HEX
Server: LiteSpeed
System: Linux s787.bom1.mysecurecloudhost.com 4.18.0-477.13.1.lve.el8.x86_64 #1 SMP Thu Jun 1 16:40:47 EDT 2023 x86_64
User: mobilech (5348)
PHP: 8.1.34
Disabled: NONE
Upload Files
File: //proc/thread-self/cwd/wp-content/plugins/html5-video-player/inc/Model/Ajax.php
<?php

namespace H5VP\Model;

if (!defined('ABSPATH'))
    exit; // Exit if accessed directly

class Ajax
{

    protected static $_instance = null;
    private $params = [];
    private $requestType;
    private $requestMethod;
    private $requestModel;
    private $model;

    public function __construct()
    {
    }

    public function register()
    {
        add_action('wp_ajax_h5vp_ajax_handler', [$this, 'prepareAjax']);


    }

    public static function instance()
    {
        if (!self::$_instance) {
            self::$_instance = new self();
        }
        return self::$_instance;
    }

    public function isset($array, $key, $default = false)
    {
        if (isset($array[$key])) {
            return $array[$key];
        }
        return $default;
    }

    private function getAllowedActions(): array
    {
        return [
            'Video' => ['class' => \H5VP\Model\Video::class, 'methods' => ['create']],
        ];
    }

    public function prepareAjax()
    {
        if (!current_user_can('edit_posts')) {
            wp_send_json_error('403 Forbidden');
        }

        if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'] ?? '')), 'h5vp_ajax_handler')) {
            wp_send_json_error('403 Forbidden');
        }

        // Raw request data. Models are responsible for whitelisting/sanitizing
        // every field before it reaches the DB layer.
        $this->params = wp_unslash($_POST);
        $this->requestType = 'POST';
        $this->proceedRequest();
    }

    public function proceedRequest()
    {
        $data = $this->params;

        $this->requestModel = sanitize_text_field($this->isset($data, 'model', ''));
        $this->requestMethod = sanitize_text_field($this->isset($data, 'method', ''));

        $allowedActions = $this->getAllowedActions();

        if (!isset($allowedActions[$this->requestModel]) || !\in_array($this->requestMethod, $allowedActions[$this->requestModel]['methods'], true)) {
            wp_send_json_error('Action not allowed!');
        }

        // The class name comes solely from the server-side allow-list — request
        // data is only ever used as an array key, never to build a class name.
        $this->model = $allowedActions[$this->requestModel]['class'];

        if (!class_exists($this->model)) {
            wp_send_json_error('Model does not exists!');
        }

        $model = new $this->model();


        if (method_exists($model, $this->requestMethod)) {
            unset($this->params['method'], $this->params['action'], $this->params['nonce'], $this->params['model']);

            $result = $model->{$this->requestMethod}($this->params);
            wp_send_json_success($result);
        } else {
            wp_send_json_error('Method does not exists!');
        }


    }

}