fix: improve validation on wp action hooks

v3/onesignal-admin/onesignal-admin.php

@@ -26,57 +26,80 @@ function admin_files()
   wp_enqueue_style('style', plugins_url('onesignal-admin.css', __FILE__), array(), $cache_buster);
 }
 
-if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
-  if (isset($_POST["submit"]) && $_POST["submit"] === "Save Settings") {
-    // Get existing settings with default values
-    $onesignal_settings = get_option('OneSignalWPSetting', onesignal_get_default_settings());
+// Hook settings save handler to admin_init
+add_action('admin_init', 'onesignal_handle_settings_save');
 
-    if (isset($_POST['onesignal_app_id']) && !empty($_POST['onesignal_app_id'])) {
-        $onesignal_settings['app_id'] = sanitize_text_field($_POST['onesignal_app_id']);
-    }
+function onesignal_handle_settings_save() {
+  // Only process POST requests
+  if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
+    return;
+  }
 
-    if (isset($_POST['onesignal_rest_api_key']) && !empty($_POST['onesignal_rest_api_key'])) {
-        $onesignal_settings['app_rest_api_key'] = sanitize_text_field($_POST['onesignal_rest_api_key']);
-    }
+  // Only process when submit button is clicked
+  if (!isset($_POST["submit"]) || $_POST["submit"] !== "Save Settings") {
+    return;
+  }
 
-    if (isset($_POST['utm_additional_url_params'])) {
-        $onesignal_settings['utm_additional_url_params'] = sanitize_text_field($_POST['utm_additional_url_params']);
-    }
+  // Verify nonce - dies on failure with error message
+  check_admin_referer('onesignal_v3_save_settings', 'onesignal_v3_settings_nonce');
 
-    if (isset($_POST['allowed_custom_post_types'])) {
-        $onesignal_settings['allowed_custom_post_types'] = sanitize_text_field($_POST['allowed_custom_post_types']);
-    }
+  // Verify user capability
+  if (!current_user_can('manage_options')) {
+    wp_die(
+      __('You do not have sufficient permissions to access this page.', 'onesignal'),
+      __('Permission Denied', 'onesignal'),
+      array('response' => 403)
+    );
+  }
+
+  // Get existing settings with default values
+  $onesignal_settings = get_option('OneSignalWPSetting', onesignal_get_default_settings());
 
-    // Save the auto send notifications setting for posts
-    $auto_send = isset($_POST['onesignal_auto_send']) ? 1 : 0;
-    $onesignal_settings['notification_on_post'] = $auto_send;
+  if (isset($_POST['onesignal_app_id']) && !empty($_POST['onesignal_app_id'])) {
+      $onesignal_settings['app_id'] = sanitize_text_field($_POST['onesignal_app_id']);
+  }
 
-    // Save the auto send notifications setting for pages
-    $auto_send_pages = isset($_POST['onesignal_auto_send_pages']) ? 1 : 0;
-    $onesignal_settings['notification_on_page'] = $auto_send_pages;
+  if (isset($_POST['onesignal_rest_api_key']) && !empty($_POST['onesignal_rest_api_key'])) {
+      $onesignal_settings['app_rest_api_key'] = sanitize_text_field($_POST['onesignal_rest_api_key']);
+  }
 
-    // Save the notification on post from plugin setting
-    $notification_on_post_from_plugin = isset($_POST['notification_on_post_from_plugin']) ? 1 : 0;
-    $onesignal_settings['notification_on_post_from_plugin'] = $notification_on_post_from_plugin;
+  if (isset($_POST['utm_additional_url_params'])) {
+      $onesignal_settings['utm_additional_url_params'] = sanitize_text_field($_POST['utm_additional_url_params']);
+  }
 
-    // Save the mobile subscribers setting
-    $send_to_mobile = isset($_POST['onesignal_send_to_mobile']) ? 1 : 0;
-    $onesignal_settings['send_to_mobile_platforms'] = $send_to_mobile;
+  if (isset($_POST['allowed_custom_post_types'])) {
+      $onesignal_settings['allowed_custom_post_types'] = sanitize_text_field($_POST['allowed_custom_post_types']);
+  }
 
-    // Save the auto send notifications setting for post updates
-    $auto_send_post_update = isset($_POST['onesignal_auto_send_post_update']) ? 1 : 0;
-    $onesignal_settings['notification_on_post_update'] = $auto_send_post_update;
+  // Save the auto send notifications setting for posts
+  $auto_send = isset($_POST['onesignal_auto_send']) ? 1 : 0;
+  $onesignal_settings['notification_on_post'] = $auto_send;
 
-    // Save the auto send notifications setting for page updates
-    $auto_send_page_update = isset($_POST['onesignal_auto_send_page_update']) ? 1 : 0;
-    $onesignal_settings['notification_on_page_update'] = $auto_send_page_update;
+  // Save the auto send notifications setting for pages
+  $auto_send_pages = isset($_POST['onesignal_auto_send_pages']) ? 1 : 0;
+  $onesignal_settings['notification_on_page'] = $auto_send_pages;
 
-    // Update with autoload set to 'no' to prevent caching issues
-    update_option('OneSignalWPSetting', $onesignal_settings, 'no');
+  // Save the notification on post from plugin setting
+  $notification_on_post_from_plugin = isset($_POST['notification_on_post_from_plugin']) ? 1 : 0;
+  $onesignal_settings['notification_on_post_from_plugin'] = $notification_on_post_from_plugin;
 
-    // Force refresh the settings in cache
-    wp_cache_delete('OneSignalWPSetting', 'options');
-  }
+  // Save the mobile subscribers setting
+  $send_to_mobile = isset($_POST['onesignal_send_to_mobile']) ? 1 : 0;
+  $onesignal_settings['send_to_mobile_platforms'] = $send_to_mobile;
+
+  // Save the auto send notifications setting for post updates
+  $auto_send_post_update = isset($_POST['onesignal_auto_send_post_update']) ? 1 : 0;
+  $onesignal_settings['notification_on_post_update'] = $auto_send_post_update;
+
+  // Save the auto send notifications setting for page updates
+  $auto_send_page_update = isset($_POST['onesignal_auto_send_page_update']) ? 1 : 0;
+  $onesignal_settings['notification_on_page_update'] = $auto_send_page_update;
+
+  // Update with autoload set to 'no' to prevent caching issues
+  update_option('OneSignalWPSetting', $onesignal_settings, 'no');
+
+  // Force refresh the settings in cache
+  wp_cache_delete('OneSignalWPSetting', 'options');
 }
 
 // Add this function near the top of the file
@@ -114,6 +137,7 @@ function onesignal_admin_page()
     }
     ?>
     <form method="post">
+      <?php wp_nonce_field('onesignal_v3_save_settings', 'onesignal_v3_settings_nonce'); ?>
       <label for="appid">OneSignal App ID</label>
       <div class="input-with-icon">
         <input type="text" id="appid" name="onesignal_app_id"

v3/onesignal-metabox/onesignal-metabox.php

@@ -53,6 +53,8 @@ function onesignal_metabox($post)
   }
 
   // Meta box content -> js file hides sections depending on whats checked.
+  // Add nonce field for security
+  wp_nonce_field('onesignal_v3_metabox_save', 'onesignal_v3_metabox_nonce');
 ?>
   <label for="os_update">
   <input type="checkbox" name="os_update" id="os_update"
@@ -141,6 +143,38 @@ function onesignal_meta_files()
 
 function onesignal_save_meta($post_id)
 {
+  // Check if nonce is set
+  if (!isset($_POST['onesignal_v3_metabox_nonce'])) {
+    return;
+  }
+
+  // Verify nonce
+  if (!wp_verify_nonce($_POST['onesignal_v3_metabox_nonce'], 'onesignal_v3_metabox_save')) {
+    return;
+  }
+
+  // Skip autosaves
+  if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) {
+    return;
+  }
+
+  // Check user capability to edit this specific post
+  if (!current_user_can('edit_post', $post_id)) {
+    return;
+  }
+
+  // Skip revisions
+  if (wp_is_post_revision($post_id)) {
+    return;
+  }
+
+  // Verify post type is allowed
+  $post = get_post($post_id);
+  if (!$post || !onesignal_is_post_type_allowed($post->post_type)) {
+    return;
+  }
+
+  // Process and sanitize metadata fields
   $fields = [
     'os_update',
     'os_segment',
@@ -154,7 +188,12 @@ function onesignal_save_meta($post_id)
 
   foreach ($fields as $field) {
     if (array_key_exists($field, $_POST)) {
-      $meta_values[$field] = sanitize_text_field($_POST[$field]);
+      // Sanitize based on field type
+      if ($field === 'os_mobile_url') {
+        $meta_values[$field] = sanitize_url($_POST[$field]);
+      } else {
+        $meta_values[$field] = sanitize_text_field($_POST[$field]);
+      }
     } else {
       unset($meta_values[$field]);
     }

v3/onesignal-notification.php

@@ -137,22 +137,50 @@ function onesignal_create_notification($post, $notification_options = array())
 function onesignal_schedule_notification($new_status, $old_status, $post)
 {
     if (($new_status === 'publish') || ($new_status === 'future')) {
-        // check if update is on.
-        $update = !empty($_POST['os_update']) ? $_POST['os_update'] : $post->os_update;
-
-        // do not send notification if not enabled
+        $update = null;
+        $notification_options = array();
+
+        // Check if this is a direct user submission with POST data
+        if (!empty($_POST) && isset($_POST['onesignal_v3_metabox_nonce'])) {
+            // Verify nonce for user-initiated posts
+            if (!wp_verify_nonce($_POST['onesignal_v3_metabox_nonce'], 'onesignal_v3_metabox_save')) {
+                return; // Invalid nonce, abort
+            }
+
+            // Verify capability
+            if (!current_user_can('edit_post', $post->ID)) {
+                return; // Insufficient permissions, abort
+            }
+
+            // Use POST data for user-initiated publishes
+            $update = !empty($_POST['os_update']) ? $_POST['os_update'] : null;
+            $notification_options = array(
+                'title' => !empty($_POST['os_title']) ? sanitize_text_field($_POST['os_title']) : null,
+                'content' => !empty($_POST['os_content']) ? sanitize_text_field($_POST['os_content']) : null,
+                'segment' => isset($_POST['os_segment']) ? sanitize_text_field($_POST['os_segment']) : 'All',
+                'mobile_url' => isset($_POST['os_mobile_url']) ? sanitize_url($_POST['os_mobile_url']) : ''
+            );
+        } else {
+            // Scheduled posts, REST API, or plugin-triggered posts
+            // Load from saved metadata (no nonce required)
+            $os_meta = get_post_meta($post->ID, 'os_meta', true);
+            $update = !empty($os_meta['os_update']) ? $os_meta['os_update'] : null;
+
+            if (is_array($os_meta)) {
+                $notification_options = array(
+                    'title' => isset($os_meta['os_title']) ? $os_meta['os_title'] : null,
+                    'content' => isset($os_meta['os_content']) ? $os_meta['os_content'] : null,
+                    'segment' => isset($os_meta['os_segment']) ? $os_meta['os_segment'] : 'All',
+                    'mobile_url' => isset($os_meta['os_mobile_url']) ? $os_meta['os_mobile_url'] : ''
+                );
+            }
+        }
+
+        // Do not send notification if not enabled
         if (empty($update)) {
             return;
         }
 
-        // Prepare notification options from POST data
-        $notification_options = array(
-            'title' => !empty($_POST['os_title']) ? sanitize_text_field($_POST['os_title']) : null,
-            'content' => !empty($_POST['os_content']) ? sanitize_text_field($_POST['os_content']) : null,
-            'segment' => $_POST['os_segment'] ?? 'All',
-            'mobile_url' => $_POST['os_mobile_url'] ?? ''
-        );
-
         // Call the core notification function
         onesignal_create_notification($post, $notification_options);
     }
@@ -161,6 +189,11 @@ function onesignal_schedule_notification($new_status, $old_status, $post)
 // Function to handle quick-edit publish date changes
 function onesignal_handle_quick_edit_date_change($post_id, $post, $update)
 {
+    // Check user capability to edit this post
+    if (!current_user_can('edit_post', $post_id)) {
+        return;
+    }
+
     // Check if this is an autosave, revision, or not an update
     if (wp_is_post_autosave($post_id) || wp_is_post_revision($post_id) || !$update) {
         return;
@@ -202,11 +235,21 @@ function onesignal_handle_quick_edit_date_change($post_id, $post, $update)
         update_post_meta($post_id, 'os_previous_publish_date', $current_publish_date);
 
         // Honor the "Send notification when post is published" preference.
-        $should_send = !empty($_POST['os_update']);
+        $should_send = false;
+
+        // Check POST data with nonce verification
+        if (!empty($_POST) && isset($_POST['onesignal_v3_metabox_nonce'])) {
+            if (wp_verify_nonce($_POST['onesignal_v3_metabox_nonce'], 'onesignal_v3_metabox_save')) {
+                $should_send = !empty($_POST['os_update']);
+            }
+        }
+
+        // Fallback to saved metadata if no POST data or failed nonce
         if (!$should_send) {
             $os_meta = get_post_meta($post_id, 'os_meta', true);
             $should_send = !empty($os_meta['os_update']);
         }
+
         if (!$should_send) {
             return;
         }