Merge pull request #1248 from Codeinwp/bugfix/pro/515

vytisbulkevicius · web-flow · commit 7421bf5865c9 · 2026-03-03T19:57:51.000+02:00
Prevent cross site scripting
diff --git a/classes/Visualizer/Gutenberg/Block.php b/classes/Visualizer/Gutenberg/Block.php
@@ -596,12 +596,15 @@ public function update_chart_data( $data ) {
 			}
 			$chart_type = sanitize_text_field( $data['visualizer-chart-type'] );
 			$source_type = sanitize_text_field( $data['visualizer-source'] );
+			$default_data  = (int) $data['visualizer-default-data'];
+			$series_data   = map_deep( $data['visualizer-series'], array( $this, 'sanitize_value' ) );
+			$settings_data = map_deep( $data['visualizer-settings'], array( $this, 'sanitize_value' ) );
 
 			update_post_meta( $data['id'], Visualizer_Plugin::CF_CHART_TYPE, $chart_type );
 			update_post_meta( $data['id'], Visualizer_Plugin::CF_SOURCE, $source_type );
-			update_post_meta( $data['id'], Visualizer_Plugin::CF_DEFAULT_DATA, $data['visualizer-default-data'] );
-			update_post_meta( $data['id'], Visualizer_Plugin::CF_SERIES, $data['visualizer-series'] );
-			update_post_meta( $data['id'], Visualizer_Plugin::CF_SETTINGS, $data['visualizer-settings'] );
+			update_post_meta( $data['id'], Visualizer_Plugin::CF_DEFAULT_DATA, $default_data );
+			update_post_meta( $data['id'], Visualizer_Plugin::CF_SERIES, $series_data );
+			update_post_meta( $data['id'], Visualizer_Plugin::CF_SETTINGS, $settings_data );
 
 			if ( $data['visualizer-chart-url'] && $data['visualizer-chart-schedule'] >= 0 ) {
 				$chart_url = esc_url_raw( $data['visualizer-chart-url'] );
@@ -628,8 +631,8 @@ public function update_chart_data( $data ) {
 				}
 
 				if ( 'Visualizer_Source_Csv_Remote' === $source_type ) {
-					$schedule_url = $data['visualizer-chart-url'];
-					$schedule_id  = $data['visualizer-chart-schedule'];
+					$schedule_url = esc_url_raw( $data['visualizer-chart-url'] );
+					$schedule_id  = intval( $data['visualizer-chart-schedule'] );
 					update_post_meta( $data['id'], Visualizer_Plugin::CF_CHART_URL, $schedule_url );
 					update_post_meta( $data['id'], Visualizer_Plugin::CF_CHART_SCHEDULE, $schedule_id );
 				} else {
@@ -642,8 +645,8 @@ public function update_chart_data( $data ) {
 				$json_schedule = intval( $data['visualizer-json-schedule'] );
 				$json_url = esc_url_raw( $data['visualizer-json-url'] );
 				$json_headers = esc_url_raw( $data['visualizer-json-headers'] );
-				$json_root = $data['visualizer-json-root'];
-				$json_paging = $data['visualizer-json-paging'];
+				$json_root   = sanitize_text_field( $data['visualizer-json-root'] );
+				$json_paging = sanitize_text_field( $data['visualizer-json-paging'] );
 
 				update_post_meta( $data['id'], Visualizer_Plugin::CF_JSON_SCHEDULE, $json_schedule );
 				update_post_meta( $data['id'], Visualizer_Plugin::CF_JSON_URL, $json_url );
@@ -664,7 +667,8 @@ public function update_chart_data( $data ) {
 			}
 
 			if ( Visualizer_Module::is_pro() ) {
-				update_post_meta( $data['id'], Visualizer_Pro::CF_PERMISSIONS, $data['visualizer-permissions'] );
+				$permissions_data = map_deep( $data['visualizer-permissions'], array( $this, 'sanitize_value' ) );
+				update_post_meta( $data['id'], Visualizer_PRO::CF_PERMISSIONS, $permissions_data );
 			}
 
 			if ( $data['visualizer-chart-url'] ) {
@@ -863,4 +867,18 @@ public function add_rest_query_vars( $args, \WP_REST_Request $request ) {
 		}
 		return $args;
 	}
+
+	/**
+	 * Sanitize value.
+	 *
+	 * @param mixed $value The value to sanitize.
+	 * @return mixed Sanitized value.
+	 */
+	private function sanitize_value( $value ) {
+		if ( is_string( $value ) ) {
+			return sanitize_text_field( $value );
+		}
+
+		return $value;
+	}
 }
