Adds additional escaping throughout plugin (VIP) #1495
Conversation
tomjn
added
[Type] Bug
[Status] In Progress
[Type] Cleanup and Documentation
[Type] Maintenance
| @@ -139,7 +139,7 @@ public function get_listings() { | |||
| 'orderby' => $orderby, | |||
| 'order' => sanitize_text_field( $_REQUEST['order'] ), | |||
| 'offset' => ( absint( $_REQUEST['page'] ) - 1 ) * absint( $_REQUEST['per_page'] ), | |||
| 'posts_per_page' => absint( $_REQUEST['per_page'] ), | |||
| 'posts_per_page' => max( 1, absint( $_REQUEST['per_page'] ) ), | |||
There was a problem hiding this comment.
As a behavior change, I might cherry-pick this commit to a separate PR, if that works for you? There could be some themes doing things they shouldn't with -1.
There was a problem hiding this comment.
I started doing this and then realized absint() prevented -1 😉 . This commit could probably be removed.
There was a problem hiding this comment.
eh but it does prevent passing 0, I wanted to add a min too so there was an upper limit but i figured that would be problematic
There was a problem hiding this comment.
In testing, 0 resulted in the default per_page, but oh well.
| @@ -48,18 +48,23 @@ public function __construct() { | |||
| public function add_bulk_actions_legacy() { | |||
| global $post_type, $wp_post_types; | |||
|
|
|||
| $bulk_actions = []; | |||
There was a problem hiding this comment.
WPJM still has PHP 5.2 compat, unfortunately. Please expand short array syntax to old school array().
| @@ -48,18 +48,23 @@ public function __construct() { | |||
| public function add_bulk_actions_legacy() { | |||
| global $post_type, $wp_post_types; | |||
|
|
|||
| $bulk_actions = []; | |||
| foreach( $this->get_bulk_actions() as $key => $bulk_action ) { | |||
| $bulk_actions[] = [ | |||
| foreach( $this->get_bulk_actions() as $key => $bulk_action ) { | ||
| $bulk_actions[] = [ | ||
| 'key' => $key, | ||
| 'label' => sprintf( $bulk_action[ 'label' ], $wp_post_types[ 'job_listing' ]->labels->name ) |
There was a problem hiding this comment.
Lint: spacing around single apostrophes in array key.
| @@ -372,16 +371,15 @@ public function jobs_meta_filters() { | |||
| private function jobs_filter_dropdown( $param, $options ) { | |||
| $selected = isset( $_GET[ $param ] ) ? $_GET[ $param ] : ''; | |||
|
|
|||
| $output = "<select name=\"$param\" id=\"dropdown_$param\">"; | |||
| echo '<select name="'.esc_attr( $param ).'" id="dropdown_'.esc_attr( $param ).'">'; | |||
There was a problem hiding this comment.
Lint: spacing around . in string concatenation.
| @@ -753,17 +755,17 @@ public function extend_submitdiv_post_status() { | |||
| $selected AND $display = $name; | |||
|
|
|||
| // Build the options | |||
| $options .= "<option{$selected} value='{$status}'>{$name}</option>"; | |||
| $options .= "<option{$selected} value='{$status}'>".esc_html( $name )."</option>"; | |||
There was a problem hiding this comment.
Lint: spacing around . in string concatenation.
templates/job-submit.php
Outdated
| @@ -40,7 +40,7 @@ | |||
|
|
|||
| <?php foreach ( $job_fields as $key => $field ) : ?> | |||
| <fieldset class="fieldset-<?php echo esc_attr( $key ); ?>"> | |||
| <label for="<?php echo esc_attr( $key ); ?>"><?php echo $field['label'] . apply_filters( 'submit_job_form_required_label', $field['required'] ? '' : ' <small>' . __( '(optional)', 'wp-job-manager' ) . '</small>', $field ); ?></label> | |||
| <label for="<?php echo esc_attr( $key ); ?>"><?php echo esc_html( $field['label']) . wp_kses_post( apply_filters( 'submit_job_form_required_label', $field['required'] ? '' : ' <small>' . __( '(optional)', 'wp-job-manager' ) . '</small>', $field ) ); ?></label> | |||
There was a problem hiding this comment.
Lint: Spacing around argument list (esc_html( $field['label'])).
tests/php/bootstrap.php
Outdated
| @@ -144,7 +144,7 @@ public function convert_to_exception( $errno, $errstr, $errfile, $errline ) { | |||
|
|
|||
| // PHP 5.2 doesn't show the error from Exceptions. | |||
| if ( version_compare( phpversion(), '5.3.0', '<' ) ) { | |||
| echo "Error ($errno) - $description\n"; | |||
| echo "Error (".esc_html( $errno ) ."( - ".esc_html( $description )."\n"; | |||
There was a problem hiding this comment.
Lint: spacing around string concatenation (.).
wp-job-manager-functions.php
Outdated
| @@ -1388,10 +1387,9 @@ function job_manager_duplicate_listing( $post_id ) { | |||
| /* | |||
| * Duplicate post meta, aside from some reserved fields. | |||
| */ | |||
| $post_meta = $wpdb->get_results( $wpdb->prepare( "SELECT meta_key, meta_value FROM {$wpdb->postmeta} WHERE post_id=%d", $post_id ) ); | |||
| $post_meta = get_post_meta( $post_id ); | |||
There was a problem hiding this comment.
Replaced by #1503; please remove from this PR.
(Also line change below)
wp-job-manager-template.php
Outdated
| @@ -1066,11 +1072,10 @@ function the_company_twitter( $before = '', $after = '', $echo = true, $post = n | |||
| if ( strlen( $company_twitter ) == 0 ) | |||
| return; | |||
|
|
|||
| $company_twitter = esc_attr( strip_tags( $company_twitter ) ); | |||
| $company_twitter = $before . '<a href="http://twitter.com/' . $company_twitter . '" class="company_twitter" target="_blank">' . $company_twitter . '</a>' . $after; | |||
| $company_twitter = $before . '<a href="'.esc_url( 'https://twitter.com/' . $company_twitter ) . '" class="company_twitter" target="_blank">' . esc_html( wp_strip_all_tags( $company_twitter ) ) . '</a>' . $after; | |||
There was a problem hiding this comment.
Lint: spacing around string concatenation (.).
templates/account-signin.php
Outdated
| <?php endif; ?> | ||
|
|
||
| <?php elseif ( $account_required ) : ?> | ||
|
|
||
| <?php echo apply_filters( 'submit_job_form_login_required_message', __('You must sign in to create a new listing.', 'wp-job-manager' ) ); ?> | ||
| <?php echo wp_kses_post( apply_filters( 'submit_job_form_login_required_message', __('You must sign in to create a new listing.', 'wp-job-manager' ) ) ); ?> |
There was a problem hiding this comment.
This was an original lint issue, but while editing line, there is a spacing issue in the argument list for __().
|
cc: @tripflex I don't think the escaping happening in the |
jom
force-pushed
the
vip_escaping
branch
2 times, most recently
from
1198a46 to
d72e567
Compare
assets/js/ajax-filters.js
Outdated
| @@ -122,7 +123,8 @@ jQuery( document ).ready( function ( $ ) { | |||
| if ( result ) { | |||
| try { | |||
| if ( result.showing ) { | |||
| $( showing ).show().html( '<span>' + result.showing + '</span>' + result.showing_links ); | |||
| var showing_el = jQuery('<span>').text(result.showing) | |||
| $( showing ).show().html( '').text(result.showing_links).prepend(showing_el); | |||
There was a problem hiding this comment.
result.showing_links contains HTML and gets encoded using $.text().
|
I've force pushed a modified version of that commit with #1503's content removed. I want to test that change with WPML before merging and don't want it to hold up this commit. For further changes, you'll need to do a hard reset to the remote branch.... sorry, since I'm planning on squashing this PR anyway I could have just done a partial revert commit. Can we revert the change to line 125 in There were a few more lint errors not resolved yet but I did them in 09fc708. |
|
@jom my bandwidth at the moment is quite tight, and we've a client waiting on these changes for quite a while now, anything you can do to expedite things would be super helpful |
|
@tomjn I'll revert the change mentioned in |
There's a number of issues flagged during VIP review, I'm currently going through and fixing them by adding in the missing escaping. WIP PR, questions welcome