Move to early sanitizing in api

joedolson · Jan 6, 2025 · db11529 · db11529
1 parent 76724d7
commit db11529
Showing 1 changed file with 12 additions and 13 deletions.
diff --git a/src/my-calendar-api.php b/src/my-calendar-api.php
@@ -30,9 +30,9 @@ function my_calendar_api() {
 			 */
 			$api_key = apply_filters( 'mc_api_key', true );
 			if ( $api_key ) {
-				$format = ( isset( $_REQUEST['my-calendar-api'] ) ) ? $_REQUEST['my-calendar-api'] : 'json';
-				$format = ( isset( $_REQUEST['mc-api'] ) ) ? $_REQUEST['mc-api'] : $format;
-				$from   = ( isset( $_REQUEST['from'] ) ) ? $_REQUEST['from'] : current_time( 'Y-m-d' );
+				$format = ( isset( $_REQUEST['my-calendar-api'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['my-calendar-api'] ) ) : 'json';
+				$format = ( isset( $_REQUEST['mc-api'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['mc-api'] ) ) : $format;
+				$from   = ( isset( $_REQUEST['from'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['from'] ) ): current_time( 'Y-m-d' );
 				$range  = '+ 7 days';
 				/**
 				 * Default date for API 'to' parameter. Default '+ 7 days'.
@@ -43,15 +43,14 @@ function my_calendar_api() {
 				 *
 				 * @return {string}
 				 */
-				$adjust = apply_filters( 'mc_api_auto_date', $range );
-				$to     = ( isset( $_REQUEST['to'] ) ) ? $_REQUEST['to'] : mc_date( 'Y-m-d', strtotime( $adjust ) );
-				// sanitization is handled elsewhere.
-				$category = ( isset( $_REQUEST['mcat'] ) ) ? $_REQUEST['mcat'] : '';
-				$ltype    = ( isset( $_REQUEST['ltype'] ) ) ? $_REQUEST['ltype'] : '';
-				$lvalue   = ( isset( $_REQUEST['lvalue'] ) ) ? $_REQUEST['lvalue'] : '';
-				$author   = ( isset( $_REQUEST['author'] ) ) ? $_REQUEST['author'] : '';
-				$host     = ( isset( $_REQUEST['host'] ) ) ? $_REQUEST['host'] : '';
-				$search   = ( isset( $_REQUEST['search'] ) ) ? $_REQUEST['search'] : '';
+				$adjust   = apply_filters( 'mc_api_auto_date', $range );
+				$to       = ( isset( $_REQUEST['to'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['to'] ) ) : mc_date( 'Y-m-d', strtotime( $adjust ) );
+				$category = ( isset( $_REQUEST['mcat'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['mcat'] ) ) : '';
+				$ltype    = ( isset( $_REQUEST['ltype'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['ltype'] ) ) : '';
+				$lvalue   = ( isset( $_REQUEST['lvalue'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['lvalue'] ) ) : '';
+				$author   = ( isset( $_REQUEST['author'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['author'] ) ) : '';
+				$host     = ( isset( $_REQUEST['host'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['host'] ) ) : '';
+				$search   = ( isset( $_REQUEST['search'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['search'] ) ) : '';
 				$args     = array(
 					'from'     => $from,
 					'to'       => $to,
@@ -73,7 +72,7 @@ function my_calendar_api() {
 				 *
 				 * @return {array}
 				 */
-				$args   = apply_filters( 'mc_filter_api_args', $args, map_deep( $_REQUEST, 'sanitize_text_field' ) );
+				$args   = apply_filters( 'mc_filter_api_args', $args, map_deep( wp_unslash( $_REQUEST ), 'sanitize_text_field' ) );
 				$data   = my_calendar_events( $args );
 				$output = mc_format_api( $data, $format );
 				echo wp_kses_post( $output );