Ensure all parameters values are properly sanitized

petitphp · petitphp · commit 29c4ae72e62f · 2022-09-08T18:29:23.000+02:00
diff --git a/includes/Admin/SharedBlocksListTable.php b/includes/Admin/SharedBlocksListTable.php
@@ -47,7 +47,7 @@ public function prepare_items(): void {
 		$query = new Query(
 			[
 				'per_page' => $per_page,
-				's'        => $_GET['s'] ?? '',
+				's'        => isset( $_GET['s'] ) ? sanitize_text_field( $_GET['s'] ) : '',
 				'site__in' => isset( $_GET['on_current_site'] ) ? get_current_blog_id() : '',
 			]
 		);
diff --git a/includes/Preview.php b/includes/Preview.php
@@ -35,8 +35,8 @@ public function maybe_do_preview(): void {
 
 		$site_id       = (int) ( $_GET['site_id'] ?? 0 );
 		$post_id       = (int) ( $_GET['post_id'] ?? 0 );
-		$block_id      = (string) ( $_GET['block_id'] ?? '' );
-		$request_token = (string) ( $_GET['token'] ?? '' );
+		$block_id      = isset( $_GET['block_id'] ) ? sanitize_text_field( (string) $_GET['block_id'] ) : '';
+		$request_token = isset( $_GET['token'] ) ? sanitize_text_field( (string) $_GET['token'] ) : '';
 		//phpcs:enable WordPress.Security.NonceVerification.Recommended
 
 		if ( 0 === $site_id || 0 === $post_id || '' === $block_id || '' === $request_token ) {

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ public function prepare_items(): void {`
`47`	`47`	`$query = new Query(`
`48`	`48`	`[`
`49`	`49`	`'per_page' => $per_page,`
`50`		`- 's' => $_GET['s'] ?? '',`
	`50`	`+ 's' => isset( $_GET['s'] ) ? sanitize_text_field( $_GET['s'] ) : '',`
`51`	`51`	`'site__in' => isset( $_GET['on_current_site'] ) ? get_current_blog_id() : '',`
`52`	`52`	`]`
`53`	`53`	`);`