YouTube Embed - Version 5.0.2

Version Description

  • Enhancement: I now include the shortcodes code whether you're in admin or not, as there is no performance improvement by doing otherwise
  • Enhancement: After WordPress 4.6 you don't need to load the text domain. So I don't!
  • Enhancement: Fixed XSS vulnerability by restricting which HTML tags can be used in the template field

Release Info

Developer dartiss
Version 5.0.2

Code changes from version 5.0.1 to 5.0.2

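--- a/includes/add-scripts.php
+++ b/includes/add-scripts.php
@@ -49,9 +49,15 @@ if ( $version != youtube_embed_version ) {
 
  function ye_plugin_init() {
 
- $language_dir = plugin_basename( dirname( __FILE__ ) ) . '/languages/';
+ global $wp_version;
 
- load_plugin_textdomain( 'youtube-embed', false, $language_dir );
+ if ( 4.6 >= ( float ) $wp_version ) {
+
+ $language_dir = plugin_basename( dirname( __FILE__ ) ) . '/languages/';
+
+ load_plugin_textdomain( 'youtube-embed', false, $language_dir );
+
+ }
  }
 
  add_action( 'init', 'ye_plugin_init' );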
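Review bot: The gate `if ( 4.6 >= ( float ) $wp_version )` in ye_plugin_init() compares a float cast of the version string, which discards the patch component (so "4.6.1" is treated as 4.6 and still loads the text domain) and would misorder a two-digit minor such as "4.10". `version_compare()` handles version strings directly; if the intent is to skip the explicit load from 4.6 onwards, as the changelog entry suggests, the condition would be `if ( version_compare( $wp_version, '4.6', '<' ) ) {`. A one-line comment above the condition saying why older versions still need the explicit load would help the next reader.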
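--- a/includes/options-profiles.php
+++ b/includes/options-profiles.php
@@ -8,7 +8,7 @@
  * @since 2.0
  */
 
- $demo_video = '8qMtsir0l9k';
+ $demo_video = 'EYs_FckMqow';
 
  // Set current profile number
 
@@ -23,7 +23,36 @@ if ( ( !empty( $_POST[ 'Submit' ] ) ) && ( check_admin_referer( 'youtube-embed-p
  $options[ 'width' ] = sanitize_text_field( $_POST[ 'youtube_embed_width' ] );
  $options[ 'height' ] = sanitize_text_field( $_POST[ 'youtube_embed_height' ] );
 
- $options[ 'template' ] = htmlspecialchars_decode( $_POST[ 'youtube_embed_template' ] );
+ $allowed_html = array( 'a' => array( 'href' => array(),
+ 'title' => array(),
+ 'target' => array(),
+ 'class' => array(),
+ 'id' => array(),
+ 'style' => array()
+ ),
+ 'img' => array( 'src' => array(),
+ 'alt' => array(),
+ 'height' => array(),
+ 'width' => array(),
+ 'align' => array(),
+ 'class' => array(),
+ 'id' => array(),
+ 'style' => array()
+ ),
+ 'div' => array( 'class' => array(),
+ 'id' => array(),
+ 'style' => array()
+ ),
+ 'span' => array('class' => array(),
+ 'id' => array(),
+ 'style' => array()
+ ),
+ 'br' => array(),
+ 'p' => array(),
+ 'strong' => array(),
+ );
+
+ $options[ 'template' ] = wp_kses( htmlspecialchars_decode( $_POST[ 'youtube_embed_template' ] ), $allowed_html );
  if ( strpos( $options[ 'template' ], '%video%' ) === false ) { $options[ 'template' ] = '%video%'; }
 
  $options[ 'style' ] = sanitize_text_field( $_POST[ 'youtube_embed_style' ] );
@@ -161,7 +190,7 @@ echo ' ' . __( 'Use the drop-down on the right hand side to swap between profile
  <tr>
  <th scope="row"><?php _e( 'Template', 'youtube-embed' ); ?></th>
  <td><label for="youtube_embed_template"><textarea name="youtube_embed_template" rows="4" cols="50" class="large-text code"><?php echo esc_html( $options[ 'template' ] ); ?></textarea>
- <p class="description"><?php _e( 'Wrapper for video output. Must include <code>%video%</code> tag to show video position.', 'youtube-embed' ); ?></p></label></td>
+ <p class="description"><?php _e( 'Wrapper for video output. Must include <code>%video%</code> tag to show video position. Valid HTML tags are <code>a</code>, <code>br</code>, <code>div</code>, <code>img</code>, <code>p</code>, <code>span</code> and <code>strong</code>.', 'youtube-embed' ); ?></p></label></td>
  </tr>
 
  <!-- Style -->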
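Review bot: The `wp_kses()` allowlist in the second hunk is applied only where the profile form is saved, so a template that reaches output by another route is not covered: readme.txt says the template can also be given as a parameter, and templates stored before 5.0.2 stay in the options unchanged; neither path is visible in this diff, so this should be confirmed in the rendering code. Filtering again where the template is emitted, e.g. `$template = wp_kses( $template, $allowed_html );` with the array moved into a shared helper, would cover all three cases. Separately, the `div` entry allows only `class`, `id` and `style`, while the readme example `<div align="center">%video%</div>` relies on `align`, which would be stripped on save; adding `'align' => array(),` to the `div` entry keeps the documented example working. The enclosing `if` block starts and ends outside the hunk.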
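--- a/readme.txt
+++ b/readme.txt
@@ -3,8 +3,8 @@ Contributors: dartiss
  Donate link: http://www.artiss.co.uk/donate
  Tags: embed, insert, video, youtube
  Requires at least: 3.9
- Tested up to: 4.6
- Stable tag: 5.0.1
+ Tested up to: 4.6.1
+ Stable tag: 5.0.2
  License: GPLv2 or later
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -133,10 +133,12 @@ An alternative to the YouTube build playlists is the build-in lists function - s
 
  Both in the profile and as a parameter you can specify a template. This allows you to define any CSS that you wish to "wrap" around the YouTube output.
 
- The template consists simply of any HTML that you wish but with `%video%` where you wish the video to appear.
+ The template consists simply of your choice of HTML but with `%video%` where you wish the video to appear.
 
  e.g. `<div align="center">%video%</div>`
 
+ For reasons of security, only specific HTML tags are valid - these are a, br, div, img, p span and strong. If there are any others that you'd like to have added, please let me know via the forum.
+
  == Profiles ==
 
  You've probably already had a look at the default profile, accessible by selecting Profiles from the YouTube Embed Administration menu option. Here you can specify the default option which will apply to any embedded video.
@@ -330,6 +332,11 @@ Before reporting it please bear in mind that this plugin uses the standard YouTu
 
  == Changelog ==
 
+ = 5.0.2 =
+ * Enhancement: I now include the shortcodes code whether you're in admin or not, as there is no performance improvement by doing otherwise
+ * Enhancement: After WordPress 4.6 you don't need to load the text domain. So I don't!
+ * Enhancement: Fixed XSS vulnerability by restricting which HTML tags can be used in the template field
+
  = 5.0.1 =
  * Maintenance: Now suppressing errors when fetching of API data fails
  * Maintenance: Updated the drop-down of video sizes in the profiles screen, based upon latest YouTube recommendations
@@ -516,5 +523,5 @@ Before reporting it please bear in mind that this plugin uses the standard YouTu
 
  == Upgrade Notice ==
 
- = 5.0.1 =
- * A soothing band-aid to place on top of the lightly grazed 5.0
+ = 5.0.2 =
+ *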
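--- a/youtube-embed.php
+++ b/youtube-embed.php
@@ -3,7 +3,7 @@
  Plugin Name: YouTube Embed
  Plugin URI: https://wordpress.org/plugins/youtube-embed/
  Description: Embed YouTube Videos in WordPress
- Version: 5.0.1
+ Version: 5.0.2
  Author: dartiss
  Author URI: http://www.artiss.co.uk
  Text Domain: youtube-embed
@@ -19,7 +19,7 @@ Domain Path: /languages
  * @since 2.0
  */
 
- define( 'youtube_embed_version', '5.0.1' );
+ define( 'youtube_embed_version', '5.0.2' );
 
  $functions_dir = plugin_dir_path( __FILE__ ) . 'includes/';
 
@@ -39,13 +39,7 @@ include_once( $functions_dir . 'api-access.php' ); // Fetch video data from
 
  include_once( $functions_dir . 'caching.php' ); // Data caching functions
 
- if ( is_admin() && !( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
+ include_once( $functions_dir . 'shortcodes.php' ); // Shortcodes
 
- include_once( $functions_dir . 'admin-config.php' ); // Administration configuration
-
- } else {
-
- include_once( $functions_dir . 'shortcodes.php' ); // Shortcodes
-
- }
+ include_once( $functions_dir . 'admin-config.php' ); // Administration configuration
  ?>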
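Review bot: The last hunk removes the `is_admin()` guard from both includes, so `admin-config.php` is now loaded on every front-end and AJAX request, although the release description only mentions loading the shortcodes everywhere. Whether that matters depends on what admin-config.php registers at load time, which is not visible here, but keeping admin-only code off public requests is the smaller surface. The shortcodes include can stay unconditional while the admin include keeps its original condition: `if ( is_admin() && !( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) { include_once( $functions_dir . 'admin-config.php' ); }`.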