search

webtions / i-recommend-this

This plugin allows your visitors to simply like/recommend your posts instead of comment on it.
22 stars 10 forks source link

Sanitize, escape, and validate all POST calls #19

Closed hchouhan closed 6 years ago

hchouhan commented 6 years ago

Please sanitize, escape, and validate your POST calls

When you include POST/GET/REQUEST calls in your plugin, it's important to sanitize, validate, and escape them. The goal here is to prevent a user from accidentally sending trash data through the system, as well as protecting them from potential security issues.

SANITIZE: All instances where generated content is inserted into the database, or into a file, or being otherwise processed by WordPress, the data MUST be properly sanitized for security. By sanitizing your POST data when used to make action calls or URL redirects, you will lessen the possibility of XSS vulnerabilities. You should never have a raw data inserted into the database, even by a update function, and even with a prepare() call.

VALIDATE: In addition to sanitization, you should validate all your calls. If a $_POST call should only be a number, ensure it's an int() before you pass it through anything. Even if you're sanitizing or using WordPress functions to ensure things are safe, we ask you please validate for sanity's sake. Any time you are adding data to the database, it should be the right data.

ESCAPE: Similarly, when you're outputting data, make sure to escape it properly, so it can't hijack admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data.

In all cases, using stripslashes or strip_tags is not enough. You need to use the most appropriate method associated with the type of content you're processing. Check that a URL is a URL and don't just be lazy and use sanitize_text please. The ultimate goal is that you should ensure that invalid and unsafe data is NEVER processed or displayed. Clean everything, check everything, escape everything, and never trust the users to always have input sane data.

Please review this document and update your code accordingly: https://developer.wordpress.org/plugins/security/securing-input/

Example:

$post_id = str_replace('dot-irecommendthis-', '', $_POST['recommend_id']);

and

$text_more_suffix = strip_tags($text_more_suffix);

and

$options['show_count'] = $_POST['mrp-show-count'];

hchouhan commented 6 years ago

7f984b6288df7dd24049e69dd9e777f87dd49c8d