Sanitizes the shortcode attributes

gsarig · Dec 14, 2024 · 3611db1 · 3611db1
1 parent 4a91e11
commit 3611db1
Show file tree

Hide file tree

Showing 6 changed files with 86 additions and 13 deletions.
diff --git a/composer.json b/composer.json
@@ -8,7 +8,7 @@
 	}
   ],
   "require": {
-	"php": ">=7.4"
+	"php": ">=8.2"
   },
   "autoload": {
 	"psr-4": {

diff --git a/composer.lock b/composer.lock
diff --git a/includes/classes/Helper.php b/includes/classes/Helper.php
@@ -13,12 +13,45 @@ class Helper {
 	/**
 	 * Asset Providers.
 	 *
+	 * @param array $options Options to be used with json_decode().
+	 *
 	 * @return mixed
 	 */
-	public static function providers() {
+	public static function providers( array $options = [] ): mixed {
 		$json_file = OOTB_PLUGIN_PATH . 'assets/providers.json';
 
-		return wp_json_file_decode( $json_file );
+		return wp_json_file_decode( $json_file, $options );
+	}
+
+	/**
+	 * The valid map types.
+	 *
+	 * @return string[]
+	 */
+	public static function map_types(): array {
+		return [ 'markers', 'polygon', 'polyline' ];
+	}
+
+	/**
+	 * Get the default values.
+	 *
+	 * @param string $key The key to check.
+	 *
+	 * @return string
+	 */
+	public static function get_default( string $key = '' ): string {
+		if ( empty( $key ) ) {
+			return '';
+		}
+		$defaults = [
+			'height'    => '400px',
+			'post_type' => 'post',
+		];
+		if ( empty( $defaults[ $key ] ) ) {
+			return '';
+		}
+
+		return $defaults[ $key ];
 	}
 
 	/**
@@ -300,4 +333,44 @@ public static function get_marker_attr_from_url( string $img_src = '' ) {
 
 		return urlencode( $jsonStr );
 	}
+
+	public static function sanitize_attrs( array $attrs ): array {
+		$valid_args = [
+			'source',
+			'post_type',
+			'posts_per_page',
+			'post_ids',
+			'height',
+			'provider',
+			'maptype',
+			'touchzoom',
+			'scrollwheelzoom',
+			'dragging',
+			'doubleclickzoom',
+			'marker',
+		];
+
+		foreach ( $attrs as $key => $value ) {
+			if ( ! in_array( $key, $valid_args, true ) ) {
+				unset( $attrs[ $key ] );
+			}
+			$attrs[ $key ] = match ( $key ) {
+				'source' => in_array( $value, [ 'geodata', 'block' ], true ) ? $value : '',
+				'post_type' => in_array( $value, array_column( self::get_post_types(), 'value' ), true ) ? $value : self::get_default('post_type'),
+				'posts_per_page' => ( is_int( $value ) || $value === - 1 ) ? $value : Query::get_posts_per_page(),
+				'post_ids' => ( preg_match( '/^(\d+,)*\d+$/', $value ) === 1 ) ? $value : '',
+				'height' => ( preg_match( '/^\d+px$/', $value ) === 1 ) ? $value : self::get_default( 'height' ),
+				'provider' => in_array( $value, array_keys( self::providers( [ 'associative' => true ] ) ), true ) ? $value : '',
+				'maptype' => in_array( $value, self::map_types(), true ) ? $value : '',
+				'touchzoom', 'scrollwheelzoom', 'dragging', 'doubleclickzoom' => in_array( $value, [
+					'true',
+					'false'
+				], true ) ? $value : '',
+				'marker' => ( filter_var( $value, FILTER_VALIDATE_URL ) !== false ) ? $value : '',
+				default => $value,
+			};
+		}
+
+		return $attrs;
+	}
 }
diff --git a/includes/classes/Query.php b/includes/classes/Query.php
@@ -35,7 +35,7 @@ private static function get_post_type( string $fallback = 'post' ) {
 	 *
 	 * @return mixed|null
 	 */
-	private static function get_posts_per_page( int $fallback = 100 ) {
+	public static function get_posts_per_page( int $fallback = 100 ): mixed {
 		return apply_filters( 'ootb_query_posts_per_page', $fallback );
 	}
 
@@ -287,10 +287,10 @@ public function shortcode( $attrs ) {
 			array_merge(
 				[
 					'source'         => '',
-					'post_type'      => 'post',
+					'post_type'      => Helper::get_default( 'post_type' ),
 					'posts_per_page' => self::get_posts_per_page(),
 					'post_ids'       => '',
-					'height'         => '400px',
+					'height'         => Helper::get_default( 'height' ),
 				],
 				self::overridable_attrs()
 			)
@@ -314,7 +314,7 @@ public function shortcode( $attrs ) {
 			'queryArgs'        => $queryArgs,
 		];
 
-		$escaped_attrs = array_map( 'esc_attr', $attrs );
+		$escaped_attrs = array_map( 'esc_attr', Helper::sanitize_attrs( $attrs ) );
 
 		$content = sprintf(
 			'<div class="ootb-openstreetmap--map" %1$s style="height: %2$s;"></div>',

diff --git a/vendor/composer/installed.php b/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'ootb/openstreetmap',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '0a58ab4508357006bdfae698f380216973a5e832',
+        'reference' => '4a91e119807e9317b38834b750192cab2b79a7af',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         'ootb/openstreetmap' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '0a58ab4508357006bdfae698f380216973a5e832',
+            'reference' => '4a91e119807e9317b38834b750192cab2b79a7af',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

diff --git a/vendor/composer/platform_check.php b/vendor/composer/platform_check.php
@@ -4,8 +4,8 @@
 
 $issues = array();
 
-if (!(PHP_VERSION_ID >= 70400)) {
-    $issues[] = 'Your Composer dependencies require a PHP version ">= 7.4.0". You are running ' . PHP_VERSION . '.';
+if (!(PHP_VERSION_ID >= 80200)) {
+    $issues[] = 'Your Composer dependencies require a PHP version ">= 8.2.0". You are running ' . PHP_VERSION . '.';
 }
 
 if ($issues) {