Insecure superglobal usage - Githubissues

dmchale / disable-json-api

Public repo for the "Disable REST API" WordPress plugin, currently with 90,000+ active installs in the wordpress.org repository

10 stars 9 forks source link

Insecure superglobal usage #11

Closed tangrufus closed 7 years ago

tangrufus commented 7 years ago

https://github.com/dmchale/disable-json-api/blob/6c33f1d5fabee23245012c688e2abd516e46ad73/classes/disable-rest-api.php#L172

As per WordPress coding standards:

wp_unslash() should go before sanitization
we are missing sanitization
WordPress' esc_html seems better than htmlspecialchars

See:

dmchale commented 7 years ago

Done as part of larger commit where the admin page is now php-based: made sense to address this while refactoring the rest of the logic since the code comparing current routes in the loop to the database values anyway : https://github.com/dmchale/disable-json-api/commit/6af19e4377efdc639ad53ee08dbdc3df15753f95