dwindown/WooNooW
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2e993b2f967667baf13c97111ac136e8faffb69f
WooNooW/includes
History
dwindown 2e993b2f96 fix(products): Add comprehensive data sanitization 
Products module had NO sanitization - fixed to match Orders/Coupons/Customers

Issue:
 No sanitization in create_product
 No sanitization in update_product
 Direct assignment of raw user input
 Potential XSS and injection vulnerabilities
 Inconsistent with other modules

Changes Made:

1. Created Sanitization Helpers (Lines 23-65):
 sanitize_text() - Text fields (name, SKU)
 sanitize_textarea() - Descriptions (allows newlines)
 sanitize_number() - Prices, dimensions (removes non-numeric)
 sanitize_slug() - URL slugs (uses sanitize_title)

2. Fixed create_product() (Lines 278-317):
 Name → sanitize_text()
 Slug → sanitize_slug()
 Status → sanitize_key()
 Description → sanitize_textarea()
 Short description → sanitize_textarea()
 SKU → sanitize_text()
 Regular price → sanitize_number()
 Sale price → sanitize_number()
 Weight → sanitize_number()
 Length → sanitize_number()
 Width → sanitize_number()
 Height → sanitize_number()

3. Fixed update_product() (Lines 377-398):
 Same sanitization as create
 All text fields sanitized
 All numeric fields sanitized
 Status fields use sanitize_key()

Sanitization Logic:

Text Fields:
- sanitize_text_field() + trim()
- Prevents XSS attacks
- Example: '<script>alert(1)</script>' → ''

Textarea Fields:
- sanitize_textarea_field() + trim()
- Allows newlines for descriptions
- Prevents XSS but keeps formatting

Numbers:
- Remove non-numeric except . and -
- Example: 'abc123.45' → '123.45'
- Example: '10,000' → '10000'

Slugs:
- sanitize_title()
- Creates URL-safe slugs
- Example: 'Product Name!' → 'product-name'

Module Audit Results:

 Orders: FIXED (comprehensive sanitization)
 Coupons: GOOD (already has sanitization)
 Customers: GOOD (already has sanitization)
 Products: FIXED (added comprehensive sanitization)

All modules now have consistent, secure data handling!
2025-11-21 00:11:29 +07:00
..
Admin
fix: Auto-detect dev server URL for Local by Flywheel
2025-11-16 13:48:23 +07:00
Api
fix(products): Add comprehensive data sanitization
2025-11-21 00:11:29 +07:00
Compat
fix(ui): Ensure Customer module UI/UX consistency with SOP
2025-11-20 23:15:29 +07:00
Core
feat: Phase 3 - MetaFieldsRegistry system (Level 1 COMPLETE)
2025-11-20 12:35:25 +07:00
Email
fix: Card success styling and ensure list support
2025-11-19 18:35:34 +07:00
Branding.php
fix: Image upload, remove WP login branding, implement dark mode
2025-11-10 23:18:56 +07:00