Add missing input var validation and sanitization

Also updates a whitelisting comment for points settings. While we might want to consider performing sanitization of some sort here in the future, it is no easy task when we are dealing with an arbitrarily deep array that might contain HTML snippets. See #324
WordPoints · May 2, 2015 · 16ce7c0 · 16ce7c0
1 parent ccd1a69
commit 16ce7c0
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/src/components/points/admin/includes/ajax.php b/src/components/points/admin/includes/ajax.php
@@ -38,11 +38,12 @@ function wordpoints_ajax_points_hooks_order() {
 	}
 
 	// Save hooks order for all points types.
-	if ( is_array( $_POST['points_types'] ) ) {
+	if ( isset( $_POST['points_types'] ) && is_array( $_POST['points_types'] ) ) {
 
 		$points_types_hooks = array();
+		$points_types = array_map( 'sanitize_text_field', $_POST['points_types'] );
 
-		foreach ( $_POST['points_types'] as $points_type => $hooks ) {
+		foreach ( $points_types as $points_type => $hooks ) {
 
 			$points_type_hooks = array();
 
@@ -181,7 +182,7 @@ function wordpoints_ajax_save_points_hook() {
 		$settings = false;
 
 		if ( isset( $_POST[ 'hook-' . $id_base ] ) && is_array( $_POST[ 'hook-' . $id_base ] ) ) {
-			$settings = wp_unslash( $_POST[ 'hook-' . $id_base ] ); // XSS pass WPCS.
+			$settings = wp_unslash( $_POST[ 'hook-' . $id_base ] ); // WPCS: sanitization OK.
 		}
 
 		$points_types_hooks = WordPoints_Points_Hooks::get_points_types_hooks();