add sanitize callbacks

includes/collection/class-followers.php

@@ -2,6 +2,7 @@
 namespace Activitypub\Collection;
 
 use WP_Error;
+use Exception;
 use WP_Term_Query;
 use Activitypub\Webfinger;
 use Activitypub\Model\Activity;
@@ -67,7 +68,9 @@ class Followers {
 			array(
 				'type'              => 'string',
 				'single'            => true,
-				//'sanitize_callback' => array( self::class, 'validate_displayname' ),
+				'sanitize_callback' => function( $value ) {
+					return sanitize_user( $value );
+				},
 			)
 		);
 
@@ -77,7 +80,9 @@ class Followers {
 			array(
 				'type'              => 'string',
 				'single'            => true,
-				//'sanitize_callback' => array( self::class, 'validate_username' ),
+				'sanitize_callback' => function( $value ) {
+					return sanitize_user( $value, true );
+				},
 			)
 		);
 
@@ -87,7 +92,13 @@ class Followers {
 			array(
 				'type'              => 'string',
 				'single'            => true,
-				//'sanitize_callback' => array( self::class, 'validate_avatar' ),
+				'sanitize_callback' => function( $value ) {
+					if ( filter_var( $value, FILTER_VALIDATE_URL ) === false ) {
+						return '';
+					}
+
+					return esc_url_raw( $value );
+				},
 			)
 		);
 
@@ -97,7 +108,29 @@ class Followers {
 			array(
 				'type'              => 'string',
 				'single'            => true,
-				//'sanitize_callback' => array( self::class, 'validate_inbox' ),
+				'sanitize_callback' => function( $value ) {
+					if ( filter_var( $value, FILTER_VALIDATE_URL ) === false ) {
+						throw new Exception( '"inbox" has to be a valid URL' );
+					}
+
+					return esc_url_raw( $value );
+				},
+			)
+		);
+
+		register_term_meta(
+			self::TAXONOMY,
+			'shared_inbox',
+			array(
+				'type'              => 'string',
+				'single'            => true,
+				'sanitize_callback' => function( $value ) {
+					if ( filter_var( $value, FILTER_VALIDATE_URL ) === false ) {
+						return null;
+					}
+
+					return esc_url_raw( $value );
+				},
 			)
 		);
 
@@ -107,7 +140,13 @@ class Followers {
 			array(
 				'type'              => 'string',
 				'single'            => true,
-				//'sanitize_callback' => array( self::class, 'validate_updated_at' ),
+				'sanitize_callback' => function( $value ) {
+					if ( ! is_numeric( $value ) && (int) $value !== $value ) {
+						$value = strtotime( 'now' );
+					}
+
+					return $value;
+				},
 			)
 		);
 

includes/model/class-follower.php

@@ -229,21 +229,21 @@ class Follower {
 
 		foreach ( $this->map_meta as $remote => $internal ) {
 			if ( ! empty( $meta[ $remote ] ) ) {
-				update_term_meta( $this->id, $internal, esc_html( $meta[ $remote ] ), true );
+				update_term_meta( $this->id, $internal, $meta[ $remote ], true );
 				$this->$internal = $meta[ $remote ];
 			}
 		}
 
 		if ( ! empty( $meta['icon']['url'] ) ) {
-			update_term_meta( $this->id, 'avatar', esc_url_raw( $meta['icon']['url'] ), true );
+			update_term_meta( $this->id, 'avatar', $meta['icon']['url'], true );
 			$this->avatar = $meta['icon']['url'];
 		}
 
 		if ( ! empty( $meta['endpoints']['sharedInbox'] ) ) {
-			update_term_meta( $this->id, 'shared_inbox', esc_url_raw( $meta['endpoints']['sharedInbox'] ), true );
+			update_term_meta( $this->id, 'shared_inbox', $meta['endpoints']['sharedInbox'], true );
 			$this->shared_inbox = $meta['endpoints']['sharedInbox'];
 		} elseif ( ! empty( $meta['inbox'] ) ) {
-			update_term_meta( $this->id, 'shared_inbox', esc_url_raw( $meta['inbox'] ), true );
+			update_term_meta( $this->id, 'shared_inbox', $meta['inbox'], true );
 			$this->shared_inbox = $meta['inbox'];
 		}