Coding standards fixes

Author: spacedmonkey

inc/admin/class-listtable.php

@@ -1,4 +1,9 @@
 <?php
+/**
+ *
+ * @package WordPress
+ * @subpackage JSON API
+ */
 
 namespace WP\OAuth2\Admin;
 
@@ -58,7 +63,7 @@ public function column_cb( $item ) {
 		<label class="screen-reader-text"
 			for="cb-select-<?php echo esc_attr( $item->ID ); ?>"><?php esc_html_e( 'Select consumer', 'oauth2' ); ?></label>
 
-		<input id="cb-select-<?php echo esc_attr( $item->ID ) ?>" type="checkbox"
+		<input id="cb-select-<?php echo esc_attr( $item->ID ); ?>" type="checkbox"
 			name="consumers[]" value="<?php echo esc_attr( $item->ID ); ?>"/>
 
 		<?php

inc/admin/namespace.php

@@ -1,4 +1,9 @@
 <?php
+/**
+ *
+ * @package WordPress
+ * @subpackage JSON API
+ */
 
 namespace WP\OAuth2\Admin;
 
@@ -47,7 +52,7 @@ function get_url( $params = [] ) {
  * @return string One of 'add', 'edit', 'delete', or '' for default (list)
  */
 function get_page_action() {
-	return isset( $_GET['action'] ) ? $_GET['action'] : ''; // WPCS: CSRF OK
+	return isset( $_GET['action'] ) ? sanitize_text_field( wp_unslash( $_GET['action'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 }
 
 /**
@@ -75,7 +80,7 @@ function load() {
 		default:
 			global $wp_list_table;
 
-			$wp_list_table = new ListTable();
+			$wp_list_table = new ListTable(); // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
 
 			$wp_list_table->prepare_items();
 
@@ -84,6 +89,9 @@ function load() {
 
 }
 
+/**
+ *
+ */
 function dispatch() {
 	switch ( get_page_action() ) {
 		case 'add':
@@ -112,16 +120,16 @@ function render() {
 
 			if ( current_user_can( 'create_users' ) ) :
 				?>
-				<a href="<?php echo esc_url( get_url( 'action=add' ) ) ?>"
+				<a href="<?php echo esc_url( get_url( 'action=add' ) ); ?>"
 					class="add-new-h2"><?php echo esc_html_x( 'Add New', 'application', 'oauth2' ); ?></a>
 				<?php
 			endif;
 			?>
 		</h2>
 		<?php
-		if ( ! empty( $_GET['deleted'] ) ) { // WPCS: CSRF OK
+		if ( ! empty( $_GET['deleted'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			echo '<div id="message" class="updated"><p>' . esc_html__( 'Deleted application.', 'oauth2' ) . '</p></div>';
-		} elseif ( ! empty( $_GET['approved'] ) ) { // WPCS: CSRF OK
+		} elseif ( ! empty( $_GET['approved'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			echo '<div id="message" class="updated"><p>' . esc_html__( 'Approved application.', 'oauth2' ) . '</p></div>';
 		}
 		?>
@@ -130,7 +138,7 @@ class="add-new-h2"><?php echo esc_html_x( 'Add New', 'application', 'oauth2' );
 
 		<form action="" method="get">
 
-			<?php $wp_list_table->search_box( __( 'Search Applications', 'oauth2' ), 'oauth2' ); ?>
+			<?php $wp_list_table->search_box( esc_html__( 'Search Applications', 'oauth2' ), 'oauth2' ); ?>
 
 			<?php $wp_list_table->display(); ?>
 
@@ -152,22 +160,22 @@ function validate_parameters( $params ) {
 	$valid = [];
 
 	if ( empty( $params['name'] ) ) {
-		return new WP_Error( 'rest_oauth2_missing_name', __( 'Client name is required', 'oauth2' ) );
+		return new WP_Error( 'rest_oauth2_missing_name', esc_html__( 'Client name is required', 'oauth2' ) );
 	}
 	$valid['name'] = wp_kses_post( $params['name'] );
 
 	if ( empty( $params['description'] ) ) {
-		return new WP_Error( 'rest_oauth2_missing_description', __( 'Client description is required', 'oauth2' ) );
+		return new WP_Error( 'rest_oauth2_missing_description', esc_html__( 'Client description is required', 'oauth2' ) );
 	}
 	$valid['description'] = wp_kses_post( $params['description'] );
 
 	if ( empty( $params['type'] ) ) {
-		return new WP_Error( 'rest_oauth2_missing_type', __( 'Type is required.', 'oauth2' ) );
+		return new WP_Error( 'rest_oauth2_missing_type', esc_html__( 'Type is required.', 'oauth2' ) );
 	}
 	$valid['type'] = wp_kses_post( $params['type'] );
 
 	if ( empty( $params['callback'] ) ) {
-		return new WP_Error( 'rest_oauth2_missing_callback', __( 'Client callback is required and must be a valid URL.', 'oauth2' ) );
+		return new WP_Error( 'rest_oauth2_missing_callback', esc_html__( 'Client callback is required and must be a valid URL.', 'oauth2' ) );
 	}
 	if ( ! empty( $params['callback'] ) ) {
 		$valid['callback'] = $params['callback'];
@@ -252,7 +260,7 @@ function handle_edit_submit( Client $consumer = null ) {
  */
 function render_edit_page() {
 	if ( ! current_user_can( 'edit_users' ) ) {
-		wp_die( __( 'You do not have permission to access this page.', 'oauth2' ) );
+		wp_die( esc_html__( 'You do not have permission to access this page.', 'oauth2' ) );
 	}
 
 	// Are we editing?
@@ -263,17 +271,21 @@ function render_edit_page() {
 		$id       = absint( $_REQUEST['id'] );
 		$consumer = Client::get_by_post_id( $id );
 		if ( is_wp_error( $consumer ) || empty( $consumer ) ) {
-			wp_die( __( 'Invalid client ID.', 'oauth2' ) );
+			wp_die( esc_html__( 'Invalid client ID.', 'oauth2' ) );
 		}
 
-		$form_action       = get_url( [
-			'action' => 'edit',
-			'id'     => $id,
-		] );
-		$regenerate_action = get_url( [
-			'action' => 'regenerate',
-			'id'     => $id,
-		] );
+		$form_action       = get_url(
+			[
+				'action' => 'edit',
+				'id'     => $id,
+			]
+		);
+		$regenerate_action = get_url(
+			[
+				'action' => 'regenerate',
+				'id'     => $id,
+			]
+		);
 	}
 
 	// Handle form submission
@@ -292,15 +304,15 @@ function render_edit_page() {
 	if ( ! empty( $_GET['did_action'] ) ) {
 		switch ( $_GET['did_action'] ) {
 			case 'edit':
-				$messages[] = __( 'Updated application.', 'oauth2' );
+				$messages[] = esc_html__( 'Updated application.', 'oauth2' );
 				break;
 
 			case 'regenerate':
-				$messages[] = __( 'Regenerated secret.', 'oauth2' );
+				$messages[] = esc_html__( 'Regenerated secret.', 'oauth2' );
 				break;
 
 			default:
-				$messages[] = __( 'Successfully created application.', 'oauth2' );
+				$messages[] = esc_html__( 'Successfully created application.', 'oauth2' );
 				break;
 		}
 	}
@@ -324,15 +336,17 @@ function render_edit_page() {
 
 	// Header time!
 	global $title, $parent_file, $submenu_file;
-	$title        = $consumer ? __( 'Edit Application', 'oauth2' ) : __( 'Add Application', 'oauth2' );
+	// phpcs:disable WordPress.WP.GlobalVariablesOverride.Prohibited
+	$title        = $consumer ? esc_html__( 'Edit Application', 'oauth2' ) : esc_html__( 'Add Application', 'oauth2' );
 	$parent_file  = 'users.php';
 	$submenu_file = BASE_SLUG;
+	// phpcs:enable
 
 	include( ABSPATH . 'wp-admin/admin-header.php' );
 	?>
 
 	<div class="wrap">
-		<h2 id="edit-site"><?php echo esc_html( $title ) ?></h2>
+		<h2 id="edit-site"><?php echo esc_html( $title ); ?></h2>
 
 		<?php
 		if ( ! empty( $messages ) ) {
@@ -342,28 +356,28 @@ function render_edit_page() {
 		}
 		?>
 
-		<form method="post" action="<?php echo esc_url( $form_action ) ?>">
+		<form method="post" action="<?php echo esc_url( $form_action ); ?>">
 			<table class="form-table">
 				<tr>
 					<th scope="row">
-						<label for="oauth-name"><?php echo esc_html_x( 'Client Name', 'field name', 'oauth2' ) ?></label>
+						<label for="oauth-name"><?php echo esc_html_x( 'Client Name', 'field name', 'oauth2' ); ?></label>
 					</th>
 					<td>
-						<input type="text" class="regular-text" name="name" id="oauth-name" value="<?php echo esc_attr( $data['name'] ) ?>"/>
-						<p class="description"><?php esc_html_e( 'This is shown to users during authorization and in their profile.', 'oauth2' ) ?></p>
+						<input type="text" class="regular-text" name="name" id="oauth-name" value="<?php echo esc_attr( $data['name'] ); ?>"/>
+						<p class="description"><?php esc_html_e( 'This is shown to users during authorization and in their profile.', 'oauth2' ); ?></p>
 					</td>
 				</tr>
 				<tr>
 					<th scope="row">
-						<label for="oauth-description"><?php echo esc_html_x( 'Description', 'field name', 'oauth2' ) ?></label>
+						<label for="oauth-description"><?php echo esc_html_x( 'Description', 'field name', 'oauth2' ); ?></label>
 					</th>
 					<td>
-					<textarea class="regular-text" name="description" id="oauth-description" cols="30" rows="5" style="width: 500px"><?php echo esc_textarea( $data['description'] ) ?></textarea>
+					<textarea class="regular-text" name="description" id="oauth-description" cols="30" rows="5" style="width: 500px"><?php echo esc_textarea( $data['description'] ); ?></textarea>
 					</td>
 				</tr>
 				<tr>
 					<th scope="row">
-						<?php echo esc_html_x( 'Type', 'field name', 'oauth2' ) ?>
+						<?php echo esc_html_x( 'Type', 'field name', 'oauth2' ); ?>
 					</th>
 					<td>
 						<ul>
@@ -412,11 +426,11 @@ function render_edit_page() {
 				</tr>
 				<tr>
 					<th scope="row">
-						<label for="oauth-callback"><?php echo esc_html_x( 'Callback', 'field name', 'oauth2' ) ?></label>
+						<label for="oauth-callback"><?php echo esc_html_x( 'Callback', 'field name', 'oauth2' ); ?></label>
 					</th>
 					<td>
-						<input type="text" class="regular-text" name="callback" id="oauth-callback" value="<?php echo esc_attr( $data['callback'] ) ?>"/>
-						<p class="description"><?php esc_html_e( "Your application's callback URI or a list of comma separated URIs. The callback passed with the request token must match the scheme, host, port, and path of this URL.", 'oauth2' ) ?></p>
+						<input type="text" class="regular-text" name="callback" id="oauth-callback" value="<?php echo esc_attr( $data['callback'] ); ?>"/>
+						<p class="description"><?php esc_html_e( "Your application's callback URI or a list of comma separated URIs. The callback passed with the request token must match the scheme, host, port, and path of this URL.", 'oauth2' ); ?></p>
 					</td>
 				</tr>
 			</table>
@@ -425,42 +439,42 @@ function render_edit_page() {
 
 			if ( empty( $consumer ) ) {
 				wp_nonce_field( 'rest-oauth2-add' );
-				submit_button( __( 'Create Client', 'oauth2' ) );
+				submit_button( esc_html__( 'Create Client', 'oauth2' ) );
 			} else {
 				echo '<input type="hidden" name="id" value="' . esc_attr( $consumer->get_post_id() ) . '" />';
 				wp_nonce_field( 'rest-oauth2-edit-' . $consumer->get_post_id() );
-				submit_button( __( 'Save Client', 'oauth2' ) );
+				submit_button( esc_html__( 'Save Client', 'oauth2' ) );
 			}
 
 			?>
 		</form>
 
 		<?php if ( ! empty( $consumer ) ) : ?>
-			<form method="post" action="<?php echo esc_url( $regenerate_action ) ?>">
-				<h3><?php esc_html_e( 'OAuth Credentials', 'oauth2' ) ?></h3>
+			<form method="post" action="<?php echo esc_url( $regenerate_action ); ?>">
+				<h3><?php esc_html_e( 'OAuth Credentials', 'oauth2' ); ?></h3>
 
 				<table class="form-table">
 					<tr>
 						<th scope="row">
-							<?php esc_html_e( 'Client Key', 'oauth2' ) ?>
+							<?php esc_html_e( 'Client Key', 'oauth2' ); ?>
 						</th>
 						<td>
-							<code><?php echo esc_html( $consumer->get_id() ) ?></code>
+							<code><?php echo esc_html( $consumer->get_id() ); ?></code>
 						</td>
 					</tr>
 					<tr>
 						<th scope="row">
-							<?php esc_html_e( 'Client Secret', 'oauth2' ) ?>
+							<?php esc_html_e( 'Client Secret', 'oauth2' ); ?>
 						</th>
 						<td>
-							<code><?php echo esc_html( $consumer->get_secret() ) ?></code>
+							<code><?php echo esc_html( $consumer->get_secret() ); ?></code>
 						</td>
 					</tr>
 				</table>
 
 				<?php
 				wp_nonce_field( 'rest-oauth2-regenerate:' . $consumer->get_post_id() );
-				submit_button( __( 'Regenerate Secret', 'oauth2' ), 'delete' );
+				submit_button( esc_html__( 'Regenerate Secret', 'oauth2' ), 'delete' );
 				?>
 			</form>
 		<?php endif ?>
@@ -482,22 +496,21 @@ function handle_delete() {
 
 	if ( ! current_user_can( 'delete_post', $id ) ) {
 		wp_die(
-			'<h1>' . __( 'Cheatin&#8217; uh?', 'oauth2' ) . '</h1>' .
-			'<p>' . __( 'You are not allowed to delete this application.', 'oauth2' ) . '</p>',
+			'<h1>' . esc_html__( 'Cheatin&#8217; uh?', 'oauth2' ) . '</h1>' .
+			'<p>' . esc_html__( 'You are not allowed to delete this application.', 'oauth2' ) . '</p>',
 			403
 		);
 	}
 
 	$client = Client::get_by_post_id( $id );
 	if ( is_wp_error( $client ) ) {
-		wp_die( $client );
+		wp_die( $client ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 
 		return;
 	}
 
 	if ( ! $client->delete() ) {
-		$message = 'Invalid client ID';
-		wp_die( $message );
+		wp_die( esc_html__( 'Invalid client ID' ) );
 
 		return;
 	}
@@ -519,20 +532,20 @@ function handle_approve() {
 
 	if ( ! current_user_can( 'publish_post', $id ) ) {
 		wp_die(
-			'<h1>' . __( 'Cheatin&#8217; uh?', 'oauth2' ) . '</h1>' .
-			'<p>' . __( 'You are not allowed to approve this application.', 'oauth2' ) . '</p>',
+			'<h1>' . esc_html__( 'Cheatin&#8217; uh?', 'oauth2' ) . '</h1>' .
+			'<p>' . esc_html__( 'You are not allowed to approve this application.', 'oauth2' ) . '</p>',
 			403
 		);
 	}
 
 	$client = Client::get_by_post_id( $id );
 	if ( is_wp_error( $client ) ) {
-		wp_die( $client );
+		wp_die( $client ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	}
 
 	$did_approve = $client->approve();
 	if ( is_wp_error( $did_approve ) ) {
-		wp_die( $did_approve );
+		wp_die( $did_approve ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	}
 
 	wp_safe_redirect( get_url( 'approved=1' ) );
@@ -552,22 +565,26 @@ function handle_regenerate() {
 
 	if ( ! current_user_can( 'edit_post', $id ) ) {
 		wp_die(
-			'<h1>' . __( 'Cheatin&#8217; uh?', 'oauth2' ) . '</h1>' .
-			'<p>' . __( 'You are not allowed to edit this application.', 'oauth2' ) . '</p>',
+			'<h1>' . esc_html__( 'Cheatin&#8217; uh?', 'oauth2' ) . '</h1>' .
+			'<p>' . esc_html__( 'You are not allowed to edit this application.', 'oauth2' ) . '</p>',
 			403
 		);
 	}
 
 	$client = Client::get_by_post_id( $id );
 	$result = $client->regenerate_secret();
 	if ( is_wp_error( $result ) ) {
-		wp_die( $result->get_error_message() );
+		wp_die( esc_html( $result->get_error_message() ) );
 	}
 
-	wp_safe_redirect( get_url( [
-		'action'     => 'edit',
-		'id'         => $id,
-		'did_action' => 'regenerate',
-	] ) );
+	wp_safe_redirect(
+		get_url(
+			[
+				'action'     => 'edit',
+				'id'         => $id,
+				'did_action' => 'regenerate',
+			]
+		)
+	);
 	exit;
 }