Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security fixes: CSV injection, policy body output, invite hashing, slot datetimes
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 43s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 49s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 59s
Details
CI / Coding Standards (pull_request) Successful in 1m11s
Details
CI / PHPStan (pull_request) Successful in 1m20s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details

Browse Source 
Four fixes from a security review pass:

- Neutralise CSV formula injection in the payments export: fields with a
  leading =, +, -, @, tab, or CR (e.g. a hostile student display name) are
  apostrophe-prefixed in PaymentReport::csvLine() so they open as text in
  Excel/Google Sheets. Fixes #39.
- Sanitise policy bodies with wp_kses_post at output in
  PolicyEndpoint::index() (the booking JS renders that HTML raw), so a
  future write path that forgets kses can never become stored XSS.
  Fixes #40.
- Store invite tokens hashed (SHA-256) at rest: a database leak can no
  longer redeem pending invites. The registration link is shown once, at
  creation; the pending list shows email/invited date; lookups hash the
  submitted token. Existing plaintext pending invites must be re-issued.
  Fixes #41.
- Validate availability slot datetimes on both creation paths (REST and
  admin form) via AvailabilitySlot::normalizeDateTime(): canonical and
  datetime-local forms normalise to Y-m-d H:i:s, garbage and end <= start
  are rejected (REST 400) instead of reaching the DATETIME column or
  throwing inside the weekly-series date arithmetic. Fixes #42.

composer test (204 tests, 594 assertions), PHPStan L6, and PHPCS all green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
James Griffin-Allwood
2026-06-10 16:36:26 -03:00
parent 693246c1c1
commit f3f5c7801f
16 changed files with 162 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Availability/AvailabilityEndpoint.php
+9 -2
View File
@@ -120,10 +120,17 @@ class AvailabilityEndpoint {
}
}
$startDt = AvailabilitySlot::normalizeDateTime( (string) $request->get_param( 'start_dt' ) );
$endDt = AvailabilitySlot::normalizeDateTime( (string) $request->get_param( 'end_dt' ) );
if ( null === $startDt || null === $endDt || $endDt <= $startDt ) {
return new \WP_Error( 'invalid_datetime', __( 'Provide a valid start and end, with the end after the start.', 'unsupervised-schedular' ), [ 'status' => 400 ] );
}
$slot = new AvailabilitySlot(
instructorId: $instructorId,
startDt: (string) $request->get_param( 'start_dt' ),
endDt: (string) $request->get_param( 'end_dt' ),
startDt: $startDt,
endDt: $endDt,
durationMinutes: $duration > 0 ? $duration : 60,
offeringId: $offeringId > 0 ? $offeringId : null,
);