Security fixes: CSV injection, policy body output, invite hashing, slot datetimes
CI / No Debug Code (pull_request) Successful in 3s
CI / Tests (PHP 8.1) (pull_request) Successful in 43s
CI / Tests (PHP 8.3) (pull_request) Successful in 49s
CI / Tests (PHP 8.2) (pull_request) Successful in 59s
CI / Coding Standards (pull_request) Successful in 1m11s
CI / PHPStan (pull_request) Successful in 1m20s
CI / Build Plugin Zip (pull_request) Has been skipped
CI / No Debug Code (pull_request) Successful in 3s
CI / Tests (PHP 8.1) (pull_request) Successful in 43s
CI / Tests (PHP 8.3) (pull_request) Successful in 49s
CI / Tests (PHP 8.2) (pull_request) Successful in 59s
CI / Coding Standards (pull_request) Successful in 1m11s
CI / PHPStan (pull_request) Successful in 1m20s
CI / Build Plugin Zip (pull_request) Has been skipped
Four fixes from a security review pass: - Neutralise CSV formula injection in the payments export: fields with a leading =, +, -, @, tab, or CR (e.g. a hostile student display name) are apostrophe-prefixed in PaymentReport::csvLine() so they open as text in Excel/Google Sheets. Fixes #39. - Sanitise policy bodies with wp_kses_post at output in PolicyEndpoint::index() (the booking JS renders that HTML raw), so a future write path that forgets kses can never become stored XSS. Fixes #40. - Store invite tokens hashed (SHA-256) at rest: a database leak can no longer redeem pending invites. The registration link is shown once, at creation; the pending list shows email/invited date; lookups hash the submitted token. Existing plaintext pending invites must be re-issued. Fixes #41. - Validate availability slot datetimes on both creation paths (REST and admin form) via AvailabilitySlot::normalizeDateTime(): canonical and datetime-local forms normalise to Y-m-d H:i:s, garbage and end <= start are rejected (REST 400) instead of reaching the DATETIME column or throwing inside the weekly-series date arithmetic. Fixes #42. composer test (204 tests, 594 assertions), PHPStan L6, and PHPCS all green. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -9,11 +9,19 @@ if (! defined('ABSPATH')) {
|
||||
* @var list<\Unsupervised\Schedular\Auth\Invite> $pendingInvites
|
||||
* @var int $registrationPageId
|
||||
* @var string $registrationPageUrl
|
||||
* @var string $newInviteUrl One-time registration link for a just-created invite.
|
||||
*/
|
||||
?>
|
||||
<div class="wrap">
|
||||
<h1><?php esc_html_e('Invites', 'unsupervised-schedular'); ?></h1>
|
||||
<p class="description"><?php esc_html_e('Invite a student by email, then send them the registration link below. They complete signup and accept any required policies through the [us_student_register] page.', 'unsupervised-schedular'); ?></p>
|
||||
<p class="description"><?php esc_html_e('Invite a student by email, then send them the registration link. They complete signup and accept any required policies through the [us_student_register] page.', 'unsupervised-schedular'); ?></p>
|
||||
|
||||
<?php if ($newInviteUrl !== '') : ?>
|
||||
<div class="notice notice-success inline">
|
||||
<p><?php esc_html_e('Invite created. Copy the registration link now — for security it is not stored and cannot be shown again. To re-send a lost link, revoke the invite and create a new one.', 'unsupervised-schedular'); ?></p>
|
||||
<p><input type="text" class="large-text code" readonly value="<?php echo esc_attr($newInviteUrl); ?>" onclick="this.select()"></p>
|
||||
</div>
|
||||
<?php endif; ?>
|
||||
|
||||
<h2><?php esc_html_e('Registration Page', 'unsupervised-schedular'); ?></h2>
|
||||
<form method="post">
|
||||
@@ -67,15 +75,13 @@ if (! defined('ABSPATH')) {
|
||||
<thead>
|
||||
<tr>
|
||||
<th><?php esc_html_e('Email', 'unsupervised-schedular'); ?></th>
|
||||
<th><?php esc_html_e('Registration link', 'unsupervised-schedular'); ?></th>
|
||||
<th><?php esc_html_e('Invited', 'unsupervised-schedular'); ?></th>
|
||||
<th><?php esc_html_e('Actions', 'unsupervised-schedular'); ?></th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<?php $linkBase = $registrationPageUrl !== '' ? $registrationPageUrl : home_url('/'); ?>
|
||||
<?php $now = current_time('mysql'); ?>
|
||||
<?php foreach ($pendingInvites as $invite) : ?>
|
||||
<?php $link = esc_url(add_query_arg('us_invite', $invite->token, $linkBase)); ?>
|
||||
<tr>
|
||||
<td>
|
||||
<?php echo esc_html($invite->email); ?>
|
||||
@@ -84,7 +90,7 @@ if (! defined('ABSPATH')) {
|
||||
<?php endif; ?>
|
||||
</td>
|
||||
<td>
|
||||
<input type="text" class="large-text code" readonly value="<?php echo esc_attr($link); ?>" onclick="this.select()">
|
||||
<?php echo esc_html((string) $invite->createdAt); ?>
|
||||
</td>
|
||||
<td>
|
||||
<form method="post" style="display:inline;">
|
||||
|
||||
Reference in New Issue
Block a user