From 234c45016e7a0024fc46c6ac39fbde9188de1fdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9my=20Perona?= Date: Fri, 14 Apr 2023 11:40:11 -0400 Subject: [PATCH 1/7] replace usage of FILTER_SANITIZE_STRING --- classes/Bulk/Bulk.php | 11 +- inc/classes/class-imagify-admin-ajax-post.php | 24 +-- .../class-imagify-files-list-table.php | 118 +++++--------- inc/classes/class-imagify-settings.php | 3 +- inc/classes/class-imagify-views.php | 153 ++++++------------ 5 files changed, 107 insertions(+), 202 deletions(-) diff --git a/classes/Bulk/Bulk.php b/classes/Bulk/Bulk.php index 822afa8f8..2080c8a81 100644 --- a/classes/Bulk/Bulk.php +++ b/classes/Bulk/Bulk.php @@ -413,13 +413,14 @@ public function can_optimize() { * * @since 1.9 * - * @param string $method The method used: 'GET' (default), or 'POST'. - * @param string $parameter The name of the parameter to look for. + * @param string $method The method used: 'GET' (default), or 'POST'. + * @param string $parameter The name of the parameter to look for. + * * @return string */ public function get_context( $method = 'GET', $parameter = 'context' ) { - $method = 'POST' === $method ? INPUT_POST : INPUT_GET; - $context = filter_input( $method, $parameter, FILTER_SANITIZE_STRING ); + $context = 'POST' === $method ? $_POST[ $parameter ] : $_GET[$parameter ]; + $context = htmlspecialchars( $context ); return imagify_sanitize_context( $context ); } @@ -557,7 +558,7 @@ public function bulk_info_seen_callback() { public function bulk_get_stats_callback() { imagify_check_nonce( 'imagify-bulk-optimize' ); - $folder_types = filter_input( INPUT_GET, 'types', FILTER_SANITIZE_STRING, FILTER_REQUIRE_ARRAY ); + $folder_types = filter_input( INPUT_GET, 'types', FILTER_REQUIRE_ARRAY ); $folder_types = is_array( $folder_types ) ? array_filter( $folder_types, 'is_string' ) : []; if ( ! $folder_types ) { 
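Review bot: In get_context() the new `$_POST[ $parameter ]` / `$_GET[ $parameter ]` read has no `isset()` guard, so a request that omits the parameter now emits an undefined-index warning and hands `null` to `htmlspecialchars()` (deprecated in PHP 8.1), where `filter_input()` returned `null` silently; a parameter submitted as an array reaches `htmlspecialchars()` as an array, which is a TypeError on PHP 8, whereas `filter_input()` without `FILTER_REQUIRE_ARRAY` returned `false`. A guarded read keeps the old contract: `$source = 'POST' === $method ? $_POST : $_GET;` followed by `$context = isset( $source[ $parameter ] ) && is_string( $source[ $parameter ] ) ? $source[ $parameter ] : '';`. `htmlspecialchars()` is output escaping rather than input validation, and since the value goes through `imagify_sanitize_context()` anyway (its body is outside the hunk) the escaping step is presumably redundant and can only mangle a legitimate value, so I would drop it in favour of the guard. The same unguarded pattern appears in get_context(), get_folder_type(), get_imagify_action() and imagify_dismiss_ad_callback() in class-imagify-admin-ajax-post.php, prepare_items() and get_status_filter() in class-imagify-files-list-table.php, is_form_submit() in class-imagify-settings.php and the is_*_page() methods in class-imagify-views.php; in is_wp_library_page() an absent `page` parameter is the very case the method tests for, so the warning would fire on every plain media-library load.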
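Review bot: In bulk_get_stats_callback() the new `filter_input( INPUT_GET, 'types', FILTER_REQUIRE_ARRAY )` passes `FILTER_REQUIRE_ARRAY` as the third argument, which is the filter id, not the options/flags argument; it is a flag rather than a filter, so as far as I can tell PHP treats it as an unknown filter id and the array requirement is lost, meaning an array `types` value fails the scalar default and `$folder_types` should end up `[]` on every request. The intended call is `$folder_types = filter_input( INPUT_GET, 'types', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY );`, which drops only the removed `FILTER_SANITIZE_STRING` while keeping the array semantics that the following `is_array()` / `array_filter( ..., 'is_string' )` lines rely on. The function's body continues outside the hunk.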
diff --git a/inc/classes/class-imagify-admin-ajax-post.php b/inc/classes/class-imagify-admin-ajax-post.php index f1655269d..a64511f87 100755 --- a/inc/classes/class-imagify-admin-ajax-post.php +++ b/inc/classes/class-imagify-admin-ajax-post.php @@ -1148,7 +1148,7 @@ public function imagify_dismiss_ad_callback() { imagify_die(); } - $notice = filter_input( INPUT_GET, 'ad', FILTER_SANITIZE_STRING ); + $notice = htmlspecialchars( $_GET['ad'] ); if ( ! $notice ) { imagify_maybe_redirect(); @@ -1215,8 +1215,8 @@ public function get_optimization_level( $method = 'GET', $parameter = 'optimizat * @return string */ public function get_context( $method = 'GET', $parameter = 'context' ) { - $method = 'POST' === $method ? INPUT_POST : INPUT_GET; - $context = filter_input( $method, $parameter, FILTER_SANITIZE_STRING ); + $context = 'POST' === $method ? $_POST[ $parameter ] : $_GET[$parameter ]; + $context = htmlspecialchars( $context ); return imagify_sanitize_context( $context ); } @@ -1246,14 +1246,15 @@ public function get_media_id( $method = 'GET', $parameter = 'attachment_id' ) { * * @since 1.9 * - * @param string $method The method used: 'GET' (default), or 'POST'. - * @param string $parameter The name of the parameter to look for. + * @param string $method The method used: 'GET' (default), or 'POST'. + * @param string $parameter The name of the parameter to look for. + * * @return string */ public function get_folder_type( $method = 'GET', $parameter = 'folder_type' ) { - $method = 'POST' === $method ? INPUT_POST : INPUT_GET; + $folder_type = 'POST' === $method ? $_POST[ $parameter ] : $_GET[$parameter ]; - return filter_input( $method, $parameter, FILTER_SANITIZE_STRING ); + return htmlspecialchars( $folder_type ); } /** 
@@ -1261,13 +1262,14 @@ public function get_folder_type( $method = 'GET', $parameter = 'folder_type' ) { * * @since 1.9 * - * @param string $method The method used: 'GET' (default), or 'POST'. - * @param string $parameter The name of the parameter to look for. + * @param string $method The method used: 'GET' (default), or 'POST'. + * @param string $parameter The name of the parameter to look for. + * * @return string */ public function get_imagify_action( $method = 'GET', $parameter = 'imagify_action' ) { - $method = 'POST' === $method ? INPUT_POST : INPUT_GET; - $action = filter_input( $method, $parameter, FILTER_SANITIZE_STRING ); + $action = 'POST' === $method ? $_POST[ $parameter ] : $_GET[$parameter ]; + $action = htmlspecialchars( $action ); return $action ? $action : 'optimize'; } diff --git a/inc/classes/class-imagify-files-list-table.php b/inc/classes/class-imagify-files-list-table.php index a959522a2..28a1fd76a 100755 --- a/inc/classes/class-imagify-files-list-table.php +++ b/inc/classes/class-imagify-files-list-table.php 
@@ -4,62 +4,54 @@ /** * Class that display the "custom folders" files. * - * @package Imagify - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 */ class Imagify_Files_List_Table extends WP_List_Table { /** * Class version. * - * @var string + * @var string * @since 1.7 - * @author Grégory Viguier */ const VERSION = '1.1'; /** * Class version. * - * @var string + * @var string * @since 1.7 - * @author Grégory Viguier */ const PER_PAGE_OPTION = 'imagify_files_per_page'; /** * List of the folders containing the listed files. * - * @var array - * @since 1.7 - * @author Grégory Viguier + * @var array + * @since 1.7 */ protected $folders = array(); /** * Filesystem object. * - * @var object Imagify_Filesystem - * @since 1.7.1 - * @author Grégory Viguier + * @var Imagify_Filesystem + * @since 1.7.1 */ protected $filesystem; /** * Views object. * - * @var object Imagify_Views - * @since 1.9 - * @author Grégory Viguier + * @var Imagify_Views + * @since 1.9 */ protected $views; /** * Constructor. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param array $args An associative array of arguments. */ @@ -80,8 +72,7 @@ public function __construct( $args = array() ) { /** * Prepares the list of items for displaying. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 */ public function prepare_items() { global $wpdb; @@ -108,8 +99,8 @@ public function prepare_items() { $file_ids = array(); $where = ''; - $sent_orderby = filter_input( INPUT_GET, 'orderby', FILTER_SANITIZE_STRING ); - $sent_order = filter_input( INPUT_GET, 'order', FILTER_SANITIZE_STRING ); + $sent_orderby = htmlspecialchars( $_GET['orderby'] ); + $sent_order = htmlspecialchars( $_GET['order'] ); $folder_filter = self::get_folder_filter(); $status_filter = self::get_status_filter(); 
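Review bot: In prepare_items() `$sent_orderby` and `$sent_order` are taken straight from `$_GET`, and the surrounding context (`global $wpdb` at the method's start, `$where = ''` in this hunk) shows they feed a database query, so the relevant protection is an allow-list, not `htmlspecialchars()`, which encodes for HTML output and leaves SQL-relevant characters untouched. The rest of prepare_items() is outside the hunk; if the values are already validated against `array_keys( $this->get_sortable_columns() )` and `ASC`/`DESC` further down, this is only a remark about a misleading sanitizer, otherwise that check is needed before either value reaches the query. In both cases a guarded read such as `$sent_orderby = isset( $_GET['orderby'] ) && is_string( $_GET['orderby'] ) ? $_GET['orderby'] : '';` (and the same for `order`) restores the behaviour `filter_input()` had for a missing or non-string parameter.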
@@ -227,8 +218,7 @@ public function prepare_items() { /** * Message to be displayed when there are no items. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 */ public function no_items() { if ( self::get_status_filter() ) { @@ -295,8 +285,7 @@ public function no_items() { /** * Display views. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 */ public function views() { global $wpdb; @@ -412,8 +401,7 @@ public function views() { /** * Get an associative array ( option_name => option_title ) with the list of bulk actions available on this table. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @return array */ @@ -427,8 +415,7 @@ public function get_bulk_actions() { * Get a list of columns. The format is: * 'internal-name' => 'Title' * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @return array */ @@ -452,8 +439,7 @@ public function get_columns() { * * The second format will make the initial sorting order be descending. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @return array */ @@ -469,8 +455,7 @@ public function get_sortable_columns() { /** * Get a column contents. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param string $column The column "name": "cb", "title", "optimization_level", etc. * @param object $item The current item. It must contain at least a $process property. @@ -489,8 +474,7 @@ public function get_column( $column, $item ) { /** * Handles the checkbox column output. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ @@ -505,8 +489,7 @@ public function column_cb( $item ) { /** * Handles the title column output. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ 
@@ -555,8 +538,7 @@ public function column_title( $item ) { /** * Handles the parent folder column output. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ @@ -590,8 +572,7 @@ public function column_folder( $item ) { /** * Handles the optimization data column output. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ @@ -642,8 +623,7 @@ public function column_optimization( $item ) { /** * Handles the status column output. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ @@ -677,8 +657,7 @@ public function column_status( $item ) { /** * Handles the optimization level column output. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ @@ -693,8 +672,7 @@ public function column_optimization_level( $item ) { /** * Handles the actions column output. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ @@ -730,8 +708,7 @@ public function column_actions( $item ) { /** * Prints a button to optimize the file. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ @@ -758,8 +735,7 @@ protected function optimize_button( $item ) { /** * Prints a button to retry to optimize the file. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ 
@@ -789,8 +765,7 @@ protected function retry_button( $item ) { /** * Prints buttons to re-optimize the file to other levels. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ @@ -833,8 +808,7 @@ protected function reoptimize_buttons( $item ) { /** * Prints a button to generate WebP versions if they are missing. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ @@ -849,8 +823,7 @@ protected function generate_webp_versions_button( $item ) { /** * Prints a button to delete WebP versions when the status is "already_optimized". * - * @since 1.9.6 - * @author Grégory Viguier + * @since 1.9.6 * * @param object $item The current item. It must contain at least a $process property. */ @@ -865,8 +838,7 @@ protected function delete_webp_versions_button( $item ) { /** * Prints a button to restore the file. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ @@ -888,8 +860,7 @@ protected function restore_button( $item ) { /** * Prints a button to check if the file has been modified or not. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ @@ -905,8 +876,7 @@ protected function refresh_status_button( $item ) { /** * Prints a button for the comparison tool (before / after optimization). * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. */ 
@@ -952,8 +922,7 @@ protected function comparison_tool_button( $item ) { * Add the folder_id and folder_path properties to the $item if not set yet. * It may happen if the $item doesn't come from the prepare() method. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param object $item The current item. It must contain at least a $process property. * @return object The current item. @@ -988,8 +957,7 @@ protected function maybe_set_item_folder( $item ) { /** * Get the name of the default primary column. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @return string Name of the default primary column, in this case, 'title'. */ @@ -1000,8 +968,7 @@ protected function get_default_primary_column_name() { /** * Get a list of CSS classes for the WP_List_Table table tag. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @return array List of CSS classes for the table tag. */ @@ -1012,8 +979,7 @@ protected function get_table_classes() { /** * Allow to save the screen options when submitted by the user. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @param bool|int $status Screen option value. Default false to skip. * @param string $option The option name. @@ -1031,8 +997,7 @@ public static function save_screen_options( $status, $option, $value ) { /** * Get the requested folder filter. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @return string */ @@ -1050,8 +1015,7 @@ public static function get_folder_filter() { /** * Get the requested status filter. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 * * @return string */ @@ -1067,7 +1031,7 @@ public static function get_status_filter() { 'unoptimized' => 1, 'errors' => 1, ); - $filter = trim( filter_input( INPUT_GET, 'status-filter', FILTER_SANITIZE_STRING ) ); + $filter = trim( htmlspecialchars( $_GET['status-filter'] ) ); $filter = isset( $values[ $filter ] ) ? $filter : ''; return $filter; 
diff --git a/inc/classes/class-imagify-settings.php b/inc/classes/class-imagify-settings.php index 7e89d73d7..a2fe3e71b 100644 --- a/inc/classes/class-imagify-settings.php +++ b/inc/classes/class-imagify-settings.php @@ -131,10 +131,9 @@ public function get_form_action() { * @return bool */ public function is_form_submit() { - return filter_input( INPUT_POST, 'option_page', FILTER_SANITIZE_STRING ) === $this->settings_group && filter_input( INPUT_POST, 'action', FILTER_SANITIZE_STRING ) === 'update'; + return htmlspecialchars( $_POST['option_page'] ) === $this->settings_group && htmlspecialchars( $_POST['action'] ) === 'update'; } - /** ----------------------------------------------------------------------------------------- */ /** ON FORM SUBMIT ========================================================================== */ /** ----------------------------------------------------------------------------------------- */ diff --git a/inc/classes/class-imagify-views.php b/inc/classes/class-imagify-views.php index a439839ad..89bfe4611 100644 --- a/inc/classes/class-imagify-views.php +++ b/inc/classes/class-imagify-views.php @@ -4,15 +4,14 @@ /** * Class that handles templates and menus. * - * @since 1.7 - * @author Grégory Viguier + * @since 1.7 */ class Imagify_Views { /** * Class version. * - * @var string + * @var string * @since 1.7 */ const VERSION = '1.1'; 
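Review bot: In is_form_submit() the escaped values are used only in `===` comparisons, so `htmlspecialchars()` changes what can match rather than protecting anything: a `$this->settings_group` containing `&`, quotes or angle brackets could never compare equal, and `$_POST['option_page']` / `$_POST['action']` are read unconditionally, so every request without a form body emits two undefined-index warnings where `filter_input()` returned `null`. Where is_form_submit() is called is outside the hunk, but an admin page load is presumably the common case. Compare the raw values behind a guard: `$option_page = isset( $_POST['option_page'] ) ? $_POST['option_page'] : '';`, `$action = isset( $_POST['action'] ) ? $_POST['action'] : '';`, `return $option_page === $this->settings_group && 'update' === $action;`.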
@@ -20,64 +19,56 @@ class Imagify_Views { /** * Slug used for the settings page URL. * - * @var string - * @since 1.7 - * @access protected + * @var string + * @since 1.7 */ protected $slug_settings; /** * Slug used for the bulk optimization page URL. * - * @var string - * @since 1.7 - * @access protected + * @var string + * @since 1.7 */ protected $slug_bulk; /** * Slug used for the "custom folders" page URL. * - * @var string - * @since 1.7 - * @access protected + * @var string + * @since 1.7 */ protected $slug_files; /** * A list of JS templates to print at the end of the page. * - * @var array - * @since 1.9 - * @access protected + * @var array + * @since 1.9 */ protected $templates_in_footer = []; /** * Stores the "custom folders" files list instance. * - * @var object Imagify_Files_List_Table - * @since 1.7 - * @access protected + * @var Imagify_Files_List_Table + * @since 1.7 */ protected $list_table; /** * Filesystem object. * - * @var object Imagify_Filesystem - * @since 1.7.1 - * @access protected - * @author Grégory Viguier + * @var Imagify_Filesystem + * @since 1.7.1 */ protected $filesystem; /** * The single instance of the class. * - * @var object - * @since 1.7 - * @access protected + * @var object + * @since 1.7 */ protected static $_instance; @@ -89,9 +80,7 @@ class Imagify_Views { /** * The constructor. * - * @since 1.7 - * @author Grégory Viguier - * @access protected + * @since 1.7 */ protected function __construct() { $this->slug_settings = IMAGIFY_SLUG; @@ -103,9 +92,7 @@ protected function __construct() { /** * Get the main Instance. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 * * @return object Main instance. */ @@ -120,9 +107,7 @@ public static function get_instance() { /** * Launch the hooks. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 */ public function init() { // Menu items. 
@@ -152,9 +137,7 @@ public function init() { /** * Add sub-menus for all sites. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 */ public function add_site_menus() { $wp_context = imagify_get_context( 'wp' ); @@ -187,9 +170,7 @@ public function add_site_menus() { /** * Add menu and sub-menus in the network admin when Imagify is network-activated. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 */ public function add_network_menus() { global $submenu; @@ -232,9 +213,7 @@ public function add_network_menus() { /** * Add links to the plugin row in the plugins list. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 * * @param array $actions An array of action links. * @return array @@ -254,9 +233,7 @@ public function plugin_action_links( $actions ) { /** * The main settings page. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 */ public function display_settings_page() { $this->print_template( 'page-settings' ); @@ -265,9 +242,7 @@ public function display_settings_page() { /** * The bulk optimization page. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 */ public function display_bulk_page() { $types = array(); @@ -363,9 +338,7 @@ public function display_bulk_page() { /** * The page displaying the "custom folders" files. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 */ public function display_files_list() { $this->print_template( 'page-files-list' ); @@ -374,9 +347,7 @@ public function display_files_list() { /** * Initiate the "custom folders" list table data. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 */ public function load_files_list() { // Instantiate the list. @@ -396,9 +367,7 @@ public function load_files_list() { /** * Get the settings page slug. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 * * @return string */ 
@@ -409,9 +378,7 @@ public function get_settings_page_slug() { /** * Get the bulk optimization page slug. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 * * @return string */ @@ -422,9 +389,7 @@ public function get_bulk_page_slug() { /** * Get the "custom folders" files page slug. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 * * @return string */ @@ -440,16 +405,14 @@ public function get_files_page_slug() { /** * Tell if we’re displaying the settings page. * - * @since 1.9 - * @author Grégory Viguier - * @access public + * @since 1.9 * * @return bool */ public function is_settings_page() { global $pagenow; - $page = filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING ); + $page = htmlspecialchars( $_GET['page'] ); if ( $this->get_settings_page_slug() !== $page ) { return false; @@ -465,16 +428,14 @@ public function is_settings_page() { /** * Tell if we’re displaying the bulk optimization page. * - * @since 1.9 - * @author Grégory Viguier - * @access public + * @since 1.9 * * @return bool */ public function is_bulk_page() { global $pagenow; - $page = filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING ); + $page = htmlspecialchars( $_GET['page'] ); return 'upload.php' === $pagenow && $this->get_bulk_page_slug() === $page; } @@ -482,16 +443,14 @@ public function is_bulk_page() { /** * Tell if we’re displaying the custom files list page. * - * @since 1.9 - * @author Grégory Viguier - * @access public + * @since 1.9 * * @return bool */ public function is_files_page() { global $pagenow; - $page = filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING ); + $page = htmlspecialchars( $_GET['page'] ); return 'upload.php' === $pagenow && $this->get_files_page_slug() === $page; } 
@@ -499,16 +458,14 @@ public function is_files_page() { /** * Tell if we’re displaying the WP media library page. * - * @since 1.9 - * @author Grégory Viguier - * @access public + * @since 1.9 * * @return bool */ public function is_wp_library_page() { global $pagenow; - $page = filter_input( INPUT_GET, 'page', FILTER_SANITIZE_STRING ); + $page = htmlspecialchars( $_GET['page'] ); return 'upload.php' === $pagenow && ! $page; } @@ -516,9 +473,7 @@ public function is_wp_library_page() { /** * Tell if we’re displaying a media page. * - * @since 1.9 - * @author Grégory Viguier - * @access public + * @since 1.9 * * @return bool */ @@ -536,9 +491,7 @@ public function is_media_page() { /** * Get the remaining quota in percent. * - * @since 1.8.1 - * @author Grégory Viguier - * @access public + * @since 1.8.1 * * @return int */ @@ -558,9 +511,7 @@ public function get_quota_percent() { /** * Get the HTML class used for the quota (to change the color when out of quota for example). * - * @since 1.8.1 - * @author Grégory Viguier - * @access public + * @since 1.8.1 * * @return string */ @@ -588,9 +539,7 @@ public function get_quota_class() { /** * Get the HTML tag used for the quota (the weather-like icon). * - * @since 1.8.1 - * @author Grégory Viguier - * @access public + * @since 1.8.1 * * @return string */ @@ -622,9 +571,7 @@ public function get_quota_icon() { /** * Get a template contents. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 * * @param string $template The template name. * @param mixed $data Some data to pass to the template. @@ -648,9 +595,7 @@ public function get_template( $template, $data = array() ) { /** * Print a template. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 * * @param string $template The template name. * @param mixed $data Some data to pass to the template. 
@@ -662,9 +607,7 @@ public function print_template( $template, $data = array() ) { /** * Add a template to the list of JS templates to print at the end of the page. * - * @since 1.7 - * @author Grégory Viguier - * @access public + * @since 1.7 * * @param string $template The template name. */ @@ -691,9 +634,7 @@ public function print_js_template_in_footer( $template ) { /** * Print the JS templates that have been added to the "queue". * - * @since 1.9 - * @author Grégory Viguier - * @access public + * @since 1.9 */ public function print_js_templates() { if ( ! $this->templates_in_footer ) { @@ -717,9 +658,7 @@ public function print_js_templates() { /** * Create HTML attributes from an array. * - * @since 1.9 - * @access public - * @author Grégory Viguier + * @since 1.9 * * @param array $attributes A list of attribute pairs. * @return string HTML attributes. From 89816b5c487604ad3237337cb0c6a92679cb0f89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9my=20Perona?= Date: Fri, 14 Apr 2023 11:59:28 -0400 Subject: [PATCH 2/7] fix PHPCS --- classes/Bulk/Bulk.php | 2 +- inc/classes/class-imagify-admin-ajax-post.php | 8 ++++---- inc/classes/class-imagify-files-list-table.php | 6 +++--- inc/classes/class-imagify-settings.php | 2 +- inc/classes/class-imagify-views.php | 8 ++++---- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/classes/Bulk/Bulk.php b/classes/Bulk/Bulk.php index 2080c8a81..a18d593c1 100644 --- a/classes/Bulk/Bulk.php +++ b/classes/Bulk/Bulk.php @@ -419,7 +419,7 @@ public function can_optimize() { * @return string */ public function get_context( $method = 'GET', $parameter = 'context' ) { - $context = 'POST' === $method ? $_POST[ $parameter ] : $_GET[$parameter ]; + $context = 'POST' === $method ? wp_unslash( $_POST[ $parameter ] ) : wp_unslash( $_GET[ $parameter ] ); //phpcs:ignore WordPress.Security.NonceVerification.Missing $context = htmlspecialchars( $context ); return imagify_sanitize_context( $context ); 
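Review bot: `//phpcs:ignore` in Bulk::get_context() drops the space that every other `// phpcs:ignore` comment in this patch has, and it lists only `WordPress.Security.NonceVerification.Missing` although the `$_GET` branch on the same line is what patches 3 and 4 address with `.Recommended` for the identical code in class-imagify-admin-ajax-post.php and the other files; unless a later patch in the series does the same here, this line will keep tripping PHPCS. The ignores also carry no justification; appending a reason such as `-- nonce is verified by the calling AJAX handler` to each `phpcs:ignore` tells the next reader why the unverified read is acceptable (imagify_check_nonce() is visible in bulk_get_stats_callback(), but get_context()'s callers are outside the hunk, so the reason should be confirmed). Separately, `wp_unslash()` does not cover the missing-parameter case, and the WordPress idiom for a text value is `sanitize_text_field( wp_unslash( $_GET[ $parameter ] ) )` rather than `htmlspecialchars()`, which encodes for HTML output and would double-encode if the value is later escaped again on output.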
diff --git a/inc/classes/class-imagify-admin-ajax-post.php b/inc/classes/class-imagify-admin-ajax-post.php index a64511f87..9513241a0 100755 --- a/inc/classes/class-imagify-admin-ajax-post.php +++ b/inc/classes/class-imagify-admin-ajax-post.php @@ -1148,7 +1148,7 @@ public function imagify_dismiss_ad_callback() { imagify_die(); } - $notice = htmlspecialchars( $_GET['ad'] ); + $notice = htmlspecialchars( wp_unslash( $_GET['ad'] ) ); if ( ! $notice ) { imagify_maybe_redirect(); @@ -1215,7 +1215,7 @@ public function get_optimization_level( $method = 'GET', $parameter = 'optimizat * @return string */ public function get_context( $method = 'GET', $parameter = 'context' ) { - $context = 'POST' === $method ? $_POST[ $parameter ] : $_GET[$parameter ]; + $context = 'POST' === $method ? wp_unslash( $_POST[ $parameter ] ) : wp_unslash( $_GET[ $parameter ] ); // phpcs:ignore WordPress.Security.NonceVerification.Missing $context = htmlspecialchars( $context ); return imagify_sanitize_context( $context ); @@ -1252,7 +1252,7 @@ public function get_media_id( $method = 'GET', $parameter = 'attachment_id' ) { * @return string */ public function get_folder_type( $method = 'GET', $parameter = 'folder_type' ) { - $folder_type = 'POST' === $method ? $_POST[ $parameter ] : $_GET[$parameter ]; + $folder_type = 'POST' === $method ? wp_unslash( $_POST[ $parameter ] ) : wp_unslash( $_GET[ $parameter ] ); // phpcs:ignore WordPress.Security.NonceVerification.Missing return htmlspecialchars( $folder_type ); } 
@@ -1268,7 +1268,7 @@ public function get_folder_type( $method = 'GET', $parameter = 'folder_type' ) { * @return string */ public function get_imagify_action( $method = 'GET', $parameter = 'imagify_action' ) { - $action = 'POST' === $method ? $_POST[ $parameter ] : $_GET[$parameter ]; + $action = 'POST' === $method ? wp_unslash( $_POST[ $parameter ] ) : wp_unslash( $_GET[ $parameter ] ); // phpcs:ignore WordPress.Security.NonceVerification.Missing $action = htmlspecialchars( $action ); return $action ? $action : 'optimize'; diff --git a/inc/classes/class-imagify-files-list-table.php b/inc/classes/class-imagify-files-list-table.php index 28a1fd76a..7f7ea2dad 100755 --- a/inc/classes/class-imagify-files-list-table.php +++ b/inc/classes/class-imagify-files-list-table.php @@ -99,8 +99,8 @@ public function prepare_items() { $file_ids = array(); $where = ''; - $sent_orderby = htmlspecialchars( $_GET['orderby'] ); - $sent_order = htmlspecialchars( $_GET['order'] ); + $sent_orderby = htmlspecialchars( wp_unslash( $_GET['orderby'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing + $sent_order = htmlspecialchars( wp_unslash( $_GET['order'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing $folder_filter = self::get_folder_filter(); $status_filter = self::get_status_filter(); @@ -1031,7 +1031,7 @@ public static function get_status_filter() { 'unoptimized' => 1, 'errors' => 1, ); - $filter = trim( htmlspecialchars( $_GET['status-filter'] ) ); + $filter = trim( htmlspecialchars( wp_unslash( $_GET['status-filter'] ) ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing $filter = isset( $values[ $filter ] ) ? $filter : ''; return $filter; diff --git a/inc/classes/class-imagify-settings.php b/inc/classes/class-imagify-settings.php index a2fe3e71b..605097bca 100644 --- a/inc/classes/class-imagify-settings.php +++ b/inc/classes/class-imagify-settings.php 
@@ -131,7 +131,7 @@ public function get_form_action() { * @return bool */ public function is_form_submit() { - return htmlspecialchars( $_POST['option_page'] ) === $this->settings_group && htmlspecialchars( $_POST['action'] ) === 'update'; + return htmlspecialchars( wp_unslash( $_POST['option_page'] ) ) === $this->settings_group && htmlspecialchars( wp_unslash( $_POST['action'] ) ) === 'update'; // phpcs:ignore WordPress.Security.NonceVerification.Missing } /** ----------------------------------------------------------------------------------------- */ diff --git a/inc/classes/class-imagify-views.php b/inc/classes/class-imagify-views.php index 89bfe4611..67b651c24 100644 --- a/inc/classes/class-imagify-views.php +++ b/inc/classes/class-imagify-views.php @@ -412,7 +412,7 @@ public function get_files_page_slug() { public function is_settings_page() { global $pagenow; - $page = htmlspecialchars( $_GET['page'] ); + $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing if ( $this->get_settings_page_slug() !== $page ) { return false; @@ -435,7 +435,7 @@ public function is_settings_page() { public function is_bulk_page() { global $pagenow; - $page = htmlspecialchars( $_GET['page'] ); + $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing return 'upload.php' === $pagenow && $this->get_bulk_page_slug() === $page; } @@ -450,7 +450,7 @@ public function is_bulk_page() { public function is_files_page() { global $pagenow; - $page = htmlspecialchars( $_GET['page'] ); + $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing return 'upload.php' === $pagenow && $this->get_files_page_slug() === $page; } 
@@ -465,7 +465,7 @@ public function is_files_page() { public function is_wp_library_page() { global $pagenow; - $page = htmlspecialchars( $_GET['page'] ); + $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing return 'upload.php' === $pagenow && ! $page; } From 48ef10718aa569ea90df44dea3747a3c8f88dab3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9my=20Perona?= Date: Fri, 14 Apr 2023 12:02:26 -0400 Subject: [PATCH 3/7] fix PHPCS --- inc/classes/class-imagify-files-list-table.php | 6 +++--- inc/classes/class-imagify-views.php | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/inc/classes/class-imagify-files-list-table.php b/inc/classes/class-imagify-files-list-table.php index 7f7ea2dad..335ae51fe 100755 --- a/inc/classes/class-imagify-files-list-table.php +++ b/inc/classes/class-imagify-files-list-table.php @@ -99,8 +99,8 @@ public function prepare_items() { $file_ids = array(); $where = ''; - $sent_orderby = htmlspecialchars( wp_unslash( $_GET['orderby'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing - $sent_order = htmlspecialchars( wp_unslash( $_GET['order'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing + $sent_orderby = htmlspecialchars( wp_unslash( $_GET['orderby'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended + $sent_order = htmlspecialchars( wp_unslash( $_GET['order'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended $folder_filter = self::get_folder_filter(); $status_filter = self::get_status_filter(); 
@@ -1031,7 +1031,7 @@ public static function get_status_filter() { 'unoptimized' => 1, 'errors' => 1, ); - $filter = trim( htmlspecialchars( wp_unslash( $_GET['status-filter'] ) ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing + $filter = trim( htmlspecialchars( wp_unslash( $_GET['status-filter'] ) ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended $filter = isset( $values[ $filter ] ) ? $filter : ''; return $filter; diff --git a/inc/classes/class-imagify-views.php b/inc/classes/class-imagify-views.php index 67b651c24..81549d4c5 100644 --- a/inc/classes/class-imagify-views.php +++ b/inc/classes/class-imagify-views.php @@ -412,7 +412,7 @@ public function get_files_page_slug() { public function is_settings_page() { global $pagenow; - $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing + $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended if ( $this->get_settings_page_slug() !== $page ) { return false; @@ -435,7 +435,7 @@ public function is_settings_page() { public function is_bulk_page() { global $pagenow; - $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing + $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended return 'upload.php' === $pagenow && $this->get_bulk_page_slug() === $page; } 
@@ -450,7 +450,7 @@ public function is_bulk_page() {
 public function is_files_page() {
 global $pagenow;
- $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing
+ $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended
 return 'upload.php' === $pagenow && $this->get_files_page_slug() === $page;
 }
@@ -465,7 +465,7 @@ public function is_files_page() {
 public function is_wp_library_page() {
 global $pagenow;
- $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing
+ $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended
 return 'upload.php' === $pagenow && ! $page;
 }
From 7b232f7acf36bf7f2d3102a12e4284bc2834eaae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9my=20Perona?=
Date: Fri, 14 Apr 2023 12:04:16 -0400
Subject: [PATCH 4/7] fix PHPCS
---
 inc/classes/class-imagify-admin-ajax-post.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/inc/classes/class-imagify-admin-ajax-post.php b/inc/classes/class-imagify-admin-ajax-post.php
index 9513241a0..3ed638203 100755
--- a/inc/classes/class-imagify-admin-ajax-post.php
+++ b/inc/classes/class-imagify-admin-ajax-post.php
@@ -1215,7 +1215,7 @@ public function get_optimization_level( $method = 'GET', $parameter = 'optimizat
 * @return string
 */
 public function get_context( $method = 'GET', $parameter = 'context' ) {
- $context = 'POST' === $method ? wp_unslash( $_POST[ $parameter ] ) : wp_unslash( $_GET[ $parameter ] ); // phpcs:ignore WordPress.Security.NonceVerification.Missing
+ $context = 'POST' === $method ? wp_unslash( $_POST[ $parameter ] ) : wp_unslash( $_GET[ $parameter ] ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended
 $context = htmlspecialchars( $context );
 return imagify_sanitize_context( $context );
@@ -1252,7 +1252,7 @@ public function get_media_id( $method = 'GET', $parameter = 'attachment_id' ) {
 * @return string
 */
 public function get_folder_type( $method = 'GET', $parameter = 'folder_type' ) {
- $folder_type = 'POST' === $method ? wp_unslash( $_POST[ $parameter ] ) : wp_unslash( $_GET[ $parameter ] ); // phpcs:ignore WordPress.Security.NonceVerification.Missing
+ $folder_type = 'POST' === $method ? wp_unslash( $_POST[ $parameter ] ) : wp_unslash( $_GET[ $parameter ] ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended
 return htmlspecialchars( $folder_type );
 }
@@ -1268,7 +1268,7 @@ public function get_folder_type( $method = 'GET', $parameter = 'folder_type' ) {
 * @return string
 */
 public function get_imagify_action( $method = 'GET', $parameter = 'imagify_action' ) {
- $action = 'POST' === $method ? wp_unslash( $_POST[ $parameter ] ) : wp_unslash( $_GET[ $parameter ] ); // phpcs:ignore WordPress.Security.NonceVerification.Missing
+ $action = 'POST' === $method ? wp_unslash( $_POST[ $parameter ] ) : wp_unslash( $_GET[ $parameter ] ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended
 $action = htmlspecialchars( $action );
 return $action ? $action : 'optimize';
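Review bot: `htmlspecialchars()` in `get_context`, `get_folder_type` and `get_imagify_action` is output escaping applied to input: it leaves the request value intact except for HTML-encoding `&`, `<`, `>` and quotes, so an unexpected value comes back as encoded text (`a&amp;b`) rather than being rejected, and the `$_POST[ $parameter ]`/`$_GET[ $parameter ]` reads have no `isset()` guard, so a missing parameter raises an undefined-index notice and passes `null` to `htmlspecialchars()`. The callers are outside the hunk, but if these values are matched against known contexts, folder types and actions downstream, the WordPress idiom is `sanitize_text_field()` (or `sanitize_key()` where only lowercase slugs are valid) on a guarded read, e.g. `$folder_type = isset( $_POST[ $parameter ] ) ? sanitize_text_field( wp_unslash( $_POST[ $parameter ] ) ) : '';` with the `$_GET` branch mirrored. `Bulk::get_context` in PATCH 5/7 has the same shape and the same fix applies there. In `get_context` the value already goes through `imagify_sanitize_context()`, so the intermediate `htmlspecialchars()` step looks redundant, assuming that helper restricts the value to the known contexts.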
From e1bb615f9f6b3e0e0d5a200e4db780170df4de2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9my=20Perona?=
Date: Fri, 14 Apr 2023 12:04:21 -0400
Subject: [PATCH 5/7] fix PHPCS
---
 classes/Bulk/Bulk.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/classes/Bulk/Bulk.php b/classes/Bulk/Bulk.php
index a18d593c1..ef13f783a 100644
--- a/classes/Bulk/Bulk.php
+++ b/classes/Bulk/Bulk.php
@@ -419,7 +419,7 @@ public function can_optimize() {
 * @return string
 */
 public function get_context( $method = 'GET', $parameter = 'context' ) {
- $context = 'POST' === $method ? wp_unslash( $_POST[ $parameter ] ) : wp_unslash( $_GET[ $parameter ] ); //phpcs:ignore WordPress.Security.NonceVerification.Missing
+ $context = 'POST' === $method ? wp_unslash( $_POST[ $parameter ] ) : wp_unslash( $_GET[ $parameter ] ); //phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended
 $context = htmlspecialchars( $context );
 return imagify_sanitize_context( $context );
From f5b7ab07802ef69dbcd4fbe6438bffe19335cb5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9my=20Perona?=
Date: Thu, 25 May 2023 15:42:14 -0400
Subject: [PATCH 6/7] fix PHP notice
---
 inc/classes/class-imagify-views.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/inc/classes/class-imagify-views.php b/inc/classes/class-imagify-views.php
index 81549d4c5..a55c7e957 100644
--- a/inc/classes/class-imagify-views.php
+++ b/inc/classes/class-imagify-views.php
@@ -465,9 +465,7 @@ public function is_files_page() {
 public function is_wp_library_page() {
 global $pagenow;
- $page = htmlspecialchars( wp_unslash( $_GET['page'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.NonceVerification.Recommended
-
- return 'upload.php' === $pagenow && ! $page;
+ return 'upload.php' === $pagenow && ! isset( $_GET['page'] );
 }
 /**
From cc948afa1fb7e20ce6aecdf50e6872ddca5365ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9my=20Perona?=
Date: Thu, 25 May 2023 15:45:31 -0400
Subject: [PATCH 7/7] add PHPCS ignore
---
 inc/classes/class-imagify-views.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inc/classes/class-imagify-views.php b/inc/classes/class-imagify-views.php
index a55c7e957..f882a7c55 100644
--- a/inc/classes/class-imagify-views.php
+++ b/inc/classes/class-imagify-views.php
@@ -465,7 +465,7 @@ public function is_files_page() {
 public function is_wp_library_page() {
 global $pagenow;
- return 'upload.php' === $pagenow && ! isset( $_GET['page'] );
+ return 'upload.php' === $pagenow && ! isset( $_GET['page'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 }
 /**