Title: Security Patch
Last modified: October 26, 2023

---

# Security Patch

 *  [Michael Aronoff](https://wordpress.org/support/users/masterk/)
 * (@masterk)
 * [2 years, 6 months ago](https://wordpress.org/support/topic/security-patch-3/)
 * I have not found a replacement but have not been happy about the security issue.
   So I have made a patch. Be warned that the patch below might break some of the
   advanced shortcode options. I do not use any of them so what I did was sanitize
   each to strip out any HTML.
 * Starting at line 144 in /includes/class-widget-shortcode.php of the plugin.
 *     ```php
       			'before_widget' => '<' . esc_html($container_tag) . ' id="' . esc_html($container_id) . '" class="' . esc_html($container_class) . ' ' . esc_html($css_class) . '">',
       			'before_title' => '<' . esc_html($title_tag) . ' class="' . esc_html($title_class) . '">',
       			'after_title' => '</' . esc_html($title_tag) . '>',
       			'after_widget' => '</' . esc_html($container_tag) . '>',
       ```
   
 * So as you can see I have wrapped every shortcode option with an esc_html function
   to strip any HTML out of the inputs. If you use html in any of these such as
   css_class it will break things. But if you only use the plugin to place widgets
   on your site with the basic shortcode structure like [widget id="text-2"] then
   it will still work and be secure.
 * If you do this I also suggest you edit the version number in the main file init.php
   so that site scans do not show the vulnerable version number.
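
An added example, not the poster's patch and not the plugin's own code: context-specific validation for the same four array keys, with tag names checked against an allowlist, class lists reduced to safe tokens, and the id escaped as an attribute value. The shortcode attribute key names, the allowlist contents, the default tags and the helper names are assumptions made for illustration.

```php
<?php
// Standalone stand-ins so this runs outside WordPress; in a plugin, esc_attr(),
// tag_escape() and sanitize_html_class() are the core helpers for these contexts.
// Hypothetical allowlist: extend it to the wrapper tags the site really uses.
const ALLOWED_TAGS = ['div', 'section', 'aside', 'span', 'p', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6'];

// Tag names: HTML escaping cannot constrain them, so accept known values only.
function safe_tag(string $tag, string $default): string {
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_TAGS, true) ? $tag : $default;
}

// Class lists: split on whitespace and keep only [A-Za-z0-9_-] in each token.
function safe_classes(string $classes): string {
    $out = [];
    foreach (preg_split('/\s+/', trim($classes), -1, PREG_SPLIT_NO_EMPTY) as $token) {
        $token = preg_replace('/[^A-Za-z0-9_-]/', '', $token);
        if ($token !== '') {
            $out[] = $token;
        }
    }
    return implode(' ', $out);
}

// Attribute values: escape quotes as well as angle brackets and ampersands.
function safe_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the four keys from the post; the $atts key names are assumed.
function widget_args(array $atts): array {
    $container = safe_tag($atts['container_tag'] ?? '', 'div');
    $title     = safe_tag($atts['title_tag'] ?? '', 'h2');
    $classes   = safe_classes(($atts['container_class'] ?? '') . ' ' . ($atts['css_class'] ?? ''));
    return [
        'before_widget' => '<' . $container . ' id="' . safe_attr($atts['container_id'] ?? '') . '" class="' . $classes . '">',
        'before_title'  => '<' . $title . ' class="' . safe_classes($atts['title_class'] ?? '') . '">',
        'after_title'   => '</' . $title . '>',
        'after_widget'  => '</' . $container . '>',
    ];
}

// Constructed sample input: values typed into shortcode attributes.
$atts = [
    'container_tag' => 'div data-x=1', 'title_tag' => 'h3',
    'container_id' => 'w1" title="x', 'container_class' => 'widget',
    'css_class' => 'box wide">', 'title_class' => 'widget-title',
];
print_r(widget_args($atts));
```

With the constructed input, the container tag falls back to `div` because `div data-x=1` is not in the allowlist, and the quotes in the id are emitted as `&quot;`.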

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [Terry J](https://wordpress.org/support/users/texasbiz/)
 * (@texasbiz)
 * [2 years, 6 months ago](https://wordpress.org/support/topic/security-patch-3/#post-17154197)
 * [@masterk](https://wordpress.org/support/users/masterk/), thanks!
 * Was very useful plugin. Unfortunately, I have lost all of my copies. Now WP org
   has prevented new downloads…
 *  Thread Starter [Michael Aronoff](https://wordpress.org/support/users/masterk/)
 * (@masterk)
 * [2 years, 6 months ago](https://wordpress.org/support/topic/security-patch-3/#post-17154198)
 * You can still grab it manually from the [SVN repository](https://plugins.svn.wordpress.org/widget-shortcode/trunk/).
 *  [Terry J](https://wordpress.org/support/users/texasbiz/)
 * (@texasbiz)
 * [2 years, 6 months ago](https://wordpress.org/support/topic/security-patch-3/#post-17154203)
 * > You can still grab it manually from the [SVN repository](https://plugins.svn.wordpress.org/widget-shortcode/trunk/).
 * Thanks! I was just looking at that


The topic ‘Security Patch’ is closed to new replies.


 * 3 replies
 * 2 participants
 * Last reply from: [Terry J](https://wordpress.org/support/users/texasbiz/)
 * Last activity: [2 years, 6 months ago](https://wordpress.org/support/topic/security-patch-3/#post-17154203)
 * Status: not resolved