Timestamp:
01/16/2019 03:36:24 PM (5 years ago)
Author:
vedjain
Message:

WCPT: Applies code standard changes to wcpt plugin.

Most of the changes are small, but these are some important ones:

  1. Added nonce check in multiple places. This will ensure that the request is always coming from the intended page.
  1. Escaped output HTML in many places. These are not necessarily XSS vulnerabilities, and in most places the values were hardcoded. But it's good practice to always escape regardless of source.

Summary:

  • wcpt-event/class-event-admin.php
    • Added nonce check in metabox_save.
    • Escaped output in dislpay_meta_boxes
  • wcpt-event/class-event-application.php
    • Change definition of submit_application to pass $POST arguments
  • wcpt-loader.php
    • Indent whole file by 1 indent.
  • wcpt-meetup/class-meetup-admin.php
    • Added nonce check in maybe_update_meetup_data
  • wcpt-wordcamp/wordcamp-admin.php
    • Escaping in user_profile_wordcamp, column_data
    • Escaping using kses in post_row_actions
    • Use post_data_raw instead of $_POST in enforce_post_status
File:
1 edited

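--- a/sites/trunk/wordcamp.org/public_html/wp-content/plugins/wcpt/wcpt-meetup/class-meetup-admin.php
+++ b/sites/trunk/wordcamp.org/public_html/wp-content/plugins/wcpt/wcpt-meetup/class-meetup-admin.php
@@ -120,4 +120,5 @@
         /**
          * Checks if a field is read only.
+         *
          * @param string $key Name of the field.
          *
@@ -168,6 +169,6 @@
          * TODO: Remove quickedit action.
          *
-         * @param $actions
-         * @param $post
+         * @param array   $actions
+         * @param WP_Post $post
          *
          * @return mixed
@@ -296,14 +297,14 @@
                 $last_synced_on = 'Never';
             } else {
-                $last_synced_on = date( "Y-m-d",  substr( $last_synced_on, 0, 10 ) );
+                $last_synced_on = date( 'Y-m-d',  substr( $last_synced_on, 0, 10 ) );
             }
             ?>
             <div class="wcb submitbox">
                 <div class="misc-pub-section">
-                    <label>Last sync: <?php echo $last_synced_on ?></label>
+                    <label>Last sync: <?php echo esc_html( $last_synced_on ); ?></label>
                 </div>
                 <div class="misc-pub-section">
                     <label>
-                        <input type="checkbox" name="<?php echo $element_name ?>" >
+                        <input type="checkbox" name="<?php echo esc_html( $element_name ); ?>" >
                         Sync Now
                     </label>
@@ -316,13 +317,13 @@
          * Updates meetup fields using meetup.com API only if Sync now checkbox is checked.
          *
-         * @param int   $post_id
-         * @param array $original_meta_values
-         */
-        public function maybe_update_meetup_data( $post_id ){
+         * @param int $post_id
+         */
+        public function maybe_update_meetup_data( $post_id ) {
             if ( $this->get_event_type() !== get_post_type() ) {
                 return;
             }
 
-            $should_sync = $_POST[ 'sync_with_meetup_api' ] ?? false;
+            //phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verified in `metabox_save` in class-event-admin.php.
+            $should_sync = $_POST['sync_with_meetup_api'] ?? false;
             if ( ! $should_sync ) {
                 return;
@@ -340,5 +341,5 @@
          * Update meetup fields using meetup.com API
          *
-         * @param $post_id
+         * @param int $post_id
          *
          * @return array|WP_Error
@@ -350,5 +351,5 @@
             $parsed_url = wp_parse_url( $meetup_url, -1 );
 
-            if( ! $parsed_url ) {
+            if ( ! $parsed_url ) {
                 return new WP_Error( 'invalid-url', __('Provided Meetup URL is not a valid URL.', 'wordcamporg' ) );
             }
@@ -391,10 +392,10 @@
                 foreach ( $group_leads as $event_host ) {
                     if ( WCPT_WORDPRESS_MEETUP_ID === $event_host['id'] ) {
-                        // Skip WordPress admin user
+                        // Skip WordPress admin user.
                         continue;
                     }
                     $event_hosts[] = array(
-                            'name' => $event_host['name'],
-                            'id'   => $event_host['id'],
+                        'name' => $event_host['name'],
+                        'id'   => $event_host['id'],
                     );
                 }
@@ -406,5 +407,4 @@
             update_post_meta( $post_id, 'Meetup group created on', $group_details['created'] / 1000 );
 
-
             if ( isset( $group_details['last_event'] ) && is_array( $group_details['last_event'] ) ) {
                 update_post_meta( $post_id, 'Number of past meetups', $group_details['past_event_count'] );
@@ -423,5 +423,5 @@
          * @param array $original_data
          */
-        public function meetup_organizers_changed( $post_id, $original_data ){
+        public function meetup_organizers_changed( $post_id, $original_data ) {
             global $post;
 
@@ -509,5 +509,5 @@
          * Send notification when a new Meetup groups is added to the chapter.
          *
-         * @param WP_Post $meetup Meetup post object
+         * @param WP_Post $meetup Meetup post object.
          *
          * @return bool|string
@@ -519,5 +519,5 @@
             $organizer_slack = get_post_meta( $meetup->ID, 'Slack', true );
             $meetup_link     = get_post_meta( $meetup->ID, 'Meetup URL', true );
-            $title           = "New meetup group added";
+            $title           = 'New meetup group added';
 
             $message = sprintf(
@@ -557,6 +557,6 @@
          * Helper method which triggers action `update_meetup_organizers`
          *
-         * @param $organizers
-         * @param $post
+         * @param array   $organizers
+         * @param WP_Post $post
          */
         protected function update_meetup_organizers( $organizers, $post ) {
@@ -580,13 +580,13 @@
                 'invalid-response'   => array(
                     'type'   => 'notice',
-                    'notice' => __( 'Received invalid response from Meetup API. Please make sure Meetup URL is correct, or try again after some time.', 'wordcamporg' )
+                    'notice' => __( 'Received invalid response from Meetup API. Please make sure Meetup URL is correct, or try again after some time.', 'wordcamporg' ),
                 ),
                 'group_error'        => array(
                     'type'   => 'notice',
-                    'notice' => __( 'Received invalid response from Meetup API. Please make sure Meetup URL is correct, or try again after some time.', 'wordcamporg' )
+                    'notice' => __( 'Received invalid response from Meetup API. Please make sure Meetup URL is correct, or try again after some time.', 'wordcamporg' ),
                 ),
                 'http_response_code' => array(
                     'type'   => 'notice',
-                    'notice' => __( 'Received invalid response code from Meetup API. Please make sure Meetup URL is correct, or try again after some time.', 'wordcamporg' )
+                    'notice' => __( 'Received invalid response code from Meetup API. Please make sure Meetup URL is correct, or try again after some time.', 'wordcamporg' ),
                 ),
             );
@@ -597,5 +597,5 @@
          * Render list of co-organizer of meetup linking to their profile on meetup.com
          *
-         * @param string $key Name of meetup field. Should be 'Meetup Co-organizer names'
+         * @param string $key Name of meetup field. Should be 'Meetup Co-organizer names'.
          */
         public function render_co_organizers_list( $key ) {
@@ -605,7 +605,7 @@
             }
             $organizers = get_post_meta( $post_id, $key, true );
-            if ( isset ( $organizers ) && is_array( $organizers ) ) {
+            if ( isset( $organizers ) && is_array( $organizers ) ) {
                 $group_slug = get_post_meta( $post_id, 'Meetup URL', true );
-                if ( empty ( $group_slug ) ) {
+                if ( empty( $group_slug ) ) {
                     echo 'Invalid Meetup Group URL';
                     return;
@@ -625,5 +625,5 @@
                 echo '</ul>';
             } else {
-                echo __( 'No meetup organizers set.', 'wordcamp.org' );
+                esc_html_e( 'No meetup organizers set.', 'wordcamp.org' );
             }
         }
@@ -742,10 +742,12 @@
          */
         public static function meetup_api_sync() {
-            $query = new WP_Query( array(
-                'post_type'   => self::get_event_type(),
-                'post_status' => 'wcpt-mtp-active',
-                'fields'      => 'ids',
-                'posts_per_page' => -1,
-            ) );
+            $query = new WP_Query(
+                array(
+                    'post_type'      => self::get_event_type(),
+                    'post_status'    => 'wcpt-mtp-active',
+                    'fields'         => 'ids',
+                    'posts_per_page' => - 1,
+                )
+            );
 
             $new_meetup_org_data = array();
@@ -769,5 +771,5 @@
                 }
 
-                if ( empty ( $new_ids ) ) {
+                if ( empty( $new_ids ) ) {
                     continue;
                 }
@@ -802,5 +804,5 @@
             $count = 0;
             foreach ( $new_meetup_org_data as $post_id => $new_meetup_org ) {
-                $count += 1;
+                $count ++;
                 $title = get_the_title( $post_id );
                 $meetup_tracker_url = get_site_url() . "/wp-admin/post.php?post=$post_id&action=edit";
@@ -813,7 +815,7 @@
                     $meetup_members[] = "<a href='$meetup_group_url/members/$organizer_id' target='_blank' rel='noreferrer' >$organizer_name</a>";
                 }
-                $template = $template . join( ', ', $meetup_members ) . "<br>";
-
-                // Add a tag for meetup
+                $template = $template . join( ', ', $meetup_members ) . '<br>';
+
+                // Add a tag for meetup.
                 wp_set_object_terms( $post_id, 'Needs to update Organizer list', 'meetup_tags', true );
             }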
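Review bot: The `//phpcs:ignore WordPress.Security.NonceVerification.Missing` line added above `$should_sync = $_POST['sync_with_meetup_api'] ?? false;` in maybe_update_meetup_data only silences the sniff; no verification is added in this method even though the commit message says a nonce check was added here, and the comment defers to `metabox_save` in a different file. If this public method is also attached to a save hook on its own (not visible in the hunk), a cross-site forged POST from a logged-in user would trigger a Meetup API sync and meta update without any nonce, so either call `wp_verify_nonce()` on the same nonce field before reading `$_POST`, or change the comment to state that the method is only ever invoked from `metabox_save` and why. In the metabox markup, `name="<?php echo esc_html( $element_name ); ?>"` is an attribute context and should be `name="<?php echo esc_attr( $element_name ); ?>"`. Both maybe_update_meetup_data and the metabox rendering method continue outside their hunks.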