Prep Plugin for release on WordPress.org

Escape everything that should be escaped. Add nonce checks where needed. Sanitize all inputs. Apply Code style changes across the codebase. Correct many deprecation notices. Optimize load order of many filters.
2025-04-07 09:15:21 -06:00
parent f05ab77418
commit a815fdf179
290 changed files with 2999 additions and 3269 deletions
--- a/inc/managers/class-customer-manager.php
+++ b/inc/managers/class-customer-manager.php
@ -11,7 +11,7 @@

 namespace WP_Ultimo\Managers;

-use WP_Ultimo\Managers\Base_Manager;
+use WP_Ultimo\Checkout\Checkout;
 use WP_Ultimo\Models\Customer;
 use WP_Ultimo\Database\Memberships\Membership_Status;

@ -129,7 +129,7 @@ class Customer_Manager extends Base_Manager {
 	 *
 	 * @since 2.0.0
 	 *
-	 * @param WP_User $user The WP User object of the user that logged in.
+	 * @param \WP_User $user The WP User object of the user that logged in.
 	 * @return void
 	 */
 	public function log_ip_and_last_login($user): void {
@ -200,13 +200,15 @@ class Customer_Manager extends Base_Manager {
 			wp_die(
 				sprintf(
 					/* translators: the placeholder is the login URL */
-					__('You must be authenticated in order to verify your email address. <a href=%s>Click here</a> to access your account.', 'wp-multisite-waas'),
-					wp_login_url(
-						add_query_arg(
-							[
-								'email-verification-key' => $email_verify_key,
-								'customer'               => $customer_hash,
-							]
+					wp_kses_post(__('You must be authenticated in order to verify your email address. <a href=%s>Click here</a> to access your account.', 'wp-multisite-waas')),
+					esc_attr(
+						wp_login_url(
+							add_query_arg(
+								[
+									'email-verification-key' => $email_verify_key,
+									'customer' => $customer_hash,
+								]
+							)
 						)
 					)
 				)
@ -214,31 +216,31 @@ class Customer_Manager extends Base_Manager {
 		}

 		if ( ! $customer_to_verify) {
-			wp_die(__('Invalid verification key.', 'wp-multisite-waas'));
+			wp_die(wp_kses_post(__('<strong>ERROR:</strong> Invalid verification key.', 'wp-multisite-waas')));
 		}

 		$current_customer = wu_get_current_customer();

 		if ( ! $current_customer) {
-			wp_die(__('Invalid verification key.', 'wp-multisite-waas'));
+			wp_die(wp_kses_post(__('<strong>Error:</strong> Invalid verification key.', 'wp-multisite-waas')));
 		}

 		if ($current_customer->get_id() !== $customer_to_verify->get_id()) {
-			wp_die(__('Invalid verification key.', 'wp-multisite-waas'));
+			wp_die(esc_html__('Invalid verification key.', 'wp-multisite-waas'));
 		}

 		if ($customer_to_verify->get_email_verification() !== 'pending') {
-			wp_die(__('Invalid verification key.', 'wp-multisite-waas'));
+			wp_die(esc_html__('Invalid verification key.', 'wp-multisite-waas'));
 		}

 		$key = $customer_to_verify->get_verification_key();

 		if ( ! $key) {
-			wp_die(__('Invalid verification key.', 'wp-multisite-waas'));
+			wp_die(wp_kses_post(__('<strong>Error:</strong> Invalid verification key.', 'wp-multisite-waas')));
 		}

 		if ($key !== $email_verify_key) {
-			wp_die(__('Invalid verification key.', 'wp-multisite-waas'));
+			wp_die(esc_html__('Invalid verification key.', 'wp-multisite-waas'));
 		}

 		/*
@ -287,13 +289,13 @@ class Customer_Manager extends Base_Manager {
 					wu_get_registration_url()
 				);

-				wp_redirect($redirect_url);
+				wp_safe_redirect($redirect_url);

 				exit;
 			}
 		}

-		wp_redirect(get_admin_url($customer_to_verify->get_primary_site_id()));
+		wp_safe_redirect(get_admin_url($customer_to_verify->get_primary_site_id()));

 		exit;
 	}
--- a/inc/managers/class-domain-manager.php
+++ b/inc/managers/class-domain-manager.php
@ -12,7 +12,6 @@

 namespace WP_Ultimo\Managers;

-use WP_Ultimo\Managers\Base_Manager;
 use WP_Ultimo\Domain_Mapping\Helper;

 // Exit if accessed directly
@ -72,7 +71,7 @@ class Domain_Manager extends Base_Manager {
 	 * @since 2.0.0
 	 *
 	 * @param string $id The id of the integration. e.g. runcloud.
-	 * @return WP_Ultimo\Integrations\Host_Providers\Base_Host_Provider
+	 * @return \WP_Ultimo\Integrations\Host_Providers\Base_Host_Provider|false
 	 */
 	public function get_integration_instance($id) {

@ -750,6 +749,7 @@ class Domain_Manager extends Base_Manager {
 			wp_send_json_error(
 				[
 					'message' => sprintf(
+						// translators: %s is the name of the missing constant
 						__('The necessary constants were not found on your wp-config.php file: %s', 'wp-multisite-waas'),
 						implode(', ', $integration->get_missing_constants())
 					),
@ -757,7 +757,7 @@ class Domain_Manager extends Base_Manager {
 			);
 		}

-		return $integration->test_connection();
+		$integration->test_connection();
 	}

 	/**
--- a/inc/managers/class-email-manager.php
+++ b/inc/managers/class-email-manager.php
@ -383,6 +383,9 @@ class Email_Manager extends Base_Manager {
 	 * @return void
 	 */
 	public function register_all_default_system_emails(): void {
+
+		// TODO: Don't render every email until they are used.
+
 		/*
 		 * Payment Successful - Admin
 		 */
--- a/inc/managers/class-event-manager.php
+++ b/inc/managers/class-event-manager.php
@ -11,7 +11,6 @@

 namespace WP_Ultimo\Managers;

-use WP_Ultimo\Managers\Base_Manager;
 use WP_Ultimo\Models\Base_Model;
 use WP_Ultimo\Models\Event;

@ -93,10 +92,11 @@ class Event_Manager extends Base_Manager {
 	 * @param string     $model The model name.
 	 * @param array      $data The data being saved, serialized.
 	 * @param array      $data_unserialized The data being saved, un-serialized.
-	 * @param Base_Model $object The object being saved.
+	 * @param Base_Model $obj The object being saved.
+	 *
 	 * @return void
 	 */
-	public function log_transitions($model, $data, $data_unserialized, $object) {
+	public function log_transitions($model, $data, $data_unserialized, $obj) {

 		if ('event' === $model) {
 			return;
@ -106,7 +106,7 @@ class Event_Manager extends Base_Manager {
 		 * Editing Model
 		 */
 		if (wu_get_isset($data_unserialized, 'id')) {
-			$original = $object->_get_original();
+			$original = $obj->_get_original();

 			$diff = wu_array_recursive_diff($data_unserialized, $original);

@ -147,7 +147,7 @@ class Event_Manager extends Base_Manager {
 					return;
 				}

-				if (empty(json_encode($old_value)) && empty(json_encode($new_value))) {
+				if (empty(wp_json_encode($old_value)) && empty(wp_json_encode($new_value))) {
 					return;
 				}

@ -161,7 +161,7 @@ class Event_Manager extends Base_Manager {
 				'severity'    => Event::SEVERITY_INFO,
 				'slug'        => 'changed',
 				'object_type' => $model,
-				'object_id'   => $object->get_id(),
+				'object_id'   => $obj->get_id(),
 				'payload'     => $changed,
 			];
 		} else {
@ -169,7 +169,7 @@ class Event_Manager extends Base_Manager {
 				'severity'    => Event::SEVERITY_INFO,
 				'slug'        => 'created',
 				'object_type' => $model,
-				'object_id'   => $object->get_id(),
+				'object_id'   => $obj->get_id(),
 				'payload'     => [],
 			];
 		}
@ -179,7 +179,7 @@ class Event_Manager extends Base_Manager {
 			$event_data['author_id'] = get_current_user_id();
 		}

-		return wu_create_event($event_data);
+		wu_create_event($event_data);
 	}

 	/**
@ -231,7 +231,6 @@ class Event_Manager extends Base_Manager {
 			'desc'       => '$desc',
 			'class_name' => '$class_name',
 			'active'     => 'in_array($id, $active_gateways, true)',
-			'active'     => 'in_array($id, $active_gateways, true)',
 			'gateway'    => '$class_name', // Deprecated.
 			'hidden'     => false,
 		];
@ -313,7 +312,7 @@ class Event_Manager extends Base_Manager {
 	 * @since 2.0.0
 	 *
 	 * @param string $slug of the event.
-	 * @return array $event with event params.
+	 * @return array|false $event with event params.
 	 */
 	public function get_event($slug) {

@ -563,13 +562,13 @@ class Event_Manager extends Base_Manager {
 		if (method_exists($obj, 'get_billing_address') || method_exists($obj, 'get_membership')) {
 			if (null !== $model_object) {
 				$payload = method_exists($obj, 'get_billing_address')
-				? array_merge(
-					$payload,
-					$obj->get_billing_address()->to_array()
-				) : array_merge(
-					$payload,
-					$obj->get_membership()->get_billing_address()->to_array()
-				);
+					? array_merge(
+						$payload,
+						$obj->get_billing_address()->to_array()
+					) : array_merge(
+						$payload,
+						$obj->get_membership()->get_billing_address()->to_array()
+					);
 			} else {
 				$payload = array_merge(
 					$payload,
@ -621,6 +620,7 @@ class Event_Manager extends Base_Manager {
 			}
 		}

+		// Translators:  1: Number of successfully removed events.  2: Number of failed events to remove.
 		wu_log_add('wu-cron', sprintf(__('Removed %1$d events successfully. Failed to remove %2$d events.', 'wp-multisite-waas'), $success_count, count($events_to_remove) - $success_count));

 		return true;
@ -657,7 +657,7 @@ class Event_Manager extends Base_Manager {
 	 *
 	 * @since 2.0.0
 	 *
-	 * @param WP_REST_Request $request The request sent.
+	 * @param \WP_REST_Request $request The request sent.
 	 * @return mixed
 	 */
 	public function get_hooks_rest($request) {
--- a/inc/managers/class-gateway-manager.php
+++ b/inc/managers/class-gateway-manager.php
@ -12,7 +12,6 @@
 namespace WP_Ultimo\Managers;

 use Psr\Log\LogLevel;
-use WP_Ultimo\Managers\Base_Manager;
 use WP_Ultimo\Gateways\Ignorable_Exception;

 use WP_Ultimo\Gateways\Free_Gateway;
@ -281,7 +280,7 @@ class Gateway_Manager extends Base_Manager {
 			$error = new \WP_Error('missing_gateway', esc_html__('Missing gateway parameter.', 'wp-multisite-waas'));

 			wp_die(
-				$error,
+				$error, // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 				esc_html__('Error', 'wp-multisite-waas'),
 				[
 					'back_link' => true,
@ -310,8 +309,8 @@ class Gateway_Manager extends Base_Manager {

 			if (is_wp_error($results)) {
 				wp_die(
-					$results,
-					__('Error', 'wp-multisite-waas'),
+					$results, // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+					esc_html__('Error', 'wp-multisite-waas'),
 					[
 						'back_link' => true,
 						'response'  => '200',
@ -322,8 +321,8 @@ class Gateway_Manager extends Base_Manager {
 			$error = new \WP_Error('confirm-error-' . $e->getCode(), $e->getMessage());

 			wp_die(
-				$error,
-				__('Error', 'wp-multisite-waas'),
+				$error, // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+				esc_html__('Error', 'wp-multisite-waas'),
 				[
 					'back_link' => true,
 					'response'  => '200',
@ -338,7 +337,15 @@ class Gateway_Manager extends Base_Manager {
 			 * Add a filter to bypass the checkout form.
 			 * This is used for PayPal confirmation page.
 			 */
-			add_action('wu_bypass_checkout_form', fn($bypass, $atts) => $output, 10, 2);
+
+			add_action(
+				'wu_bypass_checkout_form',
+				function ($output) {
+					return $output;
+				},
+				10,
+				1
+			);
 		}
 	}

@ -448,7 +455,7 @@ class Gateway_Manager extends Base_Manager {
 	 *
 	 * @since 2.0.0
 	 * @param string $id The id of the gateway.
-	 * @return array
+	 * @return array|false
 	 */
 	public function get_gateway($id) {

@ -471,7 +478,7 @@ class Gateway_Manager extends Base_Manager {

 		// Checks if gateway was already added
 		if ($this->is_gateway_registered($id)) {
-			return;
+			return false;
 		}

 		$active_gateways = (array) wu_get_setting('active_gateways', []);
@ -533,7 +540,7 @@ class Gateway_Manager extends Base_Manager {
 		 */
 		add_action(
 			'wu_checkout_gateway_fields',
-			function ($checkout) use ($gateway) {
+			function () use ($gateway) {

 				$field_content = call_user_func([$gateway, 'fields']);

@ -541,15 +548,13 @@ class Gateway_Manager extends Base_Manager {

 				?>

-			<div v-cloak v-show="gateway == '<?php echo esc_attr($gateway->get_id()); ?>' && order && order.should_collect_payment" class="wu-overflow">
-
-				<?php echo $field_content; ?>
-
-			</div>
+				<div v-cloak v-show="gateway == '<?php echo esc_attr($gateway->get_id()); ?>' && order && order.should_collect_payment" class="wu-overflow">
+					<?php echo $field_content; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
+				</div>

 				<?php

-				echo ob_get_clean();
+				echo ob_get_clean(); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			}
 		);
 	}
--- a/inc/managers/class-limitation-manager.php
+++ b/inc/managers/class-limitation-manager.php
@ -171,7 +171,7 @@ class Limitation_Manager {
 			'field_wrapper_classes' => 'wu-w-full wu-box-border wu-items-center wu-flex wu-justify-between wu-p-4 wu-m-0 wu-border-t wu-border-l-0 wu-border-r-0 wu-border-b-0 wu-border-gray-300 wu-border-solid',
 			'html_attr'             => [
 				'data-wu-app' => 'reset_limitations',
-				'data-state'  => json_encode(
+				'data-state'  => wp_json_encode(
 					[
 						'confirmed' => false,
 					]
@ -774,11 +774,11 @@ class Limitation_Manager {
 	 *
 	 * @since 2.0.0
 	 *
-	 * @param \WP_Ultimo\Models\Trait\Trait_Limitable $object The model being edited.
-	 * @param array                                   $section The section array.
+	 * @param \WP_Ultimo\Models\Traits\Limitable $obj The model being edited.
+	 * @param array                              $section The section array.
 	 * @return string
 	 */
-	public function get_theme_selection_list($object, &$section) {
+	public function get_theme_selection_list($obj, &$section) {

 		$all_themes = $this->get_all_themes();

@ -787,7 +787,7 @@ class Limitation_Manager {
 			[
 				'section' => $section,
 				'themes'  => $all_themes,
-				'object'  => $object,
+				'object'  => $obj,
 			]
 		);
 	}
--- a/inc/managers/class-notes-manager.php
+++ b/inc/managers/class-notes-manager.php
@ -11,8 +11,6 @@

 namespace WP_Ultimo\Managers;

-use WP_Ultimo\Managers\Base_Manager;
-
 // Exit if accessed directly
 defined('ABSPATH') || exit;

@ -110,11 +108,11 @@ class Notes_Manager extends Base_Manager {
 	 * @since 2.0.0
 	 *
 	 * @param array  $sections Array sections.
-	 * @param object $object   The object.
+	 * @param object $obj   The object.
 	 *
 	 * @return array
 	 */
-	public function add_notes_options_section($sections, $object) {
+	public function add_notes_options_section($sections, $obj) {

 		if ( ! current_user_can('read_notes') && ! current_user_can('edit_notes')) {
 			return $sections;
@ -131,8 +129,8 @@ class Notes_Manager extends Base_Manager {
 			'content'           => wu_get_template_contents(
 				'base/edit/display-notes',
 				[
-					'notes' => $object->get_notes(),
-					'model' => $object->model,
+					'notes' => $obj->get_notes(),
+					'model' => $obj->model,
 				]
 			),
 		];
@ -149,8 +147,8 @@ class Notes_Manager extends Base_Manager {
 					'href'  => wu_get_form_url(
 						'clear_notes',
 						[
-							'object_id' => $object->get_id(),
-							'model'     => $object->model,
+							'object_id' => $obj->get_id(),
+							'model'     => $obj->model,
 						]
 					),
 					'title' => __('Clear Notes', 'wp-multisite-waas'),
@ -168,8 +166,8 @@ class Notes_Manager extends Base_Manager {
 					'href'  => wu_get_form_url(
 						'add_note',
 						[
-							'object_id' => $object->get_id(),
-							'model'     => $object->model,
+							'object_id' => $obj->get_id(),
+							'model'     => $obj->model,
 							'height'    => 306,
 						]
 					),
--- a/inc/managers/class-site-manager.php
+++ b/inc/managers/class-site-manager.php
@ -11,7 +11,6 @@

 namespace WP_Ultimo\Managers;

-use WP_Ultimo\Managers\Base_Manager;
 use WP_Ultimo\Helpers\Screenshot;
 use WP_Ultimo\Database\Sites\Site_Type;
 use WP_Ultimo\Database\Memberships\Membership_Status;
@ -230,7 +229,7 @@ class Site_Manager extends Base_Manager {
 				$redirect_url
 			);

-			wp_redirect($redirect_url);
+			wp_safe_redirect($redirect_url);

 			exit;
 		}
@ -307,18 +306,17 @@ class Site_Manager extends Base_Manager {

 		if (false === $can_access) {
 			if ($redirect_url) {
-				wp_redirect($redirect_url);
+				wp_safe_redirect($redirect_url);

 				exit;
 			}

 			wp_die(
-				new \WP_Error(
+				new \WP_Error( // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 					'not-available',
-				// phpcs:ignore
-				sprintf( __('This site is not available at the moment.<br><small>If you are the site admin, click <a href="%s">here</a> to login.</small>', 'wp-multisite-waas'), wp_login_url()),
+					sprintf(__('This site is not available at the moment.<br><small>If you are the site admin, click <a href="%s">here</a> to login.</small>', 'wp-multisite-waas'), wp_login_url()), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 					[
-						'title' => __('Site not available', 'wp-multisite-waas'),
+						'title' => esc_html__('Site not available', 'wp-multisite-waas'),
 					]
 				),
 				'',
@ -405,10 +403,8 @@ class Site_Manager extends Base_Manager {
 	public function additional_thumbnail_sizes(): void {

 		if (is_main_site()) {
-			add_image_size('wu-thumb-large', 900, 675, ['center', 'top']); // (cropped)
-
-			add_image_size('wu-thumb-medium', 400, 300, ['center', 'top']); // (cropped)
-
+			add_image_size('wu-thumb-large', 900, 675, ['center', 'top']); // cropped
+			add_image_size('wu-thumb-medium', 400, 300, ['center', 'top']); // cropped
 		}
 	}

@ -431,21 +427,22 @@ class Site_Manager extends Base_Manager {
 	 * @since 2.0.0
 	 * @return void
 	 */
-	public function render_no_index_warning(): void { // phpcs:disable ?>
+	public function render_no_index_warning(): void {
+		?>

 		<div class="wu-styling">

 			<div class="wu-border-l-4 wu-border-yellow-500 wu-border-solid wu-border-0 wu-px-4 wu-py-2 wu--m-3">

-				<p><?php _e('Your WP Multisite WaaS settings are configured to <strong>prevent search engines such as Google from indexing your template sites</strong>.', 'wp-multisite-waas'); ?></p>
+				<p><?php echo wp_kses_post(__('Your WP Multisite WaaS settings are configured to <strong>prevent search engines such as Google from indexing your template sites</strong>.', 'wp-multisite-waas')); ?></p>

-				<p><?php printf(__('If you are experiencing negative SEO impacts on other sites in your network, consider disabling this setting <a href="%s">here</a>.', 'wp-multisite-waas'), wu_network_admin_url('wp-ultimo-settings', ['tab' => 'sites'])); ?></p>
+				<p><?php echo wp_kses_post(sprintf(__('If you are experiencing negative SEO impacts on other sites in your network, consider disabling this setting <a href="%s">here</a>.', 'wp-multisite-waas'), wu_network_admin_url('wp-ultimo-settings', ['tab' => 'sites']))); ?></p>

 			</div>

 		</div>

-		<?php // phpcs:enable
+		<?php
 	}

 	/**
@ -467,7 +464,7 @@ class Site_Manager extends Base_Manager {
 				add_filter('wp_robots', 'wp_robots_no_robots'); // WordPress 5.7+

 			} else {
-				wp_no_robots();
+				wp_no_robots(); // phpcs:ignore WordPress.WP.DeprecatedFunctions.wp_no_robotsFound
 			}
 		}
 	}
@ -794,11 +791,10 @@ class Site_Manager extends Base_Manager {
 			 * Site_Type::CUSTOMER_OWNED or without this meta
 			 */
 			$args = [
-				'number'                 => '',
 				'site__in'               => $site_ids,
 				'update_site_meta_cache' => false,
 				'number'                 => 40,
-				'meta_query'             => [
+				'meta_query'             => [ // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query
 					'relation' => 'OR',
 					[
 						'key'     => 'wu_type',
--- a/inc/managers/class-webhook-manager.php
+++ b/inc/managers/class-webhook-manager.php
@ -11,7 +11,6 @@

 namespace WP_Ultimo\Managers;

-use WP_Ultimo\Managers\Base_Manager;
 use WP_Ultimo\Models\Webhook;
 use WP_Ultimo\Logger;

@ -126,7 +125,7 @@ class Webhook_Manager extends Base_Manager {
 	public function send_webhook($webhook, $data, $blocking = true, $count = true) {

 		if ( ! $data) {
-			return;
+			return null;
 		}

 		$request = wp_remote_post(
@ -205,9 +204,7 @@ class Webhook_Manager extends Base_Manager {
 		$event = wu_get_event_type($_POST['webhook_event']);

 		$webhook_data = [
-			'webhook_url' => $_POST['webhook_url'],
-			'event'       => $_POST['webhook_event'],
-			'active'      => true,
+			'active' => true,
 		];

 		$webhook = new Webhook($webhook_data);
@ -249,8 +246,7 @@ class Webhook_Manager extends Base_Manager {
 		';

 		if ( ! current_user_can('manage_network')) {
-			echo __('You do not have enough permissions to read the logs of this webhook.', 'wp-multisite-waas');
-
+			esc_html_e('You do not have enough permissions to read the logs of this webhook.', 'wp-multisite-waas');
 			exit;
 		}

@ -271,7 +267,7 @@ class Webhook_Manager extends Base_Manager {
 			Logger::read_lines("webhook-$id", 5)
 		);

-		echo implode('', $logs);
+		echo implode('', $logs); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

 		exit;
 	}
@ -291,7 +287,7 @@ class Webhook_Manager extends Base_Manager {
 	 */
 	protected function create_event($event_name, $id, $url, $data, $response, $is_error = false) {

-		$message = sprintf('Sent a %s event to the URL %s with data: %s ', $event_name, $url, json_encode($data));
+		$message = sprintf('Sent a %s event to the URL %s with data: %s ', $event_name, $url, wp_json_encode($data));

 		if ( ! $is_error) {
 			$message .= empty($response) ? sprintf('Got response: %s', $response) : 'To debug the remote server response, turn the "Wait for Response" option on the WP Multisite WaaS Settings > API & Webhooks Tab';