Merge pull request #912 from Codeinwp/bugfix/pro/339

Fix security vulnerability

Author: vytisbulkevicius

classes/Visualizer/Gutenberg/Block.php

@@ -750,8 +750,12 @@ public function upload_csv_data( $data ) {
 			return false;
 		}
 
-		if ( $data['url'] && ! is_wp_error( $data['url'] ) && filter_var( $data['url'], FILTER_VALIDATE_URL ) ) {
-			$source = new Visualizer_Source_Csv_Remote( $data['url'] );
+		$remote_data = false;
+		if ( isset( $data['url'] ) && function_exists( 'wp_http_validate_url' ) ) {
+			$remote_data = wp_http_validate_url( $data['url'] );
+		}
+		if ( false !== $remote_data && ! is_wp_error( $remote_data ) ) {
+			$source = new Visualizer_Source_Csv_Remote( $remote_data );
 			if ( $source->fetch() ) {
 				$temp = $source->getData();
 				if ( is_string( $temp ) && is_array( unserialize( $temp ) ) ) {

classes/Visualizer/Module/Chart.php

@@ -1111,10 +1111,15 @@ public function uploadData() {
 
 		$source = null;
 		$render = new Visualizer_Render_Page_Update();
-		if ( isset( $_POST['remote_data'] ) && filter_var( $_POST['remote_data'], FILTER_VALIDATE_URL ) ) {
-			$source = new Visualizer_Source_Csv_Remote( $_POST['remote_data'] );
+
+		$remote_data = false;
+		if ( isset( $_POST['remote_data'] ) && function_exists( 'wp_http_validate_url' ) ) {
+			$remote_data = wp_http_validate_url( $_POST['remote_data'] );
+		}
+		if ( false !== $remote_data ) {
+			$source = new Visualizer_Source_Csv_Remote( $remote_data );
 			if ( isset( $_POST['vz-import-time'] ) ) {
-				apply_filters( 'visualizer_pro_chart_schedule', $chart_id, $_POST['remote_data'], $_POST['vz-import-time'] );
+				apply_filters( 'visualizer_pro_chart_schedule', $chart_id, $remote_data, $_POST['vz-import-time'] );
 			}
 			// phpcs:ignore WordPress.PHP.StrictComparisons.LooseComparison
 		} elseif ( isset( $_FILES['local_data'] ) && $_FILES['local_data']['error'] == 0 ) {