fix: prevent cross site scripting

Author: girishpanchal30

classes/Visualizer/Gutenberg/Block.php

@@ -596,12 +596,15 @@ public function update_chart_data( $data ) {
 			}
 			$chart_type = sanitize_text_field( $data['visualizer-chart-type'] );
 			$source_type = sanitize_text_field( $data['visualizer-source'] );
+			$default_data  = (int) $data['visualizer-default-data'];
+			$series_data   = map_deep( $data['visualizer-series'], 'sanitize_text_field' );
+			$settings_data = map_deep( $data['visualizer-settings'], 'sanitize_text_field' );
 
 			update_post_meta( $data['id'], Visualizer_Plugin::CF_CHART_TYPE, $chart_type );
 			update_post_meta( $data['id'], Visualizer_Plugin::CF_SOURCE, $source_type );
-			update_post_meta( $data['id'], Visualizer_Plugin::CF_DEFAULT_DATA, $data['visualizer-default-data'] );
-			update_post_meta( $data['id'], Visualizer_Plugin::CF_SERIES, $data['visualizer-series'] );
-			update_post_meta( $data['id'], Visualizer_Plugin::CF_SETTINGS, $data['visualizer-settings'] );
+			update_post_meta( $data['id'], Visualizer_Plugin::CF_DEFAULT_DATA, $default_data );
+			update_post_meta( $data['id'], Visualizer_Plugin::CF_SERIES, $series_data );
+			update_post_meta( $data['id'], Visualizer_Plugin::CF_SETTINGS, $settings_data );
 
 			if ( $data['visualizer-chart-url'] && $data['visualizer-chart-schedule'] >= 0 ) {
 				$chart_url = esc_url_raw( $data['visualizer-chart-url'] );
@@ -628,8 +631,8 @@ public function update_chart_data( $data ) {
 				}
 
 				if ( 'Visualizer_Source_Csv_Remote' === $source_type ) {
-					$schedule_url = $data['visualizer-chart-url'];
-					$schedule_id  = $data['visualizer-chart-schedule'];
+					$schedule_url = esc_url_raw( $data['visualizer-chart-url'] );
+					$schedule_id  = intval( $data['visualizer-chart-schedule'] );
 					update_post_meta( $data['id'], Visualizer_Plugin::CF_CHART_URL, $schedule_url );
 					update_post_meta( $data['id'], Visualizer_Plugin::CF_CHART_SCHEDULE, $schedule_id );
 				} else {
@@ -642,8 +645,8 @@ public function update_chart_data( $data ) {
 				$json_schedule = intval( $data['visualizer-json-schedule'] );
 				$json_url = esc_url_raw( $data['visualizer-json-url'] );
 				$json_headers = esc_url_raw( $data['visualizer-json-headers'] );
-				$json_root = $data['visualizer-json-root'];
-				$json_paging = $data['visualizer-json-paging'];
+				$json_root   = sanitize_text_field( $data['visualizer-json-root'] );
+				$json_paging = sanitize_text_field( $data['visualizer-json-paging'] );
 
 				update_post_meta( $data['id'], Visualizer_Plugin::CF_JSON_SCHEDULE, $json_schedule );
 				update_post_meta( $data['id'], Visualizer_Plugin::CF_JSON_URL, $json_url );
@@ -664,7 +667,8 @@ public function update_chart_data( $data ) {
 			}
 
 			if ( Visualizer_Module::is_pro() ) {
-				update_post_meta( $data['id'], Visualizer_PRO::CF_PERMISSIONS, $data['visualizer-permissions'] );
+				$permissions_data = map_deep( $data['visualizer-permissions'], 'sanitize_text_field' );
+				update_post_meta( $data['id'], Visualizer_PRO::CF_PERMISSIONS, $permissions_data );
 			}
 
 			if ( $data['visualizer-chart-url'] ) {

classes/Visualizer/Module/Chart.php

@@ -379,7 +379,7 @@ public function getCharts() {
 	 *
 	 * @return array The array of chart data.
 	 */
-	private function _getChartArray( ?WP_Post $chart = null ) {
+	private function _getChartArray( $chart = null ) {
 		if ( is_null( $chart ) ) {
 			$chart = $this->_chart;
 		}