From 313159c74ab7755f4824e426ad9e5ab5cdbd1d40 Mon Sep 17 00:00:00 2001
From: Stefan Kalscheuer <stefan@stklcode.de>
Date: Tue, 4 Feb 2025 17:58:19 +0100
Subject: [PATCH] fix: escape ticker ID in shortcode output (#28)

Ticker ID is user input and may contain literally anything. While this
is properly escaped in the internal query, we should also escape it in
the generated HTML output.
---
 includes/class-scliveticker.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/includes/class-scliveticker.php b/includes/class-scliveticker.php
index 89ab174..4405a2b 100644
--- a/includes/class-scliveticker.php
+++ b/includes/class-scliveticker.php
@@ -232,7 +232,7 @@ class SCLiveticker {
 			$output = '<div class="wp-block-scliveticker-ticker';
 			if ( 1 === self::$options['enable_ajax'] ) {
 				$output .= ' sclt-ajax" '
-							. 'data-sclt-ticker="' . $ticker . '" '
+							. 'data-sclt-ticker="' . esc_attr( $ticker ) . '" '
 							. 'data-sclt-limit="' . $limit . '" '
 							. 'data-sclt-last="' . $last;
 			}
@@ -242,9 +242,9 @@ class SCLiveticker {
 			if ( $show_feed ) {
 				$feed_link = get_post_type_archive_feed_link( 'scliveticker_tick' ) . '';
 				if ( false === strpos( $feed_link, '&' ) ) {
-					$feed_link .= '?scliveticker_ticker=' . $ticker;
+					$feed_link .= '?scliveticker_ticker=' . rawurlencode( $ticker );
 				} else {
-					$feed_link .= '&scliveticker_ticker=' . $ticker;
+					$feed_link .= '&scliveticker_ticker=' . rawurlencode( $ticker );
 				}
 				$output .= '<a href="' . esc_attr( $feed_link ) . '">Feed</a>';
 			}