From 894dbabe1944d69142c76e1900d874d2fb2e901d Mon Sep 17 00:00:00 2001
From: Steve Sutton
Date: Fri, 11 Dec 2015 13:07:55 -0500
Subject: [PATCH] Adding sanitizing of option fields. Validate the emails.
---
 controllers/admin.php | 64 ++++++++++++++++++++++++++++++++++++-------
 glm-employment.php | 2 +-
 views/optionsPage.php | 11 ++++----
 3 files changed, 61 insertions(+), 16 deletions(-)
diff --git a/controllers/admin.php b/controllers/admin.php
index 07bb7c3..bbb5029 100644
--- a/controllers/admin.php
+++ b/controllers/admin.php
@@ -94,10 +94,6 @@ class staffords_employment_admin
 
 public function job_settings_init()
 {
- //add_filter(
- //'option_page_capability_job-setting-group',
- //array($this, 'staffords_option_page_capability')
- //);
 add_settings_section(
 'staffordsjobs_setting_section_two',
 'Edit Confirmations',
@@ -107,7 +103,7 @@ class staffords_employment_admin
 add_settings_field(
 'thank_you_text',
 'Thank You Message',
- array($this, 'glmclientinfoRenderTextArea'),
+ array($this, 'render_textarea_field'),
 'staffordsjobs_settings',
 'staffordsjobs_setting_section_two',
 'thank_you_text'
@@ -182,17 +178,65 @@ class staffords_employment_admin
 $field['type']
 );
 }
- register_setting(STAFFORDS_EMP_SETTINGS, STAFFORDS_EMP_SETTING_NAME);
+ register_setting(STAFFORDS_EMP_SETTINGS, STAFFORDS_EMP_SETTING_NAME, array($this, 'sanitize_options'));
+ }
+
+ public function sanitize_options($input)
+ {
+ if ( !$valid_notification_email = $this->validate_email_string($input['notification_email']) ) {
+ add_settings_error(
+ STAFFORDS_EMP_SETTINGS,
+ 'setting-error-notify-email',
+ 'invalid email for Staffords Notify: Email',
+ 'error'
+ );
+ }
+ $terms = get_terms(
+ STAFFORDS_EMP_TAX_DEPARTMENTS,
+ array(
+ 'hide_empty' => false
+ )
+ );
+ foreach ( $terms as $term ) {
+ if ( !$valid_email = $this->validate_email_string( $input[$term->slug . '_notification_email'] ) ) {
+ add_settings_error(
+ STAFFORDS_EMP_SETTINGS,
+ 'setting-error-notify-email',
+ 'invalid email for ' . $term->name . ': Email',
+ 'error'
+ );
+ }
+ }
+ return $input;
+ }
+
+ public function validate_email_string($string)
+ {
+ if ( isset( $string ) && strpos( $string, ',' ) ) {
+ $emails = explode( ',', $string );
+ foreach ( $emails as $email ) {
+ $validEmail = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
+ if ( !$validEmail ) {
+ return false;
+ }
+ }
+ } else if ( isset( $string ) && $string ) {
+ $validEmail = filter_var($string, FILTER_VALIDATE_EMAIL);
+ if ( !$validEmail ) {
+ return false;
+ }
+ }
+ return true;
 }
 
 public function staffords_add_setting_text_field($name, $label, $type)
 {
 switch ($type) {
 case 'text':
- $callback = 'glmclientinfoRenderText';
+ $callback = 'render_text_field';
 break;
 case 'textarea':
- $callback = 'glmclientinfoRenderTextArea';
+ $callback = 'render_textarea_field';
 break;
 case 'state':
 $callback = 'glmclientinfoRenderStateSelect';
@@ -211,7 +255,7 @@ class staffords_employment_admin
 );
 }
 
- public function glmclientinfoRenderText($fieldName)
+ public function render_text_field($fieldName)
 {
 static $options;
 if (!$options) {
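Review bot: `sanitize_options` is registered as the option's sanitize callback but returns `$input` unchanged after `add_settings_error` fires, so an address rejected by `validate_email_string` is still written to the option and the only effect is an admin notice; the rejected field should fall back to what `get_option(STAFFORDS_EMP_SETTINGS)` already holds. Nothing in the callback sanitizes either — the address fields are stored exactly as submitted — so each comma-separated part should pass through `sanitize_email`, which also strips CR/LF; that matters if these values are later used in mail headers, which this patch does not show. `$input['notification_email']` and `$input[$term->slug . '_notification_email']` are read without `isset`, raising a notice whenever a key is absent from the posted form. In `validate_email_string` the list branch trims each part while the single-address branch validates the raw string, so `' a@example.com'` is rejected alone but accepted inside a list; `filter_var(trim($string), FILTER_VALIDATE_EMAIL)` makes the two branches agree. A reworked `sanitize_options` with the per-field logic extracted follows.
```php
public function sanitize_options($input)
{
    $stored = get_option(STAFFORDS_EMP_SETTINGS, array());
    $input  = (array) $input;
    $input  = $this->sanitize_email_field($input, $stored, 'notification_email', 'Staffords Notify');
    // … unchanged: get_terms( STAFFORDS_EMP_TAX_DEPARTMENTS, … ) …
    foreach ( $terms as $term ) {
        $input = $this->sanitize_email_field(
            $input,
            $stored,
            $term->slug . '_notification_email',
            $term->name
        );
    }
    return $input;
}

/**
 * Normalise one comma-separated address field: trim and sanitize every part,
 * and on any rejection register a settings error and keep the stored value.
 */
private function sanitize_email_field($input, $stored, $key, $label)
{
    $raw   = isset( $input[$key] ) ? (string) $input[$key] : '';
    $parts = array_map( 'trim', explode( ',', $raw ) );
    $clean = implode( ',', array_map( 'sanitize_email', $parts ) );
    // sanitize_email() silently drops disallowed characters; treat any change
    // as a rejection so the admin sees an error rather than a mangled address.
    if ( $clean !== implode( ',', $parts ) || !$this->validate_email_string( $clean ) ) {
        add_settings_error(
            STAFFORDS_EMP_SETTINGS,
            'setting-error-notify-email',
            'invalid email for ' . $label . ': Email',
            'error'
        );
        $clean = isset( $stored[$key] ) ? $stored[$key] : '';
    }
    $input[$key] = $clean;
    return $input;
}
```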
@@ -220,7 +264,7 @@ class staffords_employment_admin
 include $this->pluginDirName . 'views/text.php';
 }
 
- public function glmclientinfoRenderTextArea($fieldName)
+ public function render_textarea_field($fieldName)
 {
 static $options;
 $options = get_option(STAFFORDS_EMP_SETTINGS);
diff --git a/glm-employment.php b/glm-employment.php
index 93e994f..65bb2bc 100644
--- a/glm-employment.php
+++ b/glm-employment.php
@@ -16,7 +16,7 @@ define('STAFFORDS_EMP_PLUGIN_PATH_FILE', __FILE__);
 define('STAFFORDS_EMP_VERSION', '0.2.1');
 define('STAFFORDS_EMP_SETTING_NAME', 'staffordsjobs_settings');
 define('STAFFORDS_EMP_SETTINGS', 'staffordsjobs_settings');
-define('STAFFORDS_EMP_NEW_CAPABILITY', 'staffordsjobs_edit_jobs');
+define('STAFFORDS_EMP_NEW_CAPABILITY', 'edit_staffords_jobs');
 define('STAFFORDS_EMP_BUILT_IN_CAPABILITY', 'edit_posts');
 define('STAFFORDS_EMP_VRS_OPTION_NAME', 'staffords_jobs_db_version');
 define('STAFFORDS_EMP_POST_TYPE', 'staffords_jobs');
diff --git a/views/optionsPage.php b/views/optionsPage.php
index 0c8005e..1b67b96 100644
--- a/views/optionsPage.php
+++ b/views/optionsPage.php
@@ -6,10 +6,11 @@ table.form-table td textarea {width: 500px; height: 200px;}

Employment Plugin Settings

- +
-- 2.17.1