
Commit f2e8501

authored
Merge pull request #326 from rtCamp/develop
Version Update v1.4.1 [ master ]
2 parents 3cba24c + 0288de4 commit f2e8501


5 files changed

+99
-28
lines changed


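--- a/README.md
+++ b/README.md
@@ -66,6 +66,12 @@ Read [Documentation](https://rtmedia.io/docs/transcoder/?utm_source=readme&utm_m
 
 ## Changelog ##
 
+#### 1.4.1 [August 22, 2025] ####
+
+* FIXED
+* Added validation and sanitization for `[rt_media]` shortcode attributes.
+* Graceful fallback when media file is unavailable (prevents broken audio/video players).
+
 #### 1.4.0 [May 30, 2025] ####
 
 * REMOVED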
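--- a/admin/rt-transcoder-functions.php
+++ b/admin/rt-transcoder-functions.php
@@ -24,7 +24,6 @@ function rta() {
  * Builds the [rt_media] shortcode output.
  *
  * If media type is video then display transcoded video (mp4 format) if any else original video.
- *
  * If media type is audio then display transcoded audio (mp3 format) if any else original audio.
  *
  * @since 1.0.0
@@ -35,72 +34,119 @@ function rta() {
  * @type int $attachment_id ID of attachment.
  * }
  * @param string $content Shortcode content.
- * @return string|void HTML content to display video.
+ * @return string|void HTML content to display media.
  */
 function rt_media_shortcode( $attrs, $content = '' ) {
 
+	// Bail early if required attribute is missing.
 	if ( empty( $attrs['attachment_id'] ) ) {
 		return false;
 	}
 
-	$attachment_id = $attrs['attachment_id'];
+	// Sanitize attachment ID (force integer).
+	$attachment_id = absint( $attrs['attachment_id'] );
 
+	// Validate that attachment exists and has a MIME type.
 	$type = get_post_mime_type( $attachment_id );
-
 	if ( empty( $type ) ) {
-		return false;
+		return '<p>' . esc_html__( 'Invalid attachment ID.', 'transcoder' ) . '</p>';
 	}
 
 	$mime_type = explode( '/', $type );
 	$media_url = '';
 
+	// Define whitelist of allowed shortcode attributes
+	// (prevents arbitrary attributes that could lead to XSS).
+	$allowed_video_attrs = array( 'src', 'poster', 'preload', 'autoplay', 'loop', 'muted', 'width', 'height' );
+	$allowed_audio_attrs = array( 'src', 'preload', 'autoplay', 'loop' );
+
 	if ( 'video' === $mime_type[0] ) {
 
-		$video_shortcode_attributes = '';
-		$media_url = rtt_get_media_url( $attachment_id );
+		// Resolve video URL (transcoded version if available).
+		$media_url = rtt_get_media_url( $attachment_id );
 
+		// Generate a poster thumbnail for the video.
 		$poster = rt_media_get_video_thumbnail( $attachment_id );
 
+		if ( empty( $media_url ) ) {
+			return '<p>' . esc_html__( 'Media file unavailable.', 'transcoder' ) . '</p>';
+		}
+
+		// Force shortcode to use validated `src` + `poster`.
 		$attrs['src'] = $media_url;
 		$attrs['poster'] = $poster;
 
+		// Build video shortcode attributes securely.
+		$video_shortcode_attributes = '';
 		foreach ( $attrs as $key => $value ) {
-			$video_shortcode_attributes .= ' ' . $key . '="' . $value . '"';
+			if ( in_array( $key, $allowed_video_attrs, true ) ) {
+				// Escape URLs properly for `src` and `poster`.
+				if ( 'src' === $key || 'poster' === $key ) {
+					$value = esc_url( $value );
+				} else {
+					// Escape all other attribute values.
+					$value = esc_attr( $value );
+				}
+				$video_shortcode_attributes .= ' ' . esc_attr( $key ) . '="' . $value . '"';
+			}
 		}
 
+		// Render the final [video] shortcode.
 		$content = do_shortcode( "[video {$video_shortcode_attributes}]" );
 
 	} elseif ( 'audio' === $mime_type[0] ) {
 
+		// Resolve audio URL (prefer transcoded mp3).
 		$media_url = rtt_get_media_url( $attachment_id, 'mp3' );
 
-		$audio_shortcode_attributes = 'src="' . $media_url . '"';
 
+		// Graceful fallback: if media URL cannot be resolved (e.g. missing file),
+		// show a friendly message instead of rendering a broken player.
+		if ( empty( $media_url ) ) {
+			return '<p>' . esc_html__( 'Media file unavailable.', 'transcoder' ) . '</p>';
+		}
+
+		// Force valid `src` attribute.
+		$attrs['src'] = $media_url;
+
+		// Build audio shortcode attributes securely.
+		$audio_shortcode_attributes = '';
 		foreach ( $attrs as $key => $value ) {
-			$audio_shortcode_attributes .= ' ' . $key . '="' . $value . '"';
+			if ( in_array( $key, $allowed_audio_attrs, true ) ) {
+				// Escape URL for `src`, escape attr for others.
+				if ( 'src' === $key ) {
+					$value = esc_url( $value );
+				} else {
+					$value = esc_attr( $value );
+				}
+				$audio_shortcode_attributes .= ' ' . esc_attr( $key ) . '="' . $value . '"';
+			}
 		}
 
+		// Render the final [audio] shortcode.
 		$content = do_shortcode( "[audio {$audio_shortcode_attributes}]" );
 
 	} elseif ( 'image' === $mime_type[0] ) {
 
+		// Transcoder does not support images — return notice.
 		$content = '<p>' . esc_html__( 'Image attachments are not handled by Transcoder plugin.', 'transcoder' ) . '</p>';
 
 	}
 
+	// Add user feedback if file is still being transcoded.
 	if ( is_file_being_transcoded( $attachment_id ) ) {
 		$content .= '<p class="transcoding-in-progress"> ' . esc_html__( 'This file is being transcoded. Please wait.', 'transcoder' ) . '</p>';
 	}
 
 	/**
-	 * Allow user to filter [rt_media] short code content.
+	 * Allow user to filter [rt_media] shortcode output.
 	 *
 	 * @since 1.0.0
 	 *
-	 * @param string $content Activity content.
-	 * @param int $attachment_id ID of attachment.
+	 * @param string $content Shortcode content.
+	 * @param int $attachment_id Attachment ID.
 	 * @param string $media_url URL of the media.
-	 * @param string $media_type Mime type of the media.
+	 * @param string $media_type Top-level mime type (video|audio|image).
 	 */
 	return apply_filters( 'rt_media_shortcode', $content, $attachment_id, $media_url, $mime_type[0] );
 }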
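Review bot: The rewritten `@return string|void` docblock still does not match the code: the untouched guard `if ( empty( $attrs['attachment_id'] ) ) { return false; }` returns a bool, while the two new validation failures (`Invalid attachment ID.`, `Media file unavailable.`) return an HTML `<p>` notice, so the function actually returns `string|false` and its three early exits behave inconsistently (one renders nothing, two render a message). Suggest `* @return string|false HTML content to display media, or false when no attachment_id is given.`, or, if the intent is that every rejected shortcode shows a notice, replace that `return false;` with a `<p>` built the same way as the one after `get_post_mime_type()`. Separately, `$poster = rt_media_get_video_thumbnail( $attachment_id );` runs before the `empty( $media_url )` guard in the video branch; moving it below the guard avoids generating a thumbnail for a file that is then reported unavailable, and the attribute whitelist is only applied to `$attrs` keys, so `$media_url` and `$poster` returned by the helpers are presumed to be plain URLs that `esc_url()` can pass through — worth confirming against those helpers, which are outside this hunk.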

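--- a/languages/transcoder.pot
+++ b/languages/transcoder.pot
@@ -4,7 +4,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: http://community.rtcamp.com/\n"
-"POT-Creation-Date: 2025-05-30 17:03:33+00:00\n"
+"POT-Creation-Date: 2025-08-22 10:08:44+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
@@ -439,33 +439,41 @@ msgid ""
 "our <a href=\"%s\" target=\"_blank\">GoDAM</a> services."
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:87
+#: admin/rt-transcoder-functions.php:52
+msgid "Invalid attachment ID."
+msgstr ""
+
+#: admin/rt-transcoder-functions.php:72 admin/rt-transcoder-functions.php:106
+msgid "Media file unavailable."
+msgstr ""
+
+#: admin/rt-transcoder-functions.php:132
 msgid "Image attachments are not handled by Transcoder plugin."
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:92
+#: admin/rt-transcoder-functions.php:138
 msgid "This file is being transcoded. Please wait."
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:463 admin/rt-transcoder-functions.php:728
-#: admin/rt-transcoder-functions.php:901
+#: admin/rt-transcoder-functions.php:509 admin/rt-transcoder-functions.php:774
+#: admin/rt-transcoder-functions.php:947
 msgid "Check Status"
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:478 admin/rt-transcoder-functions.php:484
-#: admin/rt-transcoder-functions.php:924
+#: admin/rt-transcoder-functions.php:524 admin/rt-transcoder-functions.php:530
+#: admin/rt-transcoder-functions.php:970
 msgid "This file is converting. Please refresh the page after some time."
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:705
+#: admin/rt-transcoder-functions.php:751
 msgid "Transcode Status"
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:745
+#: admin/rt-transcoder-functions.php:791
 msgid "File is transcoded."
 msgstr ""
 
-#: admin/rt-transcoder-functions.php:919
+#: admin/rt-transcoder-functions.php:965
 msgid ""
 "This file is converting. Please click on check status button to know "
 "current status or refresh the page after some time. "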

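--- a/readme.txt
+++ b/readme.txt
@@ -3,14 +3,16 @@ Contributors: rtcamp, mangeshp, chandrapatel, manishsongirkar36, bhargavbhandari
 Tags: media, multimedia, audio, songs, music, video, ffmpeg, media-node, rtMedia, WordPress, kaltura, transcode, transcoder, encoding, encode
 Donate link: https://rtcamp.com/donate/
 Requires at least: 4.1
-Tested up to: 6.8.1
-Stable tag: 1.4.0
+Tested up to: 6.8.2
+Stable tag: 1.4.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
 Transcoding services for ANY WordPress website. Convert audio/video files of any format to a web-friendly format (mp3/mp4).
 
 == Description ==
+**Transcoder plugin has been discontinued and no longer maintained**, we recommend to use our new video management solution [GoDAM](https://godam.io/?utm_source=readme&utm_medium=plugin&utm_campaign=transcoder) which provides smart transcoding & adaptive bitrate, generate thumbnail, add custom layers, better way to organize media files, serve via CDN and do a lot more. Install the GoDAM plugin from [here](https://wordpress.org/plugins/godam)
+
 Transcoder easily converts all audio and video files uploaded to your website to a web-friendly format.
 
 Transcoder eliminates the need for a dedicated media node- no fiddling with installation, managing dependancies or renting servers! Transcoder also works on shared hosting- just install, subscribe and go!
@@ -63,6 +65,12 @@ Read [Documentation](https://rtmedia.io/docs/transcoder/?utm_source=readme&utm_m
 
 == Changelog ==
 
+= 1.4.1 [August 22, 2025] =
+
+* FIXED
+* Added validation and sanitization for `[rt_media]` shortcode attributes.
+* Graceful fallback when media file is unavailable (prevents broken audio/video players).
+
 = 1.4.0 [May 30, 2025]
 
 * REMOVED
@@ -254,6 +262,9 @@ Initial release
 
 == Upgrade Notice ==
 
+= 1.4.1 =
+Transcoder 1.4.1 with improved shortcode security.
+
 = 1.4.0 =
 Update to users - Discontinuing the Transcoder service and replacing with GoDAM.
 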

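--- a/rt-transcoder.php
+++ b/rt-transcoder.php
@@ -3,7 +3,7 @@
  * Plugin Name: Transcoder
  * Plugin URI: https://rtmedia.io/transcoder/?utm_source=dashboard&utm_medium=plugin&utm_campaign=transcoder
  * Description: Audio & video transcoding services for ANY WordPress website. Allows you to convert audio/video files of any format to a web-friendly format (mp3/mp4).
- * Version: 1.4.0
+ * Version: 1.4.1
  * Text Domain: transcoder
  * Author: rtCamp
  * Author URI: https://rtcamp.com/?utm_source=dashboard&utm_medium=plugin&utm_campaign=transcoder
@@ -39,7 +39,7 @@
 	/**
 	 * The version of the plugin
 	 */
-	define( 'RT_TRANSCODER_VERSION', '1.4.0' );
+	define( 'RT_TRANSCODER_VERSION', '1.4.1' );
 }
 
 if ( ! defined( 'RT_TRANSCODER_NO_MAIL' ) && defined( 'VIP_GO_APP_ENVIRONMENT' ) ) {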
