- Adds data sanitization on the client and server side

- Closes #641
Vlad
2016-10-16 12:42:13 -04:00
parent bf894fc26f
commit 9ba6e9806f
2 changed files with 15 additions and 3 deletions


@@ -337,9 +337,19 @@ define(
complete: function (CSV) { complete: function (CSV) {
for (var rowCount in CSV.data) { for (var rowCount in CSV.data) {
var rowData = CSV.data[rowCount].map(function (el) { var rowData = CSV.data[rowCount].map(function (el) {
return filterXSS(el.trim()); // sanitize data
}), el = filterXSS(el.trim());
rowColumnCount = rowData.length; var entityMap = {
"<": "&lt;",
">": "&gt;",
"/": '&#x2F;'
};
el = String(el).replace(/[&<>"'\/]/g, function (s) {
return entityMap[s];
});
return el;
});
var rowColumnCount = rowData.length;
// set the number of row elements based on the first non-empty row // set the number of row elements based on the first non-empty row
if (columnCount === null) { if (columnCount === null) {
columnCount = rowColumnCount; columnCount = rowColumnCount;
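Review bot: The character class in `el = String(el).replace(/[&<>"'\/]/g, ...)` matches six characters, but the entityMap declared just above it has entries only for `<`, `>` and `/` as shown here, so for `&`, `"` and `'` the callback returns undefined and the character is replaced by the literal text "undefined" — unless a map line was lost in rendering, in which case disregard this part. Either add the missing entries `"&": "&amp;",`, `'"': "&quot;",`, `"'": "&#39;"` or narrow the character class to the keys the map actually has. Separately, entity-encoding CSV values at import time bakes HTML-escaped text into stored subscriber fields (an apostrophe in a name becomes `&#39;`) and, since filterXSS has already run on the value, re-encodes any `&` it emitted; HTML escaping is an output-context concern and is better applied where the value is rendered, with the import keeping the raw, XSS-filtered value. The `complete` callback continues past the end of the hunk.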


@@ -110,6 +110,8 @@ class Import {
function validateSubscribersFields($subscribers_data, $validation_rules) { function validateSubscribersFields($subscribers_data, $validation_rules) {
$invalid_records = array(); $invalid_records = array();
foreach($subscribers_data as $column => &$data) { foreach($subscribers_data as $column => &$data) {
// sanitize each data field
$data = array_map('sanitize_text_field', $data);
$validation_rule = $validation_rules[$column]; $validation_rule = $validation_rules[$column];
// if this is a custom column // if this is a custom column
if(in_array($column, $this->subscriber_custom_fields)) { if(in_array($column, $this->subscriber_custom_fields)) {
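Review bot: `$data = array_map('sanitize_text_field', $data);` rewrites every value before validation runs, so a rejected record in `$invalid_records` will hold the sanitized value rather than what the user supplied, and a value that sanitize_text_field alters (tags stripped, line breaks and extra whitespace removed, a lone `<` encoded) can then fail a later rule for a reason the importer never sees; that deserves a comment such as `// sanitize_text_field() may alter the value (strips tags/newlines), so validation and error reporting below see the sanitized form`. If any imported column is not plain text, sanitizing all columns uniformly here would be lossy; I can't tell from this hunk whether such columns exist. The enclosing `validateSubscribersFields` continues past the end of the hunk, where `$data` is still bound by reference from the `foreach`.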