Add sanitizer for query vars
Should have done that from the start.
This commit is contained in:
parent
e38593981b
commit
b3e79e80fe
@ -28,8 +28,7 @@ if (
|
||||
$current_url = get_author_posts_url( $author_id );
|
||||
$current_tab = sanitize_key( $_GET['tab'] ?? '' );
|
||||
$current_page = get_query_var( 'pg', 1 ) ?: 1;
|
||||
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
|
||||
$order = reset( $order ) ?: 'desc'; // Sanitized
|
||||
$order = fictioneer_sanitize_query_var( $_GET['order'] ?? 0, ['desc', 'asc'], 'desc' );
|
||||
$author_page = get_the_author_meta( 'fictioneer_author_page', $author_id );
|
||||
$author_page = $author_page > 0 ? $author_page : false;
|
||||
$author_statistics = fictioneer_get_author_statistics( $author_id );
|
||||
|
@ -17,10 +17,8 @@
|
||||
// Setup
|
||||
$post_id = get_the_ID();
|
||||
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
|
||||
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
|
||||
$order = reset( $order ) ?: 'desc'; // Sanitized
|
||||
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], fictioneer_allowed_orderby() );
|
||||
$orderby = reset( $orderby ) ?: 'modified'; // Sanitized
|
||||
$order = fictioneer_sanitize_query_var( $_GET['order'] ?? 0, ['desc', 'asc'], 'desc' );
|
||||
$orderby = fictioneer_sanitize_query_var( $_GET['orderby'] ?? 0, fictioneer_allowed_orderby(), 'modified' );
|
||||
$ago = $_GET['ago'] ?? 0;
|
||||
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );
|
||||
$meta_query_stack = [];
|
||||
|
@ -17,10 +17,8 @@
|
||||
// Setup
|
||||
$post_id = get_the_ID();
|
||||
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
|
||||
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
|
||||
$order = reset( $order ) ?: 'desc'; // Sanitized
|
||||
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], fictioneer_allowed_orderby() );
|
||||
$orderby = reset( $orderby ) ?: 'modified'; // Sanitized
|
||||
$order = fictioneer_sanitize_query_var( $_GET['order'] ?? 0, ['desc', 'asc'], 'desc' );
|
||||
$orderby = fictioneer_sanitize_query_var( $_GET['orderby'] ?? 0, fictioneer_allowed_orderby(), 'modified' );
|
||||
$ago = $_GET['ago'] ?? 0;
|
||||
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );
|
||||
|
||||
|
@ -21,8 +21,7 @@ if ( post_password_required() ) {
|
||||
$post_id = get_the_ID();
|
||||
$user = wp_get_current_user();
|
||||
$comments_count = get_comments_number();
|
||||
$order = array_intersect( [ strtolower( $_GET['corder'] ?? 0 ) ], ['desc', 'asc'] );
|
||||
$order = reset( $order ) ?: get_option( 'comment_order' ); // Sanitized
|
||||
$order = fictioneer_sanitize_query_var( $_GET['corder'] ?? 0, ['desc', 'asc'], get_option( 'comment_order' ) );
|
||||
$logout_url = fictioneer_get_logout_url( get_permalink() );
|
||||
$is_ajax_comments = get_option( 'fictioneer_enable_ajax_comments' );
|
||||
|
||||
|
@ -197,8 +197,7 @@ if ( ! function_exists( 'fictioneer_append_date_query' ) ) {
|
||||
|
||||
// Orderby?
|
||||
if ( empty( $orderby ) ) {
|
||||
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], fictioneer_allowed_orderby() );
|
||||
$orderby = reset( $orderby ) ?: 'modified';
|
||||
$orderby = fictioneer_sanitize_query_var( $_GET['orderby'] ?? 0, fictioneer_allowed_orderby(), 'modified' );
|
||||
}
|
||||
|
||||
// Validate ago argument
|
||||
|
@ -224,17 +224,19 @@ function fictioneer_extend_search_query( $query ) {
|
||||
$ex_warnings = empty( $_GET['ex_warnings'] ) ? [] : array_map( 'absint', explode( ',', $_GET['ex_warnings'] ) );
|
||||
$ex_tags = empty( $_GET['ex_tags'] ) ? [] : array_map( 'absint', explode( ',', $_GET['ex_tags'] ) );
|
||||
|
||||
$story_status = array_intersect(
|
||||
[ $_GET['story_status'] ?? 0 ],
|
||||
['Completed', 'Ongoing', 'Oneshot', 'Hiatus', 'Canceled']
|
||||
$story_status = fictioneer_sanitize_query_var(
|
||||
$_GET['story_status'] ?? 0,
|
||||
['Completed', 'Ongoing', 'Oneshot', 'Hiatus', 'Canceled'],
|
||||
0,
|
||||
array( 'keep_case' => 1 )
|
||||
);
|
||||
$story_status = reset( $story_status ) ?: 0;
|
||||
|
||||
$age_rating = array_intersect(
|
||||
[ $_GET['age_rating'] ?? 0 ],
|
||||
['Everyone', 'Teen', 'Mature', 'Adult']
|
||||
$age_rating = fictioneer_sanitize_query_var(
|
||||
$_GET['age_rating'] ?? 0,
|
||||
['Everyone', 'Teen', 'Mature', 'Adult'],
|
||||
0,
|
||||
array( 'keep_case' => 1 )
|
||||
);
|
||||
$age_rating = reset( $age_rating ) ?: 0;
|
||||
|
||||
// Exclude pages if necessary
|
||||
if ( $is_any_post || empty( $_GET['post_type'] ) ) {
|
||||
|
@ -929,11 +929,10 @@ function fictioneer_add_sof_to_taxonomy_query( $query ) {
|
||||
}
|
||||
|
||||
// Post type?
|
||||
$post_type = array_intersect(
|
||||
[ sanitize_key( $_GET['post_type'] ?? '' ) ],
|
||||
$post_type = fictioneer_sanitize_query_var(
|
||||
sanitize_key( $_GET['post_type'] ?? '' ),
|
||||
['any', 'post', 'fcn_story', 'fcn_chapter', 'fcn_collection', 'fcn_recommendation']
|
||||
);
|
||||
$post_type = reset( $post_type ) ?: null;
|
||||
|
||||
// If post type queried...
|
||||
if ( ! empty( $post_type ) && $post_type !== 'any' ) {
|
||||
|
@ -1501,6 +1501,38 @@ function fictioneer_sanitize_css( $css ) {
|
||||
return $css;
|
||||
}
|
||||
|
||||
// =============================================================================
|
||||
// SANITIZE QUERY VARIABLE
|
||||
// =============================================================================
|
||||
|
||||
/**
|
||||
* Sanitizes a query variable
|
||||
*
|
||||
* @since 5.14.0
|
||||
*
|
||||
* @param string $var Query variable to sanitize.
|
||||
* @param array $allowed Array of allowed string (lowercase).
|
||||
* @param string|null $default Optional default value.
|
||||
* @param array $args {
|
||||
* Optional. An array of additional arguments.
|
||||
*
|
||||
* @type bool $keep_case Whether to transform the variable to lowercase. Default false.
|
||||
* }
|
||||
*
|
||||
*
|
||||
* @return string The sanitized (lowercase) query variable.
|
||||
*/
|
||||
|
||||
function fictioneer_sanitize_query_var( $var, $allowed, $default = null, $args = [] ) {
|
||||
if ( $args['keep_case'] ?? 0 ) {
|
||||
$sanitized = array_intersect( [ $var ?? 0 ], $allowed );
|
||||
} else {
|
||||
$sanitized = array_intersect( [ strtolower( $var ?? 0 ) ], $allowed );
|
||||
}
|
||||
|
||||
return reset( $sanitized ) ?: $default;
|
||||
}
|
||||
|
||||
// =============================================================================
|
||||
// ASPECT RATIO CSS
|
||||
// =============================================================================
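Review bot: `strtolower( $var ?? 0 )` on the line `$sanitized = array_intersect( [ strtolower( $var ?? 0 ) ], $allowed );` throws a TypeError under PHP 8 when the query variable arrives as an array rather than a string, and the `keep_case` branch emits an "Array to string conversion" warning for the same input; every caller feeds `$_GET` straight in, so the sanitizer itself can become the fatal. The inline code it replaces had the same weakness, but the helper is the one place to close it: add `if ( ! is_scalar( $var ) ) { return $default; }` as the first statement, after which the inner `?? 0` is redundant with the callers' own `?? 0`. The docblock also overstates the contract: `@param string $var` is passed `0` by every caller, `@return string` does not cover `$default` (null, `0` or a `get_option()` result) being returned unchanged, and "(lowercase)" is wrong whenever `keep_case` is set; `$allowed` should say the comparison is case-sensitive, so the list only needs to be lowercase when `keep_case` is off. Note too that `reset( $sanitized ) ?: $default` falls back to `$default` for any falsy allowed value such as `'0'`, which none of the current allow-lists contain but which is worth a one-line comment.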
|
||||
|
@ -98,8 +98,7 @@ function fictioneer_ajax_get_comment_section() {
|
||||
$post_id = absint( $_GET['post_id'] );
|
||||
$post = get_post( $post_id ); // Called later anyway; no performance loss
|
||||
$page = absint( $_GET['page'] ?? 1 ) ?: 1;
|
||||
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
|
||||
$order = reset( $order ) ?: get_option( 'comment_order' ); // Sanitized
|
||||
$order = fictioneer_sanitize_query_var( $_GET['corder'] ?? 0, ['desc', 'asc'], get_option( 'comment_order' ) );
|
||||
$commentcode = ( $_GET['commentcode'] ?? 0 ) ?: false;
|
||||
$must_login = get_option( 'comment_registration' ) && ! is_user_logged_in();
|
||||
|
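Review bot: The replacement line reads `$_GET['corder']` where the removed line read `$_GET['order']`, so this AJAX endpoint now ignores an `order` parameter and silently falls back to `get_option( 'comment_order' )`. If the rename is meant to align with `fictioneer_comment_list_args()`, which also reads `corder`, the client code issuing this request must send `corder` as well; if not, this is an unintended key change that the commit message ("Add sanitizer for query vars") does not mention. Either restore `$_GET['order']` or record the intent with `// Query key is 'corder' to match fictioneer_comment_list_args()`. The enclosing function fictioneer_ajax_get_comment_section() continues outside the hunk.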
||||
|
@ -240,8 +240,7 @@ if ( ! function_exists( 'fictioneer_ajax_list_comments' ) ) {
|
||||
function fictioneer_comment_list_args( $parsed_args ) {
|
||||
// Setup
|
||||
$page = get_query_var( 'cpage', 1 );
|
||||
$order = array_intersect( [ strtolower( $_GET['corder'] ?? 0 ) ], ['desc', 'asc'] );
|
||||
$order = reset( $order ) ?: get_option( 'comment_order' ); // Sanitized
|
||||
$order = fictioneer_sanitize_query_var( $_GET['corder'] ?? 0, ['desc', 'asc'], get_option( 'comment_order' ) );
|
||||
|
||||
// Build arguments
|
||||
$list_args = array(
|
||||
|
@ -463,11 +463,10 @@ function fictioneer_sort_order_filter_interface( $args ) {
|
||||
|
||||
// Archive?
|
||||
if ( is_archive() ) {
|
||||
$post_type = array_intersect(
|
||||
[ sanitize_key( $_GET['post_type'] ?? '' ) ],
|
||||
$post_type = fictioneer_sanitize_query_var(
|
||||
sanitize_key( $_GET['post_type'] ?? '' ),
|
||||
['any', 'post', 'fcn_story', 'fcn_chapter', 'fcn_collection', 'fcn_recommendation']
|
||||
);
|
||||
$post_type = reset( $post_type ) ?: null;
|
||||
}
|
||||
|
||||
// Post type?
|
||||
@ -697,11 +696,13 @@ add_action( 'fictioneer_archive_loop_before', 'fictioneer_sort_order_filter_inte
|
||||
*/
|
||||
|
||||
function fictioneer_add_search_for_age_rating( $args ) {
|
||||
$age_rating = array_intersect(
|
||||
[ $_GET['age_rating'] ?? 0 ],
|
||||
['Everyone', 'Teen', 'Mature', 'Adult']
|
||||
// Setup
|
||||
$age_rating = fictioneer_sanitize_query_var(
|
||||
$_GET['age_rating'] ?? 0,
|
||||
['Everyone', 'Teen', 'Mature', 'Adult'],
|
||||
0,
|
||||
array( 'keep_case' => 1 )
|
||||
);
|
||||
$age_rating = reset( $age_rating ) ?: 0;
|
||||
|
||||
// Start HTML ---> ?>
|
||||
<div class="search-form__select-wrapper select-wrapper">
|
||||
@ -727,11 +728,13 @@ add_action( 'fictioneer_search_form_filters', 'fictioneer_add_search_for_age_rat
|
||||
*/
|
||||
|
||||
function fictioneer_add_search_for_status( $args ) {
|
||||
$story_status = array_intersect(
|
||||
[ $_GET['story_status'] ?? 0 ],
|
||||
['Completed', 'Ongoing', 'Oneshot', 'Hiatus', 'Canceled']
|
||||
// Setup
|
||||
$story_status = fictioneer_sanitize_query_var(
|
||||
$_GET['story_status'] ?? 0,
|
||||
['Completed', 'Ongoing', 'Oneshot', 'Hiatus', 'Canceled'],
|
||||
0,
|
||||
array( 'keep_case' => 1 )
|
||||
);
|
||||
$story_status = reset( $story_status ) ?: 0;
|
||||
|
||||
// Start HTML ---> ?>
|
||||
<div class="search-form__select-wrapper select-wrapper">
|
||||
|
@ -33,10 +33,8 @@ class Fictioneer_Seo_Table extends WP_List_Table {
|
||||
$this->per_page = $this->get_items_per_page( 'fictioneer_seo_items_per_page', 25 );
|
||||
|
||||
// Sort
|
||||
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], ['title', 'type', 'modified'] );
|
||||
$orderby = reset( $orderby ) ?: 'modified'; // Sanitized
|
||||
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
|
||||
$order = reset( $order ) ?: 'desc'; // Sanitized
|
||||
$orderby = fictioneer_sanitize_query_var( $_GET['orderby'] ?? 0, ['title', 'type', 'modified'], 'modified' );
|
||||
$order = fictioneer_sanitize_query_var( $_GET['order'] ?? 0, ['desc', 'asc'], 'desc' );
|
||||
|
||||
// Query
|
||||
$query_args = array(
|
||||
|
@ -23,10 +23,8 @@ defined( 'ABSPATH' ) OR exit;
|
||||
|
||||
// Setup
|
||||
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
|
||||
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
|
||||
$order = reset( $order ) ?: 'desc'; // Sanitized
|
||||
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], fictioneer_allowed_orderby() );
|
||||
$orderby = reset( $orderby ) ?: 'date'; // Sanitized
|
||||
$order = fictioneer_sanitize_query_var( $_GET['order'] ?? 0, ['desc', 'asc'], 'desc' );
|
||||
$orderby = fictioneer_sanitize_query_var( $_GET['orderby'] ?? 0, fictioneer_allowed_orderby(), 'modified' );
|
||||
$ago = $_GET['ago'] ?? 0;
|
||||
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );
|
||||
|
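Review bot: The new line `$orderby = fictioneer_sanitize_query_var( $_GET['orderby'] ?? 0, fictioneer_allowed_orderby(), 'modified' );` changes this template's fallback sort from `'date'` (the removed `reset( $orderby ) ?: 'date'`) to `'modified'`, while the `order` default `'desc'` is carried over unchanged. The other templates in this commit already defaulted to `'modified'`, so this may be a copy-over rather than a deliberate change; if so the third argument should stay `'date'`. If it is deliberate, a short comment such as `// Default sort changed from 'date' to 'modified'` would keep the next reader from treating it as a regression.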
||||
|
@ -17,10 +17,8 @@
|
||||
// Setup
|
||||
$post_id = get_the_ID();
|
||||
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
|
||||
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
|
||||
$order = reset( $order ) ?: 'desc'; // Sanitized
|
||||
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], fictioneer_allowed_orderby() );
|
||||
$orderby = reset( $orderby ) ?: 'modified'; // Sanitized
|
||||
$order = fictioneer_sanitize_query_var( $_GET['order'] ?? 0, ['desc', 'asc'], 'desc' );
|
||||
$orderby = fictioneer_sanitize_query_var( $_GET['orderby'] ?? 0, fictioneer_allowed_orderby(), 'modified' );
|
||||
$ago = $_GET['ago'] ?? 0;
|
||||
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );
|
||||
|
||||
|
@ -22,11 +22,11 @@ $sentence = sanitize_text_field( $_GET['sentence'] ?? 0 );
|
||||
$order = sanitize_text_field( $_GET['order'] ?? 'desc' );
|
||||
$orderby = sanitize_text_field( $_GET['orderby'] ?? 'modified' );
|
||||
|
||||
$story_status = array_intersect(
|
||||
[ $_GET['story_status'] ?? 0 ],
|
||||
['Completed', 'Ongoing', 'Oneshot', 'Hiatus', 'Canceled']
|
||||
$story_status = fictioneer_sanitize_query_var(
|
||||
$_GET['story_status'] ?? 0,
|
||||
['Completed', 'Ongoing', 'Oneshot', 'Hiatus', 'Canceled'],
|
||||
0
|
||||
);
|
||||
$story_status = reset( $story_status ) ?: 0;
|
||||
|
||||
$queried_genres = sanitize_text_field( $_GET['genres'] ?? 0 );
|
||||
$queried_fandoms = sanitize_text_field( $_GET['fandoms'] ?? 0 );
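Review bot: The new `fictioneer_sanitize_query_var( $_GET['story_status'] ?? 0, ['Completed', 'Ongoing', 'Oneshot', 'Hiatus', 'Canceled'], 0 )` call omits the `keep_case` argument, so the input is lowercased (e.g. `completed`) before being compared against the capitalised allow-list, never matches, and `$story_status` is always `0` in this template. The removed `array_intersect( [ $_GET['story_status'] ?? 0 ], [...] )` compared case-sensitively, so this is a regression introduced by the commit; every other story_status call in the same commit passes `array( 'keep_case' => 1 )`. Add `array( 'keep_case' => 1 )` as the fourth argument after the `0`.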
|
||||
|
@ -30,17 +30,19 @@ if ( $show_advanced ) {
|
||||
$min_words = absint( $_GET['min_words'] ?? 0 );
|
||||
$max_words = absint( $_GET['max_words'] ?? 0 );
|
||||
|
||||
$story_status = array_intersect(
|
||||
[ $_GET['story_status'] ?? 0 ],
|
||||
['Completed', 'Ongoing', 'Oneshot', 'Hiatus', 'Canceled']
|
||||
$story_status = fictioneer_sanitize_query_var(
|
||||
$_GET['story_status'] ?? 0,
|
||||
['Completed', 'Ongoing', 'Oneshot', 'Hiatus', 'Canceled'],
|
||||
0,
|
||||
array( 'keep_case' => 1 )
|
||||
);
|
||||
$story_status = reset( $story_status ) ?: 0;
|
||||
|
||||
$age_rating = array_intersect(
|
||||
[ $_GET['age_rating'] ?? 0 ],
|
||||
['Everyone', 'Teen', 'Mature', 'Adult']
|
||||
$age_rating = fictioneer_sanitize_query_var(
|
||||
$_GET['age_rating'] ?? 0,
|
||||
['Everyone', 'Teen', 'Mature', 'Adult'],
|
||||
0,
|
||||
array( 'keep_case' => 1 )
|
||||
);
|
||||
$age_rating = reset( $age_rating ) ?: 0;
|
||||
|
||||
$all_authors = get_users(
|
||||
array(
|
||||
|
@ -16,8 +16,7 @@
|
||||
|
||||
// Setup
|
||||
$current_tab = sanitize_key( $_GET['tab'] ?? '' );
|
||||
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
|
||||
$order = reset( $order ) ?: 'desc';
|
||||
$order = fictioneer_sanitize_query_var( $_GET['order'] ?? 0, ['desc', 'asc'], 'desc' );
|
||||
$current_page = get_query_var( 'pg', 1 ) ?: 1;
|
||||
$max_pages = 1;
|
||||
$tabs = [];
|
||||
|
@ -23,8 +23,7 @@ if ( ! is_user_logged_in() || get_option( 'fictioneer_enable_public_cache_compat
|
||||
// Setup
|
||||
$user = wp_get_current_user();
|
||||
$current_tab = sanitize_key( $_GET['tab'] ?? '' );
|
||||
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
|
||||
$order = reset( $order ) ?: 'desc';
|
||||
$order = fictioneer_sanitize_query_var( $_GET['order'] ?? 0, ['desc', 'asc'], 'desc' );
|
||||
$current_page = get_query_var( 'pg', 1 ) ?: 1;
|
||||
$max_pages = 1;
|
||||
$tabs = [];
|
||||
|
@ -18,10 +18,8 @@
|
||||
// Setup
|
||||
$post_id = get_the_ID();
|
||||
$page = get_query_var( 'paged', 1 ) ?: 1; // Main query
|
||||
$order = array_intersect( [ strtolower( $_GET['order'] ?? 0 ) ], ['desc', 'asc'] );
|
||||
$order = reset( $order ) ?: 'desc'; // Sanitized
|
||||
$orderby = array_intersect( [ strtolower( $_GET['orderby'] ?? 0 ) ], fictioneer_allowed_orderby() );
|
||||
$orderby = reset( $orderby ) ?: 'modified'; // Sanitized
|
||||
$order = fictioneer_sanitize_query_var( $_GET['order'] ?? 0, ['desc', 'asc'], 'desc' );
|
||||
$orderby = fictioneer_sanitize_query_var( $_GET['orderby'] ?? 0, fictioneer_allowed_orderby(), 'modified' );
|
||||
$ago = $_GET['ago'] ?? 0;
|
||||
$ago = is_numeric( $ago ) ? absint( $ago ) : sanitize_text_field( $ago );
|
||||
$meta_query_stack = [];
|
||||
|