improved sanitizing

wpugph · Oct 28, 2019 · 91400fe · 91400fe
1 parent 6e6e361
commit 91400fe
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 15 deletions.
diff --git a/includes/class-tika-doc-pdf-indexer-functions.php b/includes/class-tika-doc-pdf-indexer-functions.php
@@ -102,16 +102,16 @@ function tdpi_restrict_mimetypes( $mimes ) {
 
 	$allowed_array = array();
 	if ( in_array( 'pdf', $allowed, true ) ) {
-		$allowed_array[ 'pdf' ] = 'application/pdf';
+		$allowed_array['pdf'] = 'application/pdf';
 	}
 	if ( in_array( 'txt', $allowed, true ) ) {
-		$allowed_array[ 'txt' ] = 'text/plain';
+		$allowed_array['txt'] = 'text/plain';
 	}
 	if ( in_array( 'doc', $allowed, true ) ) {
-		$allowed_array[ 'doc' ] = 'application/msword';
+		$allowed_array['doc'] = 'application/msword';
 	}
 	global $post_type;
-	if ( 'tdpi_doc' == $post_type ) {
+	if ( 'tdpi_doc' === $post_type ) {
 		$mimes = $allowed_array;
 	}
 	return $mimes;
@@ -126,9 +126,8 @@ function tdpi_restrict_mimetypes( $mimes ) {
  */
 function tdpi_file_upload() {
 	global $post;
-	echo '<input type="hidden" name="tdpi_nonce" id="tdpi_nonce" value="' .
-	esc_attr( wp_create_nonce( plugin_basename( __FILE__ ) ) ) .
-	'" />';
+	$nonce = sanitize_text_field( wp_create_nonce( plugin_basename( __FILE__ ) ) );
+	echo '<input type="hidden" name="tdpi_nonce" id="tdpi_nonce" value="' . esc_html( $nonce ) . '" />';
 	global $wpdb;
 	$filename   = get_post_meta( $post->ID, $key = 'tdpi_file', true );
 	$media_file = get_post_meta( $post->ID, $key = '_wp_attached_file', true );
@@ -280,4 +279,4 @@ function tdpi_save_tika_meta( $post_id, $post ) {
 // eliminate unneecessary functions
 // on upload existing file, attach data.
 // make the upload file required
-// default to upload and restric from selcting uploaded file or the recent file should be indexed
+// default to upload and restric from selcting uploaded file or the recent file should be indexed.
diff --git a/includes/class-tika-doc-pdf-indexer-settings.php b/includes/class-tika-doc-pdf-indexer-settings.php
@@ -132,7 +132,7 @@ public function add_settings_link( $links ) {
 	private function settings_fields() {
 
 		$settings['standard'] = array(
-			'description' => __( 'Essential settings that will make the PDF Doc Indexer will work.', 'tika-doc-pdf-indexer' ),
+			'description' => __( 'Essential settings that will make the PDF Doc Indexer work.', 'tika-doc-pdf-indexer' ),
 			'fields'      => array(
 				array(
 					'id'          => 'java_location',
@@ -282,8 +282,8 @@ public function settings_page() {
 				$html .= ob_get_clean();
 
 				$html     .= '<p class="submit">' . "\n";
-					$html .= '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '" />' . "\n";
-					$html .= '<input name="Submit" type="submit" class="button-primary" value="' . esc_attr( __( 'Save Settings', 'tika-doc-pdf-indexer' ) ) . '" />' . "\n";
+					$html .= '<input type="hidden" name="tab" value="' . sanitize_text_field( $tab ) . '" />' . "\n";
+					$html .= '<input name="Submit" type="submit" class="button-primary" value="' . sanitize_text_field( __( 'Save Settings', 'tika-doc-pdf-indexer' ) ) . '" />' . "\n";
 				$html     .= '</p>' . "\n";
 			$html         .= '</form>' . "\n";
 		$html             .= '</div>' . "\n";

diff --git a/includes/lib/class-tika-doc-pdf-indexer-admin-api.php b/includes/lib/class-tika-doc-pdf-indexer-admin-api.php
@@ -203,7 +203,7 @@ public function display_field( $data = array(), $post = false, $echo = true ) {
 
 			default:
 				if ( ! $post ) {
-					$html .= '<label for="' . esc_attr( $field['id'] ) . '">' . "\n";
+					$html .= '<label for="' . esc_html( $field['id'] ) . '">' . "\n";
 				}
 
 				$html .= '<span class="description">' . $field['description'] . '</span>' . "\n";
@@ -218,7 +218,7 @@ public function display_field( $data = array(), $post = false, $echo = true ) {
 			return $html;
 		}
 
-		echo $html; //phpcs:ignore
+		echo esc_html( $html );
 
 	}
 
@@ -233,7 +233,7 @@ public function validate_field( $data = '', $type = 'text' ) {
 
 		switch ( $type ) {
 			case 'text':
-				$data = esc_attr( $data );
+				$data = sanitize_text_field( $data );
 				break;
 			case 'url':
 				$data = esc_url( $data );
@@ -321,7 +321,7 @@ public function display_meta_box_field( $field = array(), $post ) {
 
 		$field = '<p class="form-field"><label for="' . $field['id'] . '">' . $field['label'] . '</label>' . $this->display_field( $field, $post, false ) . '</p>' . "\n";
 
-		echo $field; //phpcs:ignore
+		echo esc_html( $field );
 	}
 
 	/**