Closed vladolaru closed 2 years ago
Two things with this.
Once those two items are resolved I think we can test and merge.
I only touched places where it felt safe doing so. I will do another run and see if there are places where I could apply the same logic.
I did another pass and I believe I've caught everything. I also made some minor improvements where I came across (since PHPStorm was screaming at me), mainly to not do echo wp_send_json() since it already does it and then die().
This all started from using a AWS S3 secret key with '+' and '/' in it. This key didn't get saved properly and hence everything failed with relation to S3. It turned out this is a general issue with WPCD forms that pass their values through AJAX to be saved/deployed, etc.
I've applied URIEncode in JS to make sure the values are safe to be sent through URL queries. But this led to the necessity of proper decoding and sanitization on the PHP side since
sanitize_text_field()
applied beforewp_parse_args()
would strip away those URI encodings. The proper order is to:wp_unslash()
, just to be safewp_parse_args()
to split the query string into individual arguments (using the PHP coreparse_str()
behind the scene)sanitize_text_field()
)