From da6db055ec946633e2674b91479136a96561d048 Mon Sep 17 00:00:00 2001
From: Boone B Gorges
Date: Tue, 18 Feb 2014 13:44:06 -0500
Subject: [PATCH] Sanitize content before save

This should prevent invalid markup from copy-paste
---
 includes/functions.php | 21 +++++++++++++++++++++
 includes/widget.php | 3 +++
 includes/widgets/text.php | 3 +++
 3 files changed, 27 insertions(+)

diff --git a/includes/functions.php b/includes/functions.php
index 6e2a3da..1056e3a 100644
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -102,3 +102,24 @@ function cacap_field_is_visible_for_user( $field_id = 0, $displayed_user_id = 0,
 
 return ! in_array( $field_id, $hidden_fields_for_user );
 }
+
+function cacap_sanitize_content( $content ) {
+ return wp_kses( $content, array(
+ 'a' => array(
+ 'href' => array(),
+ 'rel' => array(),
+ ),
+ 'b' => array(),
+ 'br' => array(),
+ 'div' => array(
+ 'align' => array(),
+ ),
+ 'h1' => array(),
+ 'h2' => array(),
+ 'h3' => array(),
+ 'i' => array(),
+ 'p' => array(),
+ 'ol' => array(),
+ 'ul' => array(),
+ ) );
+}
diff --git a/includes/widget.php b/includes/widget.php
index 96b3055..351ead6 100644
--- a/includes/widget.php
+++ b/includes/widget.php
@@ -90,6 +90,9 @@ public function save_instance_for_user( $args = array() ) {
 ) );
 }
 
+ // Sanitize data
+ $r['content'] = cacap_sanitize_content( $r['content'] );
+
 if ( xprofile_set_field_data( $field_id, absint( $r['user_id'] ), $r['content'] ) ) {
 return CACAP_Widget_Instance::format_instance( array(
 'user_id' => $r['user_id'],
diff --git a/includes/widgets/text.php b/includes/widgets/text.php
index 1f7b6f9..65f39ff 100644
--- a/includes/widgets/text.php
+++ b/includes/widgets/text.php
@@ -33,6 +33,9 @@ public function save_instance_for_user( $args = array() ) {
 return false;
 }
 
+ // Sanitize
+ $r['content'] = cacap_sanitize_content( $r['content'] );
+
 $meta_value = array(
 'title' => $r['title'],
 'content' => $r['content'],
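Review bot: The allow-list in `cacap_sanitize_content` permits `ol` and `ul` but not `li`, so `wp_kses` strips every list-item tag and leaves the item text bare inside an otherwise empty list; `'li' => array(),` belongs in the array. Pasted rich text from most editors arrives as `<strong>`/`<em>` rather than `<b>`/`<i>`, so those two tags are worth allowing as well or the emphasis is silently lost on save. The third `wp_kses` argument is left at its default, which restricts `href` protocols to `wp_allowed_protocols()`, so the `a` entry is safe as written. The function has no docblock; a one-liner such as `/** Reduce user-submitted widget content to a small allow-list of tags via wp_kses(). */` would record the intent stated in the commit message.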
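Review bot: The sanitizer call is repeated per save path, here and again in the `includes/widgets/text.php` hunk, so any further `save_instance_for_user` implementation (none is visible in this patch) has to remember the same line; the guarantee would be structural if the one shared place that accepts submitted content called `cacap_sanitize_content()` before dispatching to the widget. `$r['content']` is read without a guard, and since the method body starts outside the hunk it is not visible whether `$r` is built with a `'content'` default; if it is not, a missing key raises a notice and `wp_kses` receives null. Rows saved before this commit are not re-filtered, so escaping at output time still matters for existing data. The two comments differ (`// Sanitize data` here, `// Sanitize` in text.php); `// Sanitize before persisting to xprofile` states the why in both.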