Merge pull request #362 from skaut/meta-fix

marekdedic · web-flow · commit 6ae3f32c5ad9 · 2022-10-03T17:37:54.000+02:00
Fixed meta sanitization
diff --git a/src/php/src/utils/class-request-parameter-helpers.php b/src/php/src/utils/class-request-parameter-helpers.php
@@ -85,7 +85,7 @@ public static function post_int_variable( $name, $default = -1 ) {
 	 * @return mixed The POST variable value
 	 */
 	public static function post_meta_variable( $name, $meta_name, $default = '' ) {
-		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.NonceVerification.Missing
-		return isset( $_POST[ $name ] ) ? sanitize_meta( $meta_name, wp_unslash( strval( $_POST[ $name ] ) ), 'post' ) : $default;
+		// phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
+		return isset( $_POST[ $name ] ) ? sanitize_meta( $meta_name, $_POST[ $name ], 'post' ) : $default;
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ public static function post_int_variable( $name, $default = -1 ) {`
`85`	`85`	`* @return mixed The POST variable value`
`86`	`86`	`*/`
`87`	`87`	`public static function post_meta_variable( $name, $meta_name, $default = '' ) {`
`88`		`- // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.NonceVerification.Missing`
`89`		`- return isset( $_POST[ $name ] ) ? sanitize_meta( $meta_name, wp_unslash( strval( $_POST[ $name ] ) ), 'post' ) : $default;`
	`88`	`+ // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.MissingUnslash`
	`89`	`+ return isset( $_POST[ $name ] ) ? sanitize_meta( $meta_name, $_POST[ $name ], 'post' ) : $default;`
`90`	`90`	`}`
`91`	`91`	`}`