From be594106c2df862baa088d3b0c0718f4eb3731ce Mon Sep 17 00:00:00 2001
From: Grzegorz Rola <grola@seostudio.pl>
Date: Fri, 6 Mar 2020 11:09:25 +0000
Subject: [PATCH] Added sanitization on posted AJAX data

---
 .gitlab-ci.yml                    | 1 +
 CHANGELOG.md                      | 4 ++++
 src/WPDesk/Notice/AjaxHandler.php | 4 ++--
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2306ffc..fdc61bc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,6 +1,7 @@
 variables:
   DISABLE_FUNCTIONAL: 1
   DISABLE_ACCEPTANCE: 1
+  DISABLE_CODECEPTION: 1
   IS_LIBRARY: 1
 
 include: 'https://gitlab.com/wpdesk/gitlab-ci/raw/master/gitlab-ci-1.2.yml'
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6a6a268..12c5546 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## [3.1.2] - 2020-03-05
+### Added
+- sanitization on posted AJAX data
+
 ## [3.1.1] - 2019-07-30
 ### Fixed
 - Security for templates as side effect is generated there. Also required for prefixer compatibility
diff --git a/src/WPDesk/Notice/AjaxHandler.php b/src/WPDesk/Notice/AjaxHandler.php
index 168763f..4b2648d 100644
--- a/src/WPDesk/Notice/AjaxHandler.php
+++ b/src/WPDesk/Notice/AjaxHandler.php
@@ -82,10 +82,10 @@ class AjaxHandler implements HookablePluginDependant
     public function processAjaxNoticeDismiss()
     {
         if (isset($_POST[self::POST_FIELD_NOTICE_NAME])) {
-            $noticeName = $_POST[self::POST_FIELD_NOTICE_NAME];
+            $noticeName = sanitize_text_field($_POST[self::POST_FIELD_NOTICE_NAME]);
 
             if (isset($_POST[self::POST_FIELD_SOURCE])) {
-                $source = $_POST[ self::POST_FIELD_SOURCE ];
+                $source = sanitize_text_field($_POST[ self::POST_FIELD_SOURCE ]);
             } else {
                 $source = null;
             }
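Review bot: The sanitized values on lines 45 and 49 are still taken straight from `$_POST` without `wp_unslash()`, so a value containing quotes keeps the backslashes WordPress adds to request data; the conventional form is `$noticeName = sanitize_text_field(wp_unslash($_POST[self::POST_FIELD_NOTICE_NAME]));` and the same for `$source`. `sanitize_text_field()` also expects a string, and the surrounding `isset()` still passes when the client posts an array under that key, which would hand an array to the string functions inside it; adding `is_string($_POST[self::POST_FIELD_NOTICE_NAME])` to the condition (and likewise for the source field) rejects that shape instead of producing a warning or TypeError. processAjaxNoticeDismiss continues past the end of the hunk, so I cannot see whether a nonce or capability check guards the dismiss action; if none does, sanitizing the fields does not stop a cross-site request from dismissing a notice on a logged-in user's behalf, and a `check_ajax_referer()` call belongs at the top of the method.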
-- 
GitLab