digitalFAQ.com Forum


kpmedia 09-20-2012 11:19 PM

How to sanitize WordPress function against single domain?
 
Anybody have an idea on how this WordPress include page function could be sanitized to only work with pulling content from a single domain?

PHP Code:

// Shortcode handler: fetches whatever URL the "file" attribute names.
function show_file_func( $atts ) {
  extract( shortcode_atts( array(
    'file' => ''
  ), $atts ) );

  if ( $file != '' )
    return @file_get_contents( $file );
}
add_shortcode( 'show_file', 'show_file_func' );

The above function adds this shortcode:
PHP Code:

[show_file file="http://www.somesite.com/somepage.html"]

... which then includes that entire page inside the WordPress page/post.

I see this as a potential exploit, unless you're able to sanitize it against a single (or multiple) chosen safe domains. I'm only interested in a single valid domain -- at least at the moment. I'm trying to dev a site right now, and this part is eluding me. It's going to pull static pages from a CDN (cdn.somesite.com), if I can get it working.

kpmedia 09-21-2012 12:15 AM

I solved it.

This is the function:
PHP Code:

// Shortcode handler: the "file" attribute is appended to a fixed base URL.
function show_file_func( $atts ) {
  $url = 'http://somesite.com/';
  extract( shortcode_atts( array( 'file' => '' ), $atts ) );
  if ( $file != '' )
    return @file_get_contents( $url . $file );
}
add_shortcode( 'show_file', 'show_file_func' );

And the new shortcode is now:
PHP Code:

[show_file file="somepage.html"]
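
An allowlist check for the full-URL form of the shortcode asked about in the first post, as an added example that is not part of the original thread. The function show_file_url_is_allowed and the constant SHOW_FILE_ALLOWED_HOSTS are hypothetical names, and cdn.somesite.com is the CDN host mentioned in the post.

```php
<?php
// Added example; names are hypothetical. cdn.somesite.com is the host named in the post.
const SHOW_FILE_ALLOWED_HOSTS = array( 'cdn.somesite.com' );
// True only for http(s) URLs whose host is exactly on the allowlist.
function show_file_url_is_allowed( $url ) {
    $parts = parse_url( trim( (string) $url ) );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false; // malformed, relative, or host-less input
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false; // no file://, php://, ftp:// and similar wrappers
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] ) ) {
        return false; // userinfo can disguise the real host; no non-default ports
    }
    // Exact comparison: a prefix or substring test would accept look-alike hosts.
    return in_array( strtolower( $parts['host'] ), SHOW_FILE_ALLOWED_HOSTS, true );
}

function show_file_func( $atts ) {
    $atts = shortcode_atts( array( 'file' => '' ), $atts );
    $url  = trim( $atts['file'] );
    if ( ! show_file_url_is_allowed( $url ) ) {
        return '';
    }
    // Redirects are not followed, since the target would bypass the host check.
    $context = stream_context_create( array(
        'http' => array( 'follow_location' => 0, 'timeout' => 5 ),
    ) );
    $body = @file_get_contents( $url, false, $context );
    return ( false === $body ) ? '' : $body;
}

if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'show_file', 'show_file_func' );
} else {
    // Outside WordPress: run the validator over constructed sample inputs.
    $samples = array(
        'http://cdn.somesite.com/somepage.html'      => true,
        'http://cdn.somesite.com.example.net/x.html' => false,
        'http://cdn.somesite.com@example.net/x.html' => false,
        'file:///tmp/local.txt'                      => false,
        'somepage.html'                              => false,
    );
    foreach ( $samples as $url => $expected ) {
        $ok = ( show_file_url_is_allowed( $url ) === $expected );
        printf( "%s %s\n", $ok ? 'PASS' : 'FAIL', $url );
    }
}
```

The fetched HTML is returned into the post unescaped, so the allowlist should contain only hosts whose content you control.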


