From 3ff3ab6423ec67b84c84fa30c88e6fb463521208 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Denis=20=C5=BDoljom?=
Date: Thu, 11 Apr 2024 15:59:02 +0200
Subject: [PATCH 1/2] Improve sanitization in params preparation
---
 src/Rest/Routes/AbstractUtilsBaseRoute.php | 23 ++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/Rest/Routes/AbstractUtilsBaseRoute.php b/src/Rest/Routes/AbstractUtilsBaseRoute.php
index d648539..8615c84 100644
--- a/src/Rest/Routes/AbstractUtilsBaseRoute.php
+++ b/src/Rest/Routes/AbstractUtilsBaseRoute.php
@@ -190,8 +190,27 @@ static function ($item) {
 return $innerNotEmpty[0];
 }
- // Just decode value.
- return \json_decode(\sanitize_text_field($item), true);
+ // Try to clean the string.
+ // Parts of the code taken from https://developer.wordpress.org/reference/functions/_sanitize_text_fields/
+ $item = \wp_check_invalid_utf8($item);
+ $item = \wp_strip_all_tags($item);
+
+ $filtered = trim($item);
+
+ // Remove percent-encoded characters.
+ $found = false;
+ while (preg_match('/%[a-f0-9]{2}/i', $filtered, $match)) {
+ $filtered = str_replace($match[0], '', $filtered);
+ $found = true;
+ }
+
+ if ($found) {
+ // Strip out the whitespace that may now exist after removing percent-encoded characters.
+ $filtered = trim(preg_replace('/ +/', ' ', $filtered));
+ }
+
+ // Decode value.
+ return \json_decode($filtered, true);
 }, $params );
From 36c67c22268dece3f98bdcf394d046d36fb27993 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Denis=20=C5=BDoljom?=
Date: Thu, 11 Apr 2024 16:12:22 +0200
Subject: [PATCH 2/2] phpcs fixes
---
 src/Rest/Routes/AbstractUtilsBaseRoute.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/Rest/Routes/AbstractUtilsBaseRoute.php b/src/Rest/Routes/AbstractUtilsBaseRoute.php
index 8615c84..41718ad 100644
--- a/src/Rest/Routes/AbstractUtilsBaseRoute.php
+++ b/src/Rest/Routes/AbstractUtilsBaseRoute.php
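Review bot: Running `\wp_strip_all_tags` and the `%xx` removal loop on the serialized JSON text (the `$item` assignments through the `while` loop) can change the decoded structure rather than just clean values — an input like `{"a":"x<b","c":"y>z"}` loses the `<b","c":"y>` span and decodes to a different key set, a value that legitimately contains `%20` is silently rewritten, and a decode that fails after this rewriting returns `null` from `\json_decode` with no error check. Cleaning before decoding also does not protect whatever consumes the decoded array, because JSON escapes such as `\u003c` pass through untouched and only become `<` after decoding. Decoding first, checking `\json_last_error()`, and then sanitizing the string leaves with `\array_walk_recursive` keeps the structure intact and sanitizes what is actually used; which sanitizer fits each field (`sanitize_text_field` versus a textarea variant) depends on the form definition, which is outside this hunk. The enclosing callback starts before the hunk, and the second patch reproduces the same lines with only namespace prefixes added, so this applies there as well.
```php
// … unchanged: empty-value / $innerNotEmpty handling above …
$item = \wp_check_invalid_utf8($item);

// Decode first; cleaning the serialized text can alter the decoded structure.
$decoded = \json_decode($item, true);
if (\json_last_error() !== \JSON_ERROR_NONE) {
    return null; // same outcome as a failed decode today; consider surfacing the error to the caller
}

// Sanitize the decoded string leaves instead of the JSON document.
if (\is_array($decoded)) {
    \array_walk_recursive($decoded, static function (&$value): void {
        if (\is_string($value)) {
            $value = \sanitize_text_field($value);
        }
    });
} elseif (\is_string($decoded)) {
    $decoded = \sanitize_text_field($decoded);
}

return $decoded;
```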
@@ -191,22 +191,22 @@ static function ($item) {
 }
 // Try to clean the string.
- // Parts of the code taken from https://developer.wordpress.org/reference/functions/_sanitize_text_fields/
+ // Parts of the code taken from https://developer.wordpress.org/reference/functions/_sanitize_text_fields/.
 $item = \wp_check_invalid_utf8($item);
 $item = \wp_strip_all_tags($item);
- $filtered = trim($item);
+ $filtered = \trim($item);
 // Remove percent-encoded characters.
 $found = false;
- while (preg_match('/%[a-f0-9]{2}/i', $filtered, $match)) {
- $filtered = str_replace($match[0], '', $filtered);
+ while (\preg_match('/%[a-f0-9]{2}/i', $filtered, $match)) {
+ $filtered = \str_replace($match[0], '', $filtered);
 $found = true;
 }
 if ($found) {
 // Strip out the whitespace that may now exist after removing percent-encoded characters.
- $filtered = trim(preg_replace('/ +/', ' ', $filtered));
+ $filtered = \trim(\preg_replace('/ +/', ' ', $filtered));
 }
 // Decode value.