From b84917f2b7568c50c5276c45411f92e253ce6dc6 Mon Sep 17 00:00:00 2001
From: Jaroslaw Rozanski
Date: Thu, 30 Dec 2021 20:55:20 +0100
Subject: [PATCH] Add extra sanitation step to input

---
 types/WideAngleHelpers.php | 17 +++++++++--------
 views/admin_settings.php | 8 ++++----
 wide-angle-analytics.php | 6 +++---
 3 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/types/WideAngleHelpers.php b/types/WideAngleHelpers.php
index 891a174..8f9289f 100644
--- a/types/WideAngleHelpers.php
+++ b/types/WideAngleHelpers.php
@@ -50,10 +50,11 @@ class WideAngleHelpers {
 $params = array();
 foreach($request as $requestKey => $paramValue) {
 if(preg_match(self::includeParamRequestKeyPattern, $requestKey)) {
- if(preg_match(self::includeParamRequestValuePattern, $paramValue)) {
- array_push($params, trim($paramValue));
+ $sanitizedValue = sanitize_text_field($paramValue);
+ if(preg_match(self::includeParamRequestValuePattern, $sanitizedValue)) {
+ array_push($params, trim($sanitizedValue));
 } else {
- return WideAngleValidated::createInvalid($name, $paramValue, "Name of parameter to include in request must consint of letters, numbers and can contain _ or - sign only.");
+ return WideAngleValidated::createInvalid($name, $sanitizedValue, "Name of parameter to include in request must consint of letters, numbers and can contain _ or - sign only.");
 }
 }
 }
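Review bot: `sanitize_text_field($paramValue)` runs on the raw request value before it is unslashed, so if `$request` is the `$_REQUEST` array that wide-angle-analytics.php hands to the helpers, the slashes WordPress adds to request data survive into the stored setting; the usual order is `$sanitizedValue = sanitize_text_field( wp_unslash( $paramValue ) );`. The same ordering applies to `$request[$valueKey]` in the next hunk of this file and to the three `$_REQUEST[...]` reads in wide-angle-analytics.php, and the `wp_unslash` calls added at read time in views/admin_settings.php look like a compensation for values that were stored slashed. The re-added `createInvalid` message still says "consint"; `consist` is meant. The enclosing method begins and ends outside this hunk.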
@@ -67,13 +68,13 @@ class WideAngleHelpers {
 $idx = array();
 if(preg_match(self::excludePathRequestKeyPattern, $key, $idx)) {
 $valueKey = "waa_exc_path_".$idx[1]."_value";
- $exclusionValue = trim($request[$valueKey]);
- if($exclusionValue != null) {
- if(filter_var($exclusionValue, FILTER_VALIDATE_REGEXP)) {
- $typedExclusion = "[" . $exclusionType . "]" . $exclusionValue;
+ $sanitizedValue = trim(sanitize_text_field($request[$valueKey]));
+ if($sanitizedValue != null) {
+ if(filter_var($sanitizedValue, FILTER_VALIDATE_REGEXP)) {
+ $typedExclusion = "[" . $exclusionType . "]" . $sanitizedValue;
 array_push($exclusions, $typedExclusion);
 } else {
- $typedExclusion = "[" . $exclusionType . "]" . filter_var($exclusionValue, FILTER_SANITIZE_SPECIAL_CHARS);
+ $typedExclusion = "[" . $exclusionType . "]" . filter_var($sanitizedValue, FILTER_SANITIZE_SPECIAL_CHARS);
 array_push($exclusions, $typedExclusion);
 }
 }
diff --git a/views/admin_settings.php b/views/admin_settings.php
index 90a7c52..3ebb588 100644
--- a/views/admin_settings.php
+++ b/views/admin_settings.php
@@ -1,9 +1,9 @@ settings[self::WAA_CONF_SITE_ID];
-$trackerDomain = $this->settings[self::WAA_CONF_TRACKER_DOMAIN];
+$siteId = wp_unslash($this->settings[self::WAA_CONF_SITE_ID]);
+$trackerDomain = wp_unslash($this->settings[self::WAA_CONF_TRACKER_DOMAIN]);
 $ignoreHash = filter_var($this->settings[self::WAA_CONF_IGNORE_HASH], FILTER_VALIDATE_BOOLEAN);
-$parsedExclusions = $this->plugin->helpers->parseExclusionSetting($this->settings[self::WAA_CONF_EXC_PATHS]);
-$parsedIncludeParams = $this->plugin->helpers->parseIncludeParamsSetting($this->settings[self::WAA_CONF_INC_PARAMS]);
+$parsedExclusions = $this->plugin->helpers->parseExclusionSetting(wp_unslash($this->settings[self::WAA_CONF_EXC_PATHS]));
+$parsedIncludeParams = $this->plugin->helpers->parseIncludeParamsSetting(wp_unslash($this->settings[self::WAA_CONF_INC_PARAMS]));
 $generator = new WideAngleGenerator($this->settings[self::WAA_CONF_ATTRIBUTES]);
 ?>
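Review bot: `filter_var($sanitizedValue, FILTER_VALIDATE_REGEXP)` passes no `regexp` option, which that filter requires, so as far as I can tell from the call as written it emits a PHP warning and returns false for every input; the validated branch is dead and every exclusion falls through to `FILTER_SANITIZE_SPECIAL_CHARS`, which entity-encodes `&`, `<`, `>` and quotes in a value that is then stored as a path pattern. If the intent is to check that the value compiles as a regular expression, this filter cannot do that (it matches the value against a pattern supplied in `['options' => ['regexp' => ...]]`); a guarded `preg_match` whose failure is checked via `preg_last_error()` would, and the fallback should reject the value rather than encode it. Separately, `$request[$valueKey]` is read without a presence check, so a key with no matching `_value` entry raises an undefined-index notice and hands `null` to `sanitize_text_field`; `$request[$valueKey] ?? ''` avoids both. The enclosing method begins and ends outside this hunk.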
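Review bot: `$this->settings[self::WAA_CONF_ATTRIBUTES]` is passed to `WideAngleGenerator` without the `wp_unslash` that the four settings above it now receive; if the attributes are saved through the same request handler they will carry the same slashes, so the treatment should be consistent, e.g. `new WideAngleGenerator(wp_unslash($this->settings[self::WAA_CONF_ATTRIBUTES]))`. How `$siteId` and `$trackerDomain` are later echoed is outside this hunk, so whether they go through `esc_attr`/`esc_html` at output cannot be checked here; unslashing removes backslashes but does not escape for HTML.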
diff --git a/wide-angle-analytics.php b/wide-angle-analytics.php
index 3a46d7c..71c99d1 100644
--- a/wide-angle-analytics.php
+++ b/wide-angle-analytics.php
@@ -112,9 +112,9 @@ class WideAngleAnalytics {
 } elseif ( ! wp_verify_nonce( $_REQUEST[ $this->plugin->name . '_nonce' ], $this->plugin->name ) ) {
 $this->errorMessage = __( 'Invalid nonce specified. Settings NOT saved.', $this->plugin->name );
 } else {
- $waaSiteId = $this->plugin->helpers->validateSiteId(self::WAA_CONF_SITE_ID, $_REQUEST['waa_site_id']);
- $waaTrackerDomain = $this->plugin->helpers->validateTrackerDomain(self::WAA_CONF_TRACKER_DOMAIN, $_REQUEST['waa_tracker_domain']);
- $waaIgnoreHash = $this->plugin->helpers->validateIgnoreHashFlag(self::WAA_CONF_IGNORE_HASH, $_REQUEST['waa_ignore_hash']);
+ $waaSiteId = $this->plugin->helpers->validateSiteId(self::WAA_CONF_SITE_ID, sanitize_text_field($_REQUEST['waa_site_id']));
+ $waaTrackerDomain = $this->plugin->helpers->validateTrackerDomain(self::WAA_CONF_TRACKER_DOMAIN, sanitize_text_field($_REQUEST['waa_tracker_domain']));
+ $waaIgnoreHash = $this->plugin->helpers->validateIgnoreHashFlag(self::WAA_CONF_IGNORE_HASH, sanitize_text_field($_REQUEST['waa_ignore_hash']));
 $waaIncParams = $this->plugin->helpers->validateIncludeParams(self::WAA_CONF_INC_PARAMS, $_REQUEST);
 $waaExclusionPaths = $this->plugin->helpers->validateExclusionPathsRequest(self::WAA_CONF_EXC_PATHS, $_REQUEST);
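Review bot: The three rewritten lines index `$_REQUEST['waa_site_id']`, `$_REQUEST['waa_tracker_domain']` and `$_REQUEST['waa_ignore_hash']` directly, so a settings post missing any of them raises an undefined-index notice and hands `null` to `sanitize_text_field`; `sanitize_text_field( $_POST['waa_site_id'] ?? '' )` and likewise for the other two keeps the validators receiving a string. Since this branch only runs on a nonce-checked settings save, reading from `$_POST` rather than `$_REQUEST` would also stop a cookie or query-string value from standing in for the submitted field, depending on the server's request_order. `$waaIncParams` and `$waaExclusionPaths` still receive the whole `$_REQUEST` array, so their per-field handling lives in WideAngleHelpers. The enclosing method begins before this hunk and ends after it.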