From 0aab3282f42ba682828d6c0edf99dbc2f4ec7062 Mon Sep 17 00:00:00 2001
From: Jon Surrell
Date: Sun, 8 Jan 2017 18:53:01 +0100
Subject: [PATCH] Add more sanitizing

These values should be controlled, but additional sanitization is preferable.
---
 includes/admin/class-wc-admin-log-table-list.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/includes/admin/class-wc-admin-log-table-list.php b/includes/admin/class-wc-admin-log-table-list.php
index 09b1db29744..bbf5d18b9d3 100644
--- a/includes/admin/class-wc-admin-log-table-list.php
+++ b/includes/admin/class-wc-admin-log-table-list.php
@@ -83,7 +83,7 @@ class WC_Admin_Log_Table_List extends WP_List_Table {
 	 * @return string
 	 */
 	public function column_cb( $log ) {
-		return sprintf( '', $log['log_id'] );
+		return sprintf( '', esc_attr( $log['log_id'] ) );
 	}
 
 	/**
@@ -296,7 +296,7 @@ class WC_Admin_Log_Table_List extends WP_List_Table {
 	protected function get_items_query_order() {
 		$valid_orders = array( 'log_id', 'level', 'source', 'timestamp' );
 		if ( ! empty( $_REQUEST['orderby'] ) && in_array( $_REQUEST['orderby'], $valid_orders ) ) {
-			$by = $_REQUEST['orderby'];
+			$by = wc_clean( $_REQUEST['orderby'] );
 		} else {
 			$by = 'log_id';
 		}
@@ -329,7 +329,7 @@ class WC_Admin_Log_Table_List extends WP_List_Table {
 		}
 		if ( ! empty( $_REQUEST['source'] ) ) {
 			$where_conditions[] = 'source = %s';
-			$where_values[] = $_REQUEST['source'];
+			$where_values[] = wc_clean( $_REQUEST['source'] );
 		}
 
 		if ( ! empty( $where_conditions ) ) {
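Review bot: The allowlist check on the `if` line in get_items_query_order still compares the raw `$_REQUEST['orderby']` with a non-strict `in_array`, and only the branch body is cleaned, so the value that is validated is not the value that is used. Validate the cleaned value instead and pass the strict flag: `$by = wc_clean( wp_unslash( $_REQUEST['orderby'] ) );` followed by `if ( ! in_array( $by, $valid_orders, true ) ) { $by = 'log_id'; }` replaces the whole if/else. With the allowlist in place, `wc_clean()` here is defence in depth rather than the control that keeps `$by` safe to interpolate into the ORDER BY clause, and a one-line comment saying so would stop a later reader from dropping the allowlist as redundant. The rest of get_items_query_order (presumably the order direction) lies outside the hunk.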
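Review bot: `wc_clean( $_REQUEST['source'] )` on the `+` line of the third hunk is applied to a slashed value — WordPress adds slashes to the request superglobals — so a source name containing a quote or backslash would carry an extra backslash and never match the `source = %s` condition; use `wc_clean( wp_unslash( $_REQUEST['source'] ) )`. If a request supplies `source[]` as an array, `wc_clean()` as far as I recall maps over arrays and returns an array, which is not a valid value for a `%s` placeholder, so consider rejecting non-string input with `is_string()` alongside the `! empty()` check. The query that consumes `$where_values` is outside the hunk, so I am assuming it is passed through `$wpdb->prepare()`.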