Include a way to get request variables without sanitization #2232

Merged: 10 commits, Oct 23, 2024
2 changes: 1 addition & 1 deletion src/Tribe/Settings.php
Expand Up @@ -1181,7 +1181,7 @@ public function validate() {
*/
protected function validate_field( $field_id, $field ) {
// Get the value.
$value = tribe_get_request_var( $field_id, null );
$value = tec_get_request_var_raw( $field_id, null );
$value = apply_filters( 'tribe_settings_validate_field_value', $value, $field_id, $field );

// Make sure it has validation set up for it, else do nothing.
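Review bot: the filter `tribe_settings_validate_field_value` now runs on the unsanitized value returned by `tec_get_request_var_raw()` instead of the sanitized one, so every callback hooked to that filter, and every validation branch further down in `validate_field()`, now receives raw request data. The reason for reading the raw value here is not visible in the hunk; add a comment above `$value = tec_get_request_var_raw( $field_id, null );` explaining why the sanitized read was dropped, and confirm in the PR that the per-field validation that follows sanitizes the value before it is persisted, since this line was previously the only place it happened.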
79 changes: 69 additions & 10 deletions src/functions/utils.php
Expand Up @@ -156,36 +156,95 @@ function tribe_exit( $status = '' ) {
* The variable being tested for can be an array if you wish to find a nested value.
*
* @since 4.9.17 Included explicit check against $_REQUEST.
* @since TBD Renamed from `tribe_get_request_var` to `tec_get_request_var`.
*
* @see Tribe__Utils__Array::get()
* @see tec_get_request_var()
*
* @param string|array $var
* @param mixed $default
* @param string|array $request_var The variable to check for.
* @param mixed $default_value The default value to return if the variable is not set.
*
* @return mixed
*/
function tribe_get_request_var( $var, $default = null ) {
function tribe_get_request_var( $request_var, $default_value = null ) {
return tec_get_request_var( $request_var, $default_value );
}
}

if ( ! function_exists( 'tec_get_request_var' ) ) {
/**
* Tests to see if the requested variable is set either as a post field or as a URL
* param and returns the value if so.
*
* Post data takes priority over fields passed in the URL query. If the field is not
* set then $default (null unless a different value is specified) will be returned.
*
* The variable being tested for can be an array if you wish to find a nested value.
*
* This function will sanitize the value before returning it.
*
* @since TBD
*
* @see Tribe__Utils__Array::get_in_any()
* @see tribe_sanitize_deep()
*
* @param string|array $request_var The variable to check for.
* @param mixed $default_value The default value to return if the variable is not set.
*
* @return mixed
*/
function tec_get_request_var( $request_var, $default_value = null ) {
$unsafe = tec_get_request_var_raw( $request_var, $default_value );

// Sanitize and return.
return tribe_sanitize_deep( $unsafe );
}
}

if ( ! function_exists( 'tec_get_request_var_raw' ) ) {
/**
* Tests to see if the requested variable is set either as a post field or as a URL
* param and returns the value if so.
*
* Post data takes priority over fields passed in the URL query. If the field is not
* set then $default (null unless a different value is specified) will be returned.
*
* The variable being tested for can be an array if you wish to find a nested value.
*
* This function will NOT sanitize the value before returning it.
*
* @since TBD
*
* @see Tribe__Utils__Array::get_in_any()
*
* @param string|array $request_var The variable to check for.
* @param mixed $default_value The default value to return if the variable is not set.
*
* @return mixed
*/
function tec_get_request_var_raw( $request_var, $default_value = null ) {
$requests = [];

// Prevent a slew of warnings every time we call this.
if ( isset( $_REQUEST ) ) {
$requests[] = (array) $_REQUEST;
$requests[] = (array) $_REQUEST; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing
}

if ( isset( $_GET ) ) {
$requests[] = (array) $_GET;
$requests[] = (array) $_GET; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing
}

if ( isset( $_POST ) ) {
$requests[] = (array) $_POST;
$requests[] = (array) $_POST; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing
}

if ( empty( $requests ) ) {
return $default;
return $default_value;
}

$unsafe = Tribe__Utils__Array::get_in_any( $requests, $var, $default );
return tribe_sanitize_deep( $unsafe );
$unsafe = Tribe__Utils__Array::get_in_any( $requests, $request_var, $default_value );

// Return the value as is.
return $unsafe;
}
}

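Review bot: `tec_get_request_var_raw()` silences `WordPress.Security.ValidatedSanitizedInput.InputNotSanitized` with a `phpcs:ignore` on each superglobal read and then returns the value unchanged, so callers get unsanitized input from an ordinary function return that phpcs will never flag; the docblock's one line "This function will NOT sanitize the value before returning it." should say explicitly that the caller is responsible for sanitizing or validating the value before it is stored, output or used in a query, and should carry `@see tec_get_request_var()` so readers are pointed at the safe variant. Also: the `tribe_get_request_var` docblock says the function was "Renamed from `tribe_get_request_var` to `tec_get_request_var`", but the hunk keeps it as a thin wrapper, so describe it as a wrapper and, if that is the intent, mark it `@deprecated`; both new docblocks still refer to "$default (null unless a different value is specified)" while the parameter is now `$default_value`; and the three `@since TBD` tags need a real version before merge.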