Products module had NO sanitization - fixed to match Orders/Coupons/Customers

Issue:
❌ No sanitization in create_product
❌ No sanitization in update_product
❌ Direct assignment of raw user input
❌ Potential XSS and injection vulnerabilities
❌ Inconsistent with other modules

Changes Made:

1. Created Sanitization Helpers (Lines 23-65):
✅ sanitize_text() - Text fields (name, SKU)
✅ sanitize_textarea() - Descriptions (allows newlines)
✅ sanitize_number() - Prices, dimensions (removes non-numeric)
✅ sanitize_slug() - URL slugs (uses sanitize_title)

2. Fixed create_product() (Lines 278-317):
✅ Name → sanitize_text()
✅ Slug → sanitize_slug()
✅ Status → sanitize_key()
✅ Description → sanitize_textarea()
✅ Short description → sanitize_textarea()
✅ SKU → sanitize_text()
✅ Regular price → sanitize_number()
✅ Sale price → sanitize_number()
✅ Weight → sanitize_number()
✅ Length → sanitize_number()
✅ Width → sanitize_number()
✅ Height → sanitize_number()

3. Fixed update_product() (Lines 377-398):
✅ Same sanitization as create
✅ All text fields sanitized
✅ All numeric fields sanitized
✅ Status fields use sanitize_key()

Sanitization Logic:

Text Fields:
- sanitize_text_field() + trim()
- Prevents XSS attacks
- Example: '<script>alert(1)</script>' → ''

Textarea Fields:
- sanitize_textarea_field() + trim()
- Allows newlines for descriptions
- Prevents XSS but keeps formatting

Numbers:
- Remove non-numeric except . and -
- Example: 'abc123.45' → '123.45'
- Example: '10,000' → '10000'

Slugs:
- sanitize_title()
- Creates URL-safe slugs
- Example: 'Product Name!' → 'product-name'

Module Audit Results:
✅ Orders: FIXED (comprehensive sanitization)
✅ Coupons: GOOD (already has sanitization)
✅ Customers: GOOD (already has sanitization)
✅ Products: FIXED (added comprehensive sanitization)

All modules now have consistent, secure data handling!
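The helpers described in the commit message, written out as an added example (this is not the commit's own code; the `demo_` function names, the status allowlist and the sample input are assumptions). It assumes WordPress core is loaded, since `sanitize_text_field()`, `sanitize_textarea_field()`, `sanitize_key()` and `sanitize_title()` are core functions. It also adds the step a reviewer would ask for after the "remove non-numeric" rule: stripping characters is not validation, so the number helper rejects anything that is still not a well-formed number, and the status helper checks the key against an allowlist rather than trusting whatever `sanitize_key()` lets through.

```php
<?php
// Added example, not the commit's code. Assumes WordPress is loaded so the core
// sanitize_* functions exist. All demo_* names are hypothetical.

function demo_sanitize_text( $value ) {
    // sanitize_text_field() strips tags (script/style elements together with their
    // contents), control characters and stray whitespace, which is why
    // '<script>alert(1)</script>' becomes ''. trim() is kept for consistency with
    // the other helpers.
    return trim( sanitize_text_field( (string) $value ) );
}

function demo_sanitize_textarea( $value ) {
    // Same tag stripping, but newlines survive so descriptions keep their formatting.
    return trim( sanitize_textarea_field( (string) $value ) );
}

function demo_sanitize_number( $value ) {
    // Keep digits, '.' and '-', drop everything else: 'abc123.45' -> '123.45', '10,000' -> '10000'.
    $cleaned = preg_replace( '/[^0-9.\-]/', '', (string) $value );
    // The regex alone still lets '1.2.3' or '--5' through. Validate the result
    // instead of storing it; null signals "reject this field" to the caller.
    if ( '' === $cleaned || ! is_numeric( $cleaned ) ) {
        return null;
    }
    return $cleaned;
}

function demo_sanitize_slug( $value ) {
    // sanitize_title() lowercases, strips tags and replaces anything that is not
    // URL-safe with hyphens: 'Product Name!' -> 'product-name'.
    return sanitize_title( (string) $value );
}

function demo_sanitize_status( $value ) {
    // sanitize_key() lowercases and keeps only [a-z0-9_-]. That still accepts any
    // made-up state, so compare against an explicit allowlist (assumed values).
    $allowed = array( 'publish', 'draft', 'pending', 'private' );
    $key     = sanitize_key( (string) $value );
    return in_array( $key, $allowed, true ) ? $key : 'draft';
}

// Route every field through its helper so raw input never reaches the product
// record directly. Unknown keys in $raw are ignored rather than copied through.
function demo_sanitize_product_input( array $raw ) {
    $text_fields   = array( 'name', 'sku' );
    $area_fields   = array( 'description', 'short_description' );
    $number_fields = array( 'regular_price', 'sale_price', 'weight', 'length', 'width', 'height' );
    $clean         = array();

    foreach ( $text_fields as $field ) {
        if ( isset( $raw[ $field ] ) ) {
            $clean[ $field ] = demo_sanitize_text( $raw[ $field ] );
        }
    }
    foreach ( $area_fields as $field ) {
        if ( isset( $raw[ $field ] ) ) {
            $clean[ $field ] = demo_sanitize_textarea( $raw[ $field ] );
        }
    }
    foreach ( $number_fields as $field ) {
        if ( isset( $raw[ $field ] ) ) {
            $number = demo_sanitize_number( $raw[ $field ] );
            if ( null !== $number ) {
                $clean[ $field ] = $number;
            }
        }
    }
    if ( isset( $raw['slug'] ) ) {
        $clean['slug'] = demo_sanitize_slug( $raw['slug'] );
    }
    if ( isset( $raw['status'] ) ) {
        $clean['status'] = demo_sanitize_status( $raw['status'] );
    }
    return $clean;
}

// Constructed sample input standing in for a request body; not real data.
$sample = array(
    'name'          => '  Blue Widget <script>alert(1)</script>  ',
    'slug'          => 'Blue Widget!',
    'status'        => 'PUBLISH',
    'description'   => "Line one\nLine two <b>bold</b>",
    'sku'           => 'BW-001',
    'regular_price' => '10,000',
    'sale_price'    => 'abc123.45',
    'weight'        => '1.2.3',     // malformed: dropped by the validation step
    'unexpected'    => 'ignored',   // not a known field: never copied through
);
print_r( demo_sanitize_product_input( $sample ) );
```

Sanitizing on input is only half of the picture: the stored values must still be escaped on output (`esc_html()`, `esc_attr()`, `esc_url()`) and written through prepared statements or the WordPress data API, because a field that is safe as a product name is not automatically safe inside an HTML attribute or a SQL string.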