- sanitizing variables in wp-admin classes;

This commit is contained in:
nikitasinelnikov
2020-02-28 15:51:45 +02:00
parent e0e6030b46
commit 0aab9853d9
14 changed files with 1045 additions and 992 deletions
+31 -19
View File
@@ -183,16 +183,20 @@ if ( ! class_exists( 'um\admin\Admin' ) ) {
* @param $action
*/
function duplicate_form( $action ) {
if ( ! is_admin() || ! current_user_can('manage_options') ) die();
if ( ! isset( $_REQUEST['post_id'] ) || ! is_numeric( $_REQUEST['post_id'] ) ) die();
if ( ! is_admin() || ! current_user_can('manage_options') ) {
die();
}
if ( ! isset( $_REQUEST['post_id'] ) || ! is_numeric( $_REQUEST['post_id'] ) ) {
die();
}
$post_id = $_REQUEST['post_id'];
$post_id = absint( $_REQUEST['post_id'] );
$n = array(
'post_type' => 'um_form',
'post_title' => sprintf( __( 'Duplicate of %s', 'ultimate-member' ), get_the_title( $post_id ) ),
'post_status' => 'publish',
'post_author' => get_current_user_id(),
'post_type' => 'um_form',
'post_title' => sprintf( __( 'Duplicate of %s', 'ultimate-member' ), get_the_title( $post_id ) ),
'post_status' => 'publish',
'post_author' => get_current_user_id(),
);
$n_id = wp_insert_post( $n );
@@ -210,10 +214,10 @@ if ( ! class_exists( 'um\admin\Admin' ) ) {
}
delete_post_meta($n_id, '_um_core');
delete_post_meta( $n_id, '_um_core' );
$url = admin_url('edit.php?post_type=um_form');
$url = add_query_arg('update','form_duplicated',$url);
$url = admin_url( 'edit.php?post_type=um_form' );
$url = add_query_arg( 'update', 'form_duplicated', $url );
exit( wp_redirect( $url ) );
@@ -241,13 +245,19 @@ if ( ! class_exists( 'um\admin\Admin' ) ) {
* @param $action
*/
function user_action( $action ) {
if ( !is_admin() || !current_user_can( 'edit_users' ) ) die();
if ( !isset( $_REQUEST['sub'] ) ) die();
if ( !isset($_REQUEST['user_id']) ) die();
if ( ! is_admin() || ! current_user_can( 'edit_users' ) ) {
die();
}
if ( ! isset( $_REQUEST['sub'] ) ) {
die();
}
if ( ! isset( $_REQUEST['user_id'] ) ) {
die();
}
um_fetch_user( $_REQUEST['user_id'] );
um_fetch_user( absint( $_REQUEST['user_id'] ) );
$subaction = $_REQUEST['sub'];
$subaction = sanitize_key( $_REQUEST['sub'] );
/**
* UM hook
@@ -268,7 +278,7 @@ if ( ! class_exists( 'um\admin\Admin' ) ) {
* }
* ?>
*/
do_action( "um_admin_user_action_hook", $subaction );
do_action( 'um_admin_user_action_hook', $subaction );
/**
* UM hook
*
@@ -290,7 +300,7 @@ if ( ! class_exists( 'um\admin\Admin' ) ) {
um_reset_user();
wp_redirect( add_query_arg( 'update', 'user_updated', admin_url('?page=ultimatemember') ) );
wp_redirect( add_query_arg( 'update', 'user_updated', admin_url( '?page=ultimatemember' ) ) );
exit;
}
@@ -317,6 +327,8 @@ if ( ! class_exists( 'um\admin\Admin' ) ) {
*/
function admin_init() {
if ( is_admin() && current_user_can( 'manage_options' ) && ! empty( $_REQUEST['um_adm_action'] ) ) {
$action = sanitize_key( $_REQUEST['um_adm_action'] );
/**
* UM hook
*
@@ -336,7 +348,7 @@ if ( ! class_exists( 'um\admin\Admin' ) ) {
* }
* ?>
*/
do_action( "um_admin_do_action__", $_REQUEST['um_adm_action'] );
do_action( 'um_admin_do_action__', $action );
/**
* UM hook
*
@@ -356,7 +368,7 @@ if ( ! class_exists( 'um\admin\Admin' ) ) {
* }
* ?>
*/
do_action( "um_admin_do_action__{$_REQUEST['um_adm_action']}", $_REQUEST['um_adm_action'] );
do_action( "um_admin_do_action__{$action}", $action );
}
}