From 44ee7ee83921e7dee74a1e0043711997a1200e5a Mon Sep 17 00:00:00 2001
From: Stefan Kalscheuer
Date: Sun, 17 Mar 2019 17:34:57 +0100
Subject: [PATCH] Check regular expressions and prevent saving invalid settings (#13)
---
inc/class-statifyblacklist-admin.php | 20 ++++++++++++++------
views/settings-page.php | 7 ++++++-
2 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/inc/class-statifyblacklist-admin.php b/inc/class-statifyblacklist-admin.php
index 1920157..18692f4 100644
--- a/inc/class-statifyblacklist-admin.php
+++ b/inc/class-statifyblacklist-admin.php
@@ -63,22 +63,26 @@ public static function update_options( $options = null ) {
 if ( isset( $options ) && current_user_can( 'manage_options' ) ) {
 // Sanitize referer list.
- $given_referer = $options['referer']['blacklist'];
+ $given_referer = $options['referer']['blacklist'];
+ $invalid_referer = [];
 if ( self::MODE_NORMAL === $options['referer']['regexp'] ) {
 // Sanitize URLs and remove empty inputs.
 $sanitized_referer = self::sanitize_urls( $given_referer );
 } elseif ( self::MODE_REGEX === $options['referer']['regexp'] || self::MODE_REGEX_CI === $options['referer']['regexp'] ) {
- // TODO Check regular expressions.
 $sanitized_referer = $given_referer;
+ // Check regular expressions.
+ $invalid_referer = self::sanitize_regex( $given_referer );
 } else {
 $sanitized_referer = $given_referer;
 }
 // Sanitize target list.
- $given_target = $options['target']['blacklist'];
+ $given_target = $options['target']['blacklist'];
+ $invalid_target = [];
 if ( self::MODE_REGEX === $options['target']['regexp'] || self::MODE_REGEX_CI === $options['target']['regexp'] ) {
- // TODO Check regular expressions.
 $sanitized_target = $given_target;
+ // Check regular expressions.
+ $invalid_target = self::sanitize_regex( $given_target );
 } else {
 $sanitized_target = $given_target;
 }
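Review bot: The comment `// Check regular expressions.` above `$invalid_referer = self::sanitize_regex( $given_referer );` undersells what the branch does: the list itself is stored unchanged in `$sanitized_referer` and only the offending entries are collected, so a reader expecting a cleaned list from a function named sanitize_regex is misled. Suggest `// Collect invalid expressions; the list is kept as given and saving is refused further down if any are found.` on both the referer and the target branch, in place of the two identical comments. update_options continues past the end of this hunk, so the refusal itself is not visible here; it appears to be the early return extended in the @@ -103 hunk.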
@@ -92,10 +96,12 @@ public static function update_options( $options = null ) {
 'referer' => [
 'sanitized' => $sanitized_referer,
 'diff' => array_diff( $given_referer, $sanitized_referer ),
+ 'invalid' => $invalid_referer,
 ],
 'target' => [
 'sanitized' => $sanitized_target,
 'diff' => array_diff( $given_target, $sanitized_target ),
+ 'invalid' => $invalid_target,
 ],
 'ip' => [
 'sanitized' => $sanitized_ip,
@@ -103,7 +109,9 @@ public static function update_options( $options = null ) {
 ],
 ];
 if ( ! empty( $errors['referer']['diff'] )
+ || ! empty( $errors['referer']['invalid'] )
 || ! empty( $errors['target']['diff'] )
+ || ! empty( $errors['target']['invalid'] )
 || ! empty( $errors['ip']['diff'] ) ) {
 return $errors;
 }
@@ -343,10 +351,10 @@ function ( $ip ) {
 */
 private static function sanitize_regex( $expressions ) {
 return array_filter(
- $expressions,
+ array_flip( $expressions ),
 function ( $re ) {
 // Check of preg_match() fails (warnings suppressed).
- return false === @preg_match( $re, null );
+ return false === @preg_match( StatifyBlacklist::regex( $re, false ), null );
 }
 );
 }
diff --git a/views/settings-page.php b/views/settings-page.php
index b4a69bb..cd073cf 100755
--- a/views/settings-page.php
+++ b/views/settings-page.php
@@ -116,6 +116,9 @@ function ( $a ) {
 if ( ! empty( $statifyblacklist_update_result['referer']['diff'] ) ) {
 $statifyblacklist_post_warning[] = __( 'Some URLs are invalid and have been sanitized.', 'statify-blacklist' );
 }
+ if ( ! empty( $statifyblacklist_update_result['referer']['invalid'] ) ) {
+ $statifyblacklist_post_warning[] = __( 'Some regular expressions are invalid:', 'statify-blacklist' ) . '
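Review bot: In the @@ -343 hunk, `@preg_match( StatifyBlacklist::regex( $re, false ), null )` passes `null` as the subject; it only works because the argument is coerced to an empty string, and on PHP 8.1+ passing null to a non-nullable internal parameter raises a deprecation that the `@` then hides on top of the compile warning it is meant to suppress. Use an explicit empty subject, `return false === @preg_match( StatifyBlacklist::regex( $re, false ), '' );`. The switch to `array_flip( $expressions )` also fixes a contract that the docblock (ending at the ` */` that opens the hunk) should state: the callback now tests the keys of `$expressions`, so the array is expected keyed by expression, and the return is the subset of invalid expressions keyed by their original position; if a plain list of expressions were ever passed, the flip would hand the callback the integer positions instead, so pinning that in a `@param` line is worth doing.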
' . implode( '
', $statifyblacklist_update_result['referer']['invalid'] );
+ }
 if ( ! empty( $statifyblacklist_update_result['ip']['diff'] ) ) {
 // translators: List of invalid IP addresses (comma separated).
 $statifyblacklist_post_warning[] = sprintf( __( 'Some IPs are invalid: %s', 'statify-blacklist' ), implode( ', ', $statifyblacklist_update_result['ip']['diff'] ) );
@@ -144,7 +147,9 @@ function ( $a ) {
 }
 if ( isset( $statifyblacklist_post_warning ) ) {
 foreach ( $statifyblacklist_post_warning as $w ) {
- print '
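Review bot: The new warning built from `__( 'Some regular expressions are invalid:', 'statify-blacklist' )` and `implode( …, $statifyblacklist_update_result['referer']['invalid'] )` concatenates user-entered expressions into a string that the @@ -144 hunk then prints through `wp_kses( $w, [ 'br' => [] ] )` instead of `esc_html( $w )`. wp_kses strips or rewrites anything tag-like, so an expression containing `<` is displayed altered, the message depends on an allowlist rather than on escaping the data, and the existing URL and IP warnings lose their esc_html treatment as a side effect. Escape each expression where the message is assembled, `implode( $sep, array_map( 'esc_html', $statifyblacklist_update_result['referer']['invalid'] ) )` with `$sep` standing for the separator markup the view already inserts (not legible in this rendering of the patch; the kses allowlist suggests it is a line break), so the only markup left in `$w` is what the view itself adds, and keep wp_kses as the outer guard.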

' . esc_html( $w ) . '

'; + print '

' . + wp_kses( $w, [ 'br' => [] ] ) . + '

'; } print '

' . esc_html( 'Settings have not been saved yet.', 'statify-blacklist' ) . '

'; }
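Review bot: `esc_html( 'Settings have not been saved yet.', 'statify-blacklist' )` in the unchanged print below the loop passes a text domain to esc_html(), which takes a single argument, so the string is escaped but never translated; `esc_html__( 'Settings have not been saved yet.', 'statify-blacklist' )` is the function that does both. This is not introduced by the commit, but it sits in the same print block the commit reworks and every other message in this view goes through `__()`, so it is worth fixing while here.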