Sanitize args using new args API #1129

merged 6 commits into from Apr 23, 2015
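--- a/lib/endpoints/class-wp-json-comments-controller.php
+++ b/lib/endpoints/class-wp-json-comments-controller.php
@@ -17,38 +17,64 @@ public function register_routes() {
 'permission_callback' => array( $this, 'get_items_permissions_check' ),
 'args' => array(
 'post' => array(
-'default' => null,
+'default' => null,
+'sanitize_callback' => 'absint'
 ),
 'user' => array(
-'default' => 0,
+'default' => 0,
+'sanitize_callback' => 'absint'
 ),
 'per_page' => array(
-'default' => 10,
+'default' => 10,
+'sanitize_callback' => 'absint'
 ),
 'page' => array(
-'default' => 1,
+'default' => 1,
+'sanitize_callback' => 'absint'
 ),
 'status' => array(
-'default' => 'approve',
+'default' => 'approve',
+'sanitize_callback' => 'sanitize_key'
 ),
 'type' => array(
-'default' => 'comment',
+'default' => 'comment',
+'sanitize_callback' => 'sanitize_key'
 ),
+'parent' => array(
+'sanitize_callback' => 'absint'
+),
+'search' => array(
+'sanitize_callback' => 'sanitize_text_field',
+'default' => ''
+),
-'parent' => array(),
-'search' => array(),
 'order' => array(
-'default' => 'DESC',
+'default' => 'DESC',
+'sanitize_callback' => 'sanitize_key'
 ),
 'orderby' => array(
 'default' => 'date_gmt',
 ),
-'author_email' => array(),
-'karma' => array(),
-'post_author' => array(),
-'post_name' => array(),
-'post_parent' => array(),
-'post_status' => array(),
-'post_type' => array(),
+'author_email' => array(
+'sanitize_callback' => 'sanitize_email'
+),
+'karma' => array(
+'sanitize_callback' => 'absint'
+),
+'post_author' => array(
+'sanitize_callback' => 'absint'
+),
+'post_name' => array(
+'sanitize_callback' => 'sanitize_key'
+),
+'post_parent' => array(
+'sanitize_callback' => 'absint'
+),
+'post_status' => array(
+'sanitize_callback' => 'sanitize_key'
+),
+'post_type' => array(
+'sanitize_callback' => 'sanitize_key'
+),
 ),
 ),
 array(
@@ -58,20 +84,32 @@ public function register_routes() {
 'args' => array(
 'post' => array(
 'required' => true,
+'sanitize_callback' => 'absint'
 ),
 'type' => array(
-'default' => 'comment',
+'default' => 'comment',
+'sanitize_callback' => 'sanitize_key'
 ),
 'author' => array(
-'default' => 0,
+'default' => 0,
+'sanitize_callback' => 'absint'
 ),
 'parent' => array(
-'default' => 0,
+'default' => 0,
+'sanitize_callback' => 'absint'
 ),
+'content' => array(
+'sanitize_callback' => 'wp_filter_post_kses'
+),
+'author' => array(
+'sanitize_callback' => 'absint'
+),
+'author_email' => array(
+'sanitize_callback' => 'sanitize_email'
+),
+'author_url' => array(
+'sanitize_callback' => 'esc_url_raw'
+),
-'content' => array(),
-'author' => array(),
-'author_email' => array(),
-'author_url' => array(),
 'date' => array(),
 'date_gmt' => array(),
 ),
@@ -184,7 +222,7 @@ public function create_item( $request ) {
 return new WP_Error( 'json_comment_exists', __( 'Cannot create existing comment.' ), array( 'status' => 400 ) );
 }
 
-$post = get_post( (int) $request['post'] );
+$post = get_post( $request['post'] );
 if ( empty( $post ) ) {
 return new WP_Error( 'json_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) );
 }
@@ -507,12 +545,12 @@ protected function prepare_items_query( $request ) {
 $order_by = sanitize_key( $request['orderby'] );
 
 $prepared_args = array(
-'number' => absint( $request['per_page'] ),
-'post_id' => isset( $request['post'] ) ? absint( $request['post'] ) : '',
-'parent' => isset( $request['parent'] ) ? intval( $request['parent'] ) : '',
-'search' => $request['search'] ? sanitize_text_field( $request['search'] ) : '',
+'number' => $request['per_page'],
+'post_id' => $request['post'] ? $request['post'] : '',
+'parent' => isset( $request['parent'] ) ? $request['parent'] : '',
+'search' => $request['search'],
 'orderby' => $this->normalize_query_param( $order_by ),
-'order' => sanitize_key( $request['order'] ),
+'order' => $request['order'],
 'status' => 'approve',
 'type' => 'comment',
 );
@@ -521,16 +559,16 @@ protected function prepare_items_query( $request ) {
 
 if ( current_user_can( 'edit_posts' ) ) {
 $protected_args = array(
-'user' => $request['user'] ? absint( $request['user'] ) : '',
-'status' => sanitize_key( $request['status'] ),
-'type' => isset( $request['type'] ) ? sanitize_key( $request['type'] ) : '',
-'author_email' => isset( $request['author_email'] ) ? sanitize_email( $request['author_email'] ) : '',
-'karma' => isset( $request['karma'] ) ? intval( $request['karma'] ) : '',
-'post_author' => isset( $request['post_author'] ) ? sanitize_key( $request['post_author'] ) : '',
-'post_name' => isset( $request['post_name'] ) ? sanitize_key( $request['post_name'] ) : '',
-'post_parent' => isset( $request['author_email'] ) ? intval( $request['post_parent'] ) : '',
-'post_status' => isset( $request['post_status'] ) ? sanitize_key( $request['post_status'] ) : '',
-'post_type' => isset( $request['post_type'] ) ? sanitize_key( $request['post_type'] ) : '',
+'user' => $request['user'] ? $request['user'] : '',
+'status' => $request['status'],
+'type' => isset( $request['type'] ) ? $request['type'] : '',
+'author_email' => isset( $request['author_email'] ) ? $request['author_email'] : '',
+'karma' => isset( $request['karma'] ) ? $request['karma'] : '',
+'post_author' => isset( $request['post_author'] ) ? $request['post_author'] : '',
+'post_name' => isset( $request['post_name'] ) ? $request['post_name'] : '',
+'post_parent' => isset( $request['post_parent'] ) ? $request['post_parent'] : '',
+'post_status' => isset( $request['post_status'] ) ? $request['post_status'] : '',
+'post_type' => isset( $request['post_type'] ) ? $request['post_type'] : '',
 );
 
 $prepared_args = array_merge( $prepared_args, $protected_args );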
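Review bot: In the second hunk the creation route's `'args'` array declares `'author'` twice, and PHP keeps only the last literal for a duplicate key, so the new `'author' => array( 'sanitize_callback' => 'absint' )` silently discards the earlier `'default' => 0`; fold them into one entry, `'author' => array( 'default' => 0, 'sanitize_callback' => 'absint' ),`. The same hunk sanitizes `content` with `wp_filter_post_kses`, which applies the post-context allowed-tags set rather than the comment-context set core applies to commenters without `unfiltered_html` (`wp_filter_kses`), and both functions expect slashed input and return an `addslashes()`'d string, so whether the insert path later unslashes `$request['content']` should be checked outside this diff. `'karma' => array( 'sanitize_callback' => 'absint' )` in the first hunk also replaces the previous `intval()`, so a negative karma filter now becomes `0`. `register_routes` and `prepare_items_query` both extend beyond the hunks shown.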
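--- a/lib/endpoints/class-wp-json-post-types-controller.php
+++ b/lib/endpoints/class-wp-json-post-types-controller.php
@@ -11,7 +11,9 @@ public function register_routes() {
 'methods' => WP_JSON_Server::READABLE,
 'callback' => array( $this, 'get_items' ),
 'args' => array(
-'post_type' => array(),
+'post_type' => array(
+'sanitize_callback' => 'sanitize_key'
+),
 ),
 ) );
 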
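Review bot: `'sanitize_callback' => 'sanitize_key'` on `post_type` only normalizes the value (lowercase, `[a-z0-9_-]` kept, everything else stripped) and never rejects it, so a malformed value collapses to `''` or to a different name rather than producing a 400. If `get_items` treats an empty `post_type` as "all types", which is outside the hunk and only inferred here, a bad value silently widens the result set; an explicit `post_type_exists()` check in `get_items` returning a `WP_Error` with status 400 would make that failure visible. The hunk in `class-wp-json-taxonomies-controller.php` has the same shape and the same gap.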
8 changes: 5 additions & 3 deletions lib/endpoints/class-wp-json-posts-controller.php
Expand Up @@ -25,8 +25,10 @@ public function register_routes() {
'context' => array(
'default' => 'view',
),
'type' => array(),
'page' => array(),
'page' => array(
Removed type as it's not used in the controller at all - this was from before the posts controller abstraction.

'sanitize_callback' => 'absint',
'default' => 1
),
),
),
array(
Expand Down Expand Up @@ -80,7 +82,7 @@ public function register_routes() {
public function get_items( $request ) {
$args = (array) $request->get_params();
$args['post_type'] = $this->post_type;
$args['paged'] = isset( $args['page'] ) ? absint( $args['page'] ) : 1;
$args['paged'] = $args['page'];
unset( $args['page'] );

/**
Expand Down
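Review bot: `$args['paged'] = $args['page'];` in the second hunk drops the `isset()` guard and so depends on the route's `'default' => 1` being merged into `get_params()`; if a request reaches `get_items` without that merge (an internally constructed request, or a caller on another route), this is an undefined-index notice and `paged => null`. A defensive `$args['paged'] = isset( $args['page'] ) ? $args['page'] : 1;` keeps the old behaviour at no cost. Note also that `$args` is the whole of `get_params()` (context line above), so any unregistered query parameter still flows into whatever query consumes `$args` further down, presumably unsanitized; the new `sanitize_callback` covers only `page`. `get_items` continues past the hunk.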
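--- a/lib/endpoints/class-wp-json-taxonomies-controller.php
+++ b/lib/endpoints/class-wp-json-taxonomies-controller.php
@@ -11,7 +11,9 @@ public function register_routes() {
 'methods' => WP_JSON_Server::READABLE,
 'callback' => array( $this, 'get_items' ),
 'args' => array(
-'post_type' => array(),
+'post_type' => array(
+'sanitize_callback' => 'sanitize_key'
+),
 ),
 ) );
 register_json_route( 'wp', '/taxonomies/schema', array(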
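--- a/lib/endpoints/class-wp-json-users-controller.php
+++ b/lib/endpoints/class-wp-json-users-controller.php
@@ -16,11 +16,25 @@ public function register_routes() {
 'callback' => array( $this, 'get_items' ),
 'permission_callback' => array( $this, 'get_items_permissions_check' ),
 'args' => array(
-'context' => array(),
-'order' => array(),
-'orderby' => array(),
-'per_page' => array(),
-'page' => array(),
+'context' => array(
+'default' => 'view'
+),
+'order' => array(
+'default' => 'asc',
+'sanitize_callback' => 'sanitize_key'
+),
+'orderby' => array(
+'default' => 'user_login',
+'sanitize_callback' => 'sanitize_key'
+),
+'per_page' => array(
+'default' => 10,
+'sanitize_callback' => 'absint'
+),
+'page' => array(
+'default' => 1,
+'sanitize_callback' => 'absint'
+),
 ),
 ),
 array(
@@ -110,10 +124,10 @@ public function register_routes() {
 public function get_items( $request ) {
 
 $prepared_args = array();
-$prepared_args['order'] = isset( $request['order'] ) ? sanitize_text_field( $request['order'] ) : 'asc';
-$prepared_args['orderby'] = isset( $request['orderby'] ) ? sanitize_text_field( $request['orderby'] ) : 'user_login';
-$prepared_args['number'] = isset( $request['per_page'] ) ? (int) $request['per_page'] : 10;
-$prepared_args['offset'] = isset( $request['page'] ) ? ( absint( $request['page'] ) - 1 ) * $prepared_args['number'] : 0;
+$prepared_args['order'] = $request['order'];
+$prepared_args['orderby'] = $request['orderby'];
+$prepared_args['number'] = $request['per_page'];
+$prepared_args['offset'] = ( $request['page'] - 1 ) * $prepared_args['number'];
 
 $prepared_args = apply_filters( 'json_user_query', $prepared_args, $request );
 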
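Review bot: `$prepared_args['offset'] = ( $request['page'] - 1 ) * $prepared_args['number'];` in the second hunk produces a negative offset when `page` is `0`, which `absint` accepts, and a `number` of `0` when `per_page` is `0`; clamp it, e.g. `$prepared_args['offset'] = max( 0, ( $request['page'] - 1 ) * $prepared_args['number'] );`, or reject out-of-range values with a 400 before querying. The removed `isset()` checks were also the only guard on these reads, so the new lines assume the route defaults are always populated in `$request`, which this diff does not show. In the first hunk `context` gained a default but no `sanitize_callback`, unlike its sibling args. `get_items` continues past the hunk.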