Sanitize and unslash all inputs
This commit is contained in:
Brian Miyaji
@@ -58,10 +58,10 @@ if ( class_exists( 'WP_Importer' ) ) {
|
||||
$rows = array_chunk( $array, sizeof( $columns ) );
|
||||
|
||||
// Get event format, league, and season from post vars
|
||||
$event_format = ( empty( $_POST['sp_format'] ) ? false : sanitize_text_field( $_POST['sp_format'] ) );
|
||||
$league = ( sp_array_value( $_POST, 'sp_league', '-1' ) == '-1' ? false : sanitize_text_field( $_POST['sp_league'] ) );
|
||||
$season = ( sp_array_value( $_POST, 'sp_season', '-1' ) == '-1' ? false : sanitize_text_field( $_POST['sp_season'] ) );
|
||||
$date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( $_POST['sp_date_format'] ) );
|
||||
$event_format = ( empty( $_POST['sp_format'] ) ? false : sanitize_key( $_POST['sp_format'] ) );
|
||||
$league = ( sp_array_value( $_POST, 'sp_league', '-1' ) == '-1' ? false : sanitize_key( $_POST['sp_league'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
|
||||
$season = ( sp_array_value( $_POST, 'sp_season', '-1' ) == '-1' ? false : sanitize_key( $_POST['sp_season'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
|
||||
$date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( wp_unslash( $_POST['sp_date_format'] ) ) );
|
||||
|
||||
// Get labels from result and performance post types
|
||||
$result_labels = sp_get_var_labels( 'sp_result' );
|
||||
|
||||
@@ -52,10 +52,10 @@ if ( class_exists( 'WP_Importer' ) ) {
|
||||
$rows = array_chunk( $array, sizeof( $columns ) );
|
||||
|
||||
// Get event ID and team ID from post vars
|
||||
$event = ( empty( $_POST['sp_event'] ) ? false : sanitize_text_field( $_POST['sp_event'] ) );
|
||||
$teams = ( empty( $_POST['sp_teams'] ) ? false : sanitize_text_field( $_POST['sp_teams'] ) );
|
||||
$index = ( empty( $_POST['sp_index'] ) ? false : sanitize_text_field( $_POST['sp_index'] ) );
|
||||
$team = ( empty( $_POST['sp_team'] ) ? false : sanitize_text_field( $_POST['sp_team'] ) );
|
||||
$event = ( empty( $_POST['sp_event'] ) ? false : sanitize_text_field( wp_unslash( $_POST['sp_event'] ) ) );
|
||||
$teams = ( empty( $_POST['sp_teams'] ) ? false : sanitize_text_field( wp_unslash( $_POST['sp_teams'] ) ) );
|
||||
$index = ( empty( $_POST['sp_index'] ) ? false : sanitize_text_field( wp_unslash( $_POST['sp_index'] ) ) );
|
||||
$team = ( empty( $_POST['sp_team'] ) ? false : sanitize_text_field( wp_unslash( $_POST['sp_team'] ) ) );
|
||||
|
||||
$team_players = array( 0 );
|
||||
$team_performance = array();
|
||||
|
||||
@@ -54,10 +54,10 @@ if ( class_exists( 'WP_Importer' ) ) {
|
||||
$rows = array_chunk( $array, sizeof( $columns ) );
|
||||
|
||||
// Get event format, league, and season from post vars
|
||||
$event_format = ( empty( $_POST['sp_format'] ) ? false : $_POST['sp_format'] );
|
||||
$league = ( sp_array_value( $_POST, 'sp_league', '-1' ) == '-1' ? false : $_POST['sp_league'] );
|
||||
$season = ( sp_array_value( $_POST, 'sp_season', '-1' ) == '-1' ? false : $_POST['sp_season'] );
|
||||
$date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : $_POST['sp_date_format'] );
|
||||
$event_format = ( empty( $_POST['sp_format'] ) ? false : sanitize_key( $_POST['sp_format'] ) );
|
||||
$league = ( sp_array_value( $_POST, 'sp_league', '-1' ) == '-1' ? false : sanitize_key( $_POST['sp_league'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
|
||||
$season = ( sp_array_value( $_POST, 'sp_season', '-1' ) == '-1' ? false : sanitize_key( $_POST['sp_season'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
|
||||
$date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( wp_unslash( $_POST['sp_date_format'] ) ) );
|
||||
|
||||
foreach ( $rows as $row ) :
|
||||
|
||||
|
||||
@@ -49,7 +49,7 @@ if ( class_exists( 'WP_Importer' ) ) {
|
||||
$this->header();
|
||||
|
||||
if ( ! empty( $_POST['delimiter'] ) ) {
|
||||
$this->delimiter = stripslashes( trim( sanitize_text_field( $_POST['delimiter'] ) ) );
|
||||
$this->delimiter = stripslashes( trim( sanitize_text_field( wp_unslash( $_POST['delimiter'] ) ) ) );
|
||||
}
|
||||
|
||||
if ( ! $this->delimiter ) {
|
||||
@@ -87,8 +87,8 @@ if ( class_exists( 'WP_Importer' ) ) {
|
||||
case 2:
|
||||
check_admin_referer( 'import-upload' );
|
||||
if ( isset( $_POST['sp_import'] ) ) :
|
||||
$columns = array_filter( sp_array_value( $_POST, 'sp_columns', array( 'post_title' ) ) );
|
||||
$this->import( $_POST['sp_import'], array_values( $columns ) );
|
||||
$columns = array_filter( array_map( 'sanitize_key', array_map( 'wp_unslash', sp_array_value( $_POST, 'sp_columns', array( 'post_title' ) ) ) ) );
|
||||
$this->import( $_POST['sp_import'], array_values( $columns ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
|
||||
endif;
|
||||
break;
|
||||
endswitch;
|
||||
@@ -249,9 +249,9 @@ endwhile;
|
||||
|
||||
} else {
|
||||
|
||||
if ( file_exists( ABSPATH . $_POST['file_url'] ) ) {
|
||||
if ( file_exists( ABSPATH . sanitize_url( wp_unslash( $_POST['file_url'] ) ) ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
|
||||
|
||||
$this->file_url = sanitize_url( $_POST['file_url'] );
|
||||
$this->file_url = sanitize_url( wp_unslash( $_POST['file_url'] ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
|
||||
|
||||
} else {
|
||||
|
||||
|
||||
@@ -56,7 +56,7 @@ if ( class_exists( 'WP_Importer' ) ) {
|
||||
$rows = array_chunk( $array, sizeof( $columns ) );
|
||||
|
||||
// Get Date of Birth format from post vars
|
||||
$date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( $_POST['sp_date_format'] ) );
|
||||
$date_format = ( empty( $_POST['sp_date_format'] ) ? 'yyyy/mm/dd' : sanitize_text_field( wp_unslash( $_POST['sp_date_format'] ) ) );
|
||||
|
||||
foreach ( $rows as $row ) :
|
||||
|
||||
|
||||
Reference in New Issue
Block a user