Sanitize the iCal URL before initializing (#2607)

* Sanitize the iCal URL before initializing * Escape the URL * Refuse localhost URLs in events block * sanitize_url * Update error string * esc_url_raw()
godaddy-wordpress · Apr 30, 2024 · b5b5fb7 · b5b5fb7
1 parent f64b933
commit b5b5fb7
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/blocks/events/index.php b/src/blocks/events/index.php
@@ -19,6 +19,11 @@ function coblocks_render_coblocks_events_block( $attributes, $content ) {
 		return $content;
 	}
 
+	// If externalCalendarUrl contains a localhost URL, return an error message.
+	if ( strpos( $attributes['externalCalendarUrl'], 'localhost' ) !== false || strpos( $attributes['externalCalendarUrl'], '127.0' ) !== false ) {
+		return '<div class="components-placeholder"><div class="notice notice-error">' . __( 'An error has occurred. localhost URLs are not permitted.', 'coblocks' ) . '</div></div>';
+	}
+
 	try {
 		$ical = new \CoBlocks_ICal(
 			false,
@@ -34,7 +39,7 @@ function coblocks_render_coblocks_events_block( $attributes, $content ) {
 				'use_timezone_with_r_rules'     => false,
 			)
 		);
-		$ical->init_url( $attributes['externalCalendarUrl'] );
+		$ical->init_url( esc_url_raw( $attributes['externalCalendarUrl'] ) );
 
 		if ( 'all' === $attributes['eventsRange'] ) {
 			$events = $ical->events_from_range();