Improve sanitization

Tetrakern 2023-12-15 17:51:09 +01:00
parent 1f738f5308
commit 78005f40d9
24 changed files with 118 additions and 127 deletions


@ -26,10 +26,10 @@ if (
// Setup
$current_url = get_author_posts_url( $author_id );
$current_tab = $_GET['tab'] ?? null;
$current_tab = sanitize_key( $_GET['tab'] ?? '' );
$current_page = get_query_var( 'pg', 1 ) ?: 1;
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$order = reset( $order ) ?: 'desc'; // Sanitized
$author_page = get_the_author_meta( 'fictioneer_author_page', $author_id );
$author_page = $author_page > 0 ? $author_page : false;
$author_statistics = fictioneer_get_author_statistics( $author_id );
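Review bot: `strtolower( $_GET['order'] ?? 0 )` on the `$order` line throws a TypeError on PHP 8 when the parameter arrives as an array (`?order[]=x`), whereas the `sanitize_key()` it replaces only lowercases scalar input in current WordPress and yields `''` otherwise, so the `array_intersect()` allowlist was reached safely before. Keeping `sanitize_key()` inside the brackets avoids turning a malformed query string into a fatal: `$order = array_intersect( [ sanitize_key( $_GET['order'] ?? '' ) ], ['desc', 'asc'] );`. The same replacement appears in the `$ago` list-template hunks, in `fictioneer_append_date_query`, in `Fictioneer_Seo_Table`, and in the two `$current_tab` template hunks near the end. Separately, `$current_tab` now defaults to `''` rather than `null`, so any downstream `=== null` or `is_null()` check on it would no longer match; worth confirming.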


@ -17,10 +17,10 @@
// Setup
$post_id = get_the_ID();
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
$order = array_intersect( [sanitize_key( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified';
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc'; // Sanitized
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified'; // Sanitized
$ago = $_GET['ago'] ?? 0;
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );


@ -17,10 +17,10 @@
// Setup
$post_id = get_the_ID();
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
$order = array_intersect( [sanitize_key( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified';
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc'; // Sanitized
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified'; // Sanitized
$ago = $_GET['ago'] ?? 0;
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );


@ -73,7 +73,7 @@ $logout_url = fictioneer_get_logout_url( get_permalink() );
if (
have_comments() ||
( $count > 0 && user_can( $user, 'moderate_comments' ) ) ||
( $count > 0 && ! empty( $_GET['commentcode'] ) )
( $count > 0 && ! empty( $_GET['commentcode'] ?? 0 ) )
) {
// Start HTML ---> ?>
<ol class="fictioneer-comments__list commentlist">
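Review bot: `! empty( $_GET['commentcode'] ?? 0 )` on the changed line is equivalent to the previous `! empty( $_GET['commentcode'] )`: `empty()` already treats a missing key as empty without a notice, so the `?? 0` adds nothing and reads as if behaviour changed. Either revert to the shorter form or, if the intent was to document that only presence matters here, say so in a comment, `// Presence check only; the value itself is not read here`.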


@ -198,7 +198,7 @@ if ( ! function_exists( 'fictioneer_append_date_query' ) ) {
// Orderby?
if ( empty( $orderby ) ) {
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], fictioneer_allowed_orderby() );
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified';
}


@ -20,8 +20,8 @@ if ( ! function_exists( 'fcn_keyword_search_taxonomies_input' ) ) {
function fcn_keyword_search_taxonomies_input( $taxonomies, $query_var, $and_var, $singular, $plural, $args = [] ) {
// Setup
$and = wp_strip_all_tags( $_GET[ $and_var ] ?? 0, true );
$query_list = wp_strip_all_tags( $_GET[ $query_var ] ?? '', true );
$and = sanitize_key( $_GET[ $and_var ] ?? 0, true );
$query_list = sanitize_text_field( wp_strip_all_tags( $_GET[ $query_var ] ?? '', true ) );
$examples = array_rand( $taxonomies, min( 5, count( $taxonomies ) ) );
$examples = is_array( $examples ) ? $examples : [$examples];
@ -31,11 +31,11 @@ if ( ! function_exists( 'fcn_keyword_search_taxonomies_input' ) ) {
<label
class="keyword-input__operator"
role="checkbox"
aria-checked="<?php if ( $and == 1 ) echo 'true'; ?>"
aria-checked="<?php if ( $and === '1' ) echo 'true'; ?>"
title="<?php esc_attr_e( 'Operator. Either must match (OR) or all must match (AND).', 'fictioneer' ); ?>"
tabindex="0"
>
<input type="checkbox" name="<?php echo $and_var; ?>" value="1" hidden <?php if ( $and == 1 ) echo 'checked'; ?> autocomplete="off">
<input type="checkbox" name="<?php echo $and_var; ?>" value="1" hidden <?php if ( $and === '1' ) echo 'checked'; ?> autocomplete="off">
<span class="on"><?php _ex( 'AND', 'Advanced search operator.', 'fictioneer' ); ?></span>
<span class="off"><?php _ex( 'OR', 'Advanced search operator.', 'fictioneer' ); ?></span>
</label>
@ -115,7 +115,7 @@ if ( ! function_exists( 'fcn_keyword_search_authors_input' ) ) {
function fcn_keyword_search_authors_input( $authors, $query_var, $singular, $plural, $args = [] ) {
// Setup
$query_list = wp_strip_all_tags( $_GET[ $query_var ] ?? '', true );
$query_list = sanitize_text_field( wp_strip_all_tags( $_GET[ $query_var ] ?? '', true ) );
$examples = array_rand( $authors, min( 5, count( $authors ) ) );
$examples = is_array( $examples ) ? $examples : [$examples];
@ -246,7 +246,7 @@ function fictioneer_extend_search_query( $query ) {
);
$valid_terms = [];
$query_part = [];
$and = $_GET[ $triple[2] ] ?? 0;
$and = sanitize_key( $_GET[ $triple[2] ] ?? 0 );
// Filter out terms that do not exist
foreach ( $triple[0] as $term_id ) {
@ -312,7 +312,7 @@ function fictioneer_extend_search_query( $query ) {
);
$valid_terms = [];
$query_part = [];
$and = $_GET[ $triple[2] ] ?? 0;
$and = sanitize_key( $_GET[ $triple[2] ] ?? 0 );
// Filter out terms that do not exist
foreach ( $triple[0] as $term_id ) {
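Review bot: `sanitize_key( $_GET[ $and_var ] ?? 0, true )` on the first changed line passes a second argument that `sanitize_key()` does not take; it is a leftover from the `wp_strip_all_tags( …, true )` call it replaced and is silently ignored, which misleads the next reader. Drop it: `$and = sanitize_key( $_GET[ $and_var ] ?? 0 );`. The `=== '1'` comparisons later in the hunk are consistent with `sanitize_key()` returning a string, including `'0'` for the integer default.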


@ -885,9 +885,8 @@ function fictioneer_add_sof_to_taxonomy_query( $query ) {
}
// Post type?
$post_type = strtolower( sanitize_text_field( $_GET['post_type'] ?? '' ) );
$post_type = array_intersect(
[ $post_type ],
[ sanitize_key( $_GET['post_type'] ?? '' ) ],
['any', 'post', 'fcn_story', 'fcn_chapter', 'fcn_collection', 'fcn_recommendation']
);
$post_type = reset( $post_type ) ?: null;


@ -502,8 +502,7 @@ function fictioneer_ajax_edit_comment() {
}
// Update
$old_content = $comment['comment_content'];
$comment['comment_content'] = $_POST['content'];
$comment['comment_content'] = wp_kses_post( $_POST['content'] );
$edit_time = time();
if ( wp_update_comment( $comment, true ) ) {
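Review bot: `wp_kses_post( $_POST['content'] )` runs KSES on slashed input: WordPress adds slashes to `$_POST`, `wp_kses_post()` documents that it expects unslashed data, and `wp_update_comment()` expects slashed data, so the filter inspects backslash-escaped quotes that the stored value will not contain. `wp_filter_post_kses()` is the slash-aware form (unslash, filter, re-slash): `$comment['comment_content'] = wp_filter_post_kses( $_POST['content'] ?? '' );`. The `?? ''` also avoids an undefined-index warning unless the earlier checks in `fictioneer_ajax_edit_comment()` (outside the hunk) already require the field. `wp_kses_post()` applies the post tag set, which is broader than the comment set; `wp_update_comment()` should still apply the comment KSES filters for users without `unfiltered_html`, but confirm that is the intended level.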


@ -326,9 +326,8 @@ function fictioneer_sort_order_filter_interface( $args ) {
// Archive?
if ( is_archive() ) {
$post_type = strtolower( sanitize_text_field( $_GET['post_type'] ?? '' ) );
$post_type = array_intersect(
[ $post_type ],
[ sanitize_key( $_GET['post_type'] ?? '' ) ],
['any', 'post', 'fcn_story', 'fcn_chapter', 'fcn_collection', 'fcn_recommendation']
);
$post_type = reset( $post_type ) ?: null;


@ -131,10 +131,10 @@ if ( ! defined( 'FICTIONEER_ADMIN_SETTINGS_NOTICES' ) ) {
function fictioneer_admin_settings_notices() {
// Get query vars
$success = $_GET['success'] ?? null;
$failure = $_GET['failure'] ?? null;
$info = $_GET['info'] ?? null;
$data = explode( ',', $_GET['data'] ?? '' );
$success = sanitize_text_field( $_GET['success'] ?? '' );
$failure = sanitize_text_field( $_GET['failure'] ?? '' );
$info = sanitize_text_field( $_GET['info'] ?? '' );
$data = explode( ',', sanitize_text_field( $_GET['data'] ?? '' ) );
$data = is_array( $data ) ? $data : [];
$data = array_map( 'esc_html', $data );


@ -33,14 +33,14 @@ class Fictioneer_Epubs_Table extends WP_List_Table {
$sortable = $this->get_sortable_columns();
$primary = 'story';
$this->epubs = glob(wp_upload_dir()['basedir'] . '/epubs/*.epub');
$this->epubs = glob( wp_upload_dir()['basedir'] . '/epubs/*.epub' );
$this->page = absint( $_GET['paged'] ?? 1 );
$this->count = count( $this->epubs );
$this->per_page = $this->get_items_per_page( 'fictioneer_epubs_per_page', 25 );
// Sort
$orderby = $_GET['orderby'] ?? 'date';
$order = $_GET['order'] ?? 'desc';
$orderby = sanitize_text_field( $_GET['orderby'] ?? 'date' );
$order = sanitize_text_field( $_GET['order'] ?? 'desc' );
switch ( $orderby ) {
case 'story':
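Review bot: `$order` on the new `sanitize_text_field( $_GET['order'] ?? 'desc' )` line is cleaned as free text but never constrained to `asc`/`desc`, unlike the `Fictioneer_Seo_Table` hunk in this same commit that allowlists it with `array_intersect()`; `sanitize_text_field()` still lets arbitrary words through. `$orderby` is presumably covered by the `switch` that follows (its `default` is outside the hunk), but `$order` is not. Adding `$order = in_array( $order, ['asc', 'desc'], true ) ? $order : 'desc';` after the sanitize line keeps the two tables consistent. The enclosing method continues past the hunk.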


@ -226,6 +226,7 @@ uksort(
// Current role
$current_role_slug = ( $_GET['fictioneer-subnav'] ?? 0 ) ?: array_keys( $roles )[0];
$current_role_slug = sanitize_key( $current_role_slug );
$current_role = $roles[ $current_role_slug ];
?>
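Review bot: `$roles[ $current_role_slug ]` on the line after the new `sanitize_key()` call is still an unchecked lookup; `sanitize_key()` lowercases and strips anything outside `[a-z0-9_-]`, so a slug that is not an exact key of `$roles` (tampered or merely mixed-case) yields an undefined-index warning and a `null` `$current_role`. Falling back to the first role when the key is absent preserves the existing default: `$current_role_slug = isset( $roles[ $current_role_slug ] ) ? $current_role_slug : array_keys( $roles )[0];` placed before the `$current_role` line.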


@ -33,10 +33,10 @@ class Fictioneer_Seo_Table extends WP_List_Table {
$this->per_page = $this->get_items_per_page( 'fictioneer_seo_items_per_page', 25 );
// Sort
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], ['title', 'type', 'modified'] );
$orderby = reset( $orderby ) ?: 'modified';
$order = array_intersect( [sanitize_key( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], ['title', 'type', 'modified'] );
$orderby = reset( $orderby ) ?: 'modified'; // Sanitized
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc'; // Sanitized
// Query
$query_args = array(


@ -9,7 +9,7 @@
*
* @since Fictioneer 5.2.5
*
* @param string $action Name of the admin profile action.
* @param string $action Name of the admin profile action.
*/
function fictioneer_verify_admin_profile_action( $action ) {
@ -24,8 +24,8 @@ function fictioneer_verify_admin_profile_action( $action ) {
*
* @since Fictioneer 5.2.5
*
* @param string $notice Optional. The notice message to include in the redirect URL.
* @param string $type Optional. The type of notice. Default 'success'.
* @param string $notice Optional. The notice message to include in the redirect URL.
* @param string $type Optional. The type of notice. Default 'success'.
*/
function fictioneer_finish_admin_profile_action( $notice = '', $type = 'success' ) {
@ -222,8 +222,8 @@ if ( ! defined( 'FICTIONEER_ADMIN_PROFILE_NOTICES' ) ) {
function fictioneer_admin_profile_notices() {
// Get performed action
$success = $_GET['success'] ?? null;
$failure = $_GET['failure'] ?? null;
$success = sanitize_text_field( $_GET['success'] ?? '' );
$failure = sanitize_text_field( $_GET['failure'] ?? '' );
// Has success notice?
if ( ! empty( $success ) && isset( FICTIONEER_ADMIN_PROFILE_NOTICES[ $success ] ) ) {
@ -246,8 +246,8 @@ add_action( 'admin_notices', 'fictioneer_admin_profile_notices' );
*
* @since Fictioneer 4.0
*
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
*/
function fictioneer_custom_profile_fields( $profile_user ) {
@ -285,8 +285,8 @@ add_action( 'edit_user_profile', 'fictioneer_custom_profile_fields', 20 );
*
* @since Fictioneer 5.7.4
*
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
*/
function fictioneer_admin_profile_fields_user_id( $profile_user ) {
@ -317,8 +317,8 @@ add_action( 'fictioneer_admin_user_sections', 'fictioneer_admin_profile_fields_u
*
* @since Fictioneer 5.2.5
*
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
*/
function fictioneer_admin_profile_fields_fingerprint( $profile_user ) {
@ -352,8 +352,8 @@ add_action( 'fictioneer_admin_user_sections', 'fictioneer_admin_profile_fields_f
*
* @since Fictioneer 5.2.5
*
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
*/
function fictioneer_admin_profile_fields_flags( $profile_user ) {
@ -460,8 +460,8 @@ add_action( 'fictioneer_admin_user_sections', 'fictioneer_admin_profile_fields_f
*
* @since Fictioneer 5.2.5
*
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
*/
function fictioneer_admin_profile_fields_oauth( $profile_user ) {
@ -565,13 +565,13 @@ if ( get_option( 'fictioneer_enable_oauth' ) ) {
*
* @since Fictioneer 5.2.5
*
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
*/
function fictioneer_admin_profile_fields_data_nodes( $profile_user ) {
// Setup
$success = $_GET['success'] ?? null;
$success = sanitize_text_field( $_GET['success'] ?? '' );
$comments_count = get_comments(
array( 'user_id' => $profile_user->ID, 'count' => true, 'update_comment_meta_cache' => false )
);
@ -812,8 +812,8 @@ add_action( 'fictioneer_admin_user_sections', 'fictioneer_admin_profile_moderati
*
* @since Fictioneer 5.0
*
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
*/
function fictioneer_admin_profile_author( $profile_user ) {
@ -907,8 +907,8 @@ add_action( 'fictioneer_admin_user_sections', 'fictioneer_admin_profile_author',
*
* @since Fictioneer 5.0
*
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
*/
function fictioneer_admin_profile_oauth( $profile_user ) {
@ -955,8 +955,8 @@ if ( FICTIONEER_SHOW_OAUTH_HASHES ) {
*
* @since Fictioneer 5.0
*
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
*/
function fictioneer_admin_profile_badge( $profile_user ) {
@ -989,8 +989,8 @@ add_action( 'fictioneer_admin_user_sections', 'fictioneer_admin_profile_badge',
*
* @since Fictioneer 5.0
*
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
*/
function fictioneer_admin_profile_external_avatar( $profile_user ) {
@ -1023,8 +1023,8 @@ add_action( 'fictioneer_admin_user_sections', 'fictioneer_admin_profile_external
*
* @since Fictioneer 5.6.0
*
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
* @param WP_User $profile_user The profile user object. Not necessarily the one
* currently editing the profile!
*/
function fictioneer_admin_danger_zone( $profile_user ) {
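Review bot: `$success` and `$failure` on the new `sanitize_text_field()` lines in `fictioneer_admin_profile_notices()` serve only as keys into `FICTIONEER_ADMIN_PROFILE_NOTICES` (see the `isset( FICTIONEER_ADMIN_PROFILE_NOTICES[ $success ] )` check two lines later), so `sanitize_key()` is the closer match to how the `tab` and `fictioneer-subnav` hunks in this commit treat slug-like query vars, provided the constant's keys are lowercase slugs; confirm that before switching. The same applies to the `$success` line in `fictioneer_admin_profile_fields_data_nodes()`. The remainder of this file section is docblock whitespace only.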


@ -240,8 +240,6 @@ function fictioneer_ajax_get_finished_checkmarks_list() {
$post_ids = fictioneer_get_finished_checkmarks( $checkmarks );
$page = absint( $_GET['page'] ?? 1 );
$order = strtolower( $_GET['order'] ?? 'desc' );
// Sanitize
$order = in_array( $order, ['desc', 'asc'] ) ? $order : 'desc';
// Query


@ -394,8 +394,6 @@ function fictioneer_ajax_get_follows_list() {
$post_ids = array_keys( $follows['data'] );
$page = absint( $_GET['page'] ?? 1 );
$order = strtolower( $_GET['order'] ?? 'desc' );
// Sanitize
$order = in_array( $order, ['desc', 'asc'] ) ? $order : 'desc';
// Query


@ -166,8 +166,6 @@ function fictioneer_ajax_get_reminders_list() {
$post_ids = array_keys( $reminders['data'] );
$page = absint( $_GET['page'] ?? 1 );
$order = strtolower( $_GET['order'] ?? 'desc' );
// Sanitize
$order = in_array( $order, ['desc', 'asc'] ) ? $order : 'desc';
// Query


@ -23,10 +23,10 @@ defined( 'ABSPATH' ) OR exit;
// Setup
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
$order = array_intersect( [sanitize_key( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'date';
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc'; // Sanitized
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'date'; // Sanitized
$ago = $_GET['ago'] ?? 0;
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );


@ -17,10 +17,10 @@
// Setup
$post_id = get_the_ID();
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
$order = array_intersect( [sanitize_key( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified';
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc'; // Sanitized
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified'; // Sanitized
$ago = $_GET['ago'] ?? 0;
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );


@ -16,27 +16,24 @@ global $wp_query;
$count = $wp_query->found_posts;
$no_params = empty( array_filter( $_GET ) );
$post_type = $_GET['post_type'] ?? 'any';
$sentence = $_GET['sentence'] ?? '0';
$order = $_GET['order'] ?? 'desc';
$orderby = $_GET['orderby'] ?? 'modified';
$post_type = sanitize_text_field( $_GET['post_type'] ?? 'any' );
$sentence = sanitize_text_field( $_GET['sentence'] ?? 0 );
$order = sanitize_text_field( $_GET['order'] ?? 'desc' );
$orderby = sanitize_text_field( $_GET['orderby'] ?? 'modified' );
$queried_genres = $_GET[ 'genres' ] ?? 0;
$queried_fandoms = $_GET[ 'fandoms' ] ?? 0;
$queried_characters = $_GET[ 'characters' ] ?? 0;
$queried_warnings = $_GET[ 'warnings' ] ?? 0;
$queried_tags = $_GET[ 'tags' ] ?? 0;
$queried_genres = sanitize_text_field( $_GET['genres'] ?? 0 );
$queried_fandoms = sanitize_text_field( $_GET['fandoms'] ?? 0 );
$queried_characters = sanitize_text_field( $_GET['characters'] ?? 0 );
$queried_warnings = sanitize_text_field( $_GET['warnings'] ?? 0 );
$queried_tags = sanitize_text_field( $_GET['tags'] ?? 0 );
$queried_ex_genres = $_GET[ 'ex_genres' ] ?? 0;
$queried_ex_fandoms = $_GET[ 'ex_fandoms' ] ?? 0;
$queried_ex_characters = $_GET[ 'ex_characters' ] ?? 0;
$queried_ex_warnings = $_GET[ 'ex_warnings' ] ?? 0;
$queried_ex_tags = $_GET[ 'ex_tags' ] ?? 0;
$is_advanced_search = $post_type != 'any' || $sentence != '0' || $order != 'desc' || $orderby != 'modified';
$is_advanced_search = $is_advanced_search || $queried_tags || $queried_genres || $queried_fandoms || $queried_characters || $queried_warnings;
$is_advanced_search = $is_advanced_search || $queried_ex_tags || $queried_ex_genres || $queried_ex_fandoms || $queried_ex_characters || $queried_ex_warnings;
$queried_ex_genres = sanitize_text_field( $_GET['ex_genres'] ?? 0 );
$queried_ex_fandoms = sanitize_text_field( $_GET['ex_fandoms'] ?? 0 );
$queried_ex_characters = sanitize_text_field( $_GET['ex_characters'] ?? 0 );
$queried_ex_warnings = sanitize_text_field( $_GET['ex_warnings'] ?? 0 );
$queried_ex_tags = sanitize_text_field( $_GET['ex_tags'] ?? 0 );
// Prepare hook arguments
$hook_args = array(
'post_type' => $post_type,
'sentence' => $sentence,
@ -51,10 +48,14 @@ $hook_args = array(
'queried_ex_fandoms' => $queried_ex_fandoms,
'queried_ex_characters' => $queried_ex_characters,
'queried_ex_warnings' => $queried_ex_warnings,
'queried_ex_tags' => $queried_ex_tags,
'is_advanced_search' => $is_advanced_search,
'queried_ex_tags' => $queried_ex_tags
);
// Advanced search?
$is_advanced_search = $post_type != 'any' || $sentence != '0' || $order != 'desc' || $orderby != 'modified' || $queried_tags || $queried_genres || $queried_fandoms || $queried_characters || $queried_warnings || $queried_ex_tags || $queried_ex_genres || $queried_ex_fandoms || $queried_ex_characters || $queried_ex_warnings;
$hook_args['is_advanced_search'] = $is_advanced_search;
?>
<?php get_header(); ?>
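Review bot: `$post_type`, `$order` and `$orderby` on the new `sanitize_text_field()` lines are cleaned as free text but not allowlisted, whereas the `fictioneer_add_sof_to_taxonomy_query()` and `Fictioneer_Seo_Table` hunks in this same commit restrict the equivalent values with `array_intersect()`. If these variables reach query arguments or are echoed back into the form further down the template (outside the hunk), the same `array_intersect( [ sanitize_key( … ) ], [...] )` pattern with a default fallback would be the consistent choice, and the `post_type` allowlist from the taxonomy-query hunk could be reused here. The search-form partial hunk that follows repeats the same three assignments. The merged `$is_advanced_search` line is now a single expression of roughly 300 characters; keeping the previous line breaks would be easier to read and to diff.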


@ -21,13 +21,13 @@ $simple_mode = $args['simple'] ?? false;
$cache_mode = $args['cache'] ?? false;
$show_advanced = ! get_option( 'fictioneer_disable_theme_search' ) && ! $simple_mode;
$placeholder = $args['placeholder'] ?? _x( 'Search keywords or phrase', 'Advanced search placeholder.', 'fictioneer' );
$post_type = $_GET['post_type'] ?? $args['preselect_type'] ?? 'any';
$post_type = sanitize_text_field( $_GET['post_type'] ?? $args['preselect_type'] ?? 'any' );
// Advanced setup
if ( $show_advanced ) {
$sentence = $_GET['sentence'] ?? '0';
$order = $_GET['order'] ?? 'desc';
$orderby = $_GET['orderby'] ?? 'modified';
$sentence = sanitize_text_field( $_GET['sentence'] ?? 0 );
$order = sanitize_text_field( $_GET['order'] ?? 'desc' );
$orderby = sanitize_text_field( $_GET['orderby'] ?? 'modified' );
$all_authors = get_users(
array(
@ -37,9 +37,9 @@ if ( $show_advanced ) {
$skip_author_keywords = count( $all_authors ) > FICTIONEER_AUTHOR_KEYWORD_SEARCH_LIMIT;
$queried_authors_in = $_GET['authors'] ?? 0;
$queried_authors_out = $_GET['ex_authors'] ?? 0;
$author_name = $_GET['author_name'] ?? 0; // Simple text field
$queried_authors_in = sanitize_text_field( $_GET['authors'] ?? 0 );
$queried_authors_out = sanitize_text_field( $_GET['ex_authors'] ?? 0 );
$author_name = sanitize_text_field( $_GET['author_name'] ?? 0 ); // Simple text field
$all_tags = get_tags();
$all_genres = get_tags( array( 'taxonomy' => 'fcn_genre' ) );
@ -47,22 +47,19 @@ if ( $show_advanced ) {
$all_characters = get_tags( array( 'taxonomy' => 'fcn_character' ) );
$all_warnings = get_tags( array( 'taxonomy' => 'fcn_content_warning' ) );
$queried_genres = $_GET['genres'] ?? 0;
$queried_fandoms = $_GET['fandoms'] ?? 0;
$queried_characters = $_GET['characters'] ?? 0;
$queried_warnings = $_GET['warnings'] ?? 0;
$queried_tags = $_GET['tags'] ?? 0;
$queried_genres = sanitize_text_field( $_GET['genres'] ?? 0 );
$queried_fandoms = sanitize_text_field( $_GET['fandoms'] ?? 0 );
$queried_characters = sanitize_text_field( $_GET['characters'] ?? 0 );
$queried_warnings = sanitize_text_field( $_GET['warnings'] ?? 0 );
$queried_tags = sanitize_text_field( $_GET['tags'] ?? 0 );
$queried_ex_genres = $_GET['ex_genres'] ?? 0;
$queried_ex_fandoms = $_GET['ex_fandoms'] ?? 0;
$queried_ex_characters = $_GET['ex_characters'] ?? 0;
$queried_ex_warnings = $_GET['ex_warnings'] ?? 0;
$queried_ex_tags = $_GET['ex_tags'] ?? 0;
$queried_ex_genres = sanitize_text_field( $_GET['ex_genres'] ?? 0 );
$queried_ex_fandoms = sanitize_text_field( $_GET['ex_fandoms'] ?? 0 );
$queried_ex_characters = sanitize_text_field( $_GET['ex_characters'] ?? 0 );
$queried_ex_warnings = sanitize_text_field( $_GET['ex_warnings'] ?? 0 );
$queried_ex_tags = sanitize_text_field( $_GET['ex_tags'] ?? 0 );
$is_advanced_search = $post_type != 'any' || $sentence != '0' || $order != 'desc' || $orderby != 'modified';
$is_advanced_search = $is_advanced_search || $queried_tags || $queried_genres || $queried_fandoms || $queried_characters || $queried_warnings;
$is_advanced_search = $is_advanced_search || $queried_ex_tags || $queried_ex_genres || $queried_ex_fandoms || $queried_ex_characters || $queried_ex_warnings;
$is_advanced_search = $is_advanced_search || $queried_authors_in || $queried_authors_out || $author_name;
$is_advanced_search = $post_type != 'any' || $sentence != '0' || $order != 'desc' || $orderby != 'modified' || $queried_tags || $queried_genres || $queried_fandoms || $queried_characters || $queried_warnings || $queried_ex_tags || $queried_ex_genres || $queried_ex_fandoms || $queried_ex_characters || $queried_ex_warnings || $queried_authors_in || $queried_authors_out || $author_name;
// Prime author cache
if ( function_exists( 'update_post_author_caches' ) ) {
@ -219,7 +216,8 @@ if ( $show_advanced ) {
echo "<span class='search-form__current-{$quad[2]}'>";
// AND/OR?
$and = isset( $_GET[ $quad[3] ] ) && $_GET[ $quad[3] ] == '1' ? _x( '[&] ', 'Advanced search summary AND operation note.', 'fictioneer' ) : '';
$and = ( $_GET[ $quad[3] ] ?? 0 ) === '1' ?
_x( '[&] ', 'Advanced search summary AND operation note.', 'fictioneer' ) : '';
// Heading (needs whitespace left and right)
printf( ' <b>' . $quad[4] . '</b> ', $and );
@ -340,7 +338,7 @@ if ( $show_advanced ) {
<?php if ( count( $all_authors ) > 1 ) : ?>
<?php if ( $skip_author_keywords ) : ?>
<h6 class="search-form__option-headline"><?php _ex( 'Author', 'Advanced search heading.', 'fictioneer' ); ?></h6>
<input type="text" class="search-form__text-input" name="author_name" value="<?php echo esc_attr( $_GET['author_name'] ?? '' ); ?>" placeholder="<?php echo esc_attr_x( 'Search for an author', 'Advanced search placeholder.', 'fictioneer' ); ?>">
<input type="text" class="search-form__text-input" name="author_name" value="<?php echo esc_attr( $author_name ); ?>" placeholder="<?php echo esc_attr_x( 'Search for an author', 'Advanced search placeholder.', 'fictioneer' ); ?>">
<?php else : ?>
<h6 class="search-form__option-headline"><?php _ex( 'Authors', 'Advanced search heading.', 'fictioneer' ); ?></h6>
<?php fcn_keyword_search_authors_input( $all_authors, 'authors', 'author', 'authors' ); ?>


@ -15,7 +15,7 @@
<?php
// Setup
$current_tab = $_GET['tab'] ?? null;
$current_tab = sanitize_key( $_GET['tab'] ?? '' );
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$current_page = get_query_var( 'pg', 1 ) ?: 1;


@ -22,7 +22,7 @@ if ( ! is_user_logged_in() || get_option( 'fictioneer_enable_public_cache_compat
// Setup
$user = wp_get_current_user();
$current_tab = $_GET['tab'] ?? null;
$current_tab = sanitize_key( $_GET['tab'] ?? '' );
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$current_page = get_query_var( 'pg', 1 ) ?: 1;


@ -18,10 +18,10 @@
// Setup
$post_id = get_the_ID();
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
$order = array_intersect( [sanitize_key( $_GET['order'] ?? 0 )], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc';
$orderby = array_intersect( [sanitize_key( $_GET['orderby'] ?? 0 )], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified';
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
$order = reset( $order ) ?: 'desc'; // Sanitized
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], fictioneer_allowed_orderby() );
$orderby = reset( $orderby ) ?: 'modified'; // Sanitized
$ago = $_GET['ago'] ?? 0;
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );