• In the 6.4.8 changelog it mentions that format arguments/values have been added to events_calendar shortcode, [event_tags] and [event_tag] shortcodes.

    Can anyone tell me please what these format arguments/values are or where to find them as I can’t see anything in the documentation.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Here’s the comment in the code about the new format parameter:

    If supplied via $args in shortcode context, we cannot guarantee the format HTML is safe as it can be invoked by any user. Therefore, we must wp_kses it.
    We strongly suggest users to add formats within the shortcode such as [event]format[/event] to avoid this, and header/footer HTML surrounds the shortcode.

    It looks like the change is related to the fix for preventing the XSS vulnerability.

    Plugin Author Marcus (@msykes)

    Hi @joneiseman thanks for all your input!

    We’ve fully updated our docs page for shortcode parameters with all the latest formatting.

    As indicated by @joneiseman we’ve been forced to correct this issue as it did present a potential XSS vulnerability. Shortcode args don’t get sanitized by WordPress, and we can’t do it on the fly since it should be done when saving that post with the shortcode, and depending on who’s doing the saving.
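
The pattern discussed in this thread, as an added example that is not part of the original posts and is not Events Manager code: a hypothetical `[demo_event]` shortcode that passes a `format` supplied as an attribute through `wp_kses_post()` and uses a format supplied between the tags as is. The shortcode name, the `{name}`/`{date}` placeholders and the sample event data are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Demo Format Shortcode (added example, hypothetical)
 */

// Hypothetical handler for [demo_event]; not the plugin's own code.
function demo_event_shortcode( $atts, $content = null ) {
    // Only accept the attributes we know about; 'format' defaults to empty.
    $atts = shortcode_atts( array( 'format' => '' ), $atts, 'demo_event' );

    if ( ! empty( $content ) ) {
        // Format written between the tags: [demo_event]...[/demo_event].
        // Assumption of this example: it is used as supplied.
        $format = $content;
    } elseif ( '' !== $atts['format'] ) {
        // Format passed as an attribute: WordPress does not sanitize
        // shortcode attributes, so filter the HTML before output.
        // wp_kses_post() keeps only the tags and attributes allowed in
        // post content (no <script>, no on* event handlers).
        $format = wp_kses_post( $atts['format'] );
    } else {
        // Fallback format used when none is supplied.
        $format = '<strong>{name}</strong> ({date})';
    }

    // Constructed sample data standing in for a real event record.
    $event = array(
        '{name}' => 'Sample <Event>',
        '{date}' => '2024-01-01',
    );

    // Escape the values themselves so data cannot inject markup either.
    $replacements = array_map( 'esc_html', $event );

    // Substitute placeholders in the (already filtered) format string.
    return strtr( $format, $replacements );
}
add_shortcode( 'demo_event', 'demo_event_shortcode' );
```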
