Conversation
12a8e19 to
8a2826e
Compare
There was a problem hiding this comment.
Pull request overview
This PR aims to mitigate an XSS vector by sanitizing chart-related data before persisting it (notably from the Gutenberg REST update endpoint), in the context of issue #515.
Changes:
- Sanitize/cast several REST payload fields before saving chart meta (default data, series, settings, schedule URL/ID, JSON root/paging, permissions).
- Loosen
_getChartArray()parameter typing in the chart module.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
classes/Visualizer/Gutenberg/Block.php |
Adds sanitization/casting for REST “update-chart” payload fields before writing to post meta. |
classes/Visualizer/Module/Chart.php |
Removes the nullable WP_Post type hint from _getChartArray(). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| * @return array The array of chart data. | ||
| */ | ||
| private function _getChartArray( ?WP_Post $chart = null ) { | ||
| private function _getChartArray( $chart = null ) { |
There was a problem hiding this comment.
Dropping the ?WP_Post type from _getChartArray reduces type-safety without changing the actual requirements (the method still assumes an object with ->ID). If this wasn’t strictly required for compatibility, consider restoring the nullable WP_Post type (or adding an explicit runtime validation + updating the docblock) so invalid callers fail fast with a clear error.
| private function _getChartArray( $chart = null ) { | |
| private function _getChartArray( ?WP_Post $chart = null ) { |
HardeepAsrani
left a comment
There was a problem hiding this comment.
Looks good, let's follow the Copilot advice. We implemented that type hint change yesterday and I believe you had an unsync branch thus undid the change. 😄
Summary
Sanitized the data to prevent the cross site scripting.
Check before Pull Request is ready:
Closes https://github.com/Codeinwp/visualizer-pro/issues/515