Connection Owner Deletion Notice: Fix display bug and sanitize… (#14082)

The 'Delete Connection Owner' Notice doesn't display when the connection owner is about to be deleted. This happens because the arguments to in_array() are an int and an array of strings. Fix this by converting the elements of the $user_ids_to_delete array to ints. Also, santize and unslash the $_REQUEST variable before using it.
Automattic · Nov 21, 2019 · 3ce846f · 3ce846f
1 parent 4dddd80
commit 3ce846f
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/packages/jitm/src/class-jitm.php b/packages/jitm/src/class-jitm.php
@@ -183,13 +183,13 @@ public function delete_user_update_connection_owner_notice() {
 		// Bail if we're not trying to delete connection owner.
 		$user_ids_to_delete = array();
 		if ( isset( $_REQUEST['users'] ) ) {
-			$user_ids_to_delete = $_REQUEST['users'];
+			$user_ids_to_delete = array_map( 'sanitize_text_field', wp_unslash( $_REQUEST['users'] ) );
 		} elseif ( isset( $_REQUEST['user'] ) ) {
-			$user_ids_to_delete[] = $_REQUEST['user'];
+			$user_ids_to_delete[] = sanitize_text_field( wp_unslash( $_REQUEST['user'] ) );
 		}
 
 		// phpcs:enable
-
+		$user_ids_to_delete        = array_map( 'absint', $user_ids_to_delete );
 		$deleting_connection_owner = in_array( $connection_owner_id, (array) $user_ids_to_delete, true );
 		if ( ! $deleting_connection_owner ) {
 			return;