Forms: Fix fatal error due to unexpected input type (#40183)

Committed via a GitHub action: https://github.com/Automattic/jetpack/actions/runs/11889225499 Upstream-Ref: Automattic/jetpack@3acb7ab
Automattic · Nov 18, 2024 · 87e0c0f · 87e0c0f
1 parent 907d2d0
commit 87e0c0f
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,9 @@ This is an alpha version! The changes listed here are not final.
 ### Removed
 - General: Update minimum PHP version to 7.2.
 
+### Fixed
+- Fix a fatal error occurring due to a function receiving an unexpected input type.
+
 ## [0.33.8] - 2024-11-11
 ### Changed
 - Updated package dependencies. [#39999] [#40060]

diff --git a/src/contact-form/class-admin.php b/src/contact-form/class-admin.php
@@ -981,12 +981,29 @@ public function grunion_ajax_shortcode() {
 			}
 		}
 
+		$field_shortcodes = array();
+
 		if ( isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) ) {
-			$fields = sanitize_text_field( stripslashes_deep( $_POST['fields'] ) );
+			$fields = array_map(
+				function ( $field ) {
+					if ( is_array( $field ) ) {
+
+						foreach ( array( 'label', 'type', 'required' ) as $key ) {
+							if ( isset( $field[ $key ] ) ) {
+								$field[ $key ] = sanitize_text_field( wp_unslash( $field[ $key ] ) );
+							}
+						}
+
+						if ( isset( $field['options'] ) && is_array( $field['options'] ) ) {
+							$field['options'] = array_map( 'sanitize_text_field', array_map( 'wp_unslash', $field['options'] ) );
+						}
+					}
+					return $field;
+				},
+				$_POST['fields'] // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- each item sanitized above.
+			);
 			usort( $fields, array( $this, 'grunion_sort_objects' ) );
 
-			$field_shortcodes = array();
-
 			foreach ( $fields as $field ) {
 				$field_attributes = array();