
Commit e00a08f

committed
Sanitization.
Improve sanitization and escaping.
1 parent cce9abf commit e00a08f

1 file changed

+22
-20
lines changed


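--- a/import-users-from-csv.php
+++ b/import-users-from-csv.php
@@ -68,7 +68,7 @@ class IS_IU_Import_Users {
 *
 * @since 0.1
 **/
-public function init() {
+public static function init() {
 add_action( 'admin_menu', array( __CLASS__, 'add_admin_pages' ) );
 add_action( 'init', array( __CLASS__, 'process_csv' ) );
 
@@ -84,7 +84,7 @@ public function init() {
 *
 * @since 0.1
 **/
-public function add_admin_pages() {
+public static function add_admin_pages() {
 add_users_page( __( 'Import From CSV' , 'import-users-from-csv'), __( 'Import From CSV' , 'import-users-from-csv'), 'create_users', 'import-users-from-csv', array( __CLASS__, 'users_page' ) );
 }
 
@@ -93,21 +93,21 @@ public function add_admin_pages() {
 *
 * @since 0.1
 **/
-public function process_csv() {
+public static function process_csv() {
 if ( isset( $_POST['_wpnonce-is-iu-import-users-users-page_import'] ) ) {
 check_admin_referer( 'is-iu-import-users-users-page_import', '_wpnonce-is-iu-import-users-users-page_import' );
 
 if ( !empty( $_FILES['users_csv']['tmp_name'] ) ) {
 /* Setup settings variables */
-$filename = $_FILES['users_csv']['tmp_name'];
-$password_nag = isset( $_POST['password_nag'] ) ? $_POST['password_nag'] : false;
-$users_update = isset( $_POST['users_update'] ) ? $_POST['users_update'] : false;
-$new_user_notification = isset( $_POST['new_user_notification'] ) ? $_POST['new_user_notification'] : false;
+$filename = sanitize_text_field( $_FILES['users_csv']['tmp_name'] );
+$password_nag = isset( $_POST['password_nag'] ) ? sanitize_text_field( $_POST['password_nag'] ) : false;
+$users_update = isset( $_POST['users_update'] ) ? sanitize_text_field( $_POST['users_update'] ) : false;
+$new_user_notification = isset( $_POST['new_user_notification'] ) ? sanitize_text_field( $_POST['new_user_notification'] ) : false;
 
 $results = self::import_csv( $filename, array(
-'password_nag' => $password_nag,
-'new_user_notification' => $new_user_notification,
-'users_update' => $users_update
+'password_nag' => intval( $password_nag ),
+'new_user_notification' => intval( $new_user_notification ),
+'users_update' => intval( $users_update )
 ) );
 
 if ( ! $results['user_ids'] ){
@@ -133,7 +133,7 @@ public function process_csv() {
 *
 * @since 0.1
 **/
-public function users_page() {
+public static function users_page() {
 if ( ! current_user_can( 'create_users' ) ){
 wp_die( __( 'You do not have sufficient permissions to access this page.' , 'import-users-from-csv') );
 }
@@ -153,13 +153,15 @@ public function users_page() {
 }
 }
 
-if ( isset( $_GET['import'] ) ) {
+$import = isset( $_GET['import'] ) ? sanitize_text_field( $_GET['import'] ) : false;
+
+if ( $import ) {
 $error_log_msg = '';
 if ( file_exists( $error_log_file ) ){
-$error_log_msg = sprintf( __( ', please <a href="%s">check the error log</a>' , 'import-users-from-csv'), $error_log_url );
+$error_log_msg = sprintf( __( ", please <a href='%s' target='_blank'>check the error log</a>", 'import-users-from-csv'), esc_url( $error_log_url ) );
 }
 
-switch ( $_GET['import'] ) {
+switch ( $import ) {
 case 'file':
 $message = __( 'Error during file upload.' , 'import-users-from-csv');
 self::render_notice('error', $message);
@@ -203,7 +205,7 @@ public function users_page() {
 <input type="file" id="users_csv" name="users_csv" value="" class="all-options" /><br />
 <span class="description">
 <?php
-echo sprintf( __( 'You may want to see <a href="%s">the example of the CSV file</a>.' , 'import-users-from-csv'), plugin_dir_url(__FILE__).'examples/import.csv');
+echo sprintf( __( 'You may want to see <a href="%s">the example of the CSV file</a>.' , 'import-users-from-csv'), esc_url( plugin_dir_url(__FILE__).'examples/import.csv' ) );
 ?>
 </span>
 </td>
@@ -448,7 +450,7 @@ public static function import_csv( $filename, $args ) {
 }
 
 if ( $new_user_notification ) {
-wp_new_user_notification( $user_id, $userdata['user_pass'] );
+wp_new_user_notification( $user_id, null, 'user' );
 }
 }
 
@@ -488,7 +490,7 @@ private static function log_errors( $errors ) {
 }
 
 $log = @fopen( self::$log_dir_path . 'is_iu_errors.log', 'a' );
-@fwrite( $log, sprintf( __( 'BEGIN %s' , 'import-users-from-csv'), date( 'Y-m-d H:i:s', time() ) ) . "\n" );
+@fwrite( $log, sprintf( __( 'BEGIN %s' , 'import-users-from-csv'), date_i18n( 'Y-m-d H:i:s', time() ) ) . "\n" );
 
 foreach ( $errors as $key => $error ) {
 $line = $key + 1;
@@ -500,16 +502,16 @@ private static function log_errors( $errors ) {
 }
 
 /**
-* Echo out a notice withs specific class
+* Echo out a notice withs specific class.
 *
 * @param $class - class to add to div
-* @param $message - The content of the notice
+* @param $message - The content of the notice. This should be escaped before being passed in to ensure proper escaping is done.
+*
 *
 * @since 1.0.1
 */
 private static function render_notice($class, $message){
 $class = esc_attr($class);
-$message = esc_attr($message);
 echo "<div class='$class'><p><strong>$message</strong></p></div>";
 }
 }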
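Review bot: In the last hunk `render_notice` now echoes `$message` with no escaping at all (the `esc_attr` line is removed) and the only safeguard is a docblock asking callers to escape first; since the message is intended to carry markup such as the error-log link built in `users_page`, filtering at the output point is safer than a convention, e.g. `echo "<div class='$class'><p><strong>" . wp_kses_post( $message ) . "</strong></p></div>";`. That keeps the anchor the caller builds while stripping anything unexpected in a translated or future message. Separately, in the `process_csv` hunk `sanitize_text_field()` on `$_FILES['users_csv']['tmp_name']` is cosmetic, because that path is generated by PHP rather than sent by the client, whereas the check that actually matters before the file is read, `if ( ! is_uploaded_file( $filename ) ) { /* bail */ }`, is still absent; `process_csv` continues outside the hunk.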
