From 39cf8f9662ce18e33f6b081f5f41d891e2779166 Mon Sep 17 00:00:00 2001
From: Brian Miyaji
Date: Sat, 6 Nov 2021 00:27:35 +0900
Subject: [PATCH] Add sanitization to event meta boxes
---
.../meta-boxes/class-sp-meta-box-event-details.php | 6 +++---
.../meta-boxes/class-sp-meta-box-event-format.php | 2 +-
.../meta-boxes/class-sp-meta-box-event-mode.php | 2 +-
.../meta-boxes/class-sp-meta-box-event-officials.php | 2 +-
.../class-sp-meta-box-event-performance.php | 10 +++++-----
.../meta-boxes/class-sp-meta-box-event-results.php | 6 +++---
.../meta-boxes/class-sp-meta-box-event-specs.php | 2 +-
.../meta-boxes/class-sp-meta-box-event-teams.php | 12 ++++++------
.../meta-boxes/class-sp-meta-box-event-video.php | 2 +-
9 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-details.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-details.php
index 16e0dba0..61da542d 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-details.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-details.php
@@ -73,11 +73,11 @@ class SP_Meta_Box_Event_Details {
 * Save meta box data
 */
 public static function save( $post_id, $post ) {
- update_post_meta( $post_id, 'sp_day', sp_array_value( $_POST, 'sp_day', null ) );
- update_post_meta( $post_id, 'sp_minutes', sp_array_value( $_POST, 'sp_minutes', get_option( 'sportspress_event_minutes', 90 ) ) );
+ update_post_meta( $post_id, 'sp_day', sp_array_value( $_POST, 'sp_day', null, 'text' ) );
+ update_post_meta( $post_id, 'sp_minutes', sp_array_value( $_POST, 'sp_minutes', get_option( 'sportspress_event_minutes', 90 ), 'int' ) );
 $venues = array_filter( sp_array_value( sp_array_value( $_POST, 'tax_input', array() ), 'sp_venue', array() ) );
 if ( empty( $venues ) ) {
- $teams = sp_array_value( $_POST, 'sp_team', array() );
+ $teams = sp_array_value( $_POST, 'sp_team', array(), 'int' );
 $team = reset( $teams );
 $venue = sp_get_the_term_id( $team, 'sp_venue' );
 wp_set_post_terms( $post_id, $venue, 'sp_venue' );
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-format.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-format.php
index 5d0e9c5e..2221c8a1 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-format.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-format.php
@@ -34,6 +34,6 @@ class SP_Meta_Box_Event_Format {
 * Save meta box data
 */
 public static function save( $post_id, $post ) {
- update_post_meta( $post_id, 'sp_format', sp_array_value( $_POST, 'sp_format', 'league' ) );
+ update_post_meta( $post_id, 'sp_format', sp_array_value( $_POST, 'sp_format', 'league', 'text' ) );
 }
 }
\ No newline at end of file
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-mode.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-mode.php
index ebb87ace..b1aedf1b 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-mode.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-mode.php
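Review bot: The 'int' sanitizer added to the `sp_team` read inside the `if ( empty( $venues ) )` branch is applied to a value the very next line treats as an array (`$team = reset( $teams );`), so it only works if the fourth argument of `sp_array_value` sanitizes array values element-wise; if the helper casts the whole value, `$teams` becomes a scalar and `reset()` fails on a non-array. Confirm the helper's array handling, or make the expectation explicit with `$teams = (array) sp_array_value( $_POST, 'sp_team', array(), 'int' );`. Sanitizing these fields also does not stand in for the nonce and capability checks a save handler needs; none are visible in this hunk and they presumably live in the caller, which is worth confirming. The body of save() continues past the end of the hunk.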
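Review bot: `sp_format` is an enumerated setting with a fixed fallback of `'league'`, but the new 'text' sanitizer only strips markup and still stores whatever string is posted; sanitization is not validation, and a value matching no known format can now reach the meta table. If the accepted formats are available from the same list the meta box renders from (not visible in this hunk), validate against it before writing, e.g. `$format = sp_array_value( $_POST, 'sp_format', 'league', 'text' ); if ( ! array_key_exists( $format, $formats ) ) { $format = 'league'; }` with `$formats` being that list, then pass `$format` to `update_post_meta`.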
@@ -33,6 +33,6 @@ class SP_Meta_Box_Event_Mode {
 * Save meta box data
 */
 public static function save( $post_id, $post ) {
- update_post_meta( $post_id, 'sp_mode', sp_array_value( $_POST, 'sp_mode', 'team' ) );
+ update_post_meta( $post_id, 'sp_mode', sp_array_value( $_POST, 'sp_mode', 'team', 'text' ) );
 }
 }
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-officials.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-officials.php
index 8f727219..bebad8fc 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-officials.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-officials.php
@@ -70,6 +70,6 @@ class SP_Meta_Box_Event_Officials {
 * Save meta box data
 */
 public static function save( $post_id, $post ) {
- update_post_meta( $post_id, 'sp_officials', sp_array_value( $_POST, 'sp_officials', array() ) );
+ update_post_meta( $post_id, 'sp_officials', sp_array_value( $_POST, 'sp_officials', array(), 'int' ) );
 }
 }
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php
index e917f738..1a6098d0 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-performance.php
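Review bot: `sp_mode` defaults to `'team'` and is presumably one of a small, fixed set of modes, yet the 'text' sanitizer on the new line accepts any string, so a stored mode that matches no branch downstream is now possible; stripping tags does not constrain the value space. Read the value into a local and reject anything outside the allowed set before writing: `$mode = sp_array_value( $_POST, 'sp_mode', 'team', 'text' ); if ( ! in_array( $mode, $allowed_modes, true ) ) { $mode = 'team'; }` where `$allowed_modes` comes from wherever the meta box builds its options (not visible in this hunk).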
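Review bot: The 'int' sanitizer on `sp_officials` guarantees integers but not that they are IDs of official posts, so any post ID on the site can be stored in this meta and later resolved as an official; an integrity check is still missing. The shape of the posted array is not visible here, but for a flat list a filter such as `array_filter( $ids, function( $id ) { return 'sp_official' === get_post_type( $id ); } )` applied before `update_post_meta` would enforce the post type, adapted to whatever nesting the field actually uses. Also confirm that the helper applies 'int' to each element of an array rather than to the array as a whole, since the stored value is written straight to post meta.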
@@ -69,13 +69,13 @@ class SP_Meta_Box_Event_Performance {
 * Save meta box data
 */
 public static function save( $post_id, $post ) {
- update_post_meta( $post_id, 'sp_players', sp_array_value( $_POST, 'sp_players', array() ) );
- update_post_meta( $post_id, 'sp_order', sp_array_value( $_POST, 'sp_order', array() ) );
- update_post_meta( $post_id, 'sp_timeline', sp_array_value( $_POST, 'sp_timeline', array() ) );
- update_post_meta( $post_id, 'sp_stars', sp_array_value( $_POST, 'sp_stars', array() ) );
+ update_post_meta( $post_id, 'sp_players', sp_array_value( $_POST, 'sp_players', array(), 'text' ) );
+ update_post_meta( $post_id, 'sp_order', sp_array_value( $_POST, 'sp_order', array(), 'int' ) );
+ update_post_meta( $post_id, 'sp_timeline', sp_array_value( $_POST, 'sp_timeline', array(), 'text' ) );
+ update_post_meta( $post_id, 'sp_stars', sp_array_value( $_POST, 'sp_stars', array(), 'text' ) );
 if ( isset( $_POST['sp_columns'] ) ) {
- $columns = array_filter( (array) $_POST['sp_columns'] );
+ $columns = array_filter( (array) sp_array_value( $_POST, 'sp_columns', array(), 'text' ) );
 update_post_meta( $post_id, 'sp_columns', $columns );
 }
 }
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-results.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-results.php
index 8add0fe3..4acb820d 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-results.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-results.php
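Review bot: `sp_columns` is sanitized with 'text' on the new `$columns` line while the sibling `sp_result_columns` field elsewhere in this same patch uses 'key'; if both hold column slugs that are later used as array or meta keys, 'text' is the weaker choice because it keeps characters a key sanitizer would strip, and the two should agree: `$columns = array_filter( (array) sp_array_value( $_POST, 'sp_columns', array(), 'key' ) );`. The `isset( $_POST['sp_columns'] )` guard also makes the `array()` default on that line unreachable, which is harmless but deserves a short comment so nobody later "fixes" it. `sp_players` and `sp_timeline` are presumably multi-level arrays, so the 'text' sanitizer is only effective if the helper recurses into nested values; confirm that rather than assume it.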
@@ -34,11 +34,11 @@ class SP_Meta_Box_Event_Results {
 * Save meta box data
 */
 public static function save( $post_id, $post ) {
- $results = (array)sp_array_value( $_POST, 'sp_results', array() );
+ $results = (array)sp_array_value( $_POST, 'sp_results', array(), 'text' );
 $main_result = get_option( 'sportspress_primary_result', null );
 // Get player performance
- $performance = sp_array_value( $_POST, 'sp_players', array() );
+ $performance = sp_array_value( $_POST, 'sp_players', array(), 'text' );
 // Initialize finished
 $finished = false;
@@ -212,7 +212,7 @@ class SP_Meta_Box_Event_Results {
 // Update meta
 update_post_meta( $post_id, 'sp_results', $results );
- update_post_meta( $post_id, 'sp_result_columns', sp_array_value( $_POST, 'sp_result_columns', array() ) );
+ update_post_meta( $post_id, 'sp_result_columns', sp_array_value( $_POST, 'sp_result_columns', array(), 'key' ) );
 }
 /**
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-specs.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-specs.php
index 6ef6fb4c..c3f3c54d 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-specs.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-specs.php
@@ -48,6 +48,6 @@ class SP_Meta_Box_Event_Specs {
 * Save meta box data
 */
 public static function save( $post_id, $post ) {
- update_post_meta( $post_id, 'sp_specs', sp_array_value( $_POST, 'sp_specs', array() ) );
+ update_post_meta( $post_id, 'sp_specs', sp_array_value( $_POST, 'sp_specs', array(), 'text' ) );
 }
 }
\ No newline at end of file
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-teams.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-teams.php
index b40c4e10..d32e11a1 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-teams.php
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-teams.php
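Review bot: The 'text' sanitizer on the new `$results` line covers values, but the array's keys — which the rest of save() (outside this hunk) presumably indexes by team — come straight from the request and are neither visibly sanitized nor checked against the event's teams. If `sp_array_value` does not touch keys, restricting them to the teams already attached to the event, roughly `$results = array_intersect_key( $results, array_flip( (array) get_post_meta( $post_id, 'sp_team' ) ) );`, would drop unexpected entries; confirm the key shape and meta-box save order before relying on that meta. Note also that the `(array)` cast is applied to the sanitized return value, so if the helper were to collapse an array to a scalar for 'text' the cast would silently wrap it into a one-element array instead of failing; confirm the helper sanitizes element-wise. save() continues beyond this hunk.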
@@ -143,7 +143,7 @@ class SP_Meta_Box_Event_Teams {
 * Save meta box data
 */
 public static function save( $post_id, $post ) {
- $teams = sp_array_value( $_POST, 'sp_team', array() );
+ $teams = sp_array_value( $_POST, 'sp_team', array(), 'int' );
 sp_update_post_meta_recursive( $post_id, 'sp_team', $teams );
@@ -159,14 +159,14 @@ class SP_Meta_Box_Event_Teams {
 $tabs = array();
 $sections = get_option( 'sportspress_event_performance_sections', -1 );
 if ( -1 == $sections ) {
- sp_update_post_meta_recursive( $post_id, 'sp_player', sp_array_value( $_POST, 'sp_player', array() ) );
+ sp_update_post_meta_recursive( $post_id, 'sp_player', sp_array_value( $_POST, 'sp_player', array(), 'int' ) );
 } else {
- $players = array_merge( sp_array_value( $_POST, 'sp_offense', array() ), sp_array_value( $_POST, 'sp_defense', array() ) );
- sp_update_post_meta_recursive( $post_id, 'sp_offense', sp_array_value( $_POST, 'sp_offense', array() ) );
- sp_update_post_meta_recursive( $post_id, 'sp_defense', sp_array_value( $_POST, 'sp_defense', array() ) );
+ $players = array_merge( sp_array_value( $_POST, 'sp_offense', array() ), sp_array_value( $_POST, 'sp_defense', array(), 'int' ) );
+ sp_update_post_meta_recursive( $post_id, 'sp_offense', sp_array_value( $_POST, 'sp_offense', array(), 'int' ) );
+ sp_update_post_meta_recursive( $post_id, 'sp_defense', sp_array_value( $_POST, 'sp_defense', array(), 'int' ) );
 sp_update_post_meta_recursive( $post_id, 'sp_player', $players );
 }
- sp_update_post_meta_recursive( $post_id, 'sp_staff', sp_array_value( $_POST, 'sp_staff', array() ) );
+ sp_update_post_meta_recursive( $post_id, 'sp_staff', sp_array_value( $_POST, 'sp_staff', array(), 'int' ) );
 }
 }
 }
diff --git a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-video.php b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-video.php
index 48160f78..d642dd67 100644
--- a/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-video.php
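Review bot: In the `else` branch the `array_merge` that builds `$players` still reads `sp_offense` without the 'int' sanitizer — only its `sp_defense` half received it — while the `sp_offense` meta written on the following line is sanitized, so the `sp_player` meta saved by `sp_update_post_meta_recursive( $post_id, 'sp_player', $players )` receives raw request values for the offense side. Change the line to `$players = array_merge( sp_array_value( $_POST, 'sp_offense', array(), 'int' ), sp_array_value( $_POST, 'sp_defense', array(), 'int' ) );`. Reading each posted field once into a local and reusing it for both the merge and the meta write would make this kind of drift impossible. The enclosing save() starts in the previous hunk and its loop structure is not fully visible here.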
+++ b/includes/admin/post-types/meta-boxes/class-sp-meta-box-event-video.php
@@ -42,6 +42,6 @@ class SP_Meta_Box_Event_Video {
 * Save meta box data
 */
 public static function save( $post_id, $post ) {
- update_post_meta( $post_id, 'sp_video', sp_array_value( $_POST, 'sp_video', null ) );
+ update_post_meta( $post_id, 'sp_video', sp_array_value( $_POST, 'sp_video', null, 'text' ) );
 }
 }
\ No newline at end of file
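Review bot: `sp_video` presumably holds a video URL, and the 'text' sanitizer on the new line does not constrain the scheme, so a `javascript:` or `data:` value passes through and protection then rests entirely on how the template escapes it on output, which is not visible here. WordPress's `esc_url_raw()` is the usual storage-side sanitizer for a URL field: `$video = sp_array_value( $_POST, 'sp_video', null, 'text' ); update_post_meta( $post_id, 'sp_video', null === $video ? $video : esc_url_raw( $video ) );`, which keeps the existing null default intact. If `sp_array_value` already offers a URL sanitizer type, using it is the simpler route.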