Improve orderby sanitization

WP_Query probably already sanitizes this, but I could not find anything documenting it.
This commit is contained in:
Tetrakern 2023-08-30 23:15:17 +02:00
parent 92c240cbcd
commit 67a1cbd144
7 changed files with 40 additions and 11 deletions


@ -53,6 +53,17 @@ Filters the data to be returned as JSON by the `fictioneer_ajax_get_user_data()`
---
### `apply_filters( 'fictioneer_filter_allowed_orderby', $defaults )`
Filters the array of allowed orderby arguments for WP_Query.
**$defaults:**
* $0 (string) `modified`
* $0 (string) `date`
* $0 (string) `title`
* $0 (string) `rand`
---
### `apply_filters( 'fictioneer_filter_breadcrumbs_array', $breadcrumbs, $args )`
Filters the array of breadcrumb tuples inside the `fictioneer_get_breadcrumbs( $args )` function before the HTML is build.


@ -19,9 +19,9 @@
// Setup
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
$order = array_intersect( [strtolower( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = array_intersect( [sanitize_key( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$orderby = array_intersect( [strtolower( $_GET['orderby'] ?? 0 )], ['modified', 'date', 'title', 'rand'] );
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified';
$ago = $_GET['ago'] ?? 0;
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );
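Review bot: The same order/orderby sanitization block is now copy-pasted into every template and once more into the card-list helper, so a future change to how the request value is normalized or matched has to be repeated in each file. Since this commit already centralizes the allowlist in `fictioneer_allowed_orderby()`, the lookup could live next to it as a small helper that wraps the two `$orderby` lines, e.g. `fictioneer_sanitize_orderby( $default )`, leaving this template with `$orderby = fictioneer_sanitize_orderby( 'modified' );`. The fallback differs between templates (`modified` here, `date` in one of the others), which is why the default belongs in a parameter rather than in the helper body. This is a style point only; the logic as written here is correct.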


@ -19,9 +19,9 @@
// Setup
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
$order = array_intersect( [strtolower( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = array_intersect( [sanitize_key( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$orderby = array_intersect( [strtolower( $_GET['orderby'] ?? 0 )], ['modified', 'date', 'title', 'rand'] );
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified';
$ago = $_GET['ago'] ?? 0;
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );
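Review bot: `sanitize_key( $_GET['order'] ?? 0 )` and the matching `$orderby` line use the integer `0` as the missing-parameter default, which sanitize_key() coerces to the string `'0'` before the allowlist check rejects it; the outcome is right but the intent reads as "not a string" rather than "empty". An empty string states what is meant and does not lean on scalar coercion inside sanitize_key(): `sanitize_key( $_GET['order'] ?? '' )` and `sanitize_key( $_GET['orderby'] ?? '' )`. The switch away from strtolower() is itself a good robustness fix: the old line would have thrown on an array-valued `order[]` query parameter under PHP 8, whereas sanitize_key(), as far as I recall, returns an empty string for non-scalar input.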


@ -1,5 +1,23 @@
<?php
// =============================================================================
// ALLOWED ORDERBY
// =============================================================================
/**
* Returns list of allowed orderby parameters for WP_Query
*
* @since Fictioneer 5.7.0
*
* @return array List of allowed orderby parameters.
*/
function fictioneer_allowed_orderby() {
$defaults = ['modified', 'date', 'title', 'rand'];
return apply_filters( 'fictioneer_filter_allowed_orderby', $defaults );
}
// =============================================================================
// GET CARD LIST
// =============================================================================
@ -119,7 +137,7 @@ if ( ! function_exists( 'fictioneer_append_date_query' ) ) {
// Orderby?
if ( empty( $orderby ) ) {
$orderby = array_intersect( [strtolower( $_GET['orderby'] ?? 0 )], ['modified', 'date', 'title', 'rand'] );
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified';
}
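Review bot: `fictioneer_allowed_orderby()` returns whatever the `fictioneer_filter_allowed_orderby` filter hands back without checking that it is still an array, and every caller feeds that straight into `array_intersect()`, which throws a TypeError on PHP 8 if a filter returns null or a string; a cast on the return keeps one misbehaving filter from taking down every listing page: `return (array) apply_filters( 'fictioneer_filter_allowed_orderby', $defaults );`. The docblock should also spell out the contract the callers impose, since it is not obvious from the function alone: each entry is compared against a sanitize_key()'d request value, so it must already be lowercase `[a-z0-9_-]` or it can never match, and it must be a key WP_Query accepts for `orderby` (WP_Query validates that key again on its side, as far as I recall, so this allowlist governs what a visitor may request rather than SQL safety). The `if ( empty( $orderby ) )` hunk further down sits inside a function whose start and end are outside the hunk.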


@ -23,9 +23,9 @@ defined( 'ABSPATH' ) OR exit;
// Setup
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
$order = array_intersect( [strtolower( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = array_intersect( [sanitize_key( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$orderby = array_intersect( [strtolower( $_GET['orderby'] ?? 0 )], ['modified', 'date', 'title', 'rand'] );
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'date';
$ago = $_GET['ago'] ?? 0;
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );
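Review bot: The fallback `?: 'date'` on the `$orderby` line is not itself checked against `fictioneer_allowed_orderby()`, so a site that removes `date` through the new filter still gets `date` whenever the request value is missing or rejected; the same applies to the `modified` fallback in the other templates. If that is intended, a one-line comment would spare the next reader the check, e.g. `// Fallback is deliberate and not subject to fictioneer_filter_allowed_orderby`; if not, the fallback should be drawn from the filtered list instead of a literal. Either way it is worth a sentence in the filter's documentation, since a plugin author reading "allowed orderby arguments" will assume the defaults are covered too.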


@ -19,9 +19,9 @@
// Setup
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
$order = array_intersect( [strtolower( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = array_intersect( [sanitize_key( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$orderby = array_intersect( [strtolower( $_GET['orderby'] ?? 0 )], ['modified', 'date', 'title', 'rand'] );
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified';
$ago = $_GET['ago'] ?? 0;
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );
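Review bot: Wrapping the single sanitized value in an array, intersecting it with the allowlist and then `reset()`ing the result is a roundabout way to ask whether one string is in a list; a strict `in_array()` reads directly and avoids the `reset()`-returns-false path: `$requested = sanitize_key( $_GET['orderby'] ?? '' );` followed by `$orderby = in_array( $requested, fictioneer_allowed_orderby(), true ) ? $requested : 'modified';`. The same rewrite applies to the `$order` pair above it. Results are identical for any non-falsy allowlist entry, since sanitize_key() always yields a string and the allowed values are strings.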


@ -19,9 +19,9 @@
// Setup
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
$order = array_intersect( [strtolower( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = array_intersect( [sanitize_key( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$orderby = array_intersect( [strtolower( $_GET['orderby'] ?? 0 )], ['modified', 'date', 'title', 'rand'] );
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified';
$ago = $_GET['ago'] ?? 0;
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );