Prep Plugin for release on WordPress.org

Escape everything that should be escaped.
Add nonce checks where needed.
Sanitize all inputs.
Apply Code style changes across the codebase.
Correct many deprecation notices.
Optimize load order of many filters.
This commit is contained in:
David Stone
2025-04-07 09:15:21 -06:00
parent f05ab77418
commit a815fdf179
290 changed files with 2999 additions and 3269 deletions


@ -611,16 +611,17 @@ abstract class Base_Element {
* @since 2.0.0
*
* @param string $name The parameter name.
* @param mixed $default The default value.
* @param mixed $default_value The default value.
*
* @return mixed
*/
public function get_pre_loaded_attribute($name, $default = false) {
public function get_pre_loaded_attribute($name, $default_value = false) {
if (false === $this->pre_loaded_attributes || ! is_array($this->pre_loaded_attributes)) {
return false;
}
return wu_get_isset($this->pre_loaded_attributes, $name, $default);
return wu_get_isset($this->pre_loaded_attributes, $name, $default_value);
}
/**
@ -971,7 +972,6 @@ abstract class Base_Element {
if ( ! $this->should_display()) {
return; // bail if the display was set to false.
}
$this->dependencies();
@ -1095,7 +1095,7 @@ abstract class Base_Element {
echo '<div class="wu-inline-widget-body ' . esc_attr($control_classes) . '">';
echo $this->display($atts);
echo $this->display($atts); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo '</div>';
@ -1174,9 +1174,9 @@ abstract class Base_Element {
$this->get_title(),
function () use ($atts, $control_classes) {
echo '<div class="wu-metabox-widget ' . $control_classes . '">';
echo '<div class="wu-metabox-widget ' . esc_attr($control_classes) . '">';
echo $this->display($atts);
echo $this->display($atts); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo '</div>';
@ -1204,32 +1204,23 @@ abstract class Base_Element {
$should_display = $this->should_display_customize_controls();
if ($should_display) {
// translators: %1$s is the URL to the customize modal. %2$s is the URL of the shortcode generation modal
$message = __('<a class="wubox wu-no-underline" title="Customize" href="%1$s">Customize this element</a>, or <a class="wubox wu-no-underline" title="Shortcode" href="%2$s">generate a shortcode</a> to use it on the front-end!', 'wp-multisite-waas');
$message .= wu_tooltip(__('You are seeing this because you are a super admin', 'wp-multisite-waas'));
$link_shortcode = wu_get_form_url("shortcode_{$this->id}");
$link_customize = wu_get_form_url("customize_{$this->id}");
$text = sprintf(
$message,
$link_customize,
$link_shortcode
);
$html = '
?>
<div class="wu-styling">
<div class="wu-widget-inset">
<div class="wubox wu-no-underline wu-p-4 wu-bg-gray-200 wu-block wu-mt-4 wu-text-center wu-text-sm wu-text-gray-600 wu-m-auto wu-border-solid wu-border-0 wu-border-t wu-border-gray-400">
' . $text . '
<a class="wubox wu-no-underline" title="Customize" href="<?php echo esc_attr(wu_get_form_url("shortcode_{$this->id}")); ?>">
<?php esc_html_e('Customize this element', 'wp-multisite-waas'); ?>
</a>
<?php esc_html_e(', or'); ?>
<a class="wubox wu-no-underline" title="Shortcode" href="<?php echo esc_attr(wu_get_form_url("customize_{$this->id}")); ?>">
<?php esc_html_e('generate a shortcode', 'wp-multisite-waas'); ?>
</a>
<?php esc_html_e('to use it on the front-end!', 'wp-multisite-waas'); ?>
<?php echo wu_tooltip(__('You are seeing this because you are a super admin', 'wp-multisite-waas')); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
</div>
</div>
</div>
';
echo $html;
<?php
}
}
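Review bot: The rewritten markup in the last hunk swaps the two links: the anchor labelled "Customize this element" (title "Customize") now points at `wu_get_form_url("shortcode_{$this->id}")` and the one labelled "generate a shortcode" at `wu_get_form_url("customize_{$this->id}")`, the reverse of the `%1$s`/`%2$s` order in the removed sprintf. Swap the two form ids, and since these are href values prefer `esc_url()` over `esc_attr()`: `href="<?php echo esc_url(wu_get_form_url("customize_{$this->id}")); ?>"` for the first anchor and `href="<?php echo esc_url(wu_get_form_url("shortcode_{$this->id}")); ?>"` for the second. `esc_html_e(', or')` is also the only call in this template without the 'wp-multisite-waas' text domain. The enclosing method starts before the hunk.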


@ -9,7 +9,6 @@
namespace WP_Ultimo\UI;
use WP_Ultimo\UI\Base_Element;
use ScssPhp\ScssPhp\Compiler;
use WP_Ultimo\Database\Memberships\Membership_Status;
@ -266,7 +265,7 @@ class Checkout_Element extends Base_Element {
}"
)->getCss();
printf('<style>%s</style>', $custom_css);
printf('<style>%s</style>', $custom_css); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
}
}
@ -316,7 +315,7 @@ class Checkout_Element extends Base_Element {
/**
* Allow developers bypass the output and set a new one
*
* @param string|boll $bypass If we should bypass the checkout form or a string to return instead of the form.
* @param string|bool $bypass If we should bypass the checkout form or a string to return instead of the form.
* @param array $atts Parameters of the checkout block/shortcode.
*/
$bypass = apply_filters('wu_bypass_checkout_form', false, $atts);
@ -354,8 +353,8 @@ class Checkout_Element extends Base_Element {
* Allow developers to change the message if membership have a pending payment
*
* @param string $message The HTML message to print in screen.
* @param WP_Ultimo\Models\Membership $membership The membership in use.
* @param WP_Ultimo\Models\Customer $customer The active customer in use.
* @param \WP_Ultimo\Models\Membership $membership The membership in use.
* @param \WP_Ultimo\Models\Customer $customer The active customer in use.
*/
return apply_filters('wu_checkout_pending_payment_error_message', $message, $membership, $customer);
}
@ -373,7 +372,7 @@ class Checkout_Element extends Base_Element {
/**
* Enqueue thank you page scripts to handle resend email verification link
*/
wp_register_script('wu-thank-you', wu_get_asset('thank-you.js', 'js'), [], wu_get_version());
wp_register_script('wu-thank-you', wu_get_asset('thank-you.js', 'js'), [], wu_get_version(), true);
wp_localize_script(
'wu-thank-you',
@ -401,8 +400,8 @@ class Checkout_Element extends Base_Element {
* Allow developers to change the message if membership have a pending payment
*
* @param string $message The HTML message to print in screen.
* @param WP_Ultimo\Models\Membership $membership The membership in use.
* @param WP_Ultimo\Models\Customer $customer The active customer in use.
* @param \WP_Ultimo\Models\Membership $membership The membership in use.
* @param \WP_Ultimo\Models\Customer $customer The active customer in use.
*/
return apply_filters('wu_checkout_membership_status_error_message', $message, $membership, $customer);
}
@ -436,7 +435,7 @@ class Checkout_Element extends Base_Element {
* Allow developers to change the message about the limitation of a single membership for customer.
*
* @param string $message The HTML message to print in screen.
* @param WP_Ultimo\Models\Customer $customer The active customer in use.
* @param \WP_Ultimo\Models\Customer $customer The active customer in use.
*/
return apply_filters('wu_checkout_single_membership_message', $message, $customer);
}
@ -449,8 +448,8 @@ class Checkout_Element extends Base_Element {
* Allow developers to change the message if customer is not part of the membership
*
* @param string $message The HTML message to print in screen.
* @param WP_Ultimo\Models\Membership $membership The membership in use.
* @param WP_Ultimo\Models\Customer $customer The active customer in use.
* @param \WP_Ultimo\Models\Membership $membership The membership in use.
* @param \WP_Ultimo\Models\Customer $customer The active customer in use.
*/
return apply_filters('wu_checkout_customer_error_message', $message, $membership, $customer);
}
@ -529,8 +528,8 @@ class Checkout_Element extends Base_Element {
* @param string $limitation The limitation name.
* @param int $limit_max The allowed limit.
* @param int $used_limit The limit used in membership.
* @param WP_Ultimo\Models\Membership $membership The membership in use.
* @param WP_Ultimo\Models\Customer $customer The active customer in use.
* @param \WP_Ultimo\Models\Membership $membership The membership in use.
* @param \WP_Ultimo\Models\Customer $customer The active customer in use.
*/
return apply_filters('wu_checkout_membership_limit_message', $message, $limitation, $limit_max, $used_limit, $membership, $customer);
}
@ -683,7 +682,7 @@ class Checkout_Element extends Base_Element {
window.wu_auto_submittable_field = %s;
',
json_encode($auto_submittable_field)
wp_json_encode($auto_submittable_field)
),
'after'
);
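Review bot: `printf('<style>%s</style>', $custom_css); // phpcs:ignore ...` in the first code hunk silences the escaping sniff without recording why the compiled CSS is safe to print raw; if any part of the SCSS handed to the Compiler comes from settings, a `</style>` sequence in it would end the style element early. Either state the trust boundary in the comment, e.g. `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- CSS is Compiler output built from the SCSS above, not raw user input`, or run the output through a sanitizer before printing. The same question applies to the last hunk, where `wp_json_encode($auto_submittable_field)` is interpolated into an inline script: without `JSON_HEX_TAG` in wp_json_encode's flags argument a value containing `</script>` would break out of the script block — hedged, since the value's origin is outside the hunk.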


@ -9,8 +9,6 @@
namespace WP_Ultimo\UI;
use WP_Ultimo\UI\Base_Element;
// Exit if accessed directly
defined('ABSPATH') || exit;


@ -377,7 +377,7 @@ class Domain_Mapping_Element extends Base_Element {
'field_wrapper_classes' => 'wu-w-full wu-box-border wu-items-center wu-flex wu-justify-between wu-p-4 wu-m-0 wu-border-t wu-border-l-0 wu-border-r-0 wu-border-b-0 wu-border-gray-300 wu-border-solid',
'html_attr' => [
'data-wu-app' => 'add_new_domain',
'data-state' => json_encode(
'data-state' => wp_json_encode(
[
'ready' => 0,
'primary_domain' => false,
@ -502,7 +502,7 @@ class Domain_Mapping_Element extends Base_Element {
'field_wrapper_classes' => 'wu-w-full wu-box-border wu-items-center wu-flex wu-justify-between wu-p-4 wu-m-0 wu-border-t wu-border-l-0 wu-border-r-0 wu-border-b-0 wu-border-gray-300 wu-border-solid',
'html_attr' => [
'data-wu-app' => 'user_delete_domain_modal',
'data-state' => json_encode(
'data-state' => wp_json_encode(
[
'confirmed' => false,
]
@ -586,7 +586,7 @@ class Domain_Mapping_Element extends Base_Element {
'field_wrapper_classes' => 'wu-w-full wu-box-border wu-items-center wu-flex wu-justify-between wu-p-4 wu-m-0 wu-border-t wu-border-l-0 wu-border-r-0 wu-border-b-0 wu-border-gray-300 wu-border-solid',
'html_attr' => [
'data-wu-app' => 'user_delete_domain_modal',
'data-state' => json_encode(
'data-state' => wp_json_encode(
[
'confirmed' => false,
]


@ -136,10 +136,10 @@ class Jumper {
*/
public function rebuild_menu(): void {
if (isset($_GET[ $this->reset_slug ]) && current_user_can('manage_network')) {
if (isset($_GET[ $this->reset_slug ]) && isset($_GET['nonce']) && current_user_can('manage_network') && wp_verify_nonce(sanitize_text_field(wp_unslash($_GET['nonce'])), 'reset_password')) {
delete_site_transient($this->transient_key);
wp_redirect(network_admin_url());
wp_safe_redirect(network_admin_url());
exit;
}
@ -243,7 +243,7 @@ class Jumper {
*
* @since 2.0.0
*/
function get_defined_trigger_key(): string {
public function get_defined_trigger_key(): string {
return substr((string) wu_get_setting('jumper_key', 'g'), 0, 1);
}
@ -259,7 +259,7 @@ class Jumper {
* @param string $os OS to get the key combination for. Options: win or osx.
* @return array
*/
function get_keys($os = 'win') {
public function get_keys($os = 'win') {
$trigger_key = $this->get_defined_trigger_key();
@ -285,7 +285,7 @@ class Jumper {
return $text;
}
$os = stristr((string) $_SERVER['HTTP_USER_AGENT'], 'mac') ? 'osx' : 'win';
$os = isset($_SERVER['HTTP_USER_AGENT']) && stristr(sanitize_text_field(wp_unslash($_SERVER['HTTP_USER_AGENT'])), 'mac') ? 'osx' : 'win';
$keys = $this->get_keys($os);
@ -425,7 +425,7 @@ class Jumper {
$string = wu_get_isset($title, 0, '');
$title = preg_replace('/[0-9]+/', '', strip_tags($string));
$title = preg_replace('/[0-9]+/', '', wp_strip_all_tags($string));
// If parent does not exists, skip
if ( ! empty($title) && is_array($submenu_items)) {
@ -435,7 +435,6 @@ class Jumper {
$url = $this->get_target_url($submenu_item[2]);
// Add to our choices the admin urls
$choices[ $title ][ $url ] = preg_replace('/[0-9]+/', '', strip_tags((string) $submenu_item[0]));
}
}
}
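Review bot: The new guard in `rebuild_menu()` verifies the nonce against the action `'reset_password'`, which does not describe this operation (it clears a menu transient) and must match the action used wherever the `$this->reset_slug` link is built — that code is not in the hunk, so if the two disagree the reset silently never runs. Consider a dedicated action on both sides, e.g. `wp_verify_nonce(sanitize_text_field(wp_unslash($_GET['nonce'])), 'wu_reset_jumper')` (constructed name), plus a comment naming where the nonce is generated. Separately, the hunk at 425 replaces `strip_tags` with `wp_strip_all_tags`, but the otherwise identical context line in the hunk at 435, `$choices[ $title ][ $url ] = preg_replace('/[0-9]+/', '', strip_tags((string) $submenu_item[0]));`, still uses `strip_tags`.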


@ -9,7 +9,6 @@
namespace WP_Ultimo\UI;
use WP_Ultimo\UI\Base_Element;
use WP_Ultimo\Checkout\Checkout_Pages;
// Exit if accessed directly
@ -398,7 +397,7 @@ class Login_Form_Element extends Base_Element {
$rp_cookie = 'wp-resetpass-' . COOKIEHASH;
if (isset($_GET['key']) && isset($_GET['login'])) {
$value = sprintf('%s:%s', wp_unslash($_GET['login']), wp_unslash($_GET['key']));
$value = sprintf('%s:%s', sanitize_text_field(wp_unslash($_GET['login'])), sanitize_text_field(wp_unslash($_GET['key'])));
setcookie(
$rp_cookie,
@ -494,8 +493,7 @@ class Login_Form_Element extends Base_Element {
}
// In this case, WP will not redirect, so we need to do it here
wp_redirect($redirect_to);
wp_safe_redirect($redirect_to);
exit;
}
@ -512,10 +510,9 @@ class Login_Form_Element extends Base_Element {
} elseif ('customer_site' === $redirect_type) {
$user_site = get_active_blog_for_user($user->ID);
wp_redirect($user_site->siteurl . $requested_redirect_to);
wp_safe_redirect($user_site->siteurl . $requested_redirect_to);
exit;
} elseif ('main_site' === $redirect_type) {
wp_redirect(network_site_url($requested_redirect_to));
exit;
}
@ -603,12 +600,12 @@ class Login_Form_Element extends Base_Element {
} elseif ($this->is_reset_password_page()) {
$rp_cookie = 'wp-resetpass-' . COOKIEHASH;
if (isset($_COOKIE[ $rp_cookie ]) && 0 < strpos((string) $_COOKIE[ $rp_cookie ], ':')) {
[$rp_login, $rp_key] = explode(':', wp_unslash($_COOKIE[ $rp_cookie ]), 2);
if (isset($_COOKIE[ $rp_cookie ]) && str_contains(sanitize_text_field(wp_unslash($_COOKIE[ $rp_cookie ])), ':')) {
[$rp_login, $rp_key] = explode(':', sanitize_text_field(wp_unslash($_COOKIE[ $rp_cookie ])), 2);
$user = check_password_reset_key($rp_key, $rp_login);
if (isset($_POST['pass1']) && ! hash_equals($rp_key, $_POST['rp_key'])) {
if (isset($_POST['pass1']) && isset($_POST['rp_key']) && ! hash_equals(wp_unslash($_POST['rp_key']), wp_unslash($_POST['rp_key']))) {
$user = false;
}
} else {
@ -747,8 +744,7 @@ class Login_Form_Element extends Base_Element {
];
if (isset($_GET['redirect_to'])) {
$atts['redirect_type'] = 'query_redirect';
$fields['redirect_to']['value'] = $_GET['redirect_to'];
$atts['redirect_type'] = 'query_redirect';
} elseif ('customer_site' === $atts['redirect_type']) {
$fields['redirect_to']['value'] = $atts['customer_redirect_path'];
} elseif ('main_site' === $atts['redirect_type']) {
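Review bot: The reset-key check `if (isset($_POST['pass1']) && isset($_POST['rp_key']) && ! hash_equals(wp_unslash($_POST['rp_key']), wp_unslash($_POST['rp_key'])))` in the hunk at 603 compares the posted value with itself, so it is always equal and `$user = false` is unreachable; the original compared the cookie-derived `$rp_key` with the posted key. Restore that: `! hash_equals($rp_key, sanitize_text_field(wp_unslash($_POST['rp_key'])))`. Note also that the cookie condition above it changed from `0 < strpos(...)` to `str_contains(...)`, which now accepts a cookie starting with ':' and yields an empty `$rp_login`; `check_password_reset_key()` presumably rejects that, but the stricter old condition was cheap to keep. The enclosing method begins before this hunk.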


@ -9,7 +9,6 @@
namespace WP_Ultimo\UI;
use WP_Ultimo\UI\Base_Element;
use WP_Ultimo\Database\Memberships\Membership_Status;
use WP_Ultimo\Models\Site;
use WP_Ultimo\Models\Membership;
@ -594,23 +593,21 @@ class Site_Actions_Element extends Base_Element {
return new \WP_Error('error', __('You are not allowed to do this.', 'wp-multisite-waas'));
}
$wpdb->query('START TRANSACTION');
$wpdb->query('START TRANSACTION'); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
try {
$saved = $site->delete();
if (is_wp_error($saved)) {
$wpdb->query('ROLLBACK');
return $saved;
}
} catch (\Throwable $e) {
$wpdb->query('ROLLBACK');
$wpdb->query('ROLLBACK'); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
return new \WP_Error('exception', $e->getMessage());
}
$wpdb->query('COMMIT');
$wpdb->query('COMMIT'); // phpcs:ignore WordPress.DB.DirectDatabaseQuery
$redirect_url = wu_request('redirect_url');
@ -659,9 +656,7 @@ class Site_Actions_Element extends Base_Element {
'value' => 'save',
'classes' => 'button button-primary wu-w-full',
'wrapper_classes' => 'wu-items-end',
'html_attr' => [
// 'v-bind:disabled' => '!confirmed',
],
'html_attr' => [],
],
];
@ -726,11 +721,11 @@ class Site_Actions_Element extends Base_Element {
// Log-in again.
wp_set_auth_cookie($user->ID);
wp_set_current_user($user->ID);
do_action('wp_login', $user->user_login, $user); // PHPCS:ignore
do_action('wp_login', $user->user_login, $user); // PHPCS:ignore WordPress.NamingConventions
wp_send_json_success(
[
'redirect_url' => add_query_arg('updated', 1, $_SERVER['HTTP_REFERER']),
'redirect_url' => add_query_arg('updated', 1, $_SERVER['HTTP_REFERER']), // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
]
);
}
@ -812,7 +807,7 @@ class Site_Actions_Element extends Base_Element {
wp_send_json_success(
[
'redirect_url' => add_query_arg('updated', 1, $_SERVER['HTTP_REFERER']),
'redirect_url' => add_query_arg('updated', 1, $_SERVER['HTTP_REFERER']), // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
]
);
}
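Review bot: Both `'redirect_url' => add_query_arg('updated', 1, $_SERVER['HTTP_REFERER'])` lines (hunks at 726 and 812) now carry a phpcs:ignore rather than a fix: the header is client-supplied and may be absent, so the read warns on a missing index and the URL handed back to the browser is never validated. `wp_get_referer()` already unslashes, runs the value through `wp_validate_redirect()` and returns false when there is none, so `'redirect_url' => add_query_arg('updated', 1, (string) wp_get_referer())` with a fallback URL for the false case removes the suppression. In the transaction hunk, the `ROLLBACK` inside the `is_wp_error()` branch is the only `$wpdb->query()` call without the sniff comment, which is inconsistent if that line is still present on the new side.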


@ -9,8 +9,6 @@
namespace WP_Ultimo\UI;
use WP_Ultimo\UI\Base_Element;
// Exit if accessed directly
defined('ABSPATH') || exit;
@ -46,6 +44,8 @@ class Site_Maintenance_Element extends Base_Element {
*/
protected $public = true;
private \WP_Ultimo\Models\Site $site;
/**
* Initializes the singleton.
*
@ -209,12 +209,12 @@ class Site_Maintenance_Element extends Base_Element {
*/
public function setup(): void {
$this->site = WP_Ultimo()->currents->get_site();
$site = WP_Ultimo()->currents->get_site();
if ( ! $this->site || ! $this->site->is_customer_allowed()) {
if ( ! $site || ! $site->is_customer_allowed()) {
$this->set_display(false);
return;
} else {
$this->site = $site;
}
}
@ -237,7 +237,7 @@ class Site_Maintenance_Element extends Base_Element {
*/
public function register_scripts(): void {
wp_register_script('wu-site-maintenance', wu_get_asset('site-maintenance.js', 'js'), ['jquery', 'wu-functions'], wu_get_version());
wp_register_script('wu-site-maintenance', wu_get_asset('site-maintenance.js', 'js'), ['jquery', 'wu-functions'], wu_get_version(), true);
wp_localize_script(
'wu-site-maintenance',
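Review bot: In `setup()` the `else` after `return` is unnecessary; `$this->site = $site;` can follow the guard directly. More importantly, `$site` is now a typed property (`private \WP_Ultimo\Models\Site $site;`) that stays uninitialized when the guard returns early, so any later read of `$this->site` on the not-displayed path throws an Error about accessing the property before initialization instead of seeing the old falsy value. If other methods read `$this->site` unconditionally (they are outside this hunk), declare it nullable, `private ?\WP_Ultimo\Models\Site $site = null;`, or document on the property that it is only set when display is enabled.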


@ -419,7 +419,7 @@ class Thank_You_Element extends Base_Element {
);
foreach ($conversion_placeholders as $placeholder => $value) {
$conversion_snippets = preg_replace('/\%\%\s?' . $placeholder . '\s?\%\%/', json_encode($value), (string) $conversion_snippets);
$conversion_snippets = preg_replace('/\%\%\s?' . $placeholder . '\s?\%\%/', wp_json_encode($value), (string) $conversion_snippets);
}
add_action(
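Review bot: `wp_json_encode($value)` is used as the replacement argument of `preg_replace`, where `\` and `$` are interpreted as backreferences, so a JSON string containing an escaped quote, a backslash or a `$1` sequence (e.g. `"a\"b"`) is corrupted on insertion; `$placeholder` is also concatenated into the pattern without `preg_quote`. A callback inserts the JSON literally: `preg_replace_callback('/\%\%\s?' . preg_quote($placeholder, '/') . '\s?\%\%/', static fn (): string => (string) wp_json_encode($value), (string) $conversion_snippets)`. Whether placeholder keys ever contain regex metacharacters is not visible here, so the preg_quote part is precautionary. The enclosing method continues outside the hunk.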