fix(phpcs): Add sanitization for required input data.

Author: Akash-Raj-ST

src/inc/api/class-part.php

@@ -158,7 +158,7 @@ public function maybe_process_update() {
 		if ( ! isset( $_POST['_wpnonce'] ) ) {
 			return false;
 		}
-		$wpnonce = ( isset( $_POST['submit'] ) && isset( $_POST['_wpnonce'] ) ) ? filter_input( INPUT_POST, '_wpnonce' ) : null;
+		$wpnonce = ( isset( $_POST['submit'] ) && isset( $_POST['_wpnonce'] ) ) ? sanitize_text_field( $_POST['_wpnonce'] ) : null;
 
 		// Only allow class to be used by panel OR encrypted pwds never updated after insert.
 		if ( empty( $wpnonce ) || wp_verify_nonce( $wpnonce ) ) {
@@ -251,15 +251,15 @@ public function input_value( $type, $established_data, $use_data_value = false )
 	 * @return bool|string
 	 */
 	public function run_save_process() {
-		$nonce               = ( isset( $_POST['submit'] ) && isset( $_POST['_wpnonce'] ) ) ? filter_input( INPUT_POST, '_wpnonce' ) : null;
+		$nonce               = ( isset( $_POST['submit'] ) && isset( $_POST['_wpnonce'] ) ) ? sanitize_text_field( $_POST['_wpnonce'] ) : null;
 		$page_slug_as_action = $this->section->panel->page->slug;
 		if ( empty( $nonce ) || false === wp_verify_nonce( $nonce, $page_slug_as_action ) ) {
 			return false; // Only run logic if asked to run & auth'd by nonce.
 		}
 
 		$type = ( ! empty( $this->field_type ) ) ? $this->field_type : $this->input_type;
 
-		$field_input = isset( $_POST[ $this->id ] ) ? filter_input( INPUT_POST, $this->id ) : false;
+		$field_input = isset( $_POST[ $this->id ] ) ? sanitize_text_field( $_POST[ $this->id ] ) : false;
 
 		$sanitize_input = $this->sanitize_data_input( $type, $this->id, $field_input );
 
@@ -311,7 +311,7 @@ protected function sanitize_data_input( $input_type, $id, $value ) {
 		if ( ! isset( $_POST['_wpnonce'] ) ) {
 			return false;
 		}
-		$wpnonce = ( isset( $_POST['submit'] ) && isset( $_POST['_wpnonce'] ) ) ? filter_input( INPUT_POST, '_wpnonce' ) : null;
+		$wpnonce = ( isset( $_POST['submit'] ) && isset( $_POST['_wpnonce'] ) ) ? sanitize_text_field( $_POST['_wpnonce'] ) : null;
 
 		// Only allow class to be used by panel OR encrypted pwds never updated after insert.
 		if ( empty( $wpnonce ) || wp_verify_nonce( $wpnonce ) ) {
@@ -320,7 +320,7 @@ protected function sanitize_data_input( $input_type, $id, $value ) {
 
 		switch ( $input_type ) {
 			case 'password':
-				$hidden_pwd_field = isset( $_POST[ 'stored_' . $id ] ) ? filter_input( INPUT_POST, 'stored_' . $id ) : null;
+				$hidden_pwd_field = isset( $_POST[ 'stored_' . $id ] ) ? sanitize_text_field( $_POST[ 'stored_' . $id ] ) : null;
 
 				if ( $hidden_pwd_field === $value && ! empty( $value ) ) {
 					return '### wpop-encrypted-pwd-field-val-unchanged ###';

src/inc/api/class-update.php

@@ -15,7 +15,7 @@
  */
 class Update {
 	/**
-	 * Update constructor.
+	 * Save data wrapper for nonce check.
 	 *
 	 * @param string $page_slug Page URL.
 	 * @param string $type      Type.
@@ -31,7 +31,7 @@ public function get_save_data( $page_slug, $type, $key, $value, $obj_id = null,
 		if ( ! isset( $_POST['_wpnonce'] ) ) {
 			return false;
 		}
-		$wpnonce = isset( $_POST['_wpnonce'] ) ? filter_input( INPUT_POST, '_wpnonce' ) : null;
+		$wpnonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( $_POST['_wpnonce'] ) : null;
 
 		// Only allow class to be used by panel OR encrypted pwds never updated after insert.
 		if ( ! wp_verify_nonce( $wpnonce, $page_slug ) || '### wpop-encrypted-pwd-field-val-unchanged ###' === $value ) {

src/inc/class-page.php

@@ -239,8 +239,12 @@ public function build_parts() {
 					/**
 					 * Print WordPress Notices with Panel Information
 					 */
-					if ( ! empty( filter_input( INPUT_GET, 'submit' ) ) ) {
-						$this->echo_notifications();
+					if ( isset( $_GET['submit'] ) && isset( $_GET['_wpnonce'] ) ) {
+						$nonce = sanitize_text_field( $_GET['_wpnonce'] );
+
+						if ( wp_verify_nonce( $nonce, $this->slug ) ) {
+							$this->echo_notifications();
+						}
 					}
 
 					$this->page_header();

src/inc/fields/class-multiselect.php

@@ -77,14 +77,15 @@ public function __construct( &$section, $i, $m ) {
 	 * @return bool|string
 	 */
 	public function run_save_process() {
-		$nonce = ( isset( $_POST['submit'] ) && isset( $_POST['_wpnonce'] ) ) ? filter_input( INPUT_POST, '_wpnonce' ) : null;
+		$nonce = ( isset( $_POST['submit'] ) && isset( $_POST['_wpnonce'] ) ) ? sanitize_text_field( $_POST['_wpnonce'] ) : null;
 		if ( empty( $nonce ) || false === wp_verify_nonce( $nonce, $this->section->panel->page->slug ) ) {
 			return false; // Only run logic if asked to run & auth'd by nonce.
 		}
 
 		$type = ( ! empty( $this->field_type ) ) ? $this->field_type : $this->input_type;
 
-		$field_input = isset( $_POST[ $this->id ] ) ? filter_input( INPUT_POST, $this->id, FILTER_DEFAULT, FILTER_REQUIRE_ARRAY ) : false;
+		// Sanitized in the next line. 
+		$field_input = isset( $_POST[ $this->id ] ) ? filter_input( INPUT_POST, $this->id, FILTER_DEFAULT, FILTER_REQUIRE_ARRAY ) : false; // phpcs:ignore WordPressVIPMinimum.Security.PHPFilterFunctions.RestrictedFilter 
 
 		$sanitize_input = $this->sanitize_data_input( $type, $this->id, $field_input );
 

src/inc/page-parts/class-panel.php

@@ -214,10 +214,10 @@ public function __toString() {
 	public function detect_data_api_and_permissions() {
 		$api = null;
 
-		$page = array_key_exists( 'page', $_GET ) ? filter_input( INPUT_GET, 'page' ) : null;
-		$post = array_key_exists( 'post', $_GET ) ? filter_input( INPUT_GET, 'post' ) : null;
-		$user = array_key_exists( 'user', $_GET ) ? filter_input( INPUT_GET, 'user' ) : null;
-		$term = array_key_exists( 'term', $_GET ) ? filter_input( INPUT_GET, 'term' ) : null;
+		$page = array_key_exists( 'page', $_GET ) ? filter_input( INPUT_GET, 'page', FILTER_VALIDATE_INT ) : null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$post = array_key_exists( 'post', $_GET ) ? filter_input( INPUT_GET, 'post', FILTER_VALIDATE_INT ) : null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$user = array_key_exists( 'user', $_GET ) ? filter_input( INPUT_GET, 'user', FILTER_VALIDATE_INT ) : null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$term = array_key_exists( 'term', $_GET ) ? filter_input( INPUT_GET, 'term', FILTER_VALIDATE_INT ) : null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 
 		if ( ! empty( $page ) ) {
 			if ( isset( $post ) && absint( $post ) ) {
@@ -281,11 +281,11 @@ public function detect_data_api_and_permissions() {
 	public function maybe_capture_wp_object_id() {
 		switch ( $this->api ) {
 			case 'post':
-				return array_key_exists( 'post', $_GET ) ? filter_input( INPUT_GET, 'post' ) : null;
+				return array_key_exists( 'post', $_GET ) ? filter_input( INPUT_GET, 'post', FILTER_VALIDATE_INT ) : null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			case 'user':
-				return array_key_exists( 'user', $_GET ) ? filter_input( INPUT_GET, 'user' ) : null;
+				return array_key_exists( 'user', $_GET ) ? filter_input( INPUT_GET, 'user', FILTER_VALIDATE_INT ) : null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			case 'term':
-				return array_key_exists( 'term', $_GET ) ? filter_input( INPUT_GET, 'term' ) : null;
+				return array_key_exists( 'term', $_GET ) ? filter_input( INPUT_GET, 'term', FILTER_VALIDATE_INT ) : null; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			default:
 				return null;
 		}