Refactor password handling to bypass wp_unslash.
Introduce a dedicated method to handle password fields securely, avoiding `wp_unslash` for these fields. This enhances consistency and security when processing form data across the plugin.
@@ -453,6 +453,11 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
||||
$arr_restricted_fields = UM()->fields()->get_restricted_fields_for_edit();
|
||||
}
|
||||
|
||||
$password_fields = array(
|
||||
'user_password',
|
||||
'confirm_user_password',
|
||||
);
|
||||
|
||||
$field_types_without_metakey = UM()->builtin()->get_fields_without_metakey();
|
||||
foreach ( $custom_fields as $cf_k => $cf_data ) {
|
||||
if ( ! array_key_exists( 'type', $cf_data ) || in_array( $cf_data['type'], $field_types_without_metakey, true ) ) {
|
||||
@@ -462,6 +467,9 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
||||
if ( array_key_exists( 'type', $cf_data ) && 'password' === $cf_data['type'] ) {
|
||||
$ignore_keys[] = $cf_k;
|
||||
$ignore_keys[] = 'confirm_' . $cf_k;
|
||||
|
||||
$password_fields[] = $cf_k;
|
||||
$password_fields[] = 'confirm_' . $cf_k;
|
||||
}
|
||||
|
||||
if ( 'profile' === $this->form_data['mode'] ) {
|
||||
@@ -557,14 +565,15 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
||||
do_action( 'um_before_submit_form_post', $this );
|
||||
|
||||
$formdata = wp_unslash( $_POST );
|
||||
|
||||
if ( isset( $formdata['form_id'] ) ) {
|
||||
// Don't un-slash passwords in manner of WordPress native password field.
|
||||
$form_id = absint( $formdata['form_id'] );
|
||||
if ( isset( $_POST['user_password-' . $form_id] ) ) {
|
||||
$formdata['user_password-' . $form_id] = trim( $_POST['user_password-' . $form_id] );
|
||||
}
|
||||
if ( isset( $_POST['confirm_user_password-' . $form_id] ) ) {
|
||||
$formdata['confirm_user_password-' . $form_id] = trim( $_POST['confirm_user_password-' . $form_id] );
|
||||
foreach ( $password_fields as &$password_field ) {
|
||||
$password_field .= '-' . $form_id;
|
||||
}
|
||||
unset( $password_field );
|
||||
$formdata = UM()->form()::ignore_formdata_unslash( $formdata, $password_fields );
|
||||
}
|
||||
|
||||
/* save entire form as global */
|
||||
@@ -1120,7 +1129,6 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
||||
return $mode;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Get custom field roles
|
||||
*
|
||||
@@ -1177,5 +1185,24 @@ if ( ! class_exists( 'um\core\Form' ) ) {
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Ignore of `wp_unslash()` for form data
|
||||
*
|
||||
* @param array $formdata The form data to process
|
||||
* @param array $fields_map The fields map array
|
||||
*
|
||||
* @return array The updated form data
|
||||
*/
|
||||
public static function ignore_formdata_unslash( $formdata, $fields_map ) {
|
||||
foreach ( $fields_map as $field ) {
|
||||
if ( ! isset( $_POST[ $field ] ) ) {
|
||||
continue;
|
||||
}
|
||||
$formdata[ $field ] = trim( $_POST[ $field ] );
|
||||
}
|
||||
|
||||
return $formdata;
|
||||
}
|
||||
}
|
||||
}
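Review bot: `ignore_formdata_unslash` hands `$_POST[ $field ]` straight to `trim()`, so a request in which one of the listed keys is submitted as an array rather than a string would raise a TypeError on PHP 8 (a warning on older versions) instead of being skipped; the guard should also require a string: `if ( ! isset( $_POST[ $field ] ) || ! is_string( $_POST[ $field ] ) ) {`. The same raw-read pattern existed in the per-field checks removed in the `@@ -557` hunk, so the helper is the right place to add it once. The docblock should also say what `$fields_map` is, since "The fields map array" does not tell a caller what to pass: `@param string[] $fields_map Keys of $_POST whose raw (not unslashed) value replaces the unslashed one, e.g. password fields.` A short why-comment above the `trim()` line, such as `// Read the raw value on purpose: passwords are kept exactly as submitted, like WordPress core does.`, would make the intent of bypassing `wp_unslash()` visible at the point of use.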
|
||||
|
||||