diff --git a/includes/Wpup/Request.php b/includes/Wpup/Request.php
index 0128c8f..0f716ed 100644
--- a/includes/Wpup/Request.php
+++ b/includes/Wpup/Request.php
@@ -30,8 +30,8 @@ public function __construct($query, $headers, $clientIp = '0.0.0.0', $httpMethod
 $this->clientIp = $clientIp;
 $this->httpMethod = strtoupper($httpMethod);
- $this->action = $this->param('action', '');
- $this->slug = $this->param('slug', '');
+ $this->action = preg_replace('@[^a-z0-9\-_]@i', '', $this->param('action', ''));
+ $this->slug = preg_replace('@[:?/\\\]@i', '', $this->param('slug', ''));
 //If the request was made via the WordPress HTTP API we can usually
 //get WordPress version and site URL from the user agent.
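Review bot: The new slug filter on the `+ $this->slug` line is a denylist that strips only `:`, `?`, `/` and `\`, while the action filter right above it is an allowlist; every other byte (NUL, whitespace, control characters) still passes through to whatever later consumes the slug, which is presumably a file lookup given the characters chosen. Mirroring the action rule would close that gap with one line, `$this->slug = preg_replace('@[^a-z0-9\-_.]@i', '', $this->param('slug', ''));`, provided existing package slugs use nothing outside that set — a behaviour change worth checking against real names before merging. The `i` modifier on the slug pattern is a no-op, since its character class contains no letters. A short comment above the pair, `//Restrict action and slug to a safe character set before they are used to look up handlers and packages`, would record why the filtering is done here rather than at the point of use. The constructor's body continues outside the hunk, so the later uses of these properties are not visible here.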