From 02891af11c953f62811f8e2112a53e859a2564ef Mon Sep 17 00:00:00 2001
From: Brian Miyaji
Date: Tue, 9 Nov 2021 03:51:03 +0900
Subject: [PATCH] Additional sanitization for setup wizard

---
 includes/admin/class-sp-admin-setup-wizard.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/admin/class-sp-admin-setup-wizard.php b/includes/admin/class-sp-admin-setup-wizard.php
index 96377ce4..b7d5569e 100644
--- a/includes/admin/class-sp-admin-setup-wizard.php
+++ b/includes/admin/class-sp-admin-setup-wizard.php
@@ -305,7 +305,7 @@ class SP_Admin_Setup_Wizard {
 		check_admin_referer( 'sp-setup' );
 
 		// Update timezone
-		$timezone_string = $_POST['timezone_string'];
+		$timezone_string = sanitize_text_field( $_POST['timezone_string'] );
 		if ( ! empty( $timezone_string ) && preg_match( '/^UTC[+-]/', $timezone_string ) ) {
 			$gmt_offset = $timezone_string;
 			$gmt_offset = preg_replace( '/UTC\+?/', '', $gmt_offset );
@@ -492,7 +492,7 @@ class SP_Admin_Setup_Wizard {
 
 		if ( ! empty( $_POST['staff'] ) ) {
 			$post['post_type'] = 'sp_staff';
-			$post['post_title'] = $_POST['staff'];
+			$post['post_title'] = sanitize_text_field( $_POST['staff'] );
 			$id = wp_insert_post( $post );
 
 			// Add role
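Review bot: The added line in the first hunk reads `$_POST['timezone_string']` without an isset() guard, so a request that omits the field still triggers an undefined-array-key warning and passes null into sanitize_text_field(); the `! empty( $timezone_string )` test below only catches the resulting empty string, not the access itself. Consider `$timezone_string = isset( $_POST['timezone_string'] ) ? sanitize_text_field( wp_unslash( $_POST['timezone_string'] ) ) : '';`, which also unslashes the raw request value as WordPress coding standards expect. Sanitizing strips tags but does not validate the value as a timezone; if the non-UTC path (outside the hunk) stores it as an option, checking it against `timezone_identifiers_list()` with `in_array( ..., true )` would bound it to known identifiers. The enclosing method starts and ends outside the hunk.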
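Review bot: In the second hunk the `! empty( $_POST['staff'] )` guard tests the raw value, but sanitize_text_field() can return an empty string for a non-empty input (one consisting only of tags or whitespace), so the added line can still hand an empty title to wp_insert_post(). Assigning the sanitized value first and testing that instead, `$staff_title = sanitize_text_field( $_POST['staff'] ); if ( '' !== $staff_title ) {`, keeps the guard and the inserted data in agreement; note that the `$_POST` value could also arrive as an array, which sanitize_text_field() does not reject. The enclosing method begins and ends outside the hunk.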