asc/sportspress
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sanitize and unslash all inputs

Browse Source
This commit is contained in:
Brian Miyaji
2021-11-14 13:49:51 +09:00
parent 8873e5adeb
commit a605d7ed1a
30 changed files with 98 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
modules/sportspress-comments-scheduled-events.php
View File

@@ -54,10 +54,10 @@ if ( ! class_exists( 'SportsPress_Comments_Scheduled_Events' ) ) :
do_action( 'pre_comment_on_post', $comment_post_ID );
$comment_author = ( isset( $_POST['author'] ) ) ? trim( strip_tags( $_POST['author'] ) ) : null;
$comment_author_email = ( isset( $_POST['email'] ) ) ? sanitize_email( trim( $_POST['email'] ) ) : null;
$comment_author_url = ( isset( $_POST['url'] ) ) ? esc_url( trim( $_POST['url'] ) ) : null;
$comment_content = ( isset( $_POST['comment'] ) ) ? esc_textarea( trim( $_POST['comment'] ) ) : null;
$comment_author = ( isset( $_POST['author'] ) ) ? trim( strip_tags( sanitize_text_field( wp_unslash( $_POST['author'] ) ) ) ) : null;
$comment_author_email = ( isset( $_POST['email'] ) ) ? trim( sanitize_email( wp_unslash( $_POST['email'] ) ) ) : null;
$comment_author_url = ( isset( $_POST['url'] ) ) ? trim( sanitize_url( wp_unslash( $_POST['url'] ) ) ) : null; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
$comment_content = ( isset( $_POST['comment'] ) ) ? trim( sanitize_text_field( wp_unslash( $_POST['comment'] ) ) ) : null;
// If the user is logged in
$user = wp_get_current_user();
@@ -136,7 +136,7 @@ if ( ! class_exists( 'SportsPress_Comments_Scheduled_Events' ) ) :
wp_set_comment_status( $comment_id, 'approve' );
}
$location = empty( $_POST['redirect_to'] ) ? get_comment_link( $comment_id ) : $_POST['redirect_to'] . '#comment-' . $comment_id;
$location = empty( $_POST['redirect_to'] ) ? get_comment_link( $comment_id ) : sanitize_url( wp_unslash( $_POST['redirect_to'] ) ) . '#comment-' . $comment_id; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
$location = apply_filters( 'comment_post_redirect', $location, $comment );

4
modules/sportspress-overview.php
View File

@@ -262,7 +262,7 @@ endif;
<?php
if ( isset( $_GET['term'] ) ) :
$term = get_term( $_GET['term'], $taxonomy ); // Posts in term
$term = get_term( sanitize_key( $_GET['term'] ), $taxonomy ); // Posts in term
?>
<ul class="sp-utility">
@@ -910,7 +910,7 @@ endforeach;
<?php
$post_object = get_post_type_object( $post_type );
$taxonomy_object = get_taxonomy( $_GET['taxonomy'] );
$taxonomy_object = get_taxonomy( sanitize_key( $_GET['taxonomy'] ) );
?>
<?php

2
modules/sportspress-tutorials.php
View File

@@ -194,7 +194,7 @@ if ( ! class_exists( 'SportsPress_Tutorials' ) ) :
'advanced' => esc_attr__( 'Advanced', 'sportspress' ),
)
);
if ( isset( $_GET['tab'] ) && array_key_exists( $_GET['tab'], $tabs ) ) {
if ( isset( $_GET['tab'] ) && array_key_exists( wp_unslash( $_GET['tab'] ), $tabs ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
$current_tab = sanitize_key( $_GET['tab'] );
} else {
$current_tab = key( $tabs );

18
modules/sportspress-user-registration.php
View File

@@ -105,8 +105,8 @@ if ( ! class_exists( 'SportsPress_User_Registration' ) ) :
*/
public static function register_form() {
if ( 'yes' === get_option( 'sportspress_registration_name_inputs', 'no' ) ) {
$first_name = ( ! empty( $_POST['first_name'] ) ) ? trim( sanitize_text_field( $_POST['first_name'] ) ) : '';
$last_name = ( ! empty( $_POST['last_name'] ) ) ? trim( sanitize_text_field( $_POST['last_name'] ) ) : '';
$first_name = ( ! empty( $_POST['first_name'] ) ) ? trim( sanitize_text_field( wp_unslash( $_POST['first_name'] ) ) ) : '';
$last_name = ( ! empty( $_POST['last_name'] ) ) ? trim( sanitize_text_field( wp_unslash( $_POST['last_name'] ) ) ) : '';
?>
<p>
<label for="first_name"><?php esc_attr_e( 'First Name', 'sportspress' ); ?><br />
@@ -149,22 +149,22 @@ if ( ! class_exists( 'SportsPress_User_Registration' ) ) :
// Save first and last name
if ( 'yes' === get_option( 'sportspress_registration_name_inputs', 'no' ) ) {
if ( ! empty( $_POST['first_name'] ) ) {
$meta = trim( sanitize_text_field( $_POST['first_name'] ) );
$meta = trim( sanitize_text_field( wp_unslash( $_POST['first_name'] ) ) );
$parts[] = $meta;
update_user_meta( $user_id, 'first_name', $meta );
}
if ( ! empty( $_POST['last_name'] ) ) {
$meta = trim( sanitize_text_field( $_POST['last_name'] ) );
$meta = trim( sanitize_text_field( wp_unslash( $_POST['last_name'] ) ) );
$parts[] = $meta;
update_user_meta( $user_id, 'last_name', $meta );
}
}
// Add team from team name
if ( isset( $_POST['sp_register_form_team'] ) && wp_verify_nonce( $_POST['sp_register_form_team'], 'submit_team_name' ) ) {
if ( isset( $_POST['sp_register_form_team'] ) && wp_verify_nonce( sanitize_key( $_POST['sp_register_form_team'] ), 'submit_team_name' ) ) {
if ( ! empty( $_POST['team_name'] ) ) {
$team_name = trim( sanitize_text_field( $_POST['team_name'] ) );
$team_name = trim( sanitize_text_field( wp_unslash( $_POST['team_name'] ) ) );
$post['post_type'] = 'sp_team';
$post['post_title'] = $team_name;
$post['post_author'] = $user_id;
@@ -174,9 +174,9 @@ if ( ! class_exists( 'SportsPress_User_Registration' ) ) :
}
// Save team
if ( isset( $_POST['sp_register_form_player'] ) && wp_verify_nonce( $_POST['sp_register_form_player'], 'submit_team' ) ) {
if ( isset( $_POST['sp_register_form_player'] ) && wp_verify_nonce( sanitize_key( $_POST['sp_register_form_player'] ), 'submit_team' ) ) {
if ( ! empty( $_POST['sp_team'] ) ) {
$team = trim( sanitize_text_field( $_POST['sp_team'] ) );
$team = trim( sanitize_text_field( wp_unslash( $_POST['sp_team'] ) ) );
if ( $team <= 0 ) {
$team = 0;
}
@@ -187,7 +187,7 @@ if ( ! class_exists( 'SportsPress_User_Registration' ) ) :
// Add player
if ( 'yes' === get_option( 'sportspress_registration_add_player', 'no' ) ) {
if ( ! sizeof( $parts ) && ! empty( $_POST['user_login'] ) ) {
$parts[] = trim( sanitize_text_field( $_POST['user_login'] ) );
$parts[] = trim( sanitize_text_field( wp_unslash( $_POST['user_login'] ) ) );
}
if ( sizeof( $parts ) ) {