diff --git a/admin/class-agora-channels-list-table.php b/admin/class-agora-channels-list-table.php
index a0a1991d..107f53ed 100644
--- a/admin/class-agora-channels-list-table.php
+++ b/admin/class-agora-channels-list-table.php
@@ -83,21 +83,21 @@ public function prepare_items() {
 );
 if ( ! empty( $_REQUEST['s'] ) ) {
- $args['s'] = $_REQUEST['s'];
+ $args['s'] = sanitize_key($_REQUEST['s']);
 }
 if ( ! empty( $_REQUEST['orderby'] ) ) {
- if ( 'title' == $_REQUEST['orderby'] ) {
+ if ( 'title' == sanitize_key($_REQUEST['orderby']) ) {
 $args['orderby'] = 'title';
- } elseif ( 'date' == $_REQUEST['orderby'] ) {
+ } elseif ( 'date' == sanitize_key($_REQUEST['orderby']) ) {
 $args['orderby'] = 'date';
 }
 }
 if ( ! empty( $_REQUEST['order'] ) ) {
- if ( 'asc' == strtolower( $_REQUEST['order'] ) ) {
+ if ( 'asc' == strtolower( sanitize_key($_REQUEST['order']) ) ) {
 $args['order'] = 'ASC';
- } elseif ( 'desc' == strtolower( $_REQUEST['order'] ) ) {
+ } elseif ( 'desc' == strtolower( sanitize_key($_REQUEST['order']) ) ) {
 $args['order'] = 'DESC';
 }
 }
@@ -129,7 +129,7 @@ public function process_bulk_action() {
 die( 'Go get a life script kiddies' );
 } else {
- self::delete_channel( absint( $_GET['channel'] ) );
+ self::delete_channel( absint( sanitize_key($_GET['channel']) ) );
 wp_redirect( esc_url( add_query_arg() ) );
 exit;
@@ -163,8 +163,8 @@ public function no_items() {
 public static function get_channels( $per_page = 5, $page_number = 1 ) {
 return WP_Agora_Channel::find(array(
- 'order' => !empty($_REQUEST['order']) ? $_REQUEST['order'] : 'ASC',
- 'orderby' => !empty($_REQUEST['orderby']) ? $_REQUEST['orderby'] : '',
+ 'order' => !empty($_REQUEST['order']) ? sanitize_key( $_REQUEST['order'] ) : 'ASC',
+ 'orderby' => !empty($_REQUEST['orderby']) ? sanitize_sql_orderby( $_REQUEST['orderby'] ) : '',
 'posts_per_page' => $per_page,
 'offset' => $page_number-1
 ));
diff --git a/admin/class-wp-agora-io-admin.php b/admin/class-wp-agora-io-admin.php
index a6c980bf..497bf23b 100755
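Review bot: `sanitize_key()` is the wrong sanitizer for the free-text search term in the prepare_items hunk: it lowercases and strips everything except `[a-z0-9_-]`, so a search for "My Channel" is looked up as `mychannel` and silently matches nothing; use `$args['s'] = sanitize_text_field( wp_unslash( $_REQUEST['s'] ) );`. The `sanitize_key()` wrappers around the `orderby`/`order` comparisons in that hunk, and the one inside `absint()` in the process_bulk_action hunk, add nothing, because each value is already reduced to a whitelisted constant or a non-negative integer. In the get_channels hunk, `sanitize_sql_orderby()` returns `false` for a rejected value and that `false` is passed straight to `find()`, while `order` goes through with no ASC/DESC whitelist — unlike prepare_items a few lines above; `sanitize_sql_orderby( $_REQUEST['orderby'] ) ?: ''` closes the first gap, and reusing the values prepare_items already whitelists would remove the duplication. prepare_items, process_bulk_action and get_channels all start or end outside these hunks.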
--- a/admin/class-wp-agora-io-admin.php
+++ b/admin/class-wp-agora-io-admin.php
@@ -202,12 +202,12 @@ public function agora_load_channel_pages() {
 // die("
AGORA Load action:".print_r($action, true)."
");
 do_action( 'agoraio_admin_load',
- isset( $_GET['page'] ) ? trim( $_GET['page'] ) : '',
+ isset( $_GET['page'] ) ? trim( sanitize_key($_GET['page']) ) : '',
 $action
 );
 if ( 'save' === $action ) {
- $id = isset( $_POST['post_ID'] ) ? $_POST['post_ID'] : '-1';
+ $id = isset( $_POST['post_ID'] ) ? sanitize_key($_POST['post_ID']) : '-1';
 check_admin_referer( 'agoraio-save-channel_' . $id );
 // save form data
@@ -215,7 +215,7 @@ public function agora_load_channel_pages() {
 $query = array(
 'post' => $agoraio_channel ? $id : 0,
- 'active-tab' => isset( $_POST['active-tab'] ) ? (int) $_POST['active-tab'] : 0,
+ 'active-tab' => isset( $_POST['active-tab'] ) ? (int) sanitize_key($_POST['active-tab']) : 0,
 );
 if ( ! $agoraio_channel ) {
@@ -232,9 +232,9 @@ public function agora_load_channel_pages() {
 if ( 'delete' == $action ) {
 if ( !empty( $_POST['post_ID'] ) ) {
- check_admin_referer( 'agora_delete_channel_' . $_POST['post_ID'] );
+ check_admin_referer( 'agora_delete_channel_' . sanitize_key($_POST['post_ID']) );
 } elseif ( isset($_REQUEST['channel']) && !is_array($_REQUEST['channel']) ) {
- check_admin_referer( 'agora_delete_channel_' . $_REQUEST['channel'] );
+ check_admin_referer( 'agora_delete_channel_' . sanitize_key($_REQUEST['channel']) );
 } else {
 // TODO: Fix this validation later...
 // check_admin_referer( 'bulk-posts' );
@@ -309,7 +309,7 @@ public function agora_load_channel_pages() {
 private function save_channel( $args ) {
 $args = wp_unslash( $args );
- $id = isset( $args['post_ID'] ) ? $args['post_ID'] : '-1';
+ $id = isset( $args['post_ID'] ) ? sanitize_key($args['post_ID']) : '-1';
 $args['id'] = (int) $id;
 if ( -1 == $args['id'] ) {
diff --git a/includes/class-wp-agora-io-channel.php b/includes/class-wp-agora-io-channel.php
index 19edaaef..4edff6e6 100644
--- a/includes/class-wp-agora-io-channel.php
+++ b/includes/class-wp-agora-io-channel.php
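Review bot: `sanitize_key()` is the wrong normalizer for the ids these hunks read: `$_POST['post_ID']` (hunks -202, -232, -309) and `$_REQUEST['channel']` are used as integers, yet `sanitize_key()` lets a value like `12abc` through, so the nonce action built in `check_admin_referer( 'agoraio-save-channel_' . $id )` and the two `agora_delete_channel_` actions are derived from a different value than the `(int)` that save_channel eventually stores; normalize once with `absint( wp_unslash( $_POST['post_ID'] ) )` (same for `$_REQUEST['channel']` and `$args['post_ID']`) and drop the wrapper around `(int) $_POST['active-tab']`, where the cast alone was already sufficient. `trim()` around `sanitize_key($_GET['page'])` in the -202 hunk is a no-op, since `sanitize_key()` already strips whitespace. Not introduced here but left standing by the -232 hunk: the final `else` arm still has `// check_admin_referer( 'bulk-posts' );` commented out, so unless the bulk delete path is verified elsewhere it accepts requests without a nonce; if the list table's bulk nonce field is posted, `check_admin_referer( 'bulk-' . $plural )` with the table's plural argument would close it. agora_load_channel_pages and save_channel both start or end outside these hunks.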
@@ -203,39 +203,46 @@ public function save( $args ) {
 $post_id = wp_insert_post( array(
 'post_type' => self::post_type,
 'post_status' => 'publish',
- 'post_title' => $args['post_title'],
+ 'post_title' => sanitize_text_field($args['post_title']),
 ) );
 } else {
 $post_id = wp_update_post( array(
 'ID' => (int) $args['post_ID'],
 'post_status' => 'publish',
- 'post_title' => $args['post_title'],
+ 'post_title' => sanitize_text_field($args['post_title']),
 ) );
 }
 $videoSettings = array();
 array_map(function($key) use ($args, &$videoSettings) {
- $videoSettings[$key] = $args[$key];
- return $args[$key];
+ $videoSettings[$key] = sanitize_text_field($args[$key]);
+ return $videoSettings[$key];
 }, array_keys(self::$defaultVideoSettings));
 $appearanceSettings = array();
 array_map(function($key) use ($args, &$appearanceSettings) {
- $appearanceSettings[$key] = $args[$key];
- return $args[$key];
+ if ($key==='splashImageURL' || $key==='noHostImageURL') {
+ $value = esc_url_raw($args[$key]);
+ } else if ($key==='watchButtonText') {
+ $value = sanitize_text_field($args[$key]);
+ } else {
+ $value = sanitize_text_field($args[$key]);
+ }
+ $appearanceSettings[$key] = $value;
+ return $value;
 }, array_keys(self::$defaultAppearanceSettings));
 $recordingSettings = array();
 array_map(function($key) use ($args, &$recordingSettings) {
- $recordingSettings[$key] = $args[$key];
- return $args[$key];
+ $recordingSettings[$key] = sanitize_text_field($args[$key]);
+ return $recordingSettings[$key];
 }, array_keys(self::$defaultRecordingSettings));
 update_post_meta($post_id, 'channel_video_settings', $videoSettings);
 update_post_meta($post_id, 'channel_appearance_settings', $appearanceSettings);
 update_post_meta($post_id, 'channel_recording_settings', $recordingSettings);
- update_post_meta($post_id, 'channel_type', $args['type']);
- update_post_meta($post_id, 'channel_user_host', $args['host']);
+ update_post_meta($post_id, 'channel_type', sanitize_key($args['type']));
+ update_post_meta($post_id, 'channel_user_host', sanitize_key($args['host']));
 unset($args['_wp_http_referer']);
 unset($args['agoraio-locale']);
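Review bot: The `else if ($key==='watchButtonText')` branch in the appearance loop is byte-identical to the `else` branch, so it is dead duplication; the URL-versus-text split is a single ternary (below). `sanitize_text_field()` returns `''` for arrays and stringifies booleans and ints, so if any entry of `self::$defaultVideoSettings` or `self::$defaultRecordingSettings` is not a plain string (the defaults are not visible here), this hunk silently changes what `update_post_meta()` stores — sanitize per value type (`absint`, `(bool)`, `esc_url_raw`) or confirm every default is a string. Each `$args[$key]` read still raises a notice when the form omits a key; falling back to the default in the same `isset()`-ternary style the admin code uses avoids it. `sanitize_key($args['host'])` also lowercases its input, so if `channel_user_host` holds a user ID `absint()` is the right normalizer, and if it holds a login name the case change needs confirming. The three `array_map()` calls exist only for their by-reference side effects with the mapped array discarded, which reads more plainly as `foreach`; save() begins before this hunk and continues after it.
```php
$appearanceSettings = array();
foreach (array_keys(self::$defaultAppearanceSettings) as $key) {
    $raw = isset($args[$key]) ? $args[$key] : self::$defaultAppearanceSettings[$key];
    $appearanceSettings[$key] = in_array($key, array('splashImageURL', 'noHostImageURL'), true)
        ? esc_url_raw($raw)
        : sanitize_text_field($raw);
}
// … unchanged: video and recording settings loops, update_post_meta calls …
```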