More escaping (#62)

* More phpcs for escaping
* Update recaptcha code to not add extra parameter
* Remove or fix a few old ignore statements
* Include an excluded file from phpcs
* phpstan and syntax fixes
* Fix php 8 undefined property
* Use awpcp.min.js if src is not available

Gruntfile.js

@@ -52,7 +52,7 @@ module.exports = function( grunt ) {
 					'**/*', '!**/*~', '!**/**.less', '!**/less/**', '!**/**.css.map',
 					'!**/.*', '!phpcs.xml', '!composer.json', '!**/**.sh',
 					'!composer.lock', '!grunt/**', '!Gruntfile.js',
-					'!**/*.src.js',
+					'!**/*.src.js', '!**/stubs.php', '!**/**.neon',
 					'!node_modules/**', '!package.json', '!package-lock.json',
 					'!phpunit.xml', '!Pipfile*', '!tasks.py',
 					'!Vagrantfile', '!tests/**', '!bin/**', '!vendor/**',

README.TXT

@@ -2,7 +2,7 @@
 Plugin Name: WordPress Classifieds Plugin - Ad Directory & Listings by AWP Classifieds
 Contributors: awpcp, sswells, srwells
 Tags: listings, classified ads, classified, classifieds, directory plugin, classifieds script, classified theme, wp classified, ads
-Requires at least: 4.9
+Requires at least: 6.2.0
 Requires PHP: 5.6
 Tested up to: 6.4.3
 Stable tag: 4.3.2

admin/admin-panel-credit-plans-table.php

@@ -123,9 +123,12 @@ public function column_price($item) {
 
     public function single_row($item) {
         static $row_class = '';
-        $row_class = ( $row_class == '' ? ' class="alternate"' : '' );
+        $row_class = $row_class === '' ? 'alternate' : '';
 
-        echo '<tr id="credit-plan-' . esc_attr( $item->id ) . '" data-id="' . esc_attr( $item->id ) . '"' . $row_class . '>';
+        echo '<tr id="credit-plan-' . esc_attr( $item->id ) . '" data-id="' . esc_attr( $item->id ) . '"';
+        echo ' class="' . esc_attr( $row_class ) . '"';
+        echo '>';
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
         echo $this->single_row_columns( $item );
         echo '</tr>';
     }

admin/admin-panel-fees-table.php

@@ -271,9 +271,12 @@ public function column_private($item) {
 
     public function single_row($item) {
         static $row_class = '';
-        $row_class = ( $row_class == '' ? ' class="alternate"' : '' );
+        $row_class = $row_class === '' ? 'alternate' : '';
 
-        echo '<tr id="fee-' . esc_attr( $item->id ) . '" data-id="' . esc_attr( $item->id ) . '"' . $row_class . '>';
+        echo '<tr id="fee-' . esc_attr( $item->id ) . '" data-id="' . esc_attr( $item->id ) . '"';
+        echo ' class="' . esc_attr( $row_class ) . '"';
+        echo '>';
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
         echo $this->single_row_columns( $item );
         echo '</tr>';
     }

admin/admin-panel.php

@@ -406,21 +406,11 @@ public function notices() {
 		if ( $show_quick_start_quide_notice && is_awpcp_admin_page() && ! $show_drip_autoresponder ) {
             wp_enqueue_style( 'awpcp-admin-style' );
 
-			ob_start();
-				include(AWPCP_DIR . '/admin/templates/admin-quick-start-guide-notice.tpl.php');
-				$html = ob_get_contents();
-			ob_end_clean();
-
-			echo $html;
+			include AWPCP_DIR . '/admin/templates/admin-quick-start-guide-notice.tpl.php';
 		}
 
 		if (get_awpcp_option('show-widget-modification-notice')) {
-			ob_start();
-				include(AWPCP_DIR . '/admin/templates/admin-widget-modification-notice.tpl.php');
-				$html = ob_get_contents();
-			ob_end_clean();
-
-			echo $html;
+			include AWPCP_DIR . '/admin/templates/admin-widget-modification-notice.tpl.php';
 		}
 
         if ( awpcp_get_var( array( 'param' => 'action' ) ) === 'awpcp-manage-credits' ) {
@@ -472,14 +462,7 @@ private function get_message_for_blocking_manual_upgrade_notice() {
     private function load_notice_for_manual_upgrades( $message ) {
         wp_enqueue_style( 'awpcp-admin-style' );
 
-        ob_start();
-            include( AWPCP_DIR . '/admin/templates/admin-pending-manual-upgrade-notice.tpl.php' );
-            $html = ob_get_contents();
-        ob_end_clean();
-
-        echo $html;
-
-        return;
+        include AWPCP_DIR . '/admin/templates/admin-pending-manual-upgrade-notice.tpl.php';
     }
 
     private function load_notice_for_non_blocking_manual_uprades() {

admin/categories/class-delete-categories-admin-page.php

@@ -21,6 +21,7 @@ class AWPCP_Delete_Categories_Admin_Page {
     private $categories_logic;
     private $categories;
     private $request;
+    protected $router;
 
     public function __construct( $categories_logic, $categories, $router, $request ) {
         $this->categories_logic = $categories_logic;

admin/class-csv-exporter.php

@@ -35,6 +35,7 @@ class AWPCP_CSVExporter {
     private $exported = 0;
     private $listing;
     private $listing_data;
+    private $images_archive;
 
     public function __construct( $settings, $settings_api, $workingdir = null, $listings = array() ) {
         $this->settings     = array_merge( $this->settings, $settings );
@@ -300,7 +301,7 @@ private function prepare_images() {
                     continue;
                 }
 
-                $this->images_archive = ( ! isset( $this->images_archive ) ) ? $this->get_pclzip_instance( $this->workingdir . 'images.zip' ) : $this->images_archive;
+                $this->images_archive = $this->images_archive === null ? $this->get_pclzip_instance( $this->workingdir . 'images.zip' ) : $this->images_archive;
                 $success              = $this->images_archive->add( $img_path, PCLZIP_OPT_REMOVE_ALL_PATH );
                 if ( $success ) {
                     $images[] = basename( $img_path );

admin/class-export-settings-admin-page.php

@@ -43,6 +43,11 @@ class AWPCP_Export_Settings_Admin_Page {
      */
     private $template_renderer;
 
+    /**
+     * @var Request
+     */
+    private $request;
+
     /**
      * Constructor.
      */
@@ -66,6 +71,7 @@ public function on_admin_init() {
         header( 'Content-Disposition: attachment; filename=' . $filename );
         header( 'Content-Type: application/json; charset=' . get_option( 'blog_charset' ), true );
 
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
         echo $this->settings_reader->read_all();
 
         exit();

admin/class-import-listings-admin-page.php

@@ -28,6 +28,7 @@ public function enqueue_scripts() {
 	}
 
     public function dispatch() {
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
         echo $this->handle_request();
     }
 

admin/class-missing-paypal-merchant-id-setting-notice.php

@@ -40,6 +40,7 @@ public function maybe_show_notice() {
             return;
         }
 
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
         echo $this->render_notice();
     }
 

admin/fees/class-fees-admin-page.php

@@ -146,9 +146,9 @@ public function transfer() {
             'fees' => AWPCP_Fee::query(),
         );
 
-        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
         $template = AWPCP_DIR . '/admin/templates/admin-panel-fees-delete.tpl.php';
 
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
         echo $this->render( $template, $params );
     }
 

admin/form-fields/class-form-fields-table.php

@@ -58,12 +58,14 @@ public function column_slug( $item ) {
 
     public function single_row( $item ) {
         static $row_class = '';
-
-        $row_class = ( $row_class === '' ? ' class="alternate"' : '' );
+        $row_class = $row_class === '' ? 'alternate' : '';
 
         // the 'field-' part in the id attribute is important. The jQuery UI Sortable plugin relies on that
         // to build a serialized string with the current order of fields.
-        echo '<tr id="field-' . esc_attr( $item->get_slug() ) . '" data-id="' . esc_attr( $item->get_slug() ) . '"' . $row_class . '>';
+        echo '<tr id="field-' . esc_attr( $item->get_slug() ) . '" data-id="' . esc_attr( $item->get_slug() ) . '"';
+        echo ' class="' . esc_attr( $row_class ) . '"';
+        echo '>';
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
         echo $this->single_row_columns( $item );
         echo '</tr>';
     }

admin/import/class-csv-importer-delegate.php

@@ -59,6 +59,9 @@ class AWPCP_CSV_Importer_Delegate {
     );
 
     private $messages = array();
+    protected $users_cache = array();
+    protected $options = array();
+    protected $extra_fields;
 
     public function __construct( $import_session, $columns, $listings_payments, $mime_types, $categories_logic, $categories, $listings_logic, $listings, $payments, $media_manager ) {
         $this->import_session    = $import_session;

admin/profile/class-user-profile-contact-information-controller.php

@@ -15,12 +15,7 @@ public function __construct( $request ) {
     public function show_contact_information_fields( $user ) {
         $profile = (array) get_user_meta( $user->ID, 'awpcp-profile', true );
 
-        ob_start();
-        include( AWPCP_DIR . '/templates/admin/profile/contact-information-fields.tpl.php' );
-        $content = ob_get_contents();
-        ob_end_clean();
-
-        echo $content;
+        include AWPCP_DIR . '/templates/admin/profile/contact-information-fields.tpl.php';
     }
 
     public function save_contact_information( $user_id ) {

admin/templates/admin-page.tpl.php

@@ -6,25 +6,28 @@
     <?php endif; ?>
 
         <?php
-            if ( $should_show_title ) {
-                $heading_params = array(
-                    'attributes' => array(
-                        'class' => 'awpcp-page-header',
-                    ),
-                    'content' => $page_title, // no need to escape; title() is allowed to output html
-                    'echo'       => true,
-                );
+        if ( $should_show_title ) {
+            $heading_params = array(
+                'attributes' => array(
+                    'class' => 'awpcp-page-header',
+                ),
+                'content' => $page_title, // no need to escape; title() is allowed to output html
+                'echo'       => true,
+            );
 
-                awpcp_html_admin_first_level_heading( $heading_params );
-            }
-        ?>
+            awpcp_html_admin_first_level_heading( $heading_params );
+        }
 
-        <?php $sidebar = $show_sidebar ? awpcp_admin_sidebar() : ''; ?>
-        <?php echo $sidebar; ?>
+        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+        echo $sidebar = $show_sidebar ? awpcp_admin_sidebar() : '';
+        ?>
 
 		<div class="awpcp-main-content <?php echo empty( $sidebar ) ? 'without-sidebar' : 'with-sidebar'; ?>">
             <div class="awpcp-inner-content">
-            <?php echo $content; ?>
+            <?php
+            // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+            echo $content;
+            ?>
             </div>
         </div>
 

admin/templates/admin-panel-credit-plans-entry-form.tpl.php

@@ -23,7 +23,7 @@
 
         <fieldset class="inline-edit-col-right"><div class="inline-edit-col">
                 <label><span class="title"><?php echo esc_html( __( 'Description', 'another-wordpress-classifieds-plugin' ) ); ?></span></label>
-                <textarea name="description" cols="54" rows="6"><?php echo stripslashes( awpcp_get_property( $entry, 'description' ) ) ?></textarea>
+                <textarea name="description" cols="54" rows="6"><?php echo esc_textarea( stripslashes( awpcp_get_property( $entry, 'description' ) ) ); ?></textarea>
         </fieldset>
 
         <p class="submit inline-edit-save">

admin/templates/admin-panel-credit-plans.tpl.php

@@ -6,8 +6,12 @@
 ?><div class="metabox-holder">
     <div class="awpcp-credit-system-settings-postbox postbox">
         <?php
-        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
-        echo awpcp_html_postbox_handle( array( 'content' => esc_html( __( 'Credit System Settings', 'another-wordpress-classifieds-plugin' ) ) ) );
+        awpcp_html_postbox_handle(
+            array(
+                'content' => __( 'Credit System Settings', 'another-wordpress-classifieds-plugin' ),
+                'echo'    => true,
+            )
+        );
         ?>
         <div class="inside">
         <form action="<?php echo esc_attr( admin_url( 'options.php' ) ); ?>" method="post">
@@ -32,7 +36,11 @@
 
     <?php $url = $page->url( array( 'action' => 'add-credit-plan' ) ); ?>
     <?php $label = __( 'Add Credit Plan', 'another-wordpress-classifieds-plugin' ); ?>
-    <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
-    <a class="add button-primary" title="<?php echo esc_attr( $label ); ?>" href="<?php echo esc_attr( $url ); ?>" accesskey="s"><?php echo esc_html( $label ); ?></a>
-    <?php echo $table->display(); ?>
+    <a class="add button-primary" title="<?php echo esc_attr( $label ); ?>" href="<?php echo esc_attr( $url ); ?>" accesskey="s">
+        <?php echo esc_html( $label ); ?>
+    </a>
+    <?php
+    // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+    echo $table->display();
+    ?>
 </form>