Add some missing sanitisation and output escapes

Thanks plugins@wordpress.org for pointing these out!

Author: Antti Kuosmanen

classes/class-cpt-wplf-form.php

@@ -389,7 +389,14 @@ function save_cpt( $post_id ) {
 
     // save title format
     if ( isset( $_POST['wplf_title_format'] ) ) {
-      update_post_meta( $post_id, '_wplf_title_format', $_POST['wplf_title_format'] );
+      $safe_title_format = $_POST['wplf_title_format']; // TODO: are there any applicable sanitize functions?
+
+      // A typical title format will include characters like <, >, %, -.
+      // which means all sanitize_* fuctions will probably mess with the field
+      // The only place the title formats are displayed are within value=""
+      // attributes where of course they are escaped using esc_attr() so it
+      // should be fine to save the meta field without further sanitisaton
+      update_post_meta( $post_id, '_wplf_title_format', $safe_title_format );
     }
   }
 
@@ -419,8 +426,8 @@ function wplf_form( $id , $content = '', $xclass = '' ) {
 ?>
 <form class="libre-form libre-form-<?php echo $id . ' ' . $xclass; ?>">
   <?php echo apply_filters( 'wplf_form', $content ); ?>
-  <input type="hidden" name="referrer" value="<?php echo get_the_permalink(); ?>">
-  <input type="hidden" name="_form_id" value="<?php echo $id; ?>">
+  <input type="hidden" name="referrer" value="<?php the_permalink(); ?>">
+  <input type="hidden" name="_form_id" value="<?php esc_attr_e( $id ); ?>">
 </form>
 <?php
       $output = ob_get_clean();

classes/class-cpt-wplf-submission.php

@@ -75,13 +75,13 @@ public static function register_cpt() {
   function custom_columns_display_cpt( $column, $post_id ) {
     if( 'referrer' === $column ) {
       if( $referrer = get_post_meta($post_id, 'referrer', true) ) {
-        echo '<a href="' . esc_url( $referrer ) . '">' . $referrer . '</a>';
+        echo '<a href="' . esc_url_raw( $referrer ) . '">' . esc_url( $referrer ) . '</a>';
       }
     }
     if( 'form' === $column ) {
       if( $form_id = get_post_meta($post_id, '_form_id', true) ) {
         $form = get_post( $form_id );
-        echo '<a href="' . get_edit_post_link( $form_id, '' ) . '" target="_blank">' . $form->post_title . '</a>';
+        echo '<a href="' . get_edit_post_link( $form_id, '' ) . '" target="_blank">' . esc_html( $form->post_title ) . '</a>';
       }
     }
   }
@@ -186,9 +186,9 @@ function metabox_submission() {
         <tr>
           <th><strong><?php echo $field; ?></strong></th>
           <?php if( strlen( $value ) > 60 || strpos( $value, "\n" ) ) : ?>
-          <td><textarea style="width:100%" readonly><?php echo $value; ?></textarea></td>
+          <td><textarea style="width:100%" readonly><?php echo esc_textarea( $value ); ?></textarea></td>
           <?php else : ?>
-          <td><input style="width:100%" type="text" value="<?php echo $value; ?>" readonly></td>
+          <td><input style="width:100%" type="text" value="<?php esc_attr_e( $value ); ?>" readonly></td>
           <?php endif; ?>
         </tr>
         <?php endif; ?>

inc/wplf-ajax.php

@@ -13,13 +13,12 @@ function wplf_ajax_submit_handler() {
   do_action('wplf_pre_validate_submission');
 
   // validate form fields
-  // see wplf-form-validation.php
+  // @see: wplf-form-validation.php
   $return = apply_filters( 'wplf_validate_submission', $return );
 
   if( $return->ok ) {
-
     // form existence has already been validated via filters
-    $form = get_post( $_POST['_form_id'] );
+    $form = get_post( intval( $_POST['_form_id'] ) );
 
     // the title is the value of whatever the first field was in the form
     $title_format = get_post_meta( $form->ID, '_wplf_title_format', true );
@@ -31,7 +30,7 @@ function wplf_ajax_submit_handler() {
     foreach($toks[1] as $tok) {
       $replace = '';
       if( array_key_exists( $tok, $_POST ) ) {
-        $replace = $_POST[$tok];
+        $replace = sanitize_text_field( $_POST[$tok] );
       }
       $post_title = preg_replace('/%.+?%/', $replace, $post_title, 1);
     }

inc/wplf-form-actions.php

@@ -3,17 +3,17 @@
 /**
  * Send a copy of the form fields email if feature is enabled
  */
-add_action( 'wplf_post_validate_submission', 'wplf_send_email_copy' );
+add_action( 'wplf_post_validate_submission', 'wplf_send_email_copy', 20 );
 function wplf_send_email_copy( $return ) {
   // do nothing if form validation failed
   if( ! $return->ok ) {
     return;
   }
 
-  $form_id = $_POST['_form_id'];
-  $form_title = get_the_title( $form_id );
+  $form_id = intval( $_POST['_form_id'] ); // _form_id is already validated and we know it exists by this point
+  $form_title = esc_html( get_the_title( $form_id ) );
   $form_meta = get_post_meta( $form_id );
-  $referrer = $_POST['referrer'];
+  $referrer = esc_url_raw( $_POST['referrer'] );
 
   if( isset($form_meta['_wplf_email_copy_enabled']) && $form_meta['_wplf_email_copy_enabled'][0] ) {
     $to = isset($form_meta['_wplf_email_copy_to']) ? $form_meta['_wplf_email_copy_to'][0] : get_option( 'admin_email' );

inc/wplf-form-validation.php

@@ -10,7 +10,7 @@ function wplf_validate_form_exists( $return ) {
     return $return;
   }
 
-  if( ! isset($_POST['_form_id']) || 'publish' != get_post_status( $_POST['_form_id'] ) || 'wplf-form' != get_post_type( $_POST['_form_id'] ) ) {
+  if( ! isset( $_POST['_form_id'] ) || ! is_numeric( $_POST['_form_id'] ) || 'publish' != get_post_status( $_POST['_form_id'] ) || 'wplf-form' != get_post_type( $_POST['_form_id'] ) ) {
     $return->ok = 0;
     $return->error = sprintf( __("Form id %d doesn't exist!", 'wp-libre-form'), intval( $_POST['_form_id'] ) );
   }

readme.md

@@ -66,9 +66,11 @@ function my_email_thankyou( $return ) {
     return;
   }
 
-  $to = '"' . $_POST['name'] . '" <' . sanitize_email( $_POST['email'] ) . '>';
+  $name = sanitize_text_field( $_POST['name'] );
+  $email = sanitize_email( $_POST['email'] );
+  $to = '"' . $name . '" <' . $email . '>';
   $subject = __( 'Thank You For Submitting A Form' );
-  $content = wp_sprintf( __('Thanks, %s for clicking Submit on this glorious HTML5 Form!'), $_POST['name'] );
+  $content = wp_sprintf( __('Thanks, %s for clicking Submit on this glorious HTML5 Form!'), $name );
   wp_mail( $to, $subject, $content );
 }
 ```