Closed amberhinds closed 2 years ago
Hi @amberhinds—thanks for reporting this!
:memo: As a friendly note for the future, I'd ask first of all that you report any other security issues via HackerOne. This is our preferred way to handle possible security issues (and I'll make a note to update our readme file to make this clearer, as I don't think we currently cover this).
So there are a lot of warnings in this file, and they fall into a few categories.

`// phpcs:ignore <rule>` comment as needed to suppress the warnings.

`wp_safe_redirect()` then we'll be covered from a safety and security perspective (if so, we should still add a `// phpcs:ignore <rule>` comment and, if not, we ought to pass through a suitable sanitizing function).

There's a lot in this set of warnings, and if you feel confident addressing some or all, we'll certainly review any PR you submit (or, alternatively, we'll circle back and tidy things up from our side).
Thanks again! :smile_cat:
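The two outcomes the maintainer's comment describes for a redirect-related input warning, shown side by side as an added example. This is not Action Scheduler's code and not code from either commenter; it assumes a loaded WordPress runtime (`wp_unslash()`, `sanitize_text_field()`, `esc_url_raw()`, `admin_url()`, `wp_safe_redirect()`) and WPCS as the sniff ruleset; the `as_example_*` function names and the `return_to` parameter are hypothetical.

```php
<?php
/**
 * Added example, not part of Action Scheduler. Assumes WordPress is loaded
 * and that phpcs runs with the WordPress Coding Standards (WPCS) rulesets.
 * Function names and the `return_to` query parameter are hypothetical.
 */

/**
 * Before: the shape of code that WPCS reports. The superglobal is read
 * without isset(), without wp_unslash(), without a sanitizing function,
 * and wp_redirect() will follow an arbitrary off-site URL (open redirect).
 * Expect WordPress.Security.ValidatedSanitizedInput.* and
 * WordPress.Security.SafeRedirect.* findings on these lines.
 */
function as_example_redirect_unsafe() {
	wp_redirect( $_GET['return_to'] );
	exit;
}

/**
 * After, option 1: resolve the warning rather than suppress it.
 * isset() validates presence, wp_unslash() removes WordPress' added slashes,
 * esc_url_raw() keeps only a well-formed URL, and wp_safe_redirect() refuses
 * off-site targets (falling back to admin_url() unless the host is in the
 * allowed_redirect_hosts filter). With this, the sanitization sniffs are
 * satisfied and no phpcs:ignore is needed for them.
 */
function as_example_redirect_sanitized() {
	$target = isset( $_GET['return_to'] )
		? esc_url_raw( wp_unslash( $_GET['return_to'] ) )
		: admin_url();

	wp_safe_redirect( $target );
	exit;
}

/**
 * After, option 2: the value is still sanitized, but a sniff that does not
 * apply here (nonce verification on a read-only, state-free GET) is
 * suppressed. The ignore names the exact rule and carries a reason after
 * "--", so a later audit can see what was suppressed and why. Never use a
 * bare "// phpcs:ignore" for input-handling sniffs; a blanket ignore hides
 * real findings alongside the false positive.
 */
function as_example_redirect_with_suppression() {
	// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only redirect target, no state change.
	$raw = isset( $_GET['return_to'] ) ? sanitize_text_field( wp_unslash( $_GET['return_to'] ) ) : '';

	// wp_safe_redirect() is the last line of defence: even if a caller passes
	// an external URL, it will not be followed unless explicitly allowed.
	wp_safe_redirect( '' !== $raw ? $raw : admin_url() );
	exit;
}
```

The practical split when triaging a report like the one in this issue: if a value reaches a sink that is itself safe (`wp_safe_redirect()`, a prepared `$wpdb` call, an escaping output function), document the sniff suppression with the rule name and reason; if the sink is not safe, the fix is a sanitizing or validating function on the input, not a suppression.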
Opened an extensive PR here https://github.com/woocommerce/action-scheduler/pull/763 to address these
Hello!
We've included Action Scheduler in one of our plugins (thank you!) and while doing security audits on our plugin, identified problems related to Action Scheduler.
We ran the plugin through WP Engine's linting test, which helps identify best practices and potential problems. For this process, we are using PHP CodeSniffer with rules derived from both the WordPress Coding Standards and PHPCompatibility rulesets. Below is a detailed line-by-line report of the sniff violations.
Can you please let me know if these are actual errors that require fixes? If so, we may be able to submit a pull request with fixes.