dwindown
2e993b2f96
fix(products): Add comprehensive data sanitization
Products module had NO sanitization - fixed to match Orders/Coupons/Customers
Issue:
❌ No sanitization in create_product
❌ No sanitization in update_product
❌ Direct assignment of raw user input
❌ Potential XSS and injection vulnerabilities
❌ Inconsistent with other modules
Changes Made:
1. Created Sanitization Helpers (Lines 23-65):
✅ sanitize_text() - Text fields (name, SKU)
✅ sanitize_textarea() - Descriptions (allows newlines)
✅ sanitize_number() - Prices, dimensions (removes non-numeric)
✅ sanitize_slug() - URL slugs (uses sanitize_title)
2. Fixed create_product() (Lines 278-317):
✅ Name → sanitize_text()
✅ Slug → sanitize_slug()
✅ Status → sanitize_key()
✅ Description → sanitize_textarea()
✅ Short description → sanitize_textarea()
✅ SKU → sanitize_text()
✅ Regular price → sanitize_number()
✅ Sale price → sanitize_number()
✅ Weight → sanitize_number()
✅ Length → sanitize_number()
✅ Width → sanitize_number()
✅ Height → sanitize_number()
3. Fixed update_product() (Lines 377-398):
✅ Same sanitization as create
✅ All text fields sanitized
✅ All numeric fields sanitized
✅ Status fields use sanitize_key()
Sanitization Logic:
Text Fields:
- sanitize_text_field() + trim()
- Prevents XSS attacks
- Example: '<script>alert(1)</script>' → ''
Textarea Fields:
- sanitize_textarea_field() + trim()
- Allows newlines for descriptions
- Prevents XSS but keeps formatting
Numbers:
- Remove non-numeric except . and -
- Example: 'abc123.45' → '123.45'
- Example: '10,000' → '10000'
Slugs:
- sanitize_title()
- Creates URL-safe slugs
- Example: 'Product Name!' → 'product-name'
Module Audit Results:
✅ Orders: FIXED (comprehensive sanitization)
✅ Coupons: GOOD (already has sanitization)
✅ Customers: GOOD (already has sanitization)
✅ Products: FIXED (added comprehensive sanitization)
All modules now have consistent, secure data handling!
2025-11-21 00:11:29 +07:00
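The number sanitization described in the message (keep only digits, '.' and '-'), as an added stand-alone PHP example that is not the repository's own code: it reconstructs that strip rule under the assumed name sanitize_number_strip() and pairs it with an assumed validating variant, sanitize_number_strict(), so a reviewer can see which inputs survive the strip step without being a valid price. Function names and the sample inputs are assumptions, not taken from the commit.

```php
<?php
// Added example, not code from the dwindown commit. Reconstructs the described
// sanitize_number() rule (strip everything except digits, '.' and '-') and adds
// a stricter variant that also validates the result.

function sanitize_number_strip(string $value): string
{
    // The rule from the commit message: drop every character that is not a
    // digit, a decimal point or a minus sign. Commas, letters and tags vanish.
    return preg_replace('/[^0-9.\-]/', '', trim($value));
}

function sanitize_number_strict(string $value): ?string
{
    // Same strip step, then require a single well-formed decimal. Inputs that
    // still contain a second '.' or an embedded '-' after stripping are not a
    // price; returning null lets the caller raise a validation error instead of
    // silently storing a mangled value.
    $stripped = sanitize_number_strip($value);
    if ($stripped === '' || !preg_match('/^-?\d+(\.\d+)?$/', $stripped)) {
        return null;
    }
    return $stripped;
}

// Constructed sample inputs. The first two are the commit message's own
// examples; the rest probe what the strip rule alone lets through.
$samples = [
    'abc123.45',               // commit example: letters removed
    '10,000',                  // commit example: thousands separator removed
    '1.2.3',                   // survives stripping but is not a number
    '5-10',                    // survives stripping as a range, not a price
    '1e5',                     // scientific notation loses its exponent marker
    '<script>alert(1)</script>', // tag characters stripped, digit kept
    '',                        // empty input
];

foreach ($samples as $input) {
    $loose  = sanitize_number_strip($input);
    $strict = sanitize_number_strict($input);
    printf(
        "%-28s strip=%-8s strict=%s\n",
        var_export($input, true),
        var_export($loose, true),
        $strict === null ? 'REJECT' : $strict
    );
}
```

The strict variant is the check a reviewer would ask for on price and dimension fields, since a stripped string like '1.2.3' is accepted by the strip rule but fails a numeric cast later.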