Merge pull request #382 from wielebenwir/bugfix/issue-380

multiple sanitize modifications due to wordpress feedback

commonsbooking.php

@@ -265,7 +265,7 @@ function ($posts, $query) {
 );
 
 // Redirect to startpage if user is not allowed to edit timeframe
-function cb_timeframe_redirect()
+function commonsbooking_timeframe_redirect()
 {
     global $post;
     if (
@@ -281,20 +281,20 @@ function cb_timeframe_redirect()
     }
 }
 
-add_action('template_redirect', 'cb_timeframe_redirect');
+add_action('template_redirect', 'commonsbooking_timeframe_redirect');
 
 // Shows Errors in Backend
 add_action('admin_notices', array(Plugin::class, 'renderError'));
 
 /**
- * sanitizeHTML
+ * commonsbooking_sanitizeHTML
  * Filters text content and strips out disallowed HTML.
  *
  * @param  mixed $string
  * @param  mixed $textdomain
  * @return void
  */
-function sanitizeHTML($string)
+function commonsbooking_sanitizeHTML($string)
 {
     $allowed_html = [
         'a'      => [
@@ -357,8 +357,8 @@ function cleanupBookings()
 }
 
 // Remove schedule on module deactivation
-register_deactivation_hook( __FILE__, 'cb_cron_deactivate' );
-function cb_cron_deactivate() {
+register_deactivation_hook( __FILE__, 'commonsbooking_cron_deactivate' );
+function commonsbooking_cron_deactivate() {
     $timestamp = wp_next_scheduled( 'cb_cron_hook' );
     wp_unschedule_event( $timestamp, 'cb_cron_hook' );
 }

src/Migration/Migration.php

@@ -21,6 +21,8 @@ class Migration
      */
     public static function migrateAll()
     {
+
+
         if ($_POST['data'] == 'false') {
             $tasks = [
                 'locations'    => [
@@ -65,11 +67,15 @@ public static function migrateAll()
                 ]
             ];
         } else {
-            $tasks = $_POST['data'];
+            if (is_array($_POST['data'])) {
+                $tasks = filter_var_array($_POST['data'], FILTER_SANITIZE_STRING);
+            }
         }
 
+
+
         $taskIndex = 0;
-        $taskLimit = 50;
+        $taskLimit = 40;
 
         $taskFunctions = [
             'locations'    => [

src/Model/Booking.php

@@ -62,7 +62,7 @@ public function getBookingCode() {
     public function formattedBookingCode() {
         if ($this->getMeta(COMMONSBOOKING_METABOX_PREFIX . 'bookingcode')) {
             // translators: %s = Booking code
-            $htmloutput = '<br>' . sprintf( sanitizeHTML( __( 'Your booking code is: %s' , 'commonsbooking' ) ), $this->getMeta( COMMONSBOOKING_METABOX_PREFIX . 'bookingcode') ) . '<br>' ;
+            $htmloutput = '<br>' . sprintf( commonsbooking_sanitizeHTML( __( 'Your booking code is: %s' , 'commonsbooking' ) ), $this->getMeta( COMMONSBOOKING_METABOX_PREFIX . 'bookingcode') ) . '<br>' ;
             return $htmloutput;
         }
     }
@@ -295,15 +295,15 @@ public function bookingNotice()
 
         if ($currentStatus == "unconfirmed")
         {
-            $noticeText = sanitizeHTML ( __('Please check your booking and click confirm booking', 'commonsbooking' ) );
+            $noticeText = commonsbooking_sanitizeHTML ( __('Please check your booking and click confirm booking', 'commonsbooking' ) );
         } else if ($currentStatus == "confirmed")
         {
-            $noticeText = sanitizeHTML( __('Your booking is confirmed. A confirmation mail has been sent to you.', 'commonsbooking' ) );
+            $noticeText = commonsbooking_sanitizeHTML( __('Your booking is confirmed. A confirmation mail has been sent to you.', 'commonsbooking' ) );
         }
 
         if ($currentStatus == "canceled")
         {
-            $noticeText = sanitizeHTML( __('Your booking has been canceled.', 'commonsbooking' ) );
+            $noticeText = commonsbooking_sanitizeHTML( __('Your booking has been canceled.', 'commonsbooking' ) );
         }
 
         return sprintf ('<div class="cb-notice cb-booking-notice cb-status-%s">%s</div>', $currentStatus, $noticeText);

src/Model/Timeframe.php

@@ -35,27 +35,27 @@ public static function formatBookableDate($startDate, $endDate) {
         $startDateFormatted = date_i18n($format, $startDate);
         $endDateFormatted = date_i18n($format, $endDate);
 
-        $label = sanitizeHTML( __('Available here', 'commonsbooking') );
+        $label = commonsbooking_sanitizeHTML( __('Available here', 'commonsbooking') );
         $availableString = '';
 
         if ($startDate !== 0 && $endDate !== 0 && $startDate == $endDate) { // available only one day
             /* translators: %s = date in wordpress defined format */
-            $availableString = sprintf( sanitizeHTML( __('on %s', 'commonsbooking') ), $startDateFormatted);
+            $availableString = sprintf( commonsbooking_sanitizeHTML( __('on %s', 'commonsbooking') ), $startDateFormatted);
         } elseif ($startDate > 0 && ($endDate == 0)) { // start but no end date
             if ($startDate > $today) { // start is in the future
                 /* translators: %s = date in wordpress defined format */
-                $availableString = sprintf(sanitizeHTML( __('from %s', 'commonsbooking') ), $startDateFormatted);
+                $availableString = sprintf(commonsbooking_sanitizeHTML( __('from %s', 'commonsbooking') ), $startDateFormatted);
             } else { // start has passed, no end date, probably a fixed location
-                $availableString = sanitizeHTML( __('permanently', 'commonsbooking') );
+                $availableString = commonsbooking_sanitizeHTML( __('permanently', 'commonsbooking') );
             }
         } elseif ($startDate > 0 && $endDate > 0) { // start AND end date
             if ($startDate > $today) { // start is in the future, with an end date
                 /* translators: %1$s = startdate, second %2$s = enddate in wordpress defined format */
-                $availableString = sprintf( sanitizeHTML( __(' from %1$s until %1$s', 'commonsbooking') ), $startDateFormatted,
+                $availableString = sprintf( commonsbooking_sanitizeHTML( __(' from %1$s until %1$s', 'commonsbooking') ), $startDateFormatted,
                     $endDateFormatted);
             } else { // start has passed, with an end date
                 /* translators: %s = enddate in wordpress defined format */
-                $availableString = sprintf( sanitizeHTML( __(' until %s', 'commonsbooking') ), $endDateFormatted);
+                $availableString = sprintf( commonsbooking_sanitizeHTML( __(' until %s', 'commonsbooking') ), $endDateFormatted);
             }
         }
 
@@ -178,7 +178,7 @@ public function isValid()
 
             if ($this->getStartTime() && ! $this->getEndTime()) {
                 set_transient("timeframeValidationFailed",
-                    sanitizeHTML( __("A pickup time but no return time has been set. Please set the return time.", 'commonsbooking') ),
+                    commonsbooking_sanitizeHTML( __("A pickup time but no return time has been set. Please set the return time.", 'commonsbooking') ),
                     45);
 
                 return false;
@@ -209,7 +209,7 @@ public function isValid()
                     if ($timeframe->getGrid() != $this->getGrid()) {
                         set_transient("timeframeValidationFailed",
                             /* translators: %1$s = timeframe-ID, %2$s is timeframe post_title */
-                            sprintf( sanitizeHTML( __('Overlapping bookable timeframes are only allowed to have the same grid. See overlapping timeframe ID: %1$s: %2$s',
+                            sprintf( commonsbooking_sanitizeHTML( __('Overlapping bookable timeframes are only allowed to have the same grid. See overlapping timeframe ID: %1$s: %2$s',
                                 'commonsbooking', 5) ), $timeframe->ID, $timeframe->post_title));
 
                         return false;
@@ -219,7 +219,7 @@ public function isValid()
                     if (!$this->getMeta('full-day') && $this->hasTimeframeTimeOverlap($this, $timeframe)) {
                         set_transient("timeframeValidationFailed",
                             /* translators: first %s = timeframe-ID, second %s is timeframe post_title */
-                            sprintf( sanitizeHTML( __('time periods are not allowed to overlap. Please check the other timeframe to avoid overlapping time periods during one specific day. See affected timeframe ID: %1$s: %2$s',
+                            sprintf( commonsbooking_sanitizeHTML( __('time periods are not allowed to overlap. Please check the other timeframe to avoid overlapping time periods during one specific day. See affected timeframe ID: %1$s: %2$s',
                                 'commonsbooking', 5) ), $timeframe->ID, $timeframe->post_title ) );
 
                         return false;
@@ -229,7 +229,7 @@ public function isValid()
                     if ($this->getMeta('full-day')) {
                         set_transient("timeframeValidationFailed",
                             /* translators: first %s = timeframe-ID, second %s is timeframe post_title */
-                            sprintf( sanitizeHTML( __('Date periods are not allowed to overlap. Please check the other timeframe to avoid overlapping Date periods. See affected timeframe ID: %1$s: %2$s',
+                            sprintf( commonsbooking_sanitizeHTML( __('Date periods are not allowed to overlap. Please check the other timeframe to avoid overlapping Date periods. See affected timeframe ID: %1$s: %2$s',
                                 'commonsbooking', 5) ), $timeframe->ID, $timeframe->post_title) );
                         return false;
                     }

src/Repository/CB1UserFields.php

@@ -44,38 +44,38 @@ public function __construct()
         $this->extra_profile_fields = array(
             'first_name'     => array(
                 'field_name'   => 'first_name',
-                'title'        => sanitizeHTML( __('First Name', 'commonsbooking') ),
+                'title'        => commonsbooking_sanitizeHTML( __('First Name', 'commonsbooking') ),
                 'type'         => 'input',
                 'description'  => '',
-                'errormessage' => sanitizeHTML( __('Please enter your first name', 'commonsbooking') ),
+                'errormessage' => commonsbooking_sanitizeHTML( __('Please enter your first name', 'commonsbooking') ),
             ),
             'last_name'      => array(
                 'field_name'   => 'last_name',
-                'title'        => sanitizeHTML( __('Last Name', 'commonsbooking') ),
+                'title'        => commonsbooking_sanitizeHTML( __('Last Name', 'commonsbooking') ),
                 'type'         => 'input',
                 'description'  => '',
-                'errormessage' => sanitizeHTML( __('Please enter your last name', 'commonsbooking') ),
+                'errormessage' => commonsbooking_sanitizeHTML( __('Please enter your last name', 'commonsbooking') ),
             ),
             'phone'          => array(
                 'field_name'   => 'phone',
-                'title'        => sanitizeHTML( __('Phone Number', 'commonsbooking') ),
+                'title'        => commonsbooking_sanitizeHTML( __('Phone Number', 'commonsbooking') ),
                 'type'         => 'input',
                 'description'  => '',
-                'errormessage' => sanitizeHTML( __('Please enter your phone number', 'commonsbooking') ),
+                'errormessage' => commonsbooking_sanitizeHTML( __('Please enter your phone number', 'commonsbooking') ),
             ),
             'address'        => array(
                 'field_name'   => 'address',
-                'title'        => sanitizeHTML( __('Address', 'commonsbooking') ),
+                'title'        => commonsbooking_sanitizeHTML( __('Address', 'commonsbooking') ),
                 'type'         => 'input',
                 'description'  => '',
-                'errormessage' => sanitizeHTML( __('Please enter your address', 'commonsbooking') ),
+                'errormessage' => commonsbooking_sanitizeHTML( __('Please enter your address', 'commonsbooking') ),
             ),
             'terms_accepted' => array(
-                'title'        => sanitizeHTML( __('Terms and Conditions', 'commonsbooking') ),
+                'title'        => commonsbooking_sanitizeHTML( __('Terms and Conditions', 'commonsbooking') ),
                 'field_name'   => 'terms_accepted',
                 'type'         => 'checkbox',
-                'description'  => sanitizeHTML( __('I accept the terms & conditions', 'commonsbooking') ),
-                'errormessage' => sanitizeHTML( __('Please accept the terms & conditions', 'commonsbooking') ),
+                'description'  => commonsbooking_sanitizeHTML( __('I accept the terms & conditions', 'commonsbooking') ),
+                'errormessage' => commonsbooking_sanitizeHTML( __('Please accept the terms & conditions', 'commonsbooking') ),
             ),
         );
 
@@ -169,7 +169,7 @@ public function get_termsservices_string()
         if ( ! empty ($this->termsservices_url)) {
             // translators: %s = terms and service url
             $string = sprintf(
-                sanitizeHTML( __('<a href="%s" target=_blank">Read the terms and services</a>', 'commonsbooking') ),
+                commonsbooking_sanitizeHTML( __('<a href="%s" target=_blank">Read the terms and services</a>', 'commonsbooking') ),
                 $this->termsservices_url
             );
         } else {
@@ -258,7 +258,7 @@ public function add_user_vars($key, $value)
     public function show_extra_profile_fields($user)
     { ?>
 
-        <h3><?php sanitizeHTML( _e('Extra Fields', 'commons-booking') ); ?> </h3>
+        <h3><?php commonsbooking_sanitizeHTML( _e('Extra Fields', 'commons-booking') ); ?> </h3>
 
         <table class="form-table">
             <tr>

src/Wordpress/CustomPostType/Location.php

@@ -252,7 +252,7 @@ public function registerMetabox()
 
         $cmb->add_field(array(
             'name'       => esc_html__('Allow locked day overbooking', 'commonsbooking'),
-            'desc'       => sanitizeHTML( __('If selected, all not selected days in any bookable timeframe that is connected to this location can be overbooked. Read the documentation on <a href="https://commonsbooking.org">commonsbooking.org</a> for more information.', 'commonsbooking') ),
+            'desc'       => commonsbooking_sanitizeHTML( __('If selected, all not selected days in any bookable timeframe that is connected to this location can be overbooked. Read the documentation on <a href="https://commonsbooking.org">commonsbooking.org</a> for more information.', 'commonsbooking') ),
             'id'         => COMMONSBOOKING_METABOX_PREFIX . 'allow_lockdays_in_range',
             'type'       => 'checkbox',
         ));

src/Wordpress/CustomPostType/Timeframe.php

@@ -143,8 +143,9 @@ public function handleFormRequest()
             isset($_REQUEST[static::getWPNonceId()]) &&
             wp_verify_nonce($_REQUEST[static::getWPNonceId()], static::getWPAction())
         ) {
-            $itemId     = isset($_REQUEST['item-id']) && $_REQUEST['item-id'] != "" ? sanitize_text_field($_REQUEST['item-id']) : null;
-            $locationId = isset($_REQUEST['location-id']) && $_REQUEST['location-id'] != "" ? sanitize_text_field($_REQUEST['location-id']) : null;
+            $itemId      = isset($_REQUEST['item-id']) && $_REQUEST['item-id'] != "" ? sanitize_text_field($_REQUEST['item-id']) : null;
+            $locationId  = isset($_REQUEST['location-id']) && $_REQUEST['location-id'] != "" ? sanitize_text_field($_REQUEST['location-id']) : null;
+            $post_status = isset($_REQUEST['post_status']) && $_REQUEST['post_status'] != "" ? sanitize_text_field($_REQUEST['post_status']) : null;
 
             if ( ! get_post($itemId)) {
                 throw new \Exception('Item does not exist. ('.$itemId.')');
@@ -188,8 +189,8 @@ public function handleFormRequest()
             }
 
             // Trigger Mail, only send mail if status has changed
-            if ( ! empty($booking) and $booking->post_status != $_REQUEST["post_status"]) {
-                $booking_msg = new \CommonsBooking\Messages\Messages($postId, $_REQUEST["post_status"]);
+            if ( ! empty($booking) and $booking->post_status != $post_status) {
+                $booking_msg = new \CommonsBooking\Messages\Messages($postId, $post_status);
                 $booking_msg->triggerMail();
             }
 
@@ -325,7 +326,7 @@ public static function renderFilter($label, $key, $values)
             <select name="<?php echo 'admin_'.$key; ?>">
                 <option value=""><?php echo $label; ?></option>
                 <?php
-                $filterValue = isset($_GET['admin_'.$key]) ? $_GET['admin_'.$key] : '';
+                $filterValue = isset($_GET['admin_'.$key]) ? sanitize_text_field( $_GET['admin_'.$key] ) : '';
                 foreach ($values as $value => $label) {
                     printf
                     (

templates/item-single.php

@@ -34,7 +34,7 @@
 <?php
             printf(
                 /* translators: %1$s: wp_login_url, 1$s: wp_registration_url */
-                sanitizeHTML( __( 'To be able to book, you must first <a href="%1$s">login</a> or <a href="%2$s">register as new user</a>.', 'commonsbooking' ) ),
+                commonsbooking_sanitizeHTML( __( 'To be able to book, you must first <a href="%1$s">login</a> or <a href="%2$s">register as new user</a>.', 'commonsbooking' ) ),
                 esc_url( wp_login_url( $current_url ) ), esc_url( wp_registration_url() )
             );
 ?>

templates/location-single.php

@@ -35,7 +35,7 @@
 <?php
             printf(
                 /* translators: %1$s: wp_login_url, 1$s: wp_registration_url */
-                sanitizeHTML( __( 'To be able to book, you must first <a href="%1$s">login</a> or <a href="%2$s">register as new user</a>.', 'commonsbooking' ) ),
+                commonsbooking_sanitizeHTML( __( 'To be able to book, you must first <a href="%1$s">login</a> or <a href="%2$s">register as new user</a>.', 'commonsbooking' ) ),
                 esc_url( wp_login_url( $current_url ) ), esc_url( wp_registration_url() )
             );
 ?>