Prevent shortcode execution in user input sanitization.

Added `strip_shortcodes` across various sanitization routines to ensure user inputs do not execute shortcodes. This enhances security by blocking unintended shortcode processing in fields such as text, email, URLs, and form descriptions.
This commit is contained in:
Mykyta Synelnikov
2025-06-24 17:16:28 +03:00
parent 524670ad53
commit a102d22ce1
2 changed files with 13 additions and 13 deletions
+10 -10
View File
@@ -857,10 +857,10 @@ if ( ! class_exists( 'um\core\Form' ) ) {
'allowfullscreen' => true,
);
}
$form[ $k ] = wp_kses( $form[ $k ], $allowed_html );
$form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), $allowed_html );
add_filter( 'wp_kses_allowed_html', array( &$this, 'wp_kses_user_desc' ), 10, 2 );
} else {
$form[ $k ] = sanitize_textarea_field( $form[ $k ] );
$form[ $k ] = sanitize_textarea_field( strip_shortcodes( $form[ $k ] ) );
}
break;
case 'oembed':
@@ -915,9 +915,9 @@ if ( ! class_exists( 'um\core\Form' ) ) {
}
}
$form[ $k ] = esc_url_raw( $v );
$form[ $k ] = esc_url_raw( strip_shortcodes( $v ) );
} else {
$form[ $k ] = esc_url_raw( $form[ $k ] );
$form[ $k ] = esc_url_raw( strip_shortcodes( $form[ $k ] ) );
}
break;
case 'password':
@@ -939,12 +939,12 @@ if ( ! class_exists( 'um\core\Form' ) ) {
case 'soundcloud_track':
case 'spotify':
case 'tel':
$form[ $k ] = sanitize_text_field( $form[ $k ] );
$form[ $k ] = sanitize_text_field( strip_shortcodes( $form[ $k ] ) );
break;
case 'multiselect':
case 'radio':
case 'checkbox':
$form[ $k ] = is_array( $form[ $k ] ) ? array_map( 'sanitize_text_field', $form[ $k ] ) : sanitize_text_field( $form[ $k ] );
$form[ $k ] = is_array( $form[ $k ] ) ? array_map( 'sanitize_text_field', array_map( 'strip_shortcodes', $form[ $k ] ) ) : sanitize_text_field( strip_shortcodes( $form[ $k ] ) );
break;
}
}
@@ -997,11 +997,11 @@ if ( ! class_exists( 'um\core\Form' ) ) {
'allowfullscreen' => true,
);
}
$form[ $description_key ] = wp_kses( $form[ $description_key ], $allowed_html );
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), $allowed_html );
add_filter( 'wp_kses_allowed_html', array( &$this, 'wp_kses_user_desc' ), 10, 2 );
} else {
$form[ $description_key ] = sanitize_textarea_field( $form[ $description_key ] );
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
}
}
}
@@ -1025,11 +1025,11 @@ if ( ! class_exists( 'um\core\Form' ) ) {
'allowfullscreen' => true,
);
}
$form[ $description_key ] = wp_kses( $form[ $description_key ], $allowed_html );
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), $allowed_html );
add_filter( 'wp_kses_allowed_html', array( &$this, 'wp_kses_user_desc' ), 10, 2 );
} else {
$form[ $description_key ] = sanitize_textarea_field( $form[ $description_key ] );
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
}
}
}
+3 -3
View File
@@ -329,11 +329,11 @@ function um_submit_account_details( $args ) {
}
if ( 'first_name' === $k || 'last_name' === $k || 'user_password' === $k ) {
$v = sanitize_text_field( $v );
$v = sanitize_text_field( strip_shortcodes( $v ) );
} elseif ( 'user_email' === $k ) {
$v = sanitize_email( $v );
$v = sanitize_email( strip_shortcodes( $v ) );
} elseif ( 'hide_in_members' === $k || 'um_show_last_login' === $k ) {
$v = array_map( 'sanitize_text_field', $v );
$v = array_map( 'sanitize_text_field', array_map( 'strip_shortcodes', $v ) );
}
$changes[ $k ] = $v;