Version 0.90.0, fixes xss issue

Author: picandocodigo

include/lcp-catlistdisplayer.php

@@ -177,6 +177,13 @@ private function content_getter($type, $post, $tag = null, $css_class = null) {
       $info = $this->catlist->get_content($post);
       break;
     case 'excerpt':
+      # Security vulnerability fix for Stored Cross-Site Scripting
+      # If a post has this excerpt: alert(/XSS/)
+      # Another post could use  [catlist excerpt_tag='script' excerpt=yes]
+      # and the XSS would be triggered.
+      if ( $tag == 'script' ) {
+        $tag = null;
+      }
       $info = $this->catlist->get_excerpt($post);
       if ( ! empty( $info ) ) {
         $info = preg_replace('/\[.*\]/', '', $info);

list-category-posts.php

@@ -3,7 +3,7 @@
   Plugin Name: List category posts
   Plugin URI: https://github.com/picandocodigo/List-Category-Posts
   Description: List Category Posts allows you to list posts by category in a post/page using the [catlist] shortcode. This shortcode accepts a category name or id, the order in which you want the posts to display, the number of posts to display and many more parameters. You can use [catlist] as many times as needed with different arguments. Usage: [catlist argument1=value1 argument2=value2].
-  Version: 0.89.9
+  Version: 0.90.0
   Author: Fernando Briano
   Author URI: http://fernandobriano.com
 

readme.txt

@@ -5,7 +5,7 @@ Tags: list, categories, posts, cms
 Requires at least: 3.3
 Tested up to: 6.7.1
 Requires PHP: 5.6
-Stable tag: 0.89.9
+Stable tag: 0.90.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -237,6 +237,10 @@ Template system has changed. Custom templates should be stored in WordPress them
 
 == Changelog ==
 
+= 0.90.0 =
+
+* Fixes a Stored Cross-Site Scripting issue using `excerpt_tag='script'`.
+
 = 0.89.9 =
 
 * Fix deprecation notices caused by tag_escape - https://wordpress.org/support/topic/php-deprecated-preg_replace-passing-null-to-parameter-3/