PHP compatability and changes to escaping functions
nateconley committed Jun 6, 2024
1 parent de25910 commit 925ea4a
Showing 5 changed files with 22 additions and 24 deletions.
2 changes: 1 addition & 1 deletion lib/mailchimp/mailchimp.php
Expand Up @@ -44,7 +44,7 @@ class MailChimp_API {
* @param string $api_key The API key.
* @throws Exception If no api key is set
*/
public function __construct( string $api_key ) {
public function __construct( $api_key ) {
$api_key = trim( $api_key );
if ( ! $api_key ) {
throw new Exception(
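Review bot: Dropping the `string` declaration on `__construct` (new line 21) means a non-string value such as an array now reaches `trim()`, which throws a TypeError on PHP 8 but only warns and yields null on PHP 7, so the constructor no longer rejects a bad key the same way across the versions this commit is trying to support. The docblock still promises `@param string $api_key`, so keep that contract explicit in code while preserving the existing truthiness check: `$api_key = is_string( $api_key ) ? trim( $api_key ) : '';` followed by the unchanged `if ( ! $api_key ) {`, leaving the existing throw as the failure path. The constructor body continues past the hunk, so the exception message it raises is not visible here.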
15 changes: 7 additions & 8 deletions mailchimp.php
Expand Up @@ -85,14 +85,14 @@ function mailchimp_sf_plugin_init() {
* @param array $links - Links for the plugin
* @return array - Links
*/
function mailchimp_sd_plugin_action_links( $links ) {
function mailchimp_sf_plugin_action_links( $links ) {
$settings_page = add_query_arg( array( 'page' => 'mailchimp_sf_options' ), admin_url( 'options-general.php' ) );
$settings_link = '<a href="' . esc_url( $settings_page ) . '">' . __( 'Settings', 'mailchimp_i18n' ) . '</a>';
array_unshift( $links, $settings_link );
return $links;
}

add_filter( 'plugin_action_links_' . plugin_basename( __FILE__ ), 'mailchimp_sd_plugin_action_links', 10, 1 );
add_filter( 'plugin_action_links_' . plugin_basename( __FILE__ ), 'mailchimp_sf_plugin_action_links', 10, 1 );

/**
* Loads the appropriate JS and CSS resources depending on
Expand Down Expand Up @@ -165,8 +165,8 @@ function mc_datepicker_load() {
* @return void
*/
function mailchimp_sf_early_request_handler() {
if ( isset( $_GET['mcsf_action'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
switch ( $_GET['mcsf_action'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
if ( isset( $_GET['mcsf_action'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- ignoring because this is only adding CSS
switch ( $_GET['mcsf_action'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- ignoring because this is only adding CSS
case 'main_css':
header( 'Content-type: text/css' );
mailchimp_sf_main_css();
Expand Down Expand Up @@ -277,8 +277,7 @@ function mailchimp_sf_request_handler() {
if ( ! headers_sent() ) { // just in case...
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT', true, 200 );
}
// Don't esc_html this, b/c we've already escaped it
echo mailchimp_sf_global_msg(); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo wp_kses_post( mailchimp_sf_global_msg() );
exit;
}
}
Expand Down Expand Up @@ -1132,7 +1131,7 @@ function mailchimp_sf_groups_submit( $igs ) {
$ig_ids = array_map(
'sanitize_text_field',
array_keys(
stripslashes_deep( $_POST['group'][ $ig_id ] ) // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
stripslashes_deep( $_POST['group'][ $ig_id ] ) // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- ignoring becuase this is sanitized through array_map above
)
);
foreach ( $ig_ids as $id ) {
Expand Down Expand Up @@ -1203,7 +1202,7 @@ function mailchimp_sf_verify_key( $api ) {
function mailchimp_sf_update_profile_url( $email ) {
$dc = get_option( 'mc_datacenter' );
// This is the expected encoding for emails.
$eid = base64_encode( $email ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
$eid = base64_encode( $email ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode -- ignoring because this is the expected data for the endpoint
$user = get_option( 'mc_user' );
$list_id = get_option( 'mc_list_id' );
$url = 'http://' . $dc . '.list-manage.com/subscribe/send-email?u=' . $user['account_id'] . '&id=' . $list_id . '&e=' . $eid;
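Review bot: The phpcs justification added on line 71 says the input is sanitized, but `array_keys()` is applied to `stripslashes_deep( $_POST['group'][ $ig_id ] )` with no `is_array()` check in view, so a request that sends `group[<id>]` as a plain string makes `array_keys()` throw a TypeError on PHP 8 (a warning and null on PHP 7) — relevant for a commit whose purpose is PHP compatibility. Unless a guard above the hunk already ensures an array, test `is_array( $_POST['group'][ $ig_id ] )` before this expression and fall back to an empty array, and fix the typo in the same comment (`becuase` → `because`); note too that `array_map` only sanitizes the keys, which is what the code uses, so the comment is accurate but worth saying precisely. Separately, the context line 83 builds the profile URL over plain `http://` and concatenates the base64 `$eid` unencoded; base64 output can contain `+`, `/` and `=`, of which `+` decodes as a space in a query string, so `rawurlencode( $eid )` and an `https://` scheme would be safer unless the endpoint genuinely requires the raw form as the comment on line 78 suggests. `mailchimp_sf_update_profile_url` continues beyond the hunk, so the output escaping applied to the finished URL is not visible here.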
4 changes: 2 additions & 2 deletions mailchimp_compat.php
Expand Up @@ -14,7 +14,7 @@
* @param array $args Signup form args.
* @return void
*/
function mc_display_widget( $args = array() ): void {
function mc_display_widget( $args = array() ) {
mailchimp_sf_signup_form( $args );
}
}
Expand All @@ -26,7 +26,7 @@ function mc_display_widget( $args = array() ): void {
* @param array $args Signup form args.
* @return void
*/
function mailchimp_sf_display_widget( $args = array() ): void {
function mailchimp_sf_display_widget( $args = array() ) {
mailchimp_sf_signup_form( $args );
}
}
22 changes: 11 additions & 11 deletions mailchimp_widget.php
Expand Up @@ -30,7 +30,7 @@ function mailchimp_sf_signup_form( $args = array() ) {
echo wp_kses(
__(
'Sorry, there was a problem loading your Mailchimp details. Please navigate to <strong>Settings</strong> and click <strong>Mailchimp Setup</strong> to try again.',
'mailchimp_i18n',
'mailchimp_i18n'
),
[
'strong' => [],
Expand All @@ -54,10 +54,10 @@ function mailchimp_sf_signup_form( $args = array() ) {
// See if we need to wrap the header content in our own div
if ( strlen( $header ) === strlen( wp_strip_all_tags( $header ) ) ) {
echo ! empty( $before_title ) ? wp_kses_post( $before_title ) : '<div class="mc_custom_border_hdr">';
echo wp_kses_post( $header ); // don't escape $header b/c it may have HTML allowed
echo wp_kses_post( $header );
echo ! empty( $after_title ) ? wp_kses_post( $after_title ) : '</div><!-- /mc_custom_border_hdr -->';
} else {
echo wp_kses_post( $header ); // don't escape $header b/c it may have HTML allowed
echo wp_kses_post( $header );
}
}

Expand Down Expand Up @@ -153,7 +153,7 @@ function mailchimp_sf_signup_form( $args = array() ) {
if ( $sub_heading ) {
?>
<div id="mc_subheader">
<?php echo esc_html( $sub_heading ); ?>
<?php echo wp_kses_post( $sub_heading ); ?>
</div><!-- /mc_subheader -->
<?php
}
Expand All @@ -162,7 +162,7 @@ function mailchimp_sf_signup_form( $args = array() ) {
<div class="mc_form_inside">

<div class="updated" id="mc_message">
<?php echo esc_html( mailchimp_sf_global_msg() ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
<?php echo wp_kses_post( mailchimp_sf_global_msg() ); ?>
</div><!-- /mc_message -->

<?php
Expand All @@ -183,9 +183,9 @@ function mailchimp_sf_signup_form( $args = array() ) {
// Loop over our vars, and output the ones that are set to display
foreach ( $mv as $mv_var ) {
if ( ! $mv_var['public'] ) {
echo '<div style="display:none;">' . mailchimp_form_field( $mv_var, $num_fields ) . '</div>'; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo '<div style="display:none;">' . mailchimp_form_field( $mv_var, $num_fields ) . '</div>'; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Ignoring because form field is escaped in function
} else {
echo mailchimp_form_field( $mv_var, $num_fields ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo mailchimp_form_field( $mv_var, $num_fields ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Ignoring because form field is escaped in function
}
}

Expand Down Expand Up @@ -231,11 +231,11 @@ function mailchimp_sf_signup_form( $args = array() ) {
if ( get_option( 'mc_email_type_option' ) ) {
?>
<div class="mergeRow">
<label class="mc_email_format"><?php echo esc_html__( 'Preferred Format', 'mailchimp_i18n' ); ?></label>
<label class="mc_email_format"><?php esc_html_e( 'Preferred Format', 'mailchimp_i18n' ); ?></label>
<div class="field-group groups mc_email_options">
<ul class="mc_list">
<li><input type="radio" name="email_type" id="email_type_html" value="html" checked="checked"><label for="email_type_html" class="mc_email_type"><?php echo esc_html__( 'HTML', 'mailchimp_i18n' ); ?></label></li>
<li><input type="radio" name="email_type" id="email_type_text" value="text"><label for="email_type_text" class="mc_email_type"><?php echo esc_html__( 'Text', 'mailchimp_i18n' ); ?></label></li>
<li><input type="radio" name="email_type" id="email_type_html" value="html" checked="checked"><label for="email_type_html" class="mc_email_type"><?php esc_html_e( 'HTML', 'mailchimp_i18n' ); ?></label></li>
<li><input type="radio" name="email_type" id="email_type_text" value="text"><label for="email_type_text" class="mc_email_type"><?php esc_html_( 'Text', 'mailchimp_i18n' ); ?></label></li>
</ul>
</div>
</div>
Expand Down Expand Up @@ -342,7 +342,7 @@ function mailchimp_interest_group_field( $ig ) {
}
break;
}
echo $html; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo $html; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Ignoring because html is previously escaped
}

/**
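Review bot: Line 171 calls `esc_html_( 'Text', 'mailchimp_i18n' )`, which is not a WordPress function — the two sibling labels in the same hunk were converted to `esc_html_e()` and this one lost its trailing `e`, so with `mc_email_type_option` enabled the signup form will fatal with an undefined-function error as soon as it renders. Change it to `<?php esc_html_e( 'Text', 'mailchimp_i18n' ); ?>`. Separately, the switch from `esc_html()` to `wp_kses_post()` on `$sub_heading` (line 135) widens what that value can emit from plain text to post-safe HTML, including links; that is acceptable if the option is only settable by administrators, which this diff does not show, so confirm where `$sub_heading` is loaded before relying on it. The phpcs justifications on lines 153, 156 and 180 assert that `mailchimp_form_field()` and `$html` are escaped upstream; neither is visible in the hunk, so those claims should be verified against the builders rather than taken from the comment.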
3 changes: 1 addition & 2 deletions views/setup_page.php
Expand Up @@ -21,9 +21,8 @@

// Display our success/error message(s) if have them
if ( mailchimp_sf_global_msg() !== '' ) {
// Message has already been html escaped, so we don't want to 2x escape it here
?>
<div id="mc_message" class=""><?php echo esc_html( mailchimp_sf_global_msg() ); ?></div>
<div id="mc_message" class=""><?php echo wp_kses_post( mailchimp_sf_global_msg() ); ?></div>
<?php
}

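Review bot: `mailchimp_sf_global_msg()` is called twice in this block, once for the `!== ''` test on line 190 and again inside `wp_kses_post()` on line 194; if the helper rebuilds or clears the message per call the two reads can diverge, and a single call reads cleaner: `$mc_global_msg = mailchimp_sf_global_msg(); if ( '' !== $mc_global_msg ) {` with `echo wp_kses_post( $mc_global_msg );` inside. Keep in mind that `wp_kses_post()` permits links and other post-safe markup rather than escaping, so this output is only as safe as whatever builds the message; that function is not in this diff, so confirm it does not interpolate request data unescaped. The removed comment said the message was already HTML-escaped; if that still holds, `wp_kses_post()` leaves valid entities intact, so there is no double-escaping concern, and the comment could be restored in that form to explain the choice.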
