[FIX] Fixes around escaping and sanitzing.

Author: James Amner

admin/class-jerc-admin.php

@@ -151,7 +151,7 @@ private function getFilteredQuery()
         foreach ($filters as $key => $value) {
 
             if ($key !== 'time_from' && $key !== 'time_to') {
-                $q .= ' AND ' . $key . ' = \'' . $value . '\'';
+                $q .= ' AND ' . esc_sql($key) . ' = \'' . esc_sql($value) . '\'';
             } 
         }
 
@@ -184,7 +184,7 @@ private function getData($paging = true)
         $q = $this->getFilteredQuery();
 
         if ($paging) {
-            $q .= ' LIMIT ' . (isset($_REQUEST['paged']) ? 10 * $_REQUEST['paged'] : 0) . ', 10';
+            $q .= ' LIMIT ' . esc_sql(intval(isset($_REQUEST['paged']) ? 10 * $_REQUEST['paged'] : 0)) . ', 10';
         }
         global $wpdb;
         return $wpdb->get_results($q);
@@ -237,8 +237,8 @@ private function getFilters()
     {
         $filters = array();
         foreach ($this->getFilterKeys() as $key) {
-            if (isset($_REQUEST[$key]) && $_REQUEST[$key] !== '') {
-                $filters[$key] = $_REQUEST[$key];
+            if (isset($_REQUEST[$key]) && ($_REQUEST[$key] !== '') && is_string($_REQUEST[$key])) {
+                $filters[$key] = sanitize_text_field($_REQUEST[$key]);
             }
         }
         return $filters;
@@ -332,7 +332,7 @@ private function displayPagination()
             number_format_i18n($this->getCount())
         ) . '</span>';
 
-        $current = isset($_REQUEST['paged']) ? $_REQUEST['paged'] : 1;
+        $current = intval(isset($_REQUEST['paged']) ? $_REQUEST['paged'] : 1);
         $total_pages = floor($this->getCount() / 10);
 
         $current_url = set_url_scheme('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
@@ -425,6 +425,6 @@ private function displayPagination()
             $page_class = ' no-pages';
         }
 
-        echo "<div class='tablenav-pages{$page_class}'>$output</div>";
+        echo wp_kses_post("<div class='tablenav-pages{$page_class}'>$output</div>");
     }    
 }

admin/partials/jerc-admin-display.php

@@ -17,37 +17,37 @@
 <div class="wrap">
     <h1>Javascript Error Reporting</h1>
     <form>
-        <input type='hidden' name='page' value='<?php echo $this->name; ?>'>
+        <input type='hidden' name='page' value='<?php echo esc_attr($this->name); ?>'>
         <div class="tablenav top">
 
             <div class="alignleft">
                 <label for="date-from-select" class="">Between:</label>
-                <input type='datetime-local' name="time_from" id="date-from-select" value='<?php echo isset($_REQUEST['time_from']) ? $_REQUEST['time_from'] : ''; ?>'></input>
+                <input type='datetime-local' name="time_from" id="date-from-select" value='<?php echo esc_attr(isset($_REQUEST['time_from']) ? $_REQUEST['time_from'] : ''); ?>'></input>
                 <label for="date-to-select" class=""> : </label>
-                <input type='datetime-local' name="time_to" id="date-to-select" value='<?php echo isset($_REQUEST['time_to']) ? $_REQUEST['time_to'] : ''; ?>'></input>
+                <input type='datetime-local' name="time_to" id="date-to-select" value='<?php echo esc_attr(isset($_REQUEST['time_to']) ? $_REQUEST['time_to'] : ''); ?>'></input>
                 <input type="submit" id="doaction" class="button action" value="Filter">
 
 
                 <?php foreach ($this->getFilters() as $key => $value) : ?>
                     <?php if ($key !== 'time_from' && $key !== 'time_to') : ?>
-                        <input type='hidden' name='<?php echo $key; ?>' value='<?php echo $value; ?>'>
-                        <a class='button' href='<?php echo $this->removeFilterUrl($key); ?>'>
+                        <input type='hidden' name='<?php echo esc_attr($key); ?>' value='<?php echo esc_attr($value); ?>'>
+                        <a class='button' href='<?php echo esc_url($this->removeFilterUrl($key)); ?>'>
                             <span class="dashicons dashicons-remove" style='line-height:1.4;'></span>
                             <?php 
                             if ($key === 'userId') {
                                 if ($value == 0) {
                                     echo "Anonymous";
                                 } else {
-                                    echo get_userdata($value)->user_nicename;
+                                    echo wp_kses_post(get_userdata($value)->user_nicename);
                                 }
                             } else {
-                                echo $value;
+                                echo wp_kses_post($value);
                             }
                             ?>
                         </a>
                     <?php endif; ?>
                 <?php endforeach; ?>
-                <a class="button" href="?page=<?php echo $this->name; ?>">Reset</a>
+                <a class="button" href="?page=<?php echo esc_attr($this->name); ?>">Reset</a>
             </div>
             <?php $this->displayPagination(); ?>
             <br class="clear">
@@ -74,36 +74,36 @@
                             $user = get_userdata($row->userId);
                         } ?>
                         <td>
-                            <?php echo $row->timestamp; ?>
+                            <?php echo wp_kses_post($row->timestamp); ?>
                         </td>
                         <td>
-                            <a href='<?php echo $this->getFilterUrl('message', $row->message); ?>'>
-                                <?php echo $row->message; ?>
+                            <a href='<?php echo esc_url($this->getFilterUrl('message', $row->message)); ?>'>
+                                <?php echo wp_kses_post($row->message); ?>
                             </a>
                         </td>
                         <td>
-                            <a href='<?php echo $this->getFilterUrl('script', $row->script); ?>'>
-                                <?php echo $row->script; ?>
+                            <a href='<?php echo esc_url($this->getFilterUrl('script', $row->script)); ?>'>
+                                <?php echo wp_kses_post($row->script); ?>
                             </a>
                         </td>
                         <td>
-                            <a href='<?php echo $this->getFilterUrl('userId', (isset($user) ? $user->ID : 0)); ?>'>
-                                <?php echo (isset($user) ? $user->user_nicename : 'Anonymous'); ?>
+                            <a href='<?php echo esc_url($this->getFilterUrl('userId', (isset($user) ? $user->ID : 0))); ?>'>
+                                <?php echo wp_kses_post(isset($user) ? $user->user_nicename : 'Anonymous'); ?>
                             </a>
                         </td>
                         <td>
-                            <a href='<?php echo $this->getFilterUrl('userIp', $row->userIp); ?>'>
-                                <?php echo $row->userIp; ?>
+                            <a href='<?php echo esc_url($this->getFilterUrl('userIp', $row->userIp)); ?>'>
+                                <?php echo wp_kses_post($row->userIp); ?>
                             </a>
                         </td>
                         <td>
-                            <a href='<?php echo $this->getFilterUrl('pageUrl', $row->pageUrl); ?>'>
-                                <?php echo $row->pageUrl; ?>
+                            <a href='<?php echo esc_url($this->getFilterUrl('pageUrl', $row->pageUrl)); ?>'>
+                                <?php echo wp_kses_post($row->pageUrl); ?>
                             </a>
                         </td>
                         <td>
-                            <a href='<?php echo $this->getFilterUrl('agent', $row->agent); ?>'>
-                                <?php echo $row->agent; ?>
+                            <a href='<?php echo esc_url($this->getFilterUrl('agent', $row->agent)); ?>'>
+                                <?php echo wp_kses_post($row->agent); ?>
                             </a>
                         </td>
                     </tr>
@@ -113,12 +113,12 @@
     </form>
     <div class='tablenav bottom'>
         <div class='alignleft'>
-            <form method='POST' action='<?php echo admin_url('admin-post.php'); ?>'>
+            <form method='POST' action='<?php echo esc_url(admin_url('admin-post.php')); ?>'>
                 <?php wp_nonce_field($this->action); ?>
                 <?php foreach ($this->getFilters() as $key => $value) : ?>
-                    <input type='hidden' name='<?php echo $key; ?>' value='<?php echo $value; ?>'>
+                    <input type='hidden' name='<?php echo esc_attr($key); ?>' value='<?php echo esc_attr($value); ?>'>
                 <?php endforeach; ?>
-                <button class='button' type='submit' name='action' value='<?php echo $this->action; ?>'>Export CSV</button>
+                <button class='button' type='submit' name='action' value='<?php echo esc_attr($this->action); ?>'>Export CSV</button>
             </form>
         </div>
         <?php $this->displayPagination(); ?>

jerc.php

@@ -16,7 +16,7 @@
  * Plugin Name:       Javascript Error Reporting Client
  * Plugin URI:        https://www.amner.me/
  * Description:       A plugin to collect data about client javascript errors.
- * Version:           1.1.0
+ * Version:           1.0.0
  * Author:            James Amner <jdamner@me.com>
  * Author URI:        https://www.amner.me
  */

public/class-jerc-public.php

@@ -122,6 +122,8 @@ public function handleAjax()
         global $wpdb;
         $table_name = $wpdb->prefix . $this->plugin_name . "_data";
 
+        // No need to escape SQL input;
+        // @see https://developer.wordpress.org/reference/classes/wpdb/insert/
         $data = array(
             "message" => $request['message'],
             "script" => $request['script'] . ":" . $request['lineNo'] . ":" . $request['columnNo'],