This repository was archived by the owner on Aug 22, 2025. It is now read-only.

Conversation

@krishana7911
Contributor

Summary

This PR hardens the [rt_media] shortcode against potential XSS and attribute injection vulnerabilities, and improves error handling for invalid or missing media.

Changelog

1.4.1 [August 22, 2025]

  • FIXED
    • Added validation and sanitization for [rt_media] shortcode attributes.
    • Graceful fallback when media file is unavailable (prevents broken audio/video players).

Changes

Security

  • Validated and sanitized all shortcode attributes before output.
  • Restricted allowed attributes (src, poster, etc.) for video/audio to prevent arbitrary attribute injection.
  • Escaped all attribute values (esc_url for URLs, esc_attr for others).
  • Enforced absint() on attachment_id to prevent non-integer input.

Error Handling / UX

  • Added fallback message when:
    • Invalid or missing attachment_id is passed.
    • Media type is not supported.
    • Media file URL cannot be resolved (e.g., file deleted).
  • Prevents rendering broken <video> / <audio> players.

Why

  • Fixes possible XSS when unsanitized attributes were injected into shortcode output.
  • Makes shortcode safer to use across all roles (e.g., contributors submitting posts).
  • Provides a clearer user experience by showing friendly messages instead of silent failures or broken players.

Testing

  1. Add [rt_media attachment_id="valid_id"] → should render media correctly.
  2. Add [rt_media attachment_id="invalid_id"] → should show "Invalid attachment ID." message.
  3. Add [rt_media attachment_id="valid_id"] where file is missing → should show "Media file unavailable."
  4. Try injecting malicious attributes in the shortcode → should be sanitized and not execute.
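The checks this PR describes, as an added PHP illustration that is not the plugin's own code: the handler name, the allowed attribute list (`poster`, `controls`), and the error markup are assumptions; the WordPress functions used are real.

```php
<?php
// Added illustration of the hardening described in this PR; not the plugin's code.
// Handler name, attribute whitelist and error markup are assumptions.

function example_rt_media_shortcode( $atts ) {
    // shortcode_atts() drops every attribute not listed here, so an author
    // cannot smuggle onerror="..." or similar into the rendered tag.
    $atts = shortcode_atts(
        array(
            'attachment_id' => 0,
            'poster'        => '',
            'controls'      => 'true',
        ),
        $atts,
        'rt_media'
    );

    // absint() turns "abc", negative values and anything non-numeric into 0.
    $attachment_id = absint( $atts['attachment_id'] );
    if ( 0 === $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        return '<p class="rt-media-error">' . esc_html( 'Invalid attachment ID.' ) . '</p>';
    }

    // Decide the element from the stored MIME type, never from user input.
    $mime = (string) get_post_mime_type( $attachment_id );
    if ( 0 === strpos( $mime, 'video/' ) ) {
        $tag = 'video';
    } elseif ( 0 === strpos( $mime, 'audio/' ) ) {
        $tag = 'audio';
    } else {
        return '<p class="rt-media-error">' . esc_html( 'Media type is not supported.' ) . '</p>';
    }

    // wp_get_attachment_url() returns false when no file can be resolved for the row.
    $src = wp_get_attachment_url( $attachment_id );
    if ( ! $src ) {
        return '<p class="rt-media-error">' . esc_html( 'Media file unavailable.' ) . '</p>';
    }

    // Escape each value for its context: esc_url() for URLs, esc_attr() otherwise.
    $attrs = ' src="' . esc_url( $src ) . '"';
    if ( 'video' === $tag && '' !== $atts['poster'] ) {
        $attrs .= ' poster="' . esc_url( $atts['poster'] ) . '"';
    }
    if ( 'true' === esc_attr( $atts['controls'] ) ) {
        $attrs .= ' controls';
    }

    return sprintf( '<%1$s%2$s></%1$s>', $tag, $attrs );
}
add_shortcode( 'rt_media', 'example_rt_media_shortcode' );
```

The three early returns correspond to the three fallback cases listed under Error Handling / UX, so a deleted file yields a message instead of an empty player.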

@krishana7911 krishana7911 self-assigned this Aug 22, 2025
@krishana7911 krishana7911 merged commit f2e8501 into master Aug 22, 2025
4 of 5 checks passed