Fix/security improvements

feed-block.php

@@ -5,7 +5,7 @@
  * Description:       Advanced RSS & Atom feed block with configurable child blocks, similar to the Query Loop block.
  * Requires at least: 6.2
  * Requires PHP:      7.0
- * Version:           0.5.0
+ * Version:           0.6.0
  * Author:            Cory Hughart
  * Author URI:        https://coryhughart.com
  * License:           GPL-3.0-or-later

includes/ajax.php

@@ -21,7 +21,7 @@ function get_feed_action() {
 
 	$url = filter_input( INPUT_POST, 'url', FILTER_SANITIZE_URL );
 
-	if ( ! $url ) {
+	if ( ! $url || ! wp_http_validate_url( $url ) ) {
 		wp_send_json_error( 'Invalid URL' );
 	}
 

includes/feed.php

@@ -120,7 +120,6 @@ function( $namespace_item ) {
 			}
 
 			// Find the primary image.
-			// TODO: handle enclosures?
 			$image = false;
 
 			// Check for itunes:image.
@@ -129,10 +128,22 @@ function( $namespace_item ) {
 				$image = $itunes_image[0]['attribs']['']['href'];
 			}
 
+			// Check for enclosure with image type.
+			if ( ! $image ) {
+				$enclosure = $feed_item->get_enclosure();
+				if ( $enclosure ) {
+					$enclosure_type = $enclosure->get_type();
+					if ( $enclosure_type && strpos( $enclosure_type, 'image/' ) === 0 ) {
+						$image = $enclosure->get_link();
+					}
+				}
+			}
+
 			// Parse and strip images from content, grab first image if needed.
 			$dom = new \DOMDocument();
-			// Must convert encoding, or otherwise will be interpreted as ISO-8859-1 https://stackoverflow.com/a/28502287/900971
-			$dom->loadHTML( mb_convert_encoding( $feed_item->get_content(), 'HTML-ENTITIES', $feed->get_encoding() ?? 'UTF-8' ) );
+			$content = $feed_item->get_content();
+			// Use XML encoding declaration for UTF-8 support and LIBXML_NOERROR to suppress HTML5 tag warnings.
+			$dom->loadHTML( '<?xml encoding="UTF-8">' . $content, LIBXML_NOERROR );
 			$images = $dom->getElementsByTagName( 'img' );
 			if ( $images->length ) {
 				if ( ! $image ) {

includes/util.php

@@ -128,8 +128,8 @@ function get_block_border_attributes( $attributes ) {
  */
 function get_img_url( $html, $encoding = 'UTF-8' ) {
 	$dom   = new \DOMDocument();
-	// Must convert encoding, or otherwise will be interpreted as ISO-8859-1 https://stackoverflow.com/a/28502287/900971
-	$dom->loadHTML( mb_convert_encoding( $html, 'HTML-ENTITIES', $encoding ) );
+	// Use XML encoding declaration for UTF-8 support and LIBXML_NOERROR to suppress HTML5 tag warnings.
+	$dom->loadHTML( '<?xml encoding="UTF-8">' . $html, LIBXML_NOERROR );
 	$images = $dom->getElementsByTagName( 'img' );
 	if ( $images->length ) {
 		return $images->item( 0 )->getAttribute( 'src' );

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "feed-block",
-	"version": "0.5.0",
+	"version": "0.6.0",
 	"description": "Advanced RSS and Atom feed block with configurable child blocks, similar to the Query Loop block.",
 	"author": {
 		"name": "Cory Hughart",

readme.txt

@@ -2,7 +2,7 @@
 Contributors:      cr0ybot
 Tags:              block, rss, atom, feed
 Tested up to:      6.2
-Stable tag:        0.5.0
+Stable tag:        0.6.0
 License:           GPL-3.0-or-later
 License URI:       https://www.gnu.org/licenses/gpl-3.0.html
 

src/blocks/feed-item-date/render.php

@@ -36,7 +36,7 @@
 
 $custom_input_format = $attributes['inputFormat'] ?: $default_input_format;
 // Note: when using default date_published/date_modified, input is ATOM format.
-$input_format = $is_custom_tag ? $custom_input_format : DateTIme::ATOM;
+$input_format = $is_custom_tag ? $custom_input_format : DateTime::ATOM;
 $display_format = $attributes['displayFormat'] ?: $default_display_format;
 
 $atts          = get_block_border_attributes( $attributes );

src/blocks/feed-item-image/render.php

@@ -51,7 +51,7 @@
 $overlay_markup = get_block_feed_item_image_overlay_element_markup( $attributes );
 
 if ( $is_link ) {
-	$img_atts['alt'] = $block->context['feed-block/item/title'];
+	$img_atts['alt'] = $block->context['feed-block/item/title'] ?? '';
 }
 
 $extra_styles = '';
@@ -80,12 +80,13 @@
 $item_image = sprintf( '<img src="%1$s" %2$s />', esc_url( $img_url ), $img_atts_html );
 
 if ( $is_link ) {
+	$link_url   = $block->context['feed-block/item/url'] ?? '';
 	$rel        = ! empty( $block->context['feed-block/itemLinkRel'] ) ? 'rel="' . esc_attr( $block->context['feed-block/itemLinkRel'] ) . '"' : '';
 	$height     = ! empty( $attributes['height'] ) ? 'style="' . esc_attr( safecss_filter_attr( 'height:' . $attributes['height'] ) ) . '"' : '';
 	$item_image = sprintf(
 		'<a href="%1$s" target="%2$s" %3$s %4$s>%5$s%6$s</a>',
-		esc_url( $img_url ),
-		esc_attr( $block->context['feed-block/itemLinkTarget'] ),
+		esc_url( $link_url ),
+		esc_attr( $block->context['feed-block/itemLinkTarget'] ?? '_self' ),
 		$rel,
 		$height,
 		$item_image,

src/blocks/feed-item-link/render.php

@@ -17,14 +17,12 @@
 
 $atts = get_block_border_attributes( $attributes );
 
-$rel = ! empty( $block->context['feed-block/itemLinkRel'] ) ? 'rel="' . esc_attr( $block->context['feed-block/itemLinkRel'] ) . '"' : '';
-if ( ! empty( $rel ) ) {
-	$atts['rel'] = $rel;
+if ( ! empty( $block->context['feed-block/itemLinkRel'] ) ) {
+	$atts['rel'] = esc_attr( $block->context['feed-block/itemLinkRel'] );
 }
 
-$target = ! empty( $block->context['feed-block/itemLinkTarget'] ) ? 'target="' . esc_attr( $block->context['feed-block/itemLinkTarget'] ) . '"' : '';
-if ( ! empty( $target ) ) {
-	$atts['target'] = $target;
+if ( ! empty( $block->context['feed-block/itemLinkTarget'] ) ) {
+	$atts['target'] = esc_attr( $block->context['feed-block/itemLinkTarget'] );
 }
 
 printf(

src/blocks/feed-item-summary/render.php

@@ -42,11 +42,11 @@
 <div <?php echo $wrapper_attributes; ?>>
 <?php
 if ( ! $attributes['showMore'] ) :
-	echo $content; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+	echo esc_html( $content );
 else :
 	if ( $attributes['showMoreOnNewLine'] ) :
 		?>
-	<p><?php echo $content; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?></p>
+	<p><?php echo esc_html( $content ); ?></p>
 	<p><?php echo $readMoreLink; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?></p>
 		<?php
 	else :