30 changes: 17 additions & 13 deletions ad-code-manager.php
Expand Up @@ -272,14 +272,16 @@ function update_options( $new_options ) {
*/
function handle_admin_action() {

if ( !wp_verify_nonce( $_REQUEST['nonce'], 'acm-admin-action' ) )
wp_die( __( 'Doing something fishy, eh?', 'ad-code-manager' ) );
if ( ! isset( $_REQUEST['nonce'] ) || !wp_verify_nonce( $_REQUEST['nonce'], 'acm-admin-action' ) )
wp_die( esc_html__( 'Doing something fishy, eh?', 'ad-code-manager' ) );

if ( !current_user_can( $this->manage_ads_cap ) )
wp_die( __( 'You do not have the necessary permissions to perform this action', 'ad-code-manager' ) );
wp_die( esc_html__( 'You do not have the necessary permissions to perform this action', 'ad-code-manager' ) );

$method = isset( $_REQUEST['method'] ) ? $_REQUEST['method'] : '';

// Depending on the method we're performing, sanitize the requisite data and do it
switch ( $_REQUEST['method'] ) {
switch ( $method ) {
case 'add':
case 'edit':
$id = ( isset( $_REQUEST['id'] ) ) ? (int)$_REQUEST['id'] : 0;
Expand All @@ -290,16 +292,16 @@ function handle_admin_action() {
'operator' => $operator,
);
foreach ( $this->current_provider->ad_code_args as $arg ) {
$ad_code_vals[$arg['key']] = sanitize_text_field( $_REQUEST['acm-column'][$arg['key']] );
$ad_code_vals[$arg['key']] = sanitize_text_field( isset( $_REQUEST['acm-column'][$arg['key']] ) ? $_REQUEST['acm-column'][$arg['key']] : '' );
}
if ( $_REQUEST['method'] == 'add' )
if ( $method == 'add' )
$id = $this->create_ad_code( $ad_code_vals );
else
$id = $this->edit_ad_code( $id, $ad_code_vals );
if ( is_wp_error( $id ) ) {
// We can die with an error if this is an edit/ajax request
if ( isset( $id->errors['edit-error'][0] ) )
die( '<div class="error">' . $id->errors['edit-error'][0] . '</div>' );
die( '<div class="error">' . esc_html( $id->errors['edit-error'][0] ) . '</div>' );
else
$message = 'error-adding-editing-ad-code';
break;
Expand All @@ -317,7 +319,7 @@ function handle_admin_action() {
$new_conditionals[] = $conditional;
}
}
if ( $_REQUEST['method'] == 'add' ) {
if ( $method == 'add' ) {
foreach ( $new_conditionals as $new_conditional ) {
$this->create_conditional( $id, $new_conditional );
}
Expand Down Expand Up @@ -346,19 +348,21 @@ function handle_admin_action() {
}

if ( isset( $_REQUEST['doing_ajax'] ) && $_REQUEST['doing_ajax'] ) {
switch ( $_REQUEST['method'] ) {
switch ( $method ) {
case 'edit':
set_current_screen( 'ad-code-manager' );
$this->wp_list_table = new $this->providers->{$this->current_provider_slug}['table'];
$this->wp_list_table->prepare_items();
$new_ad_code = $this->get_ad_code( $id );
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- escaped in function
echo $this->wp_list_table->single_row( $new_ad_code );
break;
}
} else {
// @todo support ajax and non-ajax requests
$redirect_url = add_query_arg( 'message', $message, remove_query_arg( 'message', wp_get_referer() ) );
wp_safe_redirect( $redirect_url );
exit; // satisfy phpcs
}
exit;
}
Expand Down Expand Up @@ -459,6 +463,7 @@ function get_ad_code( $post_id ) {
* Flush cache
*/
function flush_cache() {
echo 'hello';
Comment thread
GaryJones marked this conversation as resolved.
wp_cache_delete( 'ad_codes', 'acm' );
}

Expand Down Expand Up @@ -614,7 +619,7 @@ function action_load_ad_code_manager() {
switch ( $this->wp_list_table->current_action() ) {
case 'delete':
check_admin_referer( 'acm-bulk-action', 'bulk-action-nonce' );
$ad_code_ids = array_map( 'intval', $_REQUEST['ad-codes'] );
$ad_code_ids = array_map( 'intval', ( isset( $_REQUEST['ad-codes'] ) ? $_REQUEST['ad-codes'] : [] ) );
foreach ( $ad_code_ids as $ad_code_id ) {
$this->delete_ad_code( $ad_code_id );
}
Expand All @@ -633,9 +638,7 @@ function admin_view_controller() {
}

function parse_readme_into_contextual_help() {
ob_start();
include_once AD_CODE_MANAGER_ROOT . '/readme.txt';
$readme = ob_get_clean();
$readme = file_get_contents( AD_CODE_MANAGER_ROOT . '/readme.txt' );
$sections = preg_split( "/==(.*)==/", $readme );
// Something's wrong with readme, fail silently
if ( 5 > count( $sections ) )
Expand Down Expand Up @@ -886,6 +889,7 @@ function action_acm_tag( $tag_id, $echo = true ) {

if ( $echo )
// Print the ad code
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo $output_html;
else
return $output_html;
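Review bot: The `isset()` guard added on the bulk-delete line only covers a missing parameter; if `ad-codes` arrives as a scalar (`?ad-codes=1`), `array_map( 'intval', ... )` receives a string and throws a TypeError on PHP 8 (a warning and a null result on PHP 7), so the handler fails after `check_admin_referer()` has already passed. Cast the request value before mapping: `$ad_code_ids = array_map( 'intval', (array) ( isset( $_REQUEST['ad-codes'] ) ? $_REQUEST['ad-codes'] : [] ) );`. The same shape applies to `$_REQUEST['acm-column'][ $arg['key'] ]` in the add/edit hunk, where `sanitize_text_field()` would be handed an array if a client sends one. The enclosing `action_load_ad_code_manager()` starts and ends outside the hunk.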
2 changes: 2 additions & 0 deletions common/lib/acm-provider.php
Expand Up @@ -67,11 +67,13 @@ public function action_do_robotstxt() {
if ( ! is_array( $disallowed ) || empty( $disallowed ) )
return;

// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
echo 'User-agent: ' . $this->crawler_user_agent . PHP_EOL;

foreach ( $disallowed as $disallow ) {
echo 'Disallow: ' . $disallow . PHP_EOL;
}
// phpcs:enable

echo PHP_EOL;
}
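Review bot: The new `phpcs:disable` block silences the escaping sniff for `$this->crawler_user_agent` and each `$disallow` without stating why, and neither value is made safe for the plain-text context it is written into: a value containing a line break would inject additional robots.txt directives. Give the sniff a reason and strip line breaks, e.g. `// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped -- plain-text robots.txt, not HTML` and `echo 'Disallow: ' . str_replace( array( "\r", "\n" ), '', $disallow ) . PHP_EOL;`. Where `$disallowed` is populated is outside the hunk, so whether it can ever carry untrusted input is something to confirm. The enclosing `action_do_robotstxt()` starts outside the hunk.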
14 changes: 8 additions & 6 deletions common/lib/acm-widget.php
Expand Up @@ -27,23 +27,23 @@ function form( $instance ) {
$zone = $instance['ad_zone'];
global $ad_code_manager;
?>
<p><label>Title: <input class="widefat" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" /></label></p>
<p><label>Title: <input class="widefat" name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" /></label></p>

<p>
<?php if ( !empty( $ad_code_manager->ad_codes ) ): ?>
<label for="<?php echo $this->get_field_id( 'ad_zone' ); ?>">Choose Ad Zone</label>
<select id="<?php echo $this->get_field_id( 'ad_zone' ); ?>" name="<?php echo $this->get_field_name( 'ad_zone' ); ?>">
<label for="<?php echo esc_attr( $this->get_field_id( 'ad_zone' ) ); ?>">Choose Ad Zone</label>
<select id="<?php echo esc_attr( $this->get_field_id( 'ad_zone' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'ad_zone' ) ); ?>">
<?php
foreach ( $ad_code_manager->ad_codes as $key => $value ) {
?>
<option value="<?php echo $key; ?>" <?php selected( $key, $zone ); ?>><?php echo $key; ?></option>
<option value="<?php echo esc_attr( $key ); ?>" <?php selected( $key, $zone ); ?>><?php echo esc_html( $key ); ?></option>
<?php
}
?>
</select>
<?php else: ?>
<?php $create_url = add_query_arg( 'page', $ad_code_manager->plugin_slug, admin_url( 'tools.php' ) ); ?>
<span class="description"><?php echo sprintf( __( "No ad codes have been added yet. <a href='%s'>Please create one</a>.", 'ad-code-manager' ), $create_url ); ?></span>
<span class="description"><?php echo wp_kses( sprintf( __( "No ad codes have been added yet. <a href='%s'>Please create one</a>.", 'ad-code-manager' ), $create_url ), [ 'a' => [ 'href' => true ] ] ); ?></span>
<?php endif; ?>
</p>

Expand All @@ -61,13 +61,15 @@ function update( $new_instance, $old_instance ) {
// Display the widget
function widget( $args, $instance ) {
extract( $args );
// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
echo $before_widget;
$title = apply_filters( 'widget_title', $instance['title'] );

if ( !empty( $title ) ) {
echo $before_title . $title . $after_title;
echo $before_title . esc_html( $title ) . $after_title;
}
do_action( 'acm_tag', $instance['ad_zone'] );
echo $after_widget;
// phpcs:enable
}
}
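Review bot: In the new `wp_kses()` call on the "No ad codes have been added yet" message, `$create_url` is interpolated straight into `href='%s'`; `wp_kses` validates the protocol but does not apply the URL encoding that `esc_url()` does, while every other attribute in this hunk now goes through an escaper. Pass it through first: `sprintf( __( "No ad codes have been added yet. <a href='%s'>Please create one</a>.", 'ad-code-manager' ), esc_url( $create_url ) )`. The URL is built from `admin_url()` and the plugin slug, so the practical risk is low, but it keeps the template consistent with the rest of the change. `form()` starts outside the hunk.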
12 changes: 6 additions & 6 deletions common/lib/acm-wp-list-table.php
Expand Up @@ -135,9 +135,9 @@ function no_items() {
function single_row( $item ) {
static $alternate_class = '';
$alternate_class = ( $alternate_class == '' ? ' alternate' : '' );
$row_class = ' class="term-static' . $alternate_class . '"';

echo '<tr id="ad-code-' . $item['post_id'] . '"' . $row_class . '>';
echo '<tr id="ad-code-' . esc_attr( $item['post_id'] ) . '" class="term-static' . esc_attr( $row_class ) . '">';
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo $this->single_row_columns( $item );
echo '</tr>';
}
Expand Down Expand Up @@ -228,7 +228,7 @@ function column_id( $item ) {
if ( isset( $ad_code_arg['type'] ) && 'select' == $ad_code_arg['type'] ) {
$output .= '<select name="' . esc_attr( $column_id ) . '">';
foreach ( $ad_code_arg['options'] as $key => $label ) {
$output .= '<option value="' . esc_attr( $key ) . '" ' . selected( $value, $key, false ) . '>' . esc_attr( $label ) . '</option>';
$output .= '<option value="' . esc_attr( $key ) . '" ' . selected( $value, $key, false ) . '>' . esc_html( $label ) . '</option>';
}
$output .= '</select>';
} else {
Expand All @@ -251,7 +251,7 @@ function column_id( $item ) {
'AND' => __( 'AND', 'ad-code-manager' ),
);
foreach ( $operators as $key => $label ) {
$output .= '<option ' . selected( $item['operator'], $key ) . '>' . esc_attr( $label ) . '</option>';
$output .= '<option ' . selected( $item['operator'], $key ) . '>' . esc_html( $label ) . '</option>';
}
$output .= '</select>';
$output .= '</div>';
Expand Down Expand Up @@ -316,8 +316,8 @@ function row_actions_output( $item ) {
*/
function inline_edit() {
?>
<form method="POST" action="<?php echo admin_url( 'admin-ajax.php' ); ?>"><table style="display: none"><tbody id="inlineedit">
<tr id="inline-edit" class="inline-edit-row" style="display: none"><td colspan="<?php echo $this->get_column_count(); ?>" class="colspanchange">
<form method="POST" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>"><table style="display: none"><tbody id="inlineedit">
<tr id="inline-edit" class="inline-edit-row" style="display: none"><td colspan="<?php echo (int) $this->get_column_count(); ?>" class="colspanchange">
<fieldset><div class="inline-edit-col">
<input type="hidden" name="id" value="" />
<input type="hidden" name="action" value="acm_admin_action" />
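Review bot: `esc_attr( $row_class )` in the rewritten `<tr>` line refers to a variable that this hunk appears to delete (`$row_class = ' class="term-static' . $alternate_class . '"';` — the 6/6 diffstat only balances if that line is gone), so the new code reads an undefined variable: PHP emits a notice and the alternating `alternate` class is never output. The value intended here is `$alternate_class`: `echo '<tr id="ad-code-' . esc_attr( $item['post_id'] ) . '" class="term-static' . esc_attr( $alternate_class ) . '">';`. The `phpcs:ignore` placed on the `single_row_columns()` echo would also read better with a reason suffix, as the PR does elsewhere (`-- escaped in function`).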
1 change: 0 additions & 1 deletion common/lib/markdown.php
Expand Up @@ -2776,4 +2776,3 @@ function _doAbbreviations_callback( $matches ) {
software, even if advised of the possibility of such damage.

*/
?>
18 changes: 9 additions & 9 deletions common/views/ad-code-manager.tpl.php
Expand Up @@ -56,9 +56,9 @@
<div class="acm-global-options">
<h3><?php _e( 'Configuration', 'ad-code-manager' ); ?></h3>
<div class="form-wrap">
<form action="<?php echo admin_url( 'admin-ajax.php' ); ?>" method="post" name="updatesettings" id="updatesettings">
<form action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>" method="post" name="updatesettings" id="updatesettings">
<div id="provider-field" class="form-field form-required">
<label for="provider"><?php _e( 'Select a provider:', 'ad-code-manager' ); ?></label>
<label for="provider"><?php esc_html_e( 'Select a provider:', 'ad-code-manager' ); ?></label>
<select name="provider" id="provider">
<?php $current_provider = $this->get_option( 'provider' );
foreach ( $this->providers as $slug => $provider ) :
Expand All @@ -81,7 +81,7 @@
</div>
<?php endif; ?>
<h3><?php _e( 'Add New Ad Code', 'ad-code-manager' ); ?></h3>
<form id="add-adcode" method="POST" action="<?php echo admin_url( 'admin-ajax.php' ); ?>" class="validate">
<form id="add-adcode" method="POST" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>" class="validate">
<input type="hidden" name="action" value="acm_admin_action" />
<input type="hidden" name="method" value="add" />
<input type="hidden" name="priority" value="10" />
Expand All @@ -102,8 +102,8 @@
if ( isset( $arg['type'] ) && 'select' == $arg['type'] ) :
?>
<div class="form-field form-required">
<label for="<?php echo esc_attr( $column_id ) ?>"><?php echo esc_html( $arg['label'] ) ?></label>
<select name="<?php echo esc_attr( $column_id ) ?>" id="<?php echo esc_attr( $column_id ) ?>" aria-required="<?php echo $arg['required'] ?>">
<label for="<?php echo esc_attr( $column_id ); ?>"><?php echo esc_html( $arg['label'] ); ?></label>
<select name="<?php echo esc_attr( $column_id ); ?>" id="<?php echo esc_attr( $column_id ); ?>" aria-required="<?php echo esc_attr( $arg['required'] ); ?>">
<?php foreach ( $arg['options'] as $value => $label ) : ?>
<option value="<?php echo esc_attr( $value ); ?>"><?php echo esc_html( $label ); ?></option>
<?php endforeach; ?>
Expand All @@ -113,8 +113,8 @@
else : // field_type conditional
?>
<div class="form-field form-required">
<label for="<?php echo esc_attr( $column_id ) ?>"><?php echo esc_html( $arg['label'] ) ?></label>
<input name="<?php echo esc_attr( $column_id ) ?>" id="<?php echo esc_attr( $column_id ) ?>" type="text" value="" size="40" aria-required="<?php echo $arg['required'] ?>">
<label for="<?php echo esc_attr( $column_id ); ?>"><?php echo esc_html( $arg['label'] ); ?></label>
<input name="<?php echo esc_attr( $column_id ); ?>" id="<?php echo esc_attr( $column_id ); ?>" type="text" value="" size="40" aria-required="<?php echo esc_attr( $arg['required'] ); ?>">
</div>
<?php
endif;
Expand All @@ -126,11 +126,11 @@
<div class="conditional-single-field" id="conditional-single-field-master">
<div class="conditional-function">
<select name="acm-conditionals[]">
<option value=""><?php _e( 'Select conditional', 'ad-code-manager' ); ?></option>
<option value=""><?php esc_html_e( 'Select conditional', 'ad-code-manager' ); ?></option>
<?php
foreach ( $this->whitelisted_conditionals as $key ):
?>
<option value="<?php echo esc_attr( $key ) ?>"><?php echo esc_html( ucfirst( str_replace( '_', ' ', $key ) ) ) ?></option>
<option value="<?php echo esc_attr( $key ); ?>"><?php echo esc_html( ucfirst( str_replace( '_', ' ', $key ) ) ); ?></option>
<?php endforeach; ?>
</select>
</div>
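Review bot: The first hunk switches the provider label to `esc_html_e()` but leaves `_e( 'Configuration', 'ad-code-manager' )` two lines above it unescaped, and the second hunk leaves `_e( 'Add New Ad Code', 'ad-code-manager' )` the same way, so the template is now inconsistent and the escaping sniff will presumably still flag those headings. Use the escaped form on both: `<h3><?php esc_html_e( 'Configuration', 'ad-code-manager' ); ?></h3>` and `<h3><?php esc_html_e( 'Add New Ad Code', 'ad-code-manager' ); ?></h3>`. The surrounding template markup starts and ends outside the hunks.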
1 change: 0 additions & 1 deletion providers/google-adsense.php
Expand Up @@ -193,4 +193,3 @@ function column_tag( $item ) {
return $output;
}
}
?>