nliautaud / p01contact

Create contact forms by writing simple tags. Also a plugin for GetSimple and Pico CMS.
MIT License
16 stars, 15 forks

POST Sanitization? #64

Open backit opened 2 years ago

backit commented 2 years ago

Hi, it seems that you don't sanitize `$_POST` data, isn't it? In `P01contact_Form.php` line 205: `* @param array $post Sanitized p01-contact data of $_POST`, but `checkSpam` is called by `post()` at line 184: `if ($hasFieldsErrors || $this->checkSpam($posted) !== true) {` and `$posted` is built by line 161: `$posted = $_POST['p01-contact_fields'];`. So it seems to me that there's no sanitization.

Maybe I'm wrong and missing something obvious...

nliautaud commented 2 years ago

The announced sanitization seems to be absent indeed. The only use in checkSpam is to verify a bool for the honeypot, but it is used at L170-171 to set the field values, which are processed through htmlentities here.

I didn't analyse that further, feel free to propose an improvement.
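As an added illustration of the missing step discussed above (this is example code, not p01contact's own code and not a patch proposed by either participant), the following PHP shows a sanitization pass that sits between reading the posted fields array and any later use of it, plus a honeypot check of the kind checkSpam performs. The function names `readPostedFields`, `sanitizePostedFields` and `honeypotIsClean`, the honeypot field name `website` and the sample submission are all assumptions made for the example; only the `p01-contact_fields` key comes from the thread.

```php
<?php
// Added example (not p01contact code): a sanitization step for the posted
// fields array, placed between reading $_POST and any later processing.
declare(strict_types=1);

/**
 * Read the submitted fields array from a POST payload.
 * Returns an empty array when the key is missing or is not an array, so
 * callers never operate on a string or null where an array is expected.
 * The default key is the one named in the issue; the function itself is assumed.
 */
function readPostedFields(array $post, string $key = 'p01-contact_fields'): array
{
    $fields = $post[$key] ?? null;
    return is_array($fields) ? $fields : [];
}

/**
 * Sanitize an array of submitted form fields for later HTML output.
 *  - keys are limited to a conservative character set (anything else is dropped)
 *  - only scalar values are kept; nested arrays and objects are dropped
 *  - values are cast to string, trimmed and truncated to $maxLength characters
 *  - values are escaped with htmlentities() (ENT_QUOTES so both quote styles
 *    are encoded, ENT_SUBSTITUTE so invalid UTF-8 does not empty the value)
 */
function sanitizePostedFields(array $fields, int $maxLength = 10000): array
{
    $clean = [];
    foreach ($fields as $key => $value) {
        // Integer keys and keys with unexpected characters are not field names we generated.
        if (!is_string($key) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $key)) {
            continue;
        }
        if (!is_scalar($value)) {
            continue;
        }
        $text = trim((string) $value);
        if (mb_strlen($text, 'UTF-8') > $maxLength) {
            $text = mb_substr($text, 0, $maxLength, 'UTF-8');
        }
        $clean[$key] = htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
    return $clean;
}

/**
 * Honeypot check: the hidden field must be present and empty.
 * Run on the raw array, since the only question is whether something filled it in.
 * $honeypotName is an assumed field name for this example.
 */
function honeypotIsClean(array $fields, string $honeypotName): bool
{
    return array_key_exists($honeypotName, $fields) && $fields[$honeypotName] === '';
}

// Constructed sample standing in for $_POST; not a real submission.
$samplePost = [
    'p01-contact_fields' => [
        'name'     => "  Alice <script>alert('x')</script>  ",
        'email'    => 'alice@example.com',
        'message'  => ['nested' => 'arrays are dropped'],
        'bad key!' => 'dropped because of its key',
        'website'  => '', // assumed honeypot field, left empty by a human
    ],
];

$raw   = readPostedFields($samplePost);
$clean = sanitizePostedFields($raw);

var_dump(honeypotIsClean($raw, 'website'));
print_r($clean);
```

The escaping here targets the HTML context in which the form echoes values back; if a value is also placed into an e-mail header or a different context, it needs context-specific handling in addition to this pass, which is why the sanitized array is kept separate from the raw one rather than overwriting `$_POST`.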