tec3/five-for-the-future
tec3/five-for-the-future
1
0
Fork 0
mirror of https://github.com/WordPress/five-for-the-future.git synced 2025-04-21 10:33:44 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Replace deprecated SANITIZE_STRING filter with UNSAFE_RAW.

Browse source 
`FILTER_UNSAFE_RAW` doesn't strip HTML tags like `FILTER_SANITIZE_STRING` did, but some of these are being run through `sanitize_text_field` as well, and the others aren't being output or saved to the database.

See https://stackoverflow.com/a/69207369/450127
This commit is contained in:
Ian Dunn 2022-07-19 09:49:23 -07:00
parent 87979f588f
commit bb0216adc6
No known key found for this signature in database
GPG key ID: 99B971B50343CBCB
3 changed files with 7 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
plugins/wporg-5ftf/includes/contributor.php
View file

@ -430,7 +430,7 @@ function render_my_pledges() {
*/ */
function process_my_pledges_form() { function process_my_pledges_form() {
$contributor_post_id = filter_input( INPUT_POST, 'contributor_post_id', FILTER_VALIDATE_INT ); $contributor_post_id = filter_input( INPUT_POST, 'contributor_post_id', FILTER_VALIDATE_INT );
$unverified_nonce = filter_input( INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING ); $unverified_nonce = filter_input( INPUT_POST, '_wpnonce', FILTER_UNSAFE_RAW );
if ( empty( $contributor_post_id ) || empty( $unverified_nonce ) ) { if ( empty( $contributor_post_id ) || empty( $unverified_nonce ) ) {
return ''; // Return early, the form wasn't submitted. return ''; // Return early, the form wasn't submitted.
} }

10
plugins/wporg-5ftf/includes/pledge-form.php
View file

@ -194,7 +194,7 @@ function render_form_manage() {
*/ */
function process_form_manage( $pledge_id, $auth_token ) { function process_form_manage( $pledge_id, $auth_token ) {
$errors = array(); $errors = array();
$nonce = filter_input( INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING ); $nonce = filter_input( INPUT_POST, '_wpnonce', FILTER_UNSAFE_RAW );
$nonce_action = 'manage_pledge_' . $pledge_id; $nonce_action = 'manage_pledge_' . $pledge_id;
$has_valid_nonce = wp_verify_nonce( $nonce, $nonce_action ); $has_valid_nonce = wp_verify_nonce( $nonce, $nonce_action );
@ -250,13 +250,13 @@ function process_form_manage( $pledge_id, $auth_token ) {
} }
/** /**
* Process a submission from the Manage Pledge form. * Process a submission from the Remove Pledge form.
* *
* @return WP_Error|true An error if the pledge could not be saved. Otherwise true. * @return WP_Error|true An error if the pledge could not be saved. Otherwise true.
*/ */
function process_form_remove( $pledge_id, $auth_token ) { function process_form_remove( $pledge_id, $auth_token ) {
$errors = array(); $errors = array();
$nonce = filter_input( INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING ); $nonce = filter_input( INPUT_POST, '_wpnonce', FILTER_UNSAFE_RAW );
$nonce_action = 'remove_pledge_' . $pledge_id; $nonce_action = 'remove_pledge_' . $pledge_id;
$has_valid_nonce = wp_verify_nonce( $nonce, $nonce_action ); $has_valid_nonce = wp_verify_nonce( $nonce, $nonce_action );
$can_view_form = Auth\can_manage_pledge( $pledge_id, $auth_token ); $can_view_form = Auth\can_manage_pledge( $pledge_id, $auth_token );
@ -300,7 +300,7 @@ function process_confirmed_email( $value, $tag ) {
} }
$pledge_id = filter_input( INPUT_GET, 'pledge_id', FILTER_VALIDATE_INT ); $pledge_id = filter_input( INPUT_GET, 'pledge_id', FILTER_VALIDATE_INT );
$auth_token = filter_input( INPUT_GET, 'auth_token', FILTER_SANITIZE_STRING ); $auth_token = filter_input( INPUT_GET, 'auth_token', FILTER_UNSAFE_RAW );
$meta_key = PledgeMeta\META_PREFIX . 'pledge-email-confirmed'; $meta_key = PledgeMeta\META_PREFIX . 'pledge-email-confirmed';
$already_confirmed = get_post( $pledge_id )->$meta_key; $already_confirmed = get_post( $pledge_id )->$meta_key;
@ -382,7 +382,7 @@ function get_form_submission() {
wp_list_pluck( PledgeMeta\get_pledge_meta_config( 'user_input' ), 'php_filter' ), wp_list_pluck( PledgeMeta\get_pledge_meta_config( 'user_input' ), 'php_filter' ),
// Inputs with no corresponding meta value. // Inputs with no corresponding meta value.
array( array(
'pledge-contributors' => FILTER_SANITIZE_STRING, 'pledge-contributors' => FILTER_UNSAFE_RAW,
'pledge-agreement' => FILTER_VALIDATE_BOOLEAN, 'pledge-agreement' => FILTER_VALIDATE_BOOLEAN,
) )
); );

2
plugins/wporg-5ftf/includes/pledge-meta.php
View file

@ -49,7 +49,7 @@ function get_pledge_meta_config( $subset = 'all' ) {
'sanitize_callback' => 'sanitize_text_field', 'sanitize_callback' => 'sanitize_text_field',
'show_in_rest' => true, 'show_in_rest' => true,
'context' => array( 'create', 'update' ), 'context' => array( 'create', 'update' ),
'php_filter' => FILTER_SANITIZE_STRING, 'php_filter' => FILTER_UNSAFE_RAW,
), ),
'org-url' => array( 'org-url' => array(
'single' => true, 'single' => true,