Merge remote-tracking branch 'origin/main'

Author: abdul-kaioum

src/Http/IpTool.php

@@ -50,20 +50,20 @@ public function user()
     private static function checkIP()
     {
         if (getenv('HTTP_CLIENT_IP')) {
-            $ip = getenv('HTTP_CLIENT_IP');
+            $ip = sanitize_text_field(getenv('HTTP_CLIENT_IP'));
         } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
-            $ip = getenv('HTTP_X_FORWARDED_FOR');
+            $ip = sanitize_text_field(getenv('HTTP_X_FORWARDED_FOR'));
         } elseif (getenv('HTTP_X_FORWARDED')) {
-            $ip = getenv('HTTP_X_FORWARDED');
+            $ip = sanitize_text_field(getenv('HTTP_X_FORWARDED'));
         } elseif (getenv('HTTP_FORWARDED_FOR')) {
-            $ip = getenv('HTTP_FORWARDED_FOR');
+            $ip = sanitize_text_field(getenv('HTTP_FORWARDED_FOR'));
         } elseif (getenv('HTTP_FORWARDED')) {
-            $ip = getenv('HTTP_FORWARDED');
+            $ip = sanitize_text_field(getenv('HTTP_FORWARDED'));
         } else {
-            $ip = $_SERVER['REMOTE_ADDR'];
+            $ip = sanitize_text_field($_SERVER['REMOTE_ADDR']);
         }
 
-        return $ip;
+       return filter_var($ip, FILTER_VALIDATE_IP);
     }
 
     /**
@@ -73,7 +73,7 @@ private static function checkDevice()
     {
         return isset(
             $_SERVER['HTTP_USER_AGENT']
-        ) ? self::getBrowserName($_SERVER['HTTP_USER_AGENT']) . '|' . self::getOS($_SERVER['HTTP_USER_AGENT']) : '';
+        ) ? self::getBrowserName(wp_kses($_SERVER['HTTP_USER_AGENT'], [])) . '|' . self::getOS(wp_kses($_SERVER['HTTP_USER_AGENT'], [])) : '';
     }
 
     /**

src/Http/Request/Request.php

@@ -103,7 +103,7 @@ public function body()
 
     public function method()
     {
-        return $_SERVER['REQUEST_METHOD'];
+        return sanitize_text_field($_SERVER['REQUEST_METHOD']);
     }
 
     public function contentType()

src/Http/Router/AjaxRouter.php

@@ -27,30 +27,35 @@ public function registerRoutes()
 
     public function addRoute(RouteRegister $route)
     {
-        if (
-            !isset($_REQUEST['action'])
-            || strpos($_REQUEST['action'], $this->_router->getAjaxPrefix()) === false
-            || !\in_array(strtoupper($_SERVER['REQUEST_METHOD']), $route->getMethods())
+
+        $requestMethod = isset($_SERVER['REQUEST_METHOD']) ? sanitize_text_field($_SERVER['REQUEST_METHOD']) : '';
+        $action = isset($_REQUEST['action']) ? sanitize_text_field($_REQUEST['action']) : '';
+
+        if (strpos($action, $this->_router->getAjaxPrefix()) === false
+            || !\in_array(strtoupper($requestMethod), $route->getMethods())
         ) {
             return;
         }
 
-        $requestPath = str_replace($this->_router->getAjaxPrefix(), '', $_REQUEST['action']);
+        $requestPath = str_replace($this->_router->getAjaxPrefix(), '', $action);
         if (!$this->isRouteMatched($route, $requestPath)) {
             return;
         }
 
-        Hooks::addAction('wp_ajax_' . $_REQUEST['action'], [$route, 'handleRequest']);
+        Hooks::addAction('wp_ajax_' . $action, [$route, 'handleRequest']);
         if ($route->isNoAuth()) {
-            Hooks::addAction('wp_ajax_nopriv_' . $_REQUEST['action'], [$route, 'handleRequest']);
+            Hooks::addAction('wp_ajax_nopriv_' . $action, [$route, 'handleRequest']);
         }
 
         $this->_router->addRegisteredRoute($this->currentRouteName(), $route);
     }
 
     public function currentRouteName()
     {
-        return $_SERVER['REQUEST_METHOD'] . $_REQUEST['action'];
+        $requestMethod = isset($_SERVER['REQUEST_METHOD']) ? sanitize_text_field($_SERVER['REQUEST_METHOD']) : '';
+        $action = isset($_REQUEST['action']) ? sanitize_text_field($_REQUEST['action']) : '';
+        
+        return $requestMethod. $action;
     }
 
     /**

src/Installer.php

@@ -111,28 +111,28 @@ public function checkRequirements()
         if (version_compare(PHP_VERSION, $this->_requirements['php'], '<')) {
             // Str From WP install script
             wp_die(
-                esc_html__(
+                esc_html(
                     sprintf(
                         // translators: 1: Current PHP version, 2: Version required by the uploaded plugin.
-                        __('The PHP version on your server is %1$s, however the uploaded plugin requires %2$s.'),
+                        'The PHP version on your server is %1$s, however the uploaded plugin requires %2$s.',
                         PHP_VERSION,
                         $this->_requirements['php']
                     )
                 ),
-                esc_html__('Requirements Not Met')
+                esc_html('Requirements Not Met')
             );
         }
 
         if (version_compare(get_bloginfo('version'), $this->_requirements['wp'], '<')) {
             wp_die(
-                esc_html__(
+                esc_html(
                     sprintf(
                         // translators: 1: Current WordPress version, 2: Version required by the uploaded plugin.
-                        __('Your WordPress version is %1$s, however the uploaded plugin requires %2$s.'),
+                        'Your WordPress version is %1$s, however the uploaded plugin requires %2$s.',
                         get_bloginfo('version'),
                         $this->_requirements['wp']
                     ),
-                    esc_html__('Requirements Not Met')
+                    esc_html('Requirements Not Met')
                 )
             );
         }