Changeset 3462863

Timestamp:

02/16/2026 07:51:00 PM (6 weeks ago)

Author:

_smartik_

Message:

Release 4.1.1 - Security hardening and new shortcode features

Location:

compact-archives

Files:

• tags/4.1.1 (added)
• tags/4.1.1/assets (added)
• tags/4.1.1/assets/build (added)
• tags/4.1.1/assets/build/blocks.asset.php (added)
• tags/4.1.1/assets/build/blocks.css (added)
• tags/4.1.1/assets/build/blocks.js (added)
• tags/4.1.1/assets/build/wpFiveTwo.asset.php (added)
• tags/4.1.1/assets/build/wpFiveTwo.js (added)
• tags/4.1.1/assets/build/wpFiveZero.asset.php (added)
• tags/4.1.1/assets/build/wpFiveZero.js (added)
• tags/4.1.1/assets/src (added)
• tags/4.1.1/assets/src/blocks.css (added)
• tags/4.1.1/assets/src/blocks.js (added)
• tags/4.1.1/assets/src/edit.js (added)
• tags/4.1.1/assets/src/transforms.js (added)
• tags/4.1.1/assets/src/wp50.js (added)
• tags/4.1.1/assets/src/wp52.js (added)
• tags/4.1.1/changelog.md (added)
• tags/4.1.1/compact.php (added)
• tags/4.1.1/inc (added)
• tags/4.1.1/inc/class-wpbeginner-caw-widget.php (added)
• tags/4.1.1/inc/compact-archives.php (added)
• tags/4.1.1/inc/compat (added)
• tags/4.1.1/inc/compat/block-widget-screen.php (added)
• tags/4.1.1/readme.txt (added)
• trunk/changelog.md (modified) (1 diff)
• trunk/compact.php (modified) (2 diffs)
• trunk/inc/compact-archives.php (modified) (5 diffs)
• trunk/readme.txt (modified) (5 diffs)

compact-archives/trunk/changelog.md

@@ +1 @@
+= 4.1.1 =
+* Improved input validation for shortcode parameters.
+* Enhanced output sanitization.
+* Added URL escaping for archive links.
+* New: Added `classname` attribute to shortcode for custom CSS classes.
+* New: Shortcode `before` attribute now accepts tag names without brackets (e.g., `before="div"`).
+
+= 4.1.0 =
+* New: Support the block based Widget editor introduced in WordPress 5.8.
+
+= 4.0.0 =
+* New: Improve caching of database queries by using the WordPress object cache.
+* Enhancement: Use WordPress Core date internationalization.
+* Enhancement: Use language files generated by translate.wordpress.org.
+* Fix: Styling fixes for block editor archive block.
+* Minimum version of WordPress updated to 4.7.
+
 = 3.0.9 =
 * Update Readme.txt

compact-archives/trunk/compact.php

@@ -4 +4 @@
 Plugin URI: http://www.wpbeginner.com
 Description: Displays a compact monthly archive instead of the default long list. Either display it as a block suitable for the body of a page or in a form compact enough for a sidebar.
-Version: 4.1.0
+Version: 4.1.1
 Author: WPBeginner
 Author URI: http://www.wpbeginner.com
@@ -10 +10 @@
 Requires PHP: 5.6
 Requires at least: 4.8
-Tested up to: 6.6
+Tested up to: 6.9.1
 License: GPL-2.0+
 */

compact-archives/trunk/inc/compact-archives.php

@@ -101 +101 @@
 
     if ( empty( $dates ) ) {
-        return $before . __( 'Archive is empty' ) . $after;
+        return wp_kses_post( $before . __( 'Archive is empty' ) . $after );
     }
     $result = '';
     foreach ( $dates as $year => $months ) {
-        $result .= $before . '<strong><a href="' . get_year_link( $year ) . '">' . esc_html( $year ) . '</a>: </strong> ';
+        $result .= $before . '<strong><a href="' . esc_url( get_year_link( $year ) ) . '">' . esc_html( $year ) . '</a>: </strong> ';
         for ( $month = 1; $month <= 12; $month++ ) {
             $month_has_posts = ( isset( $months[ $month ] ) );
@@ -124 +124 @@
             }
             if ( $month_has_posts ) {
-                $result .= '<a href="' . get_month_link( $year, $month ) . '" title="' . esc_attr( date_i18n( 'F Y', $dummydate ) ) . '">' . esc_html( $month_abbrev ) . '</a> ';
+                $result .= '<a href="' . esc_url( get_month_link( $year, $month ) ) . '" title="' . esc_attr( date_i18n( 'F Y', $dummydate ) ) . '">' . esc_html( $month_abbrev ) . '</a> ';
             } else {
                 $result .= '<span class="emptymonth">' . esc_html( $month_abbrev ) . '</span> ';
@@ -154 +154 @@
     $atts = shortcode_atts(
         array(
-            'style'  => 'initial',
-            'before' => '<li>',
-            'after'  => '</li>',
+            'style'     => 'initial',
+            'before'    => '<li>',
+            'after'     => '</li>',
+            'classname' => '',
         ),
         $atts
     );
 
-    if ( '<li>' === $atts['before'] ) :
-        $wrap = '<ul style="list-style-type: none; margin-top: 10px; margin-bottom 20px;">';
-    endif;
-
-    if ( '</li>' === $atts['after'] ) :
-        $wrap_end = '</ul>';
-    endif;
+    // Validate style against allowlist.
+    $allowed_styles = array( 'initial', 'block', 'numeric' );
+    if ( ! in_array( $atts['style'], $allowed_styles, true ) ) {
+        $atts['style'] = 'initial';
+    }
+
+    // Allowed wrapper tags.
+    $allowed_tags = array( 'li', 'p', 'div', 'span' );
+
+    // Normalize input: trim, lowercase, decode HTML entities, strip </p> from editor.
+    $before_normalized = strtolower( trim( html_entity_decode( $atts['before'] ) ) );
+    $before_normalized = trim( str_ireplace( '</p>', '', $before_normalized ) );
+
+    // Extract tag name (strip < > / to support both "div" and "<div>").
+    $tag_name = preg_replace( '/[<>\/]/', '', $before_normalized );
+
+    if ( ! in_array( $tag_name, $allowed_tags, true ) ) {
+        $tag_name = 'li';
+    }
+
+    // Sanitize classname: split by space, sanitize each, rejoin.
+    $class_attr = '';
+    if ( ! empty( $atts['classname'] ) ) {
+        $classes = preg_split( '/\s+/', trim( $atts['classname'] ) );
+        $sanitized_classes = array_map( 'sanitize_html_class', $classes );
+        $sanitized_classes = array_filter( $sanitized_classes ); // Remove empty.
+        if ( ! empty( $sanitized_classes ) ) {
+            $class_attr = ' class="' . esc_attr( implode( ' ', $sanitized_classes ) ) . '"';
+        }
+    }
+
+    $wrap     = '';
+    $wrap_end = '';
+
+    if ( 'li' === $tag_name ) {
+        // For li, apply classname to the ul container.
+        $atts['before'] = '<' . $tag_name . '>';
+        $wrap           = '<ul' . $class_attr . ' style="list-style-type: none; margin-top: 10px; margin-bottom: 20px;">';
+        $wrap_end       = '</ul>';
+    } else {
+        // For other tags, apply classname to the before tag.
+        $atts['before'] = '<' . $tag_name . $class_attr . '>';
+    }
+
+    $atts['after'] = '</' . $tag_name . '>';
 
     return $wrap . get_compact_archive( $atts['style'], $atts['before'], $atts['after'] ) . $wrap_end;
@@ -311 +350 @@
     }
 
+    // Validate archive type against allowlist.
+    $allowed_types = array( 'initial', 'block', 'numeric' );
+    if ( ! in_array( $attributes['compact_archive_type'], $allowed_types, true ) ) {
+        $attributes['compact_archive_type'] = 'block';
+    }
+
+    // Validate text case against allowlist.
+    $allowed_text_cases = array( 'none', 'capitalize', 'uppercase' );
+    if ( ! in_array( $attributes['compact_archive_text_case'], $allowed_text_cases, true ) ) {
+        $attributes['compact_archive_text_case'] = 'none';
+    }
+
     // Default styles.
     $style = ( ! empty( $attributes['compact_archive_title'] ) ) ? 'list-style-type: none; margin-top: 10px; margin-bottom 20px;' : 'list-style-type: none; margin-top: 20px; margin-bottom 20px;';
@@ -321 +372 @@
     }
 
-    return ( ! empty( $attributes['compact_archive_title'] ) ? '<p>' . wp_kses_post( $attributes['compact_archive_title'] ) . '</p>' : '' ) . '<ul style="' . esc_attr( $style ) . '">' . get_compact_archive( $attributes['compact_archive_type'] ) . '</ul>';
-}
+    // Sanitize title with restrictive allowlist matching RichText formatting controls.
+    $title_html = '';
+    if ( ! empty( $attributes['compact_archive_title'] ) ) {
+        $allowed_title_html = array(
+            'strong' => array(),
+            'b'      => array(),
+            'em'     => array(),
+            'i'      => array(),
+            'a'      => array(
+                'href'  => true,
+                'title' => true,
+                'rel'   => true,
+            ),
+        );
+        $title_html = '<p>' . wp_kses( $attributes['compact_archive_title'], $allowed_title_html ) . '</p>';
+    }
+
+    return $title_html . '<ul style="' . esc_attr( $style ) . '">' . get_compact_archive( $attributes['compact_archive_type'] ) . '</ul>';
+}

compact-archives/trunk/readme.txt

@@ -1 +1 @@
 === Compact Archives ===
-Contributors: smub, noumaan, deb255
-Tags: archive, archives, yearly archive, montly archive, yearly, monthly, annually, archive by month, archive by year
-Tested up to: 6.6
-Stable tag: 4.1.0
+Contributors: smub, noumaan, _smartik_
+Tags: archive, archives, monthly archive, yearly archive, widget
+Tested up to: 6.9.1
+Stable tag: 4.1.1
 Requires PHP: 5.6
 Requires at least: 4.8
@@ -104 +104 @@
 = How do I get different layouts using shortcode? =
 
-The shortcode `[compact_archive]` works just like the template tag. It accepts three parameters which are style, before, and after.
+The shortcode `[compact_archive]` works just like the template tag. It accepts the following parameters:
 
-Using shortcode `[compact_archive style="block"]` will display compact archives in block.
+* `style` - Display format: `initial` (default), `block`, or `numeric`
+* `before` - Wrapper tag: `li` (default), `p`, `div`, or `span`. Can be written with or without angle brackets.
+* `classname` - Custom CSS class(es) to add to the container
 
-Using shortcode `[compact_archive style="numeric" before="<p>" after="</p>"]` will display compact archive in numeric form, wrapped in a paragraph tag.
+Examples:
+
+`[compact_archive style="block"]` - Display archives in block format.
+
+`[compact_archive style="numeric" before="p"]` - Display in numeric form, wrapped in paragraph tags.
+
+`[compact_archive before="div" classname="my-archive custom-class"]` - Wrap each line in a div with custom CSS classes.
 
 = How do I get different layouts using Compact Archive Widget in Sidebar? =
@@ -117 +125 @@
 
 The year links at the start of each line are wrapped in <strong></strong> tags while months with no posts are wrapped with <span class="emptymonth"></span> so you can differentiate them visually using your style sheet.
+
+You can also use the `classname` attribute in the shortcode to add custom CSS classes:
+
+`[compact_archive classname="my-custom-archive"]`
 
 = What if My Site is in Another Language? =
@@ -130 +142 @@
 
 == Changelog ==
+
+= 4.1.1 =
+* Improved input validation for shortcode parameters.
+* Enhanced output sanitization.
+* Added URL escaping for archive links.
+* New: Added `classname` attribute to shortcode for custom CSS classes.
+* New: Shortcode `before` attribute now accepts tag names without brackets (e.g., `before="div"`).
 
 = 4.1.0 =
@@ -145 +164 @@
 == Upgrade Notice ==
 
+= 4.1.1 =
+
+Maintenance release with security hardening. Update recommended.
+
 = 4.1.0 =