fix: resolve Plugin Check input-handling warnings#18
Open
faisalahammad wants to merge 1 commit into
Open
Conversation
Unslash and sanitize superglobal reads flagged by WordPress.org Plugin Check in our own code. Vendored dependencies/ and dev-only tests/ were left untouched. - Simple_Document_Library::get_table() now wp_unslash()'s the DataTables AJAX POST params and validates the order array (scalar column index range-checked against the column list, sort direction restricted to asc/desc). - Settings::sanitize_shortcode_settings() guards, unslashes and sanitize_key()'s the option_page request var. - Document_Link::save() unslashes the nonce before wp_verify_nonce(). Skipped: ~56 warnings in phpScoper-scoped vendor libraries, test scaffolding, the core the_content hook, and the intentional taxonomy tax_query. The readme.txt mismatched_plugin_name item is intentionally excluded from this build.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves the input-handling warnings from a WordPress.org Plugin Check report that fall inside our codebase. The remaining warnings in the report are in phpScoper-scoped vendored code under
dependencies/or dev-onlytests/, so they are left untouched.Fixes #N/A
Changes
src/Simple_Document_Library.php
Before:
After:
Why: AJAX table paging/sort/search reads
$_POSTwithoutwp_unslash(), inconsistent with the file's own pattern. Theorderarray is now range-checked against the columns list andsort_orderonly acceptsasc/desc. Nonce is still verified at thedll_load_postsroute, so no change there.src/Admin/Settings.php
Before:
After:
Why:
$_REQUEST['option_page']was read raw with nowp_unslash(). WP core already verifies the options nonce inoptions.phpbefore this callback runs, so the nonce warning is a false positive; the raw read was the real gap.src/Admin/Metabox/Document_Link.php
Before:
After:
Why: The nonce check, capability check, and autosave guard were already correct. Only the input read needed the WP-standard
wp_unslash().Testing
Test 1: AJAX table paging, sort, and search
[doc_library lazy_load="true"]to a page with several documents.Result: works with no PHP warnings in the log.
Test 2: Settings save
Result: setting persists, no PHP warning on save.
Test 3: Document metabox save
dlp_document, change the document link type, save.Result: metabox value persists, no PHP warning on save.
Screenshots
Not applicable (no visible UI changes).