Closed: RyanBayne closed this issue 5 years ago
I think I meant to increase validation rather than sanitize the string further.
Decided against this - text sanitize offers enough security. As for validation - there is the chance of causing problems in future when scopes change but data holds old scopes and uses those in validation.
Slim but right now this extra validation on the scope value isn't a priority.
Write a function specifically for sanitizing the scope in $_GET returned by an API.
Replace the use of sanitize_text_field() where applicable.
http://localhost/twitchpress/branches/alpha/?code=e7fzcm459ijadluo6zmjky93d3fkie&scope=channel_check_subscription+channel_commercial+channel_editor+channel_feed_edit+channel_feed_read+channel_read+channel_stream+channel_subscriptions+chat_login+collections_edit+communities_edit+communities_moderate+user_blocks_edit+user_blocks_read+user_follows_edit+user_read+user_subscriptions+viewing_activity_read+openid&state=67809352105548
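One way the scope-specific check requested in this issue could look, as an added example that is not TwitchPress code: the function name `example_parse_oauth_scope()` and the short allowlist are hypothetical, and the token format is assumed from the scopes visible in the URL above. It rejects malformed values outright but reports well-formed scopes that are missing from the allowlist separately, so data holding older scopes does not cause a hard failure.

```php
<?php
// Added example (not TwitchPress code). Names and allowlist are hypothetical.

/**
 * Parse the "scope" value of an OAuth redirect.
 * Returns array( 'accepted' => [...], 'unknown' => [...] ),
 * or null when the value is malformed and should be discarded.
 */
function example_parse_oauth_scope( $raw, array $known_scopes ) {
    // ?scope[]=x arrives as an array; only a bounded string is acceptable.
    if ( ! is_string( $raw ) || strlen( $raw ) > 2048 ) {
        return null;
    }
    // PHP has already decoded "+" to spaces when filling $_GET.
    // Inside WordPress, pass wp_unslash( $_GET['scope'] ) as $raw.
    $tokens   = preg_split( '/ +/', trim( $raw ), -1, PREG_SPLIT_NO_EMPTY );
    $accepted = array();
    $unknown  = array();
    foreach ( $tokens as $token ) {
        // Format check (assumed from this page): lowercase letters and "_".
        if ( ! preg_match( '/\A[a-z][a-z_]{0,63}\z/', $token ) ) {
            return null;
        }
        // Strict comparison; array keys de-duplicate repeated scopes.
        if ( in_array( $token, $known_scopes, true ) ) {
            $accepted[ $token ] = true;
        } else {
            $unknown[ $token ] = true;
        }
    }
    return array(
        'accepted' => array_keys( $accepted ),
        'unknown'  => array_keys( $unknown ),
    );
}

// Constructed sample inputs modelled on the redirect URL in this issue.
$known = array( 'channel_read', 'user_read', 'chat_login', 'openid' );

// Well-formed, with one scope that is not in the allowlist.
var_dump( example_parse_oauth_scope( 'channel_read user_read retired_scope openid', $known ) );
// A token with markup characters fails the format check.
var_dump( example_parse_oauth_scope( 'user_read <script>', $known ) );
// An array value fails the type check.
var_dump( example_parse_oauth_scope( array( 'user_read' ), $known ) );
```

Callers can log the `unknown` list and continue with `accepted`, which keeps the format check strict without tying stored data to the current scope list.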