
Prevent cross site scripting#1248

Open
girishpanchal30 wants to merge 2 commits into development from bugfix/pro/515

Conversation

@girishpanchal30 (Contributor)

Summary

Sanitized the data to prevent cross-site scripting.

Check before Pull Request is ready:

Closes https://github.com/Codeinwp/visualizer-pro/issues/515

girishpanchal30 added the label pr-checklist-skip (Allow this Pull Request to skip checklist.) on Feb 27, 2026
pirate-bot added the label pr-checklist-complete (The Pull Request checklist is complete; automatic label) on Feb 27, 2026
@pirate-bot (Contributor) commented Feb 27, 2026

Plugin build for 09c83bc is ready 🛎️!


Copilot AI left a comment


Pull request overview

This PR aims to mitigate an XSS vector by sanitizing chart-related data before persisting it (notably from the Gutenberg REST update endpoint), in the context of issue #515.

Changes:

  • Sanitize/cast several REST payload fields before saving chart meta (default data, series, settings, schedule URL/ID, JSON root/paging, permissions).
  • Loosen _getChartArray() parameter typing in the chart module.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

classes/Visualizer/Gutenberg/Block.php: Adds sanitization/casting for REST “update-chart” payload fields before writing to post meta.
classes/Visualizer/Module/Chart.php: Removes the nullable WP_Post type hint from _getChartArray().
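As an added illustration (not the plugin's own code and not this PR's diff), this is the shape of input sanitization the overview describes for an "update-chart" REST handler: each payload field is cast or sanitized with WordPress core functions before it is written to post meta. The route field names, the meta keys and the vz_example_* functions are hypothetical; sanitize_text_field, esc_url_raw, absint, current_user_can and update_post_meta are real WordPress functions.

```php
<?php
// Added example, not visualizer-pro's code. Field names, meta keys and the
// vz_example_* functions are hypothetical; the sanitize_*/esc_*/absint calls
// are WordPress core functions.

/** Recursively sanitize nested series/settings/permissions data. */
function vz_example_sanitize_deep( $value ) {
	if ( is_array( $value ) ) {
		$clean = array();
		foreach ( $value as $key => $item ) {
			// Keys are attacker-controlled too; strip tags from string keys.
			$clean[ sanitize_text_field( (string) $key ) ] = vz_example_sanitize_deep( $item );
		}
		return $clean;
	}
	if ( is_bool( $value ) || is_int( $value ) || is_float( $value ) ) {
		return $value; // numeric and boolean leaves carry no markup
	}
	// sanitize_text_field strips tags, null bytes and invalid UTF-8.
	return sanitize_text_field( (string) $value );
}

/** Hypothetical REST callback for an "update-chart" route. */
function vz_example_update_chart( WP_REST_Request $request ) {
	$chart_id = absint( $request->get_param( 'id' ) );
	if ( ! $chart_id || ! current_user_can( 'edit_post', $chart_id ) ) {
		return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 403 ) );
	}
	$body = (array) $request->get_json_params();

	// Each field is coerced to the type the meta expects before storage.
	$meta = array(
		'vz_example_default_data' => vz_example_sanitize_deep( $body['default-data'] ?? array() ),
		'vz_example_series'       => vz_example_sanitize_deep( $body['series'] ?? array() ),
		'vz_example_settings'     => vz_example_sanitize_deep( $body['settings'] ?? array() ),
		'vz_example_permissions'  => vz_example_sanitize_deep( $body['permissions'] ?? array() ),
		// esc_url_raw keeps only allowed protocols and is the storage form of esc_url.
		'vz_example_schedule_url' => esc_url_raw( (string) ( $body['schedule-url'] ?? '' ) ),
		'vz_example_schedule_id'  => absint( $body['schedule-id'] ?? 0 ),
		'vz_example_json_root'    => sanitize_text_field( (string) ( $body['json-root'] ?? '' ) ),
		'vz_example_json_paging'  => sanitize_text_field( (string) ( $body['json-paging'] ?? '' ) ),
	);
	foreach ( $meta as $key => $value ) {
		update_post_meta( $chart_id, $key, $value );
	}
	return rest_ensure_response( array( 'id' => $chart_id, 'updated' => array_keys( $meta ) ) );
}
```

Sanitizing at the REST boundary is defence in depth, not a substitute for output escaping: whatever is read back from post meta still goes through esc_html, esc_attr or wp_json_encode at render time.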


* @return array The array of chart data.
*/
private function _getChartArray( ?WP_Post $chart = null ) {
private function _getChartArray( $chart = null ) {
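Review bot: this hunk drops the nullable `?WP_Post` hint from `_getChartArray()` while leaving the docblock above it unchanged, and nothing in the PR summary (sanitizing REST payload fields) calls for a signature change; restore `private function _getChartArray( ?WP_Post $chart = null ) {`, or document the accepted types in the docblock and validate `$chart` at runtime, so a non-post argument fails early instead of at the `->ID` access noted in the review below.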

Copilot AI Feb 27, 2026


Dropping the ?WP_Post type from _getChartArray reduces type-safety without changing the actual requirements (the method still assumes an object with ->ID). If this wasn’t strictly required for compatibility, consider restoring the nullable WP_Post type (or adding an explicit runtime validation + updating the docblock) so invalid callers fail fast with a clear error.

Suggested change
private function _getChartArray( $chart = null ) {
private function _getChartArray( ?WP_Post $chart = null ) {

@HardeepAsrani (Member) left a comment

Looks good, let's follow the Copilot advice. We implemented that type hint change yesterday, and I believe you had an unsynced branch and thus undid the change. 😄

