Improve PHPCS WordPress compliance (#330)

* use filter_input * Remove some phpcs:disables by being more explicit and verbose * Stronger condition * Re-add phpcs:ignore * Re-add phpcs:ignore * Add missing cache time
akirk · Jun 26, 2024 · aa25554 · aa25554
1 parent 2510de7
commit aa25554
Show file tree

Hide file tree

Showing 6 changed files with 182 additions and 95 deletions.
diff --git a/feed-parsers/class-feed-parser-activitypub.php b/feed-parsers/class-feed-parser-activitypub.php
@@ -823,7 +823,11 @@ public function handle_received_activity( $activity, $user_id, $type ) {
 		if ( is_wp_error( $user_feed ) || ! Friends::check_url( $actor_url ) ) {
 			$meta = $this->get_metadata( $actor_url );
 			if ( ! $meta || is_wp_error( $meta ) || ! isset( $meta['url'] ) ) {
-				$error = is_wp_error( $meta ) ? $meta->get_error_message() . ' ' . print_r( $meta->get_error_data(), true ) : 'No URL found'; // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r
+				$error = 'No URL found';
+				if ( is_wp_error( $meta ) ) {
+					$error = $meta->get_error_message();
+					$error .= ' ' . print_r( $meta->get_error_data(), true ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r
+				}
 				$this->log( 'Received invalid meta for ' . $actor_url . ' ' . $error, $meta );
 				return false;
 			}
@@ -1447,20 +1451,17 @@ function () use ( $message, $error ) {
 	public function cache_reply_to_boost() {
 		$url = false;
 		$append_to_redirect = '';
-		 // phpcs:disable WordPress.Security.NonceVerification.Recommended
-		if ( isset( $_GET['in_reply_to'] ) ) {
-			$url = sanitize_text_field( wp_unslash( $_GET['in_reply_to'] ) );
-			if ( ! wp_parse_url( $url ) ) {
-				return;
-			}
+
+		// The ignores are not necessary now but when https://github.com/WordPress/WordPress-Coding-Standards/issues/2299 comes into effect.
+		$in_reply_to = filter_input( INPUT_GET, 'in_reply_to', FILTER_SANITIZE_URL ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$boost = filter_input( INPUT_GET, 'boost', FILTER_SANITIZE_URL ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		if ( $in_reply_to ) {
+			$url = $in_reply_to;
 			$append_to_redirect .= '#comment';
-		} elseif ( isset( $_GET['boost'] ) ) {
-			$url = sanitize_text_field( wp_unslash( $_GET['boost'] ) );
-			if ( ! wp_parse_url( $url ) ) {
-				return;
-			}
+		} elseif ( $boost ) {
+			$url = $boost;
 		}
-		// phpcs:enable WordPress.Security.NonceVerification.Recommended
+
 		if ( ! $url ) {
 			return;
 		}
@@ -1572,13 +1573,14 @@ public function replace_with_links( array $result ) {
 	}
 
 	public function activitypub_save_settings( User $friend ) {
-		if ( isset( $_POST['_wpnonce'] ) && wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'edit-friend-feeds-' . $friend->user_login ) ) {
+		if ( ! isset( $_POST['_wpnonce'] ) || wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'edit-friend-feeds-' . $friend->user_login ) ) {
+			return;
+		}
 
-			if ( isset( $_POST['friends_show_replies'] ) && intval( $_POST['friends_show_replies'] ) ) {
-				$friend->update_user_option( 'activitypub_friends_show_replies', '1' );
-			} else {
-				$friend->delete_user_option( 'activitypub_friends_show_replies' );
-			}
+		if ( isset( $_POST['friends_show_replies'] ) && boolval( $_POST['friends_show_replies'] ) ) {
+			$friend->update_user_option( 'activitypub_friends_show_replies', '1' );
+		} else {
+			$friend->delete_user_option( 'activitypub_friends_show_replies' );
 		}
 	}
 
@@ -2141,7 +2143,7 @@ public function activitypub_unannounce( $url, $user_id ) {
 	 * @return     bool    Whether the comment is approved.
 	 */
 	public function pre_comment_approved( $approved, $commentdata ) {
-		if ( ! $approved || ( is_string( $approved ) && 'activitypub' === $commentdata['comment_meta']['protocol'] ) ) {
+		if ( is_string( $approved ) && 'activitypub' === $commentdata['comment_meta']['protocol'] ) {
 			// If the author is someone we already follow.
 			$user_feed = User_Feed::get_by_url( $commentdata['comment_author_url'] );
 			if ( $user_feed instanceof User_Feed ) {

diff --git a/includes/class-access-control.php b/includes/class-access-control.php
@@ -86,7 +86,7 @@ public function get_authenticated_feed_user() {
 	 * @return bool The authentication status of the feed.
 	 */
 	public static function private_rss_is_authenticated() {
-		if ( isset( $_GET['auth'] ) && get_option( 'friends_private_rss_key' ) === $_GET['auth'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		if ( filter_input( INPUT_GET, 'auth' ) === get_option( 'friends_private_rss_key' ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			return true;
 		}
 

diff --git a/includes/class-admin.php b/includes/class-admin.php
@@ -1328,11 +1328,11 @@ public function process_admin_edit_friend_feeds() {
 					update_user_option( get_current_user_id(), 'friends_hide_from_friends_page', $hide_from_friends_page );
 			}
 
-			if ( $friend->set_retention_number_enabled( isset( $_POST['friends_enable_retention_number'] ) && intval( $_POST['friends_enable_retention_number'] ) ) && isset( $_POST['friends_retention_number'] ) ) {
-				$friend->set_retention_number( intval( $_POST['friends_retention_number'] ) );
+			if ( $friend->set_retention_number_enabled( filter_input( INPUT_POST, 'friends_enable_retention_number', FILTER_VALIDATE_BOOL ) ) && isset( $_POST['friends_retention_number'] ) ) {
+				$friend->set_retention_number( filter_input( INPUT_POST, 'friends_retention_number', FILTER_SANITIZE_NUMBER_INT ) );
 			}
-			if ( $friend->set_retention_days_enabled( isset( $_POST['friends_enable_retention_days'] ) && intval( $_POST['friends_enable_retention_days'] ) ) && isset( $_POST['friends_retention_days'] ) ) {
-				$friend->set_retention_days( intval( $_POST['friends_retention_days'] ) );
+			if ( $friend->set_retention_days_enabled( filter_input( INPUT_POST, 'friends_enable_retention_days', FILTER_VALIDATE_BOOL ) ) && isset( $_POST['friends_retention_days'] ) ) {
+				$friend->set_retention_days( filter_input( INPUT_POST, 'friends_retention_days', FILTER_SANITIZE_NUMBER_INT ) );
 			}
 
 			$hide_from_friends_page = get_user_option( 'friends_hide_from_friends_page' );

diff --git a/includes/class-automatic-status-list-table.php b/includes/class-automatic-status-list-table.php
@@ -106,7 +106,7 @@ protected function get_post_status_counts( $post_type ) {
 			$counts[ $row->post_status ] = $row->count;
 		}
 		$counts = (object) $counts;
-		wp_cache_set( $cache_key, $counts, 'friends' );
+		wp_cache_set( $cache_key, $counts, 'friends', HOUR_IN_SECONDS );
 
 		return $counts;
 	}

diff --git a/includes/class-subscription.php b/includes/class-subscription.php
@@ -196,7 +196,8 @@ public function get_post_stats() {
 		$post_types = apply_filters( 'friends_frontend_post_types', array() );
 		$post_stats = $wpdb->get_row( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
 			$wpdb->prepare(
-				'SELECT SUM(
+				sprintf(
+					'SELECT SUM(
 					LENGTH( ID ) +
 					LENGTH( post_author ) +
 					LENGTH( post_date ) +
@@ -222,7 +223,16 @@ public function get_post_stats() {
 					LENGTH( comment_count )
 					) AS total_size,
 					COUNT(*) as post_count
-				FROM ' . $wpdb->posts . ' p, ' . $wpdb->term_taxonomy . ' t, ' . $wpdb->term_relationships . ' r WHERE r.object_id = p.ID AND r.term_taxonomy_id = t.term_taxonomy_id AND t.term_id = %d AND p.post_type IN ( ' . implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) . ' )',
+					FROM %s p, %s t, %s r
+					WHERE r.object_id = p.ID
+					AND r.term_taxonomy_id = t.term_taxonomy_id
+					AND t.term_id = %%d
+					AND p.post_type IN ( %s )',
+					$wpdb->posts,
+					$wpdb->term_taxonomy,
+					$wpdb->term_relationships,
+					implode( ', ', array_fill( 0, count( $post_types ), '%s' ) )
+				),
 				array_merge( array( $this->get_term_id() ), $post_types )
 			),
 			ARRAY_A
@@ -232,7 +242,19 @@ public function get_post_stats() {
 			'U',
 			$wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
 				$wpdb->prepare(
-					"SELECT MIN(post_date) FROM $wpdb->posts p, $wpdb->term_taxonomy t, $wpdb->term_relationships r WHERE r.object_id = p.ID AND r.term_taxonomy_id = t.term_taxonomy_id AND t.term_id = %d AND p.post_status = 'publish' AND p.post_type IN ( " . implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) . ' )',
+					sprintf(
+						'SELECT MIN(post_date)
+						FROM %s p, %s t, %s r
+						WHERE r.object_id = p.ID
+						AND r.term_taxonomy_id = t.term_taxonomy_id
+						AND t.term_id = %%d
+						AND p.post_status = "publish"
+						AND p.post_type IN ( %s )',
+						$wpdb->posts,
+						$wpdb->term_taxonomy,
+						$wpdb->term_relationships,
+						implode( ', ', array_fill( 0, count( $post_types ), '%s' ) )
+					),
 					array_merge( array( $this->get_term_id() ), $post_types )
 				)
 			)
@@ -244,18 +266,32 @@ public function get_post_stats() {
 
 	public function get_all_post_ids() {
 		global $wpdb;
-		$post_types_to_delete = implode( "', '", apply_filters( 'friends_frontend_post_types', array() ) );
+		$post_types = apply_filters( 'friends_frontend_post_types', array() );
 
-		$cache_key = 'get_all_post_ids_' . $this->ID . '_' . $post_types_to_delete;
+		$cache_key = 'get_all_post_ids_' . $this->ID . '_' . implode( '_', $post_types );
 		$post_ids = wp_cache_get( $cache_key, 'friends' );
 		if ( false !== $post_ids ) {
 			return $post_ids;
 		}
-		// phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery
-		// phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
-		$post_ids = $wpdb->get_col( $wpdb->prepare( "SELECT p.ID FROM $wpdb->posts p, $wpdb->term_relationships r WHERE r.object_id = p.ID AND r.term_taxonomy_id = %d AND p.post_type IN ('$post_types_to_delete')", $this->get_term_id() ) );
-		// phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery
-		// phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+
+		$post_ids = $wpdb->get_col( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
+			$wpdb->prepare(
+				sprintf(
+					'SELECT p.ID
+					FROM %s p, %s r
+					WHERE r.object_id = p.ID
+					AND r.term_taxonomy_id = %%d
+					AND p.post_type IN ( %s )',
+					$wpdb->posts,
+					$wpdb->term_relationships,
+					implode( ', ', array_fill( 0, count( $post_types ), '%s' ) )
+				),
+				array_merge(
+					array( $this->get_term_id() ),
+					$post_types
+				)
+			)
+		);
 
 		wp_cache_set( $cache_key, $post_ids, 'friends', HOUR_IN_SECONDS - 60 );
 
@@ -291,8 +327,7 @@ public function get_post_count_by_post_format() {
 		global $wpdb;
 
 		$counts = array();
- 		// phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery
-		$counts['standard'] = $wpdb->get_var(
+		$counts['standard'] = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
 			$wpdb->prepare(
 				sprintf(
 					"SELECT COUNT(DISTINCT posts.ID)
@@ -306,13 +341,12 @@ public function get_post_count_by_post_format() {
 					AND relationships_post_format.object_id = posts.ID
 					AND relationships_author.object_id = posts.ID
 					AND taxonomy_author.term_taxonomy_id = relationships_author.term_taxonomy_id
-					AND taxonomy_author.term_id = %s",
+					AND taxonomy_author.term_id = %%d",
 					$wpdb->posts,
 					$wpdb->term_relationships,
 					$wpdb->term_taxonomy,
 					$wpdb->term_relationships,
-					implode( ',', array_fill( 0, count( $post_types ), '%s' ) ),
-					'%d'
+					implode( ',', array_fill( 0, count( $post_types ), '%s' ) )
 				),
 				array_merge(
 					$post_types,
@@ -322,7 +356,7 @@ public function get_post_count_by_post_format() {
 		);
 
 		if ( ! empty( $post_formats_term_ids ) ) {
-			$post_format_counts = $wpdb->get_results(
+			$post_format_counts = $wpdb->get_results( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
 				$wpdb->prepare(
 					sprintf(
 						"SELECT relationships_post_format.term_taxonomy_id AS post_format_id, COUNT(relationships_post_format.term_taxonomy_id) AS count
@@ -337,15 +371,14 @@ public function get_post_count_by_post_format() {
 						AND relationships_post_format.term_taxonomy_id IN ( %s )
 						AND relationships_author.object_id = posts.ID
 						AND taxonomy_author.term_taxonomy_id = relationships_author.term_taxonomy_id
-						AND taxonomy_author.term_id = %s
+						AND taxonomy_author.term_id = %%d
 						GROUP BY relationships_post_format.term_taxonomy_id",
 						$wpdb->posts,
 						$wpdb->term_relationships,
 						$wpdb->term_taxonomy,
 						$wpdb->term_relationships,
 						implode( ',', array_fill( 0, count( $post_types ), '%s' ) ),
-						implode( ',', array_fill( 0, count( $post_formats_term_ids ), '%d' ) ),
-						'%d'
+						implode( ',', array_fill( 0, count( $post_formats_term_ids ), '%d' ) )
 					),
 					array_merge(
 						$post_types,
@@ -354,7 +387,7 @@ public function get_post_count_by_post_format() {
 					)
 				)
 			);
-			// phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery
+
 			foreach ( $post_format_counts as $row ) {
 				$counts[ $post_formats_term_ids[ $row->post_format_id ] ] = $row->count;
 				$counts['standard'] -= $row->count;
@@ -382,16 +415,25 @@ public function get_post_in_trash_count() {
 		if ( false !== wp_cache_get( $cache_key, 'friends' ) ) {
 			return wp_cache_get( $cache_key, 'friends' );
 		}
-		// phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery
-		// phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
-		$count = $wpdb->get_var(
+
+		$count = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
 			$wpdb->prepare(
-				"SELECT COUNT(*) FROM $wpdb->posts p, $wpdb->term_taxonomy t, $wpdb->term_relationships r WHERE r.object_id = p.ID AND r.term_taxonomy_id = t.term_taxonomy_id AND t.term_id = %d AND post_type IN ( " . implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) . ' ) AND post_status = "trash"',
+				sprintf(
+					'SELECT COUNT(*)
+					FROM %s p, %s t, %s r
+					WHERE r.object_id = p.ID
+					AND r.term_taxonomy_id = t.term_taxonomy_id
+					AND t.term_id = %%d
+					AND post_type IN ( %s )
+					AND post_status = "trash"',
+					$wpdb->posts,
+					$wpdb->term_taxonomy,
+					$wpdb->term_relationships,
+					implode( ', ', array_fill( 0, count( $post_types ), '%s' ) )
+				),
 				array_merge( array( $this->get_term_id() ), $post_types )
 			)
 		);
-		// phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery
-		// phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
 
 		wp_cache_set( $cache_key, intval( $count ), 'friends', HOUR_IN_SECONDS - 60 );
 		return intval( $count );
@@ -484,12 +526,24 @@ public static function convert_from_user( User $user ) {
 
 		global $wpdb;
 		// Convert feeds.
-
-		// phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery
-		// phpcs:disable WordPress.DB.DirectDatabaseQuery.NoCaching
-		$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->term_relationships JOIN $wpdb->term_taxonomy ON $wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id SET object_id = %d WHERE object_id = %d AND $wpdb->term_taxonomy.taxonomy = %s", $subscription->get_term_id(), $user->ID, User_Feed::TAXONOMY ) );
-		// phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery
-		// phpcs:enable WordPress.DB.DirectDatabaseQuery.NoCaching
+		$wpdb->query( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
+			$wpdb->prepare(
+				'UPDATE %s
+				JOIN %s
+				ON %s.term_taxonomy_id = %s.term_taxonomy_id
+				SET object_id = %d
+				WHERE object_id = %d
+				AND %s.taxonomy = %s',
+				$wpdb->term_relationships,
+				$wpdb->term_taxonomy,
+				$wpdb->term_relationships,
+				$wpdb->term_taxonomy,
+				$subscription->get_term_id(),
+				$user->ID,
+				$wpdb->term_taxonomy,
+				User_Feed::TAXONOMY
+			)
+		);
 
 		foreach ( self::MIGRATE_USER_OPTIONS as $option_name ) {
 			$subscription->update_user_option( $option_name, $user->get_user_option( $option_name ) );
@@ -521,11 +575,24 @@ public static function convert_to_user( Subscription $subscription ) {
 
 		global $wpdb;
 		// Convert feeds.
-		// phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery
-		// phpcs:disable WordPress.DB.DirectDatabaseQuery.NoCaching
-		$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->term_relationships JOIN $wpdb->term_taxonomy ON $wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id SET object_id = %d WHERE object_id = %d AND $wpdb->term_taxonomy.taxonomy = %s", $user->ID, $subscription->get_term_id(), User_Feed::TAXONOMY ) );
-		// phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery
-		// phpcs:enable WordPress.DB.DirectDatabaseQuery.NoCaching
+		$wpdb->query( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
+			$wpdb->prepare(
+				'UPDATE %s
+				JOIN %s
+				ON %s.term_taxonomy_id = %s.term_taxonomy_id
+				SET object_id = %d
+				WHERE object_id = %d
+				AND %s.taxonomy = %s',
+				$wpdb->term_relationships,
+				$wpdb->term_taxonomy,
+				$wpdb->term_relationships,
+				$wpdb->term_taxonomy,
+				$user->ID,
+				$subscription->get_term_id(),
+				$wpdb->term_taxonomy,
+				User_Feed::TAXONOMY
+			)
+		);
 
 		foreach ( self::MIGRATE_USER_OPTIONS as $option_name ) {
 			$user->update_user_option( $option_name, $subscription->get_user_option( $option_name ) );