Forms: Fix fatal error due to unexpected input type (#40183)

Automattic · Nov 18, 2024 · 3acb7ab · 3acb7ab
1 parent afe4ad8
commit 3acb7ab
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 6 deletions.
diff --git a/projects/packages/forms/.phan/baseline.php b/projects/packages/forms/.phan/baseline.php
@@ -12,7 +12,7 @@
     // PhanTypeMismatchArgument : 20+ occurrences
     // PhanPluginDuplicateConditionalNullCoalescing : 10+ occurrences
     // PhanTypeMismatchReturnProbablyReal : 9 occurrences
-    // PhanTypeMismatchArgumentInternal : 7 occurrences
+    // PhanTypeMismatchArgumentInternal : 6 occurrences
     // PhanTypeMismatchArgumentProbablyReal : 6 occurrences
     // PhanRedundantCondition : 4 occurrences
     // PhanTypePossiblyInvalidDimOffset : 3 occurrences
@@ -24,7 +24,6 @@
     // PhanPluginDuplicateAdjacentStatement : 1 occurrence
     // PhanPluginMixedKeyNoKey : 1 occurrence
     // PhanPossiblyNullTypeMismatchProperty : 1 occurrence
-    // PhanPossiblyUndeclaredVariable : 1 occurrence
     // PhanTypeArraySuspiciousNullable : 1 occurrence
     // PhanTypeMismatchReturnNullable : 1 occurrence
     // PhanUndeclaredProperty : 1 occurrence
@@ -33,7 +32,7 @@
     // Currently, file_suppressions and directory_suppressions are the only supported suppressions
     'file_suppressions' => [
         'src/class-wpcom-rest-api-v2-endpoint-forms.php' => ['PhanTypePossiblyInvalidDimOffset'],
-        'src/contact-form/class-admin.php' => ['PhanPluginDuplicateConditionalNullCoalescing', 'PhanPossiblyUndeclaredVariable', 'PhanRedundantCondition', 'PhanTypeArraySuspiciousNullable', 'PhanTypeMismatchArgument', 'PhanTypeMismatchArgumentInternal', 'PhanTypeMismatchArgumentProbablyReal', 'PhanTypeMismatchReturn'],
+        'src/contact-form/class-admin.php' => ['PhanPluginDuplicateConditionalNullCoalescing', 'PhanRedundantCondition', 'PhanTypeArraySuspiciousNullable', 'PhanTypeMismatchArgument', 'PhanTypeMismatchArgumentInternal', 'PhanTypeMismatchArgumentProbablyReal', 'PhanTypeMismatchReturn'],
         'src/contact-form/class-contact-form-field.php' => ['PhanParamTooMany', 'PhanPluginDuplicateConditionalNullCoalescing', 'PhanPossiblyNullTypeMismatchProperty', 'PhanTypeConversionFromArray', 'PhanTypeMismatchArgument', 'PhanTypeMismatchReturnProbablyReal', 'PhanUndeclaredProperty'],
         'src/contact-form/class-contact-form-plugin.php' => ['PhanPluginDuplicateAdjacentStatement', 'PhanPluginDuplicateConditionalNullCoalescing', 'PhanPluginRedundantAssignment', 'PhanTypeMismatchArgument', 'PhanTypeMismatchArgumentInternal', 'PhanTypeMismatchArgumentProbablyReal', 'PhanTypeMismatchReturnProbablyReal'],
         'src/contact-form/class-contact-form-shortcode.php' => ['PhanPluginDuplicateConditionalNullCoalescing', 'PhanTypeMismatchReturnProbablyReal'],

diff --git a/projects/packages/forms/changelog/fix-usort-grunion-shortcode-argument-expectation b/projects/packages/forms/changelog/fix-usort-grunion-shortcode-argument-expectation
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Fix a fatal error occurring due to a function receiving an unexpected input type.
diff --git a/projects/packages/forms/src/contact-form/class-admin.php b/projects/packages/forms/src/contact-form/class-admin.php
@@ -981,12 +981,29 @@ public function grunion_ajax_shortcode() {
 			}
 		}
 
+		$field_shortcodes = array();
+
 		if ( isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) ) {
-			$fields = sanitize_text_field( stripslashes_deep( $_POST['fields'] ) );
+			$fields = array_map(
+				function ( $field ) {
+					if ( is_array( $field ) ) {
+
+						foreach ( array( 'label', 'type', 'required' ) as $key ) {
+							if ( isset( $field[ $key ] ) ) {
+								$field[ $key ] = sanitize_text_field( wp_unslash( $field[ $key ] ) );
+							}
+						}
+
+						if ( isset( $field['options'] ) && is_array( $field['options'] ) ) {
+							$field['options'] = array_map( 'sanitize_text_field', array_map( 'wp_unslash', $field['options'] ) );
+						}
+					}
+					return $field;
+				},
+				$_POST['fields'] // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- each item sanitized above.
+			);
 			usort( $fields, array( $this, 'grunion_sort_objects' ) );
 
-			$field_shortcodes = array();
-
 			foreach ( $fields as $field ) {
 				$field_attributes = array();
 

diff --git a/projects/plugins/jetpack/changelog/fix-usort-grunion-shortcode-argument-expectation b/projects/plugins/jetpack/changelog/fix-usort-grunion-shortcode-argument-expectation
@@ -0,0 +1,4 @@
+Significance: patch
+Type: bugfix
+
+Forms: Fix an error occurring due to a function receiving an unexpected input type.