Diffstat (limited to 'plugins/jetpack/modules/wpcom-block-editor/class-jetpack-wpcom-block-editor.php')
-rw-r--r--plugins/jetpack/modules/wpcom-block-editor/class-jetpack-wpcom-block-editor.php23
1 files changed, 12 insertions, 11 deletions
diff --git a/plugins/jetpack/modules/wpcom-block-editor/class-jetpack-wpcom-block-editor.php b/plugins/jetpack/modules/wpcom-block-editor/class-jetpack-wpcom-block-editor.php
index 6fc48967..799b8272 100644
--- a/plugins/jetpack/modules/wpcom-block-editor/class-jetpack-wpcom-block-editor.php
+++ b/plugins/jetpack/modules/wpcom-block-editor/class-jetpack-wpcom-block-editor.php
@@ -91,8 +91,8 @@ class Jetpack_WPCOM_Block_Editor {
* Prevents frame options header from firing if this is a allowed iframe request.
*/
public function disable_send_frame_options_header() {
- // phpcs:ignore WordPress.Security.NonceVerification
- if ( $this->framing_allowed( $_GET['frame-nonce'] ) ) {
+ // phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput
+ if ( isset( $_GET['frame-nonce'] ) && $this->framing_allowed( $_GET['frame-nonce'] ) ) {
remove_action( 'admin_init', 'send_frame_options_header' );
}
}
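Review bot: The guard on L20 still passes `$_GET['frame-nonce']` to framing_allowed() unslashed and untyped, and the widened phpcs ignore on L19 silences `ValidatedSanitizedInput` rather than satisfying it; since a verified nonce is the only thing that permits removing the X-Frame-Options header here, the value should at least be constrained to a string before it is compared. Changing the condition to `if ( isset( $_GET['frame-nonce'] ) && is_string( $_GET['frame-nonce'] ) && $this->framing_allowed( wp_unslash( $_GET['frame-nonce'] ) ) ) {` rejects a `frame-nonce[]=` array request up front and matches the `wp_unslash()` treatment the same commit gives `redirect_to` further down. framing_allowed() is defined outside this hunk, so whether it already casts or validates its argument cannot be confirmed from here; if it expects a plain token, wrapping the value in `sanitize_text_field()` would also let the ignore shrink back to `NonceVerification` alone.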
@@ -104,8 +104,8 @@ class Jetpack_WPCOM_Block_Editor {
* @return string
*/
public function add_iframed_body_class( $classes ) {
- // phpcs:ignore WordPress.Security.NonceVerification
- if ( $this->framing_allowed( $_GET['frame-nonce'] ) ) {
+ // phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput
+ if ( isset( $_GET['frame-nonce'] ) && $this->framing_allowed( $_GET['frame-nonce'] ) ) {
$classes .= ' is-iframed ';
}
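Review bot: The `isset( $_GET['frame-nonce'] ) && $this->framing_allowed( $_GET['frame-nonce'] )` expression on L31 is now duplicated verbatim from disable_send_frame_options_header() above, each with its own two-sniff phpcs ignore, so any later tightening of how the nonce is read has to be made in two places. A small private helper, e.g. `private function is_iframed_request() { return isset( $_GET['frame-nonce'] ) && $this->framing_allowed( wp_unslash( $_GET['frame-nonce'] ) ); }`, would keep the raw superglobal access and its phpcs annotation in one spot and reduce both call sites to `if ( $this->is_iframed_request() ) {`. The rest of add_iframed_body_class(), including its `return`, lies outside this hunk.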
@@ -118,12 +118,12 @@ class Jetpack_WPCOM_Block_Editor {
* force the editor to break out of the iFrame.
*/
private function check_iframe_cookie_setting() {
- if ( ! isset( $_SERVER['QUERY_STRING'] ) || ! strpos( $_SERVER['QUERY_STRING'], 'calypsoify%3D1%26block-editor' ) || isset( $_COOKIE['wordpress_test_cookie'] ) ) {
+ if ( ! isset( $_SERVER['QUERY_STRING'] ) || ! strpos( filter_var( wp_unslash( $_SERVER['QUERY_STRING'] ) ), 'calypsoify%3D1%26block-editor' ) || isset( $_COOKIE['wordpress_test_cookie'] ) ) {
return;
}
- if ( empty( $_GET['calypsoify_cookie_check'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
- header( 'Location: ' . esc_url_raw( $_SERVER['REQUEST_URI'] . '&calypsoify_cookie_check=true' ) );
+ if ( isset( $_SERVER['REQUEST_URI'] ) && empty( $_GET['calypsoify_cookie_check'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ header( 'Location: ' . esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) . '&calypsoify_cookie_check=true' ) );
exit;
}
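Review bot: The redirect on L45 is still emitted with a raw `header()` built from `$_SERVER['REQUEST_URI']`, and `esc_url_raw()` does not reject a protocol-relative target, so if the web server passes a request path beginning with `//` through unnormalized the Location header would point at another host; `wp_safe_redirect()` prefixes a leading `//` with a scheme and checks the host against the allowed list, so `wp_safe_redirect( wp_unslash( $_SERVER['REQUEST_URI'] ) . '&calypsoify_cookie_check=true' ); exit;` keeps the behaviour while adding that check. Secondary, on L39: `filter_var()` with no filter argument is FILTER_DEFAULT and returns the string untouched, so it reads as sanitization that is not happening — a comment such as `// QUERY_STRING is only compared against a fixed marker, never output; no sanitization needed.` would be more honest than the no-op call. Note also that `! strpos( ... )` treats a match at offset 0 as "not found" (`false === strpos( ... )` is the intended test), though with the `redirect_to`-embedded marker that offset is unlikely in practice. check_iframe_cookie_setting() continues past this hunk.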
@@ -140,11 +140,12 @@ class Jetpack_WPCOM_Block_Editor {
if ( empty( $_REQUEST['redirect_to'] ) ) {
return;
}
+ // phpcs:ignore WordPress.Security.NonceVerification
+ $redirect_to = esc_url_raw( wp_unslash( $_REQUEST['redirect_to'] ) );
$this->check_iframe_cookie_setting();
- // phpcs:ignore WordPress.Security.NonceVerification
- $query = wp_parse_url( urldecode( $_REQUEST['redirect_to'] ), PHP_URL_QUERY );
+ $query = wp_parse_url( urldecode( $redirect_to ), PHP_URL_QUERY );
$args = wp_parse_args( $query );
// Check nonce and make sure this is a Gutenframe request.
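Review bot: After the new L53, `$redirect_to` can be an empty string — `esc_url_raw()` returns `''` for a URL whose scheme is not in wp_allowed_protocols() — and the code still proceeds to `wp_parse_url( urldecode( '' ), PHP_URL_QUERY )` on L57, handing a null query to `wp_parse_args()` before the nonce check that begins at L59. An early exit right after the assignment, `if ( '' === $redirect_to ) { return; }`, makes the rejected-scheme case explicit instead of relying on the nonce lookup to fail on an empty `$args`. The surrounding function starts before this hunk and the nonce verification it leads into is outside it, so whether a later line already guards against the empty case cannot be confirmed here.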
@@ -188,7 +189,7 @@ class Jetpack_WPCOM_Block_Editor {
*/
public function add_login_html() {
?>
- <input type="hidden" name="redirect_to" value="<?php echo esc_url( $_REQUEST['redirect_to'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended ?>" />
+ <input type="hidden" name="redirect_to" value="<?php echo isset( $_REQUEST['redirect_to'] ) ? esc_url( wp_unslash( $_REQUEST['redirect_to'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized ?>" />
<script type="application/javascript">
document.getElementById( 'loginform' ).addEventListener( 'submit' , function() {
document.getElementById( 'wp-submit' ).setAttribute( 'disabled', 'disabled' );
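Review bot: The new L65 folds superglobal access, unslashing, escaping, a ternary and two phpcs ignores into a single markup line, which makes the template hard to read and puts the sniff annotations inside HTML. Computing the value before the `?>` on L63 — `$redirect_to = isset( $_REQUEST['redirect_to'] ) ? wp_unslash( $_REQUEST['redirect_to'] ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized` — leaves the attribute as `value="<?php echo esc_url( $redirect_to ); ?>"`, keeps the escaping visible at the output point, and gives the later nonce check a named variable to validate against. Where this value is finally verified is outside the hunk, so no claim is made here about whether the target host is checked before use.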
@@ -414,7 +415,7 @@ class Jetpack_WPCOM_Block_Editor {
global $post;
if ( ! $post instanceof WP_Post ) {
return false;
- };
+ }
if ( ! has_blocks( $post ) ) {
return false;