From db11529c4aa86f53f9828d079a8e70c92f5e80d5 Mon Sep 17 00:00:00 2001
From: Joe Dolson
Date: Mon, 6 Jan 2025 11:19:22 -0600
Subject: [PATCH] Move to early sanitizing in api

---
 src/my-calendar-api.php | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/src/my-calendar-api.php b/src/my-calendar-api.php
index 144eaec0..55894c6d 100644
--- a/src/my-calendar-api.php
+++ b/src/my-calendar-api.php
@@ -30,9 +30,9 @@ function my_calendar_api() {
 */
 $api_key = apply_filters( 'mc_api_key', true );
 if ( $api_key ) {
- $format = ( isset( $_REQUEST['my-calendar-api'] ) ) ? $_REQUEST['my-calendar-api'] : 'json';
- $format = ( isset( $_REQUEST['mc-api'] ) ) ? $_REQUEST['mc-api'] : $format;
- $from = ( isset( $_REQUEST['from'] ) ) ? $_REQUEST['from'] : current_time( 'Y-m-d' );
+ $format = ( isset( $_REQUEST['my-calendar-api'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['my-calendar-api'] ) ) : 'json';
+ $format = ( isset( $_REQUEST['mc-api'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['mc-api'] ) ) : $format;
+ $from = ( isset( $_REQUEST['from'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['from'] ) ): current_time( 'Y-m-d' );
 $range = '+ 7 days';
 /**
 * Default date for API 'to' parameter. Default '+ 7 days'.
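Review bot: The new `$format` assignments sanitize but do not validate: `sanitize_text_field()` strips tags and control characters yet returns any other string unchanged, so an unknown format name still reaches `mc_format_api()` instead of falling back to `'json'`; an allow-list at this boundary, `$format = in_array( $format, array( 'json' /* plus the other formats mc_format_api() accepts */ ), true ) ? $format : 'json';`, keeps the default meaningful. The same gap applies to the dates: `$from` here and `$to` in the next hunk are only text-sanitized while their defaults are `Y-m-d` strings, so a shape check such as `DateTime::createFromFormat( 'Y-m-d', $from )` before accepting the value (or a documented list of accepted formats, if more are intended) would reject malformed input before it reaches `my_calendar_events()`. Minor style: the `$from` line has `):` without the space WordPress coding standards expect around the ternary `:`. my_calendar_api() starts and ends outside this hunk.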
@@ -43,15 +43,14 @@ function my_calendar_api() {
 *
 * @return {string}
 */
- $adjust = apply_filters( 'mc_api_auto_date', $range );
- $to = ( isset( $_REQUEST['to'] ) ) ? $_REQUEST['to'] : mc_date( 'Y-m-d', strtotime( $adjust ) );
- // sanitization is handled elsewhere.
- $category = ( isset( $_REQUEST['mcat'] ) ) ? $_REQUEST['mcat'] : '';
- $ltype = ( isset( $_REQUEST['ltype'] ) ) ? $_REQUEST['ltype'] : '';
- $lvalue = ( isset( $_REQUEST['lvalue'] ) ) ? $_REQUEST['lvalue'] : '';
- $author = ( isset( $_REQUEST['author'] ) ) ? $_REQUEST['author'] : '';
- $host = ( isset( $_REQUEST['host'] ) ) ? $_REQUEST['host'] : '';
- $search = ( isset( $_REQUEST['search'] ) ) ? $_REQUEST['search'] : '';
+ $adjust = apply_filters( 'mc_api_auto_date', $range );
+ $to = ( isset( $_REQUEST['to'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['to'] ) ) : mc_date( 'Y-m-d', strtotime( $adjust ) );
+ $category = ( isset( $_REQUEST['mcat'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['mcat'] ) ) : '';
+ $ltype = ( isset( $_REQUEST['ltype'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['ltype'] ) ) : '';
+ $lvalue = ( isset( $_REQUEST['lvalue'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['lvalue'] ) ) : '';
+ $author = ( isset( $_REQUEST['author'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['author'] ) ) : '';
+ $host = ( isset( $_REQUEST['host'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['host'] ) ) : '';
+ $search = ( isset( $_REQUEST['search'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['search'] ) ) : '';
 $args = array(
 'from' => $from,
 'to' => $to,
@@ -73,7 +72,7 @@ function my_calendar_api() {
 *
 * @return {array}
 */
- $args = apply_filters( 'mc_filter_api_args', $args, map_deep( $_REQUEST, 'sanitize_text_field' ) );
+ $args = apply_filters( 'mc_filter_api_args', $args, map_deep( wp_unslash( $_REQUEST ), 'sanitize_text_field' ) );
 $data = my_calendar_events( $args );
 $output = mc_format_api( $data, $format );
 echo wp_kses_post( $output );
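Review bot: Dropping the `// sanitization is handled elsewhere.` comment while adding `sanitize_text_field()` may read as if these values are now safe for any use, but `sanitize_text_field()` is neither SQL escaping nor a type check, and `$category`, `$ltype`, `$lvalue`, `$author`, `$host` and `$search` still flow through `$args` into `my_calendar_events()`, whose handling is outside this hunk. If `mcat`, `author` and `host` are ID lists (their names suggest it; not verified here), coercing them to integers at this point would be the tighter boundary; either way a one-line comment stating what the downstream query still has to do with these strings would preserve the information the removed comment carried. my_calendar_api() continues outside the hunk.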
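Review bot: The sanitized copy handed to `mc_filter_api_args` is built from the whole of `$_REQUEST`, which, depending on PHP's `request_order` setting, can include cookie values alongside GET and POST, so filter callbacks may see keys the caller never put in the query string. If the API is meant to be driven by query parameters only, building the copy from `$_GET`/`$_POST` explicitly, or noting the cookie inclusion in the filter's docblock, would make the surface the filter sees predictable. The same consideration applies to the `isset( $_REQUEST[...] )` reads in the two earlier hunks. my_calendar_api() ends outside this hunk.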