From 0ee1266c30cb292fbab25485ac8f82aaa492d8c7 Mon Sep 17 00:00:00 2001
From: Matthias Pfefferle
Date: Wed, 26 Apr 2023 17:23:28 +0200
Subject: [PATCH] add sanitize callbacks
---
 includes/collection/class-followers.php | 49 ++++++++++++++++++++++---
 includes/model/class-follower.php | 8 ++--
 2 files changed, 48 insertions(+), 9 deletions(-)
diff --git a/includes/collection/class-followers.php b/includes/collection/class-followers.php
index 98971b9..f520702 100644
--- a/includes/collection/class-followers.php
+++ b/includes/collection/class-followers.php
@@ -2,6 +2,7 @@
 namespace Activitypub\Collection;
 use WP_Error;
+use Exception;
 use WP_Term_Query;
 use Activitypub\Webfinger;
 use Activitypub\Model\Activity;
@@ -67,7 +68,9 @@ class Followers {
 array(
 'type' => 'string',
 'single' => true,
- //'sanitize_callback' => array( self::class, 'validate_displayname' ),
+ 'sanitize_callback' => function( $value ) {
+ return sanitize_user( $value );
+ },
 )
 );
@@ -77,7 +80,9 @@ class Followers {
 array(
 'type' => 'string',
 'single' => true,
- //'sanitize_callback' => array( self::class, 'validate_username' ),
+ 'sanitize_callback' => function( $value ) {
+ return sanitize_user( $value, true );
+ },
 )
 );
@@ -87,7 +92,13 @@ class Followers {
 array(
 'type' => 'string',
 'single' => true,
- //'sanitize_callback' => array( self::class, 'validate_avatar' ),
+ 'sanitize_callback' => function( $value ) {
+ if ( filter_var( $value, FILTER_VALIDATE_URL ) === false ) {
+ return '';
+ }
+
+ return esc_url_raw( $value );
+ },
 )
 );
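Review bot: `sanitize_user()` in the `name` callback is WordPress's login-name sanitizer, not a free-text one: it runs `remove_accents()`, deletes every `%xx` sequence and every `&…;` entity and collapses whitespace, so a remote display name such as `Jürgen` is stored as `Jurgen` — altered, not cleaned. `sanitize_text_field()` is the function for a text field and leaves legitimate non-ASCII letters alone: `return sanitize_text_field( $value );`. Either way this is sanitization, not escaping; with `esc_html()` removed from the write path in class-follower.php by this commit, every template that prints the name must now `esc_html()` it at output time.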
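Review bot: `sanitize_user( $value, true )` on the `username` field rewrites an identifier instead of validating it: strict mode silently drops every character outside `[a-z0-9 _.\-@]`, so a remote `preferredUsername` containing anything else is stored as a different, shorter name, and two distinct remote usernames can collapse onto the same stored value. If the stored username is later used to look up or address the actor (its readers are outside this patch), that is an identity mix-up rather than a cleanup. Rejecting is safer than mutating, and matches how the `avatar` callback signals a bad value: `$clean = sanitize_user( $value, true ); return ( $clean === $value ) ? $value : '';`.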
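Review bot: The `avatar` callback still admits URLs an `<img src>` should never carry: `FILTER_VALIDATE_URL` accepts any scheme that has a host (and `mailto:`/`news:`/`file:` without one), and `esc_url_raw()` then passes everything in `wp_allowed_protocols()`, so `mailto:`, `news:` and `ftp:` values from a remote actor document are stored as valid avatars. Allow-list the two schemes an avatar can actually use: `return esc_url_raw( $value, array( 'http', 'https' ) );`. If the avatar is ever fetched server-side rather than only embedded (not visible here), prefer `wp_http_validate_url()`, which also rejects loopback and RFC 1918 hosts.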
@@ -97,7 +108,29 @@ class Followers {
 array(
 'type' => 'string',
 'single' => true,
- //'sanitize_callback' => array( self::class, 'validate_inbox' ),
+ 'sanitize_callback' => function( $value ) {
+ if ( filter_var( $value, FILTER_VALIDATE_URL ) === false ) {
+ throw new Exception( '"inbox" has to be a valid URL' );
+ }
+
+ return esc_url_raw( $value );
+ },
+ )
+ );
+
+ register_term_meta(
+ self::TAXONOMY,
+ 'shared_inbox',
+ array(
+ 'type' => 'string',
+ 'single' => true,
+ 'sanitize_callback' => function( $value ) {
+ if ( filter_var( $value, FILTER_VALIDATE_URL ) === false ) {
+ return null;
+ }
+
+ return esc_url_raw( $value );
+ },
 )
 );
@@ -107,7 +140,13 @@ class Followers {
 array(
 'type' => 'string',
 'single' => true,
- //'sanitize_callback' => array( self::class, 'validate_updated_at' ),
+ 'sanitize_callback' => function( $value ) {
+ if ( ! is_numeric( $value ) && (int) $value !== $value ) {
+ $value = strtotime( 'now' );
+ }
+
+ return $value;
+ },
 )
 );
diff --git a/includes/model/class-follower.php b/includes/model/class-follower.php
index 84c6b0a..f3f8f7b 100644
--- a/includes/model/class-follower.php
+++ b/includes/model/class-follower.php
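Review bot: The `inbox` callback throws a bare `Exception`, but `update_metadata()` runs `sanitize_callback` with no handler, so a remote actor document whose `inbox` is not a URL surfaces as an uncaught exception at the `update_term_meta()` call sites in class-follower.php — a fatal a remote peer can provoke with a crafted Follow — unless some caller outside this patch catches it. Returning `''` as the `avatar` callback does, and having the caller refuse to store a follower with an empty inbox, keeps the failure in normal control flow; the new `shared_inbox` callback's `return null;` should then also become `return ''` so the three URL fields fail the same way instead of three different ways. Separately, `inbox`/`shared_inbox` are presumably the endpoints this server will POST to, and `FILTER_VALIDATE_URL` plus `esc_url_raw()` still admit non-http(s) schemes and loopback or RFC 1918 hosts; `wp_http_validate_url()` rejects both, but since it resolves the hostname it belongs at delivery time (`'reject_unsafe_urls' => true` on the request) rather than inside a sanitize callback.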
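Review bot: In the `updated_at` callback the clause `(int) $value !== $value` is dead: it is only reached when `is_numeric( $value )` is false, and a non-numeric value can never be identical to its integer cast, so the whole condition is just `! is_numeric( $value )`. `is_numeric()` also accepts `'1.5'`, `'1e3'` and leading whitespace, which are then stored verbatim, and `strtotime( 'now' )` is simply `time()`. If the field is a Unix timestamp, `if ( ! is_numeric( $value ) ) { return time(); } return (int) $value;` pins the stored form; if the remote value can be an ISO-8601 `updated` string (its source is outside this patch), every such value is silently replaced by the current time, which is worth confirming.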
@@ -229,21 +229,21 @@ class Follower {
 foreach ( $this->map_meta as $remote => $internal ) {
 if ( ! empty( $meta[ $remote ] ) ) {
- update_term_meta( $this->id, $internal, esc_html( $meta[ $remote ] ), true );
+ update_term_meta( $this->id, $internal, $meta[ $remote ], true );
 $this->$internal = $meta[ $remote ];
 }
 }
 if ( ! empty( $meta['icon']['url'] ) ) {
- update_term_meta( $this->id, 'avatar', esc_url_raw( $meta['icon']['url'] ), true );
+ update_term_meta( $this->id, 'avatar', $meta['icon']['url'], true );
 $this->avatar = $meta['icon']['url'];
 }
 if ( ! empty( $meta['endpoints']['sharedInbox'] ) ) {
- update_term_meta( $this->id, 'shared_inbox', esc_url_raw( $meta['endpoints']['sharedInbox'] ), true );
+ update_term_meta( $this->id, 'shared_inbox', $meta['endpoints']['sharedInbox'], true );
 $this->shared_inbox = $meta['endpoints']['sharedInbox'];
 } elseif ( ! empty( $meta['inbox'] ) ) {
- update_term_meta( $this->id, 'shared_inbox', esc_url_raw( $meta['inbox'] ), true );
+ update_term_meta( $this->id, 'shared_inbox', $meta['inbox'], true );
 $this->shared_inbox = $meta['inbox'];
 }
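Review bot: After every `update_term_meta()` in this hunk the object property is assigned the raw remote value (`$this->$internal = $meta[ $remote ];`, `$this->avatar = $meta['icon']['url'];`, `$this->shared_inbox = …`), so the sanitize callbacks this commit moves the escaping into only protect the database row; the in-memory `Follower`, and anything that reads it during the same request, still holds unsanitized actor data, including an avatar URL the callback would have reduced to `''`. Running the value through the registered callback first keeps the two in step: `$value = sanitize_meta( $internal, $meta[ $remote ], 'term', Followers::TAXONOMY ); update_term_meta( $this->id, $internal, $value ); $this->$internal = $value;` (same pattern for `avatar` and `shared_inbox`). Also, the fourth argument of `update_term_meta()` is `$prev_value`, not a uniqueness flag: passing `true` appears to make every update after the first insert match only rows whose current value is `1`, so later changes to name, avatar or inbox would silently fail to persist — worth confirming against `update_metadata()`. The enclosing method's signature and end lie outside this hunk.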