Handle sanitization as early as possible per best practices

Per WP security best practices, sanitization should be handled as early
as possible. So this commit moves the calls that sanitize the
segment name and description to the part of the code where the user
input is first processed, instead of the point where the data is saved
to the database.

[MAILPOET-5232]
Rodrigo Primo
2023-04-17 11:30:40 -03:00
parent db23bffee1
commit aa5b052e66
5 changed files with 12 additions and 6 deletions


@ -105,6 +105,8 @@ class DynamicSegments extends APIEndpoint {
public function save($data) { public function save($data) {
try { try {
$data['name'] = isset($data['name']) ? sanitize_text_field($data['name']) : '';
$data['description'] = isset($data['description']) ? sanitize_textarea_field($data['description']) : '';
$segment = $this->saveController->save($data); $segment = $this->saveController->save($data);
return $this->successResponse($this->segmentsResponseBuilder->build($segment)); return $this->successResponse($this->segmentsResponseBuilder->build($segment));
} catch (InvalidFilterException $e) { } catch (InvalidFilterException $e) {
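Review bot: The two added sanitization lines in DynamicSegments::save are repeated verbatim in ImportExport::addSegment and Segments::save, and the same `isset(...) ? sanitize_*_field(...) : ''` pair appears again inside the Segments controller, so the sanitization policy for a segment now lives in five places and any future change (for example a length limit) has to be made in all of them. Consider a single helper on the controller or a small shared trait, e.g. `private function sanitizeSegmentInput(array $data): array` that returns `$data` with `name` and `description` normalized, and have each endpoint call it before `saveController->save($data)`. Note also that a missing `name` is now coerced to `''` before the controller sees it, so a request without a name and a request with an empty name become indistinguishable; that is fine only if the downstream validation rejects `''` as well, which is not visible in this hunk. The `save` method continues past the end of the hunk.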


@ -108,6 +108,8 @@ class ImportExport extends APIEndpoint {
public function addSegment($data) { public function addSegment($data) {
try { try {
$data['name'] = isset($data['name']) ? sanitize_text_field($data['name']) : '';
$data['description'] = isset($data['description']) ? sanitize_textarea_field($data['description']) : '';
$segment = $this->segmentSavecontroller->save($data); $segment = $this->segmentSavecontroller->save($data);
$response = $this->segmentsResponseBuilder->build($segment); $response = $this->segmentsResponseBuilder->build($segment);
return $this->successResponse($response); return $this->successResponse($response);


@ -119,6 +119,8 @@ class Segments extends APIEndpoint {
public function save($data = []) { public function save($data = []) {
try { try {
$data['name'] = isset($data['name']) ? sanitize_text_field($data['name']) : '';
$data['description'] = isset($data['description']) ? sanitize_textarea_field($data['description']) : '';
$segment = $this->segmentSavecontroller->save($data); $segment = $this->segmentSavecontroller->save($data);
} catch (ValidationException $exception) { } catch (ValidationException $exception) {
return $this->badRequest([ return $this->badRequest([


@ -42,7 +42,7 @@ class Segments {
$this->validateSegmentName($data); $this->validateSegmentName($data);
try { try {
$name = sanitize_text_field($data['name']); $name = isset($data['name']) ? sanitize_text_field($data['name']) : '';
$description = isset($data['description']) ? sanitize_textarea_field($data['description']) : ''; $description = isset($data['description']) ? sanitize_textarea_field($data['description']) : '';
$segment = $this->segmentsRepository->createOrUpdate($name, $description); $segment = $this->segmentsRepository->createOrUpdate($name, $description);
} catch (\Exception $e) { } catch (\Exception $e) {
@ -65,10 +65,13 @@ class Segments {
// update is supported only for default segment type // update is supported only for default segment type
$this->validateSegmentType((string)$data['id']); $this->validateSegmentType((string)$data['id']);
$name = isset($data['name']) ? sanitize_text_field($data['name']) : '';
$description = isset($data['description']) ? sanitize_textarea_field($data['description']) : '';
try { try {
$segment = $this->segmentsRepository->createOrUpdate( $segment = $this->segmentsRepository->createOrUpdate(
$data['name'], $name,
$data['description'] ?? '', $description,
SegmentEntity::TYPE_DEFAULT, SegmentEntity::TYPE_DEFAULT,
[], [],
(int)$data['id'] (int)$data['id']
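Review bot: In the first hunk of the Segments controller, `$this->validateSegmentName($data)` still runs on the raw `$data['name']` and only afterwards is `$name` derived with `sanitize_text_field`, so a value that is non-empty before sanitization but empty after it (for example one consisting only of markup) would, as far as this hunk shows, pass validation and be stored as `''`; the endpoints changed in this commit pre-sanitize and so do not hit this, but a direct caller of the controller would. Sanitizing first and validating the sanitized value keeps the check meaningful: `$data['name'] = isset($data['name']) ? sanitize_text_field($data['name']) : '';` before `$this->validateSegmentName($data);`, then `$name = $data['name'];`. The body of `validateSegmentName` is not visible here, so whether it already rejects an empty string is inferred, not confirmed. Both hunks begin inside methods whose signatures lie outside the hunk, and the second hunk's `createOrUpdate` call is cut off at the end.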


@ -139,9 +139,6 @@ class SegmentsRepository extends Repository {
): SegmentEntity { ): SegmentEntity {
$displayInManageSubPage = $type === SegmentEntity::TYPE_DEFAULT ? $displayInManageSubscriptionPage : false; $displayInManageSubPage = $type === SegmentEntity::TYPE_DEFAULT ? $displayInManageSubscriptionPage : false;
$name = sanitize_text_field($name);
$description = sanitize_textarea_field($description);
if ($id) { if ($id) {
$segment = $this->findOneById($id); $segment = $this->findOneById($id);
if (!$segment instanceof SegmentEntity) { if (!$segment instanceof SegmentEntity) {
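Review bot: Removing `sanitize_text_field($name)` and `sanitize_textarea_field($description)` from SegmentsRepository::createOrUpdate shifts the responsibility to callers, and nothing in the repository now records that contract, so any caller other than the endpoints and controller touched in this commit would persist unsanitized strings without a compile-time or review-time hint. At minimum the method's docblock should state the new precondition, for example `@param string $name Already sanitized by the caller (sanitize_text_field); this method stores it as-is.` and the equivalent line for `$description`, and the remaining call sites of `createOrUpdate` in the code base should be audited for the same change. The method signature and the rest of its body lie outside the hunk, so whether other validation happens there cannot be seen from this page.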