WordPress.org

Plugin Directory

Changeset 1607426


Ignore:
Timestamp:
03/03/17 20:31:21 (7 months ago)
Author:
sareiodata
Message:

sanitizing $_GET and $_POST variables before using them.

Location:
profile-builder/trunk
Files:
6 edited

Legend:

Unmodified
Added
Removed
  • profile-builder/trunk/admin/add-ons.php

    r1607125 r1607426  
    343343 */ 
    344344function wppb_add_on_get_new_plugin_data() { 
    345     $wppb_add_on_name = $_POST['wppb_add_on_name']; 
     345    if(isset( $_POST['wppb_add_on_name'] ) ){ 
     346        $wppb_add_on_name = strip_tags($_POST['wppb_add_on_name']); 
     347    } 
    346348 
    347349    $wppb_get_all_plugins = get_plugins(); 
  • profile-builder/trunk/admin/admin-functions.php

    r1581866 r1607426  
    134134 
    135135        if( isset( $_POST['wppb_password_strength'] ) && !empty( $wppb_generalSettings['minimum_password_strength'] ) ){ 
    136  
    137136            $password_strength_array = array( 'short' => 0, 'bad' => 1, 'good' => 2, 'strong' => 3 ); 
    138137            $password_strength_text = array( 'short' => __( 'Very weak', 'profile-builder' ), 'bad' => __( 'Weak', 'profile-builder' ), 'good' => __( 'Medium', 'profile-builder' ), 'strong' => __( 'Strong', 'profile-builder' ) ); 
  • profile-builder/trunk/assets/lib/wck-api/wordpress-creation-kit.php

    r1607125 r1607426  
    767767        check_ajax_referer( "wck-add-meta" ); 
    768768        if( !empty( $_POST['meta'] ) ) 
    769             $meta = sanitize_text_field( $_POST['meta'] ); 
     769            $meta = strip_tags( $_POST['meta'] ); 
    770770        else 
    771771            $meta = ''; 
     
    774774        else  
    775775            $id = ''; 
    776         if( !empty( $_POST['values'] ) ) 
     776        if( !empty( $_POST['values'] ) && is_array( $_POST['values'] ) ) 
    777777            $values = $_POST['values']; 
    778778        else 
     
    835835        check_ajax_referer( "wck-update-entry" ); 
    836836        if( !empty( $_POST['meta'] ) ) 
    837             $meta = $_POST['meta']; 
     837            $meta = strip_tags( $_POST['meta'] ); 
    838838        else  
    839839            $meta = ''; 
     
    846846        else  
    847847            $element_id = 0; 
    848         if( !empty( $_POST['values'] ) ) 
     848        if( !empty( $_POST['values'] ) && is_array( $_POST['values']) ) 
    849849            $values = $_POST['values']; 
     850        else 
     851            $values = array(); 
    850852         
    851853        // Security checks 
     
    10471049    function wck_reorder_meta(){ 
    10481050        if( !empty( $_POST['meta'] ) ) 
    1049             $meta = sanitize_text_field( $_POST['meta'] ); 
     1051            $meta = strip_tags( $_POST['meta'] ); 
    10501052        else  
    10511053            $meta = ''; 
     
    10541056        else  
    10551057            $id = ''; 
    1056         if( !empty( $_POST['values'] ) ) 
     1058        if( !empty( $_POST['values'] ) && is_array( $_POST['values'] ) ) 
    10571059            $elements_id = $_POST['values']; 
    10581060        else  
     
    12841286    function wck_sync_translation_ajax(){        
    12851287            if( !empty( $_POST['id'] ) )  
    1286                 $post_id = $_POST['id']; 
     1288                $post_id = absint( $_POST['id'] ); 
    12871289            else  
    12881290                $post_id = ''; 
  • profile-builder/trunk/front-end/class-formbuilder.php

    r1592512 r1607426  
    255255 
    256256                    if( isset( $_POST['custom_field_user_role'] ) ) { 
    257                         $user_role = $_POST['custom_field_user_role']; 
     257                        $user_role = strip_tags($_POST['custom_field_user_role']); 
    258258                    } elseif( isset( $this->args['role'] ) ) { 
    259259                        $user_role = $this->args['role']; 
  • profile-builder/trunk/front-end/edit-profile.php

    r1592512 r1607426  
    1919 
    2020            /* we get the form_name through $_POST so we can apply correctly the filter so we generate the correct fields in the current form  */ 
    21             $form_fields = apply_filters( 'wppb_change_form_fields', get_option( 'wppb_manage_fields' ), array( 'form_type'=> 'edit_profile', 'form_fields' => array(), 'form_name' => $_POST['form_name'], 'role' => '', 'ID' => Profile_Builder_Form_Creator::wppb_get_form_id_from_form_name( $_POST['form_name'], 'edit_profile' ), 'context' => 'edit_profile_auto_login_after_password_change' ) ); 
     21            $form_fields = apply_filters( 'wppb_change_form_fields', get_option( 'wppb_manage_fields' ), array( 'form_type'=> 'edit_profile', 'form_fields' => array(), 'form_name' => strip_tags( $_POST['form_name'] ), 'role' => '', 'ID' => Profile_Builder_Form_Creator::wppb_get_form_id_from_form_name( strip_tags( $_POST['form_name'] ), 'edit_profile' ), 'context' => 'edit_profile_auto_login_after_password_change' ) ); 
    2222            if( !empty( $form_fields ) ){ 
    2323 
  • profile-builder/trunk/front-end/recover.php

    r1602144 r1607426  
    244244    } 
    245245    // If the user used the correct key-code, update his/her password 
    246     elseif ( 'POST' == $_SERVER['REQUEST_METHOD'] && !empty( $_POST['action2'] ) && $_POST['action2'] == 'recover_password2' && wp_verify_nonce( $_POST['password_recovery_nonce_field2'], 'verify_true_password_recovery2_'.$_POST['userData'] ) ) { 
     246    elseif ( 'POST' == $_SERVER['REQUEST_METHOD'] && !empty( $_POST['action2'] ) && $_POST['action2'] == 'recover_password2' && wp_verify_nonce( $_POST['password_recovery_nonce_field2'], 'verify_true_password_recovery2_'.absint( $_POST['userData'] ) ) ) { 
    247247 
    248248        if( ( $_POST['passw1'] == $_POST['passw2'] ) && ( !empty( $_POST['passw1'] ) && !empty( $_POST['passw2'] ) ) ){ 
     
    264264                $messageNo2 = '1'; 
    265265 
    266                 $userID = $_POST['userData']; 
     266                $userID = absint( $_POST['userData'] ); 
    267267                $new_pass = $_POST['passw1']; 
    268268 
Note: See TracChangeset for help on using the changeset viewer.