Merge branch 'master' of github.com:stuttter/wp-multi-network into is…

…sue/199 Includes fixes/changes to form action creation & escaping. See #199.
stuttter · Jan 29, 2025 · d82fa52 · d82fa52
2 parents b4f1504 + 2f907a2
commit d82fa52
Show file tree

Hide file tree

Showing 8 changed files with 41 additions and 32 deletions.
diff --git a/composer.json b/composer.json
@@ -17,14 +17,14 @@
   },
   "require": {
     "php": ">=5.2",
-    "composer/installers": "^1.0"
+    "composer/installers": "^1.0 || ^2.0"
   },
   "require-dev": {
-    "phpunit/phpunit": ">4.8.20 <6.0",
-    "squizlabs/php_codesniffer": "3.*",
-    "wp-coding-standards/wpcs": "^2.2",
-    "phpcompatibility/phpcompatibility-wp": "^2.1",
-    "dealerdirect/phpcodesniffer-composer-installer": "^0.7.1"
+    "phpunit/phpunit": "^9.6.0",
+    "squizlabs/php_codesniffer": "^3.11.0",
+    "wp-coding-standards/wpcs": "^3.1.0",
+    "phpcompatibility/phpcompatibility-wp": "^2.1.0",
+    "dealerdirect/phpcodesniffer-composer-installer": "^1.0.0"
   },
   "config": {
     "allow-plugins": {

diff --git a/phpcs.xml.dist b/phpcs.xml.dist
@@ -18,18 +18,28 @@
 			<property name="text_domain" type="array">
 				<element value="wp-multi-network" />
 			</property>
-			<property name="check_translator_comments" value="true" />
 		</properties>
 	</rule>
 	<rule ref="PHPCompatibilityWP" />
+	<rule ref="WordPress.WP.Capabilities">
+		<properties>
+			<property name="custom_capabilities" type="array">
+				<element value="create_networks" />
+				<element value="manage_networks" />
+				<element value="list_networks" />
+				<element value="delete_network" />
+				<element value="delete_networks" />
+				<element value="edit_network" />
+			</property>
+		</properties>
+	</rule>
 
 	<config name="testVersion" value="5.6-" />
 
 	<file>.</file>
 
 	<!-- Exclude directories we don't need to check. -->
-  <exclude-pattern>*/node_modules/*</exclude-pattern>
-  <exclude-pattern>*/tests/*</exclude-pattern>
+	<exclude-pattern>*/node_modules/*</exclude-pattern>
+	<exclude-pattern>*/tests/*</exclude-pattern>
 	<exclude-pattern>*/vendor/*</exclude-pattern>
-
 </ruleset>
diff --git a/wp-multi-network/includes/classes/class-wp-ms-network-command.php b/wp-multi-network/includes/classes/class-wp-ms-network-command.php
@@ -287,7 +287,7 @@ function ( $file ) {
 			foreach ( $this->fetcher->get_many( $args ) as $plugin ) {
 				$status = $this->get_status( $plugin->file );
 				if ( $all && in_array( $status, array( 'active', 'active-network' ), true ) ) {
-					$needing_activation --;
+					--$needing_activation;
 					continue;
 				}
 

diff --git a/wp-multi-network/includes/classes/class-wp-ms-networks-admin.php b/wp-multi-network/includes/classes/class-wp-ms-networks-admin.php
@@ -417,7 +417,7 @@ public function page_edit_network() {
 
 			<hr class="wp-header-end">
 
-			<form method="post" id="edit-network-form" action="">
+			<form method="post" action="" id="edit-network-form">
 				<div id="poststuff" class="poststuff">
 					<div id="post-body" class="metabox-holder columns-2">
 						<div id="post-body-content">
@@ -491,7 +491,7 @@ private function page_all_networks() {
 				<input type="hidden" name="action" value="domains">
 			</form>
 
-			<form method="post" id="form-domain-list" action="<?php echo esc_url( $all_networks_url ); ?>">
+			<form method="post" action="<?php echo esc_url( $all_networks_url ); ?>" id="form-domain-list">
 				<?php $wp_list_table->display(); ?>
 			</form>
 		</div>
@@ -541,7 +541,9 @@ private function page_move_site() {
 			array( $site )
 		);
 
+		// URLs to escape.
 		$add_network_url = $this->admin_url( array( 'page' => 'add-new-network' ) );
+		$form_action_url = $this->admin_url( array( 'action' => 'move', 'blog_id' => $site_id ) );
 		?>
 
 		<div class="wrap">
@@ -559,7 +561,7 @@ private function page_move_site() {
 
 			<hr class="wp-header-end">
 
-			<form method="post" action="<?php echo esc_attr( $_SERVER['REQUEST_URI'] ); ?>">
+			<form method="post" action="<?php echo esc_url( $form_action_url ); ?>">
 				<div id="poststuff">
 					<div id="post-body" class="metabox-holder columns-2">
 						<div id="postbox-container-1" class="postbox-container">
@@ -618,7 +620,7 @@ private function page_delete_network() {
 
 			<hr class="wp-header-end">
 
-			<form method="post" action="<?php echo esc_attr( remove_query_arg( 'action' ) ); ?>">
+			<form method="post" action="<?php echo esc_url( remove_query_arg( 'action' ) ); ?>">
 				<?php
 
 				if ( ! empty( $sites ) ) {
@@ -871,14 +873,14 @@ public function page_my_networks() {
 								 * @param string     $network_actions Network action links, separated by pipe ( | ) characters.
 								 * @param WP_Network $network         Current network object.
 								 */
-								echo apply_filters( 'mynetworks_network_actions', $network_actions, $network ); // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+								echo apply_filters( 'mynetworks_network_actions', $network_actions, $network ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 								?>
 							</p>
 						</td>
 
 						<?php
 						restore_current_network();
-						$i++;
+						++$i;
 					}
 					echo '</tr>';
 				}
@@ -914,7 +916,7 @@ private function handle_add_network() {
 			$clone = get_current_site()->id;
 		}
 
-		// Sanitize values.
+		// Unslash posted values.
 		$network_title  = ! empty( $_POST['title'] )
 			? wp_unslash( $_POST['title'] )
 			: '';
@@ -928,7 +930,7 @@ private function handle_add_network() {
 			? wp_unslash( $_POST['new_site'] )
 			: '';
 
-		// Additional formatting.
+		// Additional sanitization.
 		$network_title  = sanitize_text_field( $network_title );
 		$network_domain = str_replace( ' ', '', strtolower( sanitize_text_field( $network_domain ) ) );
 		$network_path   = str_replace( ' ', '', strtolower( sanitize_text_field( $network_path ) ) );
@@ -1012,7 +1014,7 @@ private function handle_update_network() {
 			wp_die( esc_html__( 'Invalid network id.', 'wp-multi-network' ) );
 		}
 
-		// Sanitize values.
+		// Unslash posted values.
 		$network_title  = ! empty( $_POST['title'] )
 			? wp_unslash( $_POST['title'] )
 			: '';
@@ -1022,11 +1024,8 @@ private function handle_update_network() {
 		$network_path   = ! empty( $_POST['path'] )
 			? wp_unslash( $_POST['path'] )
 			: '';
-		$site_name      = ! empty( $_POST['new_site'] )
-			? wp_unslash( $_POST['new_site'] )
-			: '';
 
-		// Additional formatting.
+		// Additional sanitization.
 		$network_title  = sanitize_text_field( $network_title );
 		$network_domain = str_replace( ' ', '', strtolower( sanitize_text_field( $network_domain ) ) );
 		$network_path   = str_replace( ' ', '', strtolower( sanitize_text_field( $network_path ) ) );

diff --git a/wp-multi-network/includes/classes/class-wp-ms-networks-capabilities.php b/wp-multi-network/includes/classes/class-wp-ms-networks-capabilities.php
@@ -36,7 +36,7 @@ public function add_hooks() {
 	 * @param array  $args    Additional context for the capability check.
 	 * @return array Filtered required capabilities.
 	 */
-	public function map_meta_cap( $caps, $cap, $user_id, $args ) {
+	public function map_meta_cap( $caps, $cap, $user_id, $args ) { // phpcs:ignore Generic.CodeAnalysis.UnusedFunctionParameter.FoundAfterLastUsed
 
 		// Map our meta capabilities to primitive capabilities first.
 		switch ( $cap ) {

diff --git a/wp-multi-network/includes/classes/class-wp-ms-networks-list-table.php b/wp-multi-network/includes/classes/class-wp-ms-networks-list-table.php
@@ -328,8 +328,8 @@ public function column_title( $network ) {
 
 		<strong>
 			<?php
-			echo $link; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
-			echo $network_states; // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+			echo $link; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+			echo $network_states; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			?>
 		</strong>
 

diff --git a/wp-multi-network/includes/functions.php b/wp-multi-network/includes/functions.php
@@ -586,8 +586,8 @@ function add_network( $args = array() ) {
 		 * @since 2.5.3
 		 */
 		do_action( 'added_network_blog', $new_blog_id, $new_network_id, $r );
-    
-    // add new blog id as network meta data against the new network
+
+		// add new blog id as network meta data against the new network.
 		$r['network_meta']['main_site'] = $new_blog_id;
 
 		if ( empty( $r['network_meta']['site_name'] ) ) {

diff --git a/wp-multi-network/includes/metaboxes/edit-network.php b/wp-multi-network/includes/metaboxes/edit-network.php
@@ -52,7 +52,7 @@ function wpmn_edit_network_details_metabox( $network = null ) {
 			</td>
 		</tr>
 
-		<?php do_action('wpmn_edit_network_details_metabox_after_group', $network); ?>
+		<?php do_action( 'wpmn_edit_network_details_metabox_after_group', $network ); ?>
 	</table>
 
 	<?php
@@ -67,7 +67,7 @@ function wpmn_edit_network_new_site_metabox() {
 	?>
 
 	<table class="edit-network form-table">
-		<?php do_action('wpmn_edit_network_new_site_metabox_before_group'); ?>
+		<?php do_action( 'wpmn_edit_network_new_site_metabox_before_group' ); ?>
 
 		<tr class="form-field form-required">
 			<th scope="row">
@@ -79,7 +79,7 @@ function wpmn_edit_network_new_site_metabox() {
 			</td>
 		</tr>
 
-		<?php do_action('wpmn_edit_network_new_site_metabox_after_group'); ?>
+		<?php do_action( 'wpmn_edit_network_new_site_metabox_after_group' ); ?>
 	</table>
 
 	<?php