Fix escaping, requests

friends-of-sunlight-cms · Aug 26, 2023 · a831922 · a831922
1 parent a6db5a3
commit a831922
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 6 deletions.
diff --git a/plugins/extend/hcaptcha/class/ConfigAction.php b/plugins/extend/hcaptcha/class/ConfigAction.php
@@ -30,6 +30,8 @@ protected function getFields(): array
 
     private function createInput(string $type, string $name, $attributes = null): string
     {
+        $config = $this->plugin->getConfig();
+
         $attr = [];
         if (is_array($attributes)) {
             foreach ($attributes as $k => $v) {
@@ -41,9 +43,9 @@ private function createInput(string $type, string $name, $attributes = null): st
             }
         }
         if ($type === 'checkbox') {
-            $result = '<input type="checkbox" name="config[' . $name . ']" value="1"' . implode(' ', $attr) . Form::activateCheckbox($this->plugin->getConfig()->offsetGet($name)) . '>';
+            $result = '<input type="checkbox" name="config[' . $name . ']" value="1"' . implode(' ', $attr) . Form::activateCheckbox($config[$name]) . '>';
         } else {
-            $result = '<input type="' . $type . '" name="config[' . $name . ']" value="' . $this->plugin->getConfig()->offsetGet($name) . '"' . implode(' ', $attr) . '>';
+            $result = '<input type="' . $type . '" name="config[' . $name . ']" value="' . Form::restorePostValue($name, $config[$name], false) . '"' . implode(' ', $attr) . '>';
         }
         return $result;
     }

diff --git a/plugins/extend/hcaptcha/event/captcha_check.php b/plugins/extend/hcaptcha/event/captcha_check.php
@@ -2,22 +2,23 @@
 
 use Sunlight\Core;
 use Sunlight\User;
+use Sunlight\Util\Request;
 
 return function (array $args) {
     if (User::isLoggedIn()) {
         return;
     }
 
-    if (empty($_POST['h-captcha-response'])) {
+    if (empty(Request::post('h-captcha-response'))) {
         $args['value'] = false;
         return;
     }
 
     $config = $this->getConfig();
 
     $data = [
-        'secret' => $config['secret_key'],
-        'response' => $_POST['h-captcha-response'],
+        'secret' => _e($config['secret_key']),
+        'response' => Request::post('h-captcha-response'),
         'remoteip' => Core::getClientIp()
     ];
 

diff --git a/plugins/extend/hcaptcha/event/captcha_init.php b/plugins/extend/hcaptcha/event/captcha_init.php
@@ -8,7 +8,7 @@
     }
 
     $config = $this->getConfig();
-    $content = "<div class='h-captcha' data-sitekey='" . $config['site_key'] . "'" . ($config['dark_mode'] ? ' data-theme="dark"' : '') . "></div>";
+    $content = "<div class='h-captcha' data-sitekey='" . _e($config['site_key']) . "'" . ($config['dark_mode'] ? ' data-theme="dark"' : '') . "></div>";
     $args['value'] = [
         'label' => _lang('captcha.input'),
         'content' => $content,