| author | Daniel Weipert <code@drogueronin.de> | 2020-12-25 10:38:41 +0100 | 
|---|---|---|
| committer | Daniel Weipert <code@drogueronin.de> | 2020-12-25 10:38:41 +0100 | 
| commit | 2bc27f08e28d0d6ae3b1f6e3960c11bf60b4f508 (patch) | |
| tree | 9cc64233566119d049226cfb21e6ed9ffc33bdbf | |
| parent | 3e0721eb5d64ef49b5e2d99f22195af8aef0fcb8 (diff) | |
Fixing ajax array sanitization
| -rw-r--r-- | composer.json | 3 | ||||
| -rw-r--r-- | src/class-draggable-post-order.php | 7 | 
2 files changed, 5 insertions, 5 deletions
diff --git a/composer.json b/composer.json
index a3c1e6c..908af46 100644
--- a/composer.json
+++ b/composer.json
@@ -21,7 +21,8 @@
     },
     "scripts": {
         "test:unit": "phpunit",
-        "test:cs": "phpcs"
+        "test:cs": "phpcs",
+        "format:cbf": "phpcbf"
     },
     "autoload": {
         "classmap": [
diff --git a/src/class-draggable-post-order.php b/src/class-draggable-post-order.php
index a976816..ee9156c 100644
--- a/src/class-draggable-post-order.php
+++ b/src/class-draggable-post-order.php
@@ -136,11 +136,10 @@ class Draggable_Post_Order {
 		$page     = intval( $_POST['page'] );
 		$per_page = intval( $_POST['perPage'] );
-        //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
-		parse_str( $_POST['postOrder'], $post_order );
+		parse_str( sanitize_text_field( wp_unslash( $_POST['postOrder'] ) ), $post_order );
-		foreach ( $post_order['post'] as $order => $post_id ) {
-			$order = intval( $order ) + 1;
+		foreach ( $post_order['post'] as $idx => $post_id ) {
+			$order = intval( $idx ) + 1;
 			update_post_meta( $post_id, self::$meta_key, ( ( $page - 1 ) * $per_page ) + $order );
 		}
 	}  | 
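Review bot: Applying `sanitize_text_field()` to the whole serialized `postOrder` string before `parse_str()` sanitizes the wrong layer: that helper strips percent-encoded octets and tags from raw text, so a client that sends the bracket keys encoded (`post%5B%5D=`) loses the `post` key entirely, while the values that do survive still reach `update_post_meta()` as an unvalidated `$post_id`. Sanitize after parsing, where each element has a known type: `parse_str( wp_unslash( $_POST['postOrder'] ), $post_order );` then `$post_ids = isset( $post_order['post'] ) ? array_map( 'absint', (array) $post_order['post'] ) : array();` and iterate `foreach ( $post_ids as $idx => $post_id )`, which also removes the undefined-index warning and foreach-over-null when `postOrder` is missing or malformed. The sniff that prompted this change will still flag the unwrapped `$_POST` read, so a targeted `// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- values are cast with absint() after parse_str()` is the accurate way to satisfy it rather than a sanitizer that alters the wire format. The method's opening, and whatever nonce or capability check precedes these writes, is outside the hunk, so I cannot confirm the request is authorised here.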
