Safer vars

Author: lloc

MultisiteLanguageSwitcher.php

@@ -76,6 +76,7 @@ function get_the_msls( $attr ): string {
 	 * @param string[] $arr
 	 */
 	function the_msls( array $arr = array() ): void {
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		echo get_the_msls( $arr );
 	}
 

includes/ContentImport/ContentImporter.php

@@ -9,6 +9,7 @@
 use lloc\Msls\MslsMain;
 use lloc\Msls\MslsOptionsPost;
 use lloc\Msls\MslsRegistryInstance;
+use lloc\Msls\MslsRequest;
 
 /**
  * Class ContentImporter
@@ -166,11 +167,12 @@ protected function pre_flight_check( array $data = array() ) {
 	 * @return array|bool
 	 */
 	public function parse_sources() {
-		if ( ! isset( $_POST['msls_import'] ) ) {
+		if ( ! MslsRequest::has_var( 'msls_import' ) ) {
 			return false;
 		}
 
-		$import_data = array_filter( explode( '|', trim( $_POST['msls_import'] ) ), 'is_numeric' );
+		$msls_import = MslsRequest::get_var( 'msls_import' );
+		$import_data = array_filter( explode( '|', trim( $msls_import ) ), 'is_numeric' );
 
 		if ( count( $import_data ) !== 2 ) {
 			return false;
@@ -195,8 +197,9 @@ protected function get_the_blog_post_ID( $blog_id ) {
 			return $id;
 		}
 
-		if ( isset( $_REQUEST['post'] ) && filter_var( $_REQUEST['post'], FILTER_VALIDATE_INT ) ) {
-			return (int) $_REQUEST['post'];
+		$request = MslsRequest::get_request( array( 'post' ) );
+		if ( ! empty( $request['post'] ) ) {
+			return (int) $request['post'];
 		}
 
 		$data = array(

includes/ContentImport/Importers/WithRequestPostAttributes.php

@@ -10,6 +10,8 @@
 
 namespace lloc\Msls\ContentImport\Importers;
 
+use lloc\Msls\MslsRequest;
+
 /**
  * Trait WithRequestPostAttributes
  *
@@ -24,14 +26,11 @@ trait WithRequestPostAttributes {
 	 * @param string $default The default post type to return if none is specified in the `$_REQUEST` super-global.
 	 *
 	 * @return string Either the post type read from the `$_REQUEST` super-global, or the default value.
-	 * @since TBD
-	 *
+\    *
 	 */
 	protected function read_post_type_from_request( $default = 'post' ) {
-		if ( ! isset( $_REQUEST['post_type'] ) ) {
-			return $default;
-		}
+		$request = MslsRequest::get_request( array( 'post_type' ), $default );
 
-		return filter_var( $_REQUEST['post_type'], FILTER_SANITIZE_FULL_SPECIAL_CHARS ) ?: 'post';
+		return $request['post_type'];
 	}
 }

includes/ContentImport/MetaBox.php

@@ -121,7 +121,7 @@ protected function inline_thickbox_html( $echo = true, array $data = array() ):
 		?>
 		<div style="display: none;" id="msls-import-dialog-<?php echo esc_attr( $slug ); ?>">
 			<h3><?php esc_html_e( 'Select what should be imported and how', 'multisite-language-switcher' ); ?></h3>
-			<form action="<?php echo add_query_arg( array() ); ?>" method="post">
+			<form action="<?php echo esc_url( add_query_arg( array() ) ); ?>" method="post">
 				<?php wp_nonce_field( MslsPlugin::path(), 'msls_noncename' ); ?>
 				<?php foreach ( $data as $key => $value ) : ?>
 					<input type="hidden" name="<?php echo esc_attr( $key ); ?>" value="<?php echo esc_attr( $value ); ?>">
@@ -172,7 +172,7 @@ protected function inline_thickbox_html( $echo = true, array $data = array() ):
 		$html = ob_get_clean();
 
 		if ( $echo ) {
-			echo $html;
+			echo wp_kses_post( $html );
 		}
 
 		return $html;

includes/MslsFields.php

@@ -13,6 +13,8 @@ class MslsFields {
 	const FIELD_MSLS_NONCENAME = 'msls_noncename';
 	const FIELD_MSLS_ID        = 'msls_id';
 	const FIELD_MSLS_LANG      = 'msls_lang';
+	const FIELD_MSLS_IMPORT    = 'msls_import';
+	const FIELD_POST           = 'post';
 
 	const CONFIG = array(
 		self::FIELD_BLOG_ID        => array(
@@ -51,5 +53,13 @@ class MslsFields {
 			INPUT_GET,
 			FILTER_SANITIZE_FULL_SPECIAL_CHARS,
 		),
+		self::FIELD_MSLS_IMPORT    => array(
+			INPUT_POST,
+			FILTER_SANITIZE_FULL_SPECIAL_CHARS,
+		),
+		self::FIELD_POST           => array(
+			INPUT_GET,
+			FILTER_SANITIZE_NUMBER_INT,
+		),
 	);
 }

includes/MslsMetaBox.php

@@ -222,7 +222,8 @@ public function render_select(): void {
 				restore_current_blog();
 			}
 
-			printf( '<ul>%s</ul>', $lis );
+            // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+			echo ( new Wrapper( 'ul', $lis ) )->render();
 
 			$post = $temp;
 		} else {