diff --git a/php/classes/class-all-episode-stats.php b/php/classes/class-all-episode-stats.php
index 7d6b6cf..01bc778 100644
--- a/php/classes/class-all-episode-stats.php
+++ b/php/classes/class-all-episode-stats.php
@@ -70,12 +70,13 @@ public function render_all_episodes_stats(){
  $pagenum = 1;
  }
  $total_pages = intval( ceil( $this->total_posts / $this->total_per_page ) );
- $order_by = isset( $_GET['orderby'] ) ? '&orderby=' . sanitize_text_field( $_GET['orderby'] ) : "";
- $order = isset( $_GET['order'] ) ? '&order=' . sanitize_text_field( $_GET['order'] ) : "";
+ $order_by_qry = isset( $_GET['orderby'] ) ? '&orderby=' . esc_attr( $_GET['orderby'] ) : "";
+ $order = $this->get_requested_order();
+ $order_qry = $order ? '&order=' . esc_attr( $order ) : "";
  $prev_page = ( $pagenum <= 1 ) ? 1 : $pagenum - 1;
- $prev_page_url = admin_url( "edit.php?post_type=" . SSP_CPT_PODCAST . "&page=podcast_stats" . $order_by . $order . "&pagenum=" . $prev_page . "#last-three-months-container" );
+ $prev_page_url = admin_url( "edit.php?post_type=" . SSP_CPT_PODCAST . "&page=podcast_stats" . $order_by_qry . $order_qry . "&pagenum=" . $prev_page . "#last-three-months-container" );
  $next_page = $pagenum + 1;
- $next_page_url = admin_url( "edit.php?post_type=" . SSP_CPT_PODCAST . "&page=podcast_stats" . $order_by . $order . "&pagenum=" . $next_page . "#last-three-months-container" );
+ $next_page_url = admin_url( "edit.php?post_type=" . SSP_CPT_PODCAST . "&page=podcast_stats" . $order_by_qry . $order_qry . "&pagenum=" . $next_page . "#last-three-months-container" );
  ob_start();
  require_once SSP_STATS_DIR_PATH . 'partials/stats-all-episodes-pagination.php';
  $html .= ob_get_clean();
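Review bot: `orderby` is still taken straight from `$_GET` into the pagination links with no allowlist, while the same hunk now allowlists `order`; and `esc_attr()` escapes for an HTML attribute rather than a URL, so characters like `=`, `#` or `%` in `$_GET['orderby']` reach the query string unencoded, and a non-string value (`?orderby[]=x`) is handed to string functions inside `esc_attr()` and fails loudly on PHP 8. Validate it against the column names the stats query actually sorts on (not visible in this hunk) with a helper mirroring `get_requested_order()`, and let `add_query_arg()` do the encoding, or at least `$order_by_qry = $order_by ? '&orderby=' . rawurlencode( $order_by ) : '';` if the concatenation is kept. If the partial already runs these URLs through `esc_url()`, the `esc_attr()` calls here are redundant and the escaping belongs at output time. `render_all_episodes_stats()` begins before this hunk.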
@@ -84,6 +85,20 @@ public function render_all_episodes_stats(){
  return $html;
  }
 
+ /**
+ *
+ * @return string|null
+ */
+ private function get_requested_order() {
+ if ( ! isset( $_GET['order'] ) ) {
+ return null;
+ }
+ $order = strtolower( $_GET['order'] );
+ $allowed_orders = array( 'asc', 'desc' );
+
+ return in_array( $order, $allowed_orders ) ? $order : null;
+ }
+
  /**
  * Get all episode stats to be rendered in the stats-all-episode partial
  *
diff --git a/php/classes/class-ssp-stats.php b/php/classes/class-ssp-stats.php
index 363c1e2..a01fb4a 100755
--- a/php/classes/class-ssp-stats.php
+++ b/php/classes/class-ssp-stats.php
@@ -275,8 +275,6 @@ public function set_filters() {
  */
  public function load_episode_ids () {
-
-
  switch( $this->filter ) {
  case 'series':
  if( 'all' != $this->series ) {
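Review bot: `strtolower( $_GET['order'] )` in `get_requested_order()` assumes the parameter is a string; a request like `?order[]=asc` makes it an array, which is a `TypeError` on PHP 8, so a malformed URL takes down the stats page instead of falling back to the default order. Widen the guard to `if ( ! isset( $_GET['order'] ) || ! is_string( $_GET['order'] ) ) { return null; }` and pass `true` as the third argument to `in_array()` so the allowlist comparison is strict. The docblock summary line is empty; I would fill it with `Reads the requested sort direction from $_GET['order'] and returns 'asc' or 'desc', or null when it is absent or not an allowed value.`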