

Timestamp:
01/16/2019 03:36:24 PM (5 years ago)
Author:
vedjain
Message:

WCPT: Applies code standard changes to wcpt plugin.

Most of the changes are small, but these are some important ones:

  1. Added nonce check in multiple places. This will ensure that request is always coming from the intended page.
  1. Escaped output HTML in many places. These are not necessarily XSS vulnerabilities, and in most places the output was hardcoded. But it's good practice to always escape regardless of source.

Summary:

  • wcpt-event/class-event-admin.php
    • Added nonce check in metabox_save.
    • Escaped output in dislpay_meta_boxes
  • wcpt-event/class-event-application.php
    • Change definition of submit_application to pass $POST arguments
  • wcpt-loader.php
    • Indent whole file by 1 indent.
  • wcpt-meetup/class-meetup-admin.php
    • Added nonce check in maybe_update_meetup_data
  • wcpt-wordcamp/wordcamp-admin.php
    • Escaping in user_profile_wordcamp, column_data
    • Escaping using kses in post_row_actions
    • Use post_data_raw instead of $_POST in enforce_post_status
File:
1 edited

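--- a/sites/trunk/wordcamp.org/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-application.php
+++ b/sites/trunk/wordcamp.org/public_html/wp-content/plugins/wcpt/wcpt-event/class-event-application.php
@@ -53,5 +53,5 @@
 
     /**
-     * Render the output the of the [meetup-organizer-application] shortcode.
+     * Render the output the of the application forms shortcode.
      *
      * @todo Use force_login_to_view_form() and populate_form_based_on_user().
@@ -62,6 +62,7 @@
         ob_start();
 
+        // phpcs:ignore WordPress.Security.NonceVerification.Missing -- We do not verify nonce for frontend forms because WP Super Cache may cache an expired nonce token.
         if ( isset( $_POST['submit-application'] ) ) {
-            $this->submit_application();
+            $this->submit_application( $_POST );
         } else {
             $countries = wcorg_get_countries();
@@ -83,7 +84,9 @@
     /**
      * Submit application details. Calls `create_post` to actually create the event.
-     */
-    public function submit_application() {
-        $application_data = $this->validate_data( $_POST );
+     *
+     * @param array $post_data Form params.
+     */
+    public function submit_application( $post_data ) {
+        $application_data = $this->validate_data( $post_data );
 
         if ( $this->is_rate_limited() ) {
@@ -96,6 +99,6 @@
             $this->create_post( $application_data );
             $this->notify_applicant_application_received(
-                    $this->get_organizer_email(),
-                    $this->get_event_location()
+                $this->get_organizer_email(),
+                $this->get_event_location()
             );
 
@@ -223,8 +226,9 @@
         $message = sprintf(
             __(
-                "Thank you for applying to organize a %s in %s! We'll send you a follow-up e-mail once we've had a chance to review your application.",
+                "Thank you for applying to organize a %1\$s in %2\$s! We'll send you a follow-up e-mail once we've had a chance to review your application.",
                 'wpct'
             ),
-            $this->get_event_label(), sanitize_text_field( $event_city )
+            $this->get_event_label(),
+            sanitize_text_field( $event_city )
         );
 
@@ -238,24 +242,25 @@
 
         // Not translating because this will be sent to community events slack channel.
-        $message = sprintf( "A %s application for %s has been received.", $this->get_event_label(), $this->get_event_location() );
+        $message = sprintf( 'A %s application for %s has been received.', $this->get_event_label(), $this->get_event_location() );
 
         $public_report_url = $this->get_application_report_url();
         if ( isset( $public_report_url ) ) {
             // `<%s|here> is syntax for slack message to hyperlink text `here` with url provided in `%s`
-            $message = sprintf( "%s Public status can be followed on <%s|%s application report page>.", $message, $public_report_url, $this->get_event_label() );
+            $message = sprintf( '%s Public status can be followed on <%s|%s application report page>.', $message, $public_report_url, $this->get_event_label() );
         }
 
         $default_status = $this->get_default_status();
-        $queue_size = wp_count_posts( $post_type=$this->get_event_type() )->$default_status;
+        $queue_size = wp_count_posts( $this->get_event_type() )->$default_status;
         if ( isset( $queue_size ) ) {
             $singular = "is $queue_size application";
             $plural   = "are $queue_size applications";
             $message = sprintf(
-                    "%s\n _There %s in vetting queue._",
-                    $message,
-                    1 === $queue_size ? $singular : $plural );
-        }
-
-        $attachment = create_event_attachment( $message,  sprintf( "New %s application ", $this->get_event_label() ) );
+                "%s\n _There %s in vetting queue._",
+                $message,
+                1 === $queue_size ? $singular : $plural
+            );
+        }
+
+        $attachment = create_event_attachment( $message,  sprintf( 'New %s application ', $this->get_event_label() ) );
         return wcpt_slack_notify( COMMUNITY_TEAM_SLACK, $attachment );
     }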
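Review bot: The strict comparison `1 === $queue_size ? $singular : $plural` in the last hunk is likely never true: `$queue_size` is read as a property of the object returned by `wp_count_posts()`, and if that count arrives as a numeric string from the database row (as I believe it does, though the helper is outside the hunk) the `===` against the int `1` always picks `$plural`, so the Slack text would read "are 1 applications". Casting before comparing, `1 === (int) $queue_size ? $singular : $plural`, keeps the strict comparison the coding standard wants while making the singular branch reachable. The enclosing method starts outside this hunk, and the same cast would also make `isset( $queue_size )` the only remaining check worth a second look, since a missing status key yields null rather than 0. Separately, the new `submit_application( $post_data )` signature documents `@param array` but carries no `array` type declaration; adding it would reject a non-array caller at the boundary instead of inside `validate_data()`.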