Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

2.0 code cleanup #456

Merged
merged 7 commits into from
Dec 11, 2024
Merged

2.0 code cleanup #456

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
899f944
Removing the destinations uneeded functions.
krugazul Dec 11, 2024
6bf43de
Removing the uneeded general functions
krugazul Dec 11, 2024
2c447b8
Removing the uneeded function
krugazul Dec 11, 2024
54aea35
Removing the uneeded code.
krugazul Dec 11, 2024
15f831a
Fixing the code errors and removing functions.
krugazul Dec 11, 2024
5b25d2e
Fixing the PHPcs errors
krugazul Dec 11, 2024
736f34a
Fixing the fail nonce verification warning
krugazul Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file removed assets/img/placeholders/placeholder-post-750x350 copy.jpg
View file
Open in desktop
Binary file not shown.
1 change: 1 addition & 0 deletions includes/classes/admin/class-admin.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ public function allow_svgimg_types( $mimes ) {
* feature images
*/
public function change_attachment_field_button( $html ) {
// @phpcs:ignore WordPress.Security.NonceVerification.Recommended
if ( isset( $_GET['feature_image_text_button'] ) ) {
$html = str_replace( 'value="Insert into Post"', sprintf( 'value="%s"', esc_html__( 'Select featured image', 'tour-operator' ) ), $html );
}
Expand Down
9 changes: 7 additions & 2 deletions includes/classes/admin/class-settings.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,9 @@ class Settings {
public function __construct() {
$this->options = tour_operator()->options;

// @phpcs:ignore WordPress.Security.NonceVerification.Recommended
if ( isset( $_GET['welcome-page'] ) ) {
// @phpcs:ignore WordPress.Security.NonceVerification.Recommended
Comment on lines +48 to +50
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Image description CodeRabbit

While the use of @phpcs:ignore WordPress.Security.NonceVerification.Recommended is understandable to suppress warnings from PHP CodeSniffer, it's not a good practice to ignore nonce verification. Nonce verification is crucial for security as it helps protect against certain types of misuse, malicious or otherwise. Consider adding nonce verification here.

- // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
- if ( isset( $_GET['welcome-page'] ) ) {
-     // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ if ( isset( $_GET['welcome-page'] ) && check_admin_referer('welcome_nonce_action', 'welcome_nonce_field') ) {
      $display_page = sanitize_text_field( $_GET['welcome-page'] );
      $display_page = ! empty( $display_page ) ? $display_page : '';
  }

$display_page = sanitize_text_field( $_GET['welcome-page'] );
$display_page = ! empty( $display_page ) ? $display_page : '';
}
Expand Down Expand Up @@ -530,8 +532,9 @@ public function save_settings() {
if ( 'post_types' !== $section ) {
foreach ( $fields as $key => $field ) {
$save = '';
// @phpcs:ignore WordPress.Security.NonceVerification.Recommended
if ( isset( $_POST[ $key ] ) ) {
$save = $_POST[ $key ];
$save = sanitize_text_field( $_POST[ $key ] );
Comment on lines +535 to +537
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Image description CodeRabbit

Similar to the previous comment, ignoring nonce verification is not recommended. It's better to add nonce verification to enhance security.

- // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
- if ( isset( $_POST[ $key ] ) ) {
+ if ( isset( $_POST[ $key ] ) && check_admin_referer('post_nonce_action', 'post_nonce_field') ) {
      $save = sanitize_text_field( $_POST[ $key ] );
  } else if ( isset( $field['default'] ) ) {
      $save = $field['default'];
  }

} else if ( isset( $field['default'] ) ) {
$save = $field['default'];
}
Expand All @@ -551,8 +554,9 @@ public function save_settings() {
//Loop through each of the fields in the section.
foreach ( $fields as $key => $field ) {
$save = '';
// @phpcs:ignore WordPress.Security.NonceVerification.Recommended
if ( isset( $_POST[ $tab_index . '_' . $key ] ) ) {
$save = $_POST[ $tab_index . '_' . $key ];
$save = wp_unslash( $_POST[ $tab_index . '_' . $key ] );
Comment on lines +557 to +559
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Image description CodeRabbit

Again, ignoring nonce verification is not a good practice. Please consider adding nonce verification.

- // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
- if ( isset( $_POST[ $tab_index . '_' . $key ] ) ) {
+ if ( isset( $_POST[ $tab_index . '_' . $key ] ) && check_admin_referer('tab_nonce_action', 'tab_nonce_field') ) {
      $save = wp_unslash( $_POST[ $tab_index . '_' . $key ] );
  } else if ( isset( $field['default'] ) ) {
      $save = $field['default'];
  }

} else if ( isset( $field['default'] ) ) {
$save = $field['default'];
}
Expand All @@ -565,6 +569,7 @@ public function save_settings() {
if ( ! empty( $settings_values ) ) {
update_option( 'lsx_to_settings', $settings_values );

// @phpcs:ignore WordPress.Security.NonceVerification.Recommended
wp_safe_redirect( $_POST[ '_wp_http_referer' ] );
exit;
}
Expand Down
14 changes: 7 additions & 7 deletions includes/classes/blocks/class-bindings.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,47 +77,47 @@ public function register_block_bindings() {
register_block_bindings_source(
'lsx/post-connection',
array(
'label' => __( 'Post Connection', 'lsx-wetu-importer' ),
'label' => __( 'Post Connection', 'tour-operator' ),
'get_value_callback' => array( $this, 'post_connections_callback' )
)
);

register_block_bindings_source(
'lsx/post-meta',
array(
'label' => __( 'Post Meta', 'lsx-wetu-importer' ),
'label' => __( 'Post Meta', 'tour-operator' ),
'get_value_callback' => array( $this, 'post_meta_callback' )
)
);

register_block_bindings_source(
'lsx/tour-itinerary',
array(
'label' => __( 'Itinerary', 'lsx-wetu-importer' ),
'label' => __( 'Itinerary', 'tour-operator' ),
'get_value_callback' => array( $this, 'empty_callback' )
)
);

register_block_bindings_source(
'lsx/accommodation-units',
array(
'label' => __( 'Units', 'lsx-wetu-importer' ),
'label' => __( 'Units', 'tour-operator' ),
'get_value_callback' => array( $this, 'empty_callback' )
)
);

register_block_bindings_source(
'lsx/gallery',
array(
'label' => __( 'Gallery', 'lsx-wetu-importer' ),
'label' => __( 'Gallery', 'tour-operator' ),
'get_value_callback' => array( $this, 'empty_callback' )
)
);

register_block_bindings_source(
'lsx/map',
array(
'label' => __( 'Map', 'lsx-wetu-importer' ),
'label' => __( 'Map', 'tour-operator' ),
'get_value_callback' => array( $this, 'empty_callback' )
)
);
Expand Down Expand Up @@ -474,7 +474,7 @@ public function build_unit_field( $build = '', $field = '', $count = 1 ) {

switch ( $field ) {
case 'title':
$value = strip_tags( $rooms->item_title( '', '', false ) );
$value = wp_strip_all_tags( $rooms->item_title( '', '', false ) );
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Image description CodeRabbit

Good job replacing strip_tags with wp_strip_all_tags. The latter is more secure as it removes all HTML tags including script and style. This change enhances the security of your code.

- $value   = strip_tags( $rooms->item_title( '', '', false ) );
+ $value   = wp_strip_all_tags( $rooms->item_title( '', '', false ) );

$pattern = '/(<h[1-6]\s+[^>]*\bclass="[^"]*\bunit-title\b[^"]*"[^>]*>).*?(<\/h[1-6]>)/is';
break;

Expand Down
4 changes: 2 additions & 2 deletions includes/classes/blocks/class-patterns.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ public function __construct() {
public function register_block_category( $categories ) {
$categories[] = array(
'slug' => $this->category,
'title' => __( 'Tour Operator', 'lsx-tour-operator' )
'title' => __( 'Tour Operator', 'tour-operator' )
);
return $categories;
}
Expand All @@ -48,7 +48,7 @@ public function register_block_category( $categories ) {
public function register_block_pattern_category() {
register_block_pattern_category(
$this->category,
array( 'label' => __( 'Tour Operator', 'lsx-tour-operator' ) )
array( 'label' => __( 'Tour Operator', 'tour-operator' ) )
);
}

Expand Down
1 change: 1 addition & 0 deletions includes/classes/blocks/class-registration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -432,6 +432,7 @@ protected function post_ids_exist( $ids ) {
AND ID IN (%s)
AND post_status IN ('draft', 'publish')";

// @phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Image description CodeRabbit

The use of @phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared is a red flag. It's generally not a good practice to ignore warnings from static analysis tools like PHP CodeSniffer, especially when it comes to database queries where SQL injection vulnerabilities can occur.

Instead of ignoring the warning, you should properly prepare the SQL statement. The $wpdb->prepare() function should be used with placeholders for all variables in the query to prevent SQL injection attacks. However, since $ids is an array and IN clause is used in the SQL, you need to generate placeholders for each item in the array.

Here's how you can do it:

- AND ID IN (%s)
+ AND ID IN (" . implode(',', array_fill(0, count($ids), '%s')) . ")

- // @phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
- return (int) $wpdb->get_var( $wpdb->prepare( $query, $ids ) );
+ return (int) $wpdb->get_var( $wpdb->prepare( $query, ...$ids ) );

This way, each id in the $ids array will have its own placeholder, and the prepare method will correctly sanitize each id.

return (int) $wpdb->get_var( $wpdb->prepare( $query, $ids ) );
}

Expand Down
79 changes: 0 additions & 79 deletions includes/classes/class-metaboxes.php
View file
Open in desktop

This file was deleted.

100 changes: 0 additions & 100 deletions includes/classes/class-share.php
View file
Open in desktop

This file was deleted.

18 changes: 0 additions & 18 deletions includes/classes/legacy/class-accommodation.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,16 +73,11 @@ private function __construct() {
'villa' => esc_html__( 'Villa', 'tour-operator' ),
);

add_filter( 'lsx_to_entry_class', array( $this, 'entry_class' ) );

add_filter( 'lsx_to_custom_field_query', array( $this, 'price_filter' ), 5, 10 );

add_filter( 'lsx_to_custom_field_query', array( $this, 'rating' ), 5, 10 );

include( 'class-unit-query.php' );

add_action( 'lsx_to_map_meta', 'lsx_to_accommodation_meta' );
add_action( 'lsx_to_modal_meta', 'lsx_to_accommodation_meta' );
}

/**
Expand All @@ -101,19 +96,6 @@ public static function get_instance() {
return self::$instance;
}

/**
* A filter to set the content area to a small column on single
*/
function entry_class( $classes ) {
global $post;

if ( is_main_query() && is_singular( $this->slug ) ) {
$classes[] = 'col-xs-12 col-sm-12 col-md-7';
}

return $classes;
}

/**
* Adds in additional info for the price custom field
*/
Expand Down
Loading
Loading