This repository was archived by the owner on Aug 22, 2025. It is now read-only.

Conversation

@krishana7911 (Contributor) commented:

Summary

This PR hardens the [rt_media] shortcode against potential XSS and attribute injection vulnerabilities, and improves error handling for invalid or missing media.

Changes

Security

  • Validated and sanitized all shortcode attributes before output.
  • Restricted allowed attributes (src, poster, etc.) for video/audio to prevent arbitrary attribute injection.
  • Escaped all attribute values (esc_url for URLs, esc_attr for others).
  • Enforced absint() on attachment_id to prevent non-integer input.

Error Handling / UX

  • Added fallback message when:
    • Invalid or missing attachment_id is passed.
    • Media type is not supported.
    • Media file URL cannot be resolved (e.g., file deleted).
  • Prevents rendering broken <video> / <audio> players.

Why

  • Fixes possible XSS when unsanitized attributes were injected into shortcode output.
  • Makes shortcode safer to use across all roles (e.g., contributors submitting posts).
  • Provides a clearer user experience by showing friendly messages instead of silent failures or broken players.

Testing

  1. Add [rt_media attachment_id="valid_id"] → should render media correctly.
  2. Add [rt_media attachment_id="invalid_id"] → should show "Invalid attachment ID." message.
  3. Add [rt_media attachment_id="valid_id"] where file is missing → should show "Media file unavailable."
  4. Try injecting malicious attributes in the shortcode → should be sanitized and not execute.
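The Security and Error Handling lists above describe one procedure: accept only a known set of shortcode attributes, coerce `attachment_id` with `absint()`, escape every emitted value with `esc_url()` or `esc_attr()`, and return a fallback message instead of a broken player when the attachment, its type or its file cannot be resolved. The handler below is an added example of that procedure and is not the project's own code; the function names (`rt_media_example_*`), the `rt-media-example` text domain, the `rt-media-error` CSS class and the exact attribute whitelist are assumptions made for illustration. It uses only core WordPress functions (`shortcode_atts`, `absint`, `get_post_type`, `get_post_mime_type`, `wp_get_attachment_url`, `get_attached_file`, `esc_url`, `esc_attr`, `esc_html`).

```php
<?php
/**
 * Added example of a hardened [rt_media] shortcode handler (not the project's code).
 * Names prefixed rt_media_example_ and the 'rt-media-example' text domain are assumed.
 */

// Per media type, the only attributes that may reach the output and how each one is
// sanitized: 'url' => esc_url(), 'int' => absint(), 'bool' => emitted as a bare attribute
// only when truthy, 'preload' => must be one of none|metadata|auto.
function rt_media_example_allowed_attributes( $tag ) {
	$allowed = array(
		'video' => array( 'poster' => 'url', 'width' => 'int', 'height' => 'int', 'controls' => 'bool', 'autoplay' => 'bool', 'loop' => 'bool', 'muted' => 'bool', 'preload' => 'preload' ),
		'audio' => array( 'controls' => 'bool', 'autoplay' => 'bool', 'loop' => 'bool', 'preload' => 'preload' ),
	);
	return isset( $allowed[ $tag ] ) ? $allowed[ $tag ] : array();
}

// Single exit path for every failure so the message is always escaped.
function rt_media_example_fallback( $message ) {
	return '<p class="rt-media-error">' . esc_html( $message ) . '</p>';
}

function rt_media_example_shortcode( $atts ) {
	// $atts is a string (not an array) when the shortcode carries no attributes.
	$atts = shortcode_atts(
		array(
			'attachment_id' => 0,
			'poster'        => '',
			'width'         => '',
			'height'        => '',
			'controls'      => 'true',
			'autoplay'      => '',
			'loop'          => '',
			'muted'         => '',
			'preload'       => 'metadata',
		),
		(array) $atts,
		'rt_media'
	);
	// shortcode_atts() drops every key absent from the defaults, so an injected
	// onerror="..." or style="..." never reaches the whitelist loop below.

	$attachment_id = absint( $atts['attachment_id'] );
	if ( 0 === $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
		return rt_media_example_fallback( __( 'Invalid attachment ID.', 'rt-media-example' ) );
	}

	// Only video/* and audio/* attachments get a player; everything else is unsupported.
	$mime = (string) get_post_mime_type( $attachment_id );
	$tag  = strtok( $mime, '/' );
	if ( ! in_array( $tag, array( 'video', 'audio' ), true ) ) {
		return rt_media_example_fallback( __( 'Unsupported media type.', 'rt-media-example' ) );
	}

	// wp_get_attachment_url() is derived from post meta and still returns a URL after the
	// file has been deleted from disk, so check the local path before emitting a player.
	$src  = wp_get_attachment_url( $attachment_id );
	$path = get_attached_file( $attachment_id );
	if ( ! $src || ! $path || ! file_exists( $path ) ) {
		return rt_media_example_fallback( __( 'Media file unavailable.', 'rt-media-example' ) );
	}

	// Attribute names come from the whitelist only; values are escaped per kind.
	$html_atts = array( 'src="' . esc_url( $src ) . '"' );
	foreach ( rt_media_example_allowed_attributes( $tag ) as $name => $kind ) {
		$value = $atts[ $name ];
		switch ( $kind ) {
			case 'url':
				if ( '' !== $value ) {
					$html_atts[] = $name . '="' . esc_url( $value ) . '"';
				}
				break;
			case 'int':
				if ( absint( $value ) > 0 ) {
					$html_atts[] = $name . '="' . absint( $value ) . '"';
				}
				break;
			case 'bool':
				if ( filter_var( $value, FILTER_VALIDATE_BOOLEAN ) ) {
					$html_atts[] = $name;
				}
				break;
			case 'preload':
				if ( in_array( $value, array( 'none', 'metadata', 'auto' ), true ) ) {
					$html_atts[] = 'preload="' . esc_attr( $value ) . '"';
				}
				break;
		}
	}

	return sprintf(
		'<%1$s %2$s>%3$s</%1$s>',
		$tag,
		implode( ' ', $html_atts ),
		esc_html__( 'Your browser does not support this media element.', 'rt-media-example' )
	);
}
add_shortcode( 'rt_media', 'rt_media_example_shortcode' );
```

Two caveats a reviewer would raise on this pattern. First, the `file_exists()` check assumes media lives on the local filesystem; on sites that offload uploads to object storage, `get_attached_file()` may point at a path that was never written locally, and the check would wrongly return "Media file unavailable." for every attachment, so it should be skipped or replaced with the offload plugin's own existence check there. Second, the whitelist is the real control: `esc_attr()` stops a value from breaking out of its quotes, but it does not make an attacker-chosen attribute name safe, which is why attribute names are never taken from the shortcode input and boolean attributes are emitted only as bare names.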

@subodhr258 subodhr258 requested a review from Copilot August 22, 2025 08:25

Copilot AI left a comment


Pull Request Overview

This PR hardens the [rt_media] shortcode against XSS vulnerabilities by implementing proper attribute validation, sanitization, and error handling for media attachments.

  • Adds comprehensive input validation and sanitization for all shortcode attributes
  • Implements whitelist-based attribute filtering to prevent arbitrary attribute injection
  • Introduces graceful error handling with user-friendly messages for invalid or missing media


@krishana7911 krishana7911 merged commit 866ea7a into develop Aug 22, 2025
1 of 2 checks passed


3 participants