc/bs_icons.php
index 1063ac3..1a8decd 100644
--- a/inc/bs_icons.php
+++ b/inc/bs_icons.php
@@ -6,7 +6,7 @@ function bs_icons( $params, $content=null ) {
     ), $params));
 
     $content = preg_replace( '/<br class="nc".\/>/', '', $content );
-    $result = '<i class="' . $name . '"></i>';
+    $result = '<i class="' . esc_attr($name) . '"></i>';
     return force_balance_tags( $result );
 }
 add_shortcode( 'bs_icon', 'bs_icons' );
diff --git a/inc/bs_labels.php b/inc/bs_labels.php
index 523cf9d..7bef796 100644
--- a/inc/bs_labels.php
+++ b/inc/bs_labels.php
@@ -5,7 +5,7 @@ function bs_labels( $params, $content=null ) {
     ), $params ) );
 
     $content = preg_replace( '/<br class="nc".\/>/', '', $content );
-    $result = '<span class="label label-' . $type . '">' . $content . '</span>';
+    $result = '<span class="label label-' . esc_attr($type) . '">' . $content . '</span>';
     return force_balance_tags( $result );
 }
 add_shortcode( 'bs_label', 'bs_labels' );
diff --git a/inc/bs_tabs.php b/inc/bs_tabs.php
index c05daa7..b607e17 100644
--- a/inc/bs_tabs.php
+++ b/inc/bs_tabs.php
@@ -40,8 +40,8 @@ function bs_tab( $params, $content=null ) {
         ), $params ) );
     $content = preg_replace( '/<br class="nc".\/>/', '', $content );
 
-    $result = '<li class="' . $class . '">';
-    $result .= '<a data-toggle="tab" href="' . $href . '">' . $title . '</a>';
+    $result = '<li class="' . esc_attr($class) . '">';
+    $result .= '<a data-toggle="tab" href="' . esc_url($href) . '">' . esc_attr($title) . '</a>';
     $result .= '</li>';
     return force_balance_tags( $result );
 }
@@ -56,7 +56,7 @@ function bs_dropdown( $params, $content=null ) {
         ), $params ) );
     $content = preg_replace( '/<br class="nc".\/>/', '', $content );
     $result = '<li class="dropdown">';
-    $result .= '<a class="' . $class . '" id="' . $id . '" class="dropdown-toggle" data-toggle="dropdown">' . $title . '<b class="caret"></b></a>';
+    $result .= '<a class="' . esc_attr($class) . '" id="' . esc_attr($id) . '" class="dropdown-toggle" data-toggle="dropdown">' . esc_attr($title) . '<b class="caret"></b></a>';
     $result .= '<ul class="dropdown-menu">';
     $result .= do_shortcode( $content );
     $result .= '</ul></li>';
@@ -80,7 +80,7 @@ function bs_tcontent( $params, $content=null ) {
         ), $params ) );
     $content = preg_replace( '/<br class="nc".\/>/', '', $content );
     $class = ($class=='active')? 'active in': '';
-    $result = '<div class="tab-pane fade ' . $class . '" id=' . $id . '>';
+    $result = '<div class="tab-pane fade ' . esc_attr($class) . '" id=' . esc_attr($id) . '>';
     $result .= do_shortcode( $content );
     $result .= '</div>';
     return force_balance_tags( $result );
diff --git a/inc/bs_well.php b/inc/bs_well.php
index 72b87a9..e074348 100644
--- a/inc/bs_well.php
+++ b/inc/bs_well.php
@@ -5,9 +5,9 @@ function bs_well( $params, $content=null ) {
     ), $params));
 
     $content = preg_replace( '/<br class="nc".\/>/', '', $content );
-    $result =  '<div class="well well-' . $size . '">';
+    $result =  '<div class="well well-' . esc_attr($size) . '">';
     $result .= do_shortcode( $content );
     $result .= '</div>';
     return force_balance_tags( $result );
 }
-add_shortcode( 'bs_well', 'bs_well' );
\ No newline at end of file
+add_shortcode( 'bs_well', 'bs_well' );
diff --git a/readme.txt b/readme.txt
index 90c75fc..7df5e6b 100644
--- a/readme.txt
+++ b/readme.txt
@@ -2,8 +2,8 @@
 Contributors: sinetheta, beaurixon, no3x, Designwall Team
 Tags: shortcode, shortcodes, bootstrap, buttons, grid, well, responsive, widget
 Requires at least: 3.9
-Tested up to: 4.3
-Stable tag: 3.4.0
+Tested up to: 6.2
+Stable tag: 3.4.1
 License: GNU General Public License v2.0
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -48,6 +48,9 @@ Please report issues directly to our [Github repository](https://github.com/TheW
 
 == Changelog ==
 
+= 3.4.1 =
+* Fix XSS vulnerability (escaping shortcode attributes)
+
 = 3.4.0 =
 * Updated icons to 3.3.5
 * Added control panel popup for inserting alerts.