Closed
Labels
enhancement (New feature or request)
Description
We need to make sure the code base passes the plugin check run by wp.org before we can submit the plugin for inclusion in the repository.
It will be run as part of the review process, or we can run it ourselves with the plugin.
Basically it runs phpcs and reports any security problems. I find it easier just to run vendor/bin/phpcs as configured in the project to find security problems. I already fixed most of the escaping-related ones but there are more to do.
Steps to complete this issue:
- Run vendor/bin/phpcs
- Review WordPress.Security.EscapeOutput errors
  - Add esc_html, esc_attr, esc_url, or wp_kses if appropriate. Use `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` if the output really doesn't need escaping.
- Review WordPress.Security.NonceVerification errors
  - Add a nonce check if needed. If the request makes any changes to the database or state then a check is needed; otherwise add `// phpcs:ignore WordPress.Security.NonceVerification`.
- Review WordPress.Security.ValidatedSanitizedInput errors
  - Sanitize all user inputs. Usually this looks like `sanitize_text_field(wp_unslash($_SERVER['HTTP_USER_AGENT'] ?? ''))`, but the sanitize function should match the type of input expected.
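As an added example (not code from this issue or from the plugin itself), a small settings handler written so that the three WordPress.Security sniffs listed above pass. The myplugin_* function, option and field names are placeholders chosen for the example.

```php
<?php
// Added example, not the project's own code. myplugin_* names are placeholders.

// Output side (EscapeOutput): every dynamic value is escaped for the context it lands in.
function myplugin_render_form( $label, $url, $count ) {
	?>
	<form method="post">
		<?php wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ); ?>
		<label for="myplugin_label"><?php echo esc_html( $label ); ?></label>
		<input id="myplugin_label" name="myplugin_label" type="text"
		       value="<?php echo esc_attr( $label ); ?>">
		<a href="<?php echo esc_url( $url ); ?>">Link</a>
		<input name="myplugin_count" type="number" value="<?php echo (int) $count; ?>">
		<button type="submit">Save</button>
	</form>
	<?php
}

// Input side (NonceVerification + ValidatedSanitizedInput): this request changes
// state, so the nonce is verified before anything in $_POST is trusted, and each
// field is sanitized with a function matching its expected type.
function myplugin_handle_save() {
	$nonce = isset( $_POST['myplugin_nonce'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_nonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'myplugin_save' ) ) {
		wp_die( 'Invalid request.' );
	}
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.' );
	}
	$label = sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ?? '' ) ); // free text
	$url   = esc_url_raw( wp_unslash( $_POST['myplugin_url'] ?? '' ) );           // URL for storage
	$count = absint( $_POST['myplugin_count'] ?? 0 );                             // non-negative int

	update_option( 'myplugin_settings', compact( 'label', 'url', 'count' ) );
}

// Read-only request: a GET filter that changes nothing, so no nonce is required.
// The sniff is silenced explicitly, as the issue suggests, but the value is still sanitized.
function myplugin_current_filter() {
	// phpcs:ignore WordPress.Security.NonceVerification
	return sanitize_key( wp_unslash( $_GET['myplugin_filter'] ?? '' ) );
}
```

Running vendor/bin/phpcs over this file should report no WordPress.Security errors; swapping esc_attr for esc_html on the value attribute, or removing the wp_verify_nonce check, makes the corresponding sniff fire.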