hlashbrooke / WordPress-Plugin-Template

A robust code template for creating a standards-compliant WordPress plugin.
https://hughlashbrooke.com/
GNU General Public License v2.0

PHP-codesniffer says: use a nonce on the tabbed settings. #78

Closed seezee closed 5 years ago

seezee commented 5 years ago

PHPCS throws this warning when run against includes/class-my-plugin-settings.php: WARNING | Processing form data without nonce verification. I've included all of the errors for thoroughness but most of them are easy fixes. The nonce error I have no idea how to fix, or even if it should be fixed.

The affected lines are 251, 252, 254, 255, 317, 318, & 331.

--------------------------------------------------------------------------------------
FOUND 9 ERRORS AND 15 WARNINGS AFFECTING 17 LINES
--------------------------------------------------------------------------------------
  15 | WARNING | Property name "$_instance" should not be prefixed with an underscore
     |         | to indicate visibility
  91 | WARNING | In footer ($in_footer) is not set explicitly wp_register_script; It
     |         | is recommended to load scripts in the footer. Please set this value
     |         | to `true` to load it in the footer, or explicitly `false` if it
     |         | should be loaded in the header.
 251 | ERROR   | Processing form data without nonce verification.
 251 | ERROR   | Processing form data without nonce verification.
 252 | ERROR   | Processing form data without nonce verification.
 254 | WARNING | Processing form data without nonce verification.
 254 | WARNING | Processing form data without nonce verification.
 255 | WARNING | Processing form data without nonce verification.
 261 | WARNING | Found: !=. Use strict comparisons (=== or !==).
 303 | ERROR   | All output should be run through an escaping function (see the
     |         | Security sections in the WordPress Developer Handbooks), found
     |         | '$html'.
 317 | WARNING | Processing form data without nonce verification.
 317 | WARNING | Processing form data without nonce verification.
 318 | WARNING | Processing form data without nonce verification.
 331 | WARNING | Processing form data without nonce verification.
 332 | WARNING | Found: ==. Use strict comparisons (=== or !==).
 336 | WARNING | Processing form data without nonce verification.
 336 | WARNING | Found: ==. Use strict comparisons (=== or !==).
 336 | WARNING | Processing form data without nonce verification.
 343 | WARNING | Processing form data without nonce verification.
 371 | ERROR   | All output should be run through an escaping function (see the
     |         | Security sections in the WordPress Developer Handbooks), found
     |         | '$html'.
 397 | ERROR   | All output should be run through an escaping function (see the
     |         | Security sections in the WordPress Developer Handbooks), found '__'.
 397 | ERROR   | All output should be run through an escaping function (see the
     |         | Security sections in the WordPress Developer Handbooks), found
     |         | '$this'.
 406 | ERROR   | All output should be run through an escaping function (see the
     |         | Security sections in the WordPress Developer Handbooks), found '__'.
 406 | ERROR   | All output should be run through an escaping function (see the
     |         | Security sections in the WordPress Developer Handbooks), found
     |         | '$this'.
--------------------------------------------------------------------------------------
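For readers hitting the same `Processing form data without nonce verification` messages, the following is an added illustration of the pattern the sniff is looking for; it is example code written for this thread, not the template's own `class-my-plugin-settings.php`. The class name `Example_Tabbed_Settings`, the option page slug `example-settings`, the tab slugs and the nonce action/name constants are all assumptions. The idea is that a nonce is attached when the tab links and the settings form are rendered, and `wp_verify_nonce()` or `check_admin_referer()` is called in the same function that reads `$_GET`/`$_POST`, which is what clears the WPCS `NonceVerification` warning. The tab value is additionally restricted to an allow-list and every piece of output goes through an `esc_*()` function, which addresses the escaping errors in the same report.

```php
<?php
/**
 * Example only: a tabbed settings screen that verifies a nonce before
 * trusting request data. Not the plugin template's own code.
 */
class Example_Tabbed_Settings {

	// Assumed names; any unique, plugin-prefixed strings work.
	const NONCE_ACTION = 'example_settings_tab';
	const NONCE_NAME   = 'example_settings_nonce';
	const PAGE_SLUG    = 'example-settings';

	/** Allow-list of tabs; anything else falls back to the first entry. */
	private $tabs = array(
		'standard' => 'Standard',
		'extra'    => 'Extra',
	);

	/**
	 * Resolve the active tab from the request. The nonce check stops a crafted
	 * link from switching tabs on the user's behalf, and the allow-list means
	 * the returned value can never be an attacker-supplied string.
	 */
	public function current_tab() {
		$default = key( $this->tabs );

		if ( ! isset( $_GET['tab'], $_GET[ self::NONCE_NAME ] ) ) {
			return $default;
		}

		$nonce = sanitize_key( wp_unslash( $_GET[ self::NONCE_NAME ] ) );
		if ( ! wp_verify_nonce( $nonce, self::NONCE_ACTION ) ) {
			return $default;
		}

		$tab = sanitize_key( wp_unslash( $_GET['tab'] ) );

		return isset( $this->tabs[ $tab ] ) ? $tab : $default;
	}

	/** Build the tab navigation; every link carries a fresh nonce. */
	public function render_tabs() {
		$current = $this->current_tab();
		$html    = '<h2 class="nav-tab-wrapper">';

		foreach ( $this->tabs as $slug => $label ) {
			$url = wp_nonce_url(
				add_query_arg(
					array( 'page' => self::PAGE_SLUG, 'tab' => $slug ),
					admin_url( 'options-general.php' )
				),
				self::NONCE_ACTION,
				self::NONCE_NAME
			);
			$class = ( $slug === $current ) ? 'nav-tab nav-tab-active' : 'nav-tab';

			$html .= sprintf(
				'<a class="%s" href="%s">%s</a>',
				esc_attr( $class ),
				esc_url( $url ),
				esc_html( $label )
			);
		}

		return $html . '</h2>';
	}

	/**
	 * Handle a POST from the settings form. check_admin_referer() dies with
	 * "The link you followed has expired" when the nonce is missing or stale,
	 * so nothing below runs on a forged request.
	 */
	public function handle_post() {
		if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
			return;
		}

		check_admin_referer( self::NONCE_ACTION, self::NONCE_NAME );

		if ( ! current_user_can( 'manage_options' ) ) {
			wp_die( esc_html__( 'You are not allowed to do that.', 'example' ) );
		}

		$tab   = isset( $_POST['tab'] ) ? sanitize_key( wp_unslash( $_POST['tab'] ) ) : '';
		$value = isset( $_POST['example_field'] ) ? sanitize_text_field( wp_unslash( $_POST['example_field'] ) ) : '';

		if ( isset( $this->tabs[ $tab ] ) ) {
			update_option( 'example_' . $tab . '_field', $value );
		}
	}

	/** The matching form: wp_nonce_field() emits the hidden nonce input. */
	public function render_form() {
		$tab  = $this->current_tab();
		$html = '<form method="post">';
		$html .= wp_nonce_field( self::NONCE_ACTION, self::NONCE_NAME, true, false );
		$html .= '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '">';
		$html .= '<input type="text" name="example_field" value="'
			. esc_attr( get_option( 'example_' . $tab . '_field', '' ) ) . '">';
		$html .= '<p class="submit"><button class="button-primary">'
			. esc_html__( 'Save', 'example' ) . '</button></p>';

		return $html . '</form>';
	}
}
```

Two details worth knowing when applying this to the template: WPCS only suppresses the warning when the verification call sits in the same function scope as the `$_GET`/`$_POST` read, so verifying in one method and reading in another still trips the sniff; and a `$_GET['tab']` that merely chooses which tab to display is lower risk than a `$_POST` that writes options, which is why the report marks the `$_GET` lines as warnings and the `$_POST` lines as errors.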
jonathanbossenger commented 5 years ago

@seezee thanks for posting. There's quite a large PR that needs to be merged that will fix a lot of the WPCS issues #76. I'm in the process of reviewing with an aim to merge it in the coming weeks.

jonathanbossenger commented 5 years ago

@seezee TravisCI checks are now passing :tada: