From 119dcbd5b53b6d41f28496d276463d88cbd3114b Mon Sep 17 00:00:00 2001
From: Rodrigo Primo
Date: Fri, 14 Apr 2023 15:18:37 -0300
Subject: [PATCH] Sanitize name and description when creating a segment

This commits adds the sanitization right before the data is added to the database (\MailPoet\Segments\SegmentsRepository::createOrUpdate()) and removes the sanitization from \MailPoet\Segments\DynamicSegments\SegmentSaveController::save() to avoid sanitizing twice. save() calls createOrUpdate(). Before this commit, we were sanitizing the name and description of dynamic segments but not regular segments. [MAILPOET-5232]
---
.../lib/Segments/DynamicSegments/SegmentSaveController.php | 4 ++--
mailpoet/lib/Segments/SegmentsRepository.php | 4 ++++
2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/mailpoet/lib/Segments/DynamicSegments/SegmentSaveController.php b/mailpoet/lib/Segments/DynamicSegments/SegmentSaveController.php
index 72fb8f891d..dd9ee93163 100644
--- a/mailpoet/lib/Segments/DynamicSegments/SegmentSaveController.php
+++ b/mailpoet/lib/Segments/DynamicSegments/SegmentSaveController.php
@@ -31,8 +31,8 @@ class SegmentSaveController {
 */
 public function save(array $data = []): SegmentEntity {
 $id = isset($data['id']) ? (int)$data['id'] : null;
- $name = isset($data['name']) ? sanitize_text_field($data['name']) : '';
- $description = isset($data['description']) ? sanitize_textarea_field($data['description']) : '';
+ $name = $data['name'] ?? '';
+ $description = $data['description'] ?? '';
 $filtersData = $this->filterDataMapper->map($data);
 return $this->segmentsRepository->createOrUpdate($name, $description, SegmentEntity::TYPE_DYNAMIC, $filtersData, $id);
diff --git a/mailpoet/lib/Segments/SegmentsRepository.php b/mailpoet/lib/Segments/SegmentsRepository.php
index 9d5b4f7dab..e5aa6b30d0 100644
--- a/mailpoet/lib/Segments/SegmentsRepository.php
+++ b/mailpoet/lib/Segments/SegmentsRepository.php
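Review bot: The docblock whose closing `*/` opens this hunk does not say that save() now deliberately passes `$data['name']` and `$data['description']` to the repository unsanitized; without that note the sanitize_text_field()/sanitize_textarea_field() calls are likely to be re-added here and applied twice. Suggest a docblock line such as `Sanitization of name/description is done in SegmentsRepository::createOrUpdate(); do not sanitize here.` Separately, `$data['name'] ?? ''` no longer guarantees a string: a non-string scalar from the request (e.g. an int) was previously coerced by sanitize_text_field(), so if createOrUpdate() declares `string $name` under strict_types (its signature is not in this hunk) such input now fails with a TypeError at the repository, which may be acceptable but deserves a test. The docblock starts before the hunk and save() ends after it.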
@@ -138,6 +138,10 @@ class SegmentsRepository extends Repository {
 bool $displayInManageSubscriptionPage = true
 ): SegmentEntity {
 $displayInManageSubPage = $type === SegmentEntity::TYPE_DEFAULT ? $displayInManageSubscriptionPage : false;
+
+ $name = sanitize_text_field($name);
+ $description = sanitize_textarea_field($description);
+
 if ($id) {
 $segment = $this->findOneById($id);
 if (!$segment instanceof SegmentEntity) {
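Review bot: The two added sanitize calls carry no comment explaining why the repository, rather than its callers, normalizes `$name` and `$description`; since the same commit removes those calls from SegmentSaveController::save(), a reader of this file cannot see that every caller now relies on these lines. Suggest `// Sanitize here so that default and dynamic segments store the same normalized name/description; callers must not sanitize again.` Note also that sanitize_text_field() reduces a name made only of tags or control characters to an empty string, so any non-empty or uniqueness validation of `$name` that runs in a caller before createOrUpdate() (none is visible in this hunk) would be checking a different value from the one stored; if such a check exists it belongs after these lines, and a test with a tag-only name would pin that. createOrUpdate()'s parameter list begins before the hunk and its body continues after it.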