1 change: 0 additions & 1 deletion phpcs.xml
Expand Up @@ -11,7 +11,6 @@
<exclude name="Squiz.PHP.CommentedOutCode.Found" />

<!-- Fix security issues -->
<exclude name="WordPress.Security.ValidatedSanitizedInput" />
<exclude name="WordPress.Security.NonceVerification" />

<!-- Fix AlternativeFunctons-->
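Review bot: The `WordPress.Security.NonceVerification` exclusion survives this hunk, so PHPCS will still not flag handlers that read `$_POST`/`$_REQUEST` without a nonce check, which is the other half of the "Fix security issues" comment above it. Which of the two `<exclude>` lines is the one dropped is not recoverable from the rendered page, but since the rest of this PR adds `sanitize_*`/`wp_unslash` calls it is presumably `ValidatedSanitizedInput`. Consider removing the `NonceVerification` exclusion as well and marking the genuinely nonce-free entry points with `<!-- phpcs:ignore WordPress.Security.NonceVerification.Missing -->`-style inline ignores so the remaining cases are explicit.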
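--- a/src/class-tiny-notices.php
+++ b/src/class-tiny-notices.php
@@ -153,7 +153,8 @@ public function dismiss() {
 exit();
 }
 $this->load_dismissals();
-$this->dismissals[ $_POST['name'] ] = true;
+$notice_name = sanitize_key( wp_unslash( $_POST['name'] ) );
+$this->dismissals[ $notice_name ] = true;
 $this->save_dismissals();
 echo json_encode( true );
 exit();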
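Review bot: `sanitize_key()` lowercases its input and strips everything outside `[a-z0-9_-]`, so the dismissal is stored under a key that may not equal the notice name the rest of the class looks up (any name containing uppercase letters or dots would silently never count as dismissed), and a missing or fully-stripped name is still saved under the key `''`. Unless every notice name in the plugin is already lowercase-safe, a strict whitelist against known names, or at least an early exit `if ( '' === $notice_name ) { exit(); }` before the assignment, is safer than sanitizing and storing whatever arrives. The start of `dismiss()` is outside the hunk, so whether the `exit()` at its top is preceded by a nonce or capability check cannot be confirmed here.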
57 changes: 40 additions & 17 deletions src/class-tiny-plugin.php
Expand Up @@ -437,15 +437,18 @@ public function async_compress_on_upload( $metadata, $attachment_id ) {
public function process_rpc_request() {
if (
empty( $_POST['tiny_rpc_action'] ) ||
empty( $_POST['tiny_rpc_hash'] ) ||
32 !== strlen( $_POST['tiny_rpc_hash'] )
empty( $_POST['tiny_rpc_hash'] )
) {
exit();
}

$rpc_hash = sanitize_key( $_POST['tiny_rpc_hash'] );
$user_id = absint( get_transient( 'tiny_rpc_' . $rpc_hash ) );
$user = $user_id ? get_userdata( $user_id ) : false;
$rpc_hash = sanitize_key( wp_unslash( $_POST['tiny_rpc_hash'] ) );
if ( 32 !== strlen( $rpc_hash ) ) {
exit();
}

$user_id = absint( get_transient( 'tiny_rpc_' . $rpc_hash ) );
$user = $user_id ? get_userdata( $user_id ) : false;

/* We no longer need the transient. */
delete_transient( 'tiny_rpc_' . $rpc_hash );
Expand All @@ -460,7 +463,7 @@ public function process_rpc_request() {
}

/* Now that everything is checked, perform the actual action. */
$action = $_POST['tiny_rpc_action'];
$action = sanitize_key( wp_unslash( $_POST['tiny_rpc_action'] ) );
unset(
$_POST['action'],
$_POST['tiny_rpc_action'],
Expand All @@ -471,12 +474,17 @@ public function process_rpc_request() {
}

public function compress_on_upload() {
if ( ! wp_verify_nonce( $_POST['_ajax_nonce'], 'new_media-' . $_POST['attachment_id'] ) ) {
$nonce = isset( $_POST['_ajax_nonce'] ) ?
sanitize_key( wp_unslash( $_POST['_ajax_nonce'] ) ) : '';
$attachment_id = isset( $_POST['attachment_id'] ) ?
intval( wp_unslash( $_POST['attachment_id'] ) ) : 0;

if ( ! wp_verify_nonce( $nonce, 'new_media-' . $attachment_id ) ) {
exit;
}
if ( current_user_can( 'upload_files' ) ) {
$attachment_id = intval( $_POST['attachment_id'] );
$metadata = $_POST['metadata'];
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
$metadata = isset( $_POST['metadata'] ) ? wp_unslash( $_POST['metadata'] ) : array();
if ( is_array( $metadata ) ) {
$tiny_image = new Tiny_Image( $this->settings, $attachment_id, $metadata );

Expand Down Expand Up @@ -606,7 +614,9 @@ public function compress_image_for_bulk() {
);
wp_update_attachment_metadata( $id, $tiny_image->get_wp_metadata() );

$current_library_size = intval( $_POST['current_size'] );
$current_library_size = isset( $_POST['current_size'] ) ?
intval( wp_unslash( $_POST['current_size'] ) )
: 0;
$size_after = $image_statistics['compressed_total_size'];
$new_library_size = $current_library_size + $size_after - $size_before;

Expand Down Expand Up @@ -670,33 +680,46 @@ public function ajax_compression_status() {

public function media_library_bulk_action() {
$valid_actions = array( 'tiny_bulk_action', 'tiny_bulk_mark_compressed' );
$action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
$action2 = isset( $_REQUEST['action2'] ) ? $_REQUEST['action2'] : '';
$action = isset( $_REQUEST['action'] ) ?
sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
$action2 = isset( $_REQUEST['action2'] ) ?
sanitize_key( wp_unslash( $_REQUEST['action2'] ) ) : '';

if (
! in_array( $action, $valid_actions, true ) &&
! in_array( $action2, $valid_actions, true )
) {
return;
}
if ( empty( $_REQUEST['media'] ) || ( ! $_REQUEST['media'] ) ) {
$media = isset( $_REQUEST['media'] ) ?
array_map( 'intval', wp_unslash( (array) $_REQUEST['media'] ) )
: array();
if ( empty( $media ) ) {
$_REQUEST['action'] = '';
return;
}
check_admin_referer( 'bulk-media' );
$ids = implode( '-', array_map( 'intval', $_REQUEST['media'] ) );
$ids = implode( '-', $media );
$location = 'upload.php?mode=list&ids=' . $ids;

$location = add_query_arg( 'action', $_REQUEST['action'], $location );
$location = add_query_arg( 'action', $action, $location );

if ( ! empty( $_REQUEST['paged'] ) ) {
$location = add_query_arg( 'paged', absint( $_REQUEST['paged'] ), $location );
}
if ( ! empty( $_REQUEST['s'] ) ) {
$location = add_query_arg( 's', $_REQUEST['s'], $location );
$location = add_query_arg(
's',
sanitize_text_field( wp_unslash( $_REQUEST['s'] ) ),
$location
);
}
if ( ! empty( $_REQUEST['m'] ) ) {
$location = add_query_arg( 'm', $_REQUEST['m'], $location );
$location = add_query_arg(
'm',
sanitize_text_field( wp_unslash( $_REQUEST['m'] ) ),
$location
);
}

wp_safe_redirect( admin_url( $location ) );
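Review bot: In `media_library_bulk_action()` the new `array_map( 'intval', wp_unslash( (array) $_REQUEST['media'] ) )` turns every non-numeric entry into `0`, and the `empty( $media )` guard that follows does not reject an array of zeros, so a request with `media[]=abc` now produces `ids=0` in the redirect instead of being dropped. Filtering the zeros out keeps the guard meaningful: `array_filter( array_map( 'absint', wp_unslash( (array) $_REQUEST['media'] ) ) )`. Separately, `$action` is passed to `add_query_arg()` even when only `$action2` held the valid bulk action, which was the case before this change too but still ships an empty `action=` to `upload.php`. The function's closing brace lies outside the hunk.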
19 changes: 12 additions & 7 deletions src/class-tiny-settings.php
Expand Up @@ -161,8 +161,10 @@ public function add_options_to_page() {

public function image_sizes_notice() {
if ( current_user_can( 'manage_options' ) ) {
$selected_sizes = isset( $_GET['image_sizes_selected'] ) ?
intval( $_GET['image_sizes_selected'] ) : 0;
$this->render_size_checkboxes_description(
$_GET['image_sizes_selected'],
$selected_sizes,
isset( $_GET['resize_original'] ),
isset( $_GET['compress_wr2x'] ),
self::get_conversion_enabled()
Expand Down Expand Up @@ -835,7 +837,7 @@ public function create_api_key() {
'message' => 'This feature requires certain user capabilities',
);
} elseif ( $compressor->can_create_key() ) {
if ( ! isset( $_POST['name'] ) || ! $_POST['name'] ) {
if ( empty( $_POST['name'] ) ) {
$status = (object) array(
'ok' => false,
'message' => __(
Expand All @@ -847,7 +849,7 @@ public function create_api_key() {
exit();
}

if ( ! isset( $_POST['email'] ) || ! $_POST['email'] ) {
if ( empty( $_POST['email'] ) ) {
$status = (object) array(
'ok' => false,
'message' => __(
Expand All @@ -868,9 +870,9 @@ public function create_api_key() {
$identifier = 'WordPress plugin for ' . $site;
$link = $this->get_absolute_url();
$compressor->create_key(
$_POST['email'],
sanitize_email( wp_unslash( $_POST['email'] ) ),
array(
'name' => $_POST['name'],
'name' => sanitize_text_field( wp_unslash( $_POST['name'] ) ),
'identifier' => $identifier,
'link' => $link,
)
Expand Down Expand Up @@ -903,24 +905,27 @@ public function create_api_key() {
}

public function update_api_key() {
$key = $_POST['key'];
if ( ! $this->check_ajax_referer() ) {
exit;
}

$key = null;
if ( ! current_user_can( 'manage_options' ) ) {
$status = (object) array(
'ok' => false,
'message' => 'This feature requires certain user capabilities',
);
} elseif ( empty( $key ) ) {
} elseif ( empty( $_POST['key'] ) ) {
/* Always save if key is blank, so the key can be deleted. */
$status = (object) array(
'ok' => true,
'message' => null,
);
} else {
$key = sanitize_text_field( wp_unslash( $_POST['key'] ) );
$status = Tiny_Compress::create( $key )->get_status();
}

if ( $status->ok ) {
update_option( self::get_prefixed_name( 'api_key_pending' ), false );
update_option( self::get_prefixed_name( 'api_key' ), $key );
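Review bot: In `update_api_key()` the blank-key branch no longer assigns `$key`, so the `$key = null` initialised above it is what reaches `update_option( self::get_prefixed_name( 'api_key' ), $key )` when a user clears the field; the old code wrote the submitted empty string there. Whether `update_option()` with `null` ends up storing `''` or failing the write depends on how the options table handles a NULL value, so it is safer to keep the documented "save a blank key to delete it" behaviour explicit with `$key = '';` in place of `$key = null;`. The `if ( $status->ok )` block continues past the end of the hunk.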
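--- a/src/views/compress-details.php
+++ b/src/views/compress-details.php
@@ -24,7 +24,8 @@
 
 $images_to_compress = array();
 if ( ! empty( $_REQUEST['ids'] ) ) {
-$images_to_compress = array_map( 'intval', explode( '-', $_REQUEST['ids'] ) );
+$request_ids = sanitize_text_field( wp_unslash( $_REQUEST['ids'] ) );
+$images_to_compress = array_map( 'intval', explode( '-', $request_ids ) );
 }
 ?>
 <div class="details-container">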
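Review bot: After `explode( '-', $request_ids )` every empty or non-numeric segment (for example `ids=1--2` or `ids=abc`) becomes an attachment id of `0` in `$images_to_compress`, and nothing in this view drops those entries before they are used. `$images_to_compress = array_filter( array_map( 'absint', explode( '-', $request_ids ) ) );` keeps only positive ids and leaves the array empty when the parameter is garbage. The capability check that gates this template, if any, is not visible in the hunk, so whether the ids are further validated downstream cannot be confirmed here.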