CRM: Improve string sanitization and escaping#48390
Conversation
github-actions
Bot
added
[CRM] Givewp Module
[CRM] MailPoet Module
[CRM] Portal Module
[CRM] WooSync Module
[Plugin] CRM
|
Thank you for your PR! When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:
This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖 Follow this PR Review Process:
If you have questions about anything, reach out in #jetpack-developers for guidance! |
Code Coverage SummaryCoverage changed in 6 files. Only the first 5 are listed here.
|
| if ( SHOW_FUNNEL_LEGEND ) { | ||
| funnel_html += '<br>' + legend_html; | ||
| } | ||
| funnel_element.innerHTML = funnel_html + '<br>'; |
There was a problem hiding this comment.
Even better would be to construct the contents using DOM functions instead of assigning innerHTML. But the above seems to cover everything.
There was a problem hiding this comment.
Personally I prefer innerHTML (less verbose and more performant), but a refactor would be out of scope here.
| @@ -767,7 +767,7 @@ function zeroBSCRMJS_validateSettings() { | |||
| resHTML = | |||
| window.zeroBSCRMJS_globViewLang( 'settingsValidatedSMTP' ) + | |||
There was a problem hiding this comment.
Should this be escaped too?
| '<div class="email-avatar avatar-' + | ||
| jpcrm.esc_attr( v.in_or_out ) + | ||
| '">' + | ||
| v.avatar + |
There was a problem hiding this comment.
Is v.avatar sanitized server-side too?
| billTo + | ||
| jpcrm.esc_attr( billTo ) + | ||
| '" placeholder="' + | ||
| zbscrm_JS_invoice_lang( 'bill_to' ) + |
There was a problem hiding this comment.
Should this be escaped too? If so, I see a lot of them in this file.
| break; | ||
| case 'email': | ||
| $new_contact_data['email'] = $v; | ||
| $new_contact_data['email'] = sanitize_text_field( $v ); |
There was a problem hiding this comment.
If you're going to use WordPress's "sanitize" functions, this should probably be
| $new_contact_data['email'] = sanitize_text_field( $v ); | |
| $new_contact_data['email'] = sanitize_email( $v ); |
Same everywhere else you process email addresses.
And address surrounding `phpcs:ignore` comments
Skipping any that require more attention
github-actions
Bot
added
[CRM] API
Admin Page
| title: window.zeroBSCRMJS_globViewLang( 'deleteMailDeliverySureTitle' ), | ||
| text: window.zeroBSCRMJS_globViewLang( 'deleteMailDeliverySureText' ), | ||
| title: jpcrm.esc_html( window.zeroBSCRMJS_globViewLang( 'deleteMailDeliverySureTitle' ) ), | ||
| text: jpcrm.esc_html( window.zeroBSCRMJS_globViewLang( 'deleteMailDeliverySureText' ) ), |
There was a problem hiding this comment.
Looks like using text rather than html doesn't need escaping.
Looks like there's also titleText to use instead of title to do the same for that field.
There was a problem hiding this comment.
Looks like using
textrather thanhtmldoesn't need escaping.
Can you clarify what you mean by that? If you mean jQuery's text(), I did switch to that several places in this branch.
There was a problem hiding this comment.
Oh, in the SweetAlert params, I suppose.
There was a problem hiding this comment.
This is about the sweetalert2 things (function swal()). https://sweetalert2.github.io/#configuration
| confirmButtonColor: '#3085d6', | ||
| cancelButtonColor: '#d33', | ||
| confirmButtonText: window.zeroBSCRMJS_globViewLang( 'deleteMailDeliverySureConfirm' ), | ||
| confirmButtonText: jpcrm.esc_html( |
There was a problem hiding this comment.
Oddly, despite the name, confirmButtonText appears to take HTML and so still probably needs escaping.
| e.preventDefault(); | ||
| var image = wp.media({ | ||
| title: '<?php esc_html_e( 'Upload Image', 'zero-bs-crm' ); ?>', | ||
| titleText: '<?php esc_html_e( 'Upload Image', 'zero-bs-crm' ); ?>', |
There was a problem hiding this comment.
This should probably drop the esc_html then. And really, probably switch to json_encode() for outputting the string to JS.
OTOH, in practice it probably doesn't much matter, because "Upload Image" or any reasonable translation is unlikely to wind up with characters that get encoded as HTML entities anyway. I see some below that were already passing esc_html to text: and no one has noticed.
There was a problem hiding this comment.
Actually, I introduced a bug here (it's wp.media(), not swal()). Fixed (along with escape) in a58bfab.
There was a problem hiding this comment.
Properly escaped swal() instances here: 644ef0f
| ); | ||
| swal( { | ||
| titleText: 'Twilio Extension Needed!', | ||
| text: 'To SMS your contacts you need the <a target="_blank" style="font-weight:900;text-decoration:underline;" href="https://jetpackcrm.com/extension-bundles/">Twilio extension</a> (included in our Entrepreneurs Bundle)', |
There was a problem hiding this comment.
This one would need to stay as html, there's an HTML link in there.
On the plus side, this is the only one I saw like this. 🙂
There was a problem hiding this comment.
Oops, not sure how I missed that one. It's a literal string, so should be safe to leave as unescaped at this stage: 38367c7
| html: '<div>' + zeroBSCRMJS_listViewLang( 'acceptareyousurequotes' ) + '</div>', | ||
| titleText: zeroBSCRMJS_listViewLang( 'areyousure' ), | ||
| html: | ||
| '<div>' + jpcrm.esc_html( zeroBSCRMJS_listViewLang( 'acceptareyousurequotes' ) ) + '</div>', |
There was a problem hiding this comment.
I wonder why this wraps it in a div while most others don't.
anomiex
left a comment
anomiex
left a comment
There was a problem hiding this comment.
Looks reasonable; I'm not too worried about the other two comments when there's so much existing debt already.
anomiex
left a comment
anomiex
left a comment
There was a problem hiding this comment.
Quick, let's merge before we see more stuff that needs fixing! 😅
2 participants
Proposed changes
This improves string sanitization and escaping.
Related product discussion/links
Does this pull request change what data or activity we track or use?
Testing instructions