Fix #20 Sanitized all inputs on admin plugin

AgoraIO · Nov 20, 2019 · e0383d2 · e0383d2
1 parent 16047ce
commit e0383d2
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 24 deletions.
diff --git a/admin/class-agora-channels-list-table.php b/admin/class-agora-channels-list-table.php
@@ -83,21 +83,21 @@ public function prepare_items() {
     );
 
     if ( ! empty( $_REQUEST['s'] ) ) {
-      $args['s'] = $_REQUEST['s'];
+      $args['s'] = sanitize_key($_REQUEST['s']);
     }
 
     if ( ! empty( $_REQUEST['orderby'] ) ) {
-      if ( 'title' == $_REQUEST['orderby'] ) {
+      if ( 'title' == sanitize_key($_REQUEST['orderby']) ) {
         $args['orderby'] = 'title';
-      } elseif ( 'date' == $_REQUEST['orderby'] ) {
+      } elseif ( 'date' == sanitize_key($_REQUEST['orderby']) ) {
         $args['orderby'] = 'date';
       }
     }
 
     if ( ! empty( $_REQUEST['order'] ) ) {
-      if ( 'asc' == strtolower( $_REQUEST['order'] ) ) {
+      if ( 'asc' == strtolower( sanitize_key($_REQUEST['order']) ) ) {
         $args['order'] = 'ASC';
-      } elseif ( 'desc' == strtolower( $_REQUEST['order'] ) ) {
+      } elseif ( 'desc' == strtolower( sanitize_key($_REQUEST['order']) ) ) {
         $args['order'] = 'DESC';
       }
     }
@@ -129,7 +129,7 @@ public function process_bulk_action() {
         die( 'Go get a life script kiddies' );
       }
       else {
-        self::delete_channel( absint( $_GET['channel'] ) );
+        self::delete_channel( absint( sanitize_key($_GET['channel']) ) );
 
         wp_redirect( esc_url( add_query_arg() ) );
         exit;
@@ -163,8 +163,8 @@ public function no_items() {
 
   public static function get_channels( $per_page = 5, $page_number = 1 ) {
     return WP_Agora_Channel::find(array(
-      'order' => !empty($_REQUEST['order']) ? $_REQUEST['order'] : 'ASC',
-      'orderby' => !empty($_REQUEST['orderby']) ? $_REQUEST['orderby'] : '',
+      'order' => !empty($_REQUEST['order']) ? sanitize_key( $_REQUEST['order'] ) : 'ASC',
+      'orderby' => !empty($_REQUEST['orderby']) ? sanitize_sql_orderby( $_REQUEST['orderby'] ) : '',
       'posts_per_page' => $per_page,
       'offset' => $page_number-1
     ));

diff --git a/admin/class-wp-agora-io-admin.php b/admin/class-wp-agora-io-admin.php
@@ -202,20 +202,20 @@ public function agora_load_channel_pages() {
 		// die("<pre>AGORA Load action:".print_r($action, true)."</pre>");
 		do_action(
 			'agoraio_admin_load',
-			isset( $_GET['page'] ) ? trim( $_GET['page'] ) : '',
+			isset( $_GET['page'] ) ? trim( sanitize_key($_GET['page']) ) : '',
 			$action
 		);
 
 		if ( 'save' === $action ) {
-			$id = isset( $_POST['post_ID'] ) ? $_POST['post_ID'] : '-1';
+			$id = isset( $_POST['post_ID'] ) ? sanitize_key($_POST['post_ID']) : '-1';
 			check_admin_referer( 'agoraio-save-channel_' . $id );
 
 			// save form data
 			$agoraio_channel = $this->save_channel( $_POST );
 
 			$query = array(
 				'post' => $agoraio_channel ? $id : 0,
-				'active-tab' => isset( $_POST['active-tab'] ) ? (int) $_POST['active-tab'] : 0,
+				'active-tab' => isset( $_POST['active-tab'] ) ? (int) sanitize_key($_POST['active-tab']) : 0,
 			);
 
 			if ( ! $agoraio_channel ) {
@@ -232,9 +232,9 @@ public function agora_load_channel_pages() {
 
 		if ( 'delete' == $action ) {
 			if ( !empty( $_POST['post_ID'] ) ) {
-				check_admin_referer( 'agora_delete_channel_' . $_POST['post_ID'] );
+				check_admin_referer( 'agora_delete_channel_' . sanitize_key($_POST['post_ID']) );
 			} elseif ( isset($_REQUEST['channel']) && !is_array($_REQUEST['channel']) ) {
-				check_admin_referer( 'agora_delete_channel_' . $_REQUEST['channel'] );
+				check_admin_referer( 'agora_delete_channel_' . sanitize_key($_REQUEST['channel']) );
 			} else {
 				// TODO: Fix this validation later...
 				// check_admin_referer( 'bulk-posts' );
@@ -309,7 +309,7 @@ public function agora_load_channel_pages() {
 	private function save_channel( $args ) {
 		$args = wp_unslash( $args );
 
-		$id = isset( $args['post_ID'] ) ? $args['post_ID'] : '-1';
+		$id = isset( $args['post_ID'] ) ? sanitize_key($args['post_ID']) : '-1';
 		$args['id'] = (int) $id;
 
 		if ( -1 == $args['id'] ) {

diff --git a/includes/class-wp-agora-io-channel.php b/includes/class-wp-agora-io-channel.php
@@ -203,39 +203,46 @@ public function save( $args ) {
       $post_id = wp_insert_post( array(
         'post_type' => self::post_type,
         'post_status' => 'publish',
-        'post_title' => $args['post_title'],
+        'post_title' => sanitize_text_field($args['post_title']),
       ) );
     } else {
       $post_id = wp_update_post( array(
         'ID' => (int) $args['post_ID'],
         'post_status' => 'publish',
-        'post_title' => $args['post_title'],
+        'post_title' => sanitize_text_field($args['post_title']),
       ) );
     }
 
     $videoSettings = array();
     array_map(function($key) use ($args, &$videoSettings) {
-      $videoSettings[$key] = $args[$key];
-      return $args[$key];
+      $videoSettings[$key] = sanitize_text_field($args[$key]);
+      return $videoSettings[$key];
     }, array_keys(self::$defaultVideoSettings));
 
     $appearanceSettings = array();
     array_map(function($key) use ($args, &$appearanceSettings) {
-      $appearanceSettings[$key] = $args[$key];
-      return $args[$key];
+      if ($key==='splashImageURL' || $key==='noHostImageURL') {
+        $value = esc_url_raw($args[$key]);
+      } else if ($key==='watchButtonText') {
+        $value = sanitize_text_field($args[$key]);
+      } else {
+        $value = sanitize_text_field($args[$key]);
+      }
+      $appearanceSettings[$key] = $value;
+      return $value;
     }, array_keys(self::$defaultAppearanceSettings));
 
     $recordingSettings = array();
     array_map(function($key) use ($args, &$recordingSettings) {
-      $recordingSettings[$key] = $args[$key];
-      return $args[$key];
+      $recordingSettings[$key] = sanitize_text_field($args[$key]);
+      return $recordingSettings[$key];
     }, array_keys(self::$defaultRecordingSettings));
 
     update_post_meta($post_id, 'channel_video_settings', $videoSettings);
     update_post_meta($post_id, 'channel_appearance_settings', $appearanceSettings);
     update_post_meta($post_id, 'channel_recording_settings', $recordingSettings);
-    update_post_meta($post_id, 'channel_type', $args['type']);
-    update_post_meta($post_id, 'channel_user_host', $args['host']);
+    update_post_meta($post_id, 'channel_type', sanitize_key($args['type']));
+    update_post_meta($post_id, 'channel_user_host', sanitize_key($args['host']));
 
     unset($args['_wp_http_referer']);
     unset($args['agoraio-locale']);