improve sanitization

jrtashjian · Aug 18, 2023 · e0952d7 · e0952d7
1 parent c41faf2
commit e0952d7
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 7 deletions.
diff --git a/includes/Plugin/Form.php b/includes/Plugin/Form.php
@@ -208,7 +208,9 @@ public function hook_render_block( $block_content, $parsed_block, $wp_block ) {
 	 * @param \WP_REST_Request $request Full details about the request.
 	 */
 	public function validate( \WP_REST_Request $request ) {
-		$request_params = new \OmniForm\Dependencies\Dflydev\DotAccessData\Data( $request->get_params() );
+		$request_params = new \OmniForm\Dependencies\Dflydev\DotAccessData\Data(
+			array_map( 'sanitize_textarea_field', $request->get_params() )
+		);
 
 		$this->register_fields();
 
@@ -308,7 +310,7 @@ public function response_email_message( $response_id ) {
 		$message[] = '---';
 		$message[] = sprintf( 'This email was sent to notify you of a response made through the contact form on %s.', esc_url( get_bloginfo( 'url' ) ) );
 		$message[] = 'Time: ' . $response_data['response']->post_date;
-		$message[] = 'IP Address: ' . $_SERVER['REMOTE_ADDR'];
+		$message[] = 'IP Address: ' . sanitize_text_field( $_SERVER['REMOTE_ADDR'] );
 		$message[] = 'Form URL: ' . esc_url( get_post_meta( $response_id, '_wp_http_referer', true ) );
 
 		return esc_html( implode( "\n", $message ) );

diff --git a/includes/Plugin/PluginServiceProvider.php b/includes/Plugin/PluginServiceProvider.php
@@ -666,7 +666,7 @@ public function filter_block_patterns_on_rest_api() {
 			return;
 		}
 
-		$url_parts = wp_parse_url( $_SERVER['HTTP_REFERER'] );
+		$url_parts = wp_parse_url( sanitize_url( $_SERVER['HTTP_REFERER'] ) );
 
 		$query_args = array();
 		if ( ! empty( $url_parts['query'] ) ) {

diff --git a/includes/Plugin/RestApi/ResponsesController.php b/includes/Plugin/RestApi/ResponsesController.php
@@ -92,8 +92,8 @@ public function create_response( \WP_REST_Request $request ) {
 				'post_title'   => wp_generate_uuid4(),
 				'post_content' => wp_json_encode(
 					array(
-						'response' => $response_data,
-						'fields'   => $fields_data,
+						'response' => array_map( 'sanitize_textarea_field', $response_data ),
+						'fields'   => array_map( 'sanitize_textarea_field', $fields_data ),
 						'groups'   => $form->get_groups(),
 					)
 				),
@@ -102,8 +102,8 @@ public function create_response( \WP_REST_Request $request ) {
 				'post_parent'  => $form->get_id(),
 				'meta_input'   => array(
 					'_omniform_id'      => $form->get_id(),
-					'_omniform_user_ip' => $_SERVER['REMOTE_ADDR'],
-					'_wp_http_referer'  => $request->get_param( '_wp_http_referer' ),
+					'_omniform_user_ip' => sanitize_text_field( $_SERVER['REMOTE_ADDR'] ),
+					'_wp_http_referer'  => sanitize_text_field( $request->get_param( '_wp_http_referer' ) ),
 				),
 			),
 			true