asc/sportspress
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add sanitization to setup, welcome, importer, settings, and admin cpt

Browse Source
This commit is contained in:
Brian Miyaji
2021-11-09 03:37:04 +09:00
parent e23e1c2eed
commit c7302dfc80
12 changed files with 38 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
includes/admin/class-sp-admin-setup-wizard.php
View File

@@ -390,7 +390,7 @@ class SP_Admin_Setup_Wizard {
check_admin_referer( 'sp-setup' ); check_admin_referer( 'sp-setup' );
// Add away team // Add away team
$post['post_title'] = $_POST['away_team']; $post['post_title'] = sanitize_text_field( $_POST['away_team'] );
$post['post_type'] = 'sp_team'; $post['post_type'] = 'sp_team';
$post['post_status'] = 'publish'; $post['post_status'] = 'publish';
$post['tax_input'] = array(); $post['tax_input'] = array();
@@ -401,7 +401,7 @@ class SP_Admin_Setup_Wizard {
wp_insert_post( $post ); wp_insert_post( $post );
// Add home team // Add home team
$post['post_title'] = $_POST['home_team']; $post['post_title'] = sanitize_text_field( $_POST['home_team'] );
wp_insert_post( $post ); wp_insert_post( $post );
wp_redirect( esc_url_raw( $this->get_next_step_link() ) ); wp_redirect( esc_url_raw( $this->get_next_step_link() ) );

6
includes/admin/class-sp-admin-welcome.php
View File

@@ -152,13 +152,13 @@ class SP_Admin_Welcome {
<?php <?php
// Save settings // Save settings
if ( isset( $_POST['timezone_string'] ) ): if ( isset( $_POST['timezone_string'] ) ):
update_option( 'timezone_string', $_POST['timezone_string'] ); update_option( 'timezone_string', sanitize_text_field( $_POST['timezone_string'] ) );
update_option( 'sportspress_basic_setup', 1 ); update_option( 'sportspress_basic_setup', 1 );
endif; endif;
if ( isset( $_POST['sportspress_sport'] ) && ! empty( $_POST['sportspress_sport'] ) ): if ( isset( $_POST['sportspress_sport'] ) && ! empty( $_POST['sportspress_sport'] ) ):
$sport = $_POST['sportspress_sport']; $sport = sanitize_text_field( $_POST['sportspress_sport'] );
SP_Admin_Sports::apply_preset( $sport ); SP_Admin_Sports::apply_preset( $sport );
update_option( 'sportspress_sport', $_POST['sportspress_sport'] ); update_option( 'sportspress_sport', $sport );
delete_option( '_sp_needs_welcome' ); delete_option( '_sp_needs_welcome' );
update_option( 'sportspress_installed', 1 ); update_option( 'sportspress_installed', 1 );
?> ?>

8
includes/admin/importers/class-sp-event-importer.php
View File

@@ -55,10 +55,10 @@ if ( class_exists( 'WP_Importer' ) ) {
$rows = array_chunk( $array, sizeof( $columns ) ); $rows = array_chunk( $array, sizeof( $columns ) );
// Get event format, league, and season from post vars // Get event format, league, and season from post vars
$event_format = ( empty( $_POST['sp_format'] ) ? false : $_POST['sp_format'] ); $event_format = ( empty( $_POST['sp_format'] ) ? false : sanitize_text_field( $_POST['sp_format'] ) );
$league = ( sp_array_value( $_POST, 'sp_league', '-1' ) == '-1' ? false : $_POST['sp_league'] ); $league = ( sp_array_value( $_POST, 'sp_league', '-1' ) == '-1' ? false : sanitize_text_field( $_POST['sp_league'] ) );
$season = ( sp_array_value( $_POST, 'sp_season', '-1' ) == '-1' ? false : $_POST['sp_season'] ); $season = ( sp_array_value( $_POST, 'sp_season', '-1' ) == '-1' ? false : sanitize_text_field( $_POST['sp_season'] ) );
$date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : $_POST['sp_date_format'] ); $date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( $_POST['sp_date_format'] ) );
// Get labels from result and performance post types // Get labels from result and performance post types
$result_labels = sp_get_var_labels( 'sp_result' ); $result_labels = sp_get_var_labels( 'sp_result' );

8
includes/admin/importers/class-sp-event-performance-importer.php
View File

@@ -49,10 +49,10 @@ if ( class_exists( 'WP_Importer' ) ) {
$rows = array_chunk( $array, sizeof( $columns ) ); $rows = array_chunk( $array, sizeof( $columns ) );
// Get event ID and team ID from post vars // Get event ID and team ID from post vars
$event = ( empty( $_POST['sp_event'] ) ? false : $_POST['sp_event'] ); $event = ( empty( $_POST['sp_event'] ) ? false : sanitize_text_field( $_POST['sp_event'] ) );
$teams = ( empty( $_POST['sp_teams'] ) ? false : $_POST['sp_teams'] ); $teams = ( empty( $_POST['sp_teams'] ) ? false : sanitize_text_field( $_POST['sp_teams'] ) );
$index = ( empty( $_POST['sp_index'] ) ? false : $_POST['sp_index'] ); $index = ( empty( $_POST['sp_index'] ) ? false : sanitize_text_field( $_POST['sp_index'] ) );
$team = ( empty( $_POST['sp_team'] ) ? false : $_POST['sp_team'] ); $team = ( empty( $_POST['sp_team'] ) ? false : sanitize_text_field( $_POST['sp_team'] ) );
$team_players = array( 0 ); $team_players = array( 0 );
$team_performance = array(); $team_performance = array();

2
includes/admin/importers/class-sp-player-importer.php
View File

@@ -54,7 +54,7 @@ if ( class_exists( 'WP_Importer' ) ) {
$rows = array_chunk( $array, sizeof( $columns ) ); $rows = array_chunk( $array, sizeof( $columns ) );
// Get Date of Birth format from post vars // Get Date of Birth format from post vars
$date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : $_POST['sp_date_format'] ); $date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( $_POST['sp_date_format'] ) );
foreach ( $rows as $row ): foreach ( $rows as $row ):

8
includes/admin/post-types/class-sp-admin-cpt-calendar.php
View File

@@ -110,7 +110,7 @@ class SP_Admin_CPT_Calendar extends SP_Admin_CPT {
if ( $typenow != 'sp_calendar' ) if ( $typenow != 'sp_calendar' )
return; return;
$selected = isset( $_REQUEST['sp_league'] ) ? $_REQUEST['sp_league'] : null; $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all leagues', 'sportspress' ), 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
'taxonomy' => 'sp_league', 'taxonomy' => 'sp_league',
@@ -119,7 +119,7 @@ class SP_Admin_CPT_Calendar extends SP_Admin_CPT {
); );
sp_dropdown_taxonomies( $args ); sp_dropdown_taxonomies( $args );
$selected = isset( $_REQUEST['sp_season'] ) ? $_REQUEST['sp_season'] : null; $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all seasons', 'sportspress' ), 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
'taxonomy' => 'sp_season', 'taxonomy' => 'sp_season',
@@ -128,7 +128,7 @@ class SP_Admin_CPT_Calendar extends SP_Admin_CPT {
); );
sp_dropdown_taxonomies( $args ); sp_dropdown_taxonomies( $args );
$selected = isset( $_REQUEST['team'] ) ? $_REQUEST['team'] : null; $selected = isset( $_REQUEST['team'] ) ? sanitize_key( $_REQUEST['team'] ) : null;
$args = array( $args = array(
'post_type' => 'sp_team', 'post_type' => 'sp_team',
'name' => 'team', 'name' => 'team',
@@ -150,7 +150,7 @@ class SP_Admin_CPT_Calendar extends SP_Admin_CPT {
if ( $typenow == 'sp_calendar' ) { if ( $typenow == 'sp_calendar' ) {
if ( ! empty( $_GET['team'] ) ) { if ( ! empty( $_GET['team'] ) ) {
$query->query_vars['meta_value'] = $_GET['team']; $query->query_vars['meta_value'] = sanitize_key( $_GET['team'] );
$query->query_vars['meta_key'] = 'sp_team'; $query->query_vars['meta_key'] = 'sp_team';
} }
} }

8
includes/admin/post-types/class-sp-admin-cpt-list.php
View File

@@ -104,7 +104,7 @@ class SP_Admin_CPT_List extends SP_Admin_CPT {
if ( $typenow != 'sp_list' ) if ( $typenow != 'sp_list' )
return; return;
$selected = isset( $_REQUEST['sp_league'] ) ? $_REQUEST['sp_league'] : null; $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all leagues', 'sportspress' ), 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
'taxonomy' => 'sp_league', 'taxonomy' => 'sp_league',
@@ -113,7 +113,7 @@ class SP_Admin_CPT_List extends SP_Admin_CPT {
); );
sp_dropdown_taxonomies( $args ); sp_dropdown_taxonomies( $args );
$selected = isset( $_REQUEST['sp_season'] ) ? $_REQUEST['sp_season'] : null; $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all seasons', 'sportspress' ), 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
'taxonomy' => 'sp_season', 'taxonomy' => 'sp_season',
@@ -122,7 +122,7 @@ class SP_Admin_CPT_List extends SP_Admin_CPT {
); );
sp_dropdown_taxonomies( $args ); sp_dropdown_taxonomies( $args );
$selected = isset( $_REQUEST['team'] ) ? $_REQUEST['team'] : null; $selected = isset( $_REQUEST['team'] ) ? sanitize_key( $_REQUEST['team'] ) : null;
$args = array( $args = array(
'post_type' => 'sp_team', 'post_type' => 'sp_team',
'name' => 'team', 'name' => 'team',
@@ -144,7 +144,7 @@ class SP_Admin_CPT_List extends SP_Admin_CPT {
if ( $typenow == 'sp_list' ) { if ( $typenow == 'sp_list' ) {
if ( ! empty( $_GET['team'] ) ) { if ( ! empty( $_GET['team'] ) ) {
$query->query_vars['meta_value'] = $_GET['team']; $query->query_vars['meta_value'] = sanitize_key( $_GET['team'] );
$query->query_vars['meta_key'] = 'sp_team'; $query->query_vars['meta_key'] = 'sp_team';
} }
} }

10
includes/admin/post-types/class-sp-admin-cpt-player.php
View File

@@ -141,7 +141,7 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
return; return;
if ( taxonomy_exists( 'sp_position' ) ): if ( taxonomy_exists( 'sp_position' ) ):
$selected = isset( $_REQUEST['sp_position'] ) ? $_REQUEST['sp_position'] : null; $selected = isset( $_REQUEST['sp_position'] ) ? sanitize_key( $_REQUEST['sp_position'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all positions', 'sportspress' ), 'show_option_all' => __( 'Show all positions', 'sportspress' ),
'taxonomy' => 'sp_position', 'taxonomy' => 'sp_position',
@@ -151,7 +151,7 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
sp_dropdown_taxonomies( $args ); sp_dropdown_taxonomies( $args );
endif; endif;
$selected = isset( $_REQUEST['team'] ) ? $_REQUEST['team'] : null; $selected = isset( $_REQUEST['team'] ) ? sanitize_key( $_REQUEST['team'] ) : null;
$args = array( $args = array(
'post_type' => 'sp_team', 'post_type' => 'sp_team',
'name' => 'team', 'name' => 'team',
@@ -162,7 +162,7 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
wp_dropdown_pages( $args ); wp_dropdown_pages( $args );
if ( taxonomy_exists( 'sp_league' ) ): if ( taxonomy_exists( 'sp_league' ) ):
$selected = isset( $_REQUEST['sp_league'] ) ? $_REQUEST['sp_league'] : null; $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all leagues', 'sportspress' ), 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
'taxonomy' => 'sp_league', 'taxonomy' => 'sp_league',
@@ -173,7 +173,7 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
endif; endif;
if ( taxonomy_exists( 'sp_season' ) ): if ( taxonomy_exists( 'sp_season' ) ):
$selected = isset( $_REQUEST['sp_season'] ) ? $_REQUEST['sp_season'] : null; $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all seasons', 'sportspress' ), 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
'taxonomy' => 'sp_season', 'taxonomy' => 'sp_season',
@@ -198,7 +198,7 @@ class SP_Admin_CPT_Player extends SP_Admin_CPT {
if ( $typenow == 'sp_player' ) { if ( $typenow == 'sp_player' ) {
if ( ! empty( $_GET['team'] ) ) { if ( ! empty( $_GET['team'] ) ) {
$query->query_vars['meta_value'] = $_GET['team']; $query->query_vars['meta_value'] = sanitize_key( $_GET['team'] );
$query->query_vars['meta_key'] = 'sp_team'; $query->query_vars['meta_key'] = 'sp_team';
} }
} }

8
includes/admin/post-types/class-sp-admin-cpt-staff.php
View File

@@ -119,7 +119,7 @@ class SP_Admin_CPT_Staff extends SP_Admin_CPT {
if ( $typenow != 'sp_staff' ) if ( $typenow != 'sp_staff' )
return; return;
$selected = isset( $_REQUEST['team'] ) ? $_REQUEST['team'] : null; $selected = isset( $_REQUEST['team'] ) ? sanitize_key( $_REQUEST['team'] ) : null;
$args = array( $args = array(
'post_type' => 'sp_team', 'post_type' => 'sp_team',
'name' => 'team', 'name' => 'team',
@@ -129,7 +129,7 @@ class SP_Admin_CPT_Staff extends SP_Admin_CPT {
); );
wp_dropdown_pages( $args ); wp_dropdown_pages( $args );
$selected = isset( $_REQUEST['sp_league'] ) ? $_REQUEST['sp_league'] : null; $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all leagues', 'sportspress' ), 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
'taxonomy' => 'sp_league', 'taxonomy' => 'sp_league',
@@ -138,7 +138,7 @@ class SP_Admin_CPT_Staff extends SP_Admin_CPT {
); );
sp_dropdown_taxonomies( $args ); sp_dropdown_taxonomies( $args );
$selected = isset( $_REQUEST['sp_season'] ) ? $_REQUEST['sp_season'] : null; $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all seasons', 'sportspress' ), 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
'taxonomy' => 'sp_season', 'taxonomy' => 'sp_season',
@@ -159,7 +159,7 @@ class SP_Admin_CPT_Staff extends SP_Admin_CPT {
if ( $typenow == 'sp_staff' ) { if ( $typenow == 'sp_staff' ) {
if ( ! empty( $_GET['team'] ) ) { if ( ! empty( $_GET['team'] ) ) {
$query->query_vars['meta_value'] = $_GET['team']; $query->query_vars['meta_value'] = sanitize_key( $_GET['team'] );
$query->query_vars['meta_key'] = 'sp_team'; $query->query_vars['meta_key'] = 'sp_team';
} }
} }

8
includes/admin/post-types/class-sp-admin-cpt-table.php
View File

@@ -86,7 +86,7 @@ class SP_Admin_CPT_Table extends SP_Admin_CPT {
if ( $typenow != 'sp_table' ) if ( $typenow != 'sp_table' )
return; return;
$selected = isset( $_REQUEST['sp_league'] ) ? $_REQUEST['sp_league'] : null; $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all leagues', 'sportspress' ), 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
'taxonomy' => 'sp_league', 'taxonomy' => 'sp_league',
@@ -95,7 +95,7 @@ class SP_Admin_CPT_Table extends SP_Admin_CPT {
); );
sp_dropdown_taxonomies( $args ); sp_dropdown_taxonomies( $args );
$selected = isset( $_REQUEST['sp_season'] ) ? $_REQUEST['sp_season'] : null; $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all seasons', 'sportspress' ), 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
'taxonomy' => 'sp_season', 'taxonomy' => 'sp_season',
@@ -104,7 +104,7 @@ class SP_Admin_CPT_Table extends SP_Admin_CPT {
); );
sp_dropdown_taxonomies( $args ); sp_dropdown_taxonomies( $args );
$selected = isset( $_REQUEST['team'] ) ? $_REQUEST['team'] : null; $selected = isset( $_REQUEST['team'] ) ? sanitize_key( $_REQUEST['team'] ) : null;
$args = array( $args = array(
'post_type' => 'sp_team', 'post_type' => 'sp_team',
'name' => 'team', 'name' => 'team',
@@ -126,7 +126,7 @@ class SP_Admin_CPT_Table extends SP_Admin_CPT {
if ( $typenow == 'sp_table' ) { if ( $typenow == 'sp_table' ) {
if ( ! empty( $_GET['team'] ) ) { if ( ! empty( $_GET['team'] ) ) {
$query->query_vars['meta_value'] = $_GET['team']; $query->query_vars['meta_value'] = sanitize_key( $_GET['team'] );
$query->query_vars['meta_key'] = 'sp_team'; $query->query_vars['meta_key'] = 'sp_team';
} }
} }

4
includes/admin/post-types/class-sp-admin-cpt-team.php
View File

@@ -107,7 +107,7 @@ class SP_Admin_CPT_Team extends SP_Admin_CPT {
if ( $typenow != 'sp_team' ) if ( $typenow != 'sp_team' )
return; return;
$selected = isset( $_REQUEST['sp_league'] ) ? $_REQUEST['sp_league'] : null; $selected = isset( $_REQUEST['sp_league'] ) ? sanitize_key( $_REQUEST['sp_league'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all leagues', 'sportspress' ), 'show_option_all' => __( 'Show all leagues', 'sportspress' ),
'taxonomy' => 'sp_league', 'taxonomy' => 'sp_league',
@@ -116,7 +116,7 @@ class SP_Admin_CPT_Team extends SP_Admin_CPT {
); );
sp_dropdown_taxonomies( $args ); sp_dropdown_taxonomies( $args );
$selected = isset( $_REQUEST['sp_season'] ) ? $_REQUEST['sp_season'] : null; $selected = isset( $_REQUEST['sp_season'] ) ? sanitize_key( $_REQUEST['sp_season'] ) : null;
$args = array( $args = array(
'show_option_all' => __( 'Show all seasons', 'sportspress' ), 'show_option_all' => __( 'Show all seasons', 'sportspress' ),
'taxonomy' => 'sp_season', 'taxonomy' => 'sp_season',

2
includes/admin/settings/class-sp-settings-text.php
View File

@@ -67,7 +67,7 @@ class SP_Settings_Text extends SP_Settings_Page {
*/ */
public function save() { public function save() {
if ( isset( $_POST['sportspress_text'] ) ) if ( isset( $_POST['sportspress_text'] ) )
update_option( 'sportspress_text', $_POST['sportspress_text'] ); update_option( 'sportspress_text', array_map( 'sanitize_text_field', $_POST['sportspress_text'] ) );
} }
} }