No longer use FILTER_UNSAFE_RAW, instead use a custom input callback.

pronamic · Oct 11, 2023 · d70823b · d70823b
1 parent ac99766
commit d70823b
Showing 1 changed file with 17 additions and 6 deletions.
diff --git a/src/Integration.php b/src/Integration.php
@@ -241,12 +241,6 @@ public function get_settings_fields() {
 		// API Key.
 		$fields[] = [
 			'section'     => 'general',
-			/**
-			 * Filter Adyen API key unsafe raw to allow <> chars.
-			 *
-			 * @link https://github.com/pronamic/wp-pronamic-pay-adyen/issues/7
-			 */
-			'filter'      => \FILTER_UNSAFE_RAW,
 			'meta_key'    => '_pronamic_gateway_adyen_api_key',
 			'title'       => _x( 'API Key', 'adyen', 'pronamic_ideal' ),
 			'type'        => 'textarea',
@@ -258,6 +252,23 @@ public function get_settings_fields() {
 				esc_html__( 'Adyen documentation: "API credentials".', 'pronamic_ideal' )
 			),
 			'required'    => true,
+			/**
+			 * Filter Adyen API key unsafe raw to allow <> chars.
+			 *
+			 * @link https://github.com/pronamic/wp-pronamic-pay-adyen/issues/7
+			 */
+			'input'       => function ( $name ) {
+				// phpcs:disable WordPress.Security.NonceVerification.Missing
+
+				if ( ! \array_key_exists( $name, $_POST ) ) {
+					return '';
+				}
+
+				// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- API Key can contain whitespace, HTML tags and percent-encoded characters.
+				return $_POST[ $name ];
+
+				// phpcs:enable WordPress.Security.NonceVerification.Missing
+			},
 		];
 
 		if ( 'live' === $this->get_mode() ) {