mirror of
https://github.com/10h30/ultimatemember.git
synced 2026-07-11 18:56:10 +09:00
Refactor form sanitization to improve data handling.
Changed `wp_kses` to utilize 'user_description' instead of dynamic HTML templates, ensuring stricter sanitization. Introduced a new filter, `um_sanitize_form_submission`, for extending form sanitization logic, and preserved the original input in `$submission_input` for additional context.
This commit is contained in:
@@ -822,6 +822,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
|||||||
* @return array $form
|
* @return array $form
|
||||||
*/
|
*/
|
||||||
public function sanitize( $form ) {
|
public function sanitize( $form ) {
|
||||||
|
$submission_input = $form;
|
||||||
if ( isset( $form['form_id'] ) ) {
|
if ( isset( $form['form_id'] ) ) {
|
||||||
if ( isset( $this->form_data['custom_fields'] ) ) {
|
if ( isset( $this->form_data['custom_fields'] ) ) {
|
||||||
$custom_fields = maybe_unserialize( $this->form_data['custom_fields'] );
|
$custom_fields = maybe_unserialize( $this->form_data['custom_fields'] );
|
||||||
@@ -843,7 +844,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
|||||||
if ( ! empty( $field['html'] ) || ( UM()->profile()->get_show_bio_key( $form ) === $k && UM()->options()->get( 'profile_show_html_bio' ) ) ) {
|
if ( ! empty( $field['html'] ) || ( UM()->profile()->get_show_bio_key( $form ) === $k && UM()->options()->get( 'profile_show_html_bio' ) ) ) {
|
||||||
$form[ $k ] = html_entity_decode( $form[ $k ] ); // required because WP_Editor send sometimes encoded content.
|
$form[ $k ] = html_entity_decode( $form[ $k ] ); // required because WP_Editor send sometimes encoded content.
|
||||||
$form[ $k ] = self::maybe_apply_tidy( $form[ $k ], $field );
|
$form[ $k ] = self::maybe_apply_tidy( $form[ $k ], $field );
|
||||||
$form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), UM()->get_allowed_html( 'templates' ) );
|
$form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), 'user_description' );
|
||||||
} else {
|
} else {
|
||||||
$form[ $k ] = sanitize_textarea_field( strip_shortcodes( $form[ $k ] ) );
|
$form[ $k ] = sanitize_textarea_field( strip_shortcodes( $form[ $k ] ) );
|
||||||
}
|
}
|
||||||
@@ -964,7 +965,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
|||||||
if ( ! empty( $custom_fields[ $description_key ]['html'] ) && $bio_html ) {
|
if ( ! empty( $custom_fields[ $description_key ]['html'] ) && $bio_html ) {
|
||||||
$form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
|
$form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
|
||||||
$form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], $custom_fields[ $description_key ] );
|
$form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], $custom_fields[ $description_key ] );
|
||||||
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), UM()->get_allowed_html( 'templates' ) );
|
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), 'user_description' );
|
||||||
} else {
|
} else {
|
||||||
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
|
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
|
||||||
}
|
}
|
||||||
@@ -975,7 +976,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
|||||||
if ( $bio_html ) {
|
if ( $bio_html ) {
|
||||||
$form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
|
$form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
|
||||||
$form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], array() );
|
$form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], array() );
|
||||||
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), UM()->get_allowed_html( 'templates' ) );
|
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), 'user_description' );
|
||||||
} else {
|
} else {
|
||||||
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
|
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
|
||||||
}
|
}
|
||||||
@@ -983,7 +984,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return $form;
|
return apply_filters( 'um_sanitize_form_submission', $form, $submission_input );
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
Reference in New Issue
Block a user