diff --git a/mailpoet/lib/AdminPages/PageRenderer.php b/mailpoet/lib/AdminPages/PageRenderer.php
index 6abf50956f..97966b8e55 100644
--- a/mailpoet/lib/AdminPages/PageRenderer.php
+++ b/mailpoet/lib/AdminPages/PageRenderer.php
@@ -81,12 +81,9 @@ class PageRenderer {
 $this->subscribersCountCacheRecalculation->schedule();
 }
 
- // phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
- // phpcs:disable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 // We are in control of the template and the data can be considered safe at this point
+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped, WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 echo $this->renderer->render($template, $data + $defaults);
- // phpcs:enable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
- // phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
 } catch (\Exception $e) {
 $notice = new WPNotice(WPNotice::TYPE_ERROR, $e->getMessage());
 $notice->displayWPNotice();
diff --git a/mailpoet/lib/Automation/Engine/Migrations/Migrator.php b/mailpoet/lib/Automation/Engine/Migrations/Migrator.php
index e0871ade08..ef20010fd0 100644
--- a/mailpoet/lib/Automation/Engine/Migrations/Migrator.php
+++ b/mailpoet/lib/Automation/Engine/Migrations/Migrator.php
@@ -73,10 +73,9 @@ class Migrator {
 
 private function runQuery(string $query): int {
 $this->wpdb->hide_errors();
- // phpcs:disable WordPressDotOrg.sniffs.DirectDB.UnescapedDBParameter
 // It's a private method and all Queries in this class are safe
+ // phpcs:ignore WordPressDotOrg.sniffs.DirectDB.UnescapedDBParameter
 $result = $this->wpdb->query($query);
- // phpcs:enable WordPressDotOrg.sniffs.DirectDB.UnescapedDBParameter
 
 if ($result === false) {
 throw Exceptions::migrationFailed($this->wpdb->last_error ?: 'Unknown error');
diff --git a/mailpoet/lib/Config/MP2Migrator.php b/mailpoet/lib/Config/MP2Migrator.php
index 7ad5b02cfe..8c5c31dd17 100644
--- a/mailpoet/lib/Config/MP2Migrator.php
+++ b/mailpoet/lib/Config/MP2Migrator.php
@@ -610,7 +610,7 @@ class MP2Migrator {
 $sql = $wpdb->prepare("
 SELECT u.*
 FROM `$table` u
- WHERE u.user_id > %d
+ WHERE u.user_id > %s
 ORDER BY u.user_id
 LIMIT %d
 ", $lastId, $limit);
diff --git a/mailpoet/lib/Config/Populator.php b/mailpoet/lib/Config/Populator.php
index 4234b99fd7..00769c3d60 100644
--- a/mailpoet/lib/Config/Populator.php
+++ b/mailpoet/lib/Config/Populator.php
@@ -538,12 +538,11 @@ class Populator {
 }, array_keys($columns), $columns);
 
 $table = esc_sql($tableName);
- // phpcs:disable WordPressDotOrg.sniffs.DirectDB.UnescapedDBParameter
 // $conditions is escaped
+ // phpcs:ignore WordPressDotOrg.sniffs.DirectDB.UnescapedDBParameter
 return $wpdb->get_var(
 "SELECT COUNT(*) FROM $table WHERE " . implode(' AND ', $conditions)
 ) > 0;
- // phpcs:enable WordPressDotOrg.sniffs.DirectDB.UnescapedDBParameter
 }
 
 private function insertRow($table, $row) {
diff --git a/mailpoet/lib/Cron/Workers/SendingQueue/Migration.php b/mailpoet/lib/Cron/Workers/SendingQueue/Migration.php
index 19d289df07..0c6f4a2c68 100644
--- a/mailpoet/lib/Cron/Workers/SendingQueue/Migration.php
+++ b/mailpoet/lib/Cron/Workers/SendingQueue/Migration.php
@@ -136,8 +136,8 @@ class Migration extends SimpleWorker {
 
 foreach ($queueBatch as $queue) {
 // create a new scheduled task of type "sending"
- // phpcs:disable WordPressDotOrg.sniffs.DirectDB.UnescapedDBParameter
- // The only moving part is casted. $columnList and MP_SCHEDULED_TASKS_TABLE are fixed.
+ // Constants are safe, queue ID is cast to int.
+ // phpcs:ignore WordPressDotOrg.sniffs.DirectDB.UnescapedDBParameter
 $wpdb->query(sprintf(
 'INSERT IGNORE INTO %1$s (`type`, %2$s) ' .
 'SELECT "sending", %2$s FROM %3$s WHERE `id` = %4$s',
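Review bot: Changing the placeholder in `WHERE u.user_id > %s` from `%d` to `%s` makes `$wpdb->prepare` emit a quoted string instead of an integer literal, so the integer column is now compared against a string that MySQL converts at query time; the value is still escaped, so this is a typing change rather than an injection risk, but nothing in the hunk says why the stricter `%d` had to go. A one-line comment above the query, e.g. `// %s rather than %d: $lastId is <reason — confirm>`, would keep a later cleanup from reverting it. The `LIMIT %d` placeholder in the same statement keeps the integer form, which makes the inconsistency more visible. The enclosing method starts and ends outside the hunk.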
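Review bot: The single-line `// phpcs:ignore WordPressDotOrg.sniffs.DirectDB.UnescapedDBParameter` now covers only `return $wpdb->get_var(`, while the interpolated `$table` and the `implode(' AND ', $conditions)` it is meant to justify sit on the following line; if that sniff reports at the argument rather than at the call, the suppression no longer applies and phpcs will fail where the old disable/enable pair did not. The Migration.php hunk has the same layout, with the ignore above `$wpdb->query(sprintf(` and the parameters on the lines below. If CI shows the warning has moved, place the ignore directly above the `"SELECT COUNT(*) FROM $table WHERE " . implode(' AND ', $conditions)` line, or keep a disable/enable pair around multi-line statements. The enclosing method starts outside the hunk.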
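Review bot: The replacement justification `// Constants are safe, queue ID is cast to int.` no longer accounts for `$columnList`, the `%2$s` argument, which is a variable rather than a constant; the removed line stated that it was fixed, and that is exactly the claim a reader of this suppression needs to be able to check. Suggest `// Table names are constants, $columnList is a fixed column list, and the queue ID is cast to int.`, adjusted to however `$columnList` is actually built, which is outside the hunk. The sprintf arguments `MP_SCHEDULED_TASKS_TABLE,` and `$columnList,` fall between this hunk and the next one.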
@@ -146,7 +146,6 @@ class Migration extends SimpleWorker {
 MP_SENDING_QUEUES_TABLE,
 (int)$queue['id']
 ));
- // phpcs:enable WordPressDotOrg.sniffs.DirectDB.UnescapedDBParameter
 
 // link the queue with the task via task_id
 $newTaskId = $wpdb->insert_id; // phpcs:ignore Squiz.NamingConventions.ValidVariableName.MemberNotCamelCaps
diff --git a/mailpoet/lib/Form/PreviewWidget.php b/mailpoet/lib/Form/PreviewWidget.php
index 08401685ed..78c293a10a 100644
--- a/mailpoet/lib/Form/PreviewWidget.php
+++ b/mailpoet/lib/Form/PreviewWidget.php
@@ -22,11 +22,8 @@ class PreviewWidget extends \WP_Widget {
 * Output the widget itself.
 */
 public function widget($args, $instance = null) {
- // phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
- // phpcs:disable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 // We control the html
+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped, WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 echo $this->formHtml;
- // phpcs:enable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
- // phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 }
diff --git a/mailpoet/lib/Form/Widget.php b/mailpoet/lib/Form/Widget.php
index e39be3424f..2efa2797e0 100644
--- a/mailpoet/lib/Form/Widget.php
+++ b/mailpoet/lib/Form/Widget.php
@@ -93,12 +93,9 @@ class Widget extends \WP_Widget {
 ];
 
 try {
- // phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
- // phpcs:disable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 // We control the template and the data is sanitized
+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped, WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 echo $this->renderer->render('form/iframe.html', $data);
- // phpcs:enable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
- // phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
 } catch (\Exception $e) {
 echo esc_html($e->getMessage());
 }
@@ -269,12 +266,9 @@ class Widget extends \WP_Widget {
 }
 
 if ($formType === 'widget') {
- // phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
- // phpcs:disable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 // We control the template and the data is sanitized
+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped, WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 echo $output;
- // phpcs:enable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
- // phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
 } else {
 return $output;
 }
diff --git a/mailpoet/lib/Router/Endpoints/ViewInBrowser.php b/mailpoet/lib/Router/Endpoints/ViewInBrowser.php
index 76abf435ae..ae088e021c 100644
--- a/mailpoet/lib/Router/Endpoints/ViewInBrowser.php
+++ b/mailpoet/lib/Router/Endpoints/ViewInBrowser.php
@@ -35,7 +35,8 @@ class ViewInBrowser {
 
 private function displayNewsletter($result) {
 header('Content-Type: text/html; charset=utf-8');
- echo $result; //phpcs:ignore
+ // phpcs:ignore WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter,WordPress.Security.EscapeOutput.OutputNotEscaped
+ echo $result;
 exit;
 }
 
diff --git a/mailpoet/lib/Statistics/Track/Opens.php b/mailpoet/lib/Statistics/Track/Opens.php
index 0241e41c23..baecbdece1 100644
--- a/mailpoet/lib/Statistics/Track/Opens.php
+++ b/mailpoet/lib/Statistics/Track/Opens.php
@@ -86,7 +86,8 @@ class Opens {
 
 header('Content-Type: image/gif');
 // Output of base64_decode is predetermined and safe in this case
- echo base64_decode('R0lGODlhAQABAJAAAP8AAAAAACH5BAUQAAAALAAAAAABAAEAAAICBAEAOw=='); // phpcs:ignore
+ // phpcs:ignore WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter, WordPress.Security.EscapeOutput.OutputNotEscaped
+ echo base64_decode('R0lGODlhAQABAJAAAP8AAAAAACH5BAUQAAAALAAAAAABAAEAAAICBAEAOw==');
 exit;
 }
 }
diff --git a/mailpoet/lib/Subscription/Manage.php b/mailpoet/lib/Subscription/Manage.php
index 0ed48cdb24..b8f0e0aa03 100644
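Review bot: The bare `//phpcs:ignore` on `echo $result;` is replaced by named sniffs, but unlike the other suppressions in this commit it carries no justification, so a reader cannot tell what makes `$result` safe to print unescaped; add a line above it such as `// $result is the newsletter HTML produced by our renderer — confirm source`, worded for wherever `displayNewsletter` is actually called from. The sniff list here uses `,` with no space while the Opens.php hunk and most others use `, `, and the Settings.php hunk mixes `//phpcs:ignore` with `// phpcs:ignore`; phpcs accepts all of these, but one spelling is easier to grep for when auditing suppressions. `echo $tracyScriptHtml;` in mailpoet_initializer.php likewise gains named sniffs without a stated reason.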
--- a/mailpoet/lib/Subscription/Manage.php
+++ b/mailpoet/lib/Subscription/Manage.php
@@ -89,10 +89,9 @@ class Manage {
 
 return sanitize_text_field($value);
 };
- //phpcs:disable WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 // custom sanitization via $sanitize
+ //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 $subscriberData = array_map($sanitize, wp_unslash((array)$_POST['data']));
- //phpcs:enable WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 $subscriberData = $this->fieldNameObfuscator->deobfuscateFormPayload($subscriberData);
 
 $result = [];
diff --git a/mailpoet/lib/WP/Functions.php b/mailpoet/lib/WP/Functions.php
index a7ddee8020..4ea8d854ac 100644
--- a/mailpoet/lib/WP/Functions.php
+++ b/mailpoet/lib/WP/Functions.php
@@ -57,10 +57,14 @@ class Functions {
 return __($text, $domain);
 }
 
- public function _e($text, $domain = 'default') { //phpcs:ignore
- return _e($text, $domain); //phpcs:ignore
+ // phpcs:disable WordPress.Security.EscapeOutput.UnsafePrintingFunction, WordPress.Security.EscapeOutput.OutputNotEscaped
+ public function _e($text, $domain = 'default') {
+ return _e($text, $domain);
 }
+ // phpcs:enable WordPress.Security.EscapeOutput.UnsafePrintingFunction, WordPress.Security.EscapeOutput.OutputNotEscaped
+
+
 
 public function _n($single, $plural, $number, $domain = 'default') {
 return _n($single, $plural, $number, $domain);
 }
diff --git a/mailpoet/lib/WooCommerce/Settings.php b/mailpoet/lib/WooCommerce/Settings.php
index 817c591adc..c04f7b0f1f 100644
--- a/mailpoet/lib/WooCommerce/Settings.php
+++ b/mailpoet/lib/WooCommerce/Settings.php
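Review bot: The two added empty lines after `// phpcs:enable ...` join the blank that already separates the methods, leaving three empty lines between `_e` and `_n` where the rest of the class uses one; drop the two `+` blank lines. Wrapping the method in a disable/enable pair is the pattern the rest of this commit replaces with single-line ignores; a `// phpcs:ignore WordPress.Security.EscapeOutput.UnsafePrintingFunction` above the signature and a `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` above `return _e($text, $domain);` would be consistent, assuming each sniff reports on that line. A docblock on `_e` is also worth adding: WPCS presumably flags direct `_e()` calls by name and will not see `->_e()` through this wrapper, so the method should state that its output is not escaped and that callers must only pass trusted, non-user-controlled text.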
@@ -30,19 +30,18 @@ class Settings {
 
 return;
 }
- //phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
- //phpcs:disable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 //The templates are in our control and the inputs are sanitized.
+ //phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped, WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 echo $this->renderer->render('woocommerce/settings_button.html', [
 'woocommerce_template_id' => (int)$this->settings->get(TransactionalEmails::SETTING_EMAIL_ID),
 ]);
 if (!(bool)$this->settings->get('woocommerce.use_mailpoet_editor')) {
 return;
 }
+ // The templates are in our control and the inputs are sanitized.
+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped,WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 echo $this->renderer->render('woocommerce/settings_overlay.html', [
 'woocommerce_template_id' => (int)$this->settings->get(TransactionalEmails::SETTING_EMAIL_ID),
 ]);
- //phpcs:enable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
- //phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 }
diff --git a/mailpoet/lib/WooCommerce/TransactionalEmailHooks.php b/mailpoet/lib/WooCommerce/TransactionalEmailHooks.php
index faf8e32e29..28ba138b72 100644
--- a/mailpoet/lib/WooCommerce/TransactionalEmailHooks.php
+++ b/mailpoet/lib/WooCommerce/TransactionalEmailHooks.php
@@ -57,21 +57,15 @@ class TransactionalEmailHooks {
 throw new InvalidStateException('WooCommerce email template is missing!');
 }
 $this->renderer->render($newsletterModel, $emailHeading);
- // phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
- // phpcs:disable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 // The HTML is generated from a $newsletter entity and can be considered safe
+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped, WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 echo $this->renderer->getHTMLBeforeContent();
- // phpcs:enable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
- // phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 });
 $this->wp->addAction('woocommerce_email_footer', function() {
- // phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
- // phpcs:disable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 // The HTML is generated from a $newsletter entity and can be considered safe
+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped, WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 echo $this->renderer->getHTMLAfterContent();
- // phpcs:enable WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
- // phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
 });
 $this->wp->addAction('woocommerce_email_styles', [$this->renderer, 'prefixCss']);
 });
diff --git a/mailpoet/mailpoet_initializer.php b/mailpoet/mailpoet_initializer.php
index df72c4067f..7a0b4a4e5f 100644
--- a/mailpoet/mailpoet_initializer.php
+++ b/mailpoet/mailpoet_initializer.php
@@ -45,7 +45,8 @@ if (WP_DEBUG && PHP_VERSION_ID >= 70100 && file_exists($tracyPath)) { $tracyScriptHtml .= "\n"; // just minor adjustments to Debugger::renderLoader() output - echo $tracyScriptHtml; // phpcs:ignore + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped, WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter + echo $tracyScriptHtml; } add_action('admin_enqueue_scripts', 'render_tracy', PHP_INT_MAX, 0);