From 6907e484f530690fe3f668219a82d167988ea5f0 Mon Sep 17 00:00:00 2001
From: Christian Nikkanen
Date: Sat, 22 Sep 2018 17:12:18 +0300
Subject: [PATCH] Sanitize values

---
 classes/class.wp-libre-formbuilder.php | 33 ++++++++++++++++++++------
 init.php | 2 +-
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/classes/class.wp-libre-formbuilder.php b/classes/class.wp-libre-formbuilder.php
index 9905d01..a8475f2 100644
--- a/classes/class.wp-libre-formbuilder.php
+++ b/classes/class.wp-libre-formbuilder.php
@@ -30,11 +30,13 @@ public function __construct() {
 $template = !empty($_POST["wplfb-field-template"]) ? $_POST["wplfb-field-template"] : "";
 $label = !empty($_POST["wplfb-field-label"]) ? $_POST["wplfb-field-label"] : false;
 
- update_post_meta($post_id, "wplfb-field-template", $template);
- update_post_meta($post_id, "wplfb-field-label", $label);
+ // Field template contains HTML, that must remain as-is for the frontend.
+ update_post_meta($post_id, "wplfb-field-template", esc_html($template));
+ update_post_meta($post_id, "wplfb-field-label", sanitize_text_field($label));
 }
 
 if ($post->post_type === "wplf-form") {
+ // State is always a JSON export from Redux, must remain as-is or things will break!
 $state = !empty($_POST["wplfb-state"])
 ? wp_json_encode($_POST["wplfb-state"], JSON_UNESCAPED_UNICODE)
 : "";
@@ -75,7 +77,7 @@ public function registerCPT() {
 ]));
 }
- public function render_settings_page() {
+ public function renderSettingsPage() {
 ?>
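Review bot: `esc_html($template)` on the `update_post_meta` line is output escaping used as a storage sanitizer, and it does not restrict what the template may contain: the REST handler decodes the value again before sending it to the editor, so the stored markup round-trips unchanged, script and event-handler attributes included. If the goal is to limit what a form author can store, the save path needs an allow-list such as `wp_kses_post($template)` or a `current_user_can('unfiltered_html')` gate; if the HTML genuinely must stay as-is, the comment should say so and the `esc_html()` call should be dropped rather than paired with a decode. The round trip is also lossy, because `esc_html()` does not double-encode existing entities, so a template that legitimately contains `&amp;` or `&lt;` comes back decoded. The enclosing save handler starts before the hunk, so whether a nonce and capability check precede these writes is not visible here.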

WP Libre Formbuilder settings

@@ -101,7 +103,7 @@ function ($post) {

@@ -170,7 +172,9 @@ function ($post) {

@@ -195,7 +199,9 @@ function ($post) { "> + value="ID, "wplfb-field-label", true)); + ?>">

@@ -247,11 +253,14 @@ public function registerRESTRoutes() {
 * This goes around that.
 */
 public function getRequestBody() {
- // Maybe do error handling.
 return json_decode(file_get_contents('php://input'));
 }
+ /**
+ * Get fields in a format readable by the frontend.
+ * Frontend requires unescaped HTML.
+ */
 public function getFields(WP_REST_Request $request) {
 $codefields = apply_filters("wplfb-available-code-fields", $this->fields); // Pass later later with callback; does not contain fields from DB
@@ -277,6 +286,16 @@ public function getFields(WP_REST_Request $request) {
 // Allow user to filter the result.
 $fields = apply_filters("wplfb-available-fields", $this->fields, $codefields);
 
+ // Unescape values for frontend.
+ foreach ($fields as $key => $value) {
+ $newValue = array_merge($value, [
+ "field" => html_entity_decode($value['field']),
+ "template" => html_entity_decode($value['template']),
+ ]);
+
+ $fields[$key] = $newValue;
+ }
+
 return new WP_REST_Response([
 "fields" => $fields,
 ]);
diff --git a/init.php b/init.php
index 38114d4..b6ce075 100644
--- a/init.php
+++ b/init.php
@@ -51,7 +51,7 @@
 "link" => "https://github.com/k1sul1/wp-libre-formbuilder",
 "version" => WPLFB_VERSION,
 "instance" => $builder,
- "settings_page" => [$builder, "render_settings_page"],
+ "settings_page" => [$builder, "renderSettingsPage"],
 ]);
 });
 } else {
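Review bot: `html_entity_decode($value['template'])` in the new `foreach` is not the inverse of the `esc_html()` applied on save: with PHP's pre-8.1 default flags (`ENT_COMPAT`) the `&#039;` that `esc_html()` emits for a single quote is left encoded, so a template using single-quoted attributes reaches the editor broken. Use WordPress's matching decoder for both keys, `"field" => wp_specialchars_decode($value['field'] ?? '', ENT_QUOTES),` and likewise for `template`; the `?? ''` also avoids an undefined-index notice (and a null-argument deprecation on PHP 8.1) when a field supplied through the `wplfb-available-fields` filter lacks one of the keys. The loop decodes every entry, including the code-defined fields in `$this->fields` that were never encoded, so any of those containing a literal `&amp;` or `&lt;` is silently altered; decode only entries that came from post meta, or document the constraint. A comment such as `// Reverses the esc_html() applied on save; the markup is returned unsanitized.` would make the effective trust model explicit for the next maintainer.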