fix all wordpress standards codesniff issues and security issues in p…
…hp files
dsifford committed Jan 6, 2018
1 parent 0f26d2e commit dd6eca8
Showing 8 changed files with 541 additions and 580 deletions.
42 changes: 31 additions & 11 deletions src/academic-bloggers-toolkit.php
Expand Up @@ -17,6 +17,7 @@
define( 'ABT_VERSION', '4.12.0' );
define( 'ABT_ROOT_URI', plugin_dir_url( __FILE__ ) );
define( 'ABT_ROOT_PATH', plugin_dir_path( __FILE__ ) );
define( 'ABT_OPTIONS_KEY', 'abt_options' );

/**
* Load plugin translations.
Expand Down Expand Up @@ -44,7 +45,7 @@ function enable_csl_mime( $mimes ) {
* Cleans up options during uninstall.
*/
function uninstall() {
delete_option( 'abt_options' );
delete_option( ABT_OPTIONS_KEY );
}
if ( function_exists( 'register_uninstall_hook' ) ) {
register_uninstall_hook( __FILE__, 'ABT\uninstall' );
Expand All @@ -58,17 +59,17 @@ function uninstall() {
* http://www.jsoneditoronline.org/?id=8f65b4f64daaf41e5ed94c4a006ba264
*/
function refactor_options() {
$options = get_option( 'abt_options' );
if ( ABT_VERSION === $options['VERSION'] ) {
$options = get_option( ABT_OPTIONS_KEY );
if ( version_compare( ABT_VERSION, $options['VERSION'], '<=' ) ) {
return;
}

$new_options = [];

$new_options['citation_style'] = [
'prefer_custom' => isset( $options['citation_style']['prefer_custom'] ) ? $options['citation_style']['prefer_custom'] : false,
'style' => ( ! empty( $options['citation_style']['style'] ) ? $options['citation_style']['style'] : ( ! empty( $options['abt_citation_style'] ) ? $options['abt_citation_style'] : 'american-medical-association' ) ),
'custom_url' => ! empty( $options['citation_style']['custom_url'] ) ? $options['citation_style']['custom_url'] : '',
'kind' => isset( $options['citation_style']['kind'] ) ? $options['citation_style']['kind'] : 'predefined',
'label' => isset( $options['citation_style']['label'] ) ? $options['citation_style']['label'] : 'American Medical Association',
'value' => isset( $options['citation_style']['id'] ) ? $options['citation_style']['id'] : 'american-medical-association',
];

$new_options['custom_css'] = ! empty( $options['custom_css'] ) ? $options['custom_css'] : '';
Expand All @@ -82,7 +83,7 @@ function refactor_options() {

$new_options['VERSION'] = ABT_VERSION;

update_option( 'abt_options', $new_options );
update_option( ABT_OPTIONS_KEY, $new_options );
}
add_action( 'admin_init', 'ABT\refactor_options' );

Expand Down Expand Up @@ -123,15 +124,34 @@ function add_donate_link( $links, $file ) {
* Enqueues frontend JS and CSS.
*/
function frontend_enqueues() {
wp_enqueue_style( 'abt-css', ABT_ROOT_URI . 'css/frontend.css', [], ABT_VERSION );
$options = get_option( ABT_OPTIONS_KEY );
$custom_css = wp_kses( $options['custom_css'], [ "\'", '\"' ] );

wp_enqueue_style( 'abt-frontend-styles', ABT_ROOT_URI . 'css/frontend.css', [], ABT_VERSION );
if ( isset( $custom_css ) && ! empty( $custom_css ) ) {
wp_add_inline_style( 'abt-frontend-styles', $custom_css );
}

if ( is_singular() ) {
wp_enqueue_script( 'abt-frontend', ABT_ROOT_URI . 'js/frontend.js', [], ABT_VERSION, true );
wp_enqueue_script( 'abt-frontend-script', ABT_ROOT_URI . 'js/frontend.js', [], ABT_VERSION, true );
}
}
add_action( 'wp_enqueue_scripts', 'ABT\frontend_enqueues' );

/**
* Grabs the citation styles from the vendor array, decodes the JSON to an
* associative array and return it.
*/
function get_citation_styles() {
// @codingStandardsIgnoreStart
// Ignoring the `file_get_contents` warning here because it's a misfire.
// the warning is meant for flagging remote calls. This is a local file.
$json = json_decode( file_get_contents( ABT_ROOT_PATH . '/vendor/citation-styles.json' ), true );
// @codingStandardsIgnoreEnd
return $json;
}

require_once __DIR__ . '/php/dom-injects.php';
require_once __DIR__ . '/php/backend.php';
require_once __DIR__ . '/php/options-page.php';
require_once __DIR__ . '/php/class-backend.php';
require_once __DIR__ . '/php/class-options.php';
require_once __DIR__ . '/php/endpoints.php';
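Review bot: The allowed-HTML argument passed to `wp_kses()` at the `$custom_css` assignment in `frontend_enqueues()` is `[ "\'", '\"' ]`, which `wp_kses()` treats as an allowlist keyed by tag name; its keys here are the integers 0 and 1, so it matches no tag and only by accident behaves as an empty allowlist. If the intent is to strip every tag so a stored value cannot terminate the inline `<style>` block, make that explicit, e.g. `$custom_css = wp_kses( isset( $options['custom_css'] ) ? $options['custom_css'] : '', [] );` (or `wp_strip_all_tags()`), which also covers a fresh install where `get_option()` returns `false` and the offset read yields `null`. The guard `isset( $custom_css ) && ! empty( $custom_css )` on the following lines is redundant because the variable was just assigned; `! empty( $custom_css )` is enough. The same unguarded read occurs at `$options['VERSION']` in `refactor_options()`, where `version_compare()` would receive `null` before the options row exists.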
145 changes: 69 additions & 76 deletions src/php/backend.php → src/php/class-backend.php
Expand Up @@ -6,27 +6,45 @@

require_once __DIR__ . '/i18n.php';

if ( is_admin() ) {
add_action( 'load-post.php', [ 'ABT\Backend', 'init' ] );
add_action( 'load-post-new.php', [ 'ABT\Backend', 'init' ] );
}

/**
* Main Backend Class.
*/
class Backend {
/**
* @var \ABT\Backend
*/
private static $instance = null;

/**
* Instantiates the class and calls hooks on load.
*/
static function init() {
if ( is_null( self::$instance ) ) {
self::$instance = new \ABT\Backend();
}
return self::$instance;
}

/**
* Sets up all actions and filters for the backend class.
*/
public function __construct() {
if ( is_admin() ) {
add_action( 'load-post.php', [ $this, 'load_post' ] );
add_action( 'load-post-new.php', [ $this, 'load_post' ] );
}
}

function load_post() {
$post_type = get_current_screen()->post_type;
$disabled_post_types = apply_filters( 'abt_disabled_post_types', [ 'acf', 'um_form' ] );
$is_invalid_post_type = in_array(
$post_type,
array_merge(
[ 'attachment' ],
is_array( $disabled_post_types ) ? $disabled_post_types : []
)
),
true
);

if ( $is_invalid_post_type ) {
Expand All @@ -41,24 +59,27 @@ public function __construct() {
add_filter( 'mce_css', [ $this, 'load_tinymce_css' ] );
}

/**
* Instantiates the class and calls hooks on load.
*/
public static function init() {
$class = __CLASS__;
new $class();
}

/**
* Alerts the user that the plugin will not work if he/she doesn't have 'Rich Editing' enabled.
*/
public function user_alert() {
if ( 'true' === get_user_option( 'rich_editing' ) ) {
return;
}
$class = 'notice notice-warning is-dismissible';
$message = __( "<strong>Notice:</strong> Rich editing must be enabled to use the Academic Blogger's Toolkit plugin", 'academic-bloggers-toolkit' );
printf( '<div class="%1$s"><p>%2$s</p></div>', $class, $message );
echo wp_kses(
sprintf(
'<div class="notice notice-warning is-dismissible"><p><strong>%1s</strong>: %2s</p></div>',
__( 'Notice', 'academic-bloggers-toolkit' ),
__( "Rich editing must be enabled to use the Academic Blogger's Toolkit plugin", 'academic-bloggers-toolkit' )
),
[
'div' => [
'class' => [],
],
'p' => [],
'strong' => [],
]
);
}

/**
Expand All @@ -67,7 +88,6 @@ public function user_alert() {
public function init_tinymce() {
if ( 'true' === get_user_option( 'rich_editing' ) ) {
add_filter( 'mce_external_plugins', [ $this, 'register_tinymce_plugins' ] );
echo '<link href="https://fonts.googleapis.com/css?family=Roboto:300,400,500,700&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel="stylesheet">';
}
}

Expand Down Expand Up @@ -130,24 +150,31 @@ public function render_reference_list() {
* @param string $post_id The post ID.
*/
public function save_meta( $post_id ) {
$is_autosave = wp_is_post_autosave( $post_id );
$is_revision = wp_is_post_revision( $post_id );
$is_valid_nonce = ( isset( $_POST['abt_nonce'] ) && wp_verify_nonce( $_POST['abt_nonce'], basename( __FILE__ ) ) ) ? true : false;

if ( $is_autosave || $is_revision || ! $is_valid_nonce ) {
if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
return;
}

$reflist_state = $_POST['abt-reflist-state'];
update_post_meta( $post_id, '_abt-reflist-state', $reflist_state );
// @codingStandardsIgnoreStart
// Ignoring the next line because the WordPress Standards are still flagging
// this as unsanitized. They are wrong.
if (
isset( $_POST['abt-reflist-state'], $_POST['abt_nonce'] )
&& wp_verify_nonce( sanitize_key( $_POST['abt_nonce'] ), basename( __FILE__ ) ) ) {
$reflist_state = wp_unslash( $_POST['abt-reflist-state'] );
update_post_meta( $post_id, '_abt-reflist-state', $reflist_state );
}
// @codingStandardsIgnoreEnd
}

/**
* Registers all styles and scripts.
*/
public function register_scripts() {
wp_register_style( 'abt-reference-list', ABT_ROOT_URI . 'css/reference-list.css', [], ABT_VERSION );
wp_register_script( 'abt-reference-list', ABT_ROOT_URI . 'js/reference-list/index.js', [], ABT_VERSION );
wp_register_style( 'abt-fonts', '//fonts.googleapis.com/css?family=Roboto:300,400,500,700&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese', [], null );
wp_register_style( 'abt-reference-list', ABT_ROOT_URI . 'css/reference-list.css', [ 'dashicons', 'abt-fonts' ], ABT_VERSION );

wp_register_script( 'abt-reference-list', ABT_ROOT_URI . 'js/reference-list.js', [], ABT_VERSION );
wp_register_script( 'abt-changelog', '//cdn.headwayapp.co/widget.js', [], null, true );
}

/**
Expand All @@ -156,19 +183,14 @@ public function register_scripts() {
public function enqueue_scripts() {
global $post;

$ABT_i18n = i18n\generate_translations();
$translations = i18n\generate_translations();
$state = json_decode( get_post_meta( $post->ID, '_abt-reflist-state', true ), true );
$opts = get_option( 'abt_options' );

$custom_preferred = $opts['citation_style']['prefer_custom'] === true;
$custom_valid = file_exists( $opts['citation_style']['custom_url'] );

$style = $custom_preferred && $custom_valid ? 'abt-user-defined' : $opts['citation_style']['style'];
$opts = get_option( ABT_OPTIONS_KEY );

if ( empty( $state ) ) {
$state = [
'cache' => [
'style' => $style,
'style' => $opts['citation_style'],
'locale' => get_locale(),
],
'citationByIndex' => [],
Expand All @@ -183,7 +205,7 @@ public function enqueue_scripts() {
'style' => $opts['display_options']['bibliography'],
];

// Fix legacy post meta.
// Begin legacy checks.
if ( array_key_exists( 'processorState', $state ) ) {
$state['CSL'] = $state['processorState'];
unset( $state['processorState'] );
Expand All @@ -194,30 +216,27 @@ public function enqueue_scripts() {
unset( $state['citations'] );
}

if ( is_string( $state['cache']['style'] ) ) {
$state['cache']['style'] = $opts['citation_style'];
}
// End legacy checks.

wp_localize_script( 'abt-reference-list', 'ABT', [
'i18n' => $translations,
'options' => $opts,
'state' => $state,
'i18n' => $ABT_i18n,
'styles' => $this->get_citation_styles(),
'styles' => get_citation_styles(),
'wp' => $this->localize_wordpress_constants(),
'custom_csl' => $this->get_user_defined_csl( $opts['citation_style']['custom_url'] ),
] );

wp_dequeue_script( 'autosave' );
wp_enqueue_style( 'dashicons' );
wp_enqueue_style( 'abt-reference-list' );
wp_enqueue_script( 'abt-reference-list' );
wp_enqueue_script( 'abt-changelog' );
}

/**
* Returns an array of citation styles from citationstyles.php.
*/
private function get_citation_styles() {
$json = json_decode( file_get_contents( ABT_ROOT_PATH . '/vendor/citation-styles.json' ), true );
return $json;
}

/**
* Returns an array of a few select wordpress constants ( for use in JS ).
* Returns an array of a few select WordPress constants (for use in JS).
*/
private function localize_wordpress_constants() {
return [
Expand All @@ -241,31 +260,5 @@ private function localize_wordpress_constants() {
],
];
}

/**
* Checks to see if custom CSL XML is saved and available. If so, returns an
* array containing the XML, label, and value. If not, returns an array
* containing only the key 'value' with the value of null.
*
* @param string $path path to CSL XML file.
*
* @return mixed[] array as described above
*/
private function get_user_defined_csl( $path ) {
if ( ! file_exists( $path ) ) {
return [ 'value' => null ];
}

$contents = file_get_contents( $path );
$xml = new SimpleXMLElement( $contents );
$label = $xml->info->title->__toString() !== ''
? $xml->info->title->__toString()
: 'ABT Custom Style';

return [
'label' => $label,
'value' => 'abt-user-defined',
'CSL' => $contents,
];
}
}
\ABT\Backend::init();
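Review bot: `save_meta()` verifies the nonce but never checks that the current user may edit `$post_id`; if it is hooked to `save_post` as its name suggests (the hook registration is outside this hunk), a nonce proves intent rather than authorization, and the usual guard is `if ( ! current_user_can( 'edit_post', $post_id ) ) { return; }` ahead of the meta write. The `@codingStandardsIgnoreStart` comment claims the sniff misfires, but the value taken from `$_POST['abt-reflist-state']` is stored verbatim; since `enqueue_scripts()` later hands it to `json_decode()`, validating it the same way before `update_post_meta()` — `if ( is_string( $reflist_state ) && null !== json_decode( $reflist_state, true ) )` — would satisfy the sniff and also stop a malformed or non-string value from silently resetting the reference list to the default state on the next load (the `empty( $state )` branch). With that in place the comment can state why the value is kept as raw JSON instead of asserting that the standard is wrong.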