From 8e533df41e57c91f4b5f62ac8c2ab5205b76b8c5 Mon Sep 17 00:00:00 2001
From: Sasa Todorovic
Date: Tue, 11 Jul 2023 09:36:57 +0200
Subject: [PATCH] Use sanitize_url to sanitize canonical field in the taxonomy metabox
---
 admin/taxonomy/class-taxonomy.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/admin/taxonomy/class-taxonomy.php b/admin/taxonomy/class-taxonomy.php
index d86fe44ff3f..434da699d02 100644
--- a/admin/taxonomy/class-taxonomy.php
+++ b/admin/taxonomy/class-taxonomy.php
@@ -208,8 +208,9 @@ public function update_term( $term_id, $tt_id, $taxonomy ) {
 foreach ( WPSEO_Taxonomy_Meta::$defaults_per_term as $key => $default ) {
 // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Reason: Nonce is already checked by WordPress before executing this action.
 if ( isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) ) {
- // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Reason: Nonce is already checked by WordPress before executing this action.
- $new_meta_data[ $key ] = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
+ // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Reason: $data is getting sanitized later.
+ $data = \wp_unslash( $_POST[ $key ] );
+ $new_meta_data[ $key ] = ( $key !== 'wpseo_canonical' ) ? WPSEO_Utils::sanitize_text_field( $data ) : WPSEO_Utils::sanitize_url( $data );
 }
 // If analysis is disabled remove that analysis score value from the DB.
@@ -217,7 +218,6 @@ public function update_term( $term_id, $tt_id, $taxonomy ) {
 $new_meta_data[ $key ] = '';
 }
 }
- unset( $key, $default );
 // Saving the values.
 WPSEO_Taxonomy_Meta::set_values( $term_id, $taxonomy, $new_meta_data );
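Review bot: The new `$new_meta_data[ $key ]` line routes the canonical value through `WPSEO_Utils::sanitize_url()`, but the hunk does not show what that helper accepts; if it does not restrict the scheme to http/https, a `javascript:` or `data:` URL typed into the metabox is stored as-is and later reaches the `<link rel="canonical">` output, so confirm the helper rejects non-http(s) schemes and keep `esc_url()` at the output site, since input sanitization does not replace context-specific output escaping. The same line also silently switches every other key from the global `sanitize_text_field()` to `WPSEO_Utils::sanitize_text_field()`, which the commit message does not mention; if the two differ, that is a behaviour change worth a sentence in the message. A comment above the ternary such as `// The canonical field is a URL and must keep its scheme and query string; every other term field is plain text.` would explain why this one key is special-cased instead of being handled by a per-key sanitizer in `$defaults_per_term`. The enclosing `update_term()` begins before this hunk and continues after it.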