
Commit c2c8532

committed
Sanitized POST
1 parent 7b048b9 commit c2c8532

1 file changed

+9
-9
lines changed


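--- a/trelire.php
+++ b/trelire.php
@@ -5,7 +5,7 @@
 * Version: 1.0.0
 * Author: Simone Montali @ Caffeina
 * Author URI: https://caffeina.com/
-* Plugin URI: https://github.com/simmontali/trelire
+* Plugin URI: https://github.com/caffeinalab/trelire
 */
 
 
@@ -17,23 +17,23 @@ function trel_check_admin_post()
 {
 $retrieved_nonce = $_REQUEST['_wpnonce'];
 if (!wp_verify_nonce($retrieved_nonce, 'trel_send_mail')) die('Failed security check');
-if (isset($_POST['to']) && isset($_POST['mail_content'])) {
-$to = explode(',', $_POST['to']);
+if (!empty(sanitize_text_field($_POST['to'])) && !empty(sanitize_text_field($_POST['mail_content']))) {
+$to = explode(',', sanitize_text_field($_POST['to']));
 $to = trel_email_array_validator($to);
-if (preg_match('/^(text\/plain|text\/html)$/', $_POST['content-type']))
-$content_type = $_POST['content-type'];
+if (preg_match('/^(text\/plain|text\/html)$/', sanitize_text_field($_POST['content-type'])))
+$content_type = sanitize_text_field($_POST['content-type']);
 else
 $content_type = 'text/plain';
 $from = sanitize_email($_POST['from']);
-$reply_to=sanitize_email($_POST['reply-to']);
-$cc = explode(',', $_POST['cc']);
+$reply_to = sanitize_email($_POST['reply-to']);
+$cc = explode(',', sanitize_text_field($_POST['cc']));
 $cc = trel_email_array_validator($cc);
-$bcc = explode(',', $_POST['bcc']);
+$bcc = explode(',', sanitize_text_field($_POST['bcc']));
 $bcc = trel_email_array_validator($bcc);
 $subject = sanitize_text_field($_POST['subject']);
 $message = wp_kses_post($_POST['mail_content']);
 $attachments = [];
-$inserted_attachments = (!empty($_POST['attachment'])) ? explode(',', $_POST['attachment']) : '';
+$inserted_attachments = (!empty(sanitize_text_field($_POST['attachment']))) ? explode(',', sanitize_text_field($_POST['attachment'])) : '';
 if (is_array($inserted_attachments)) {
 foreach ($inserted_attachments as $inserted_attachment) {
 $attachments[] = get_attached_file(intval($inserted_attachment));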
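Review bot: The new guard at line 20, `!empty(sanitize_text_field($_POST['to']))`, drops the presence check the old `isset()` provided, because `empty()` only suppresses the undefined-key diagnostic on a direct array read, not on a function call whose argument reads the key — a request without `to` or `mail_content` now raises an "Undefined array key" warning before the guard evaluates. The same direct reads are introduced on the new `$_POST['content-type']`, `$_POST['cc']`, `$_POST['bcc']` and `$_POST['attachment']` lines, none of which is covered by the outer guard. A defaulted read keeps the sanitization while restoring the missing-key safety: `if (!empty($_POST['to']) && !empty($_POST['mail_content'])) {` for the guard, and `sanitize_text_field($_POST['cc'] ?? '')` (likewise for the other optional fields) inside the block. Calling `sanitize_text_field()` twice on the same value per line is harmless but worth collapsing into one local. trel_check_admin_post continues past the hunk; the `if` and `foreach` opened on its last lines close outside it.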
