fix xss on helloasso iframe

emnbdx · emnbdx · commit 773f43c0f9d8 · 2024-06-27T16:41:41.000+02:00
diff --git a/public/class-hello-asso-public.php b/public/class-hello-asso-public.php
@@ -110,24 +110,27 @@ function ha_shortcode($atts)
 			$type = $atts['type'];
 			$allowed_styles = array(
 			'style' => array(
+			'width' => array(),
 			'height' => array(),
 			'border' => array(),
 				),
 			);
 
+			$pattern = '/^\d+px$/';
+
 			if($type == "widget-bouton")
 			{
-				$height = $atts['height'] ?? "70px";
+				$height = preg_match($pattern, $atts['height'] ?? 0) ? $atts['height'] : "70px";
 				$styleIframe = 'style="width:200px; height:'. $height . '; border:none;"';
 			}
 			else if($type == "widget")
 			{
-				$height = $atts['height'] ?? "750px";
+				$height = preg_match($pattern, $atts['height'] ?? 0) ? $atts['height'] : "750px";
 				$styleIframe = 'style="width:100%; height:'. $height . '; border:none;"';
 			}
 			else if($type == "widget-vignette")
 			{
-				$height = $atts['height'] ?? "450px";
+				$height = preg_match($pattern, $atts['height'] ?? 0) ? $atts['height'] : "450px";
 				$styleIframe = 'style="width:350px; height:'. $height . '; border:none;"';
 			}
 

Original file line number	Diff line number	Diff line change
`@@ -110,24 +110,27 @@ function ha_shortcode($atts)`
`110`	`110`	`$type = $atts['type'];`
`111`	`111`	`$allowed_styles = array(`
`112`	`112`	`'style' => array(`
	`113`	`+ 'width' => array(),`
`113`	`114`	`'height' => array(),`
`114`	`115`	`'border' => array(),`
`115`	`116`	`),`
`116`	`117`	`);`
`117`	`118`
	`119`	`+ $pattern = '/^\d+px$/';`
	`120`	`+`
`118`	`121`	`if($type == "widget-bouton")`
`119`	`122`	`{`
`120`		`- $height = $atts['height'] ?? "70px";`
	`123`	`+ $height = preg_match($pattern, $atts['height'] ?? 0) ? $atts['height'] : "70px";`
`121`	`124`	`$styleIframe = 'style="width:200px; height:'. $height . '; border:none;"';`
`122`	`125`	`}`
`123`	`126`	`else if($type == "widget")`
`124`	`127`	`{`
`125`		`- $height = $atts['height'] ?? "750px";`
	`128`	`+ $height = preg_match($pattern, $atts['height'] ?? 0) ? $atts['height'] : "750px";`
`126`	`129`	`$styleIframe = 'style="width:100%; height:'. $height . '; border:none;"';`
`127`	`130`	`}`
`128`	`131`	`else if($type == "widget-vignette")`
`129`	`132`	`{`
`130`		`- $height = $atts['height'] ?? "450px";`
	`133`	`+ $height = preg_match($pattern, $atts['height'] ?? 0) ? $atts['height'] : "450px";`
`131`	`134`	`$styleIframe = 'style="width:350px; height:'. $height . '; border:none;"';`
`132`	`135`	`}`
`133`	`136`