feat: better sanitization for settings

Codeinwp · Dec 24, 2024 · b7997bc · b7997bc
1 parent 6f9b650
commit b7997bc
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 40 deletions.
diff --git a/inc/API.php b/inc/API.php
@@ -265,54 +265,88 @@ public function update_settings( $request ) {
 		$validation = apply_filters(
 			'hyve_settings_validation',
 			[
-				'api_key'              => function ( $value ) {
-					return is_string( $value );
-				},
-				'qdrant_api_key'       => function ( $value ) {
-					return is_string( $value );
-				},
-				'qdrant_endpoint'      => function ( $value ) {
-					return is_string( $value );
-				},
-				'chat_enabled'         => function ( $value ) {
-					return is_bool( $value );
-				},
-				'welcome_message'      => function ( $value ) {
-					return is_string( $value );
-				},
-				'default_message'      => function ( $value ) {
-					return is_string( $value );
-				},
-				'chat_model'           => function ( $value ) {
-					return is_string( $value );
-				},
-				'temperature'          => function ( $value ) {
-					return is_numeric( $value );
-				},
-				'top_p'                => function ( $value ) {
-					return is_numeric( $value );
-				},
-				'moderation_threshold' => function ( $value ) {
-					return is_array( $value ) && array_reduce(
-						$value,
-						function ( $carry, $item ) {
-							return $carry && is_int( $item );
-						},
-						true
-					);
-				},
+				'api_key'              => [
+					'validate' => function ( $value ) {
+						return is_string( $value );
+					},
+					'sanitize' => 'sanitize_text_field',
+				],
+				'qdrant_api_key'       => [
+					'validate' => function ( $value ) {
+						return is_string( $value );
+					},
+					'sanitize' => 'sanitize_text_field',
+				],
+				'qdrant_endpoint'      => [
+					'validate' => function ( $value ) {
+						return is_string( $value );
+					},
+					'sanitize' => 'sanitize_url',
+				],
+				'chat_enabled'         => [
+					'validate' => function ( $value ) {
+						return is_bool( $value );
+					},
+					'sanitize' => 'rest_sanitize_boolean',
+				],
+				'welcome_message'      => [
+					'validate' => function ( $value ) {
+						return is_string( $value );
+					},
+					'sanitize' => 'sanitize_text_field',
+				],
+				'default_message'      => [
+					'validate' => function ( $value ) {
+						return is_string( $value );
+					},
+					'sanitize' => 'sanitize_text_field',
+				],
+				'chat_model'           => [
+					'validate' => function ( $value ) {
+						return is_string( $value );
+					},
+					'sanitize' => 'sanitize_text_field',
+				],
+				'temperature'          => [
+					'validate' => function ( $value ) {
+						return is_numeric( $value );
+					},
+					'sanitize' => 'floatval',
+				],
+				'top_p'                => [
+					'validate' => function ( $value ) {
+						return is_numeric( $value );
+					},
+					'sanitize' => 'floatval',
+				],
+				'moderation_threshold' => [
+					'validate' => function ( $value ) {
+						return is_array( $value ) && array_reduce(
+							$value,
+							function ( $carry, $item ) {
+								return $carry && is_int( $item );
+							},
+							true
+						);
+					},
+					'sanitize' => function ( $value ) {
+						return array_map( 'intval', $value );
+					},
+				],
 			]
 		);
 
 		foreach ( $updated as $key => $value ) {
-			if ( ! $validation[ $key ]( $value ) ) {
+			if ( ! $validation[ $key ]['validate']( $value ) ) {
 				return rest_ensure_response(
 					[
 						// translators: %s: option key.
 						'error' => sprintf( __( 'Invalid value: %s', 'hyve-lite' ), $key ),
 					]
 				);
 			}
+
+			$updated[ $key ] = $validation[ $key ]['sanitize']( $value );
 		}
 
 		foreach ( $updated as $key => $value ) {
@@ -662,7 +696,7 @@ function ( $message ) use ( $run_id ) {
 
 		$settings = Main::get_settings();
 
-		$response = ( isset( $message['success'] ) && true === $message['success'] && isset( $message['response'] ) ) ? $message['response'] : $settings['default_message'];
+		$response = ( isset( $message['success'] ) && true === $message['success'] && isset( $message['response'] ) ) ? $message['response'] : esc_html( $settings['default_message'] );
 
 		do_action( 'hyve_chat_response', $run_id, $thread_id, $query, $record_id, $message, $response );
 

diff --git a/inc/Main.php b/inc/Main.php
@@ -269,7 +269,7 @@ public function enqueue_assets() {
 						'click' => HYVE_LITE_URL . 'assets/audio/click.mp3',
 						'ping'  => HYVE_LITE_URL . 'assets/audio/ping.mp3',
 					],
-					'welcome'   => $settings['welcome_message'] ?? '',
+					'welcome'   => esc_html( $settings['welcome_message'] ) ?? '',
 					'isEnabled' => $settings['chat_enabled'],
 					'strings'   => [
 						'reply'       => __( 'Write a reply…', 'hyve-lite' ),

diff --git a/src/backend/parts/settings/Assistant.js b/src/backend/parts/settings/Assistant.js
@@ -85,7 +85,7 @@ const Assistant = () => {
 								value: 'gpt-3.5-turbo-0125'
 							}
 						] }
-						value={ settings.model }
+						value={ settings.chat_model }
 						disabled={ isSaving }
 						onChange={ ( newValue ) => setSetting( 'chat_model', newValue ) }
 					/>