From fd44b978cf6e16a3029010db74d464927dbf7f5f Mon Sep 17 00:00:00 2001 From: Mykyta Synelnikov Date: Mon, 19 Jan 2026 11:55:22 +0200 Subject: [PATCH] Refactor form sanitization to improve data handling. Changed `wp_kses` to utilize 'user_description' instead of dynamic HTML templates, ensuring stricter sanitization. Introduced a new filter, `um_sanitize_form_submission`, for extending form sanitization logic, and preserved the original input in `$submission_input` for additional context. --- includes/core/class-form.php | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/includes/core/class-form.php b/includes/core/class-form.php index a2bbc284..f3a82cf1 100644 --- a/includes/core/class-form.php +++ b/includes/core/class-form.php @@ -822,6 +822,7 @@ if ( ! class_exists( 'um\core\Form' ) ) { * @return array $form */ public function sanitize( $form ) { + $submission_input = $form; if ( isset( $form['form_id'] ) ) { if ( isset( $this->form_data['custom_fields'] ) ) { $custom_fields = maybe_unserialize( $this->form_data['custom_fields'] ); @@ -843,7 +844,7 @@ if ( ! class_exists( 'um\core\Form' ) ) { if ( ! empty( $field['html'] ) || ( UM()->profile()->get_show_bio_key( $form ) === $k && UM()->options()->get( 'profile_show_html_bio' ) ) ) { $form[ $k ] = html_entity_decode( $form[ $k ] ); // required because WP_Editor send sometimes encoded content. $form[ $k ] = self::maybe_apply_tidy( $form[ $k ], $field ); - $form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), UM()->get_allowed_html( 'templates' ) ); + $form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), 'user_description' ); } else { $form[ $k ] = sanitize_textarea_field( strip_shortcodes( $form[ $k ] ) ); } @@ -964,7 +965,7 @@ if ( ! class_exists( 'um\core\Form' ) ) { if ( ! empty( $custom_fields[ $description_key ]['html'] ) && $bio_html ) { $form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content. $form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], $custom_fields[ $description_key ] ); - $form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), UM()->get_allowed_html( 'templates' ) ); + $form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), 'user_description' ); } else { $form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) ); } @@ -975,7 +976,7 @@ if ( ! class_exists( 'um\core\Form' ) ) { if ( $bio_html ) { $form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content. $form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], array() ); - $form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), UM()->get_allowed_html( 'templates' ) ); + $form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), 'user_description' ); } else { $form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) ); } @@ -983,7 +984,7 @@ if ( ! class_exists( 'um\core\Form' ) ) { } } - return $form; + return apply_filters( 'um_sanitize_form_submission', $form, $submission_input ); } /**