From 32c6260f604c40d5d7f6e6b5dda1060403e91d81 Mon Sep 17 00:00:00 2001 From: Joe Hawes Date: Sun, 2 Feb 2025 15:39:30 -0800 Subject: [PATCH] v1.5.1 - Improved escaping of Shortcode attributes. --- Waymark.php | 2 +- inc/Front/Waymark_HTTP.php | 47 +----------------- inc/Front/Waymark_Shortcode.php | 84 ++++++++++++++++----------------- inc/Helpers/Waymark_Helper.php | 55 +++++++++++++++++++++ inc/Waymark_Config.php | 2 +- languages/waymark-en_CA.po | 2 +- languages/waymark-en_GB.po | 2 +- languages/waymark-es_ES.po | 2 +- languages/waymark-fr_CA.po | 2 +- languages/waymark-ja_JP.po | 2 +- languages/waymark-sv_SE.po | 2 +- languages/waymark-uk_UA.po | 2 +- languages/waymark-zh_CN.po | 2 +- languages/waymark.pot | 76 ++++++++++++++--------------- package.json | 2 +- readme.md | 6 ++- readme.txt | 6 ++- 17 files changed, 153 insertions(+), 143 deletions(-) diff --git a/Waymark.php b/Waymark.php index 4d55d91d..bb1fb497 100644 --- a/Waymark.php +++ b/Waymark.php @@ -4,7 +4,7 @@ Plugin Name: Waymark Plugin URI: https://www.waymark.dev/ Description: Mapping with WordPress made easy. With Waymark enabled, click on the "Maps" link in the sidebar to create and edit Maps. Once you are happy with your Map, copy the Waymark shortcode and add it to your content. -Version: 1.5.0 +Version: 1.5.1 Text Domain: waymark Author: Joe Hawes Author URI: https://www.morehawes.ca/ diff --git a/inc/Front/Waymark_HTTP.php b/inc/Front/Waymark_HTTP.php index 349ec872..dfa38470 100644 --- a/inc/Front/Waymark_HTTP.php +++ b/inc/Front/Waymark_HTTP.php 
@@ -137,29 +137,7 @@ public function template_redirect() { header('Content-Type: application/gpx+xml'); //Clean (allow GPX elements) - echo wp_kses($map_data, [ - 'gpx' => [ - 'creator' => true, - 'version' => true, - 'xmlns' => true, - 'xmlns:xsi' => true, - 'xsi:schemaLocation' => true, - ], - 'metadata' => [], - 'name' => [], - 'wpt' => [ - 'lat' => true, - 'lon' => true, - ], - 'desc' => [], - 'trk' => [], - 'trkseg' => [], - 'trkpt' => [ - 'lat' => true, - 'lon' => true, - ], - 'ele' => [], - ]); + echo wp_kses($map_data, Waymark_Helper::allowable_tags('gpx')); break; case 'kml': @@ -167,28 +145,7 @@ public function template_redirect() { // Clean (allow KML elements) echo ''; - echo wp_kses($map_data, [ - 'kml' => [ - 'xmlns' => true, - ], - 'document' => [], - 'placemark' => [], - 'name' => [], - 'extendeddata' => [], - 'data' => [ - 'name' => true, - ], - 'value' => [], - 'point' => [], - 'coordinates' => [], - 'description' => [], - 'linestring' => [], - 'linearring' => [], - 'polygon' => [], - 'outerboundaryis' => [], - 'innerboundaryis' => [], - 'multigeometry' => [], - ]); + echo wp_kses($map_data, Waymark_Helper::allowable_tags('kml')); break; case 'geojson': diff --git a/inc/Front/Waymark_Shortcode.php b/inc/Front/Waymark_Shortcode.php index 758c3847..9cce5f9b 100644 --- a/inc/Front/Waymark_Shortcode.php +++ b/inc/Front/Waymark_Shortcode.php @@ -6,12 +6,6 @@ function __construct() { } function handle_shortcode($shortcode_data, $content = null) { - // Sanitize - foreach ($shortcode_data as $key => $value) { - // Escape - $shortcode_data[$key] = esc_attr($value); - } - $out = ''; $map_class = 'waymark-map'; $shortcode_hash = substr(md5(wp_json_encode($shortcode_data)), 0, 6); 
@@ -83,7 +77,7 @@ function handle_shortcode($shortcode_data, $content = null) { $shortcode_meta = Waymark_Helper::get_collection_meta($Collection, 'shortcode'); //Map Class - $map_class .= ' waymark-collection-id-' . $collection_id; + $map_class .= ' waymark-collection-id-' . esc_attr($collection_id); // Collection Maps as GeoJSON @@ -172,14 +166,14 @@ function handle_shortcode($shortcode_data, $content = null) { } //Output HTML container - $out = "\n\n" . '' . "\n"; + $out = "\n\n" . '' . "\n"; $shortcode_style = ''; if ($map_width) { $shortcode_style .= 'width:' . $map_width . 'px'; } - $out .= '
' . "\n"; + $out .= '
' . "\n"; //Header ? $do_header = 0; @@ -256,7 +250,7 @@ function handle_shortcode($shortcode_data, $content = null) { $map_style = 'display:none;'; $map_style .= 'height:' . $map_height . 'px;min-height:' . $map_height . 'px;'; - $out .= '
' . "\n"; + $out .= '
' . "\n"; //Elevation? @@ -269,7 +263,7 @@ function handle_shortcode($shortcode_data, $content = null) { } if ($show_elevation) { - $out .= '
' . "\n"; + $out .= '
' . "\n"; } // Waymark_Helper::debug($show_elevation); @@ -290,10 +284,10 @@ function handle_shortcode($shortcode_data, $content = null) { $out .= ' if(typeof waymark_user_config === "undefined") { waymark_viewer.message("Configuration not found! Check for \"var waymark_user_config\" in your page HTML.", "error"); }' . "\n"; $out .= ' var waymark_config = jQuery.extend(true, {}, waymark_user_config);' . "\n"; - $out .= ' waymark_config.map_options.map_div_id = "waymark-map-' . $shortcode_hash . '";' . "\n"; - $out .= ' waymark_config.map_options.map_height = ' . $map_height . ";\n"; + $out .= ' waymark_config.map_options.map_div_id = "waymark-map-' . esc_js($shortcode_hash) . '";' . "\n"; + $out .= ' waymark_config.map_options.map_height = ' . esc_js($map_height) . ";\n"; if ($map_width) { - $out .= ' waymark_config.map_options.map_width = ' . $map_width . ";\n"; + $out .= ' waymark_config.map_options.map_width = ' . esc_js($map_width) . ";\n"; } // ===== Shortcode options (2/2) ===== @@ -304,7 +298,7 @@ function handle_shortcode($shortcode_data, $content = null) { $map_latlng_array = Waymark_Helper::latlng_string_to_array($latlng_string); if (is_array($map_latlng_array)) { - $out .= ' waymark_config.map_options.map_init_latlng = [' . $map_latlng_array[0] . ',' . $map_latlng_array[1] . '];' . "\n"; + $out .= ' waymark_config.map_options.map_init_latlng = [' . esc_js($map_latlng_array[0]) . ',' . esc_js($map_latlng_array[1]) . '];' . "\n"; } // } else if ($default_latlng = Waymark_Config::get_setting('misc', 'map_options', 'map_default_latlng')) { // // We have a valid LatLng 
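Review bot: `esc_js()` only makes a value safe inside a quoted JavaScript string, but `map_height` and `map_width` are written in the `@@ -290` hunk as bare expressions (`map_options.map_height = ' . esc_js($map_height) . ";\n"`), so nothing forces them to be numbers. This commit also removes the blanket `esc_attr()` loop at the top of `handle_shortcode()`, so each sink now has to be correct for its own context. Unless these variables are already cast above the hunk (not visible here), cast them once where they are read, e.g. `$map_height = absint($map_height);`, which also covers the `'height:' . $map_height . 'px;'` and `'width:' . $map_width . 'px'` style strings in the earlier hunks. The same unquoted pattern appears in the `@@ -304` hunk (`map_init_latlng`, where a `(float)` cast fits) and in the `@@ -385` hunk (`esc_js($overlay_display)`); the zoom values are at least guarded by `is_numeric()`. `handle_shortcode()` starts and ends outside these hunks.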
@@ -318,7 +312,7 @@ function handle_shortcode($shortcode_data, $content = null) { $map_init_zoom = $shortcode_data['map_zoom']; if (is_numeric($map_init_zoom)) { - $out .= ' waymark_config.map_options.map_init_zoom = ' . $map_init_zoom . ";\n"; + $out .= ' waymark_config.map_options.map_init_zoom = ' . esc_js($map_init_zoom) . ";\n"; } // Default Zoom // } elseif ($default_zoom = Waymark_Config::get_setting('misc', 'map_options', 'map_default_zoom')) { 
@@ -327,33 +321,33 @@ function handle_shortcode($shortcode_data, $content = null) { //Max Zoom if (array_key_exists('max_zoom', $shortcode_data) && is_numeric($shortcode_data['max_zoom'])) { - $out .= ' waymark_config.map_options.map_max_zoom = ' . $shortcode_data['max_zoom'] . ";\n"; + $out .= ' waymark_config.map_options.map_max_zoom = ' . esc_js($shortcode_data['max_zoom']) . ";\n"; } //Basemap? if (array_key_exists('basemap', $shortcode_data)) { - $out .= ' waymark_config.map_options.map_init_basemap = "' . $shortcode_data['basemap'] . '";' . "\n"; + $out .= ' waymark_config.map_options.map_init_basemap = "' . esc_js($shortcode_data['basemap']) . '";' . "\n"; } //Gallery? if (array_key_exists('show_gallery', $shortcode_data) && in_array($shortcode_data['show_gallery'], ['1', '0'])) { - $out .= ' waymark_config.viewer_options.show_gallery = ' . $shortcode_data['show_gallery'] . ';' . "\n"; + $out .= ' waymark_config.viewer_options.show_gallery = ' . esc_js($shortcode_data['show_gallery']) . ';' . "\n"; } //Overlay filter? if (array_key_exists('show_filter', $shortcode_data) && in_array($shortcode_data['show_filter'], ['1', '0'])) { - $out .= ' waymark_config.viewer_options.show_filter = ' . $shortcode_data['show_filter'] . ';' . "\n"; + $out .= ' waymark_config.viewer_options.show_filter = ' . esc_js($shortcode_data['show_filter']) . ';' . "\n"; } //Elevation? if ($show_elevation) { $out .= ' waymark_config.viewer_options.show_elevation = "1";' . "\n"; - $out .= ' waymark_config.viewer_options.elevation_div_id = "waymark-elevation-' . $shortcode_hash . '";' . "\n"; + $out .= ' waymark_config.viewer_options.elevation_div_id = "waymark-elevation-' . esc_js($shortcode_hash) . '";' . "\n"; //Units //Shortcode if (array_key_exists('elevation_units', $shortcode_data) && in_array($shortcode_data['elevation_units'], ['metric', 'imperial'])) { - $out .= ' waymark_config.viewer_options.elevation_units = "' . $elevation_units . '";' . 
"\n"; + $out .= ' waymark_config.viewer_options.elevation_units = "' . esc_js($shortcode_data['elevation_units']) . '";' . "\n"; } } @@ -361,7 +355,7 @@ function handle_shortcode($shortcode_data, $content = null) { // Shortcode option set? if (array_key_exists('show_cluster', $shortcode_data) && in_array($shortcode_data['show_cluster'], ['1', '0'])) { - $out .= ' waymark_config.viewer_options.show_cluster = ' . $shortcode_data['show_cluster'] . ';' . "\n"; + $out .= ' waymark_config.viewer_options.show_cluster = ' . esc_js($shortcode_data['show_cluster']) . ';' . "\n"; } // === Initially Show / Hide === 
@@ -385,17 +379,17 @@ function handle_shortcode($shortcode_data, $content = null) { $overlay_type_explode = explode(',', $shortcode_data[$show_hide_type]); foreach ($overlay_type_explode as $overlay_type) { - $out .= ' for(i in waymark_config.map_options.' . $overlay_kind . '_types) {' . "\n"; + $out .= ' for(i in waymark_config.map_options.' . esc_js($overlay_kind) . '_types) {' . "\n"; - $out .= ' var this_key = waymark_viewer.make_key(waymark_config.map_options.' . $overlay_kind . '_types[i]["' . $overlay_kind . '_title"]);' . "\n"; + $out .= ' var this_key = waymark_viewer.make_key(waymark_config.map_options.' . esc_js($overlay_kind) . '_types[i]["' . esc_js($overlay_kind) . '_title"]);' . "\n"; - $out .= ' if("' . $overlay_type . '" == "*" || this_key == "' . $overlay_type . '") {' . "\n"; + $out .= ' if("' . esc_js($overlay_type) . '" == "*" || this_key == "' . esc_js($overlay_type) . '") {' . "\n"; if (Waymark_Helper::is_debug()) { $debug_output .= ucwords($overlay_kind) . ' ' . ucwords($show_hide_explode[0]) . ' (' . $overlay_type . ') '; } - $out .= ' waymark_config.map_options.' . $overlay_kind . '_types[i]["' . $overlay_kind . '_display"] = ' . $overlay_display . ';' . "\n"; + $out .= ' waymark_config.map_options.' . esc_js($overlay_kind) . '_types[i]["' . esc_js($overlay_kind) . '_display"] = ' . esc_js($overlay_display) . ';' . "\n"; $out .= ' }' . "\n"; $out .= ' }' . "\n"; } 
@@ -409,11 +403,11 @@ function handle_shortcode($shortcode_data, $content = null) { $out .= ' waymark_viewer.init(waymark_config);' . "\n"; if (Waymark_Helper::is_debug()) { - $out .= ' waymark_viewer.debug("Shortcode #' . $shortcode_hash . ' Initialised");' . "\n"; + $out .= ' waymark_viewer.debug("Shortcode #' . esc_js($shortcode_hash) . ' Initialised");' . "\n"; $out .= ' waymark_viewer.debug(waymark_config);' . "\n"; if ($debug_output) { - $out .= ' waymark_viewer.debug("' . $debug_output . '");' . "\n"; + $out .= ' waymark_viewer.debug("' . esc_js($debug_output) . '");' . "\n"; } } @@ -432,7 +426,7 @@ function handle_shortcode($shortcode_data, $content = null) { $out .= ' waymark_viewer.load_json(' . $map_output['map_data'] . ');' . "\n"; if (Waymark_Helper::is_debug()) { - $out .= ' waymark_viewer.debug("Shortcode #' . $shortcode_hash . ' Map Loaded");' . "\n"; + $out .= ' waymark_viewer.debug("Shortcode #' . esc_js($shortcode_hash) . ' Map Loaded");' . "\n"; $out .= ' waymark_viewer.debug(' . $map_output['map_data'] . ');' . "\n"; } @@ -451,7 +445,7 @@ function handle_shortcode($shortcode_data, $content = null) { $out .= ' waymark_load_map_data(waymark_viewer, ' . $map_id . ', ' . $reset_view . ');' . "\n"; if (Waymark_Helper::is_debug()) { - $out .= ' waymark_viewer.debug("Shortcode #' . $shortcode_hash . ' Map Loaded via HTTP (' . $i . '/' . sizeof($maps_output) . ')");' . "\n"; + $out .= ' waymark_viewer.debug("Shortcode #' . esc_js($shortcode_hash) . ' Map Loaded via HTTP (' . $i . '/' . sizeof($maps_output) . ')");' . "\n"; $out .= ' waymark_viewer.debug(' . $map_id . ');' . "\n"; } 
@@ -542,7 +536,7 @@ function handle_shortcode($shortcode_data, $content = null) { $out .= ' waymark_viewer.load_json(marker_geojson);' . "\n"; if (Waymark_Helper::is_debug()) { - $out .= ' waymark_viewer.debug("Shortcode #' . $shortcode_hash . ' Marker Loaded");' . "\n"; + $out .= ' waymark_viewer.debug("Shortcode #' . esc_js($shortcode_hash) . ' Marker Loaded");' . "\n"; $out .= ' waymark_viewer.debug(marker_geojson);' . "\n"; } } @@ -582,7 +576,7 @@ function handle_shortcode($shortcode_data, $content = null) { switch ($file_ext) { case 'gpx': - $out .= ' var file_data = \'' . $file_string . '\';' . "\n"; + $out .= ' var file_data = \'' . wp_kses($file_string, Waymark_Helper::allowable_tags('gpx')) . '\';' . "\n"; $out .= ' var file_data = (new DOMParser()).parseFromString(file_data, "text/xml");' . "\n"; $out .= ' let file_geo_json = toGeoJSON.gpx(file_data) || {};' . "\n"; @@ -607,7 +601,7 @@ function handle_shortcode($shortcode_data, $content = null) { libxml_clear_errors(); - $out .= ' var file_data = \'' . $file_string . '\';' . "\n"; + $out .= ' var file_data = \'' . wp_kses($file_string, Waymark_Helper::allowable_tags('kml')) . '\';' . "\n"; $out .= ' var file_data = (new DOMParser()).parseFromString(file_data, "text/xml");' . "\n"; $out .= ' var file_geo_json = toGeoJSON.kml(file_data);' . "\n"; @@ -615,6 +609,8 @@ function handle_shortcode($shortcode_data, $content = null) { break; default: + // Encode & Decode to ensure valid JSON + $file_string = wp_json_encode(json_decode($file_string)); $out .= ' var file_data = \'' . $file_string . '\';' . "\n"; $out .= ' var file_geo_json = JSON.parse(file_data);' . "\n"; 
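Review bot: `wp_kses()` removes disallowed elements but does not escape for a JavaScript string, and in the `@@ -582` hunk the filtered GPX is still placed between hand-written single quotes in `var file_data = '...'`. A quote, backslash or line break in the file text (for example inside a `name` element) would end or corrupt that literal, unless `$file_string` is normalised above the hunk, which is not visible here. Emit the value as a JSON-encoded string instead: `$out .= ' var file_data = ' . wp_json_encode(wp_kses($file_string, Waymark_Helper::allowable_tags('gpx')), JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP) . ';' . "\n";`. The KML line in the `@@ -607` hunk needs the same change. In the `@@ -615` hunk the re-encoded JSON is also wrapped in single quotes; it can be assigned directly to `file_geo_json` with the same flags, and a `null` result from `json_decode()` on an invalid file should be handled before output.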
@@ -655,8 +651,8 @@ function handle_shortcode($shortcode_data, $content = null) { break (2); } - $out .= ' // Casting File ' . ucwords($overlay_type) . 's to "' . $castType . '"' . "\n"; - $out .= ' file_geo_json.features.filter(feature => feature.geometry.type == "' . $geomType . '").forEach(feature => { feature.properties.type = "' . $castType . '"; });' . "\n"; + $out .= ' // Casting File ' . ucwords($overlay_type) . 's to "' . esc_js($castType) . '"' . "\n"; + $out .= ' file_geo_json.features.filter(feature => feature.geometry.type == "' . $geomType . '").forEach(feature => { feature.properties.type = "' . esc_js($castType) . '"; });' . "\n"; } // By Feature Type @@ -693,12 +689,12 @@ function handle_shortcode($shortcode_data, $content = null) { // Add Start Marker if ($marker_start) { - $out .= ' fileAddFeatures.features.push({"geometry":{"type":"Point","coordinates":[start[0],start[1]]},"type":"Feature","properties":{"type":"' . $marker_start . '"}});' . "\n"; + $out .= ' fileAddFeatures.features.push({"geometry":{"type":"Point","coordinates":[start[0],start[1]]},"type":"Feature","properties":{"type":"' . esc_js($marker_start) . '"}});' . "\n"; } // Add End Marker if ($marker_end) { - $out .= ' fileAddFeatures.features.push({"geometry":{"type":"Point","coordinates":[end[0],end[1]]},"type":"Feature","properties":{"type":"' . $marker_end . '"}});' . "\n"; + $out .= ' fileAddFeatures.features.push({"geometry":{"type":"Point","coordinates":[end[0],end[1]]},"type":"Feature","properties":{"type":"' . esc_js($marker_end) . '"}});' . "\n"; } $out .= ' });' . "\n"; 
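Review bot: On the two changed lines of the `@@ -655` hunk only `$castType` is escaped. `$geomType` is still concatenated raw into `feature.geometry.type == "..."`, and `ucwords($overlay_type)` goes raw into the generated `//` comment, where a line break would end the comment. If both values come from fixed lists defined outside this hunk that is harmless, but it is not visible here, so for consistency wrap them too: `esc_js($geomType)` and `esc_js(ucwords($overlay_type))`.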
@@ -707,7 +703,7 @@ function handle_shortcode($shortcode_data, $content = null) { $out .= ' waymark_viewer.load_json(fileAddFeatures);' . "\n"; if (Waymark_Helper::is_debug()) { - $out .= ' waymark_viewer.debug("Shortcode #' . $shortcode_hash . ' File ' . ucwords($overlay_type) . 's Loaded");' . "\n"; + $out .= ' waymark_viewer.debug("Shortcode #' . esc_js($shortcode_hash) . ' File ' . ucwords($overlay_type) . 's Loaded");' . "\n"; $out .= ' waymark_viewer.debug(fileAddFeatures);' . "\n"; } } @@ -720,7 +716,7 @@ function handle_shortcode($shortcode_data, $content = null) { $out .= ' waymark_viewer.load_json(file_geo_json);' . "\n"; if (Waymark_Helper::is_debug()) { - $out .= ' waymark_viewer.debug("Shortcode #' . $shortcode_hash . ' File Loaded");' . "\n"; + $out .= ' waymark_viewer.debug("Shortcode #' . esc_js($shortcode_hash) . ' File Loaded");' . "\n"; $out .= ' waymark_viewer.debug(file_geo_json);' . "\n"; } } @@ -733,12 +729,12 @@ function handle_shortcode($shortcode_data, $content = null) { // ========== START CALLBACK =========== if (array_key_exists('loaded_callback', $shortcode_data)) { - $out .= ' if(typeof ' . $shortcode_data['loaded_callback'] . ' === "function") {' . "\n"; + $out .= ' if(typeof ' . esc_js($shortcode_data['loaded_callback']) . ' === "function") {' . "\n"; if (Waymark_Helper::is_debug()) { - $out .= ' waymark_viewer.debug("Shortcode Callback detected ' . $shortcode_data['loaded_callback'] . '(waymark_instance)");' . "\n"; + $out .= ' waymark_viewer.debug("Shortcode Callback detected ' . esc_js($shortcode_data['loaded_callback']) . '(waymark_instance)");' . "\n"; } - $out .= ' ' . $shortcode_data['loaded_callback'] . '(waymark_viewer);' . "\n"; + $out .= ' ' . esc_js($shortcode_data['loaded_callback']) . '(waymark_viewer);' . "\n"; $out .= ' } else {' . "\n"; $out .= ' waymark_viewer.message("Callback function not found!", "error");' . "\n"; $out .= ' }' . "\n"; 
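Review bot: In the `@@ -733` hunk `loaded_callback` is emitted as code rather than as a string (`typeof ' . esc_js(...) . ' === "function"` and the call two lines below), and `esc_js()` does not restrict a value to a function name. Validate the attribute as a dotted identifier before any of these lines run and skip the block otherwise, e.g. `if (array_key_exists('loaded_callback', $shortcode_data) && preg_match('/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\z/', $shortcode_data['loaded_callback'])) {`. Shortcode attributes can be set by anyone who can edit post content, so this sink should not rely on the author being trusted to add script. The `esc_js()` call inside the quoted debug message is fine as it stands.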
@@ -747,7 +743,7 @@ function handle_shortcode($shortcode_data, $content = null) { // =========== END CALLBACK ============ $out .= '});' . "\n"; $out .= '' . "\n"; - $out .= '' . "\n"; + $out .= '' . "\n"; // ============= END JAVASCRIPT ================= diff --git a/inc/Helpers/Waymark_Helper.php b/inc/Helpers/Waymark_Helper.php index a5af0453..928a246b 100644 --- a/inc/Helpers/Waymark_Helper.php +++ b/inc/Helpers/Waymark_Helper.php @@ -1674,4 +1674,59 @@ public static function parameter_allowed_html() { ]; } + public static function allowable_tags($kind = '') { + switch ($kind) { + case 'kml': + return [ + 'kml' => [ + 'xmlns' => true, + ], + 'document' => [], + 'placemark' => [], + 'name' => [], + 'extendeddata' => [], + 'data' => [ + 'name' => true, + ], + 'value' => [], + 'point' => [], + 'coordinates' => [], + 'description' => [], + 'linestring' => [], + 'linearring' => [], + 'polygon' => [], + 'outerboundaryis' => [], + 'innerboundaryis' => [], + 'multigeometry' => [], + ]; + + break; + case 'gpx': + return [ + 'gpx' => [ + 'creator' => true, + 'version' => true, + 'xmlns' => true, + 'xmlns:xsi' => true, + 'xsi:schemaLocation' => true, + ], + 'metadata' => [], + 'name' => [], + 'wpt' => [ + 'lat' => true, + 'lon' => true, + ], + 'desc' => [], + 'trk' => [], + 'trkseg' => [], + 'trkpt' => [ + 'lat' => true, + 'lon' => true, + ], + 'ele' => [], + ]; + + break; + } + } } diff --git a/inc/Waymark_Config.php b/inc/Waymark_Config.php index 6424492b..f23c29fd 100644 --- a/inc/Waymark_Config.php +++ b/inc/Waymark_Config.php @@ -11,7 +11,7 @@ public static function init() { 'plugin_name' => 'Waymark', 'plugin_name_short' => 'Waymark', 'custom_types' => [], - 'plugin_version' => '1.5.0', + 'plugin_version' => '1.5.1', 'nonce_string' => 'Waymark_Nonce', 'site_url' => 'https://www.waymark.dev/', 'directory_url' => 'https://wordpress.org/support/plugin/waymark/', diff --git a/languages/waymark-en_CA.po b/languages/waymark-en_CA.po index 175f0d3b..1a7dd16e 100644 
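Review bot: `Waymark_Helper::allowable_tags()` has no `default` branch, so an unrecognised `$kind` (including the default `''`) returns `null`. `wp_kses()` treats a non-array second argument as a context name rather than an empty allow-list, and as far as I recall then falls back to WordPress's default tag set, which is looser than either list here. Add `default: return [];` so an unknown kind strips every element; the `break;` after each `return` is unreachable and can be removed. A short docblock naming the accepted `$kind` values and the return shape (lower-case element name => allowed attributes) would help the callers in `Waymark_HTTP` and `Waymark_Shortcode`.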
--- a/languages/waymark-en_CA.po +++ b/languages/waymark-en_CA.po @@ -2,7 +2,7 @@ # This file is distributed under the GPLv2. msgid "" msgstr "" -"Project-Id-Version: Waymark 1.5.0\n" +"Project-Id-Version: Waymark 1.5.1\n" "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/waymark\n" "POT-Creation-Date: 2024-01-18 00:24:31+00:00\n" "PO-Revision-Date: 2024-01-23 10:12-0800\n" diff --git a/languages/waymark-en_GB.po b/languages/waymark-en_GB.po index de131439..cd376669 100644 --- a/languages/waymark-en_GB.po +++ b/languages/waymark-en_GB.po @@ -2,7 +2,7 @@ # This file is distributed under the GPLv2. msgid "" msgstr "" -"Project-Id-Version: Waymark 1.5.0\n" +"Project-Id-Version: Waymark 1.5.1\n" "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/waymark\n" "POT-Creation-Date: 2024-01-18 00:24:31+00:00\n" "PO-Revision-Date: 2024-01-23 08:47-0800\n" diff --git a/languages/waymark-es_ES.po b/languages/waymark-es_ES.po index c5bf0617..50eddeae 100644 --- a/languages/waymark-es_ES.po +++ b/languages/waymark-es_ES.po @@ -2,7 +2,7 @@ # This file is distributed under the GPLv2. msgid "" msgstr "" -"Project-Id-Version: Waymark 1.5.0\n" +"Project-Id-Version: Waymark 1.5.1\n" "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/waymark\n" "POT-Creation-Date: 2024-01-18 00:24:31+00:00\n" "PO-Revision-Date: 2024-01-23 10:19-0800\n" diff --git a/languages/waymark-fr_CA.po b/languages/waymark-fr_CA.po index 5747f886..8712b4ab 100644 --- a/languages/waymark-fr_CA.po +++ b/languages/waymark-fr_CA.po @@ -2,7 +2,7 @@ # This file is distributed under the GPLv2. msgid "" msgstr "" -"Project-Id-Version: Waymark 1.5.0\n" +"Project-Id-Version: Waymark 1.5.1\n" "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/waymark\n" "POT-Creation-Date: 2024-01-18 00:24:31+00:00\n" "PO-Revision-Date: 2024-01-23 10:17-0800\n" diff --git a/languages/waymark-ja_JP.po b/languages/waymark-ja_JP.po index 509fae89..02cd63b9 100644 --- a/languages/waymark-ja_JP.po 
+++ b/languages/waymark-ja_JP.po @@ -2,7 +2,7 @@ # This file is distributed under the GPLv2. msgid "" msgstr "" -"Project-Id-Version: Waymark 1.5.0\n" +"Project-Id-Version: Waymark 1.5.1\n" "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/waymark\n" "POT-Creation-Date: 2024-01-23 14:32:30+00:00\n" "PO-Revision-Date: 2024-01-23 10:42-0800\n" diff --git a/languages/waymark-sv_SE.po b/languages/waymark-sv_SE.po index ff1c032e..3f1e496d 100644 --- a/languages/waymark-sv_SE.po +++ b/languages/waymark-sv_SE.po @@ -2,7 +2,7 @@ # This file is distributed under the GPLv2. msgid "" msgstr "" -"Project-Id-Version: Waymark 1.5.0\n" +"Project-Id-Version: Waymark 1.5.1\n" "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/waymark\n" "POT-Creation-Date: 2024-01-18 00:24:31+00:00\n" "PO-Revision-Date: 2024-01-23 10:18-0800\n" diff --git a/languages/waymark-uk_UA.po b/languages/waymark-uk_UA.po index a10188bc..a45da288 100644 --- a/languages/waymark-uk_UA.po +++ b/languages/waymark-uk_UA.po @@ -2,7 +2,7 @@ # This file is distributed under the GPLv2. msgid "" msgstr "" -"Project-Id-Version: Waymark 1.5.0\n" +"Project-Id-Version: Waymark 1.5.1\n" "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/waymark\n" "POT-Creation-Date: 2024-01-18 00:24:31+00:00\n" "PO-Revision-Date: 2024-01-23 10:18-0800\n" diff --git a/languages/waymark-zh_CN.po b/languages/waymark-zh_CN.po index 75ec5202..513be213 100644 --- a/languages/waymark-zh_CN.po +++ b/languages/waymark-zh_CN.po @@ -2,7 +2,7 @@ # This file is distributed under the GPLv2. msgid "" msgstr "" -"Project-Id-Version: Waymark 1.5.0\n" +"Project-Id-Version: Waymark 1.5.1\n" "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/waymark\n" "POT-Creation-Date: 2024-01-23 14:32:30+00:00\n" "PO-Revision-Date: 2024-01-23 10:25-0800\n" diff --git a/languages/waymark.pot b/languages/waymark.pot index 8c661d50..b65a9f43 100644 --- a/languages/waymark.pot +++ b/languages/waymark.pot 
@@ -2,9 +2,9 @@ # This file is distributed under the GPLv2. msgid "" msgstr "" -"Project-Id-Version: Waymark 1.5.0\n" +"Project-Id-Version: Waymark 1.5.1\n" "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/waymark\n" -"POT-Creation-Date: 2025-01-27 21:06:25+00:00\n" +"POT-Creation-Date: 2025-02-02 23:36:51+00:00\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" @@ -49,20 +49,20 @@ msgstr "" msgid "HTML" msgstr "" -#: inc/Admin/Waymark_Menu.php:20 inc/Admin/Waymark_Menu.php:68 +#: inc/Admin/Waymark_Menu.php:20 inc/Admin/Waymark_Menu.php:69 #: inc/Admin/Waymark_Settings.php:26 inc/Waymark_Admin.php:184 #: inc/Waymark_Install.php:61 inc/Waymark_Types.php:13 inc/Waymark_Types.php:15 #. translators: %s: URL to the Waymark documentation msgid "Maps" msgstr "" -#: inc/Admin/Waymark_Menu.php:21 inc/Admin/Waymark_Menu.php:62 +#: inc/Admin/Waymark_Menu.php:21 inc/Admin/Waymark_Menu.php:63 #: inc/Waymark_Admin.php:210 inc/Waymark_Types.php:23 #. translators: Creating a new map msgid "New Map" msgstr "" -#: inc/Admin/Waymark_Menu.php:24 inc/Admin/Waymark_Menu.php:70 +#: inc/Admin/Waymark_Menu.php:24 inc/Admin/Waymark_Menu.php:71 #: inc/Waymark_Admin.php:176 inc/Waymark_Taxonomies.php:15 #. translators: Collection is a group of maps msgid "Collections" @@ -80,20 +80,20 @@ msgstr "" msgid "Settings" msgstr "" -#: inc/Admin/Waymark_Meta.php:11 +#: inc/Admin/Waymark_Meta.php:9 msgid "Map Editor" msgstr "" -#: inc/Admin/Waymark_Meta.php:14 inc/Waymark_Admin.php:123 +#: inc/Admin/Waymark_Meta.php:12 inc/Waymark_Admin.php:123 msgid "Shortcode" msgstr "" -#: inc/Admin/Waymark_Meta.php:15 inc/Helpers/Waymark_Helper.php:198 +#: inc/Admin/Waymark_Meta.php:13 inc/Helpers/Waymark_Helper.php:198 #: inc/Helpers/Waymark_Helper.php:227 msgid "Export" msgstr "" -#: inc/Admin/Waymark_Meta.php:16 +#: inc/Admin/Waymark_Meta.php:14 msgid "Help" msgstr "" 
@@ -101,17 +101,17 @@ msgstr "" msgid "Download the Overlays added to this Map in the selected format." msgstr "" -#: inc/Admin/Waymark_Meta.php:115 +#: inc/Admin/Waymark_Meta.php:114 msgid "" "Add this Map to your content with this Shortcode. Click here for more " "details." msgstr "" -#: inc/Admin/Waymark_Meta.php:124 +#: inc/Admin/Waymark_Meta.php:122 msgid "Image Location Detection Not Supported!" msgstr "" -#: inc/Admin/Waymark_Meta.php:127 +#: inc/Admin/Waymark_Meta.php:125 #. translators: %s: Link to PHP EXIF Extension documentation msgid "" "Your hosting environment does not currently have the PHP " @@ -119,24 +119,24 @@ msgid "" "metadata. Try asking your host to enable it." msgstr "" -#: inc/Admin/Waymark_Meta.php:130 inc/Admin/Waymark_Settings.php:881 +#: inc/Admin/Waymark_Meta.php:128 inc/Admin/Waymark_Settings.php:881 #: inc/Admin/Waymark_Settings.php:950 #. translators: The option for reading from a file msgid "Read from File" msgstr "" -#: inc/Admin/Waymark_Meta.php:131 +#: inc/Admin/Waymark_Meta.php:129 msgid "" "You can read Lines and Markers from GPX, KML and GeoJSON files (most " "mapping apps will be able to export to one of these)." msgstr "" -#: inc/Admin/Waymark_Meta.php:133 inc/Admin/Waymark_Settings.php:144 +#: inc/Admin/Waymark_Meta.php:131 inc/Admin/Waymark_Settings.php:144 #: inc/Admin/Waymark_Settings.php:318 inc/Admin/Waymark_Settings.php:436 msgid "Types" msgstr "" -#: inc/Admin/Waymark_Meta.php:136 +#: inc/Admin/Waymark_Meta.php:134 #. translators: %s: Link to Waymark Settings msgid "" "Types allow you to control how Overlays (Markers, Lines and Shapes) are " 
@@ -144,7 +144,7 @@ msgid "" "target=\"_blank\">Waymark > Settings." msgstr "" -#: inc/Admin/Waymark_Meta.php:138 inc/Admin/Waymark_Settings.php:74 +#: inc/Admin/Waymark_Meta.php:136 inc/Admin/Waymark_Settings.php:74 #: inc/Admin/Waymark_Settings.php:82 inc/Admin/Waymark_Settings.php:89 #: inc/Admin/Waymark_Settings.php:101 inc/Admin/Waymark_Settings.php:116 #. translators: The title of the field for the name of the Basemap @@ -155,7 +155,7 @@ msgstr "" msgid "Basemap" msgstr "" -#: inc/Admin/Waymark_Meta.php:141 +#: inc/Admin/Waymark_Meta.php:139 #. translators: %s: Link to Waymark Settings msgid "" "Add and edit Basemaps in Waymark > " @@ -163,11 +163,11 @@ msgid "" "specified in the shortcode like this: %2$s" msgstr "" -#: inc/Admin/Waymark_Meta.php:143 +#: inc/Admin/Waymark_Meta.php:141 msgid "Read the Docs" msgstr "" -#: inc/Admin/Waymark_Meta.php:168 +#: inc/Admin/Waymark_Meta.php:165 #. translators: %s: Link to Waymark Settings msgid "You can manage Meta fields in Settings." msgstr "" @@ -229,7 +229,7 @@ msgid "Overlays" msgstr "" #: inc/Admin/Waymark_Settings.php:35 inc/Admin/Waymark_Settings.php:138 -#: inc/Helpers/Waymark_Helper.php:1373 inc/Helpers/Waymark_Lang.php:41 +#: inc/Helpers/Waymark_Helper.php:1375 inc/Helpers/Waymark_Lang.php:41 #. translators: The name of the tab for customising Markers msgid "Markers" msgstr "" @@ -633,7 +633,7 @@ msgstr "" #: inc/Admin/Waymark_Settings.php:558 inc/Admin/Waymark_Settings.php:676 #: inc/Admin/Waymark_Settings.php:742 inc/Admin/Waymark_Settings.php:883 #: inc/Admin/Waymark_Settings.php:952 inc/Admin/Waymark_Settings.php:1525 -#: inc/Front/Waymark_Submission.php:224 inc/Helpers/Waymark_Lang.php:31 +#: inc/Front/Waymark_Submission.php:222 inc/Helpers/Waymark_Lang.php:31 #. translators: The option for a title input #. translators: The option to enable the title msgid "Title" 
@@ -953,9 +953,7 @@ msgstr "" #: inc/Admin/Waymark_Settings.php:922 #. translators: The description of the section for configuring submissions from #. guests -msgid "" -"This will allow Submissions from any visitor, without " -"registration." +msgid "This will allow Submissions from any visitor, without registration." msgstr "" #: inc/Admin/Waymark_Settings.php:932 @@ -1554,48 +1552,44 @@ msgstr "" msgid "Settings Updated" msgstr "" -#: inc/Admin/Waymark_Settings.php:1815 -msgid "Action Complete" -msgstr "" - -#: inc/Front/Waymark_Shortcode.php:229 +#: inc/Front/Waymark_Shortcode.php:223 msgid "Details" msgstr "" -#: inc/Front/Waymark_Shortcode.php:245 +#: inc/Front/Waymark_Shortcode.php:239 msgid "More Details" msgstr "" -#: inc/Front/Waymark_Submission.php:172 +#: inc/Front/Waymark_Submission.php:168 msgid "There was an error with your submission." msgstr "" -#: inc/Front/Waymark_Submission.php:180 +#: inc/Front/Waymark_Submission.php:176 msgid "Your submission has been received and is awaiting moderation." msgstr "" -#: inc/Front/Waymark_Submission.php:190 +#: inc/Front/Waymark_Submission.php:186 #. translators: %s: link to the published map msgid "Your submission has been published." msgstr "" -#: inc/Front/Waymark_Submission.php:192 +#: inc/Front/Waymark_Submission.php:188 msgid "Your submission has been published." msgstr "" -#: inc/Front/Waymark_Submission.php:235 +#: inc/Front/Waymark_Submission.php:233 msgid "Submit" msgstr "" -#: inc/Front/Waymark_Submission.php:255 +#: inc/Front/Waymark_Submission.php:252 msgid "Your Map was empty." msgstr "" -#: inc/Front/Waymark_Submission.php:264 +#: inc/Front/Waymark_Submission.php:261 msgid "Your Map did not contain valid features." msgstr "" -#: inc/Front/Waymark_Submission.php:271 +#: inc/Front/Waymark_Submission.php:268 msgid "Submission" msgstr "" 
@@ -1647,12 +1641,12 @@ msgid "" "selected format." msgstr "" -#: inc/Helpers/Waymark_Helper.php:493 inc/Waymark_Types.php:10 +#: inc/Helpers/Waymark_Helper.php:495 inc/Waymark_Types.php:10 #: inc/Waymark_Types.php:14 inc/Waymark_Types.php:16 msgid "Map" msgstr "" -#: inc/Helpers/Waymark_Helper.php:669 inc/Helpers/Waymark_Helper.php:694 +#: inc/Helpers/Waymark_Helper.php:671 inc/Helpers/Waymark_Helper.php:696 msgid "Download" msgstr "" diff --git a/package.json b/package.json index e81109c6..22337ecb 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "Waymark", - "version": "1.5.0", + "version": "1.5.1", "description": "Waymark for WordPress", "author": "Joe Hawes", "main": "Gruntfile.js", diff --git a/readme.md b/readme.md index 6fe08aaf..bf2170c4 100644 --- a/readme.md +++ b/readme.md @@ -4,7 +4,7 @@ **Requires at least:** 4.6 **Tested up to:** 6.7 **Requires PHP:** 5.2 -**Stable tag:** 1.5.0 +**Stable tag:** 1.5.1 **License:** GPLv2 or later **License URI:** http://www.gnu.org/licenses/gpl-2.0.html @@ -191,6 +191,10 @@ Built on the shoulders of giants, [thank you](https://www.waymark.dev/docs/thank ## Changelog ## +### 1.5.1 ### + +- Improved escaping of Shortcode attributes. + ### 1.5.0 ### - **Security update** This is a big update which includes a number of security fixes, many highlighted by the [Plugin Check](https://wordpress.org/plugins/plugin-check/) plugin. diff --git a/readme.txt b/readme.txt index ad31cf03..11dc562c 100644 --- a/readme.txt +++ b/readme.txt @@ -4,7 +4,7 @@ Tags: GIS, Map maker, GPX, Track, Elevation Requires at least: 4.6 Tested up to: 6.7 Requires PHP: 5.2 -Stable tag: 1.5.0 +Stable tag: 1.5.1 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html 
@@ -173,6 +173,10 @@ Built on the shoulders of giants, [thank you](https://www.waymark.dev/docs/thank == Changelog == += 1.5.1 = + +- Improved escaping of Shortcode attributes. + = 1.5.0 = - **Security update** This is a big update which includes a number of security fixes, many highlighted by the [Plugin Check](https://wordpress.org/plugins/plugin-check/) plugin.