Merge pull request #144 from 10up/feature/updated-linting

Feature/updated linting

.eslintrc.js

@@ -0,0 +1,3 @@
+module.exports = {
+	extends: ['@10up/eslint-config/wordpress'],
+};

.github/workflows/lint.yml

@@ -19,7 +19,7 @@ jobs:
         with:
           reporter: github-pr-review
           stylelint_input: '**/*.css'
-          stylelint_config: 'stylelint.config.js'
+          stylelint_config: '.stylelintrc.js'
           fail_on_error: true
   eslint:
     name: eslint

.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+npx lint-staged

.lintstagedrc.json

@@ -0,0 +1,11 @@
+{
+  "*.css": [
+    "10up-toolkit lint-style"
+  ],
+  "*.js": [
+    "10up-toolkit lint-js"
+  ],
+  "*.php": [
+    "./vendor/bin/phpcs --extensions=php --warning-severity=8 -s"
+  ]
+}

.stylelintrc.js

@@ -0,0 +1,8 @@
+module.exports = {
+	extends: [
+		"@10up/stylelint-config",
+	],
+	rules: {
+		"scale-unlimited/declaration-strict-value": null,
+	},
+}

composer.json

@@ -35,12 +35,12 @@
     "squizlabs/php_codesniffer": "3.*"
   },
   "scripts": {
-    "lint": "phpcs .",
+    "lint": "phpcs --extensions=php --warning-severity=8 -s .",
     "lint-fix": "phpcbf ."
   },
   "config": {
     "allow-plugins": {
       "dealerdirect/phpcodesniffer-composer-installer": true
     }
   }
-}
+}

includes/classes/AdminCustomizations/Customizations.php

@@ -84,7 +84,7 @@ public function main_screen() {
 				?>
 				</div>
 
-			<a class="tenup-badge" href="http://10up.com" target="_blank"><span aria-label="<?php esc_html_e( 'Link to 10up.com', 'tenup' ); ?>">10up.com</span></a>
+			<a class="tenup-badge" href="http://10up.com" target="_blank"><span aria-label="<?php esc_attr_e( 'Link to 10up.com', 'tenup' ); ?>">10up.com</span></a>
 
 			<div class="feature-section one-col">
 				<h2><?php esc_html_e( 'Thanks for working with team 10up!', 'tenup' ); ?></h2>

includes/classes/Authentication/Passwords.php

@@ -106,6 +106,8 @@ public function ms_save_settings() {
 			return;
 		}
 
+		// We're only checking if the nonce exists here, so no need to sanitize.
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'siteoptions' ) ) {
 			return;
 		}
@@ -291,6 +293,8 @@ public function validate_resetpass_form( $user_data ) {
 	public function validate_strong_password( $errors, $user_data ) {
 		$password_ok = true;
 		$enforce     = true;
+		// This is being sanitized later in the function, no need to sanitize for isset().
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		$password    = ( isset( $_POST['pass1'] ) && trim( $_POST['pass1'] ) ) ? sanitize_text_field( $_POST['pass1'] ) : false;
 		$role        = isset( $_POST['role'] ) ? sanitize_text_field( $_POST['role'] ) : false;
 		$user_id     = isset( $user_data->ID ) ? sanitize_text_field( $user_data->ID ) : false;
@@ -322,7 +326,7 @@ public function validate_strong_password( $errors, $user_data ) {
 			if ( function_exists( 'mb_ord' ) && version_compare( PHP_VERSION, '7.2.0' ) >= 0 ) {
 				$zxcvbn = new Zxcvbn();
 
-				$pw = $zxcvbn->passwordStrength( $_POST['pass1'] );
+				$pw = $zxcvbn->passwordStrength( $password );
 
 				if ( 3 > (int) $pw['score'] ) {
 					$password_ok = false;

includes/classes/SSO/SSO.php

@@ -71,15 +71,19 @@ public function ms_save_settings() {
 			return;
 		}
 
+		// We're only checking if the nonce exists here, so no need to sanitize.
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'siteoptions' ) ) {
 			return;
 		}
 
+		// We're only checking if the var exists here, so no need to sanitize.
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( ! isset( $_POST['tenup_allow_sso'] ) ) {
 			return;
 		}
 
-		$setting = $this->validate_sso_setting( $_POST['tenup_allow_sso'] );
+		$setting = $this->validate_sso_setting( sanitize_text_field( $_POST['tenup_allow_sso'] ) );
 
 		update_site_option( 'tenup_allow_sso', $setting );
 	}
@@ -270,9 +274,11 @@ public function process_client_login() {
 				$redirect_to           = admin_url();
 				$requested_redirect_to = '';
 
+				// We're only checking if the var exists here, so no need to sanitize.
+				// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 				if ( isset( $_REQUEST['redirect_to'] ) ) {
-					$redirect_to           = $_REQUEST['redirect_to'];
-					$requested_redirect_to = $_REQUEST['redirect_to'];
+					$redirect_to           = sanitize_text_field( $_REQUEST['redirect_to'] );
+					$requested_redirect_to = sanitize_text_field( $_REQUEST['redirect_to'] );
 				}
 
 				$redirect_to = apply_filters( 'login_redirect', $redirect_to, $requested_redirect_to, $user );
@@ -297,8 +303,8 @@ public function process_client_login() {
 			$tenup_login_failed = true;
 		} else {
 			$redirect_url = wp_login_url();
-			if ( isset( $_REQUEST['redirect_to'] ) && is_string( $_REQUEST['redirect_to'] ) ) {
-				$redirect_url = add_query_arg( 'redirect_to', rawurlencode( $_REQUEST['redirect_to'] ), $redirect_url );
+			if ( isset( $_REQUEST['redirect_to'] ) && is_string( sanitize_text_field( $_REQUEST['redirect_to'] ) ) ) {
+				$redirect_url = add_query_arg( 'redirect_to', rawurlencode( sanitize_text_field( $_REQUEST['redirect_to'] ) ), $redirect_url );
 			}
 
 			$proxy_url = add_query_arg(
@@ -321,10 +327,11 @@ public function process_client_login() {
 	public function update_login_form() {
 		$google_login = add_query_arg( 'action', '10up-login', wp_login_url() );
 		if ( isset( $_REQUEST['redirect_to'] ) ) {
-			$google_login = add_query_arg( 'redirect_to', rawurlencode( $_REQUEST['redirect_to'] ), $google_login );
+			$google_login = add_query_arg( 'redirect_to', rawurlencode( sanitize_text_field( $_REQUEST['redirect_to'] ) ), $google_login );
 		}
 
-		?><script type="text/javascript">
+		?>
+		<script type="text/javascript">
 			(function() {
 				document.getElementById('loginform').insertAdjacentHTML(
 					'beforebegin',

includes/classes/SupportMonitor/Debug.php

@@ -81,6 +81,8 @@ public function register_network_menu() {
 	 * @since 1.7
 	 */
 	public function empty_log() {
+		// We're only checking if the nonce exists here, so no need to sanitize.
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( empty( $_GET['tenup_support_monitor_nonce'] ) || ! wp_verify_nonce( $_GET['tenup_support_monitor_nonce'], 'tenup_sm_empty_action' ) ) {
 			return;
 		}
@@ -89,13 +91,13 @@ public function empty_log() {
 			delete_site_option( 'tenup_support_monitor_log' );
 
 			wp_safe_redirect( network_admin_url( 'settings.php?page=tenup_support_monitor' ) );
+			exit;
 		} else {
 			delete_option( 'tenup_support_monitor_log' );
 
 			wp_safe_redirect( admin_url( 'tools.php?page=tenup_support_monitor' ) );
+			exit;
 		}
-
-		exit;
 	}
 
 	/**
@@ -104,6 +106,8 @@ public function empty_log() {
 	 * @since 1.7
 	 */
 	public function test_message() {
+		// We're only checking if the nonce exists here, so no need to sanitize.
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( empty( $_GET['tenup_support_monitor_nonce'] ) || ! wp_verify_nonce( $_GET['tenup_support_monitor_nonce'], 'tenup_sm_test_message_action' ) ) {
 			return;
 		}
@@ -112,11 +116,11 @@ public function test_message() {
 
 		if ( TENUP_EXPERIENCE_IS_NETWORK ) {
 			wp_safe_redirect( network_admin_url( 'settings.php?page=tenup_support_monitor' ) );
+			exit;
 		} else {
 			wp_safe_redirect( admin_url( 'tools.php?page=tenup_support_monitor' ) );
+			exit;
 		}
-
-		exit;
 	}
 
 	/**

includes/classes/SupportMonitor/Monitor.php

@@ -56,6 +56,8 @@ public function ms_save_settings() {
 			return;
 		}
 
+		// We're only checking if the nonce exists here, so no need to sanitize.
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 		if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'siteoptions' ) ) {
 			return;
 		}