PHPCS - WordPress.Security.ValidatedSanitizedInput (#112)

tijmenbruggeman · web-flow · commit 01e2c46449ac · 2026-06-04T12:27:12.000+02:00
* PHPCS - WordPress.Security.EscapeOutput (#110) * autofixes * remove prefix underscores * fix spacing in resize text * move whitespace * Do not escale error messages before being outputted to html * Unexclude escape output * phpcs: bulk-optimization.php * phpcs account-status-create-advanced * phpcs compress-details-processing * fix create-simpel * phpcs dashboard-widget * phpcs optimization-chart * phpcs status-connected * phpcs compress-details * phpcs upgrade notice * notice-feedback * exceptions are handled on client usage in views * phpcs notices * phpcs class-tiny-compress.php * phpcs settings * phpcs tiny-plugin * remove parameter * use Tiny_Image * typo * ignore exception, is not outputted * use esc_url instead of esc_html on urls * add checked mock func * fix test * enable sanitization sniff * sanitize and unslash ids * sanitize notice name * autoformat * parse getter * sanitize and unslash on register * unslash and sanitize update api key * sanitize media library bulk action * sanitize rpc request * sanitize compress_image_for_bulk * replace sanitize_key with sanitize_text_field due to lowercasing
diff --git a/phpcs.xml b/phpcs.xml
@@ -11,7 +11,6 @@
     <exclude name="Squiz.PHP.CommentedOutCode.Found" />
 
     <!-- Fix security issues -->
-    <exclude name="WordPress.Security.ValidatedSanitizedInput" />
     <exclude name="WordPress.Security.NonceVerification" />
 
     <!-- Fix AlternativeFunctons-->
diff --git a/src/class-tiny-notices.php b/src/class-tiny-notices.php
@@ -153,7 +153,8 @@ public function dismiss() {
 			exit();
 		}
 		$this->load_dismissals();
-		$this->dismissals[ $_POST['name'] ] = true;
+		$notice_name                      = sanitize_key( wp_unslash( $_POST['name'] ) );
+		$this->dismissals[ $notice_name ] = true;
 		$this->save_dismissals();
 		echo json_encode( true );
 		exit();
diff --git a/src/class-tiny-plugin.php b/src/class-tiny-plugin.php
@@ -437,15 +437,18 @@ public function async_compress_on_upload( $metadata, $attachment_id ) {
 	public function process_rpc_request() {
 		if (
 			empty( $_POST['tiny_rpc_action'] ) ||
-			empty( $_POST['tiny_rpc_hash'] ) ||
-			32 !== strlen( $_POST['tiny_rpc_hash'] )
+			empty( $_POST['tiny_rpc_hash'] )
 		) {
 			exit();
 		}
 
-		$rpc_hash = sanitize_key( $_POST['tiny_rpc_hash'] );
-		$user_id  = absint( get_transient( 'tiny_rpc_' . $rpc_hash ) );
-		$user     = $user_id ? get_userdata( $user_id ) : false;
+		$rpc_hash = sanitize_key( wp_unslash( $_POST['tiny_rpc_hash'] ) );
+		if ( 32 !== strlen( $rpc_hash ) ) {
+			exit();
+		}
+
+		$user_id = absint( get_transient( 'tiny_rpc_' . $rpc_hash ) );
+		$user    = $user_id ? get_userdata( $user_id ) : false;
 
 		/* We no longer need the transient. */
 		delete_transient( 'tiny_rpc_' . $rpc_hash );
@@ -460,7 +463,7 @@ public function process_rpc_request() {
 		}
 
 		/* Now that everything is checked, perform the actual action. */
-		$action = $_POST['tiny_rpc_action'];
+		$action = sanitize_key( wp_unslash( $_POST['tiny_rpc_action'] ) );
 		unset(
 			$_POST['action'],
 			$_POST['tiny_rpc_action'],
@@ -471,12 +474,17 @@ public function process_rpc_request() {
 	}
 
 	public function compress_on_upload() {
-		if ( ! wp_verify_nonce( $_POST['_ajax_nonce'], 'new_media-' . $_POST['attachment_id'] ) ) {
+		$nonce         = isset( $_POST['_ajax_nonce'] ) ?
+			sanitize_key( wp_unslash( $_POST['_ajax_nonce'] ) ) : '';
+		$attachment_id = isset( $_POST['attachment_id'] ) ?
+			intval( wp_unslash( $_POST['attachment_id'] ) ) : 0;
+
+		if ( ! wp_verify_nonce( $nonce, 'new_media-' . $attachment_id ) ) {
 			exit;
 		}
 		if ( current_user_can( 'upload_files' ) ) {
-			$attachment_id = intval( $_POST['attachment_id'] );
-			$metadata      = $_POST['metadata'];
+			// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+			$metadata = isset( $_POST['metadata'] ) ? wp_unslash( $_POST['metadata'] ) : array();
 			if ( is_array( $metadata ) ) {
 				$tiny_image = new Tiny_Image( $this->settings, $attachment_id, $metadata );
 
@@ -606,7 +614,9 @@ public function compress_image_for_bulk() {
 		);
 		wp_update_attachment_metadata( $id, $tiny_image->get_wp_metadata() );
 
-		$current_library_size = intval( $_POST['current_size'] );
+		$current_library_size = isset( $_POST['current_size'] ) ?
+			intval( wp_unslash( $_POST['current_size'] ) )
+			: 0;
 		$size_after           = $image_statistics['compressed_total_size'];
 		$new_library_size     = $current_library_size + $size_after - $size_before;
 
@@ -670,33 +680,46 @@ public function ajax_compression_status() {
 
 	public function media_library_bulk_action() {
 		$valid_actions = array( 'tiny_bulk_action', 'tiny_bulk_mark_compressed' );
-		$action        = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
-		$action2       = isset( $_REQUEST['action2'] ) ? $_REQUEST['action2'] : '';
+		$action        = isset( $_REQUEST['action'] ) ?
+			sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
+		$action2       = isset( $_REQUEST['action2'] ) ?
+			sanitize_key( wp_unslash( $_REQUEST['action2'] ) ) : '';
 
 		if (
 			! in_array( $action, $valid_actions, true ) &&
 			! in_array( $action2, $valid_actions, true )
 		) {
 			return;
 		}
-		if ( empty( $_REQUEST['media'] ) || ( ! $_REQUEST['media'] ) ) {
+		$media = isset( $_REQUEST['media'] ) ?
+			array_map( 'intval', wp_unslash( (array) $_REQUEST['media'] ) )
+			: array();
+		if ( empty( $media ) ) {
 			$_REQUEST['action'] = '';
 			return;
 		}
 		check_admin_referer( 'bulk-media' );
-		$ids      = implode( '-', array_map( 'intval', $_REQUEST['media'] ) );
+		$ids      = implode( '-', $media );
 		$location = 'upload.php?mode=list&ids=' . $ids;
 
-		$location = add_query_arg( 'action', $_REQUEST['action'], $location );
+		$location = add_query_arg( 'action', $action, $location );
 
 		if ( ! empty( $_REQUEST['paged'] ) ) {
 			$location = add_query_arg( 'paged', absint( $_REQUEST['paged'] ), $location );
 		}
 		if ( ! empty( $_REQUEST['s'] ) ) {
-			$location = add_query_arg( 's', $_REQUEST['s'], $location );
+			$location = add_query_arg(
+				's',
+				sanitize_text_field( wp_unslash( $_REQUEST['s'] ) ),
+				$location
+			);
 		}
 		if ( ! empty( $_REQUEST['m'] ) ) {
-			$location = add_query_arg( 'm', $_REQUEST['m'], $location );
+			$location = add_query_arg(
+				'm',
+				sanitize_text_field( wp_unslash( $_REQUEST['m'] ) ),
+				$location
+			);
 		}
 
 		wp_safe_redirect( admin_url( $location ) );
diff --git a/src/class-tiny-settings.php b/src/class-tiny-settings.php
@@ -161,8 +161,10 @@ public function add_options_to_page() {
 
 	public function image_sizes_notice() {
 		if ( current_user_can( 'manage_options' ) ) {
+			$selected_sizes = isset( $_GET['image_sizes_selected'] ) ?
+				intval( $_GET['image_sizes_selected'] ) : 0;
 			$this->render_size_checkboxes_description(
-				$_GET['image_sizes_selected'],
+				$selected_sizes,
 				isset( $_GET['resize_original'] ),
 				isset( $_GET['compress_wr2x'] ),
 				self::get_conversion_enabled()
@@ -835,7 +837,7 @@ public function create_api_key() {
 				'message' => 'This feature requires certain user capabilities',
 			);
 		} elseif ( $compressor->can_create_key() ) {
-			if ( ! isset( $_POST['name'] ) || ! $_POST['name'] ) {
+			if ( empty( $_POST['name'] ) ) {
 				$status = (object) array(
 					'ok'      => false,
 					'message' => __(
@@ -847,7 +849,7 @@ public function create_api_key() {
 				exit();
 			}
 
-			if ( ! isset( $_POST['email'] ) || ! $_POST['email'] ) {
+			if ( empty( $_POST['email'] ) ) {
 				$status = (object) array(
 					'ok'      => false,
 					'message' => __(
@@ -868,9 +870,9 @@ public function create_api_key() {
 				$identifier = 'WordPress plugin for ' . $site;
 				$link       = $this->get_absolute_url();
 				$compressor->create_key(
-					$_POST['email'],
+					sanitize_email( wp_unslash( $_POST['email'] ) ),
 					array(
-						'name'       => $_POST['name'],
+						'name'       => sanitize_text_field( wp_unslash( $_POST['name'] ) ),
 						'identifier' => $identifier,
 						'link'       => $link,
 					)
@@ -903,24 +905,27 @@ public function create_api_key() {
 	}
 
 	public function update_api_key() {
-		$key = $_POST['key'];
 		if ( ! $this->check_ajax_referer() ) {
 			exit;
 		}
+
+		$key = null;
 		if ( ! current_user_can( 'manage_options' ) ) {
 			$status = (object) array(
 				'ok'      => false,
 				'message' => 'This feature requires certain user capabilities',
 			);
-		} elseif ( empty( $key ) ) {
+		} elseif ( empty( $_POST['key'] ) ) {
 			/* Always save if key is blank, so the key can be deleted. */
 			$status = (object) array(
 				'ok'      => true,
 				'message' => null,
 			);
 		} else {
+			$key    = sanitize_text_field( wp_unslash( $_POST['key'] ) );
 			$status = Tiny_Compress::create( $key )->get_status();
 		}
+
 		if ( $status->ok ) {
 			update_option( self::get_prefixed_name( 'api_key_pending' ), false );
 			update_option( self::get_prefixed_name( 'api_key' ), $key );
diff --git a/src/views/compress-details.php b/src/views/compress-details.php
@@ -24,7 +24,8 @@
 
 $images_to_compress = array();
 if ( ! empty( $_REQUEST['ids'] ) ) {
-	$images_to_compress = array_map( 'intval', explode( '-', $_REQUEST['ids'] ) );
+	$request_ids        = sanitize_text_field( wp_unslash( $_REQUEST['ids'] ) );
+	$images_to_compress = array_map( 'intval', explode( '-', $request_ids ) );
 }
 ?>
 <div class="details-container">

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,8 @@`
`24`	`24`
`25`	`25`	`$images_to_compress = array();`
`26`	`26`	`if ( ! empty( $_REQUEST['ids'] ) ) {`
`27`		`- $images_to_compress = array_map( 'intval', explode( '-', $_REQUEST['ids'] ) );`
	`27`	`+ $request_ids = sanitize_text_field( wp_unslash( $_REQUEST['ids'] ) );`
	`28`	`+ $images_to_compress = array_map( 'intval', explode( '-', $request_ids ) );`
`28`	`29`	`}`
`29`	`30`	`?>`
`30`	`31`	`<div class="details-container">`