Skip to content

fix: resolve Plugin Check input-handling warnings#18

Open
faisalahammad wants to merge 1 commit into
barn2plugins:mainfrom
faisalahammad:fix/plugin-check-warnings
Open

fix: resolve Plugin Check input-handling warnings#18
faisalahammad wants to merge 1 commit into
barn2plugins:mainfrom
faisalahammad:fix/plugin-check-warnings

Conversation

@faisalahammad

Copy link
Copy Markdown

Summary

Resolves the input-handling warnings from a WordPress.org Plugin Check report that fall inside our codebase. The remaining warnings in the report are in phpScoper-scoped vendored code under dependencies/ or dev-only tests/, so they are left untouched.

Fixes #N/A

Changes

src/Simple_Document_Library.php

Before:

$draw   = isset( $_POST['draw'] ) ? intval( $_POST['draw'] ) : 1;
$order  = isset( $_POST['order'] ) && is_array( $_POST['order'] ) ? $_POST['order'] : [];

After:

$draw   = isset( $_POST['draw'] ) ? intval( wp_unslash( $_POST['draw'] ) ) : 1;
$order  = isset( $_POST['order'] ) && is_array( $_POST['order'] ) ? wp_unslash( $_POST['order'] ) : [];

Why: AJAX table paging/sort/search reads $_POST without wp_unslash(), inconsistent with the file's own pattern. The order array is now range-checked against the columns list and sort_order only accepts asc/desc. Nonce is still verified at the dll_load_posts route, so no change there.

src/Admin/Settings.php

Before:

$option_page = isset( $_REQUEST['option_page'] ) ? sanitize_key( $_REQUEST['option_page'] ) : '';

After:

$option_page = isset( $_REQUEST['option_page'] )
    ? sanitize_key( wp_unslash( $_REQUEST['option_page'] ) )
    : '';

Why: $_REQUEST['option_page'] was read raw with no wp_unslash(). WP core already verifies the options nonce in options.php before this callback runs, so the nonce warning is a false positive; the raw read was the real gap.

src/Admin/Metabox/Document_Link.php

Before:

if ( ! isset( $_POST['dll_document_link_nonce'] ) || ! wp_verify_nonce( $_POST['dll_document_link_nonce'], 'dll_save_document_link' ) ) {

After:

if ( ! isset( $_POST['dll_document_link_nonce'] ) || ! wp_verify_nonce( wp_unslash( $_POST['dll_document_link_nonce'] ), 'dll_save_document_link' ) ) {

Why: The nonce check, capability check, and autosave guard were already correct. Only the input read needed the WP-standard wp_unslash().

Testing

Test 1: AJAX table paging, sort, and search

  1. Add [doc_library lazy_load="true"] to a page with several documents.
  2. Load the page and use pagination, column sort, and the search box.
    Result: works with no PHP warnings in the log.

Test 2: Settings save

  1. WP admin > Documents > Settings, change a value on any tab, save.
    Result: setting persists, no PHP warning on save.

Test 3: Document metabox save

  1. Edit a dlp_document, change the document link type, save.
    Result: metabox value persists, no PHP warning on save.

Screenshots

Not applicable (no visible UI changes).

Unslash and sanitize superglobal reads flagged by WordPress.org Plugin Check
in our own code. Vendored dependencies/ and dev-only tests/ were left untouched.

- Simple_Document_Library::get_table() now wp_unslash()'s the DataTables AJAX
  POST params and validates the order array (scalar column index range-checked
  against the column list, sort direction restricted to asc/desc).
- Settings::sanitize_shortcode_settings() guards, unslashes and sanitize_key()'s
  the option_page request var.
- Document_Link::save() unslashes the nonce before wp_verify_nonce().

Skipped: ~56 warnings in phpScoper-scoped vendor libraries, test scaffolding,
the core the_content hook, and the intentional taxonomy tax_query. The
readme.txt mismatched_plugin_name item is intentionally excluded from this build.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant