From 2bc27f08e28d0d6ae3b1f6e3960c11bf60b4f508 Mon Sep 17 00:00:00 2001
From: Daniel Weipert
Date: Fri, 25 Dec 2020 10:38:41 +0100
Subject: Fixing ajax array sanitization

---
 composer.json | 3 ++-
 src/class-draggable-post-order.php | 7 +++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/composer.json b/composer.json
index a3c1e6c..908af46 100644
--- a/composer.json
+++ b/composer.json
@@ -21,7 +21,8 @@
 },
 "scripts": {
 "test:unit": "phpunit",
- "test:cs": "phpcs"
+ "test:cs": "phpcs",
+ "format:cbf": "phpcbf"
 },
 "autoload": {
 "classmap": [
diff --git a/src/class-draggable-post-order.php b/src/class-draggable-post-order.php
index a976816..ee9156c 100644
--- a/src/class-draggable-post-order.php
+++ b/src/class-draggable-post-order.php
@@ -136,11 +136,10 @@ class Draggable_Post_Order {
 $page = intval( $_POST['page'] );
 $per_page = intval( $_POST['perPage'] );
 
- //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
- parse_str( $_POST['postOrder'], $post_order );
+ parse_str( sanitize_text_field( wp_unslash( $_POST['postOrder'] ) ), $post_order );
 
- foreach ( $post_order['post'] as $order => $post_id ) {
- $order = intval( $order ) + 1;
+ foreach ( $post_order['post'] as $idx => $post_id ) {
+ $order = intval( $idx ) + 1;
 update_post_meta( $post_id, self::$meta_key, ( ( $page - 1 ) * $per_page ) + $order );
 }
 }
-- 
cgit v1.2.3
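Review bot: The `$post_id` values that `parse_str()` produces still reach `update_post_meta()` unsanitized, and `$post_order['post']` is never checked to exist or to be an array, so a `postOrder` value without a `post[]` key (or with a scalar `post=`) makes the `foreach` warn on a non-array and the sanitized string gives no per-value guarantee. Sanitizing the raw query string only covers the string as a whole; each parsed ID needs its own cast (`absint( $post_id )`) plus a guard before the loop, as sketched below. Note also that `sanitize_text_field()` strips every `%xx` octet sequence, so if the client percent-encodes the brackets (`post%5B%5D=`, as `jQuery.param` and `URLSearchParams` do) the keys collapse to a scalar `post` and no order is saved — worth confirming against the JavaScript that builds `postOrder`. If no capability check precedes this code (the function's start is outside the hunk), a per-ID `current_user_can( 'edit_post', $post_id )` would also be warranted, since any post ID can be supplied in the request.
```php
parse_str( sanitize_text_field( wp_unslash( $_POST['postOrder'] ) ), $post_order );

if ( empty( $post_order['post'] ) || ! is_array( $post_order['post'] ) ) {
	return;
}

foreach ( $post_order['post'] as $idx => $post_id ) {
	$post_id = absint( $post_id );
	if ( ! $post_id ) {
		continue;
	}
	// … unchanged: compute $order and call update_post_meta() …
}
```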