fix: esc

abdul-kaioum · abdul-kaioum · commit 8fe1348c46ee · 2026-05-11T09:26:49.000+06:00
diff --git a/backend/app/Providers/AccessControlProvider.php b/backend/app/Providers/AccessControlProvider.php
@@ -218,7 +218,7 @@ public function scanFile($command, $args)
         }
 
         if (\count($this->scannedResult) > 0) {
-            throw new PreCommandException(wp_strip_all_tags(implode('. >> ', $this->scannedResult)));
+            throw new PreCommandException(esc_html(implode('. >> ', $this->scannedResult)));
         }
     }
 
diff --git a/backend/app/Providers/FileEditValidator.php b/backend/app/Providers/FileEditValidator.php
@@ -41,7 +41,7 @@ public function checkSyntax($content, $realFile)
         if ($wpError instanceof WP_Error) {
             $message = $wpError->get_error_message();
 
-            throw new PreCommandException(wp_strip_all_tags($message));
+            throw new PreCommandException(esc_html($message));
         }
     }
 
diff --git a/backend/app/Providers/PhpSyntaxChecker.php b/backend/app/Providers/PhpSyntaxChecker.php
@@ -91,7 +91,8 @@ private function loopbackRequest()
         // Include Basic auth in loopback requests.
         if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
             $headers['Authorization'] = 'Basic ' . base64_encode(
-                wp_unslash($_SERVER['PHP_AUTH_USER']) . ':' . wp_unslash($_SERVER['PHP_AUTH_PW'])
+                // phpcs:disable WordPress.Security.ValidatedSanitizedInput -- We need to sanitize the username, but the password should be left as-is.
+                sanitize_user(wp_unslash($_SERVER['PHP_AUTH_USER'])) . ':' . wp_unslash($_SERVER['PHP_AUTH_PW'])
             );
         }
 

Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,7 @@ public function scanFile($command, $args)`
`218`	`218`	`}`
`219`	`219`
`220`	`220`	`if (\count($this->scannedResult) > 0) {`
`221`		`- throw new PreCommandException(wp_strip_all_tags(implode('. >> ', $this->scannedResult)));`
	`221`	`+ throw new PreCommandException(esc_html(implode('. >> ', $this->scannedResult)));`
`222`	`222`	`}`
`223`	`223`	`}`
`224`	`224`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ public function checkSyntax($content, $realFile)`
`41`	`41`	`if ($wpError instanceof WP_Error) {`
`42`	`42`	`$message = $wpError->get_error_message();`
`43`	`43`
`44`		`- throw new PreCommandException(wp_strip_all_tags($message));`
	`44`	`+ throw new PreCommandException(esc_html($message));`
`45`	`45`	`}`
`46`	`46`	`}`
`47`	`47`
Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,8 @@ private function loopbackRequest()`
`91`	`91`	`// Include Basic auth in loopback requests.`
`92`	`92`	`if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {`
`93`	`93`	`$headers['Authorization'] = 'Basic ' . base64_encode(`
`94`		`- wp_unslash($_SERVER['PHP_AUTH_USER']) . ':' . wp_unslash($_SERVER['PHP_AUTH_PW'])`
	`94`	`+ // phpcs:disable WordPress.Security.ValidatedSanitizedInput -- We need to sanitize the username, but the password should be left as-is.`
	`95`	`+ sanitize_user(wp_unslash($_SERVER['PHP_AUTH_USER'])) . ':' . wp_unslash($_SERVER['PHP_AUTH_PW'])`
`95`	`96`	`);`
`96`	`97`	`}`
`97`	`98`