Add validation in the post job to prevent add external images

This validation test the new image path against the upload dir.
Automattic · Apr 6, 2020 · d7954bb · d7954bb
1 parent 82c2631
commit d7954bb
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/includes/forms/class-wp-job-manager-form-submit-job.php b/includes/forms/class-wp-job-manager-form-submit-job.php
@@ -407,6 +407,22 @@ protected function validate_fields( $values ) {
 						}
 					}
 				}
+				if ( 'file' === $field['type'] ) {
+					if ( is_array( $values[ $group_key ][ $key ] ) ) {
+						$check_value = array_filter( $values[ $group_key ][ $key ] );
+					} else {
+						$check_value = array_filter( [ $values[ $group_key ][ $key ] ] );
+					}
+					if ( ! empty( $check_value ) ) {
+						foreach ( $check_value as $file_url ) {
+							$baseurl = wp_upload_dir()['baseurl'];
+
+							if ( ! is_numeric( $file_url ) && false === strpos( $file_url, $baseurl ) ) {
+								throw new Exception( __( 'Invalid image path.', 'wp-job-manager' ) );
+							}
+						}
+					}
+				}
 				if ( empty( $field['file_limit'] ) && empty( $field['multiple'] ) ) {
 					$field['file_limit'] = 1;
 				}