Merge branch 'fix/query-vulnerability'

includes/classes/Query.php

@@ -280,10 +280,12 @@ public function shortcode( $attrs ) {
 			'queryArgs'        => $queryArgs,
 		];
 
+		$escaped_attrs = array_map( 'esc_attr', $attrs );
+
 		$content = sprintf(
 			'<div class="ootb-openstreetmap--map" %1$s style="height: %2$s;"></div>',
-			self::default_attrs( $attrs ),
-			$attrs[ 'height' ]
+			self::default_attrs( $escaped_attrs ),
+			$escaped_attrs[ 'height' ]
 		);
 
 		return $this->render_callback( $render_callback_attrs, $content );

ootb-openstreetmap.php

@@ -5,7 +5,7 @@
  * Description:       A map block for the Gutenberg Editor using OpenStreetMaps and Leaflet that needs no API keys and works out of the box.
  * Requires at least: 6.5
  * Requires PHP:      7.4
- * Version:           2.8.3
+ * Version:           2.8.4
  * Author:            Giorgos Sarigiannidis
  * Author URI:        https://www.gsarigiannidis.gr
  * License:           GPL-2.0-or-later
@@ -21,7 +21,7 @@
 define( 'OOTB_PLUGIN_BASENAME', plugin_basename( __FILE__ ) );
 
 const OOTB_BLOCK_NAME     = 'ootb/openstreetmap';
-const OOTB_VERSION        = '2.8.3';
+const OOTB_VERSION        = '2.8.4';
 const OOTB_SCRIPT_VERSION = [
 	'leaflet'                  => '1.9.4',
 	'leaflet-gesture-handling' => '1.4.4',

readme.txt

@@ -5,7 +5,7 @@ Tags: Map, OpenStreetMap, Leaflet, Google Maps, block
 Requires at least: 6.5
 Tested up to: 6.7
 Requires PHP: 7.4
-Stable tag: 2.8.3
+Stable tag: 2.8.4
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -139,6 +139,9 @@ Version 2.0.0 is a major, almost full, refactoring, both for the build scripts a
 = 1.0 =
 
 == Changelog ==
+= 2.8.4 =
+* Security update. Fixes a vulnerability which allows authenticated attackers with contributor permissions or above to insert JavaScript that triggers when accessing the web-page by mouse.
+
 = 2.8.3 =
 * Bumps support to WordPress 6.7.
 * Bumps minimum supported WordPress version to 6.5.