fix: escape ticker ID in shortcode output (#28)

Ticker ID is user input and may contain literally anything. While this is properly escaped in the internal query, we should also escape it in the generated HTML output.
stklcode · Feb 4, 2025 · 313159c · 313159c
1 parent a0573a3
commit 313159c
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/includes/class-scliveticker.php b/includes/class-scliveticker.php
@@ -232,7 +232,7 @@ public static function shortcode_ticker_show( $atts ) {
 			$output = '<div class="wp-block-scliveticker-ticker';
 			if ( 1 === self::$options['enable_ajax'] ) {
 				$output .= ' sclt-ajax" '
-							. 'data-sclt-ticker="' . $ticker . '" '
+							. 'data-sclt-ticker="' . esc_attr( $ticker ) . '" '
 							. 'data-sclt-limit="' . $limit . '" '
 							. 'data-sclt-last="' . $last;
 			}
@@ -242,9 +242,9 @@ public static function shortcode_ticker_show( $atts ) {
 			if ( $show_feed ) {
 				$feed_link = get_post_type_archive_feed_link( 'scliveticker_tick' ) . '';
 				if ( false === strpos( $feed_link, '&' ) ) {
-					$feed_link .= '?scliveticker_ticker=' . $ticker;
+					$feed_link .= '?scliveticker_ticker=' . rawurlencode( $ticker );
 				} else {
-					$feed_link .= '&scliveticker_ticker=' . $ticker;
+					$feed_link .= '&scliveticker_ticker=' . rawurlencode( $ticker );
 				}
 				$output .= '<a href="' . esc_attr( $feed_link ) . '">Feed</a>';
 			}