Refactor form sanitization to improve data handling.

Changed `wp_kses` to utilize 'user_description' instead of dynamic HTML templates, ensuring stricter sanitization. Introduced a new filter, `um_sanitize_form_submission`, for extending form sanitization logic, and preserved the original input in `$submission_input` for additional context.
This commit is contained in:
Mykyta Synelnikov
2026-01-19 11:55:22 +02:00
parent 6299aa2503
commit fd44b978cf
+5 -4
View File
@@ -822,6 +822,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
* @return array $form * @return array $form
*/ */
public function sanitize( $form ) { public function sanitize( $form ) {
$submission_input = $form;
if ( isset( $form['form_id'] ) ) { if ( isset( $form['form_id'] ) ) {
if ( isset( $this->form_data['custom_fields'] ) ) { if ( isset( $this->form_data['custom_fields'] ) ) {
$custom_fields = maybe_unserialize( $this->form_data['custom_fields'] ); $custom_fields = maybe_unserialize( $this->form_data['custom_fields'] );
@@ -843,7 +844,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
if ( ! empty( $field['html'] ) || ( UM()->profile()->get_show_bio_key( $form ) === $k && UM()->options()->get( 'profile_show_html_bio' ) ) ) { if ( ! empty( $field['html'] ) || ( UM()->profile()->get_show_bio_key( $form ) === $k && UM()->options()->get( 'profile_show_html_bio' ) ) ) {
$form[ $k ] = html_entity_decode( $form[ $k ] ); // required because WP_Editor send sometimes encoded content. $form[ $k ] = html_entity_decode( $form[ $k ] ); // required because WP_Editor send sometimes encoded content.
$form[ $k ] = self::maybe_apply_tidy( $form[ $k ], $field ); $form[ $k ] = self::maybe_apply_tidy( $form[ $k ], $field );
$form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), UM()->get_allowed_html( 'templates' ) ); $form[ $k ] = wp_kses( strip_shortcodes( $form[ $k ] ), 'user_description' );
} else { } else {
$form[ $k ] = sanitize_textarea_field( strip_shortcodes( $form[ $k ] ) ); $form[ $k ] = sanitize_textarea_field( strip_shortcodes( $form[ $k ] ) );
} }
@@ -964,7 +965,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
if ( ! empty( $custom_fields[ $description_key ]['html'] ) && $bio_html ) { if ( ! empty( $custom_fields[ $description_key ]['html'] ) && $bio_html ) {
$form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content. $form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
$form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], $custom_fields[ $description_key ] ); $form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], $custom_fields[ $description_key ] );
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), UM()->get_allowed_html( 'templates' ) ); $form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), 'user_description' );
} else { } else {
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) ); $form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
} }
@@ -975,7 +976,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
if ( $bio_html ) { if ( $bio_html ) {
$form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content. $form[ $description_key ] = html_entity_decode( $form[ $description_key ] ); // required because WP_Editor send sometimes encoded content.
$form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], array() ); $form[ $description_key ] = self::maybe_apply_tidy( $form[ $description_key ], array() );
$form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), UM()->get_allowed_html( 'templates' ) ); $form[ $description_key ] = wp_kses( strip_shortcodes( $form[ $description_key ] ), 'user_description' );
} else { } else {
$form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) ); $form[ $description_key ] = sanitize_textarea_field( strip_shortcodes( $form[ $description_key ] ) );
} }
@@ -983,7 +984,7 @@ if ( ! class_exists( 'um\core\Form' ) ) {
} }
} }
return $form; return apply_filters( 'um_sanitize_form_submission', $form, $submission_input );
} }
/** /**