Changeset 8085 for sites/trunk/wordcamp.org/public_html/wp-content/plugins/wcpt/wcpt-event/notification.php

Timestamp:

01/16/2019 03:36:24 PM (7 years ago)

Author:

vedjain

Message:

WCPT: Applies code standard changes to wcpt plugin.

Most of the changes are small, but these are some important ones:

1. Added nonce check in multiple places. This will ensure that request is always coming from the intended page.

2. Escaped output HTML in many places. These are not necessarily XSS vulnerabilities, and in most places they were hardcoded. But its a good practice to always escape regardless of source.

Summary:

• wcpt-event/class-event-admin.php
  • Added nonce check in metabox_save.
  • Escaped output in dislpay_meta_boxes

• wcpt-event/class-event-application.php
  • Change definition of submit_application to pass $POST arguments

• wcpt-loader.php
  • Indent whole file by 1 indent.

• wcpt-meetup/class-meetup-admin.php
  • Added nonce check in maybe_update_meetup_data

• wcpt-wordcamp/wordcamp-admin.php
  • Escaping in user_profile_wordcamp, column_data
  • Escaping using kses in post_row_actions
  • Use post_data_raw instead of $_POST in enforce_post_status

File:

• sites/trunk/wordcamp.org/public_html/wp-content/plugins/wcpt/wcpt-event/notification.php (modified) (7 diffs)

sites/trunk/wordcamp.org/public_html/wp-content/plugins/wcpt/wcpt-event/notification.php

@@ -5 +5 @@
 
 if ( defined( 'WPORG_SANDBOXED' ) && WPORG_SANDBOXED ) {
-    // If this is sandbox and then send notification of owner of sandbox (as long as sandbox username and slack username matches)
+    // If this is sandbox and then send notification of owner of sandbox (as long as sandbox username and slack username matches).
     if ( defined( 'SANDBOX_SLACK_USERNAME' ) ) {
         $slack_username = SANDBOX_SLACK_USERNAME;
     } else {
-        $slack_username = "@" . str_replace( array( '.dev.ord', '.dev' ), '', WPORG_SANDBOXED );
+        $slack_username = '@' . str_replace( array( '.dev.ord', '.dev' ), '', WPORG_SANDBOXED );
     }
     define( 'COMMUNITY_TEAM_SLACK', $slack_username );
@@ -22 +22 @@
  *
  * @param string $channel Name of the channel we want to send the notification to.
- * @param array  $attachment Attachment object
+ * @param array  $attachment Attachment object.
  *
  * @return bool|string
  */
-function wcpt_slack_notify ( $channel, $attachment ) {
+function wcpt_slack_notify( $channel, $attachment ) {
     if ( ! class_exists( 'Dotorg\Slack\Send' ) ) {
         return false;
@@ -44 +44 @@
  * See the structure of attachment here: https://api.slack.com/docs/message-attachments
  *
- * @param string $message Main text to send in the notification
- * @param string $event_label Label for the event. Would probably be one of `WordCamp` or `Meetup`.
+ * @param string $message Main text to send in the notification.
+ * @param string $title   Title of the notification.
  *
  * @return array
  */
-function create_event_attachment ( $message, $title ) {
+function create_event_attachment( $message, $title ) {
     // Not translating because this will be send to Slack.
     return array(
-        "title" => $title,
-        "text" => $message,
+        'title' => $title,
+        'text'  => $message,
     );
 }
 
+/**
+ * Returns an attachment object to customize notification for slack.
+ * See https://api.slack.com/docs/message-attachments
+ *
+ * @param string $message  Text that should be in the attachment.
+ * @param int    $event_id Post ID of the event. Will be used to gather props.
+ * @param string $title    TItle of the message.
+ *
+ * @return array
+ */
 function create_event_status_attachment( $message, $event_id, $title ) {
     $props = get_props_for_event( $event_id );
 
-    $props_string = implode( ", ", $props );
+    $props_string = implode( ', ', $props );
+
     return array(
-        "title" => $title,
-        "text" => $message,
-        "fields" => array(
+        'title'  => $title,
+        'text'   => $message,
+        'fields' => array(
             array(
                 "title" => "Application processed by",
@@ -82 +93 @@
  * @return array Array of usernames of people who have participated in vetting this application
  */
-function get_props_for_event ( $event_id ) {
+function get_props_for_event( $event_id ) {
     $user_ids = array();
 
@@ -97 +108 @@
     $user_nicenames = get_user_nicenames_from_ids( $user_ids );
 
-    // remove bot user `wordcamp`
+    // remove bot user `wordcamp`.
     $user_nicenames = array_diff( $user_nicenames, array( 'wordcamp' ) );
     return $user_nicenames;
@@ -105 +116 @@
  * Return user names for list of user ids provided in the function
  *
- * @param array $user_ids List of user_ids
+ * @param array $user_ids List of user_ids.
  *
  * @return array List of user nicenames
@@ -114 +125 @@
     }
 
-    $user_query = new WP_User_Query( array( 'include' => $user_ids, 'fields'  => array( 'user_nicename' ), ) );
+    $user_query = new WP_User_Query(
+        array(
+            'include' => $user_ids,
+            'fields'  => array( 'user_nicename' ),
+        )
+    );
 
     $users = $user_query->get_results();