sync + phpcs changes

includes/classes/Command.php

@@ -1255,6 +1255,7 @@ public function custom_get_transient( $pre_transient, $transient ) {
 		} else {
 			$options = $wpdb->options;
 
+			// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
 			$should_interrupt_sync = $wpdb->get_var(
 				// phpcs:disable
 				$wpdb->prepare(

includes/classes/Elasticsearch.php

@@ -1624,8 +1624,9 @@ public function add_elasticpress_version_to_user_agent( $user_agent ) {
 	 */
 	protected function add_query_log( $query ) {
 		if ( ( defined( 'WP_DEBUG' ) && WP_DEBUG ) || ( defined( 'WP_EP_DEBUG' ) && WP_EP_DEBUG ) ) {
+			// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_wp_debug_backtrace_summary
 			$query['backtrace'] = wp_debug_backtrace_summary( null, 1, false ); // VIP: Search Dev Tools relies on this backtrace
-			$this->queries[] = $query;
+			$this->queries[]    = $query;
 		}
 
 		/**

includes/classes/Feature/Facets/Facets.php

@@ -470,7 +470,7 @@ public function build_query_url( $filters ) {
 		 */
 		$query_string = apply_filters( 'ep_facet_query_string', $query_string, $query_param );
 
-		$url        = $_SERVER['REQUEST_URI'];
+		$url        = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
 		$pagination = strpos( $url, '/page' );
 		if ( false !== $pagination ) {
 			$url = substr( $url, 0, $pagination );

includes/classes/Feature/Search/Weighting.php

@@ -8,7 +8,6 @@
 namespace ElasticPress\Feature\Search;
 
 use ElasticPress\Features;
-use ElasticPress\Indexable\Post\Post;
 use ElasticPress\Utils as Utils;
 
 /**
@@ -220,8 +219,8 @@ public function render_settings_page() {
 				<input type="hidden" name="action" value="ep-weighting">
 				<?php wp_nonce_field( 'save-weighting', 'ep-weighting-nonce' ); ?>
 				<?php
-				if ( isset( $_GET['settings-updated'] ) ) : // phpcs:ignore WordPress.Security.NonceVerification
-					if ( $_GET['settings-updated'] ) : // phpcs:ignore WordPress.Security.NonceVerification
+				if ( isset( $_GET['settings-updated'] ) ) : // phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
+					if ( $_GET['settings-updated'] ) : // phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 						?>
 						<div class="notice notice-success is-dismissible">
 							<p><?php esc_html_e( 'Changes Saved!', 'elasticpress' ); ?></p>
@@ -335,6 +334,7 @@ public function render_settings_section( $post_type, $field, $current_values ) {
 	 * Handles processing the new weighting values and saving them to the elasticpress.io service
 	 */
 	public function handle_save() {
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( ! isset( $_POST['ep-weighting-nonce'] ) || ! wp_verify_nonce( $_POST['ep-weighting-nonce'], 'save-weighting' ) ) {
 			return;
 		}
@@ -343,6 +343,7 @@ public function handle_save() {
 			return;
 		}
 
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		$this->save_weighting_configuration( $_POST );
 
 		$redirect_url = admin_url( 'admin.php?page=elasticpress-weighting' );

includes/classes/Feature/SearchOrdering/SearchOrdering.php

@@ -452,7 +452,7 @@ public function save_post( $post_id, $post ) {
 		/** Post Indexable @var Post $post_indexable */
 		$post_indexable = Indexables::factory()->get( 'post' );
 
-		if ( ! isset( $_POST['search-ordering-nonce'] ) || ! wp_verify_nonce( $_POST['search-ordering-nonce'], 'save-search-ordering' ) ) {
+		if ( ! isset( $_POST['search-ordering-nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['search-ordering-nonce'] ), 'save-search-ordering' ) ) {
 			return;
 		}
 
@@ -466,7 +466,8 @@ public function save_post( $post_id, $post ) {
 		$previous_order_data = get_post_meta( $post_id, 'pointers', true );
 		$previous_post_ids   = ! empty( $previous_order_data ) ? array_flip( wp_list_pluck( $previous_order_data, 'ID' ) ) : [];
 
-		$ordered_posts = json_decode( wp_unslash( $_POST['ordered_posts'] ), true );
+		$ordered_posts = isset( $_POST['ordered_posts'] ) ? wp_unslash( $_POST['ordered_posts'] ) : ''; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+		$ordered_posts = json_decode( $ordered_posts, true );
 
 		$posts_per_page = (int) get_option( 'posts_per_page', 10 );
 
@@ -847,7 +848,7 @@ public function handle_post_untrash( $post_id ) {
 	protected function assign_term_to_post( $post_id, $term_taxonomy_id, $order ) {
 		global $wpdb;
 
-		$result = $wpdb->query(
+		$result = $wpdb->query( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
 			$wpdb->prepare(
 				"INSERT INTO $wpdb->term_relationships (object_id, term_taxonomy_id, term_order) VALUES ( %d, %d, %d ) ON DUPLICATE KEY UPDATE term_order = VALUES(term_order)",
 				$post_id,

includes/classes/Feature/WooCommerce/WooCommerce.php

@@ -511,7 +511,7 @@ public function translate_args( $query ) {
 		 * Also make sure the orderby param affects only the main query
 		 */
 		if ( ! empty( $_GET['orderby'] ) && $query->is_main_query() ) { // phpcs:ignore WordPress.Security.NonceVerification
-			$orderby = sanitize_text_field( $_GET['orderby'] ); // phpcs:ignore WordPress.Security.NonceVerification
+			$orderby = sanitize_text_field( $_GET['orderby'] ); // phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
 			switch ( $orderby ) { // phpcs:ignore WordPress.Security.NonceVerification
 				case 'popularity':
 					$query->set( 'orderby', $this->get_orderby_meta_mapping( 'total_sales' ) );
@@ -656,9 +656,13 @@ public function search_order( $wp ) {
 			return;
 		}
 
-		$search_key_safe = str_replace( array( 'Order #', '#' ), '', wc_clean( $_GET['s'] ) ); // phpcs:ignore WordPress.Security.NonceVerification
-		unset( $wp->query_vars['post__in'] );
-		$wp->query_vars['s'] = $search_key_safe;
+		// phpcs:disable WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput
+		if ( isset( $_GET['s'] ) ) {
+			$search_key_safe = str_replace( array( 'Order #', '#' ), '', wc_clean( $_GET['s'] ) );
+			unset( $wp->query_vars['post__in'] );
+			$wp->query_vars['s'] = $search_key_safe;
+		}
+		// phpcs:enable WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput
 	}
 
 	/**
@@ -892,10 +896,12 @@ public function price_filter( $args, $query_args, $query ) {
 			unset( $args['query']['bool']['should'] );
 
 			if ( ! empty( $_GET['min_price'] ) ) {
+				// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
 				$args['query']['bool']['must'][0]['range']['meta._price.long']['gte'] = $_GET['min_price'];
 			}
 
 			if ( ! empty( $_GET['max_price'] ) ) {
+				// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
 				$args['query']['bool']['must'][0]['range']['meta._price.long']['lte'] = $_GET['max_price'];
 			}
 
@@ -904,13 +910,16 @@ public function price_filter( $args, $query_args, $query ) {
 		} else {
 			unset( $args['query']['match_all'] );
 
+			// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
 			$args['query']['range']['meta._price.long']['gte'] = ! empty( $_GET['min_price'] ) ? $_GET['min_price'] : 0;
 
 			if ( ! empty( $_GET['min_price'] ) ) {
+				// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
 				$args['query']['range']['meta._price.long']['gte'] = $_GET['min_price'];
 			}
 
 			if ( ! empty( $_GET['max_price'] ) ) {
+				// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
 				$args['query']['range']['meta._price.long']['lte'] = $_GET['max_price'];
 			}
 
@@ -1037,7 +1046,7 @@ public function translate_args_admin_products_list( $query ) {
 		}
 
 		// WooCommerce unsets the search term right after using it to fetch product IDs. Here we add it back.
-		$search_term = ! empty( $_GET['s'] ) ? sanitize_text_field( $_GET['s'] ) : ''; // phpcs:ignore WordPress.Security.NonceVerification
+		$search_term = ! empty( $_GET['s'] ) ? sanitize_text_field( $_GET['s'] ) : ''; // phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
 		if ( ! empty( $search_term ) ) {
 			$query->set( 's', sanitize_text_field( $search_term ) ); // phpcs:ignore WordPress.Security.NonceVerification
 
@@ -1068,7 +1077,7 @@ public function translate_args_admin_products_list( $query ) {
 
 		// Sets the meta query for `product_type` if needed. Also removed from the WP_Query by WC in `WC_Admin_List_Table_Products::query_filters()`.
 		$product_type_query = $query->get( 'product_type', '' );
-		$product_type_url   = ! empty( $_GET['product_type'] ) ? sanitize_text_field( $_GET['product_type'] ) : ''; // phpcs:ignore WordPress.Security.NonceVerification
+		$product_type_url   = ! empty( $_GET['product_type'] ) ? sanitize_text_field( $_GET['product_type'] ) : ''; // phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
 		$allowed_prod_types = [ 'virtual', 'downloadable' ];
 		if ( empty( $product_type_query ) && ! empty( $product_type_url ) && in_array( $product_type_url, $allowed_prod_types, true ) ) {
 			$meta_query   = $query->get( 'meta_query', [] );

includes/classes/Indexable/Post/Post.php

@@ -479,34 +479,34 @@ public function prepare_document( $post_id ) {
 		$post_content_filtered_allowed = apply_filters( 'ep_allow_post_content_filtered_index', true );
 
 		$post_args = array(
-			'post_id'               => $post_id,
-			'ID'                    => $post_id,
-			'post_author'           => $user_data,
-			'post_date'             => $post_date,
-			'post_date_gmt'         => $post_date_gmt,
-			'post_title'            => $post->post_title,
-			'post_excerpt'          => $post->post_excerpt,
-			'post_content_filtered' => $post_content_filtered_allowed ? apply_filters( 'the_content', $post->post_content ) : '',
-			'post_content'          => $post->post_content,
-			'post_status'           => $post->post_status,
-			'post_name'             => $post->post_name,
-			'post_modified'         => $post_modified,
-			'post_modified_gmt'     => $post_modified_gmt,
-			'post_parent'           => $post->post_parent,
-			'post_type'             => $post->post_type,
-			'post_mime_type'        => $post->post_mime_type,
-			'permalink'             => get_permalink( $post_id ),
-			'terms'                 => $this->prepare_terms( $post ),
-			'meta'                  => $this->prepare_meta_types( $this->prepare_meta( $post ) ), // post_meta removed in 2.4.
-			'date_terms'            => $this->prepare_date_terms( $post_date ),
+			'post_id'                 => $post_id,
+			'ID'                      => $post_id,
+			'post_author'             => $user_data,
+			'post_date'               => $post_date,
+			'post_date_gmt'           => $post_date_gmt,
+			'post_title'              => $post->post_title,
+			'post_excerpt'            => $post->post_excerpt,
+			'post_content_filtered'   => $post_content_filtered_allowed ? apply_filters( 'the_content', $post->post_content ) : '',
+			'post_content'            => $post->post_content,
+			'post_status'             => $post->post_status,
+			'post_name'               => $post->post_name,
+			'post_modified'           => $post_modified,
+			'post_modified_gmt'       => $post_modified_gmt,
+			'post_parent'             => $post->post_parent,
+			'post_type'               => $post->post_type,
+			'post_mime_type'          => $post->post_mime_type,
+			'permalink'               => get_permalink( $post_id ),
+			'terms'                   => $this->prepare_terms( $post ),
+			'meta'                    => $this->prepare_meta_types( $this->prepare_meta( $post ) ), // post_meta removed in 2.4.
+			'date_terms'              => $this->prepare_date_terms( $post_date ),
 			'date_gmt_terms'          => $this->prepare_date_terms( $post_date_gmt ),
 			'modified_date_terms'     => $this->prepare_date_terms( $post_modified ),
 			'modified_date_gmt_terms' => $this->prepare_date_terms( $post_modified_gmt ),
-			'comment_count'         => $comment_count,
-			'comment_status'        => $comment_status,
-			'ping_status'           => $ping_status,
-			'menu_order'            => $menu_order,
-			'guid'                  => $post->guid,
+			'comment_count'           => $comment_count,
+			'comment_status'          => $comment_status,
+			'ping_status'             => $ping_status,
+			'menu_order'              => $menu_order,
+			'guid'                    => $post->guid,
 			// VIP: Removed thumbnail
 		);
 
@@ -722,7 +722,7 @@ protected function get_term_order( $term_taxonomy_id, $object_id ) {
 		$term_orders = wp_cache_get( $cache_key );
 
 		if ( false === $term_orders ) {
-			$results = $wpdb->get_results(
+			$results = $wpdb->get_results( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
 				$wpdb->prepare(
 					"SELECT term_taxonomy_id, term_order from $wpdb->term_relationships where object_id=%d;",
 					$object_id

includes/classes/Indexable/Post/SyncManager.php

@@ -483,7 +483,9 @@ public function action_edited_term( $term_id, $tt_id, $taxonomy ) {
 		}
 
 		// Find ID of all attached posts (query lifted from wp_delete_term())
-		$object_ids = (array) $wpdb->get_col( $wpdb->prepare( "SELECT object_id FROM $wpdb->term_relationships WHERE term_taxonomy_id = %d", $tt_id ) );
+		$object_ids = (array) $wpdb->get_col( // phpcs:disable WordPress.DB.DirectDatabaseQuery
+			$wpdb->prepare( "SELECT object_id FROM {$wpdb->term_relationships} WHERE term_taxonomy_id = %d", $tt_id )
+		);
 
 		if ( ! count( $object_ids ) ) {
 			return;

includes/classes/Indexable/Term/QueryIntegration.php

@@ -253,7 +253,7 @@ protected function format_hits_as_terms( $terms, $new_terms, $query_vars ) {
 			}
 
 			$term->elasticsearch = true; // Super useful for debugging.
-			$term = new \WP_Term( $term ); // Necessary for WordPress actions that expect WP_Term as the object type.
+			$term                = new \WP_Term( $term ); // Necessary for WordPress actions that expect WP_Term as the object type.
 
 			if ( $term ) {
 				$new_terms[] = $term;

includes/classes/Indexable/User/User.php

@@ -754,11 +754,12 @@ public function query_db( $args ) {
 		 * WP_User_Query doesn't let us get users across all blogs easily. This is the best
 		 * way to do that.
 		 */
-		// phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+		// phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
 		$objects = $wpdb->get_results( $wpdb->prepare( "SELECT SQL_CALC_FOUND_ROWS ID FROM {$wpdb->users} {$orderby} LIMIT %d, %d", (int) $args['offset'], (int) $args['number'] ) );
 
 		return [
 			'objects'       => $objects,
+			// phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
 			'total_objects' => ( 0 === count( $objects ) ) ? 0 : (int) $wpdb->get_var( 'SELECT FOUND_ROWS()' ),
 		];
 	}

includes/classes/Installer.php

@@ -113,7 +113,7 @@ public function get_install_status() {
 	 * Check if it should use the features selected during the install to update the settings.
 	 */
 	public function maybe_set_features() {
-		if ( empty( $_POST['ep_install_page_nonce'] ) || ! wp_verify_nonce( $_POST['ep_install_page_nonce'], 'ep_install_page' ) ) {
+		if ( empty( $_POST['ep_install_page_nonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['ep_install_page_nonce'] ), 'ep_install_page' ) ) {
 			return;
 		}
 

includes/classes/Screen.php

@@ -56,7 +56,7 @@ public function determine_screen() {
 		// VIP: We removed the block about returning false depending on network admin or in network mode && not network admin
 
 		// phpcs:disable WordPress.Security.NonceVerification
-		if ( ! empty( $_GET['page'] ) && false !== strpos( $_GET['page'], 'elasticpress' ) ) {
+		if ( ! empty( $_GET['page'] ) && false !== strpos( sanitize_key( $_GET['page'] ), 'elasticpress' ) ) {
 			$install_status = Installer::factory()->get_install_status();
 
 			$this->screen = 'install';

includes/classes/Upgrades.php

@@ -146,13 +146,15 @@ public function upgrade_3_6_6() {
 			return;
 		}
 
+		// phpcs:disable WordPress.DB.DirectDatabaseQuery
 		$synonyms_example_ids = $wpdb->get_col(
 			$wpdb->prepare(
 				"SELECT ID FROM {$wpdb->posts} WHERE post_type = %s AND post_content = %s LIMIT 100",
 				$synonyms::POST_TYPE_NAME,
 				$synonyms->example_synonym_list()
 			)
 		);
+		// phpcs:enable WordPress.DB.DirectDatabaseQuery
 
 		if ( ! $synonyms_example_ids ) {
 			return;

includes/dashboard.php

@@ -189,7 +189,7 @@ function maybe_skip_install() {
 		return;
 	}
 
-	if ( empty( $_GET['ep-skip-install'] ) || empty( $_GET['nonce'] ) || ! wp_verify_nonce( $_GET['nonce'], 'ep-skip-install' ) || ! in_array( Screen::factory()->get_current_screen(), [ 'install' ], true ) ) { // phpcs:ignore WordPress.Security.NonceVerification
+	if ( empty( $_GET['ep-skip-install'] ) || empty( $_GET['nonce'] ) || ! wp_verify_nonce( sanitize_key( $_GET['nonce'] ), 'ep-skip-install' ) || ! in_array( Screen::factory()->get_current_screen(), [ 'install' ], true ) ) { // phpcs:ignore WordPress.Security.NonceVerification
 		return;
 	}
 
@@ -235,6 +235,7 @@ function maybe_clear_es_info_cache() {
 
 	if ( ! empty( $_GET['ep-retry'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification
 		wp_safe_redirect( remove_query_arg( 'ep-retry' ) );
+		exit();
 	}
 }
 
@@ -382,7 +383,7 @@ function action_wp_ajax_ep_notice_dismiss() {
 		exit;
 	}
 
-	AdminNotices::factory()->dismiss_notice( $_POST['notice'] );
+	AdminNotices::factory()->dismiss_notice( sanitize_key( $_POST['notice'] ) );
 
 	wp_send_json_success();
 }
@@ -420,9 +421,9 @@ function action_wp_ajax_ep_cancel_index() {
  * @since  2.2
  */
 function action_wp_ajax_ep_save_feature() {
-	$_POST = wp_unslash( $_POST );
+	$post = wp_unslash( $_POST );
 
-	if ( empty( $_POST['feature'] ) || empty( $_POST['settings'] ) || ! check_ajax_referer( 'ep_dashboard_nonce', 'nonce', false ) ) {
+	if ( empty( $post['feature'] ) || empty( $post['settings'] ) || ! check_ajax_referer( 'ep_dashboard_nonce', 'nonce', false ) ) {
 		wp_send_json_error();
 		exit;
 	}
@@ -434,10 +435,10 @@ function action_wp_ajax_ep_save_feature() {
 		exit;
 	}
 
-	$data = Features::factory()->update_feature( $_POST['feature'], $_POST['settings'] );
+	$data = Features::factory()->update_feature( $post['feature'], $post['settings'] );
 
 	// Since we deactivated, delete auto activate notice.
-	if ( empty( $_POST['settings']['active'] ) ) {
+	if ( empty( $post['settings']['active'] ) ) {
 		Utils\delete_option( 'ep_feature_auto_activated_sync' );
 	}
 
@@ -577,20 +578,23 @@ function action_admin_init() {
 	if ( defined( 'EP_IS_NETWORK' ) && EP_IS_NETWORK && isset( $_POST['ep_language'] ) ) {
 		check_admin_referer( 'elasticpress-options' );
 
+		// phpcs:disable WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		$language = sanitize_text_field( $_POST['ep_language'] );
 		Utils\update_option( 'ep_language', $language );
 
 		if ( isset( $_POST['ep_host'] ) ) {
 			$host = esc_url_raw( trim( $_POST['ep_host'] ) );
 			Utils\update_option( 'ep_host', $host );
 		}
+		// phpcs:enable WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 
 		if ( isset( $_POST['ep_prefix'] ) ) {
 			$prefix = ( isset( $_POST['ep_prefix'] ) ) ? sanitize_text_field( wp_unslash( $_POST['ep_prefix'] ) ) : '';
 			Utils\update_option( 'ep_prefix', $prefix );
 		}
 
 		if ( isset( $_POST['ep_credentials'] ) ) {
+			// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 			$credentials = ( isset( $_POST['ep_credentials'] ) ) ? Utils\sanitize_credentials( $_POST['ep_credentials'] ) : [
 				'username' => '',
 				'token'    => '',