Merge branch 'release/1.13.13'

.github/workflows/phpunit.yml

@@ -15,15 +15,15 @@ jobs:
     runs-on: ubuntu-latest
     services:
       mysql:
-        image: mariadb:10.4
+        image: mariadb:10.5
         ports:
           - 3306:3306
         env:
           MYSQL_ROOT_PASSWORD: root
         options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=10s --health-retries=10
     strategy:
       matrix:
-        php-versions: ['5.6', '7.2', '7.3', '7.4']
+        php-versions: ['7.2', '7.3', '7.4', '8.0']
 
     steps:
     - uses: actions/checkout@v3

composer.json

@@ -27,7 +27,7 @@
   "require-dev": {
     "roave/security-advisories": "dev-latest",
     "phpunit/phpunit": "^5.7.27",
-    "yoast/phpunit-polyfills": "^1.0.3"
+    "yoast/phpunit-polyfills": "^1.1.0"
   },
   "scripts": {
     "test": "phpunit"

docker-dev/docker-compose.yarn.yml

@@ -1,5 +1,3 @@
-version: '2'
-
 services:
   yarn:
     image: juliquiron/wordpress-phpunit-test-runner-gitlab-ci

docker-dev/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '2'
-
 services:
   wordpress:
     image: wordpress:php7.4

geo-mashup.php

@@ -3,7 +3,7 @@
 Plugin Name: Geo Mashup
 Plugin URI: https://wordpress.org/plugins/geo-mashup/
 Description: Save location for posts and pages, or even users and comments. Display these locations on Google, Leaflet, and OSM maps. Make WordPress into your GeoCMS.
-Version: 1.13.12
+Version: 1.13.13
 Author: Dylan Kuhn
 Text Domain: GeoMashup
 Domain Path: /lang
@@ -256,7 +256,7 @@ private static function load_constants() {
 		define('GEO_MASHUP_DIRECTORY', dirname( GEO_MASHUP_PLUGIN_NAME ) );
 		define('GEO_MASHUP_URL_PATH', trim( plugin_dir_url( __FILE__ ), '/' ) );
 		define('GEO_MASHUP_MAX_ZOOM', 20);
-		define('GEO_MASHUP_VERSION', '1.13.12');
+		define('GEO_MASHUP_VERSION', '1.13.13');
 		define('GEO_MASHUP_DB_VERSION', '1.3');
 	}
 
@@ -1280,7 +1280,7 @@ public static function full_post($args = null) {
 		// It's nice if click-to-load works in the full post display
 		self::$add_loader_script = true;
 
-		return '<div id="' . $for_map . '-post"></div>';
+		return '<div id="' . esc_attr($for_map) . '-post"></div>';
 	}
 
 	/**
@@ -1361,7 +1361,7 @@ public static function term_legend($args = null) {
 			}
 		}
 
-		return '<div id="' . $id . '" class="' . implode( ' ', $classes ) . '"></div>';
+		return '<div id="' . esc_attr($id) . '" class="' . esc_attr(implode( ' ', $classes )) . '"></div>';
 	}
 
 	/**
@@ -1402,7 +1402,7 @@ public static function list_cats($content, $category = null) {
 			if ($count) {
 				// This feature doesn't work unless there is a category description
 				if ( empty( $category->description ) ) {
-					return $content . $geo_mashup_options->get('overall', 'category_link_separator') .
+					return $content . esc_html($geo_mashup_options->get('overall', 'category_link_separator')) .
 						__( 'You must add a description to this category to use this Geo Mashup feature.', 'GeoMashup' );
 				}
 				$url = get_page_link($geo_mashup_options->get('overall', 'mashup_page'));
@@ -1411,10 +1411,10 @@ public static function list_cats($content, $category = null) {
 				} else {
 					$url .= '?';
 				}
-				$link = '<a href="'.$url.'map_cat='.$category->cat_ID.'&amp;zoom='.$geo_mashup_options->get('overall', 'category_zoom').
-					'" title="'.$geo_mashup_options->get('overall', 'category_link_text').'">';
-				return $content.'</a>'.$geo_mashup_options->get('overall', 'category_link_separator').$link.
-					$geo_mashup_options->get('overall', 'category_link_text');
+				$link = '<a href="'.$url.'map_cat='.$category->cat_ID.'&amp;zoom='.esc_attr($geo_mashup_options->get('overall', 'category_zoom')).
+					'" title="'.esc_attr($geo_mashup_options->get('overall', 'category_link_text')).'">';
+				return $content.'</a>'.esc_html($geo_mashup_options->get('overall', 'category_link_separator')).$link.
+					esc_html($geo_mashup_options->get('overall', 'category_link_text'));
 			}
 		}
 		return $content;
@@ -1732,7 +1732,7 @@ public static function show_on_map_link( $args = null ) {
 					'/images/geotag_16.png" alt="'.__('Geotag Icon','GeoMashup').'"/>';
 			}
 			$link = '<a class="gm-link" href="'.$url.'">'.
-				$icon.' '.$options['text'].'</a>';
+				$icon.' '.esc_html($options['text']).'</a>';
 			if ($options['display']) {
 				echo $link;
 			}
@@ -1769,7 +1769,7 @@ public static function visible_posts_list($args = null) {
 			}
 			$list_html .= balanceTags( $heading_div . $heading_tags . $args['heading_text'], true );
 		}
-		$list_html .= '<div id="' . $for_map . '-visible-list"></div>';
+		$list_html .= '<div id="' . esc_attr($for_map) . '-visible-list"></div>';
 		return $list_html;
 	}
 
@@ -1827,7 +1827,7 @@ public static function list_located_posts_by_area( $args ) {
 			if ( $country_count > 1 ) {
 				$country_name = GeoMashupDB::get_administrative_name( $country->country_code );
 				$country_name = $country_name ? $country_name : $country->country_code;
-				$country_heading = '<h3 id="' . $country->country_code . $id_suffix . '">' . $country_name . '</h3>';
+				$country_heading = '<h3 id="' . esc_attr($country->country_code . $id_suffix) . '">' . esc_html($country_name) . '</h3>';
 			}
 
 			$states = GeoMashupDB::get_distinct_located_values(
@@ -1853,17 +1853,17 @@ public static function list_located_posts_by_area( $args ) {
 					if ( null !== $states[0]->admin_code ) {
 						$state_name = GeoMashupDB::get_administrative_name( $country->country_code, $state->admin_code );
 						$state_name = $state_name ? $state_name : $state->admin_code;
-						$list_html .= '<h4 id="' . $country->country_code . '-' . $state->admin_code . $id_suffix . '">' . $state_name . '</h4>';
+						$list_html .= '<h4 id="' . esc_attr($country->country_code) . '-' . esc_attr($state->admin_code . $id_suffix) . '">' . esc_html($state_name) . '</h4>';
 					}
 					$list_html .= '<ul class="gm-index-posts">';
 					foreach ( $post_locations as $post_location ) {
 						$list_html .= '<li><a href="' .
 							get_permalink( $post_location->object_id ) .
 							'">' .
-							$post_location->label .
+							esc_html($post_location->label) .
 							'</a>';
 						if ( isset( $args['include_address'] ) && $args['include_address'] === 'true' ) {
-							$list_html .= '<p>' . $post_location->address . '</p>';
+							$list_html .= '<p>' . esc_html($post_location->address) . '</p>';
 						}
 						$list_html .= '</li>';
 					}
@@ -2080,7 +2080,7 @@ public static function tabbed_term_index( $args ) {
 			$classes[] = 'disable-tab-auto-select';
 		}
 
-		return '<div id="' . $id . '" class="' . implode( ' ', $classes ) . '"></div>';
+		return '<div id="' . esc_attr($id) . '" class="' . esc_attr(implode( ' ', $classes )) . '"></div>';
 	}
 	/**
 	 * Enqueue widget assets in admin.

package.json

@@ -1,6 +1,6 @@
 {
   "license": "GPL-2.0-or-later",
-  "version": "1.13.12",
+  "version": "1.13.13",
   "devDependencies": {
     "@larscom/cpx": "^2.0.0",
     "csso-cli": "^3.0.0",

readme.txt

@@ -3,8 +3,8 @@ Contributors: cyberhobo, freemius
 Donate Link:
 Tags: map, maps, google maps, google map, mapping, mashup, geo, google, geocms
 Requires at least: 3.7
-Tested up to: 6.2.2
-Stable tag: 1.13.12
+Tested up to: 6.6.2
+Stable tag: 1.13.13
 License: GPL2+
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -66,6 +66,9 @@ Geo Mashup combines WordPress, [Google Maps](http://maps.google.com), [OpenStree
 and [GeoNames](http://geonames.org) to create a GeoCMS that puts you in control
 of all your content, including geographic data.
 
+Thanks to [LVT-tholv2k at patchstack](https://patchstack.com/database/researcher/ada529e8-a3cf-495a-8dcb-3e5e460a4081)
+for responsibly reporting a security issue.
+
 Thanks to [Abhinav Mishra](https://twitter.com/0ctac0der) for finding an XSS bug in the map template.
 
 Thanks to [Alex Chepovetsky](https://www.linkedin.com/in/alexchepovetsky)
@@ -81,6 +84,9 @@ GeoMashup supports [standard WordPress plugin installation].
 
 == Upgrade Notice ==
 
+= 1.13.13 =
+This version includes a security update.  Upgrade immediately.
+
 = 1.13.10 =
 This version includes a security update.  Upgrade immediately.
 
@@ -95,7 +101,11 @@ This version fixes a security related bug.  Upgrade immediately.
 
 == Change Log ==
 
-= 1.13.12 Jul 14 2023 =
+= 1.13.13 Sep 14 2024 =
+
+Security fix.
+
+= 1.13.12 Jul 14 2024 =
 
 [milestone 1.13.12 changes](https://github.com/cyberhobo/wordpress-geo-mashup/milestone/30?closed=1)
 

yarn.lock

@@ -158,11 +158,11 @@ brace-expansion@^1.1.7:
     concat-map "0.0.1"
 
 braces@~3.0.2:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.2.tgz#3454e1a462ee8d599e236df336cd9ea4f8afe107"
-  integrity sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==
+  version "3.0.3"
+  resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.3.tgz#490332f40919452272d55a8480adc0c441358789"
+  integrity sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==
   dependencies:
-    fill-range "^7.0.1"
+    fill-range "^7.1.1"
 
 caseless@~0.12.0:
   version "0.12.0"
@@ -347,9 +347,9 @@ debounce@^1.1.0:
   integrity sha512-mYtLl1xfZLi1m4RtQYlZgJUNQjl4ZxVnHzIR8nLLgi4q1YT8o/WM+MK/f8yfcc9s5Ir5zRaPZyZU6xs1Syoocg==
 
 debug@^3.1.0:
-  version "3.2.6"
-  resolved "https://registry.yarnpkg.com/debug/-/debug-3.2.6.tgz#e83d17de16d8a7efb7717edbe5fb10135eee629b"
-  integrity sha512-mel+jf7nrtEl5Pn1Qx46zARXKDpBbvzezse7p7LqINmdoIk8PYP5SySaxEmYv6TZ0JyEKA1hsCId6DIhgITtWQ==
+  version "3.2.7"
+  resolved "https://registry.yarnpkg.com/debug/-/debug-3.2.7.tgz#72580b7e9145fb39b6676f9c5e5fb100b934179a"
+  integrity sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==
   dependencies:
     ms "^2.1.1"
 
@@ -438,10 +438,10 @@ fast-json-stable-stringify@^2.0.0:
   resolved "https://registry.yarnpkg.com/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz#874bf69c6f404c2b5d99c481341399fd55892633"
   integrity sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==
 
-fill-range@^7.0.1:
-  version "7.0.1"
-  resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.0.1.tgz#1919a6a7c75fe38b2c7c77e5198535da9acdda40"
-  integrity sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==
+fill-range@^7.1.1:
+  version "7.1.1"
+  resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.1.1.tgz#44265d3cac07e3ea7dc247516380643754a05292"
+  integrity sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==
   dependencies:
     to-regex-range "^5.0.1"
 
@@ -842,6 +842,11 @@ minipass@^3.0.0:
   dependencies:
     yallist "^4.0.0"
 
+minipass@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/minipass/-/minipass-5.0.0.tgz#3e9788ffb90b694a5d0ec94479a45b5d8738133d"
+  integrity sha512-3FnjYuehv9k6ovOEbyOswadCDPX1piCfhV8ncmYtHOjuPwylVWsghTLo7rabjC3Rx5xD4HDx8Wm1xnMF7S5qFQ==
+
 minizlib@^2.1.1:
   version "2.1.2"
   resolved "https://registry.yarnpkg.com/minizlib/-/minizlib-2.1.2.tgz#e90d3466ba209b932451508a11ce3d3632145931"
@@ -1296,13 +1301,13 @@ table-layout@^1.0.1:
     wordwrapjs "^4.0.0"
 
 tar@^6.0.2:
-  version "6.1.11"
-  resolved "https://registry.yarnpkg.com/tar/-/tar-6.1.11.tgz#6760a38f003afa1b2ffd0ffe9e9abbd0eab3d621"
-  integrity sha512-an/KZQzQUkZCkuoAA64hM92X0Urb6VpRhAFllDzz44U2mcD5scmT3zBc4VgVpkugF580+DQn8eAFSyoQt0tznA==
+  version "6.2.1"
+  resolved "https://registry.yarnpkg.com/tar/-/tar-6.2.1.tgz#717549c541bc3c2af15751bea94b1dd068d4b03a"
+  integrity sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==
   dependencies:
     chownr "^2.0.0"
     fs-minipass "^2.0.0"
-    minipass "^3.0.0"
+    minipass "^5.0.0"
     minizlib "^2.1.1"
     mkdirp "^1.0.3"
     yallist "^4.0.0"