From 716921fcced115ecd4a9e356c58e724a9263e8f5 Mon Sep 17 00:00:00 2001
From: sect
Date: Sun, 5 May 2024 15:11:21 +0900
Subject: [PATCH] make sanitization stricter

---
 includes/index.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/includes/index.php b/includes/index.php
index 21a2e70..a7aa385 100644
--- a/includes/index.php
+++ b/includes/index.php
@@ -156,8 +156,9 @@ function save_wpto_meta_box( int $post_id, WP_Post $post, bool $update ): void {
 return;
 }
 
- $pt = wto_has_tag_posttype();
- if ( ! in_array( $post->post_type, $pt, true ) ) {
+ $post_type = sanitize_key( $post->post_type );
+ $post_type_has_tag = wto_has_tag_posttype();
+ if ( ! in_array( $post_type, $post_type_has_tag, true ) ) {
 return;
 }
 
@@ -168,11 +169,12 @@ function save_wpto_meta_box( int $post_id, WP_Post $post, bool $update ): void {
 }
 
 foreach ( $taxonomies as $taxonomy ) {
+ $taxonomy = sanitize_key( $taxonomy );
 if ( ! is_taxonomy_hierarchical( $taxonomy ) && wto_is_enabled_taxonomy( $taxonomy ) ) {
 $meta_box_tags_value = '';
 $fieldname = 'wp-tag-order-' . $taxonomy;
- if ( isset( $_POST[ $fieldname ] ) ) {
- $meta_box_tags_value = serialize( $_POST[ $fieldname ] );
+ if ( isset( $_POST[ $fieldname ] ) && is_array( $_POST[ $fieldname ] ) ) {
+ $meta_box_tags_value = serialize( array_map( 'sanitize_text_field', $_POST[ $fieldname ] ) );
 }
 update_post_meta( $post_id, $fieldname, $meta_box_tags_value );
 }
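Review bot: `sanitize_text_field` on the `$_POST[ $fieldname ]` elements in the second hunk still accepts any free-form text, so the stored order can hold arbitrary strings; if these entries are term IDs, as the `wp-tag-order-` field name suggests but the hunk does not show, a type-level check such as `$meta_box_tags_value = serialize( array_map( 'absint', $_POST[ $fieldname ] ) );` (optionally dropping IDs that `term_exists()` does not find in `$taxonomy`) would be the stricter sanitization the commit title promises. WordPress also delivers `$_POST` slashed, so quotes or backslashes in a value are serialized with their slashes before `update_post_meta` unslashes the whole serialized string, which can corrupt the stored length prefixes; `wp_unslash()` before `array_map` avoids that for non-numeric values. The nonce and capability checks that should guard this write are presumably the early `return;` at the top of the first hunk, but that guard and the start of `save_wpto_meta_box` lie outside the hunk, so I cannot confirm they exist.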