From 3611db14df19230e08bd0a1b6ccede01e425f401 Mon Sep 17 00:00:00 2001 From: gsarig Date: Sat, 14 Dec 2024 22:42:45 +0200 Subject: [PATCH] Sanitizes the shortcode attributes --- composer.json | 2 +- composer.lock | 4 +- includes/classes/Helper.php | 77 +++++++++++++++++++++++++++++- includes/classes/Query.php | 8 ++-- vendor/composer/installed.php | 4 +- vendor/composer/platform_check.php | 4 +- 6 files changed, 86 insertions(+), 13 deletions(-) diff --git a/composer.json b/composer.json index 979d7d4..82eb08f 100644 --- a/composer.json +++ b/composer.json @@ -8,7 +8,7 @@ } ], "require": { - "php": ">=7.4" + "php": ">=8.2" }, "autoload": { "psr-4": { diff --git a/composer.lock b/composer.lock index 3ad98d1..4e88f0b 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "6739fa4486aa65371173ebc820e1bb07", + "content-hash": "9e7cd7865dccc748027cf17c9c079766", "packages": [], "packages-dev": [], "aliases": [], @@ -13,7 +13,7 @@ "prefer-stable": false, "prefer-lowest": false, "platform": { - "php": ">=7.4" + "php": ">=8.2" }, "platform-dev": [], "plugin-api-version": "2.6.0" diff --git a/includes/classes/Helper.php b/includes/classes/Helper.php index aa612bb..83d0638 100644 --- a/includes/classes/Helper.php +++ b/includes/classes/Helper.php 
@@ -13,12 +13,45 @@ class Helper { /** * Asset Providers. * + * @param array $options Options to be used with json_decode(). + * * @return mixed */ - public static function providers() { + public static function providers( array $options = [] ): mixed { $json_file = OOTB_PLUGIN_PATH . 'assets/providers.json'; - return wp_json_file_decode( $json_file ); + return wp_json_file_decode( $json_file, $options ); + } + + /** + * The valid map types. + * + * @return string[] + */ + public static function map_types(): array { + return [ 'markers', 'polygon', 'polyline' ]; + } + + /** + * Get the default values. + * + * @param string $key The key to check. + * + * @return string + */ + public static function get_default( string $key = '' ): string { + if ( empty( $key ) ) { + return ''; + } + $defaults = [ + 'height' => '400px', + 'post_type' => 'post', + ]; + if ( empty( $defaults[ $key ] ) ) { + return ''; + } + + return $defaults[ $key ]; } /** 
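Review bot: `providers()` is now typed `mixed` but still hands back whatever `wp_json_file_decode()` returns, which per WordPress core is `null` when the file is missing, unreadable or not valid JSON; the `@return mixed` docblock should state that (`@return array|object|null Decoded providers, or null if the JSON file cannot be read or parsed.`), because the new caller `array_keys( self::providers( [ 'associative' => true ] ) )` in the later hunk would raise a `TypeError` on `null` under PHP 8. A cheap guard is to have that caller cast first, `array_keys( (array) self::providers( [ 'associative' => true ] ) )`, rather than change the return value here and surprise existing callers. `get_default()` uses `empty( $defaults[ $key ] )`, which is fine for the two non-empty strings it holds today but would silently turn a future default of `'0'` into `''`; `isset()` or `??` is the safer idiom for a lookup table.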
@@ -300,4 +333,44 @@ public static function get_marker_attr_from_url( string $img_src = '' ) { return urlencode( $jsonStr ); } + + public static function sanitize_attrs( array $attrs ): array { + $valid_args = [ + 'source', + 'post_type', + 'posts_per_page', + 'post_ids', + 'height', + 'provider', + 'maptype', + 'touchzoom', + 'scrollwheelzoom', + 'dragging', + 'doubleclickzoom', + 'marker', + ]; + + foreach ( $attrs as $key => $value ) { + if ( ! in_array( $key, $valid_args, true ) ) { + unset( $attrs[ $key ] ); + } + $attrs[ $key ] = match ( $key ) { + 'source' => in_array( $value, [ 'geodata', 'block' ], true ) ? $value : '', + 'post_type' => in_array( $value, array_column( self::get_post_types(), 'value' ), true ) ? $value : self::get_default('post_type'), + 'posts_per_page' => ( is_int( $value ) || $value === - 1 ) ? $value : Query::get_posts_per_page(), + 'post_ids' => ( preg_match( '/^(\d+,)*\d+$/', $value ) === 1 ) ? $value : '', + 'height' => ( preg_match( '/^\d+px$/', $value ) === 1 ) ? $value : self::get_default( 'height' ), + 'provider' => in_array( $value, array_keys( self::providers( [ 'associative' => true ] ) ), true ) ? $value : '', + 'maptype' => in_array( $value, self::map_types(), true ) ? $value : '', + 'touchzoom', 'scrollwheelzoom', 'dragging', 'doubleclickzoom' => in_array( $value, [ + 'true', + 'false' + ], true ) ? $value : '', + 'marker' => ( filter_var( $value, FILTER_VALIDATE_URL ) !== false ) ? $value : '', + default => $value, + }; + } + + return $attrs; + } } diff --git a/includes/classes/Query.php b/includes/classes/Query.php index 5c556f6..76711b0 100644 --- a/includes/classes/Query.php +++ b/includes/classes/Query.php 
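Review bot: The key allow-list in `sanitize_attrs` is ineffective: after `unset( $attrs[ $key ] )` the loop does not `continue`, so the following `match` hits its `default => $value` arm and writes the unknown key straight back, meaning every attribute name a shortcode author supplies still reaches `$escaped_attrs`; add `continue;` immediately after the `unset( $attrs[ $key ] );` line. The `posts_per_page` arm tests `is_int( $value ) || $value === - 1`, but WordPress delivers shortcode attributes as strings, so a user-supplied `"5"` fails and is replaced by the default while only the integer default itself passes (and the `=== - 1` clause is already covered by `is_int`); `'posts_per_page' => filter_var( $value, FILTER_VALIDATE_INT, [ 'options' => [ 'min_range' => -1 ] ] ) !== false ? (int) $value : Query::get_posts_per_page(),` accepts both forms. `FILTER_VALIDATE_URL` on `marker` accepts any scheme that carries a host (`file://`, `data://`, `ftp://` …), not just web URLs; if the value is only ever emitted as an image URL for the front end, restricting it to `http`/`https` first, e.g. `in_array( parse_url( (string) $value, PHP_URL_SCHEME ), [ 'http', 'https' ], true ) && filter_var( $value, FILTER_VALIDATE_URL ) !== false`, narrows what can be injected. The `post_ids` and `height` regexes end in `$`, which also matches before a trailing newline; `\z` (or the `D` modifier) pins the true end of the string. A short docblock describing the allow-list contract would also help, since the method is public and called from Query.php.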
@@ -35,7 +35,7 @@ private static function get_post_type( string $fallback = 'post' ) { * * @return mixed|null */ - private static function get_posts_per_page( int $fallback = 100 ) { + public static function get_posts_per_page( int $fallback = 100 ): mixed { return apply_filters( 'ootb_query_posts_per_page', $fallback ); } @@ -287,10 +287,10 @@ public function shortcode( $attrs ) { array_merge( [ 'source' => '', - 'post_type' => 'post', + 'post_type' => Helper::get_default( 'post_type' ), 'posts_per_page' => self::get_posts_per_page(), 'post_ids' => '', - 'height' => '400px', + 'height' => Helper::get_default( 'height' ), ], self::overridable_attrs() ) @@ -314,7 +314,7 @@ public function shortcode( $attrs ) { 'queryArgs' => $queryArgs, ]; - $escaped_attrs = array_map( 'esc_attr', $attrs ); + $escaped_attrs = array_map( 'esc_attr', Helper::sanitize_attrs( $attrs ) ); $content = sprintf( '
', diff --git a/vendor/composer/installed.php b/vendor/composer/installed.php index 881c83e..8dc2a4a 100644 --- a/vendor/composer/installed.php +++ b/vendor/composer/installed.php @@ -3,7 +3,7 @@ 'name' => 'ootb/openstreetmap', 'pretty_version' => 'dev-master', 'version' => 'dev-master', - 'reference' => '0a58ab4508357006bdfae698f380216973a5e832', + 'reference' => '4a91e119807e9317b38834b750192cab2b79a7af', 'type' => 'wordpress-plugin', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), @@ -13,7 +13,7 @@ 'ootb/openstreetmap' => array( 'pretty_version' => 'dev-master', 'version' => 'dev-master', - 'reference' => '0a58ab4508357006bdfae698f380216973a5e832', + 'reference' => '4a91e119807e9317b38834b750192cab2b79a7af', 'type' => 'wordpress-plugin', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), diff --git a/vendor/composer/platform_check.php b/vendor/composer/platform_check.php index 580fa96..d32d90c 100644 --- a/vendor/composer/platform_check.php +++ b/vendor/composer/platform_check.php @@ -4,8 +4,8 @@ $issues = array(); -if (!(PHP_VERSION_ID >= 70400)) { - $issues[] = 'Your Composer dependencies require a PHP version ">= 7.4.0". You are running ' . PHP_VERSION . '.'; +if (!(PHP_VERSION_ID >= 80200)) { + $issues[] = 'Your Composer dependencies require a PHP version ">= 8.2.0". You are running ' . PHP_VERSION . '.'; } if ($issues) {
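Review bot: Sanitising happens only on the way out, in the `$escaped_attrs` line, whereas `$queryArgs` is assembled above this hunk (visible only as `'queryArgs' => $queryArgs` in the context); if it is derived from the same `$attrs`, then `post_type`, `post_ids` and `posts_per_page` still reach `WP_Query` unvalidated. Applying `$attrs = Helper::sanitize_attrs( $attrs );` once, right after the defaults are merged in the previous hunk, would let both the query and the rendered attributes see the same validated values, and the existing `array_map( 'esc_attr', $attrs )` could then stay as it was. The start of `shortcode()` and the construction of `$queryArgs` lie outside the hunk, so whether they share `$attrs` I cannot confirm from here. With the PHP floor now at 8.2, the string callable `'esc_attr'` could also become the first-class callable `esc_attr(...)`.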