json form sanitization

mlooft · Feb 2, 2024 · 1a518d5 · 1a518d5
1 parent 44e48cc
commit 1a518d5
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 19 deletions.
diff --git a/includes/admin/msf-admin.class.php b/includes/admin/msf-admin.class.php
@@ -281,22 +281,73 @@ private function notice($type, $message) {
 		<?php
 	}
 
-	private function import_json($json) {
-		$aa = json_decode($json, true);
-		if (!$aa) {
-			$this->notice('error', __('Invalid JSON-File. Check your syntax.', 'multi-step-form'));
-		} else {
-			if (!class_exists('Multi_Step_Form_Plus')) {
-				$step_count = count($aa['wizard']['steps']);
-				for ($i = 0; $i < $step_count; $i++) {
-					if ($i > 4) {
-						unset($aa['wizard']['steps'][ $i ]);
-					}
-				}
-			}
-			$this->_wizard_service->save(0, $aa);
-		}
-	}
+	function sanitize_json_data($data) {
+
+        // Sanitizing the wizard title
+        $data['wizard']['title'] = sanitize_text_field($data['wizard']['title']);
+
+        foreach ($data['wizard']['steps'] as &$step) {
+            // Sanitize step fields
+            $step['title'] = sanitize_text_field($step['title']);
+            $step['headline'] = sanitize_text_field($step['headline']);
+            $step['copy_text'] = sanitize_text_field($step['copy_text']);
+
+            foreach ($step['parts'] as &$part) {
+                // Sanitize part title
+                $part['title'] = sanitize_text_field($part['title']);
+
+                foreach ($part['blocks'] as &$block) {
+
+                    if (isset($block['label'])) {
+                        $block['label'] = sanitize_text_field($block['label']);
+                    }
+
+                    if (isset($block['customError'])) {
+                        $block['customError'] = sanitize_text_field($block['customError']);
+                    }
+                    if (isset($block['text'])) {
+                        $block['text'] = sanitize_text_field($block['text']);
+                    }
+                    if (isset($block['elements'])) {
+                        $block['elements'] = array_map('sanitize_text_field', $block['elements']);
+                    }
+
+                }
+            }
+        }
+
+        // Sanitize settings fields
+        $settings_fields = ['thankyou', 'to', 'frommail', 'fromname', 'subject', 'header', 'headers', 'replyto', 'usercopy', 'optin', 'optin_success', 'replacements'];
+        foreach ($settings_fields as $field) {
+            if (isset($data['wizard']['settings'][$field])) {
+                $data['wizard']['settings'][$field] = sanitize_text_field($data['wizard']['settings'][$field]);
+            }
+        }
+
+        // Return the sanitized array directly
+        return $data;
+    }
+
+    private function import_json($json) {
+        $aa = json_decode($json, true);
+        if (!$aa) {
+            $this->notice('error', __('Invalid JSON-File. Check your syntax.', 'multi-step-form'));
+        } else {
+            // Sanitize the JSON data
+            $sanitizedData = $this->sanitize_json_data($aa); // because $aa is the array
+
+            if (!class_exists('Multi_Step_Form_Plus')) {
+                $step_count = count($aa['wizard']['steps']);
+                for ($i = 0; $i < $step_count; $i++) {
+                    if ($i > 4) {
+                        unset($aa['wizard']['steps'][$i]);
+                    }
+                }
+            }
+            // Proceed to save the sanitized data
+            $this->_wizard_service->save(0, $sanitizedData);
+        }
+    }
 
 	private function handle_json_upload() {
 		if (isset($_FILES['json-import'])) {

diff --git a/mondula-form-wizard.php b/mondula-form-wizard.php
@@ -1,7 +1,7 @@
 <?php
 /*
  * Plugin Name: Multi Step Form
- * Version: 1.7.16
+ * Version: 1.7.17
  * Plugin URI: http://www.mondula.com/
  * Description: Create and embed Multi Step Form.
  * Author: Mondula GmbH
@@ -82,7 +82,7 @@ function msf_drop_tables($tables = array(), $blog_id = null) {
  * @return object Mondula_Form_Wizard
  */
 function Mondula_Form_Wizard() {
-	$instance = Mondula_Form_Wizard::instance(__FILE__, '1.7.16');
+	$instance = Mondula_Form_Wizard::instance(__FILE__, '1.7.17');
 
 	if (is_null($instance->settings)) {
 		$instance->settings = Mondula_Form_Wizard_Settings::instance($instance);

diff --git a/readme.txt b/readme.txt
@@ -3,7 +3,7 @@ Contributors: mondula2016
 Tags: multi, step, forms, multi step form, multi-step, steps, feedback, email, contact form, progress bar, form builder, dynamic, ajax, formular
 Requires at least: 5.0
 Tested up to: 6.3.1
-Stable tag: 1.7.16
+Stable tag: 1.7.17
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -84,6 +84,9 @@ A.  **[Find them here](https://mondula.com/en/multi-step-form-faqs/ "Multi Step
 
 == Changelog ==
 
+= 1.7.17 =
+* json form sanitization
+
 = 1.7.16 =
 * fixed a problem with the recaptcha form