
Commit 65f2d10

ci: more sniffs, less exclusions
1 parent 16b926c commit 65f2d10

25 files changed

Lines changed: 143 additions & 128 deletions

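--- a/includes/admin/class-admin-ajax.php
+++ b/includes/admin/class-admin-ajax.php
@@ -46,7 +46,7 @@ public function get_list_details()
 
 $list_ids = array_map(function ($raw) {
 return preg_replace('/[^a-z0-9]/', '', $raw);
-}, (array) explode(',', $_GET['ids']));
+}, (array) explode(',', wp_unslash($_GET['ids'])));
 $data = [];
 $mailchimp = new MC4WP_MailChimp();
 foreach ($list_ids as $list_id) {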
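Review bot: `explode(',', wp_unslash($_GET['ids']))` on the new line 49 still assumes `ids` is present and is a string; with `ids` absent it emits an undefined-index notice, and a request carrying `ids[]=x` makes `wp_unslash()` return an array, which `explode()` rejects with a TypeError on PHP 8. Guarding once before the `array_map`, `$raw_ids = isset($_GET['ids']) && is_string($_GET['ids']) ? wp_unslash($_GET['ids']) : '';`, and exploding that keeps the AJAX handler from fataling on malformed input. The per-id `preg_replace` down to `[a-z0-9]` is a sound allow-list once the value is known to be a string. The start of get_list_details, including whatever nonce or capability check precedes this, is outside the hunk.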

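--- a/includes/admin/class-admin-messages.php
+++ b/includes/admin/class-admin-messages.php
@@ -32,7 +32,7 @@ public function add_hooks()
 
 private function load()
 {
-if (is_null($this->bag)) {
+if ($this->bag === null) {
 $this->bag = get_option('mc4wp_flash_messages', []);
 }
 }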

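--- a/includes/admin/class-admin-texts.php
+++ b/includes/admin/class-admin-texts.php
@@ -31,31 +31,13 @@ public function add_hooks()
 {
 global $pagenow;
 
-add_filter('admin_footer_text', [ $this, 'footer_text' ]);
-
 // Hooks for Plugins overview page
 if ($pagenow === 'plugins.php') {
 add_filter('plugin_action_links_' . $this->plugin_file, [ $this, 'add_plugin_settings_link' ], 10, 2);
 add_filter('plugin_row_meta', [ $this, 'add_plugin_meta_links' ], 10, 2);
 }
 }
 
-/**
-* Ask for a plugin review in the WP Admin footer, if this is one of the plugin pages.
-*
-* @param string $text
-*
-* @return string
-*/
-public function footer_text($text)
-{
-if (! empty($_GET['page']) && strpos($_GET['page'], 'mailchimp-for-wp') === 0) {
-$text = sprintf('If you enjoy using <strong>Mailchimp for WordPress</strong>, please <a href="%s" target="_blank">leave us a ★★★★★ plugin review on WordPress.org</a>.', 'https://wordpress.org/support/plugin/mailchimp-for-wp/reviews/#new-post');
-}
-
-return $text;
-}
-
 /**
 * Add the settings link to the Plugins overview
 *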

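--- a/includes/admin/class-admin-tools.php
+++ b/includes/admin/class-admin-tools.php
@@ -11,9 +11,7 @@ public function get_plugin_page()
 return '';
 }
 
-$prefix = 'mailchimp-for-wp';
-$page = ltrim(substr($_GET['page'], strlen($prefix)), '-');
-return $page;
+return ltrim(substr(wp_unslash($_GET['page']), strlen('mailchimp-for-wp')), '-');
 }
 
 /**
@@ -24,8 +22,8 @@ public function get_plugin_page()
 public function on_plugin_page($page = null)
 {
 // any settings page
-if (is_null($page)) {
-return isset($_GET['page']) && strpos($_GET['page'], 'mailchimp-for-wp') === 0;
+if ($page === null) {
+return isset($_GET['page']) && strpos(wp_unslash($_GET['page']), 'mailchimp-for-wp') === 0;
 }
 
 // specific page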
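Review bot: Both `substr(wp_unslash($_GET['page']), …)` in get_plugin_page and `strpos(wp_unslash($_GET['page']), …)` in on_plugin_page hand the raw query value straight to string functions; a URL with `page[]=x` makes `wp_unslash()` return an array and PHP 8 throws a TypeError instead of yielding an empty page name. Normalising once, e.g. `$page = isset($_GET['page']) && is_string($_GET['page']) ? sanitize_text_field(wp_unslash($_GET['page'])) : '';`, and using that in both methods keeps the admin bootstrap from fataling on a crafted request. The early-return guard at the top of get_plugin_page begins before the first hunk, so whether it already rejects non-string values is not visible here.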

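--- a/includes/admin/class-admin.php
+++ b/includes/admin/class-admin.php
@@ -118,11 +118,11 @@ public function listen_for_actions()
 }
 
 // verify nonce
-if (! isset($_REQUEST['_wpnonce']) || false === wp_verify_nonce($_REQUEST['_wpnonce'], '_mc4wp_action')) {
+if (! isset($_REQUEST['_wpnonce']) || false === wp_verify_nonce(wp_unslash($_REQUEST['_wpnonce']), '_mc4wp_action')) {
 wp_nonce_ays('_mc4wp_action');
 }
 
-$action = (string) $_REQUEST['_mc4wp_action'];
+$action = (string) wp_unslash($_REQUEST['_mc4wp_action']);
 
 /**
 * Allows you to hook into requests containing `_mc4wp_action` => action name.
@@ -138,9 +138,9 @@ public function listen_for_actions()
 
 // redirect back to where we came from (to prevent double submit)
 if (! empty($_POST['_redirect_to'])) {
-$redirect_url = $_POST['_redirect_to'];
+$redirect_url = wp_unslash($_POST['_redirect_to']);
 } elseif (! empty($_GET['_redirect_to'])) {
-$redirect_url = $_GET['_redirect_to'];
+$redirect_url = wp_unslash($_GET['_redirect_to']);
 } else {
 $redirect_url = remove_query_arg('_mc4wp_action');
 }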
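Review bot: `$redirect_url` is now unslashed but still taken verbatim from `_redirect_to` in POST or GET with no validation in the second hunk; unless the redirect call that follows (outside the hunk) goes through `wp_safe_redirect()`, which applies `wp_validate_redirect()` to keep the target on this host, this is an open redirect. The nonce check in the first hunk limits who can trigger it to an admin with a valid nonce, but it says nothing about where the destination points. Validating at assignment, `$redirect_url = wp_validate_redirect(wp_unslash($_POST['_redirect_to']), remove_query_arg('_mc4wp_action'));` and the same for the GET branch, removes the dependence on the caller. listen_for_actions starts before and continues past the visible hunks.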

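--- a/includes/api/class-api-v3-client.php
+++ b/includes/api/class-api-v3-client.php
@@ -164,9 +164,9 @@ private function get_headers()
 'User-Agent' => sprintf('mc4wp/%s; WordPress/%s; %s', MC4WP_VERSION, $wp_version, home_url()),
 ];
 
-// Copy Accept-Language from browser headers
+// Copy Accept-Language from browser headers because Mailchimp uses is to determine subscriber language
 if (! empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
-$headers['Accept-Language'] = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
+$headers['Accept-Language'] = wp_unslash($_SERVER['HTTP_ACCEPT_LANGUAGE']);
 }
 
 return $headers;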
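Review bot: The visitor's `Accept-Language` header is copied verbatim into an outbound request header on the new line 169; it is attacker-controlled on every request, so constraining it before reuse, `$headers['Accept-Language'] = sanitize_text_field(wp_unslash($_SERVER['HTTP_ACCEPT_LANGUAGE']));`, caps what an anonymous client can push into the call to Mailchimp (stray control bytes, unbounded length). The `wp_unslash()` is appropriate because WordPress slashes `$_SERVER` along with the other request superglobals. The new comment on line 167 also reads "Mailchimp uses is to determine"; it should be "uses it to determine". get_headers begins before the hunk.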

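--- a/includes/class-dynamic-content-tags.php
+++ b/includes/class-dynamic-content-tags.php
@@ -197,7 +197,7 @@ protected function get_cookie($args = [])
 $default = isset($args['default']) ? $args['default'] : '';
 
 if (isset($_COOKIE[$name])) {
-return $_COOKIE[$name];
+return wp_unslash($_COOKIE[$name]);
 }
 
 return $default;
@@ -248,16 +248,21 @@ protected function get_post_property($args = [])
 */
 protected function get_email()
 {
-if (! empty($_REQUEST['EMAIL'])) {
-return sanitize_email($_REQUEST['EMAIL']);
+// first, try to get from request data
+$keys = [ 'EMAIL', 'email', 'email_address', 'email-address' ];
+foreach ($keys as $k) {
+if (! empty($_REQUEST[$k])) {
+return sanitize_email(wp_unslash($_REQUEST[$k]));
+}
 }
 
-// then , try logged-in user
+// then, try logged-in user
 if (is_user_logged_in()) {
 $user = wp_get_current_user();
 return $user->user_email;
 }
 
+
 // TODO: Read from cookie? Or add $_COOKIE support to {data} tag?
 return '';
 }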
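Review bot: `get_cookie()` now returns the unslashed cookie value but applies no sanitization, while the sibling `get_email()` in the same file passes its request value through `sanitize_email()`; unless the tag renderer escapes on output (not visible here), a visitor-controlled cookie is merged into content as-is. Returning `sanitize_text_field(wp_unslash($_COOKIE[$name]))` brings it in line with what `get_email()` already does. In `get_email()`, a request with `EMAIL[]=x` makes `wp_unslash()` return an array, which `sanitize_email()` does not accept on PHP 8, so `! empty($_REQUEST[$k]) && is_string($_REQUEST[$k])` would be the safer test. get_cookie starts before the first hunk.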

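--- a/includes/class-queue.php
+++ b/includes/class-queue.php
@@ -44,7 +44,7 @@ public function __construct($option_name)
 */
 protected function load()
 {
-if (! is_null($this->jobs)) {
+if ($this->jobs !== null) {
 return;
 }
 
@@ -183,7 +183,7 @@ public function reset()
 */
 public function save()
 {
-if (! $this->dirty || is_null($this->jobs)) {
+if (! $this->dirty || $this->jobs === null) {
 return false;
 }
 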

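--- a/includes/forms/class-admin.php
+++ b/includes/forms/class-admin.php
@@ -148,7 +148,13 @@ public function add_menu_item($items)
 */
 public function process_add_form()
 {
-$form_data = $_POST['mc4wp_form'];
+// phpcs:ignore WordPress.Security.NonceVerification.Missing -- nonce check is done in action dispatcher
+$request = $_POST;
+if (! isset($request['mc4wp_form'])) {
+wp_nonce_ays('add_form');
+}
+
+$form_data = wp_unslash($request['mc4wp_form']);
 $form_content = include MC4WP_PLUGIN_DIR . '/config/default-form-content.php';
 
 // Fix for MultiSite stripping KSES for roles other than administrator
@@ -238,7 +244,7 @@ public function sanitize_form_data(array $data)
 $data['content'] = preg_replace('/<\/?form(.|\s)*?>/i', '', $data['content']);
 
 // replace lowercased name="name" to prevent 404
-$data['content'] = str_ireplace(' name=\"name\"', ' name=\"NAME\"', $data['content']);
+$data['content'] = str_ireplace(' name="name"', ' name="NAME"', $data['content']);
 
 // sanitize text fields
 $data['settings']['redirect'] = sanitize_text_field($data['settings']['redirect']);
@@ -282,22 +288,28 @@ public function sanitize_form_data(array $data)
 */
 public function process_save_form()
 {
+// phpcs:disable WordPress.Security.NonceVerification.Missing -- noce check is handled in action dispatcher
 // save global settings (if submitted)
 if (isset($_POST['mc4wp']) && is_array($_POST['mc4wp'])) {
 $options = get_option('mc4wp', []);
-$posted = $_POST['mc4wp'];
+$posted = wp_unslash($_POST['mc4wp']);
 foreach ($posted as $key => $value) {
 $options[$key] = trim($value);
 }
 update_option('mc4wp', $options);
 }
 
+if (! isset($_POST['mc4wp_form_id']) || ! isset($_POST['mc4wp_form'])) {
+wp_nonce_ays('save_form');
+}
+
 // update form, settings and messages
 $form_id = (int) $_POST['mc4wp_form_id'];
-$form_data = $_POST['mc4wp_form'];
+$form_data = wp_unslash($_POST['mc4wp_form']);
 
 $this->save_form($form_id, $form_data);
 $this->messages->flash(__('Form saved.', 'mailchimp-for-wp'));
+// phpcs:enable WordPress.Security.NonceVerification.Missing
 }
 
 /**
@@ -372,7 +384,7 @@ public function redirect_to_form_action()
 */
 public function show_forms_page()
 {
-$view = ! empty($_GET['view']) ? $_GET['view'] : '';
+$view = ! empty($_GET['view']) ? wp_unslash($_GET['view']) : '';
 
 /**
 * @ignore
@@ -406,14 +418,8 @@ public function show_edit_page()
 }
 
 $opts = $form->settings;
-$active_tab = isset($_GET['tab']) ? trim($_GET['tab']) : 'fields';
-
-$form_preview_url = add_query_arg(
-[
-'mc4wp_preview_form' => $form_id,
-],
-site_url('/', 'admin')
-);
+$active_tab = isset($_GET['tab']) ? wp_unslash($_GET['tab']) : 'fields';
+$form_preview_url = add_query_arg(['mc4wp_preview_form' => $form_id], site_url('/', 'admin'));
 
 require __DIR__ . '/views/edit-form.php';
 }
@@ -436,7 +442,7 @@ public function show_add_page()
 *
 * @since 3.0
 * @internal
-* @param $tab
+* @param string $tab
 * @return string
 */
 public function tab_url($tab)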
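Review bot: In `process_save_form()` the loop `foreach ($posted as $key => $value) { $options[$key] = trim($value); }` still writes every key the client submits into the site-wide `mc4wp` option, and `trim()` throws a TypeError on PHP 8 when a value is a nested array (`mc4wp[x][]=y`); `wp_unslash()` changes neither. Adding `if (! is_scalar($value)) { continue; }` before the assignment and restricting `$key` to the known settings keeps arbitrary data out of that option; whether the keys are filtered elsewhere is not visible in this hunk. The new `phpcs:disable` comment misspells nonce as `noce`, and `wp_nonce_ays()` as the response to a missing `mc4wp_form` or `mc4wp_form_id` field is misleading, since it tells the user their link expired rather than that the request was malformed — `wp_die(..., 400)` describes the condition. sanitize_form_data starts and ends outside the hunks shown.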

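--- a/includes/forms/class-form-listener.php
+++ b/includes/forms/class-form-listener.php
@@ -23,20 +23,22 @@ public function add_hooks()
 
 public function action_init()
 {
-if (empty($_POST['_mc4wp_form_id'])) {
+// phpcs:ignore WordPress.Security.NonceVerification.Missing -- forms are for logged-out visitors, explicitly not using a nonce here
+$form_data = $_POST;
+if (empty($form_data['_mc4wp_form_id'])) {
 return;
 }
 
 // get form instance
 try {
-$form_id = (int) $_POST['_mc4wp_form_id'];
+$form_id = (int) $form_data['_mc4wp_form_id'];
 $form = mc4wp_get_form($form_id);
 } catch (Exception $e) {
 return;
 }
 
 // sanitize request data
-$request_data = mc4wp_sanitize_deep($_POST);
+$request_data = mc4wp_sanitize_deep($form_data);
 
 // bind request to form & validate
 $form->handle_request($request_data);
@@ -288,7 +290,7 @@ public function respond(MC4WP_Form $form)
 
 private function request_wants_json()
 {
-if (isset($_SERVER['HTTP_ACCEPT']) && false !== strpos($_SERVER['HTTP_ACCEPT'], 'application/json')) {
+if (isset($_SERVER['HTTP_ACCEPT']) && false !== strpos(wp_unslash($_SERVER['HTTP_ACCEPT']), 'application/json')) {
 return true;
 }
 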