Sanitize option names in admin save

john-shaffer · john-shaffer · commit d828910b6ae2 · 2025-10-01T13:44:45.000-05:00
diff --git a/src/Options.php b/src/Options.php
@@ -634,7 +634,12 @@ public static function saveFromAdmin(
         foreach ( $option_specs as $option_spec ) {
             $name = $option_spec->name;
             // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification is handled by calling function
-            $v = $_POST[ $name ] ?? '';
+            if ( isset( $_POST[ $name ] ) ) {
+                // phpcs:ignore WordPress.Security.NonceVerification.Missing
+                $v = sanitize_text_field( wp_unslash( $_POST[ $name ] ) );
+            } else {
+                $v = '';
+            }
             OptionData::fromUserInput( $option_spec, $v )->save();
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -634,7 +634,12 @@ public static function saveFromAdmin(`
`634`	`634`	`foreach ( $option_specs as $option_spec ) {`
`635`	`635`	`$name = $option_spec->name;`
`636`	`636`	`// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification is handled by calling function`
`637`		`- $v = $_POST[ $name ] ?? '';`
	`637`	`+ if ( isset( $_POST[ $name ] ) ) {`
	`638`	`+ // phpcs:ignore WordPress.Security.NonceVerification.Missing`
	`639`	`+ $v = sanitize_text_field( wp_unslash( $_POST[ $name ] ) );`
	`640`	`+ } else {`
	`641`	`+ $v = '';`
	`642`	`+ }`
`638`	`643`	`OptionData::fromUserInput( $option_spec, $v )->save();`
`639`	`644`	`}`
`640`	`645`	`}`