Merge pull request #9 from HelloAsso/fix/xss-injection-mika

Check if widget value correct to avoid injection

Author: emnbdx

README.txt

@@ -5,7 +5,7 @@ Tags: helloasso, paiement, association, crowdfunding, don
 Requires at least: 4.0
 Tested up to: 6.4.3
 Requires PHP: 7.2.34
-Stable tag: 1.1.11
+Stable tag: 1.1.12
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -81,6 +81,9 @@ https://www.youtube.com/watch?v=Bjaqc_Yun8g
 
 == Changelog ==
 
+= 1.1.12 =
+* Correction d'une faille XSS possible sur l'insertion de l'iframe
+
 = 1.1.11 =
 * Correction d'une faille Broken Access Control
 

admin/js/hello-asso-admin.js

@@ -16,7 +16,7 @@
  * Plugin Name:       HelloAsso
  * Plugin URI:        https://centredaide.helloasso.com/s/article/paiement-en-ligne-wordpress-integrer-vos-campagnes-helloasso
  * Description:       HelloAsso est la solution gratuite des associations pour collecter des paiements et des dons sur internet.
- * Version:           1.1.11
+ * Version:           1.1.12
  * Author:            HelloAsso
  * Author URI:        https://helloasso.com
  * License:           GPL-2.0+
@@ -36,7 +36,7 @@
  * Start at version 1.0.0 and use SemVer - https://semver.org
  * Rename this for your plugin and update it as you release new versions.
  */
-define('HELLO_ASSO_VERSION', '1.1.11');
+define('HELLO_ASSO_VERSION', '1.1.12');
 
 /**
  * The code that runs during plugin activation.

hello-asso.php

@@ -132,6 +132,12 @@ function ha_shortcode($atts)
 			{
 				$height = preg_match($pattern, $atts['height'] ?? 0) ? $atts['height'] : "450px";
 				$styleIframe = 'style="width:350px; height:'. $height . '; border:none;"';
+			} else {
+				$type = "";
+			}
+
+			if(!str_starts_with($url, "https://www.helloasso.com/")) {
+				$url = "";
 			}
 
 			ob_start();