Strengthen sanitization, fixes #817
cyberhobo committed Jul 12, 2018
1 parent c9b75d9 commit 838e2fe
Showing 4 changed files with 250 additions and 161 deletions.
55 changes: 55 additions & 0 deletions geo-mashup-db.php
Expand Up @@ -1476,6 +1476,61 @@ public static function get_post_locations( $query_args = '' ) {
return self::get_object_locations( $query_args );
}

/**
* Sanitize an array of query arguments.
*
* @param array $query_args
*
* @return array
*/
public static function sanitize_query_args( $query_args ) {
array_walk_recursive($query_args, array( __CLASS__, 'sanitize_query_arg' ) );
return $query_args;
}

/**
* Sanitize a single query argument.
*
* @param mixed $value May be modified.
* @param string $name
*/
public static function sanitize_query_arg( &$value, $name ) {
switch ($name) {
case 'minlat':
case 'maxlat':
case 'minlng':
case 'maxlng':
case 'near_lat':
case 'near_lng':
case 'radius_km':
case 'radius_mi':
$value = (float) $value;
break;

case 'map_cat':
case 'object_ids':
$value = preg_replace( '/[^0-9,]', '', $value );
break;

case 'map_post_type':
case 'object_name':
$value = sanitize_key( $value );
break;

case 'limit':
case 'map_offset':
$value = (int) $value;
break;

case 'suppress_filters':
$value = (bool) $value;
break;

default:
$value = sanitize_text_field( $value );
}
}

/**
* Get locations of objects.
*
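Review bot: The pattern on the `map_cat`/`object_ids` branch reads `'/[^0-9,]'` with no closing `/` delimiter; unless that is a rendering artifact, preg_replace() emits a warning and returns null, so the argument is dropped rather than reduced to digits and commas — it should be `$value = preg_replace( '/[^0-9,]/', '', $value );`. Separately, array_walk_recursive() invokes sanitize_query_arg() with the key of each leaf, so if a caller passes a nested list (an `object_ids` array, say) its elements arrive with integer keys 0, 1, …; on PHP 7 the loose `switch` comparison lets key 0 match the first `case 'minlat'` and casts the id to float, while on PHP 8 such leaves fall to the default sanitize_text_field() branch instead of the parent argument's rule. Casting the key first, `switch ( (string) $name )`, removes the loose-match hazard, and the docblock `@param string $name` should note that the key may be an int for nested arrays. The enclosing class starts and ends outside the hunk.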
