- fixed security issue with Profile/Registration form;

This commit is contained in:
nikitasinelnikov
2019-05-08 16:05:27 +03:00
parent f5752e9248
commit f628703b12
8 changed files with 125 additions and 41 deletions
+48 -1
@@ -22,7 +22,8 @@ if ( ! class_exists( 'um\core\Validation' ) ) {
$this->regex_phone_number = '/\A[\d\-\.\+\(\)\ ]+\z/';
add_filter( 'um_user_pre_updating_files_array', array( $this, 'validate_files' ) );
add_filter( 'um_user_pre_updating_files_array', array( $this, 'validate_files' ), 10, 1 );
add_filter( 'um_before_save_filter_submitted', array( $this, 'validate_fields_values' ), 10, 2 );
}
@@ -46,6 +47,52 @@ if ( ! class_exists( 'um\core\Validation' ) ) {
}
function validate_fields_values( $changes, $args ) {
$fields = array();
if ( ! empty( $args['custom_fields'] ) ) {
$fields = unserialize( $args['custom_fields'] );
}
foreach ( $changes as $key => $value ) {
//rating field validation
if ( isset( $fields[ $key ]['type'] ) && $fields[ $key ]['type'] == 'rating' ) {
if ( ! is_numeric( $value ) ) {
unset( $changes[ $key ] );
} else {
if ( $fields[ $key ]['number'] == 5 ) {
if ( ! in_array( $value, range( 1, 5 ) ) ) {
unset( $changes[ $key ] );
}
} elseif ( $fields[ $key ]['number'] == 10 ) {
if ( ! in_array( $value, range( 1, 10 ) ) ) {
unset( $changes[ $key ] );
}
}
}
}
//validation of correct values from options in wp-admin
if ( in_array( $fields[ $key ]['type'], array( 'select', 'radio' ) ) &&
isset( $value ) && ! empty( $fields[ $key ]['options'] ) &&
! in_array( $value, $fields[ $key ]['options'] ) ) {
unset( $changes[ $key ] );
}
//validation of correct values from options in wp-admin
//the user cannot set invalid value in the hidden input at the page
if ( in_array( $fields[ $key ]['type'], array( 'multiselect', 'checkbox' ) ) &&
isset( $value ) && ! empty( $fields[ $key ]['options'] ) ) {
$changes[ $key ] = array_intersect( $value, $fields[ $key ]['options'] );
}
}
return $changes;
}
/**
* Removes html from any string
*