wideangle/wide-angle-analytics-wordpress
3
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add extra sanitation step to input

Browse source
This commit is contained in:
Jarek Rozanski 2021-12-30 20:55:20 +01:00
parent fb1789343c
commit b84917f2b7
3 changed files with 16 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

17
types/WideAngleHelpers.php
View file

@ -50,10 +50,11 @@ class WideAngleHelpers {
$params = array(); $params = array();
foreach($request as $requestKey => $paramValue) { foreach($request as $requestKey => $paramValue) {
if(preg_match(self::includeParamRequestKeyPattern, $requestKey)) { if(preg_match(self::includeParamRequestKeyPattern, $requestKey)) {
if(preg_match(self::includeParamRequestValuePattern, $paramValue)) { $sanitizedValue = sanitize_text_field($paramValue);
array_push($params, trim($paramValue)); if(preg_match(self::includeParamRequestValuePattern, $sanitizedValue)) {
array_push($params, trim($sanitizedValue));
} else { } else {
return WideAngleValidated::createInvalid($name, $paramValue, "Name of parameter to include in request must consint of letters, numbers and can contain _ or - sign only."); return WideAngleValidated::createInvalid($name, $sanitizedValue, "Name of parameter to include in request must consint of letters, numbers and can contain _ or - sign only.");
} }
} }
} }
@ -67,13 +68,13 @@ class WideAngleHelpers {
$idx = array(); $idx = array();
if(preg_match(self::excludePathRequestKeyPattern, $key, $idx)) { if(preg_match(self::excludePathRequestKeyPattern, $key, $idx)) {
$valueKey = "waa_exc_path_".$idx[1]."_value"; $valueKey = "waa_exc_path_".$idx[1]."_value";
$exclusionValue = trim($request[$valueKey]); $sanitizedValue = trim(sanitize_text_field($request[$valueKey]));
if($exclusionValue != null) { if($sanitizedValue != null) {
if(filter_var($exclusionValue, FILTER_VALIDATE_REGEXP)) { if(filter_var($sanitizedValue, FILTER_VALIDATE_REGEXP)) {
$typedExclusion = "[" . $exclusionType . "]" . $exclusionValue; $typedExclusion = "[" . $exclusionType . "]" . $sanitizedValue;
array_push($exclusions, $typedExclusion); array_push($exclusions, $typedExclusion);
} else { } else {
$typedExclusion = "[" . $exclusionType . "]" . filter_var($exclusionValue, FILTER_SANITIZE_SPECIAL_CHARS); $typedExclusion = "[" . $exclusionType . "]" . filter_var($sanitizedValue, FILTER_SANITIZE_SPECIAL_CHARS);
array_push($exclusions, $typedExclusion); array_push($exclusions, $typedExclusion);
} }
} }

8
views/admin_settings.php
View file

@ -1,9 +1,9 @@
<?php <?php
$siteId = $this->settings[self::WAA_CONF_SITE_ID]; $siteId = wp_unslash($this->settings[self::WAA_CONF_SITE_ID]);
$trackerDomain = $this->settings[self::WAA_CONF_TRACKER_DOMAIN]; $trackerDomain = wp_unslash($this->settings[self::WAA_CONF_TRACKER_DOMAIN]);
$ignoreHash = filter_var($this->settings[self::WAA_CONF_IGNORE_HASH], FILTER_VALIDATE_BOOLEAN); $ignoreHash = filter_var($this->settings[self::WAA_CONF_IGNORE_HASH], FILTER_VALIDATE_BOOLEAN);
$parsedExclusions = $this->plugin->helpers->parseExclusionSetting($this->settings[self::WAA_CONF_EXC_PATHS]); $parsedExclusions = $this->plugin->helpers->parseExclusionSetting(wp_unslash($this->settings[self::WAA_CONF_EXC_PATHS]));
$parsedIncludeParams = $this->plugin->helpers->parseIncludeParamsSetting($this->settings[self::WAA_CONF_INC_PARAMS]); $parsedIncludeParams = $this->plugin->helpers->parseIncludeParamsSetting(wp_unslash($this->settings[self::WAA_CONF_INC_PARAMS]));
$generator = new WideAngleGenerator($this->settings[self::WAA_CONF_ATTRIBUTES]); $generator = new WideAngleGenerator($this->settings[self::WAA_CONF_ATTRIBUTES]);
?> ?>
<div class="wrap"> <div class="wrap">

6
wide-angle-analytics.php
View file

@ -112,9 +112,9 @@ class WideAngleAnalytics {
} elseif ( ! wp_verify_nonce( $_REQUEST[ $this->plugin->name . '_nonce' ], $this->plugin->name ) ) { } elseif ( ! wp_verify_nonce( $_REQUEST[ $this->plugin->name . '_nonce' ], $this->plugin->name ) ) {
$this->errorMessage = __( 'Invalid nonce specified. Settings NOT saved.', $this->plugin->name ); $this->errorMessage = __( 'Invalid nonce specified. Settings NOT saved.', $this->plugin->name );
} else { } else {
$waaSiteId = $this->plugin->helpers->validateSiteId(self::WAA_CONF_SITE_ID, $_REQUEST['waa_site_id']); $waaSiteId = $this->plugin->helpers->validateSiteId(self::WAA_CONF_SITE_ID, sanitize_text_field($_REQUEST['waa_site_id']));
$waaTrackerDomain = $this->plugin->helpers->validateTrackerDomain(self::WAA_CONF_TRACKER_DOMAIN, $_REQUEST['waa_tracker_domain']); $waaTrackerDomain = $this->plugin->helpers->validateTrackerDomain(self::WAA_CONF_TRACKER_DOMAIN, sanitize_text_field($_REQUEST['waa_tracker_domain']));
$waaIgnoreHash = $this->plugin->helpers->validateIgnoreHashFlag(self::WAA_CONF_IGNORE_HASH, $_REQUEST['waa_ignore_hash']); $waaIgnoreHash = $this->plugin->helpers->validateIgnoreHashFlag(self::WAA_CONF_IGNORE_HASH, sanitize_text_field($_REQUEST['waa_ignore_hash']));
$waaIncParams = $this->plugin->helpers->validateIncludeParams(self::WAA_CONF_INC_PARAMS, $_REQUEST); $waaIncParams = $this->plugin->helpers->validateIncludeParams(self::WAA_CONF_INC_PARAMS, $_REQUEST);
$waaExclusionPaths = $this->plugin->helpers->validateExclusionPathsRequest(self::WAA_CONF_EXC_PATHS, $_REQUEST); $waaExclusionPaths = $this->plugin->helpers->validateExclusionPathsRequest(self::WAA_CONF_EXC_PATHS, $_REQUEST);