From c56f3473b1ccb99bc87702560910d310de424cef Mon Sep 17 00:00:00 2001
From: Jonathan Miller
Date: Tue, 23 Jun 2026 12:26:18 -0500
Subject: [PATCH] =?UTF-8?q?fix:=20review=20round=202=20=E2=80=94=20geocode?= =?UTF-8?q?=200-coord,=20tel:=20sanitization,=20Factory=20ACL?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Fix geocoding trigger: use isset+is_numeric instead of !empty for coordinate detection (same 0.0 bug pattern as Haversine fix)
- Sanitize tel: href to digits/+/-/() only (prevents URI injection)
- Use Factory::getApplication() for ACL check (consistent with codebase)
Authored-by: Moko Consulting
---
 .../admin/src/Controller/ImportController.php | 3 ++-
 .../admin/src/Model/LocationModel.php | 3 ++-
 .../com_mokosuitestorelocator/site/tmpl/location/default.php | 3 ++-
 .../com_mokosuitestorelocator/site/tmpl/locations/default.php | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/source/packages/com_mokosuitestorelocator/admin/src/Controller/ImportController.php b/source/packages/com_mokosuitestorelocator/admin/src/Controller/ImportController.php
index 9f309e5..58585f0 100644
--- a/source/packages/com_mokosuitestorelocator/admin/src/Controller/ImportController.php
+++ b/source/packages/com_mokosuitestorelocator/admin/src/Controller/ImportController.php
@@ -10,6 +10,7 @@ namespace Moko\Component\MokoSuiteStoreLocator\Administrator\Controller;
 defined('_JEXEC') or die;
+use Joomla\CMS\Factory;
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\MVC\Controller\BaseController;
 use Joomla\CMS\Router\Route;
@@ -34,7 +35,7 @@ class ImportController extends BaseController
 Session::checkToken() or jexit(Text::_('JINVALID_TOKEN'));
 // ACL check — user must have create permission
- if (!$this->app->getIdentity()->authorise('core.create', 'com_mokosuitestorelocator'))
+ if (!Factory::getApplication()->getIdentity()->authorise('core.create', 'com_mokosuitestorelocator'))
 {
 $this->setMessage(Text::_('JLIB_APPLICATION_ERROR_CREATE_RECORD_NOT_PERMITTED'), 'error');
 $this->setRedirect(Route::_('index.php?option=com_mokosuitestorelocator&view=locations', false));
diff --git a/source/packages/com_mokosuitestorelocator/admin/src/Model/LocationModel.php b/source/packages/com_mokosuitestorelocator/admin/src/Model/LocationModel.php
index bbbc150..aed8fff 100644
--- a/source/packages/com_mokosuitestorelocator/admin/src/Model/LocationModel.php
+++ b/source/packages/com_mokosuitestorelocator/admin/src/Model/LocationModel.php
@@ -99,7 +99,8 @@ class LocationModel extends AdminModel
 */
 public function save($data)
 {
- $hasCoords = !empty($data['latitude']) && !empty($data['longitude']);
+ $hasCoords = isset($data['latitude'], $data['longitude'])
+ && is_numeric($data['latitude']) && is_numeric($data['longitude']);
 $hasAddress = !empty($data['address']) || !empty($data['city']) || !empty($data['postcode']);
 if (!$hasCoords && $hasAddress)
diff --git a/source/packages/com_mokosuitestorelocator/site/tmpl/location/default.php b/source/packages/com_mokosuitestorelocator/site/tmpl/location/default.php
index f6463e5..fa9d171 100644
--- a/source/packages/com_mokosuitestorelocator/site/tmpl/location/default.php
+++ b/source/packages/com_mokosuitestorelocator/site/tmpl/location/default.php
@@ -71,7 +71,8 @@ $item = $this->item; phone) : ?>
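Review bot: In `ImportController.php` the new condition calls `->authorise()` directly on the result of `getIdentity()`, which is documented as returning a user or null, so a request without a resolved identity would end in a fatal error instead of the permission-denied redirect. Holding the user in a variable keeps the check fail-closed: `$user = Factory::getApplication()->getIdentity();` followed by `if (!$user || !$user->authorise('core.create', 'com_mokosuitestorelocator'))`. The hunk ends inside the denial branch, so whether a `return` follows `setRedirect()` is not visible here and should be confirmed, since without it the import would carry on after the error message is queued.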
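Review bot: In `LocationModel::save()` the new `$hasCoords` test accepts any numeric string, so values such as `999` or `1e400` count as coordinates and skip geocoding even though they are not valid positions. A range check in the same expression closes that: `&& abs((float) $data['latitude']) <= 90 && abs((float) $data['longitude']) <= 180`. If the edit form or the table defaults both fields to `0`, every new record would now be treated as already located at 0,0 and never geocoded; the form definition is outside this hunk, so that is worth checking. The body of `save()` continues past the end of the hunk.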
: - + phone); ?> + escape($item->phone); ?>
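Review bot: The phone clean-up for the `tel:` link is written as an inline statement in this template and repeated in `site/tmpl/locations/default.php`, so the two allow-lists can drift apart; one shared helper called from both templates would keep them identical and give the rule a single place to be tested. The markup of these hunks did not survive in this copy, so it is not visible whether the cleaned value is itself passed through `$this->escape()` inside the `href`, or whether a phone value that reduces to an empty string still renders a link. Both are worth confirming against the real template before merge.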
diff --git a/source/packages/com_mokosuitestorelocator/site/tmpl/locations/default.php b/source/packages/com_mokosuitestorelocator/site/tmpl/locations/default.php
index 2732468..e5e21dd 100644
--- a/source/packages/com_mokosuitestorelocator/site/tmpl/locations/default.php
+++ b/source/packages/com_mokosuitestorelocator/site/tmpl/locations/default.php
@@ -54,7 +54,8 @@ use Joomla\CMS\Router\Route; phone) : ?>
- + phone); ?> + escape($item->phone); ?>