From 8a2826e07ee494fc3e5b5a57c03daf2ea1a87557 Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Fri, 27 Feb 2026 11:31:30 +0530
Subject: [PATCH 1/2] fix: prevent cross site scripting
---
 classes/Visualizer/Gutenberg/Block.php | 20 ++++++++++++--------
 classes/Visualizer/Module/Chart.php | 2 +-
 2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/classes/Visualizer/Gutenberg/Block.php b/classes/Visualizer/Gutenberg/Block.php
index af3b0ae9..91c56baa 100644
--- a/classes/Visualizer/Gutenberg/Block.php
+++ b/classes/Visualizer/Gutenberg/Block.php
@@ -596,12 +596,15 @@ public function update_chart_data( $data ) {
 		}
 		$chart_type = sanitize_text_field( $data['visualizer-chart-type'] );
 		$source_type = sanitize_text_field( $data['visualizer-source'] );
+		$default_data = (int) $data['visualizer-default-data'];
+		$series_data = map_deep( $data['visualizer-series'], 'sanitize_text_field' );
+		$settings_data = map_deep( $data['visualizer-settings'], 'sanitize_text_field' );
 		update_post_meta( $data['id'], Visualizer_Plugin::CF_CHART_TYPE, $chart_type );
 		update_post_meta( $data['id'], Visualizer_Plugin::CF_SOURCE, $source_type );
-		update_post_meta( $data['id'], Visualizer_Plugin::CF_DEFAULT_DATA, $data['visualizer-default-data'] );
-		update_post_meta( $data['id'], Visualizer_Plugin::CF_SERIES, $data['visualizer-series'] );
-		update_post_meta( $data['id'], Visualizer_Plugin::CF_SETTINGS, $data['visualizer-settings'] );
+		update_post_meta( $data['id'], Visualizer_Plugin::CF_DEFAULT_DATA, $default_data );
+		update_post_meta( $data['id'], Visualizer_Plugin::CF_SERIES, $series_data );
+		update_post_meta( $data['id'], Visualizer_Plugin::CF_SETTINGS, $settings_data );
 		if ( $data['visualizer-chart-url'] && $data['visualizer-chart-schedule'] >= 0 ) {
 			$chart_url = esc_url_raw( $data['visualizer-chart-url'] );
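Review bot: Sanitizing on write in update_chart_data() (which starts and ends outside this hunk) only affects values saved from now on; chart meta stored before this change keeps whatever was submitted, and the patch does not touch the path where CF_SETTINGS and CF_SERIES are rendered, so the XSS fix holds only if that output is escaped for its context (wp_json_encode / esc_attr / esc_html) regardless of what is stored, which is worth confirming since the render side is not in this diff. Separately, sanitize_text_field() is lossy for chart data: it strips anything shaped like a tag, entity-encodes a lone `<` and removes line breaks, so a series label such as `a<b` or a multi-line description is altered on save. The same applies to the map_deep() call at @@ -664 and, through sanitize_value(), to PATCH 2/2. Where a setting legitimately carries line breaks, `sanitize_textarea_field()` keeps them while still stripping tags.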
@@ -628,8 +631,8 @@ public function update_chart_data( $data ) {
 		}
 		if ( 'Visualizer_Source_Csv_Remote' === $source_type ) {
-			$schedule_url = $data['visualizer-chart-url'];
-			$schedule_id = $data['visualizer-chart-schedule'];
+			$schedule_url = esc_url_raw( $data['visualizer-chart-url'] );
+			$schedule_id = intval( $data['visualizer-chart-schedule'] );
 			update_post_meta( $data['id'], Visualizer_Plugin::CF_CHART_URL, $schedule_url );
 			update_post_meta( $data['id'], Visualizer_Plugin::CF_CHART_SCHEDULE, $schedule_id );
 		} else {
@@ -642,8 +645,8 @@ public function update_chart_data( $data ) {
 			$json_schedule = intval( $data['visualizer-json-schedule'] );
 			$json_url = esc_url_raw( $data['visualizer-json-url'] );
 			$json_headers = esc_url_raw( $data['visualizer-json-headers'] );
-			$json_root = $data['visualizer-json-root'];
-			$json_paging = $data['visualizer-json-paging'];
+			$json_root = sanitize_text_field( $data['visualizer-json-root'] );
+			$json_paging = sanitize_text_field( $data['visualizer-json-paging'] );
 			update_post_meta( $data['id'], Visualizer_Plugin::CF_JSON_SCHEDULE, $json_schedule );
 			update_post_meta( $data['id'], Visualizer_Plugin::CF_JSON_URL, $json_url );
@@ -664,7 +667,8 @@ public function update_chart_data( $data ) {
 		}
 		if ( Visualizer_Module::is_pro() ) {
-			update_post_meta( $data['id'], Visualizer_PRO::CF_PERMISSIONS, $data['visualizer-permissions'] );
+			$permissions_data = map_deep( $data['visualizer-permissions'], 'sanitize_text_field' );
+			update_post_meta( $data['id'], Visualizer_PRO::CF_PERMISSIONS, $permissions_data );
 		}
 		if ( $data['visualizer-chart-url'] ) {
diff --git a/classes/Visualizer/Module/Chart.php b/classes/Visualizer/Module/Chart.php
index 8bf503f6..78140ced 100644
--- a/classes/Visualizer/Module/Chart.php
+++ b/classes/Visualizer/Module/Chart.php
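Review bot: `esc_url_raw( $data['visualizer-chart-url'] )` only normalises the URL and, with no second argument, accepts every scheme in wp_allowed_protocols() (mailto, tel, ftp and others), yet the value is stored as CF_CHART_URL next to a schedule, so it is presumably fetched server-side later; passing the fetchable set, `esc_url_raw( $data['visualizer-chart-url'], array( 'http', 'https' ) )`, rejects the rest at the boundary. It does not vet the host at all, so any restriction on where the scheduled fetch may go still has to live on the fetch side (wp_safe_remote_get() or equivalent), which is not in this diff. The same unrestricted call appears as context at the end of the @@ -596 hunk and should use the same protocol list. update_chart_data() continues outside the hunk.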
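Review bot: The context line `$json_headers = esc_url_raw( $data['visualizer-json-headers'] );` predates this change, but it stands out now that the neighbouring json-root and json-paging values get sanitize_text_field(): if visualizer-json-headers carries request headers rather than a URL, esc_url_raw() will strip or rewrite characters that are legitimate in a header value and is not the right sanitizer for it. Worth confirming what that field holds and, if it is not a URL, sanitizing header names and values separately (sanitize_text_field() per part is the minimum). update_chart_data() continues outside the hunk.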
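Review bot: sanitize_text_field() on visualizer-permissions strips markup from the stored entries but does not validate them; these values presumably decide who may view or edit the chart, so the check that matters is an allow-list (role names checked with `wp_roles()->is_role( $role )`, user ids cast to int and checked with get_userdata()) rather than text cleaning, and no such validation is visible in this hunk. If the shape of visualizer-permissions is fixed, a one-line comment naming it next to the map_deep() call would help the next reader. PATCH 2/2 swaps the callback to sanitize_value() but keeps the same text-only treatment. update_chart_data() continues outside the hunk.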
@@ -379,7 +379,7 @@ public function getCharts() {
 	 *
 	 * @return array The array of chart data.
 	 */
-	private function _getChartArray( ?WP_Post $chart = null ) {
+	private function _getChartArray( $chart = null ) {
 		if ( is_null( $chart ) ) {
 			$chart = $this->_chart;
 		}
From 09c83bc54fbb518088e84093f856cb4e4d0a3b1d Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Fri, 27 Feb 2026 11:50:35 +0530
Subject: [PATCH 2/2] fix: improve data sanitization
---
 classes/Visualizer/Gutenberg/Block.php | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/classes/Visualizer/Gutenberg/Block.php b/classes/Visualizer/Gutenberg/Block.php
index 91c56baa..49868e66 100644
--- a/classes/Visualizer/Gutenberg/Block.php
+++ b/classes/Visualizer/Gutenberg/Block.php
@@ -597,8 +597,8 @@ public function update_chart_data( $data ) {
 		$chart_type = sanitize_text_field( $data['visualizer-chart-type'] );
 		$source_type = sanitize_text_field( $data['visualizer-source'] );
 		$default_data = (int) $data['visualizer-default-data'];
-		$series_data = map_deep( $data['visualizer-series'], 'sanitize_text_field' );
-		$settings_data = map_deep( $data['visualizer-settings'], 'sanitize_text_field' );
+		$series_data = map_deep( $data['visualizer-series'], array( $this, 'sanitize_value' ) );
+		$settings_data = map_deep( $data['visualizer-settings'], array( $this, 'sanitize_value' ) );
 		update_post_meta( $data['id'], Visualizer_Plugin::CF_CHART_TYPE, $chart_type );
 		update_post_meta( $data['id'], Visualizer_Plugin::CF_SOURCE, $source_type );
@@ -667,7 +667,7 @@ public function update_chart_data( $data ) {
 		}
 		if ( Visualizer_Module::is_pro() ) {
-			$permissions_data = map_deep( $data['visualizer-permissions'], 'sanitize_text_field' );
+			$permissions_data = map_deep( $data['visualizer-permissions'], array( $this, 'sanitize_value' ) );
 			update_post_meta( $data['id'], Visualizer_PRO::CF_PERMISSIONS, $permissions_data );
 		}
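Review bot: Dropping `?WP_Post` from _getChartArray() removes the only check that $chart is a post object before the body reads its properties, and nothing in the hunk replaces it; if the hint went because nullable types need PHP 7.1 or because a caller passes something else, that reason belongs in the docblock, whose visible part here is only the `@return` line. Keep the contract documented above it with `@param WP_Post|null $chart Chart post; null falls back to $this->_chart.`, and if callers are always expected to pass a post, an `if ( ! $chart instanceof WP_Post )` guard in the body restores what the type hint provided. The method body continues past the hunk.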
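Review bot: `array( $this, 'sanitize_value' )` will fail at runtime because sanitize_value() is declared `private` in the @@ -867 hunk: map_deep() is a global WordPress function, and when it reaches a scalar it invokes the callback through call_user_func() from outside the class scope, which cannot see a private method and throws a TypeError ("cannot access private method"), unless the class defines __call, which is not visible here. The fix belongs to the definition, `public function sanitize_value( $value ) {`; an alternative that keeps it private is passing a closure created inside the class, which carries the class scope. The same callable is used at @@ -667 in this patch. update_chart_data() starts and ends outside the hunk.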
@@ -867,4 +867,18 @@ public function add_rest_query_vars( $args, \WP_REST_Request $request ) {
 		}
 		return $args;
 	}
+
+	/**
+	 * Sanitize value.
+	 *
+	 * @param mixed $value The value to sanitize.
+	 * @return mixed Sanitized value.
+	 */
+	private function sanitize_value( $value ) {
+		if ( is_string( $value ) ) {
+			return sanitize_text_field( $value );
+		}
+
+		return $value;
+	}
 }
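Review bot: The docblock on sanitize_value() restates its name instead of its contract, which matters because callers only reach it as a map_deep() callback; it should say that strings go through sanitize_text_field() while ints, floats, bools and null are returned unchanged so typed settings keep their type, and that arrays and objects never arrive here because map_deep() recurses into them first. It should also note that sanitize_text_field() strips tag-like spans, entity-encodes a lone `<` and removes line breaks, so a stored value can differ from what was submitted; that is the intended trade-off, but the next maintainer should not discover it from a bug report. The `@return mixed` is accurate but could be narrowed in prose to "same type as $value".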