meta-box / inc / sanitizer.php
1 <?php
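/**
 * Sanitize field value before saving.
 *
 * Hooked to the 'rwmb_sanitize' filter. A sanitizer is chosen by field type unless the
 * field supplies its own 'sanitize_callback' (a callable), or 'none' to skip sanitization.
 */
class RWMB_Sanitizer {
	/**
	 * Register the sanitizer on the 'rwmb_sanitize' filter (priority 10, four arguments).
	 */
	public function init() {
		add_filter( 'rwmb_sanitize', [ $this, 'sanitize' ], 10, 4 );
	}

	/**
	 * Sanitize a field value.
	 *
	 * @param mixed $value     The submitted new value.
	 * @param array $field     The field settings.
	 * @param mixed $old_value The old field value in the database.
	 * @param int   $object_id The object ID.
	 * @return mixed The sanitized value. The raw value is returned when the field opts out
	 *               ('sanitize_callback' => 'none') or when no sanitizer exists for its type.
	 */
	public function sanitize( $value, $field, $old_value = null, $object_id = null ) {
		// Allow developers to bypass the sanitization. A missing key is not an opt-out.
		if ( 'none' === ( $field['sanitize_callback'] ?? '' ) ) {
			return $value;
		}

		$callback = $this->get_callback( $field );

		// Field types without a known sanitizer are stored as submitted.
		return is_callable( $callback ) ? call_user_func( $callback, $value, $field, $old_value, $object_id ) : $value;
	}

	/**
	 * Get sanitize callback for a field.
	 *
	 * A user-defined 'sanitize_callback' wins; otherwise the callback is looked up by type.
	 *
	 * @param array $field Field settings.
	 * @return callable|null Null when the type has no built-in sanitizer.
	 */
	private function get_callback( $field ) {
		// User-defined callback.
		$user_callback = $field['sanitize_callback'] ?? null;
		if ( is_callable( $user_callback ) ) {
			return $user_callback;
		}

		$callbacks = [
			'autocomplete'      => [ $this, 'sanitize_choice' ],
			'background'        => [ $this, 'sanitize_background' ],
			'button_group'      => [ $this, 'sanitize_choice' ],
			'checkbox'          => [ $this, 'sanitize_checkbox' ],
			'checkbox_list'     => [ $this, 'sanitize_choice' ],
			'color'             => [ $this, 'sanitize_color' ],
			'date'              => [ $this, 'sanitize_datetime' ],
			'datetime'          => [ $this, 'sanitize_datetime' ],
			'email'             => 'sanitize_email',
			'fieldset_text'     => [ $this, 'sanitize_text' ],
			'file'              => [ $this, 'sanitize_file' ],
			'file_advanced'     => [ $this, 'sanitize_object' ],
			'file_input'        => [ $this, 'sanitize_url' ],
			'file_upload'       => [ $this, 'sanitize_object' ],
			'hidden'            => 'sanitize_text_field',
			'image'             => [ $this, 'sanitize_file' ],
			'image_advanced'    => [ $this, 'sanitize_object' ],
			'image_select'      => [ $this, 'sanitize_choice' ],
			'image_upload'      => [ $this, 'sanitize_object' ],
			'key_value'         => [ $this, 'sanitize_text' ],
			'map'               => [ $this, 'sanitize_map' ],
			'number'            => [ $this, 'sanitize_number' ],
			'oembed'            => [ $this, 'sanitize_url' ],
			'osm'               => [ $this, 'sanitize_map' ],
			'password'          => 'sanitize_text_field',
			'post'              => [ $this, 'sanitize_object' ],
			'radio'             => [ $this, 'sanitize_choice' ],
			'range'             => [ $this, 'sanitize_number' ],
			'select'            => [ $this, 'sanitize_choice' ],
			'select_advanced'   => [ $this, 'sanitize_choice' ],
			'sidebar'           => [ $this, 'sanitize_text' ],
			'single_image'      => 'absint',
			'slider'            => [ $this, 'sanitize_slider' ],
			'switch'            => [ $this, 'sanitize_checkbox' ],
			'taxonomy'          => [ $this, 'sanitize_object' ],
			'taxonomy_advanced' => [ $this, 'sanitize_taxonomy_advanced' ],
			'text'              => 'sanitize_text_field',
			'text_list'         => [ $this, 'sanitize_text' ],
			'textarea'          => 'wp_kses_post',
			'time'              => 'sanitize_text_field',
			'url'               => [ $this, 'sanitize_url' ],
			'user'              => [ $this, 'sanitize_object' ],
			'video'             => [ $this, 'sanitize_object' ],
			'wysiwyg'           => 'wp_kses_post',
		];

		$type = $field['type'] ?? '';

		return $callbacks[ $type ] ?? null;
	}

	/**
	 * Set the value of checkbox to 1 or 0 instead of 'checked' and empty string.
	 * This prevents using default value once the checkbox has been unchecked.
	 *
	 * @link https://github.com/rilwis/meta-box/issues/6
	 * @param string $value Checkbox value.
	 * @return int 1 when the value is non-empty, 0 otherwise.
	 */
	private function sanitize_checkbox( $value ): int {
		return (int) ! empty( $value );
	}

	/**
	 * Sanitize numeric value.
	 *
	 * @param string $value The number value.
	 * @return string The value unchanged when it is numeric, '' otherwise.
	 */
	private function sanitize_number( $value ) {
		return is_numeric( $value ) ? $value : '';
	}

	/**
	 * Sanitize a color value: hex, rgb()/rgba(), or hsl()/hsla().
	 *
	 * Hex colors go through sanitize_hex_color(). rgb()/rgba() values are rebuilt from the
	 * parsed numeric channels only. hsl()/hsla() values are kept as written but must be a
	 * single hsl()/hsla() function whose argument list contains only word characters,
	 * whitespace, '.', ',', '%', '/' and '-' — quotes, angle brackets, semicolons and nested
	 * parentheses are rejected, so the stored value cannot break out of a CSS rule or a
	 * style attribute when printed.
	 *
	 * @param string $value The submitted color.
	 * @return string The sanitized color, or '' when the value is not a recognized color.
	 */
	private function sanitize_color( $value ): string {
		if ( ! is_scalar( $value ) ) {
			return '';
		}
		$value = trim( wp_unslash( (string) $value ) );

		if ( 0 === stripos( $value, 'hsl' ) ) {
			return preg_match( '~\A hsla? \( [\w\s.,%/-]* \) \z~ix', $value ) ? $value : '';
		}

		if ( ! str_contains( $value, 'rgb' ) ) {
			// sanitize_hex_color() returns null for anything other than #rgb / #rrggbb.
			return sanitize_hex_color( $value ) ?? '';
		}

		// rgb()/rgba(): only the parsed numbers make it into the output.
		$red   = '';
		$green = '';
		$blue  = '';
		$alpha = 1;

		if ( str_contains( $value, 'rgba' ) ) {
			$assigned = sscanf( $value, 'rgba(%d,%d,%d,%f)', $red, $green, $blue, $alpha );
		} else {
			$assigned = sscanf( $value, 'rgb(%d,%d,%d)', $red, $green, $blue );
		}

		// Fewer than three channels parsed: not a color, do not store a partial rgba().
		if ( (int) $assigned < 3 ) {
			return '';
		}
		// rgba() without a parsable alpha: fall back to opaque.
		$alpha = $alpha ?? 1;

		return 'rgba(' . $red . ',' . $green . ',' . $blue . ',' . $alpha . ')';
	}

	/**
	 * Sanitize value for a choice field.
	 *
	 * Keeps only submitted values that are among the field's option values. Arrays are
	 * intersected with the option values (string comparison); a scalar is kept when
	 * in_array() finds it (non-strict, so a submitted '1' matches an integer option 1).
	 *
	 * @param string|array $value The submitted value.
	 * @param array        $field The field settings.
	 * @return string|array
	 */
	private function sanitize_choice( $value, $field ) {
		$options = RWMB_Choice_Field::transform_options( $field['options'] );
		$options = wp_list_pluck( $options, 'value' );
		$value   = wp_unslash( $value );

		if ( is_array( $value ) ) {
			return array_intersect( $value, $options );
		}

		return in_array( $value, $options ) ? $value : '';
	}

	/**
	 * Sanitize object & media field (IDs).
	 *
	 * @param int|array $value The submitted value.
	 * @return int|array Positive integers only; zero entries are dropped from arrays,
	 *                   and an empty scalar yields ''.
	 */
	private function sanitize_object( $value ) {
		if ( is_array( $value ) ) {
			return array_filter( array_map( 'absint', $value ) );
		}

		return $value ? absint( $value ) : '';
	}

	/**
	 * Sanitize background field.
	 *
	 * @param array $value The submitted value.
	 * @return array All six keys present; keyword fields are reset to '' when not in the allow-list.
	 */
	private function sanitize_background( $value ) {
		$value = wp_parse_args( $value, [
			'color'      => '',
			'image'      => '',
			'repeat'     => '',
			'attachment' => '',
			'position'   => '',
			'size'       => '',
		] );

		$value['color'] = $this->sanitize_color( $value['color'] );
		$value['image'] = $this->sanitize_url( $value['image'] );

		// Strict in_array(): a non-string (e.g. a crafted array) never matches and is dropped.
		$allowed = [
			'repeat'     => [ 'no-repeat', 'repeat', 'repeat-x', 'repeat-y', 'inherit' ],
			'position'   => [ 'top left', 'top center', 'top right', 'center left', 'center center', 'center right', 'bottom left', 'bottom center', 'bottom right' ],
			'attachment' => [ 'fixed', 'scroll', 'inherit' ],
			'size'       => [ 'inherit', 'cover', 'contain' ],
		];
		foreach ( $allowed as $key => $keywords ) {
			$value[ $key ] = in_array( $value[ $key ], $keywords, true ) ? $value[ $key ] : '';
		}

		return $value;
	}

	/**
	 * Sanitize text field (recursively for arrays).
	 *
	 * @param string|array $value The submitted value.
	 * @return string|array
	 */
	private function sanitize_text( $value ) {
		return is_array( $value ) ? array_map( __METHOD__, $value ) : sanitize_text_field( $value );
	}

	/**
	 * Sanitize file, image field.
	 *
	 * With a custom 'upload_dir' the values are URLs; otherwise they are attachment IDs.
	 *
	 * @param array $value The submitted value.
	 * @param array $field The field settings.
	 * @return array
	 */
	private function sanitize_file( $value, $field ) {
		if ( ! empty( $field['upload_dir'] ) ) {
			// Cast so a malformed (non-array) submission does not raise a TypeError.
			return array_map( 'esc_url_raw', (array) $value );
		}

		return $this->sanitize_object( $value );
	}

	/**
	 * Sanitize slider field.
	 *
	 * A range slider submits a text value (two numbers); a plain slider submits one number.
	 *
	 * @param mixed $value The submitted value.
	 * @param array $field The field settings.
	 * @return string|int|float
	 */
	private function sanitize_slider( $value, $field ) {
		$is_range = ( true === ( $field['js_options']['range'] ?? false ) );

		return $is_range ? sanitize_text_field( $value ) : $this->sanitize_number( $value );
	}

	/**
	 * Sanitize datetime field.
	 *
	 * @param mixed $value The submitted value.
	 * @param array $field The field settings.
	 * @return float|string A float when the field stores timestamps, sanitized text otherwise.
	 */
	private function sanitize_datetime( $value, $field ) {
		if ( ! empty( $field['timestamp'] ) ) {
			// Only scalars are meaningful as a timestamp; anything else becomes ''.
			return is_scalar( $value ) ? (float) $value : '';
		}

		return sanitize_text_field( $value );
	}

	/**
	 * Sanitize map / OSM field.
	 *
	 * @param string $value "latitude,longitude,zoom" as submitted.
	 * @return string "latitude,longitude,zoom" with numeric components (missing ones become 0).
	 */
	private function sanitize_map( $value ): string {
		$value = sanitize_text_field( $value );
		// Pad with two commas so explode() always yields at least three parts.
		list( $latitude, $longitude, $zoom ) = explode( ',', $value . ',,' );

		$latitude  = (float) $latitude;
		$longitude = (float) $longitude;
		$zoom      = (int) $zoom;

		return "$latitude,$longitude,$zoom";
	}

	/**
	 * Sanitize taxonomy_advanced field (comma-separated term IDs).
	 *
	 * @param string|array $value The submitted value.
	 * @return string Comma-separated positive integers.
	 */
	private function sanitize_taxonomy_advanced( $value ): string {
		return implode( ',', wp_parse_id_list( $value ) );
	}

	/**
	 * Sanitize a URL.
	 *
	 * @param string $value The submitted value.
	 * @return string The escaped URL, or '' for a non-scalar submission.
	 */
	private function sanitize_url( $value ): string {
		if ( ! is_scalar( $value ) ) {
			return '';
		}

		return esc_url_raw( (string) $value );
	}
}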