tmdinosaurcenter
/
tainacan
mirror of https://github.com/tainacan/tainacan
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: using `sanitize_text_field` on `prepare_meta` values

This commit is contained in:
vnmedeiros 2023-11-20 17:29:35 -03:00
parent 19e1f52917
commit 4be287e6f3
2 changed files with 79 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
src/classes/api/class-tainacan-rest-controller.php
View File

@ -231,7 +231,10 @@ abstract class REST_Controller extends \WP_REST_Controller {
foreach ( $query as $mapped_meta => $meta_v ) {
if ( isset( $a[ $mapped_meta ] ) ) {
$args[ $mapped_v ][ $index1 ][ $meta_v ] = $request[ $mapped ][ $index1 ][ $mapped_meta ];
$valeu = is_array($request[ $mapped ][ $index1 ][ $mapped_meta ])
? array_map('sanitize_text_field', $request[ $mapped ][ $index1 ][ $mapped_meta ])
: sanitize_text_field($request[ $mapped ][ $index1 ][ $mapped_meta ]);
$args[ $mapped_v ][ $index1 ][ $meta_v ] = $valeu;
}
}
@ -240,7 +243,9 @@ abstract class REST_Controller extends \WP_REST_Controller {
} else {
foreach ( $query as $mapped_meta => $meta_v ) {
if(isset($request[$mapped][$mapped_meta])) {
$args[ $mapped_v ][ $meta_v ] = $request[ $mapped ][ $mapped_meta ];
$args[ $mapped_v ][ $meta_v ] = is_array($request[ $mapped ][ $mapped_meta ])
? array_map('sanitize_text_field', $request[ $mapped ][ $mapped_meta ])
: sanitize_text_field($request[ $mapped ][ $mapped_meta ]);
}
}
}
@ -405,6 +410,50 @@ abstract class REST_Controller extends \WP_REST_Controller {
* @return array
*/
protected function get_meta_queries_params(){
$metaquery_properties = array(
'key' => array(
'type' => 'string',
'description' => __('Custom metadata key.'),
),
'value' => array(
'type' => ['string', 'array'],
'items' => array('type' => 'string'),
'description' => __('Custom metadata value. It can be an array only when compare is IN, NOT IN, BETWEEN, or NOT BETWEEN. You dont have to specify a value when using the EXISTS or NOT EXISTS comparisons in WordPress 3.9 and up. (Note: Due to bug #23268, value is required for NOT EXISTS comparisons to work correctly prior to 3.9. You must supply some string for the value parameter. An empty string or NULL will NOT work. However, any other string will do the trick and will NOT show up in your SQL when using NOT EXISTS. Need inspiration? How about \'bug #23268\'.'),
'sanitize_callback' => 'sanitize_text_field',
),
'compare' => array(
'type' => 'string',
'description' => __('Operator to test.'),
'default' => '=',
'enum' => array(
'=',
'!=',
'>',
'>=',
'<',
'<=',
'LIKE',
'NOT LIKE',
'IN',
'NOT IN',
'BETWEEN',
'NOT BETWEEN',
'EXISTS',
'NOT EXISTS'
)
),
'relation' => array(
'type' => 'string',
'description' => __('OR or AND, how the sub-arrays should be compared.'),
'default' => 'AND',
),
'metadatumtype' => array(
'type' => 'string',
'description' => __('Custom metadata type. Possible values are NUMERIC, BINARY, CHAR, DATE, DATETIME, DECIMAL, SIGNED, TIME, UNSIGNED. Default value is CHAR. You can also specify precision and scale for the DECIMAL and NUMERIC types (for example, DECIMAL(10,5) or NUMERIC(10) are valid). The type DATE works with the compare value BETWEEN only if the date is stored at the format YYYY-MM-DD and tested with this format.'),
),
);
return array(
'metakey' => array(
'type' => ['integer', 'string'],
@ -413,6 +462,7 @@ abstract class REST_Controller extends \WP_REST_Controller {
'metavalue' => array(
'type' => ['string', 'array'],
'description' => __('Custom metadata value'),
'sanitize_callback' => 'sanitize_text_field',
),
'metavaluenum' => array(
'type' => 'number',
@ -443,51 +493,27 @@ abstract class REST_Controller extends \WP_REST_Controller {
),
'metaquery' => array(
'description' => __('Limits result set to items that have specific custom metadata'),
'type' => ['array', 'object'],
'type' => ['array', 'object',],
'properties' => $metaquery_properties,
'items' => array(
'keys' => array(
'key' => array(
'type' => 'string',
'description' => __('Custom metadata key.'),
),
'value' => array(
'type' => ['string', 'array'],
'description' => __('Custom metadata value. It can be an array only when compare is IN, NOT IN, BETWEEN, or NOT BETWEEN. You dont have to specify a value when using the EXISTS or NOT EXISTS comparisons in WordPress 3.9 and up.
(Note: Due to bug #23268, value is required for NOT EXISTS comparisons to work correctly prior to 3.9. You must supply some string for the value parameter. An empty string or NULL will NOT work. However, any other string will do the trick and will NOT show up in your SQL when using NOT EXISTS. Need inspiration? How about \'bug #23268\'.'),
),
'compare' => array(
'type' => 'string',
'description' => __('Operator to test.'),
'default' => '=',
'enum' => array(
'=',
'!=',
'>',
'>=',
'<',
'<=',
'LIKE',
'NOT LIKE',
'IN',
'NOT IN',
'BETWEEN',
'NOT BETWEEN',
'EXISTS',
'NOT EXISTS'
)
),
'relation' => array(
'type' => 'string',
'description' => __('OR or AND, how the sub-arrays should be compared.'),
'default' => 'AND',
),
'metadatumtype' => array(
'type' => 'string',
'description' => __('Custom metadata type. Possible values are NUMERIC, BINARY, CHAR, DATE, DATETIME, DECIMAL, SIGNED, TIME, UNSIGNED. Default value is CHAR. You can also specify precision and scale for the DECIMAL and NUMERIC types (for example, DECIMAL(10,5) or NUMERIC(10) are valid). The type DATE works with the compare value BETWEEN only if the date is stored at the format YYYY-MM-DD and tested with this format.'),
),
),
'type' => ['array', 'object']
'type' => 'object',
'properties' => $metaquery_properties,
),
// 'sanitize_callback' => function($value, $request, $param) {
// if(isset($value['value'])) {
// $value['value'] = sanitize_text_field($value['value']);
// } else if(is_array($value)) {
// $value = array_map( function($v) {
// if( isset($v['value']))
// $v['value'] = is_array($v['value'])
// ? array_map('sanitize_text_field', $v['value'])
// : sanitize_text_field($v['value']);
// return $v;
// }, $value);
// }
// error_log("sanitize_callback" . json_encode($value));
// return $value;
// }
),
'datequery' => array(
'description' => __('Limits the result set to items that were created or modified in some specific date'),
@ -586,6 +612,7 @@ abstract class REST_Controller extends \WP_REST_Controller {
),
'terms' => array(
'type' => ['integer', 'string', 'array'],
'sanitize_callback' => 'sanitize_text_field',
'description' => __('Taxonomy term(s).'),
),
'operator' => array(

13
src/classes/api/endpoints/class-tainacan-rest-items-controller.php
View File

@ -57,13 +57,13 @@ class REST_Items_Controller extends REST_Controller {
'callback' => array($this, 'get_items'),
'permission_callback' => array($this, 'get_items_permissions_check'),
'args' => array_merge([
'collection_id' => [
'description' => __( 'Collection ID', 'tainacan' ),
'required' => true,
'collection_id' => [
'description' => __( 'Collection ID', 'tainacan' ),
'required' => true,
],
],
],
$this->get_wp_query_params()
),
$this->get_wp_query_params()
),
),
array(
'methods' => \WP_REST_Server::CREATABLE,
@ -457,6 +457,7 @@ class REST_Items_Controller extends REST_Controller {
private function prepare_filters_arguments ( $args, $collection_id = false ) {
$filters_arguments = array();
$meta_query = isset($args['meta_query']) ? $args['meta_query'] : [];
if(isset($meta_query['value'])) $meta_query = [$meta_query];
$tax_query = isset($args['tax_query']) ? $args['tax_query'] : [];
foreach($tax_query as $tax) {