Security Issue: Insufficient Input Sanitization in REST API
Description
User input from REST API requests is not consistently sanitized before it is used in database operations, which could allow XSS or SQL injection.
Affected Files
class-pattern-builder-api.php:388-459
Risk Level
Critical - Unsanitized user input could lead to stored XSS attacks or data corruption.
Current Issues
- Title fields are not sanitized with sanitize_text_field()
- HTML content lacks proper sanitization with wp_kses_post()
- Array inputs are not sanitized with array_map() and appropriate sanitization functions
Recommendations
- Add sanitize_text_field() for all title and text-only fields
- Use wp_kses_post() for content fields that allow HTML
- Sanitize array inputs using array_map() with appropriate sanitization callbacks
- Validate data types before processing (strings, arrays, integers)
Implementation Steps
Code Example
// Before
$title = $request->get_param('title');
// After
$title = sanitize_text_field($request->get_param('title'));
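The recommendations above applied at the route level, as an added example that is not the plugin's own code: WordPress runs each argument's validate_callback and sanitize_callback before the route callback sees the request, so the sanitization cannot be skipped by a code path that forgets it. The namespace, route and parameter names (title, content, tags, category_id) are assumptions; the WordPress functions used are real.

```php
<?php
// Added example, not the plugin's own code: every parameter is validated
// and sanitized by WordPress before the route callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'pattern-builder/v1', '/patterns', array( // hypothetical route
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            // Text-only field: tags stripped, control characters removed.
            'title' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
            // HTML content: only the tags/attributes allowed in post content survive.
            'content' => array(
                'type'              => 'string',
                'sanitize_callback' => 'wp_kses_post',
            ),
            // Array input: check the shape, then sanitize every element.
            'tags' => array(
                'type'              => 'array',
                'validate_callback' => function ( $value ) {
                    return is_array( $value );
                },
                'sanitize_callback' => function ( $value ) {
                    return array_map( 'sanitize_key', (array) $value );
                },
            ),
            // Integer input: reject non-numeric values before casting.
            'category_id' => array(
                'type'              => 'integer',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value >= 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            $id = wp_insert_post( array(
                'post_title'   => $request->get_param( 'title' ),
                'post_content' => $request->get_param( 'content' ),
                'post_status'  => 'draft',
            ), true );
            return is_wp_error( $id ) ? $id : rest_ensure_response( array( 'id' => $id ) );
        },
    ) );
} );
```

A custom validate_callback replaces the default schema check, so the callbacks above re-check the type themselves; a request whose parameters fail validation is rejected with a 400 before the callback runs.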
References
Priority: Immediate fix required