From 3ed146d512da46ce2be541e5891ea7fad529c165 Mon Sep 17 00:00:00 2001
From: Lem Smyth <lem@lemsmyth.com>
Date: Sun, 27 Feb 2022 11:40:05 -0600
Subject: [PATCH] sanitize supports add form

---
 classes/LBRY_Admin.php          | 2 +-
 templates/supports-add-form.php | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/classes/LBRY_Admin.php b/classes/LBRY_Admin.php
index a62fbba..efabafc 100644
--- a/classes/LBRY_Admin.php
+++ b/classes/LBRY_Admin.php
@@ -476,7 +476,7 @@ class LBRY_Admin
      */
     public function add_supports()
     {
-        if ( ( $_POST['post_id'] ) && ( $_POST['post_id'] !== null ) ) {
+        if ( ( $_POST['post_id'] ) && ( absint( $_POST['post_id'] ) ) ) {
             $redirect_url = admin_url( add_query_arg( array( 'post' => $_POST['post_id'], 'action' => 'edit' ), 'post.php') );
         } else {
             $redirect_url = admin_url( add_query_arg( array( 'page' => 'lbrypress', 'tab' => 'channels' ), 'options.php' ) );
diff --git a/templates/supports-add-form.php b/templates/supports-add-form.php
index cbe0dc8..ef62cca 100644
--- a/templates/supports-add-form.php
+++ b/templates/supports-add-form.php
@@ -34,10 +34,10 @@ if ( current_user_can( 'manage_options' ) ) {
 	<form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="post" id="lbry_add_supports_form">	
             		
 		<input type="hidden" name="action" value="lbry_add_supports">
-		<input type="hidden" name="_lbrynonce" value="<?php echo $lbrynonce; ?>">
-        <input type="hidden" name="post_id" value="<?php echo $return_post; ?>">
-        <input type="hidden" name="lbry_url" value="<?php echo esc_attr($lbry_url); ?>">
-        <input type="hidden" name="supporting_channel" value="<?php echo $supporting_channel; ?>">
+		<input type="hidden" name="_lbrynonce" value="<?php echo esc_attr($lbrynonce); ?>">
+        <input type="hidden" name="post_id" value="<?php echo esc_attr($return_post); ?>">
+        <input type="hidden" name="lbry_url" value="<?php echo esc_url($lbry_url); ?>">
+        <input type="hidden" name="supporting_channel" value="<?php echo esc_attr($supporting_channel); ?>">
 
         <h2><?php echo _e( 'Add Supports to Claim:', 'lbrypress' ); ?></h2>
             <?php printf(