diff --git a/.github/workflows/wporg-validator.yml b/.github/workflows/wporg-validator.yml
new file mode 100644
index 00000000..e1dd30f5
--- /dev/null
+++ b/.github/workflows/wporg-validator.yml
@@ -0,0 +1,13 @@
+# On push, run the action-wporg-validator workflow.
+name: WP.org Validator
+on: [push]
+jobs:
+ wporg-validation:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: WP.org Validator
+ uses: pantheon-systems/action-wporg-validator@1.0.0
+ with:
+ type: plugin
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 52ab8b38..be37e741 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@
 * Updates CONTRIBUTING.md [[#585](https://github.com/pantheon-systems/solr-power/pull/585)]
 * Fixes typo in var which caused undefined notice [[#582](https://github.com/pantheon-systems/solr-power/pull/582)]
 * Update Composer dependencies [[#576](https://github.com/pantheon-systems/solr-power/pull/576)] [[#574](https://github.com/pantheon-systems/solr-power/pull/583)] [[#573](https://github.com/pantheon-systems/solr-power/pull/584)]
+* Adds WP.org Validation GitHub action [[#590](https://github.com/pantheon-systems/solr-power/pull/590)]
 * Updates security policy [[#589](https://github.com/pantheon-systems/solr-power/pull/589)]
 ### 2.4.5 (April 9, 2023) ###
diff --git a/includes/class-solrpower-batch-index.php b/includes/class-solrpower-batch-index.php
index df612bd3..9337ec3a 100644
--- a/includes/class-solrpower-batch-index.php
+++ b/includes/class-solrpower-batch-index.php
@@ -104,7 +104,7 @@ public function __construct( $query_args = array() ) {
 $this->query_args = $clean_query_args;
 // Cache the 'paged' value for resuming.
 delete_option( $this->batch_cache_key );
- add_option( $this->batch_cache_key, $this->query_args['paged'], null, false );
+ add_option( $this->batch_cache_key, $this->query_args['paged'], '', false );
 $query = new WP_Query( $clean_query_args );
 $this->post_ids = $query->posts;
 $found_posts = $query->found_posts;
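Review bot: Both `uses:` references are pinned to mutable tags (`actions/checkout@v3`, `pantheon-systems/action-wporg-validator@1.0.0`), so the job runs whatever those tags resolve to later; for the third-party action in particular, pin the full commit SHA and keep the tag as a trailing comment, e.g. `uses: pantheon-systems/action-wporg-validator@<commit-sha> # v1.0.0`. The workflow also declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default grant, while a validation-only job needs no more than `permissions:` / `contents: read` at the top of the file. `on: [push]` triggers on every branch push, which is fine for a read-only check but is worth stating in the header comment so nobody later adds a write step under the same trigger.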
@@ -206,7 +206,7 @@ public function fetch_next_posts() {
 public function increment_page() {
 $this->query_args['paged']++;
 delete_option( $this->batch_cache_key );
- add_option( $this->batch_cache_key, $this->query_args['paged'], null, false );
+ add_option( $this->batch_cache_key, $this->query_args['paged'], '', false );
 }
 /**
diff --git a/includes/class-solrpower-facet-widget.php b/includes/class-solrpower-facet-widget.php
index 94b80d40..993ffe7f 100644
--- a/includes/class-solrpower-facet-widget.php
+++ b/includes/class-solrpower-facet-widget.php
@@ -36,9 +36,9 @@ public function __construct() {
 */
 public function widget( $args, $instance ) {
 $this->dummy_query();
- echo $args['before_widget'];
+ echo wp_kses_post( $args['before_widget'] );
 if ( ! empty( $instance['title'] ) ) {
- echo $args['before_title'] . $instance['title'] . $args['after_title'];
+ echo wp_kses_post( $args['before_title'] . $instance['title'] . $args['after_title'] );
 }
 $this->facets = filter_input( INPUT_GET, 'facet', FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_REQUIRE_ARRAY );
 echo '
'; @@ -47,7 +47,7 @@ public function widget( $args, $instance ) { $this->fetch_facets(); echo ''; echo '
';
- echo $args['after_widget'];
+ echo wp_kses_post( $args['after_widget'] );
 }
 /**
@@ -190,7 +190,7 @@ function fetch_facets( $echo = true ) {
 } // End foreach().
 if ( $echo ) {
- echo $output;
+ echo $output; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped,WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 } else {
 return $output;
 }
@@ -236,7 +236,7 @@ public function render_searchbox() {
 *
 * @param string $html the search box html.
 */
- echo apply_filters( 'solr_facet_searchbox', $html );
+ echo wp_kses_post( apply_filters( 'solr_facet_searchbox', $html ) );
 }
 /**
diff --git a/includes/class-solrpower-options.php b/includes/class-solrpower-options.php
index f9f3760a..e49d1688 100644
--- a/includes/class-solrpower-options.php
+++ b/includes/class-solrpower-options.php
@@ -106,7 +106,7 @@ public function action_wpmuadminedit() {
 update_site_option( $option, $value );
 }
 $goback = add_query_arg( 'settings-updated', 'true', wp_get_referer() );
- wp_redirect( $goback );
+ wp_safe_redirect( $goback );
 exit;
 }
diff --git a/includes/class-solrpower-sync.php b/includes/class-solrpower-sync.php
index 0fbcabcc..184d62c6 100644
--- a/includes/class-solrpower-sync.php
+++ b/includes/class-solrpower-sync.php
@@ -651,7 +651,7 @@ function load_all_posts( $prev, $post_type = 'post', $limit = 5, $echo = true )
 $end = true;
 $results = sprintf( '{"type": "' . $post_type . '", "last": "%s", "end": true, "percent": "%.2f"}', $last, 100 );
 if ( $echo ) {
- echo $results;
+ echo $results; // phpcs:ignore WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter,WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 die();
 }
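Review bot: The `phpcs:ignore` added to `echo $output;` in fetch_facets() silences the escaping sniff without recording why the value is safe; `$output` is assembled earlier in the function (outside the hunk) from facet names and counts, and nothing in the hunk shows them being escaped there. Either escape each piece where `$output` is built and say so, or give the suppression a reason, e.g. `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- $output is escaped piecewise where it is assembled above.` The same bare suppression is added in class-solrpower-sync.php (@@ -651 and @@ -685), legacy-functions.php (@@ -39) and in both `template/s4w_search.php` and `template/s4wp_search.php` on the `Displaying result` and teaser `echo` lines; each should carry its justification or be replaced by real escaping. fetch_facets() starts outside the hunk.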
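Review bot: Wrapping the filtered search-box markup in `wp_kses_post()` will strip `<form>`, `<input>`, `<button>` and `<label>` elements, since those tags are not in the post-content allowlist, so the rendered search box is likely to lose its form controls; confirm against how `$html` is built above (outside the hunk). If the markup is meant to stay filterable, pass an explicit allowlist instead, e.g. `wp_kses( apply_filters( 'solr_facet_searchbox', $html ), $allowed )` with `$allowed` built from `wp_kses_allowed_html( 'post' )` plus `form`, `input`, `button` and `label` and the attributes the box uses; otherwise escape the dynamic pieces when `$html` is assembled and document why the filter output is trusted developer markup.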
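Review bot: `wp_safe_redirect()` is the right call for a referer-derived target, but `wp_get_referer()` returns `false` when the header is missing or points off-site, and `add_query_arg()` then yields a bare `?settings-updated=true`; give it an explicit fallback, e.g. `$goback = add_query_arg( 'settings-updated', 'true', wp_get_referer() ?: network_admin_url() );`. The capability and nonce checks that must guard the `update_site_option()` loop are not in the hunk; action_wpmuadminedit() starts above it, so confirm they precede this block.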
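Review bot: `$results` is hand-built JSON with `$post_type` concatenated into the string without any quoting, so a post type containing a quote or backslash produces malformed output, and the `phpcs:ignore` on the new `echo` hides the line that emits it. Build the response with `wp_json_encode( array( 'type' => $post_type, 'last' => $last, 'end' => true, 'percent' => sprintf( '%.2f', 100 ) ) )` and, if this is an AJAX handler, send it through `wp_send_json()` rather than `echo`/`die()`. The @@ -685 hunk in the same file builds its response the same way and needs the same change. load_all_posts() starts outside the hunk.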
@@ -685,7 +685,7 @@ function load_all_posts( $prev, $post_type = 'post', $limit = 5, $echo = true )
 $results = sprintf( '{"type\": "' . $post_type . '", "last": "%s", "end": false, "percent": "%.2f"}', $last, $percent );
 }
 if ( $echo ) {
- echo $results;
+ echo $results; // phpcs:ignore WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter,WordPress.Security.EscapeOutput.OutputNotEscaped
 return;
 }
diff --git a/includes/class-solrpower.php b/includes/class-solrpower.php
index a2777770..a9b400ca 100644
--- a/includes/class-solrpower.php
+++ b/includes/class-solrpower.php
@@ -72,15 +72,15 @@ public function activate( $networkwide ) {
 $schema_message = SolrPower_Api::get_instance()->submit_schema();
 if ( strpos( $schema_message, 'Error' ) ) {
 // Translators: 1 The error message, 2: The SOLR_PATH constant.
- $message = wp_kses( __( 'Submitting the schema failed with the message: %1$s
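Review bot: The unchanged format string on the first line of this hunk reads `'{"type\": "' . $post_type . '"`; inside single quotes PHP keeps the backslash, so if that is really what the file contains, every non-final progress response is emitted as `{"type\": ...`, which is not valid JSON, and the `phpcs:ignore` added to the `echo` below is what now hides that output path from review. Replace the hand-built string with `wp_json_encode( array( 'type' => $post_type, 'last' => $last, 'end' => false, 'percent' => sprintf( '%.2f', $percent ) ) )`, which also quotes `$post_type` correctly. load_all_posts() begins and ends outside the hunk.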

%2$s', 'solr-for-wordpress-on-pantheon' ), [ 'br' => [] ] );
- wp_die( sprintf( $message, esc_html( $schema_message ), $solr_path ) );
+ $message = __( 'Submitting the schema failed with the message: %1$s

%2$s', 'solr-for-wordpress-on-pantheon' );
+ wp_die( sprintf( wp_kses( $message, [ 'br' => [] ] ), esc_html( $schema_message ), esc_textarea( $solr_path ) ) );
 }
 }
 if ( is_multisite() && ! $networkwide ) {
 // Translators: 1: The URL to the network admin plugins page.
- $message = wp_kses_post( __( 'You are attempting to activate the plugin on a multisite as a single-site plugin. For WordPress multisites, you need to activate network-wide. Go to your your Network Admin Plugins page and click the Network Activate link there.', 'solr-for-wordpress-on-pantheon' ) );
- wp_die( sprintf( $message, get_admin_url( 1, 'network/plugins.php' ) ) );
+ $message = __( 'You are attempting to activate the plugin on a multisite as a single-site plugin. For WordPress multisites, you need to activate network-wide. Go to your your Network Admin Plugins page and click the Network Activate link there.', 'solr-for-wordpress-on-pantheon' );
+ wp_die( sprintf( wp_kses_post( $message ), esc_url_raw( get_admin_url( 1, 'network/plugins.php' ) ) ) );
 }
 SolrPower_Options::get_instance()->initalize_options();
@@ -210,9 +210,9 @@ public function template_redirect() {
 }
 // If there is a template file then we use it.
- if ( file_exists( TEMPLATEPATH . '/s4wp_search.php' ) ) {
+ if ( file_exists( get_template_directory() . '/s4wp_search.php' ) ) {
 // use theme file.
- include_once( TEMPLATEPATH . '/s4wp_search.php' );
+ include_once( get_template_directory() . '/s4wp_search.php' );
 } elseif ( file_exists( dirname( __FILE__ ) . '/template/s4wp_search.php' ) ) {
 // use plugin supplied file.
 add_action( 'wp_head', array( $this, 'default_head' ) );
diff --git a/includes/legacy-functions.php b/includes/legacy-functions.php
index f2bf2c3e..1e39aa72 100644
--- a/includes/legacy-functions.php
+++ b/includes/legacy-functions.php
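Review bot: The new `wp_die()` calls escape `$solr_path` with `esc_textarea()` and the admin URL with `esc_url_raw()`, yet both values land in HTML: `esc_textarea()` is meant for `<textarea>` content and `esc_url_raw()` is the database/redirect variant that skips the entity encoding `esc_url()` applies for display. Use `esc_html( $solr_path )` and `esc_url( get_admin_url( 1, 'network/plugins.php' ) )` here. The same pairing (`esc_url_raw()` inside `href`, `esc_textarea()` for inline text) recurs in legacy-functions.php @@ -319 and throughout `template/s4w_search.php` and `template/s4wp_search.php`; `esc_url()` and `esc_html()` are the output-context functions for those lines. Separately, the unchanged `if ( strpos( $schema_message, 'Error' ) )` misses a message that begins with `Error`; `false !== strpos( $schema_message, 'Error' )` is the intended test. activate() begins and ends outside the hunk.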
@@ -39,7 +39,7 @@ function s4wp_search_form() {
 }
 $form = '';
- printf( $form, filter_input( INPUT_GET, 'ssearch', FILTER_SANITIZE_FULL_SPECIAL_CHARS ), $sortval, $orderval, $serverval );
+ printf( $form, filter_input( INPUT_GET, 'ssearch', FILTER_SANITIZE_FULL_SPECIAL_CHARS ), $sortval, $orderval, $serverval ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 /**
@@ -319,16 +319,16 @@ function s4wp_print_facet_items( $items, $pre = '', $before
 if ( ! $items ) {
 return;
 }
- printf( "%s\n", $pre );
+ printf( "%s\n", wp_kses_post( $pre ) );
 foreach ( $items as $item ) {
- printf( "%s%s (%s)%s\n", $before, $item['link'], $item['name'], $item['count'], $after );
+ printf( "%s%s (%s)%s\n", wp_kses_post( $before ), esc_url_raw( $item['link'] ), esc_textarea( $item['name'] ), esc_textarea( $item['count'] ), wp_kses_post( $after ) );
 $item_items = isset( $item['items'] ) ? true : false;
 if ( $item_items ) {
 s4wp_print_facet_items( $item['items'], $nestedpre, $nestedpost, $nestedbefore, $nestedafter, $nestedpre, $nestedpost, $nestedbefore, $nestedafter );
 }
 }
- printf( "%s\n", $post );
+ printf( "%s\n", wp_kses_post( $post ) );
 }
 /**
diff --git a/readme.txt b/readme.txt
index d3becd07..85e739a6 100644
--- a/readme.txt
+++ b/readme.txt
@@ -236,6 +236,7 @@ Please report security bugs found in the source code of the Solr Power plugin th * Updates CONTRIBUTING.md [[#585](https://github.com/pantheon-systems/solr-power/pull/585)] * Fixes typo in var which caused undefined notice [[#582](https://github.com/pantheon-systems/solr-power/pull/582)] * Update Composer dependencies [[#576](https://github.com/pantheon-systems/solr-power/pull/576)] [[#574](https://github.com/pantheon-systems/solr-power/pull/583)] [[#573](https://github.com/pantheon-systems/solr-power/pull/584)] +* Adds WP.org Validation GitHub action [[#590](https://github.com/pantheon-systems/solr-power/pull/590)] * Updates security policy [[#589](https://github.com/pantheon-systems/solr-power/pull/589)] = 2.4.5 (April 9, 2023) = diff --git a/template/s4w_search.php b/template/s4w_search.php index 366d6c16..de813da9 100644 --- a/template/s4w_search.php +++ b/template/s4w_search.php @@ -23,7 +23,7 @@ @@ -52,9 +52,9 @@ %s hits", $results['firstresult'], $results['hits'] ); + printf( "Displaying result %s of %s hits", $results['firstresult'], $results['hits'] ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped } else { - printf( "Displaying results %s-%s of %s hits", $results['firstresult'], $results['lastresult'], $results['hits'] ); + printf( "Displaying results %s-%s of %s hits", $results['firstresult'], $results['lastresult'], $results['hits'] ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped } } ?> @@ -62,11 +62,11 @@
    -
  1. Relevance
  2. -
  3. Newest
  4. -
  5. Oldest
  6. -
  7. Most Comments
  8. -
  9. Least Comments
  10. +
  11. Relevance
  12. +
  13. Newest
  14. +
  15. Oldest
  16. +
  17. Most Comments
  18. +
  19. Least Comments
Sort by:
@@ -87,29 +87,29 @@ printf( "
    \n" ); foreach ( $results['results'] as $result ) { - printf( "
  1. \n", $result['permalink'] ); - printf( "

    %s

    \n", $result['permalink'], $result['title'] ); + printf( "
  2. \n", esc_url_raw( $result['permalink'] ) ); + printf( "

    %s

    \n", esc_url_raw( $result['permalink'] ), esc_textarea( $result['title'] ) ); echo '

    '; foreach ( explode( '...', $result['teaser'] ) as $this_result ) { if ( ! empty( $this_result ) ) { - echo '...' . $this_result . '...

    '; + echo '...' . $this_result . '...

    '; // phpcs:ignore WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter,WordPress.Security.EscapeOutput.OutputNotEscaped } } if ( $result['numcomments'] > 0 ) { - printf( "(comment match)", $result['comment_link'] ); + printf( "(comment match)", esc_url_raw( $result['comment_link'] ) ); } echo "

    \n"; printf( "\n", - $result['authorlink'], - $result['author'], - get_the_category_list( ', ', '', $result['id'] ), - gmdate( 'm/d/Y', strtotime( $result['date'] ) ), - $result['comment_link'], - $result['numcomments'] + esc_url_raw( $result['authorlink'] ), + esc_textarea( $result['author'] ), + wp_kses_post( get_the_category_list( ', ', '', $result['id'] ) ), + esc_textarea( gmdate( 'm/d/Y', strtotime( $result['date'] ) ) ), + esc_url_raw( $result['comment_link'] ), + esc_textarea( $result['numcomments'] ) ); printf( "
  3. \n" ); } @@ -146,15 +146,15 @@ } if ( '' !== $prev ) { - printf( 'Previous', $prev ); + printf( 'Previous', esc_url_raw( $prev ) ); } foreach ( $itemlinks as $itemlink ) { - echo $itemlink; + echo wp_kses_post( $itemlink ); } if ( '' !== $next ) { - printf( 'Next', $next ); + printf( 'Next', esc_url_raw( $next ) ); } printf( "\n" ); @@ -173,7 +173,7 @@ %sx', $selectedfacet['removelink'], $selectedfacet['name'] ); + printf( '
  4. %sx
  5. ', esc_url_raw( $selectedfacet['removelink'] ), esc_textarea( $selectedfacet['name'] ) ); } } ?> @@ -185,7 +185,7 @@ foreach ( $results['facets'] as $facet ) { // don't display facets with only 1 value. if ( isset( $facet['items'] ) and sizeof( $facet['items'] ) > 1 ) { - printf( "
  6. \n

    %s

    \n", $facet['name'] ); + printf( "
  7. \n

    %s

    \n", wp_kses_post( $facet['name'] ) ); s4wp_print_facet_items( $facet['items'], '
      ', '
    ', '
  8. ', '
  9. ', '
    1. ', '
  10. ', '
  11. ', '
  12. ' ); printf( "\n" ); } diff --git a/template/s4wp_search.php b/template/s4wp_search.php index 366d6c16..ee514185 100644 --- a/template/s4wp_search.php +++ b/template/s4wp_search.php @@ -23,7 +23,7 @@ @@ -52,9 +52,9 @@ %s hits", $results['firstresult'], $results['hits'] ); + printf( "Displaying result %s of %s hits", $results['firstresult'], $results['hits'] ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped } else { - printf( "Displaying results %s-%s of %s hits", $results['firstresult'], $results['lastresult'], $results['hits'] ); + printf( "Displaying results %s-%s of %s hits", $results['firstresult'], $results['lastresult'], $results['hits'] ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped } } ?> @@ -62,11 +62,11 @@
      -
    1. Relevance
    2. -
    3. Newest
    4. -
    5. Oldest
    6. -
    7. Most Comments
    8. -
    9. Least Comments
    10. +
    11. Relevance
    12. +
    13. Newest
    14. +
    15. Oldest
    16. +
    17. Most Comments
    18. +
    19. Least Comments
    Sort by:
    @@ -87,29 +87,29 @@ printf( "
      \n" ); foreach ( $results['results'] as $result ) { - printf( "
    1. \n", $result['permalink'] ); - printf( "

      %s

      \n", $result['permalink'], $result['title'] ); + printf( "
    2. \n", esc_url_raw( $result['permalink'] ) ); + printf( "

      %s

      \n", esc_url_raw( $result['permalink'] ), wp_kses_post( $result['title'] ) ); echo '

      '; foreach ( explode( '...', $result['teaser'] ) as $this_result ) { if ( ! empty( $this_result ) ) { - echo '...' . $this_result . '...

      '; + echo '...' . $this_result . '...

      '; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped,WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter } } if ( $result['numcomments'] > 0 ) { - printf( "(comment match)", $result['comment_link'] ); + printf( "(comment match)", esc_url_raw( $result['comment_link'] ) ); } echo "

      \n"; printf( "\n", - $result['authorlink'], - $result['author'], - get_the_category_list( ', ', '', $result['id'] ), - gmdate( 'm/d/Y', strtotime( $result['date'] ) ), - $result['comment_link'], - $result['numcomments'] + esc_url_raw( $result['authorlink'] ), + esc_textarea( $result['author'] ), + wp_kses_post( get_the_category_list( ', ', '', $result['id'] ) ), + esc_textarea( gmdate( 'm/d/Y', strtotime( $result['date'] ) ) ), + esc_url_raw( $result['comment_link'] ), + esc_textarea( $result['numcomments'] ) ); printf( "
    3. \n" ); } @@ -146,15 +146,15 @@ } if ( '' !== $prev ) { - printf( 'Previous', $prev ); + printf( 'Previous', esc_url_raw( $prev ) ); } foreach ( $itemlinks as $itemlink ) { - echo $itemlink; + echo wp_kses_post( $itemlink ); } if ( '' !== $next ) { - printf( 'Next', $next ); + printf( 'Next', esc_url_raw( $next ) ); } printf( "\n" ); @@ -173,7 +173,7 @@ %sx', $selectedfacet['removelink'], $selectedfacet['name'] ); + printf( '
    4. %sx
    5. ', $selectedfacet['removelink'], $selectedfacet['name'] ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped } } ?> @@ -185,7 +185,7 @@ foreach ( $results['facets'] as $facet ) { // don't display facets with only 1 value. if ( isset( $facet['items'] ) and sizeof( $facet['items'] ) > 1 ) { - printf( "
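Review bot: This hunk leaves `$selectedfacet['removelink']` and `$selectedfacet['name']` unescaped in the `printf()` and covers it with `phpcs:ignore`, while the otherwise identical line in `template/s4w_search.php` @@ -173 wraps them in `esc_url_raw()`/`esc_textarea()`; since template_redirect() (class-solrpower.php @@ -210) appears to include `s4wp_search.php`, the unescaped copy is the one that actually renders. Apply the same escaping here, with the display variants: `esc_url( $selectedfacet['removelink'] )` and `esc_html( $selectedfacet['name'] )`. The two templates also diverge on `$result['title']` (`wp_kses_post()` here, `esc_textarea()` in s4w @@ -87) and on `$facet['name']` (`esc_textarea()` here in @@ -185, `wp_kses_post()` in s4w @@ -185); settle on one rule per value so the files do not drift further.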
    6. \n

      %s

      \n", $facet['name'] ); + printf( "
    7. \n

      %s

      \n", esc_textarea( $facet['name'] ) ); s4wp_print_facet_items( $facet['items'], '
        ', '
      ', '
    8. ', '
    9. ', '
      1. ', '
    10. ', '
    11. ', '
    12. ' ); printf( "\n" ); } diff --git a/templates/solr-search-results.php b/templates/solr-search-results.php index 6832b78c..131a6ef6 100644 --- a/templates/solr-search-results.php +++ b/templates/solr-search-results.php @@ -25,7 +25,7 @@ if ( in_array( 'category', get_object_taxonomies( get_post_type() ) ) ) : ?> str_replace( $big, '%#%', get_pagenum_link( $big, false ) ), 'format' => '?paged=%#%',