Nonce verified; capabilities checked; input sanitized

views/settings_page.php

@@ -1,17 +1,40 @@
 <?php
 
+/* Quit */
+defined('ABSPATH') OR exit;
+
 /* Update plugin options */
 if ( !empty($_POST['statifyblacklist']) ) {
+  /* Verify nonce */
+  check_admin_referer( 'statify-blacklist-settings' );
+
+  /* Check user capabilities */
+  if (!current_user_can('manage_options')) {
+    die(_e('Are you sure you want to do this?'));
+  }
+
   if (!empty($_POST['cleanUp'])) {
     /* CleanUp DB */
     StatifyBlacklist_Admin::cleanup_database();
   } else {
-    StatifyBlacklist::update_options(
+    /* Extract referer array */
+    if (empty(trim($_POST['statifyblacklist']['referer']))) $referer = array();
+    else $referer = explode("\r\n", $_POST['statifyblacklist']['referer']);
+
+    /* Update options (data will be sanitized) */
+    $statifyBlacklistUpdateResult= StatifyBlacklist_Admin::update_options(
       array(
         'active_referer' => (int)@$_POST['statifyblacklist']['active_referer'],
-        'referer' => explode("\r\n", $_POST['statifyblacklist']['referer'])
+        'referer' => $referer
       )
     );
+
+    /* Generate messages */
+    if ($statifyBlacklistUpdateResult !== false) {
+      $statifyBlacklistPostWarning = 'Some URLs are invalid and have been sanitized. Settings have not been saved yet.';
+    } else {
+      $statifyBlacklistPostSuccess = 'Settings updated successfully.';
+    }
   }
 }
 
@@ -19,7 +42,23 @@ if ( !empty($_POST['statifyblacklist']) ) {
 
 <div class="wrap">
     <h1><?php _e( 'Statify Blacklist', 'statify-blacklist') ?></h1>
-    <?php if (is_plugin_inactive('statify/statify.php')) { print '<div class="notice notice-warning"><p>'; esc_html_e('Statify plugin is not active.', 'statify-blacklist'); print '</p></div>'; } ?>
+    <?php
+    if (is_plugin_inactive('statify/statify.php')) {
+      print '<div class="notice notice-warning"><p>';
+      esc_html_e('Statify plugin is not active.', 'statify-blacklist');
+      print '</p></div>';
+    }
+    if (isset($statifyBlacklistPostWarning)) {
+      print '<div class="notice notice-warning"><p>';
+      esc_html_e($statifyBlacklistPostWarning);
+      print '</p></div>';
+    }
+    if (isset($statifyBlacklistPostSuccess)) {
+      print '<div class="notice notice-success"><p>';
+      esc_html_e($statifyBlacklistPostSuccess);
+      print '</p></div>';
+    }
+    ?>
     <form action="" method="post" id="statify-blacklist-settings">
         <ul style="list-style: none;">
             <li>
@@ -31,7 +70,12 @@ if ( !empty($_POST['statifyblacklist']) ) {
             <li>
                 <label for="statify-blacklist_referer">
                     <?php  esc_html_e('Referer blacklist:', 'statify-blacklist'); ?><br />
-                    <textarea cols="40" rows="5" name="statifyblacklist[referer]" id="statify-blacklist_referer"><?php print implode("\r\n", StatifyBlacklist::$_options['referer']); ?></textarea><br />
+                    <textarea cols="40" rows="5" name="statifyblacklist[referer]" id="statify-blacklist_referer"><?php
+                      if (isset($statifyBlacklistUpdateResult) &&$statifyBlacklistUpdateResult !== false)
+                        print esc_html(implode("\r\n", $statifyBlacklistUpdateResult));
+                      else
+                        print esc_html(implode("\r\n", StatifyBlacklist::$_options['referer']));
+                    ?></textarea><br />
                     <small>(<?php esc_html_e('Add one domain (without subdomains) each line, e.g. example.com', 'statify-blacklist'); ?>)</small>
                 </label>
             </li>
@@ -44,7 +88,7 @@ if ( !empty($_POST['statifyblacklist']) ) {
           <input class="button-secondary" type="submit" name="cleanUp" value="<?php esc_html_e('CleanUp Database', 'statify-blacklist') ?>"
                  onclick="return confirm('Do you really want to apply filters to database? This cannot be undone.');">
           <br>
-          <small>(<?php esc_html_e('Applies filter (even if disabled) to data stored in database. This cannot be undone!', 'statify-blacklist'); ?>)</small>
+          <small><?php esc_html_e('Applies filter (even if disabled) to data stored in database. This cannot be undone!', 'statify-blacklist'); ?></small>
         </p>
     </form>
 </div>