Fix security and logic bugs in image generator and OG tags

- Fix null-dereference: check !$post with || before accessing post_type
- Sanitize $_GET['post'] with absint() before use
- Escape OG tag attribute values with esc_attr()/esc_url()

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-06 08:19:57 -05:00
parent dbe3048af7
commit 7f0d0457e1
2 changed files with 9 additions and 7 deletions


@@ -115,12 +115,14 @@ add_action('init', 'add_image_generator_endpoint');
function handle_image_request() {
if (!isset($_GET['post'])) return;
$post_id = $_GET['post'];
$post_id = absint( $_GET['post'] );
if ( $post_id <= 0 ) return;
$post = get_post($post_id);
// Verify post type
if (!$post && $post->post_type !== 'sp_event') return;
if (!$post || $post->post_type !== 'sp_event') return;
// Get associated teams from post meta
$team_ids = get_post_meta($post_id, 'sp_team', false); // false to get an array of values