Merge branch 'hotfix/0.21.4'

src/classes/theme-helper/class-tainacan-theme-helper.php

@@ -499,9 +499,14 @@ class Theme_Helper {
 		// Passes arguments to custom props
 		if ($args) {
 			foreach ($args as $key => $value) {
-				if ($value == true || $value == 'true') {
-					$props .= str_replace('_', '-', $key) . '="' . $value . '" ';
-				}
+				if (is_bool($value))
+					$value = $value ? 'true' : 'false';
+				// Changes from PHP '_' notation to HTML '-' notation
+				$key_attr = str_replace('_', '-', $key);
+				if ( $key !== 'class' && $key !== 'style' && $key !== 'id' && strpos($key, 'data-') === false )
+					$key_attr = 'data-' . $key_attr;
+				
+				$props .= sprintf("%s='%s' ", $key_attr, esc_attr($value));
 			}
 		}
 
@@ -511,28 +516,28 @@ class Theme_Helper {
 			'div' => [
 				'id' => true,
 				'data-module' => true,
-				'collection-id' => true,
-				'hide-file-modal-button' => true,
-				'hide-text-modal-button' => true,
-				'hide-link-modal-button' => true,
-				'hide-thumbnail-section' => true,
-				'hide-attachments-section' => true,
-				'show-allow-comments-section' => true,
-				'hide-collapses' => true,
-				'hide-help-buttons' => true,
-				'hide-metadata-types' => true,
-				'help-info-bellow-label' => true,
-				'document-section-label' => true,
-				'thumbnail-section-label' => true,
-				'attachments-section-label' => true,
-				'metadata-section-label' => true,
-				'sent-form-heading' => true,
-				'sent-form-message' => true,
-				'item-link-button-label' => true,
-				'show-item-link-button' => true,
-				'show-terms-agreement-checkbox' => true,
-				'terms-agreement-message' => true,
-				'enabled-metadata' => true,
+				'data-collection-id' => true,
+				'data-hide-file-modal-button' => true,
+				'data-hide-text-modal-button' => true,
+				'data-hide-link-modal-button' => true,
+				'data-hide-thumbnail-section' => true,
+				'data-hide-attachments-section' => true,
+				'data-show-allow-comments-section' => true,
+				'data-hide-collapses' => true,
+				'data-hide-help-buttons' => true,
+				'data-hide-metadata-types' => true,
+				'data-help-info-bellow-label' => true,
+				'data-document-section-label' => true,
+				'data-thumbnail-section-label' => true,
+				'data-attachments-section-label' => true,
+				'data-metadata-section-label' => true,
+				'data-sent-form-heading' => true,
+				'data-sent-form-message' => true,
+				'data-item-link-button-label' => true,
+				'data-show-item-link-button' => true,
+				'data-show-terms-agreement-checkbox' => true,
+				'data-terms-agreement-message' => true,
+				'data-enabled-metadata' => true,
 			]
 		];
 
@@ -1096,10 +1101,43 @@ class Theme_Helper {
 				$value = $value ? 'true' : 'false';
 			// Changes from PHP '_' notation to HTML '-' notation
 			$key_attr = str_replace('_', '-', $key);
+			if ( $key !== 'class' && $key !== 'style' && $key !== 'id' && strpos($key, 'data-') === false )
+				$key_attr = 'data-' . $key_attr;
+			
 			$props .= sprintf("%s='%s' ", $key_attr, esc_attr($value));
 		}
 		
-		return "<div data-module='carousel-items-list' id='tainacan-items-carousel-shortcode_" . uniqid() . "' $props ></div>";
+		$allowed_html = [
+			'div' => [
+				'id' => true,
+				'class' => true,
+				'style' => true,
+				'data-module' => true,
+				'data-search-url' => true,
+				'data-selected-items' => true,
+				'data-arrows-position' => true,
+				'data-load-strategy' => true,
+				'data-collection-id' => true,
+				'data-auto-play' => true,
+				'data-auto-play-speed' => true,
+				'data-loop-slides' => true,
+				'data-hide-title' => true,
+				'data-large-arrows' => true,
+				'data-arrows-style' => true,
+				'data-image-size' => true,
+				'data-show-collection-header' => true,
+				'data-show-collection-label' => true,
+				'data-collection-background-color' => true,
+				'data-collection-text-color' => true,
+				'data-max-items-number' => true,
+				'data-max-items-per-screen' => true,
+				'data-space-between-items' => true,
+				'data-space-around-carousel' => true,
+				'data-tainacan-api-root' => true
+			]
+		];
+
+		return wp_kses( "<div data-module='carousel-items-list' id='tainacan-items-carousel-shortcode_" . uniqid() . "' $props ></div>", $allowed_html );
 	} 
 
 	/**
@@ -1174,10 +1212,49 @@ class Theme_Helper {
 				$value = $value ? 'true' : 'false';
 			// Changes from PHP '_' notation to HTML '-' notation
 			$key_attr = str_replace('_', '-', $key);
+			if ( $key !== 'class' && $key !== 'style' && $key !== 'id' && strpos($key, 'data-') === false )
+				$key_attr = 'data-' . $key_attr;
+
 			$props .= sprintf("%s='%s' ", $key_attr, esc_attr($value));
 		}
 		
-		return "<div data-module='dynamic-items-list' id='tainacan-dynamic-items-list-shortcode_" . uniqid(). "' $props ></div>";
+		$allowed_html = [
+			'div' => [
+				'data-module' => true,
+                'data-search-url' => true,
+                'data-selected-items' => true,
+                'data-collection-id' => true,
+                'data-show-image' => true,
+                'data-show-name' => true,
+                'data-show-search-bar' => true,
+                'data-show-collection-header' => true,
+                'data-show-collection-label' => true,
+                'data-image-size' => true,
+                'data-layout' => true,
+                'data-load-strategy' => true,
+                'data-mosaic-height' => true,
+                'data-mosaic-density' => true,
+                'data-mosaic-grid-rows' => true,
+                'data-mosaic-grid-columns' => true,
+                'data-mosaic-item-focal-point-x' => true,
+                'data-mosaic-item-focal-point-y' => true,
+                'data-max-columns-count' => true,
+                'data-collection-background-color' => true,
+                'data-collection-text-color' => true,
+                'data-grid-margin' => true,
+                'data-max-items-number' => true,
+                'data-order' => true,
+                'data-order-by' => true,
+                'data-order-by-meta-key' => true,
+                'data-tainacan-view-mode' => true,
+                'data-tainacan-api-root' => true,
+                'id' => true,
+				'class' => true,
+				'style' => true
+			]
+		];
+		
+		return wp_kses("<div data-module='dynamic-items-list' id='tainacan-dynamic-items-list-shortcode_" . uniqid(). "' $props ></div>", $allowed_html );
 	} 
 
 	/**

src/readme.txt

@@ -4,7 +4,7 @@ Tags: museums, archives, GLAM, collections, repository
 Requires at least: 5.9
 Tested up to: 6.5
 Requires PHP: 7.0
-Stable tag: 0.21.3
+Stable tag: 0.21.4
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -83,6 +83,12 @@ If you have Imagick installed on your server, Tainacan will be able to automatic
 * Contribute to the source code: [https://github.com/tainacan/tainacan](https://github.com/tainacan/tainacan)
 * Check our documentation Wiki: [https://wiki.tainacan.org/](https://wiki.tainacan.org/)
 
+== Frequently Asked Questions ==
+
+= Where do I report security bugs found in this plugin? =
+
+Please report security bugs found in the source code of the Tainacan plugin through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/tainacan). The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.
+
 == Screenshots ==
 
 1. Manage your repository

src/tainacan.php

@@ -5,17 +5,17 @@ Plugin URI: https://tainacan.org/
 Description: Open source, powerful and flexible repository platform for WordPress. Manage and publish you digital collections as easily as publishing a post to your blog, while having all the tools of a professional repository platform.
 Author: Tainacan.org
 Author URI: https://tainacan.org/
-Version: 0.21.3
+Version: 0.21.4
 Requires at least: 5.9
 Tested up to: 6.5
 Requires PHP: 7.0
-Stable tag: 0.21.3
+Stable tag: 0.21.4
 Text Domain: tainacan
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 */
 
-const TAINACAN_VERSION = '0.21.3';
+const TAINACAN_VERSION = '0.21.4';
 
 defined( 'ABSPATH' ) or die( 'No script kiddies please!' );
 $TAINACAN_BASE_URL = plugins_url('', __FILE__);

src/views/class-tainacan-admin.php

@@ -163,8 +163,15 @@ class Admin {
 	}
 
 	function roles_page() {
-		global $TAINACAN_BASE_URL;
-		echo "<div id='tainacan-roles-app' data-module='roles'></div>";
+		$allowed_html = [
+			'div' => [
+				'id' => true,
+				'style' => true,
+				'class' => true,
+				'data-module' => true
+			]
+		];
+		echo wp_kses( "<div id='tainacan-roles-app' data-module='roles'></div>", $allowed_html );
 	}
 
 	function add_reports_css() {
@@ -194,8 +201,16 @@ class Admin {
 	}
 
 	function reports_page() {
-		global $TAINACAN_BASE_URL;
-		echo "<div id='tainacan-reports-app'  data-module='reports'></div>";
+		
+		$allowed_html = [
+			'div' => [
+				'id' => true,
+				'style' => true,
+				'class' => true,
+				'data-module' => true
+			]
+		];
+		echo wp_kses( "<div id='tainacan-reports-app'  data-module='reports'></div>", $allowed_html );
 	}
 
 	function add_admin_css() {
@@ -411,7 +426,16 @@ class Admin {
 		$admin_options = apply_filters('tainacan-admin-ui-options', $_GET);
 		$admin_options = json_encode($admin_options);
 
-		echo "<div id='tainacan-admin-app' data-module='admin' data-options='$admin_options'></div>";
+		$allowed_html = [
+			'div' => [
+				'id' => true,
+				'style' => true,
+				'class' => true,
+				'data-module' => true,
+				'data-options' => true
+			]
+		];
+		echo wp_kses( "<div id='tainacan-admin-app' data-module='admin' data-options='$admin_options'></div>", $allowed_html );
 	}
 
 	function register_user_meta() {