encrypt/gancio
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[WPGancio] Sanitize / validate input/output

Browse Source
This commit is contained in:
les
2021-07-04 00:45:17 +02:00
parent 8e53a1f26a
commit 7acd34f496
2 changed files with 19 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
wp-plugin/oauth.php
View File

@@ -4,16 +4,15 @@ defined( 'ABSPATH' ) or die( 'Nope, not accessing this' );
// eventorganizer / triggered after an event has been updated // eventorganizer / triggered after an event has been updated
// http://codex.wp-event-organiser.com/hook-eventorganiser_save_event.html // http://codex.wp-event-organiser.com/hook-eventorganiser_save_event.html
add_action('eventorganiser_save_event', 'wpgancio_save_event', 15); add_action('eventorganiser_save_event', 'wpgancio_save_event', 15);
add_action('wp_trash_post', 'delete_post', 15); add_action('wp_trash_post', 'wpgancio_delete_post', 15);
function delete_post ($post_id) { function wpgancio_delete_post ($post_id) {
$post = get_post($post_id); $post = get_post($post_id);
$instance_url = get_option('wpgancio_instance_url'); $instance_url = get_option('wpgancio_instance_url');
if ($post->post_type == 'event') { if ($post->post_type == 'event') {
$gancio_id = get_post_meta($post_id, 'gancio_id', TRUE); $gancio_id = get_post_meta($post_id, 'wpgancio_gancio_id', TRUE);
if ($gancio_id) { if ($gancio_id) {
$body['id'] = $gancio_id;
$http = _wp_http_get_object(); $http = _wp_http_get_object();
$response = $http->request( "${instance_url}/api/event/${gancio_id}", array( $response = $http->request( "${instance_url}/api/event/${gancio_id}", array(
'method' => 'DELETE', 'method' => 'DELETE',
@@ -28,7 +27,7 @@ function wpgancio_save_event ($post_id) {
$event = get_post( $post_id ); $event = get_post( $post_id );
function tagName ($tag) { function tagName ($tag) {
return $tag->name; return sanitize_title($tag->name);
} }
$tmp_tags = get_the_terms( $event, 'event-tag' ); $tmp_tags = get_the_terms( $event, 'event-tag' );
@@ -39,9 +38,9 @@ function wpgancio_save_event ($post_id) {
return; return;
} }
$gancio_id = get_post_meta($post_id, 'gancio_id', TRUE); $gancio_id = get_post_meta($post_id, 'wpgancio_gancio_id', TRUE);
// image_path // when
$date = eo_get_schedule_start( 'U', $post_id ); $date = eo_get_schedule_start( 'U', $post_id );
// get place details // get place details
@@ -62,7 +61,7 @@ function wpgancio_save_event ($post_id) {
// add image if specified // add image if specified
$image_url = get_the_post_thumbnail_url($post_id); $image_url = get_the_post_thumbnail_url($post_id);
if ($image_url) { if ($image_url) {
$body['image_url'] = $image_url; $body['image_url'] = esc_url($image_url);
} }
// update // update
@@ -84,10 +83,10 @@ function wpgancio_save_event ($post_id) {
} }
if ( is_wp_error( $response ) ) { if ( is_wp_error( $response ) ) {
$error_message = $response->get_error_message(); $error_message = esc_html($response->get_error_message());
echo "<div class='error notice'><p>${error_message}</p></div>"; echo "<div class='error notice'><p>${error_message}</p></div>";
return; return;
} }
$data = json_decode(wp_remote_retrieve_body($response)); $data = json_decode(wp_remote_retrieve_body($response));
update_post_meta($post_id, 'gancio_id', $data->id); update_post_meta($post_id, 'wpgancio_gancio_id', intval($data->id));
} }

19
wp-plugin/settings.php
View File

@@ -22,7 +22,7 @@ function wpgancio_update_options ($old_value, $instance_url) {
$redirect_uri = get_site_url(null, '/wp-admin/options-general.php?page=wpgancio' ); $redirect_uri = get_site_url(null, '/wp-admin/options-general.php?page=wpgancio' );
$query = join('&', array( $query = join('&', array(
'response_type=code', 'response_type=code',
'redirect_uri=' . esc_html($redirect_uri), 'redirect_uri=' . esc_url($redirect_uri),
'scope=event:write', 'scope=event:write',
'client_id=' . get_option('wpgancio_client_id'), 'client_id=' . get_option('wpgancio_client_id'),
)); ));
@@ -53,8 +53,8 @@ function wpgancio_instance_url_validate ($instance_url) {
$response->get_error_message()); $response->get_error_message());
} else { } else {
$data = json_decode( wp_remote_retrieve_body($response), true); $data = json_decode( wp_remote_retrieve_body($response), true);
update_option('wpgancio_client_secret', $data['client_secret']); update_option('wpgancio_client_secret', sanitize_key($data['client_secret']));
update_option('wpgancio_client_id', $data['client_id']); update_option('wpgancio_client_id', sanitize_key($data['client_id']));
return $instance_url; return $instance_url;
} }
} }
@@ -88,7 +88,7 @@ function wpgancio_instance_url_cb( $args ) {
name="wpgancio_instance_url"> name="wpgancio_instance_url">
<p class="description"> <p class="description">
<?php esc_html_e( 'Insert your gancio instance URL', 'wpgancio' ); ?> <?php esc_html( 'Insert your gancio instance URL', 'wpgancio' ); ?>
</p> </p>
<?php <?php
@@ -104,9 +104,7 @@ function wpgancio_options_page_html() {
if ( ! current_user_can( 'manage_options' ) ) { return; } if ( ! current_user_can( 'manage_options' ) ) { return; }
// show error/update messages // show error/update messages
//settings_errors( 'wpgancio_messages' ); $code = sanitize_key($_GET['code']);
$code = $_GET['code'];
if ( $code ) { if ( $code ) {
update_option('wpgancio_code', $code); update_option('wpgancio_code', $code);
$instance_url = get_option( 'wpgancio_instance_url' ); $instance_url = get_option( 'wpgancio_instance_url' );
@@ -127,8 +125,8 @@ function wpgancio_options_page_html() {
settings_errors( 'wpgancio_messages' ); settings_errors( 'wpgancio_messages' );
} else { } else {
$data = json_decode( wp_remote_retrieve_body($response), true); $data = json_decode( wp_remote_retrieve_body($response), true);
update_option('wpgancio_token', $data['access_token']); update_option('wpgancio_token', sanitize_key($data['access_token']));
update_option('wpgancio_refresh', $data['refresh_token']); update_option('wpgancio_refresh', sanitize_key($data['refresh_token']));
add_settings_error('wpgancio_messages', 'wpgancio_messages', 'Association completed!', 'success'); add_settings_error('wpgancio_messages', 'wpgancio_messages', 'Association completed!', 'success');
settings_errors( 'wpgancio_messages' ); settings_errors( 'wpgancio_messages' );
} }
@@ -141,11 +139,14 @@ function wpgancio_options_page_html() {
<h1><?php echo esc_html( get_admin_page_title() ); ?></h1> <h1><?php echo esc_html( get_admin_page_title() ); ?></h1>
<form action="options.php" method="post"> <form action="options.php" method="post">
<?php <?php
// output security fields for the registered setting "wpgancio" // output security fields for the registered setting "wpgancio"
settings_fields( 'wpgancio' ); settings_fields( 'wpgancio' );
// output setting sections and their fields // output setting sections and their fields
// (sections are registered for "wpgancio", each field is registered to a specific section) // (sections are registered for "wpgancio", each field is registered to a specific section)
do_settings_sections( 'wpgancio' ); do_settings_sections( 'wpgancio' );
// output save settings button // output save settings button
submit_button( 'Save Settings' ); submit_button( 'Save Settings' );
?> ?>