Add wraper function for input_filter, and replace it

Author: dhaval-parekh

admin/rt-retranscode-admin.php

@@ -235,20 +235,23 @@ public function add_bulk_actions_via_javascript() {
 	 */
 	public function bulk_action_handler() {
 
-		$action  = filter_input( INPUT_POST, 'action', FILTER_SANITIZE_STRING );
-		$action2 = filter_input( INPUT_POST, 'action2', FILTER_SANITIZE_STRING );
+		$action  = transcoder_filter_input( INPUT_REQUEST, 'action', FILTER_SANITIZE_STRING );
+		$action2 = transcoder_filter_input( INPUT_REQUEST, 'action2', FILTER_SANITIZE_STRING );
+		$media   = transcoder_filter_input( INPUT_REQUEST, 'media', FILTER_SANITIZE_NUMBER_INT, FILTER_REQUIRE_ARRAY );
 
-		if ( empty( $action ) || ( 'bulk_retranscode_media' !== $action && 'bulk_retranscode_media' !== $action2 ) ) {
+		if ( empty( $action ) || empty( $media ) || ! is_array( $media ) ||
+			( 'bulk_retranscode_media' !== $action && 'bulk_retranscode_media' !== $action2 )
+		) {
 			return;
 		}
 
-		if ( empty( $_REQUEST['media'] ) || ! is_array( $_REQUEST['media'] ) ) {
+		if ( empty( $media ) || ! is_array( $media ) ) {
 			return;
 		}
 
 		check_admin_referer( 'bulk-media' );
 
-		$ids = implode( ',', array_map( 'intval', $_REQUEST['media'] ) );
+		$ids = implode( ',', $media );
 
 		// Can't use wp_nonce_url() as it escapes HTML entities.
 		$redirect_url = add_query_arg(
@@ -287,9 +290,11 @@ public function retranscode_interface() {
 
 			$file_size = 0;
 			$files     = array();
+
 			// Create the list of image IDs.
 			$usage_info = get_site_option( 'rt-transcoding-usage' );
-			$ids        = filter_input( INPUT_POST, 'ids', FILTER_SANITIZE_STRING );
+			$ids        = transcoder_filter_input( INPUT_REQUEST, 'ids', FILTER_SANITIZE_NUMBER_INT, FILTER_REQUIRE_ARRAY );
+
 			if ( ! empty( $ids ) ) {
 				if ( is_array( $ids ) ) {
 					$ids = implode( ',', $ids );
@@ -594,17 +599,20 @@ function RetranscodeMedia( id ) {
 	public function ajax_process_retranscode_request() {
 
 		header( 'Content-type: application/json' );
-		$id = filter_input( INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT );
-		if ( empty( $id ) ) {
-			$id = filter_input( INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT );
+
+		$id = transcoder_filter_input( INPUT_REQUEST, 'id', FILTER_SANITIZE_NUMBER_INT );
+		$id = intval( $id );
+
+		if ( empty( $id ) || 0 >= $id ) {
+			wp_send_json_error();
 		}
 
 		$media = get_post( $id );
 
 		if ( ! $media || 'attachment' !== $media->post_type || ( 'audio/' !== substr( $media->post_mime_type, 0, 6 ) && 'video/' !== substr( $media->post_mime_type, 0, 6 ) ) ) {
 
 			// translators: Media id of the invalid media type.
-			die( wp_json_encode( array( 'error' => sprintf( __( 'Sending Failed: %s is an invalid media ID/type.', 'transcoder' ), esc_html( $id ) ) ) ) );
+			die( wp_json_encode( array( 'error' => sprintf( __( 'Sending Failed: %d is an invalid media ID/type.', 'transcoder' ), intval( $id ) ) ) ) );
 		}
 
 		if ( 'audio/mpeg' === $media->post_mime_type ) {

admin/rt-transcoder-actions.php

@@ -174,7 +174,7 @@ function rtt_rtmedia_vedio_editor_content() {
 	function rtt_set_video_thumbnail( $id ) {
 		$media_type    = rtmedia_type( $id );
 		$attachment_id = rtmedia_media_id( $id );      // Get the wp attachment ID.
-		$thumbnail     = filter_input( INPUT_POST, 'rtmedia-thumbnail', FILTER_SANITIZE_URL );
+		$thumbnail     = transcoder_filter_input( INPUT_POST, 'rtmedia-thumbnail', FILTER_SANITIZE_URL );
 		if ( 'video' === $media_type && ! empty( $thumbnail ) ) {
 
 			if ( ! is_numeric( $thumbnail ) ) {

admin/rt-transcoder-admin.php

@@ -185,7 +185,7 @@ public function disable_encoding() {
 	public function enqueue_scripts_styles() {
 		global $pagenow;
 
-		$page = filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING );
+		$page = transcoder_filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING );
 
 		if ( 'admin.php' !== $pagenow || 'rt-transcoder' !== $page ) {
 			return;
@@ -375,7 +375,7 @@ public function edit_video_thumbnail_( $form_fields, $post ) {
 	 * @return array $form_fields
 	 */
 	public function save_video_thumbnail( $post ) {
-		$rtmedia_thumbnail = filter_input( INPUT_POST, 'rtmedia-thumbnail', FILTER_SANITIZE_STRING );
+		$rtmedia_thumbnail = transcoder_filter_input( INPUT_POST, 'rtmedia-thumbnail', FILTER_SANITIZE_STRING );
 		$id                = $post['post_ID'];
 		if ( isset( $rtmedia_thumbnail ) ) {
 			if ( class_exists( 'rtMedia' ) ) {

admin/rt-transcoder-functions.php

@@ -829,7 +829,7 @@ function rt_transcoder_enqueue_block_editor_assets() {
 function rtt_ajax_process_check_status_request() {
 
 	check_ajax_referer( 'check-transcoding-status-ajax-nonce', 'security', true );
-	$post_id = filter_input( INPUT_POST, 'postid', FILTER_SANITIZE_NUMBER_INT );
+	$post_id = transcoder_filter_input( INPUT_POST, 'postid', FILTER_SANITIZE_NUMBER_INT );
 
 	if ( ! empty( $post_id ) ) {
 		echo esc_html( rtt_get_transcoding_status( $post_id ) );
@@ -998,7 +998,7 @@ function rtt_media_update_usage( $wp_metadata, $attachment_id, $autoformat = tru
 function get_server_var( $server_key, $filter_type = FILTER_SANITIZE_STRING ) {
 	$server_val = '';
 	if ( function_exists( 'filter_input' ) && filter_has_var( INPUT_SERVER, $server_key ) ) {
-		$server_val = filter_input( INPUT_SERVER, $server_key, $filter_type );
+		$server_val = transcoder_filter_input( INPUT_SERVER, $server_key, $filter_type );
 	} elseif ( isset( $_SERVER[ $server_key ] ) ) {
 		$server_val = $_SERVER[ $server_key ]; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 	}

admin/rt-transcoder-handler.php

@@ -406,9 +406,9 @@ public function usage_quota_over() {
 	 * @since   1.0.0
 	 */
 	public function save_api_key() {
-		$is_api_key_updated     = filter_input( INPUT_GET, 'api-key-updated', FILTER_SANITIZE_STRING );
-		$is_invalid_license_key = filter_input( INPUT_GET, 'invalid-license-key', FILTER_SANITIZE_STRING );
-		$is_localhost           = filter_input( INPUT_GET, 'need-public-host', FILTER_SANITIZE_STRING );
+		$is_api_key_updated     = transcoder_filter_input( INPUT_GET, 'api-key-updated', FILTER_SANITIZE_STRING );
+		$is_invalid_license_key = transcoder_filter_input( INPUT_GET, 'invalid-license-key', FILTER_SANITIZE_STRING );
+		$is_localhost           = transcoder_filter_input( INPUT_GET, 'need-public-host', FILTER_SANITIZE_STRING );
 
 		if ( $is_api_key_updated ) {
 			if ( is_multisite() ) {
@@ -430,8 +430,8 @@ public function save_api_key() {
 			add_action( 'admin_notices', array( $this, 'public_host_needed_notice' ) );
 		}
 
-		$apikey = trim( filter_input( INPUT_GET, 'apikey', FILTER_SANITIZE_STRING ) );
-		$page   = filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING );
+		$apikey = trim( transcoder_filter_input( INPUT_GET, 'apikey', FILTER_SANITIZE_STRING ) );
+		$page   = transcoder_filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING );
 
 		if ( ! empty( $apikey ) && is_admin() && ! empty( $page ) && ( 'rt-transcoder' === $page ) ) {
 			/* Do not activate transcoding service on localhost */
@@ -528,7 +528,7 @@ public function successfully_subscribed_notice() {
 		<div class="updated">
 			<p>
 				<?php
-				$api_key_updated = filter_input( INPUT_GET, 'api-key-updated', FILTER_SANITIZE_STRING );
+				$api_key_updated = transcoder_filter_input( INPUT_GET, 'api-key-updated', FILTER_SANITIZE_STRING );
 				printf(
 					wp_kses(
 						__( 'You have successfully subscribed.', 'transcoder' ),
@@ -1004,29 +1004,27 @@ public function get_post_id_by_meta_key_and_value( $key, $value ) {
 	public function handle_callback() {
 		require_once ABSPATH . 'wp-admin/includes/image.php';
 
-		$job_id      = filter_input( INPUT_POST, 'job_id', FILTER_SANITIZE_STRING );
-		$file_status = filter_input( INPUT_POST, 'file_status', FILTER_SANITIZE_STRING );
-		$error_msg   = filter_input( INPUT_POST, 'error_msg', FILTER_SANITIZE_STRING );
-		$job_for     = filter_input( INPUT_POST, 'job_for', FILTER_SANITIZE_STRING );
-		$thumbnail   = filter_input( INPUT_POST, 'thumbnail', FILTER_SANITIZE_STRING );
-		$format      = filter_input( INPUT_POST, 'format', FILTER_SANITIZE_STRING );
+		$job_id      = transcoder_filter_input( INPUT_POST, 'job_id', FILTER_SANITIZE_STRING );
+		$file_status = transcoder_filter_input( INPUT_POST, 'file_status', FILTER_SANITIZE_STRING );
+		$error_msg   = transcoder_filter_input( INPUT_POST, 'error_msg', FILTER_SANITIZE_STRING );
+		$job_for     = transcoder_filter_input( INPUT_POST, 'job_for', FILTER_SANITIZE_STRING );
+		$thumbnail   = transcoder_filter_input( INPUT_POST, 'thumbnail', FILTER_SANITIZE_STRING );
+		$format      = transcoder_filter_input( INPUT_POST, 'format', FILTER_SANITIZE_STRING );
 
 		if ( ! empty( $job_id ) && ! empty( $file_status ) && ( 'error' === $file_status ) ) {
 			$this->nofity_transcoding_failed( $job_id, $error_msg );
 			echo esc_html__( 'Something went wrong. Invalid post request.', 'transcoder' );
 			die();
 		}
 
+		$mail = defined( 'RT_TRANSCODER_NO_MAIL' ) ? false : true;
+
 		$attachment_id = '';
 
 		if ( isset( $job_for ) && ( 'wp-media' === $job_for ) ) {
 			if ( isset( $job_id ) ) {
 				$has_thumbs = isset( $thumbnail ) ? true : false;
 				$flag       = false;
-				$mail       = true;
-				if ( defined( 'RT_TRANSCODER_NO_MAIL' ) ) {
-					$mail = false;
-				}
 
 				$id = $this->get_post_id_by_meta_key_and_value( '_rt_transcoding_job_id', $job_id );
 
@@ -1072,21 +1070,25 @@ public function handle_callback() {
 				die();
 			}
 		} else {
-			if ( isset( $job_id ) ) {
-				$has_thumbs   = isset( $thumbnail ) ? true : false;
-				$flag         = false;
-				$model        = new RTDBModel( 'rtm_media_meta', false, 10, true );
+			if ( isset( $job_id ) && class_exists( 'RTDBModel' ) ) {
+
+				$has_thumbs = isset( $thumbnail ) ? true : false;
+				$flag       = false;
+				$model      = new RTDBModel( 'rtm_media_meta', false, 10, true );
+
 				$meta_details = $model->get(
 					array(
 						'meta_value' => sanitize_text_field( wp_unslash( $job_id ) ), // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_value
 						'meta_key'   => 'rtmedia-transcoding-job-id', // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key
 					) 
 				);
+
 				if ( ! isset( $meta_details[0] ) ) {
 					$id = $this->get_post_id_by_meta_key_and_value( '_rt_transcoding_job_id', $job_id );
 				} else {
 					$id = $meta_details[0]->media_id;
 				}
+
 				if ( isset( $id ) && is_numeric( $id ) ) {
 					$model              = new RTMediaModel();
 					$media              = $model->get_media( array( 'media_id' => $id ), 0, 1 );
@@ -1164,7 +1166,7 @@ public function hide_transcoding_notice() {
 	 * @since 1.0
 	 */
 	public function enter_api_key() {
-		$apikey = filter_input( INPUT_GET, 'apikey', FILTER_SANITIZE_STRING );
+		$apikey = transcoder_filter_input( INPUT_GET, 'apikey', FILTER_SANITIZE_STRING );
 		if ( ! empty( $apikey ) ) {
 			echo wp_json_encode( array( 'apikey' => $apikey ) );
 		} else {

inc/helpers/custom-functions.php

@@ -0,0 +1,142 @@
+<?php
+/**
+ * Custom functions.
+ *
+ * @package transcoder
+ */
+
+
+/**
+ * This method is an improved version of PHP's filter_input() and
+ * works well on PHP CLI as well which PHP default method does not.
+ * Also Provide support INPUT_REQUEST.
+ *
+ *
+ * Reference:
+ * - https://bugs.php.net/bug.php?id=49184
+ * - https://bugs.php.net/bug.php?id=54672
+ *
+ * @param int    $type          One of INPUT_GET, INPUT_POST, INPUT_REQUEST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV.
+ * @param string $variable_name Name of a variable to get.
+ * @param int    $filter        The ID of the filter to apply.
+ * @param mixed  $options       filter to apply.
+ *
+ * @return mixed Value of the requested variable on success, FALSE if the filter fails, or NULL if the
+ *               variable_name variable is not set.
+ */
+function transcoder_filter_input( $type, $variable_name, $filter = FILTER_DEFAULT, $options = null ) {
+
+	/**
+	 * Provide support of INPUT_REQUEST
+	 *
+	 * Reference: https://bugs.php.net/bug.php?id=54672
+	 */
+	if ( INPUT_REQUEST === $type ) {
+
+		if ( isset( $_POST[ $variable_name ] ) ) {
+			$type = INPUT_POST;
+		} elseif ( isset( $_GET[ $variable_name ] ) ) {
+			$type = INPUT_GET;
+		} else {
+			return null;
+		}
+
+	}
+
+	if ( php_sapi_name() !== 'cli' ) {
+
+		/**
+		 * We can not have code coverage since.
+		 * Since this will only execute when sapi is "fpm-fcgi".
+		 * While Unit test case run on "cli"
+		 */
+		// @codeCoverageIgnoreStart
+
+		$sanitized_variable = filter_input( $type, $variable_name, $filter, $options );
+
+		/**
+		 * Code is not running on PHP Cli and we are in clear.
+		 * Use the PHP method and bail out.
+		 */
+		if ( ! empty( $sanitized_variable ) && FILTER_SANITIZE_STRING === $filter ) {
+			$sanitized_variable = sanitize_text_field( $sanitized_variable );
+		}
+
+		return $sanitized_variable;
+		// @codeCoverageIgnoreEnd
+	}
+
+	/**
+	 * Code is running on PHP Cli and INPUT_SERVER returns NULL
+	 * even for set vars when run on Cli
+	 * See: https://bugs.php.net/bug.php?id=49184
+	 *
+	 * This is a workaround for that bug till its resolved in PHP binary
+	 * which doesn't look to be anytime soon. This is a friggin' 10 year old bug.
+	 */
+
+	$input = '';
+
+	$allowed_html_tags = wp_kses_allowed_html( 'post' );
+
+	/**
+	 * Marking the switch() block below to be ignored by PHPCS
+	 * because PHPCS squawks on using superglobals like $_POST or $_GET
+	 * directly but it can't be helped in this case as this code
+	 * is running on Cli.
+	 */
+
+	// phpcs:disable WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___COOKIE
+
+	switch ( $type ) {
+
+		case INPUT_GET:
+			if ( ! isset( $_GET[ $variable_name ] ) ) {
+				return null;
+			}
+
+			$input = wp_kses( $_GET[ $variable_name ], $allowed_html_tags );
+			break;
+
+		case INPUT_POST:
+			if ( ! isset( $_POST[ $variable_name ] ) ) {
+				return null;
+			}
+
+			$input = wp_kses( $_POST[ $variable_name ], $allowed_html_tags );
+			break;
+
+		case INPUT_COOKIE:
+			if ( ! isset( $_COOKIE[ $variable_name ] ) ) {
+				return null;
+			}
+
+			$input = wp_kses( $_COOKIE[ $variable_name ], $allowed_html_tags );
+			break;
+
+		case INPUT_SERVER:
+			if ( ! isset( $_SERVER[ $variable_name ] ) ) {
+				return null;
+			}
+
+			$input = wp_kses( $_SERVER[ $variable_name ], $allowed_html_tags );
+			break;
+
+		case INPUT_ENV:
+			if ( ! isset( $_ENV[ $variable_name ] ) ) {
+				return null;
+			}
+
+			$input = wp_kses( $_ENV[ $variable_name ], $allowed_html_tags );
+			break;
+
+		default:
+			return null;
+
+	}
+
+	// phpcs:enable WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing, WordPressVIPMinimum.Variables.RestrictedVariables.cache_constraints___COOKIE
+
+	return filter_var( $input, $filter );
+
+}

rt-transcoder.php

@@ -47,6 +47,7 @@
 }
 
 require_once RT_TRANSCODER_PATH . 'inc/helpers/autoloader.php'; // phpcs:ignore WordPressVIPMinimum.Files.IncludingFile.UsingCustomConstant.
+require_once RT_TRANSCODER_PATH . 'inc/helpers/custom-functions.php'; // phpcs:ignore WordPressVIPMinimum.Files.IncludingFile.UsingCustomConstant.
 require_once RT_TRANSCODER_PATH . 'admin/rt-transcoder-functions.php'; // phpcs:ignore WordPressVIPMinimum.Files.IncludingFile.UsingCustomConstant.
 require_once RT_TRANSCODER_PATH . 'admin/rt-transcoder-admin.php'; // phpcs:ignore WordPressVIPMinimum.Files.IncludingFile.UsingCustomConstant.