Changeset 3337681

Timestamp:

08/01/2025 09:22:17 AM (8 months ago)

Author:

petredobrescu

Message:

Version 3.10.5

🔒 The Security Hardening Update

Release Date: August 1, 2025

🛡️ Security Fix

• XSS Vulnerability Patched: Fixed a Cross-Site Scripting (XSS) vulnerability reported by the WordFence team. This issue affected multisite installations and sites where unfiltered_html is disabled.

We strongly recommend updating to benefit from the latest security improvements. Thank you to the WordFence team for the responsible disclosure! 🙏

Location:

shortpixel-adaptive-images

Files:

• tags/3.10.5 (copied) (copied from shortpixel-adaptive-images/trunk)
• tags/3.10.5/includes/actions/page.actions.class.php (modified) (1 diff)
• tags/3.10.5/includes/front/vanilla-js-loader.class.php (modified) (2 diffs)
• tags/3.10.5/readme.txt (modified) (2 diffs)
• tags/3.10.5/short-pixel-ai.php (modified) (2 diffs)
• trunk/includes/actions/page.actions.class.php (modified) (1 diff)
• trunk/includes/front/vanilla-js-loader.class.php (modified) (2 diffs)
• trunk/readme.txt (modified) (2 diffs)
• trunk/short-pixel-ai.php (modified) (2 diffs)

shortpixel-adaptive-images/tags/3.10.5/includes/actions/page.actions.class.php

@@ -51 +51 @@
 
                 //sanitize
-                if(isset($options->behaviour->api_url)) {
-                    $options->behaviour->api_url = trim($options->behaviour->api_url);
-                    if(parse_url($options->behaviour->api_url, PHP_URL_HOST) === NULL) {
-                        $options->behaviour->api_url = ShortPixelAI::DEFAULT_API_AI . ShortPixelAI::DEFAULT_API_AI_PATH;
+                if (isset($options->behaviour->api_url)) {
+                    $url = trim($options->behaviour->api_url);
+                    if (parse_url($url, PHP_URL_HOST) === NULL) {
+                        $url = ShortPixelAI::DEFAULT_API_AI . ShortPixelAI::DEFAULT_API_AI_PATH;
                     }
+                    $url = sanitize_text_field($url);
+                    $options->behaviour->api_url = $url;
                 }
 
-                //translate simple meta options
+
+                //translate simple meta options
                 $options = ShortPixelAI::translateSimpleOptions( $options );
 

shortpixel-adaptive-images/tags/3.10.5/includes/front/vanilla-js-loader.class.php

@@ -43 +43 @@
                     s.src = "https://<?= $scriptDomain ?>/assets/js/bundles/spai-lib-bg<?= $convert === 'detect' ? '-webp' : '' ?>" + v
                         + ".<?=$vjsVer?><?=($dbg ? '.dev' : '')?>.min.js?v=<?= SHORTPIXEL_AI_VERSION ?>";
-                    w.spaiDomain = "<?= $spaiDomain ?>";
+                    w.spaiDomain = "<?= esc_js($spaiDomain) ?>";
                     w.spaiData = {
-                        version: "<?= SHORTPIXEL_AI_VERSION ?>",
-                        key: "<?= end($apiUrlParts)?>",
-                        quality: "<?= $this->settings->compression->level ?>",
-                        convert: "<?= $convert ?>",
+                        version: "<?= esc_js(SHORTPIXEL_AI_VERSION) ?>",
+                        key: "<?= esc_js(end($apiUrlParts)) ?>",
+                        quality: "<?= esc_js($this->settings->compression->level) ?>",
+                        convert: "<?= esc_js($convert) ?>",
                         lqip: <?= $this->settings->behaviour->lqip ? 'true' : 'false' ?>,
                         <?php
@@ -74 +74 @@
                         exclusions: "__SPAI_EXCLUSIONS__",
                         sizeFromImageSuffix: <?php echo(defined('SPAI_FILENAME_RESOLUTION_UNSAFE') ? 'false' : 'true'); ?>,
-                        ajax_url: "<?= admin_url( 'admin-ajax.php' ) ?>",
+                        ajax_url: "<?= esc_js(admin_url('admin-ajax.php')) ?>"
                     };
                     b.appendChild(s);

shortpixel-adaptive-images/tags/3.10.5/readme.txt

@@ -5 +5 @@
 Tested up to: 6.8
 Requires PHP: 5.6.40
-Stable tag: 3.10.4
+Stable tag: 3.10.5
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -249 +249 @@
 
 == Changelog ==
+
+= 3.10.5 =
+
+🔒 The Security Hardening Update
+
+Release Date: August 1, 2025
+
+🛡️ Security Fix
+
+* XSS Vulnerability Patched: Fixed a Cross-Site Scripting (XSS) vulnerability reported by the WordFence team. This issue affected multisite installations and sites where `unfiltered_html` is disabled.
+
+We strongly recommend updating to benefit from the latest security improvements. Thank you to the WordFence team for the responsible disclosure! 🙏
 
 = 3.10.4 =

shortpixel-adaptive-images/tags/3.10.5/short-pixel-ai.php

@@ -4 +4 @@
      * Plugin URI: https://shortpixel.com/
      * Description: Display properly sized, smart cropped and optimized images on your website. Images are processed on the fly and served from our CDN.
-     * Version: 3.10.4
+     * Version: 3.10.5
      * Author: ShortPixel
      * GitHub Plugin URI: https://github.com/short-pixel-optimizer/shortpixel-adaptive-images
@@ -16 +16 @@
 
     if ( !class_exists( 'ShortPixelAI' ) ) {
-        define( 'SHORTPIXEL_AI_VERSION', '3.10.4' );
+        define( 'SHORTPIXEL_AI_VERSION', '3.10.5' );
         define( 'SPAI_SNIP_VERSION', '3.1.0' );
         define( 'SHORTPIXEL_AI_VANILLAJS_VER', '1.1' );

shortpixel-adaptive-images/trunk/includes/actions/page.actions.class.php

@@ -51 +51 @@
 
                 //sanitize
-                if(isset($options->behaviour->api_url)) {
-                    $options->behaviour->api_url = trim($options->behaviour->api_url);
-                    if(parse_url($options->behaviour->api_url, PHP_URL_HOST) === NULL) {
-                        $options->behaviour->api_url = ShortPixelAI::DEFAULT_API_AI . ShortPixelAI::DEFAULT_API_AI_PATH;
+                if (isset($options->behaviour->api_url)) {
+                    $url = trim($options->behaviour->api_url);
+                    if (parse_url($url, PHP_URL_HOST) === NULL) {
+                        $url = ShortPixelAI::DEFAULT_API_AI . ShortPixelAI::DEFAULT_API_AI_PATH;
                     }
+                    $url = sanitize_text_field($url);
+                    $options->behaviour->api_url = $url;
                 }
 
-                //translate simple meta options
+
+                //translate simple meta options
                 $options = ShortPixelAI::translateSimpleOptions( $options );
 

shortpixel-adaptive-images/trunk/includes/front/vanilla-js-loader.class.php

@@ -43 +43 @@
                     s.src = "https://<?= $scriptDomain ?>/assets/js/bundles/spai-lib-bg<?= $convert === 'detect' ? '-webp' : '' ?>" + v
                         + ".<?=$vjsVer?><?=($dbg ? '.dev' : '')?>.min.js?v=<?= SHORTPIXEL_AI_VERSION ?>";
-                    w.spaiDomain = "<?= $spaiDomain ?>";
+                    w.spaiDomain = "<?= esc_js($spaiDomain) ?>";
                     w.spaiData = {
-                        version: "<?= SHORTPIXEL_AI_VERSION ?>",
-                        key: "<?= end($apiUrlParts)?>",
-                        quality: "<?= $this->settings->compression->level ?>",
-                        convert: "<?= $convert ?>",
+                        version: "<?= esc_js(SHORTPIXEL_AI_VERSION) ?>",
+                        key: "<?= esc_js(end($apiUrlParts)) ?>",
+                        quality: "<?= esc_js($this->settings->compression->level) ?>",
+                        convert: "<?= esc_js($convert) ?>",
                         lqip: <?= $this->settings->behaviour->lqip ? 'true' : 'false' ?>,
                         <?php
@@ -74 +74 @@
                         exclusions: "__SPAI_EXCLUSIONS__",
                         sizeFromImageSuffix: <?php echo(defined('SPAI_FILENAME_RESOLUTION_UNSAFE') ? 'false' : 'true'); ?>,
-                        ajax_url: "<?= admin_url( 'admin-ajax.php' ) ?>",
+                        ajax_url: "<?= esc_js(admin_url('admin-ajax.php')) ?>"
                     };
                     b.appendChild(s);

shortpixel-adaptive-images/trunk/readme.txt

@@ -5 +5 @@
 Tested up to: 6.8
 Requires PHP: 5.6.40
-Stable tag: 3.10.4
+Stable tag: 3.10.5
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -249 +249 @@
 
 == Changelog ==
+
+= 3.10.5 =
+
+🔒 The Security Hardening Update
+
+Release Date: August 1, 2025
+
+🛡️ Security Fix
+
+* XSS Vulnerability Patched: Fixed a Cross-Site Scripting (XSS) vulnerability reported by the WordFence team. This issue affected multisite installations and sites where `unfiltered_html` is disabled.
+
+We strongly recommend updating to benefit from the latest security improvements. Thank you to the WordFence team for the responsible disclosure! 🙏
 
 = 3.10.4 =

shortpixel-adaptive-images/trunk/short-pixel-ai.php

@@ -4 +4 @@
      * Plugin URI: https://shortpixel.com/
      * Description: Display properly sized, smart cropped and optimized images on your website. Images are processed on the fly and served from our CDN.
-     * Version: 3.10.4
+     * Version: 3.10.5
      * Author: ShortPixel
      * GitHub Plugin URI: https://github.com/short-pixel-optimizer/shortpixel-adaptive-images
@@ -16 +16 @@
 
     if ( !class_exists( 'ShortPixelAI' ) ) {
-        define( 'SHORTPIXEL_AI_VERSION', '3.10.4' );
+        define( 'SHORTPIXEL_AI_VERSION', '3.10.5' );
         define( 'SPAI_SNIP_VERSION', '3.1.0' );
         define( 'SHORTPIXEL_AI_VANILLAJS_VER', '1.1' );