sanitized input and output

wpugph · Nov 1, 2019 · e08c76f · e08c76f
1 parent 91400fe
commit e08c76f
Show file tree

Hide file tree

Showing 6 changed files with 157 additions and 52 deletions.
diff --git a/includes/class-tika-doc-pdf-indexer-functions.php b/includes/class-tika-doc-pdf-indexer-functions.php
@@ -102,13 +102,13 @@ function tdpi_restrict_mimetypes( $mimes ) {
 
 	$allowed_array = array();
 	if ( in_array( 'pdf', $allowed, true ) ) {
-		$allowed_array['pdf'] = 'application/pdf';
+		$allowed_array['pdf'] = array( 'application/pdf' );
 	}
 	if ( in_array( 'txt', $allowed, true ) ) {
-		$allowed_array['txt'] = 'text/plain';
+		$allowed_array['txt'] = array( 'text/plain' );
 	}
 	if ( in_array( 'doc', $allowed, true ) ) {
-		$allowed_array['doc'] = 'application/msword';
+		$allowed_array['doc'] = array( 'application/msword' );
 	}
 	global $post_type;
 	if ( 'tdpi_doc' === $post_type ) {
@@ -280,3 +280,4 @@ function tdpi_save_tika_meta( $post_id, $post ) {
 // on upload existing file, attach data.
 // make the upload file required
 // default to upload and restric from selcting uploaded file or the recent file should be indexed.
+// Settings should file checks if correct or existing..
diff --git a/includes/class-tika-doc-pdf-indexer-settings.php b/includes/class-tika-doc-pdf-indexer-settings.php
@@ -50,6 +50,91 @@ class Tika_Doc_PDF_Indexer_Settings {
 	 */
 	public $settings = array();
 
+	/**
+	 * Allowed html.
+	 *
+	 * @var array
+	 */
+	public $allowed_htmls_form = [
+		'a'      => [
+			'href'  => [],
+			'title' => [],
+		],
+		'input'  => [
+			'id'          => [],
+			'type'        => [],
+			'name'        => [],
+			'placeholder' => [],
+			'value'       => [],
+			'class'       => [],
+		],
+		'select' => [
+			'id'          => [],
+			'type'        => [],
+			'name'        => [],
+			'placeholder' => [],
+			'value'       => [],
+			'multiple'    => [],
+		],
+		'option' => [
+			'id'          => [],
+			'type'        => [],
+			'name'        => [],
+			'placeholder' => [],
+			'value'       => [],
+			'multiple'    => [],
+			'selected'    => [],
+		],
+		'label'  => [
+			'for'   => [],
+			'title' => [],
+		],
+		'span'   => [
+			'class' => [],
+			'title' => [],
+		],
+		'div'    => [
+			'class' => [],
+			'id'    => [],
+		],
+		'table'  => [
+			'scope' => [],
+			'title' => [],
+			'class' => [],
+			'role'  => [],
+		],
+		'tbody'  => [
+			'scope' => [],
+			'title' => [],
+			'class' => [],
+			'role'  => [],
+		],
+		'th'     => [
+			'scope' => [],
+			'title' => [],
+		],
+		'tr'     => [],
+		'td'     => [],
+		'p'      => [],
+		'br'     => [],
+		'h2'     => [],
+		'em'     => [],
+		'strong' => [],
+		'th'     => [],
+		'form'   => [
+			'method'      => [],
+			'type'        => [],
+			'name'        => [],
+			'placeholder' => [],
+			'value'       => [],
+			'multiple'    => [],
+			'selected'    => [],
+			'action'      => [],
+			'enctype'     => [],
+		],
+
+	];
+
 	/**
 	 * Constructor function.
 	 *
@@ -195,17 +280,7 @@ public function register_settings() {
 		if ( is_array( $this->settings ) ) {
 
 			// Check posted/selected tab.
-			//phpcs:disable
 			$current_section = '';
-			if ( isset( $_POST['tab'] ) && $_POST['tab'] ) {
-				$current_section = $_POST['tab'];
-			} else {
-				if ( isset( $_GET['tab'] ) && $_GET['tab'] ) {
-					$current_section = $_GET['tab'];
-				}
-			}
-			//phpcs:enable
-
 			foreach ( $this->settings as $section => $data ) {
 
 				if ( $current_section && $current_section !== $section ) {
@@ -256,8 +331,8 @@ public function register_settings() {
 	 * @return void
 	 */
 	public function settings_section( $section ) {
-		$html = '<p> ' . $this->settings[ $section['id'] ]['description'] . '</p>' . "\n";
-		echo $html; //phpcs:ignore
+		$html = $this->settings[ $section['id'] ]['description'] . "\n";
+		echo esc_html( $html );
 	}
 
 	/**
@@ -288,7 +363,7 @@ public function settings_page() {
 			$html         .= '</form>' . "\n";
 		$html             .= '</div>' . "\n";
 
-		echo $html; //phpcs:ignore
+		echo wp_kses( $html, $this->allowed_htmls_form );
 	}
 
 	/**

diff --git a/includes/class-tika-doc-pdf-indexer.php b/includes/class-tika-doc-pdf-indexer.php
@@ -272,20 +272,25 @@ private function _log_version_number() { //phpcs:ignore
 		update_option( $this->_token . '_version', $this->_version );
 	} // End _log_version_number ()
 
+	/**
+	 * Register document post type.
+	 *
+	 * @return void
+	 */
 	public function register_doc_postype() {
-		$options = array(
+		$options     = array(
 			'menu_icon' => 'dashicons-media-document',
 			'supports'  => array( 'title', 'thumbnail' ),
 		);
 		$description = '';
 
 		$this->register_post_type(
-			'tdpi_doc', 
-			__( 'Documents', 'tika-doc-pdf-indexer' ), 
+			'tdpi_doc',
+			__( 'Documents', 'tika-doc-pdf-indexer' ),
 			__( 'Document', 'tika-doc-pdf-indexer' ),
 			$description,
 			$options
-		);		
+		);
 	}
 
 	/**
@@ -315,7 +320,6 @@ public function __construct( $file = '', $version = '1.0.0' ) {
 		// Load admin JS & CSS.
 		add_action( 'admin_enqueue_scripts', array( $this, 'admin_enqueue_scripts' ), 10, 1 );
 		add_action( 'admin_enqueue_scripts', array( $this, 'admin_enqueue_styles' ), 10, 1 );
-
 
 		// Load API for generic admin functions.
 		if ( is_admin() ) {

diff --git a/includes/lib/class-tika-doc-pdf-indexer-admin-api.php b/includes/lib/class-tika-doc-pdf-indexer-admin-api.php
@@ -21,6 +21,54 @@ public function __construct() {
 		add_action( 'save_post', array( $this, 'save_meta_boxes' ), 10, 1 );
 	}
 
+	/**
+	 * Allowed html.
+	 *
+	 * @var array
+	 */
+	public $allowed_htmls = [
+		'a'      => [
+			'href'  => [],
+			'title' => [],
+		],
+		'input'  => [
+			'id'          => [],
+			'type'        => [],
+			'name'        => [],
+			'placeholder' => [],
+			'value'       => [],
+		],
+		'select' => [
+			'id'          => [],
+			'type'        => [],
+			'name'        => [],
+			'placeholder' => [],
+			'value'       => [],
+			'multiple'    => [],
+		],
+		'option' => [
+			'id'          => [],
+			'type'        => [],
+			'name'        => [],
+			'placeholder' => [],
+			'value'       => [],
+			'multiple'    => [],
+			'selected'    => [],
+		],
+		'label'  => [
+			'for'   => [],
+			'title' => [],
+		],
+		'span'   => [
+			'class' => [],
+			'title' => [],
+		],
+		'br'     => [],
+		'em'     => [],
+		'strong' => [],
+
+	];
+
 	/**
 	 * Generate HTML for displaying fields.
 	 *
@@ -171,16 +219,6 @@ public function display_field( $data = array(), $post = false, $echo = true ) {
 				$html .= '<input id="' . $option_name . '" class="image_data_field" type="hidden" name="' . $option_name . '" value="' . $data . '"/><br/>' . "\n";
 				break;
 
-			case 'color':
-				//phpcs:disable
-				?><div class="color-picker" style="position:relative;">
-					<input type="text" name="<?php esc_attr_e( $option_name ); ?>" class="color" value="<?php esc_attr_e( $data ); ?>" />
-					<div style="position:absolute;background:#FFF;z-index:99;border-radius:100%;" class="colorpicker"></div>
-				</div>
-				<?php
-				//phpcs:enable
-				break;
-
 			case 'editor':
 				wp_editor(
 					$data,
@@ -218,8 +256,7 @@ public function display_field( $data = array(), $post = false, $echo = true ) {
 			return $html;
 		}
 
-		echo esc_html( $html );
-
+		echo wp_kses( $html, $this->allowed_htmls );
 	}
 
 	/**
@@ -345,8 +382,10 @@ public function save_meta_boxes( $post_id = 0 ) {
 		}
 
 		foreach ( $fields as $field ) {
-			if ( isset( $_REQUEST[ $field['id'] ] ) ) { //phpcs:ignore
-				update_post_meta( $post_id, $field['id'], $this->validate_field( $_REQUEST[ $field['id'] ], $field['type'] ) ); //phpcs:ignore
+			if ( isset( $_REQUEST[ $field['id'] ] ) ) {
+				if ( wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST[ $field['id'] ] ) ) ) ) {
+					update_post_meta( $post_id, $field['id'], $this->validate_field( wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST[ $field['id'] ], $field['type'] ) ) ) ) );
+				}
 			} else {
 				update_post_meta( $post_id, $field['id'], '' );
 			}

diff --git a/includes/lib/class-tika-doc-pdf-indexer-post-type.php b/includes/lib/class-tika-doc-pdf-indexer-post-type.php
@@ -159,21 +159,19 @@ public function register_post_type() {
 	 */
 	public function updated_messages( $messages = array() ) {
 		global $post, $post_ID;
-		//phpcs:disable
 		$messages[ $this->post_type ] = array(
 			0  => '',
 			1  => sprintf( __( '%1$s updated. %2$sView %3$s%4$s.', 'tika-doc-pdf-indexer' ), $this->single, '<a href="' . esc_url( get_permalink( $post_ID ) ) . '">', $this->single, '</a>' ),
 			2  => __( 'Custom field updated.', 'tika-doc-pdf-indexer' ),
 			3  => __( 'Custom field deleted.', 'tika-doc-pdf-indexer' ),
 			4  => sprintf( __( '%1$s updated.', 'tika-doc-pdf-indexer' ), $this->single ),
-			5  => isset( $_GET['revision'] ) ? sprintf( __( '%1$s restored to revision from %2$s.', 'tika-doc-pdf-indexer' ), $this->single, wp_post_revision_title( (int) $_GET['revision'], false ) ) : false,
+			5  => sprintf( __( '%1$s restored to previous revision.', 'tika-doc-pdf-indexer' ), $this->single ),
 			6  => sprintf( __( '%1$s published. %2$sView %3$s%4$s.', 'tika-doc-pdf-indexer' ), $this->single, '<a href="' . esc_url( get_permalink( $post_ID ) ) . '">', $this->single, '</a>' ),
 			7  => sprintf( __( '%1$s saved.', 'tika-doc-pdf-indexer' ), $this->single ),
 			8  => sprintf( __( '%1$s submitted. %2$sPreview post%3$s%4$s.', 'tika-doc-pdf-indexer' ), $this->single, '<a target="_blank" href="' . esc_url( add_query_arg( 'preview', 'true', get_permalink( $post_ID ) ) ) . '">', $this->single, '</a>' ),
 			9  => sprintf( __( '%1$s scheduled for: %2$s. %3$sPreview %4$s%5$s.', 'tika-doc-pdf-indexer' ), $this->single, '<strong>' . date_i18n( __( 'M j, Y @ G:i', 'tika-doc-pdf-indexer' ), strtotime( $post->post_date ) ) . '</strong>', '<a target="_blank" href="' . esc_url( get_permalink( $post_ID ) ) . '">', $this->single, '</a>' ),
 			10 => sprintf( __( '%1$s draft updated. %2$sPreview %3$s%4$s.', 'tika-doc-pdf-indexer' ), $this->single, '<a target="_blank" href="' . esc_url( add_query_arg( 'preview', 'true', get_permalink( $post_ID ) ) ) . '">', $this->single, '</a>' ),
 		);
-		//phpcs:enable
 
 		return $messages;
 	}

diff --git a/lang/tika-doc-pdf-indexer.pot b/lang/tika-doc-pdf-indexer.pot
@@ -4,11 +4,11 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Tika Doc PDF Indexer 1.0\n"
 "Report-Msgid-Bugs-To: http://wordpress.org/tag/WordPress-Plugin-Template\n"
-"POT-Creation-Date: 2014-04-07 11:28:06+00:00\n"
+"POT-Creation-Date: 2019-11-01 11:28:06+00:00\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"PO-Revision-Date: 2014-MO-DA HO:MI+ZONE\n"
+"PO-Revision-Date: 2019-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <[email protected]>\n"
 
@@ -393,15 +393,3 @@ msgstr ""
 #. Plugin Name of the plugin/theme
 msgid "Tika Doc PDF Indexer"
 msgstr ""
-
-#. Plugin URI of the plugin/theme
-msgid "http://www.hughlashbrooke.com/"
-msgstr ""
-
-#. Author of the plugin/theme
-msgid "Hugh Lashbrooke"
-msgstr ""
-
-#. Author URI of the plugin/theme
-msgid "http://www.hughlashbrooke.com/"
-msgstr ""