Replace deprecated SANITIZE_STRING filter with UNSAFE_RAW.

`FILTER_UNSAFE_RAW` doesn't strip HTML tags like `FILTER_SANITIZE_STRING` did, but some of these are being run through `sanitize_text_field` as well, and the others aren't being output or saved to the database. See https://stackoverflow.com/a/69207369/450127
2025-04-16 16:43:42 +03:00 · 2022-07-19 09:49:23 -07:00 · 2022-07-19 09:49:23 -07:00 · bb0216adc6
parent 87979f588f
commit bb0216adc6
3 changed files with 7 additions and 7 deletions
--- a/plugins/wporg-5ftf/includes/contributor.php
+++ b/plugins/wporg-5ftf/includes/contributor.php
@ -430,7 +430,7 @@ function render_my_pledges() {
 */
 function process_my_pledges_form() {
 	$contributor_post_id = filter_input( INPUT_POST, 'contributor_post_id', FILTER_VALIDATE_INT );
-	$unverified_nonce    = filter_input( INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING );
+	$unverified_nonce    = filter_input( INPUT_POST, '_wpnonce', FILTER_UNSAFE_RAW );
 	if ( empty( $contributor_post_id ) || empty( $unverified_nonce ) ) {
 		return ''; // Return early, the form wasn't submitted.
 	}
--- a/plugins/wporg-5ftf/includes/pledge-form.php
+++ b/plugins/wporg-5ftf/includes/pledge-form.php
@ -194,7 +194,7 @@ function render_form_manage() {
 */
 function process_form_manage( $pledge_id, $auth_token ) {
 	$errors          = array();
-	$nonce           = filter_input( INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING );
+	$nonce           = filter_input( INPUT_POST, '_wpnonce', FILTER_UNSAFE_RAW );
 	$nonce_action    = 'manage_pledge_' . $pledge_id;
 	$has_valid_nonce = wp_verify_nonce( $nonce, $nonce_action );

@ -250,13 +250,13 @@ function process_form_manage( $pledge_id, $auth_token ) {
 }

 /**
- * Process a submission from the Manage Pledge form.
+ * Process a submission from the Remove Pledge form.
 *
 * @return WP_Error|true An error if the pledge could not be saved. Otherwise true.
 */
 function process_form_remove( $pledge_id, $auth_token ) {
 	$errors          = array();
-	$nonce           = filter_input( INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING );
+	$nonce           = filter_input( INPUT_POST, '_wpnonce', FILTER_UNSAFE_RAW );
 	$nonce_action    = 'remove_pledge_' . $pledge_id;
 	$has_valid_nonce = wp_verify_nonce( $nonce, $nonce_action );
 	$can_view_form   = Auth\can_manage_pledge( $pledge_id, $auth_token );
@ -300,7 +300,7 @@ function process_confirmed_email( $value, $tag ) {
 	}

 	$pledge_id  = filter_input( INPUT_GET, 'pledge_id', FILTER_VALIDATE_INT );
-	$auth_token = filter_input( INPUT_GET, 'auth_token', FILTER_SANITIZE_STRING );
+	$auth_token = filter_input( INPUT_GET, 'auth_token', FILTER_UNSAFE_RAW );

 	$meta_key          = PledgeMeta\META_PREFIX . 'pledge-email-confirmed';
 	$already_confirmed = get_post( $pledge_id )->$meta_key;
@ -382,7 +382,7 @@ function get_form_submission() {
 		wp_list_pluck( PledgeMeta\get_pledge_meta_config( 'user_input' ), 'php_filter' ),
 		// Inputs with no corresponding meta value.
 		array(
-			'pledge-contributors' => FILTER_SANITIZE_STRING,
+			'pledge-contributors' => FILTER_UNSAFE_RAW,
 			'pledge-agreement'    => FILTER_VALIDATE_BOOLEAN,
 		)
 	);
--- a/plugins/wporg-5ftf/includes/pledge-meta.php
+++ b/plugins/wporg-5ftf/includes/pledge-meta.php
@ -49,7 +49,7 @@ function get_pledge_meta_config( $subset = 'all' ) {
 			'sanitize_callback' => 'sanitize_text_field',
 			'show_in_rest'      => true,
 			'context'           => array( 'create', 'update' ),
-			'php_filter'        => FILTER_SANITIZE_STRING,
+			'php_filter'        => FILTER_UNSAFE_RAW,
 		),
 		'org-url'          => array(
 			'single'            => true,