@@ -148,7 +148,13 @@ public function add_menu_item($items)
148148 */
149149 public function process_add_form ()
150150 {
151- $ form_data = $ _POST ['mc4wp_form ' ];
151+ // phpcs:ignore WordPress.Security.NonceVerification.Missing -- nonce check is done in action dispatcher
152+ $ request = $ _POST ;
153+ if (! isset ($ request ['mc4wp_form ' ])) {
154+ wp_nonce_ays ('add_form ' );
155+ }
156+
157+ $ form_data = wp_unslash ($ request ['mc4wp_form ' ]);
152158 $ form_content = include MC4WP_PLUGIN_DIR . '/config/default-form-content.php ' ;
153159
154160 // Fix for MultiSite stripping KSES for roles other than administrator
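Review bot: The guard added at line 153 tests only `isset($request['mc4wp_form'])`, so a scalar value (e.g. `mc4wp_form=1`) passes, is unslashed at 157 and, presumably, reaches `sanitize_form_data(array $data)` further down, where the `array` type declaration would fail with a TypeError instead of the controlled stop the guard is meant to provide. Change it to `if (! isset($request['mc4wp_form']) || ! is_array($request['mc4wp_form'])) {`; the `isset`-only guard added in process_save_form in the third hunk has the same gap. Copying `$_POST` into `$request` at 152 adds nothing and could be dropped. The phpcs:ignore states that the nonce is verified by the action dispatcher, which cannot be confirmed from this hunk; process_add_form continues past the hunk.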
@@ -238,7 +244,7 @@ public function sanitize_form_data(array $data)
238244 $ data ['content ' ] = preg_replace ('/<\/?form(.|\s)*?>/i ' , '' , $ data ['content ' ]);
239245
240246 // replace lowercased name="name" to prevent 404
241- $ data ['content ' ] = str_ireplace (' name=\ "name\ " ' , ' name=\ "NAME\ " ' , $ data ['content ' ]);
247+ $ data ['content ' ] = str_ireplace (' name="name" ' , ' name="NAME" ' , $ data ['content ' ]);
242248
243249 // sanitize text fields
244250 $ data ['settings ' ]['redirect ' ] = sanitize_text_field ($ data ['settings ' ]['redirect ' ]);
@@ -282,22 +288,28 @@ public function sanitize_form_data(array $data)
282288 */
283289 public function process_save_form ()
284290 {
291+ // phpcs:disable WordPress.Security.NonceVerification.Missing -- noce check is handled in action dispatcher
285292 // save global settings (if submitted)
286293 if (isset ($ _POST ['mc4wp ' ]) && is_array ($ _POST ['mc4wp ' ])) {
287294 $ options = get_option ('mc4wp ' , []);
288- $ posted = $ _POST ['mc4wp ' ];
295+ $ posted = wp_unslash ( $ _POST ['mc4wp ' ]) ;
289296 foreach ($ posted as $ key => $ value ) {
290297 $ options [$ key ] = trim ($ value );
291298 }
292299 update_option ('mc4wp ' , $ options );
293300 }
294301
302+ if (! isset ($ _POST ['mc4wp_form_id ' ]) || ! isset ($ _POST ['mc4wp_form ' ])) {
303+ wp_nonce_ays ('save_form ' );
304+ }
305+
295306 // update form, settings and messages
296307 $ form_id = (int ) $ _POST ['mc4wp_form_id ' ];
297- $ form_data = $ _POST ['mc4wp_form ' ];
308+ $ form_data = wp_unslash ( $ _POST ['mc4wp_form ' ]) ;
298309
299310 $ this ->save_form ($ form_id , $ form_data );
300311 $ this ->messages ->flash (__ ('Form saved. ' , 'mailchimp-for-wp ' ));
312+ // phpcs:enable WordPress.Security.NonceVerification.Missing
301313 }
302314
303315 /**
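Review bot: The phpcs:disable comment at line 291 misspells `nonce` as `noce` and, unlike the single-line `phpcs:ignore` used in process_add_form, blankets the whole method until the `phpcs:enable` at 312, so any `$_POST` read added to this function later is silently exempt from the sniff; prefer `// phpcs:ignore WordPress.Security.NonceVerification.Missing -- nonce check is handled in action dispatcher` on the individual `$_POST` lines (293, 302, 307). With `$posted` now unslashed at 295, the loop at 296-298 still assumes every `mc4wp` value is a string: `trim($value)` raises a TypeError on PHP 8 for an array value (pre-existing, but a `is_string($value)` guard would make it tolerant), and the loop copies every submitted key into the option without restricting it to known settings. The `isset`-only check at 302 also accepts a non-array `mc4wp_form`, as noted on process_add_form.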
@@ -372,7 +384,7 @@ public function redirect_to_form_action()
372384 */
373385 public function show_forms_page ()
374386 {
375- $ view = ! empty ($ _GET ['view ' ]) ? $ _GET ['view ' ] : '' ;
387+ $ view = ! empty ($ _GET ['view ' ]) ? wp_unslash ( $ _GET ['view ' ]) : '' ;
376388
377389 /**
378390 * @ignore
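Review bot: `$view` at line 387 is unslashed but neither validated nor sanitized; wp_unslash() only reverses slash-escaping, so the value still carries whatever the query string held, including an array for `?view[]=x`. How `$view` is consumed lies outside the hunk, but if it reaches output or a path it needs escaping or validation there, and reading it as `$view = isset($_GET['view']) && is_string($_GET['view']) ? sanitize_text_field(wp_unslash($_GET['view'])) : '';` bounds it at the source. The `$active_tab` read added in show_edit_page (next hunk) has the same shape and additionally drops the `trim()` the old line applied; if tab identifiers are lowercase slugs, `sanitize_key(wp_unslash($_GET['tab']))` would restore trimming and restrict the value to a slug before it is handed to the required view.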
@@ -406,14 +418,8 @@ public function show_edit_page()
406418 }
407419
408420 $ opts = $ form ->settings ;
409- $ active_tab = isset ($ _GET ['tab ' ]) ? trim ($ _GET ['tab ' ]) : 'fields ' ;
410-
411- $ form_preview_url = add_query_arg (
412- [
413- 'mc4wp_preview_form ' => $ form_id ,
414- ],
415- site_url ('/ ' , 'admin ' )
416- );
421+ $ active_tab = isset ($ _GET ['tab ' ]) ? wp_unslash ($ _GET ['tab ' ]) : 'fields ' ;
422+ $ form_preview_url = add_query_arg (['mc4wp_preview_form ' => $ form_id ], site_url ('/ ' , 'admin ' ));
417423
418424 require __DIR__ . '/views/edit-form.php ' ;
419425 }
@@ -436,7 +442,7 @@ public function show_add_page()
436442 *
437443 * @since 3.0
438444 * @internal
439- * @param $tab
445+ * @param string $tab
440446 * @return string
441447 */
442448 public function tab_url ($ tab )