Whitelist for CSRF, not XSS

Author: rmccue

inc/admin/namespace.php

@@ -47,7 +47,7 @@ function get_url( $params = [] ) {
  * @return string One of 'add', 'edit', 'delete', or '' for default (list)
  */
 function get_page_action() {
-	return isset( $_GET['action'] ) ? $_GET['action'] : ''; // WPCS: XSS OK
+	return isset( $_GET['action'] ) ? $_GET['action'] : ''; // WPCS: CSRF OK
 }
 
 /**
@@ -118,9 +118,9 @@ class="add-new-h2"><?php echo esc_html_x( 'Add New', 'application', 'oauth2' );
 			?>
 		</h2>
 		<?php
-		if ( ! empty( $_GET['deleted'] ) ) { // WPCS: XSS OK
+		if ( ! empty( $_GET['deleted'] ) ) { // WPCS: CSRF OK
 			echo '<div id="message" class="updated"><p>' . esc_html__( 'Deleted application.', 'oauth2' ) . '</p></div>';
-		} elseif ( ! empty( $_GET['approved'] ) ) { // WPCS: XSS OK
+		} elseif ( ! empty( $_GET['approved'] ) ) { // WPCS: CSRF OK
 			echo '<div id="message" class="updated"><p>' . esc_html__( 'Approved application.', 'oauth2' ) . '</p></div>';
 		}
 		?>

inc/admin/profile/namespace.php

@@ -124,10 +124,10 @@ function output_profile_messages() {
 		return;
 	}
 
-	if ( ! empty( $_GET['oauth2_revoked'] ) ) {
+	if ( ! empty( $_GET['oauth2_revoked'] ) ) { // WPCS: CSRF OK
 		echo '<div id="message" class="updated"><p>' . __( 'Token revoked.', 'oauth2' ) . '</p></div>';
 	}
-	if ( ! empty( $_GET['oauth2_revocation_failed'] ) ) {
+	if ( ! empty( $_GET['oauth2_revocation_failed'] ) ) { // WPCS: CSRF OK
 		echo '<div id="message" class="updated"><p>' . __( 'Unable to revoke token.', 'oauth2' ) . '</p></div>';
 	}
 }

inc/authentication/namespace.php

@@ -75,11 +75,11 @@ function get_token_from_bearer_header( $header ) {
  * @return string|null Token on succes, null on failure.
  */
 function get_token_from_request() {
-	if ( empty( $_GET['access_token'] ) ) { // WPCS: XSS OK
+	if ( empty( $_GET['access_token'] ) ) { // WPCS: CSRF OK
 		return null;
 	}
 
-	$token = $_GET['access_token']; // WPCS: XSS OK
+	$token = $_GET['access_token']; // WPCS: CSRF OK
 	if ( is_string( $token ) ) {
 		return $token;
 	}

inc/endpoints/class-authorization.php

@@ -18,8 +18,8 @@ public function register_hooks() {
 
 	public function handle_request() {
 		// If the form hasn't been submitted, show it.
-		if ( isset( $_GET['response_type'] ) ) { // WPCS: XSS OK
-			$type = wp_unslash( $_GET['response_type'] ); // WPCS: XSS OK
+		if ( isset( $_GET['response_type'] ) ) { // WPCS: CSRF OK
+			$type = wp_unslash( $_GET['response_type'] ); // WPCS: CSRF OK
 		} else {
 			$type = null;
 		}

inc/types/class-base.php

@@ -35,10 +35,10 @@ public function handle_authorisation() {
 		}
 
 		// Gather parameters.
-		$client_id    = wp_unslash( $_GET['client_id'] ); // WPCS: XSS OK
-		$redirect_uri = isset( $_GET['redirect_uri'] ) ? wp_unslash( $_GET['redirect_uri'] ) : null; // WPCS: XSS OK
-		$scope        = isset( $_GET['scope'] ) ? wp_unslash( $_GET['scope'] ) : null; // WPCS: XSS OK
-		$state        = isset( $_GET['state'] ) ? wp_unslash( $_GET['state'] ) : null; // WPCS: XSS OK
+		$client_id    = wp_unslash( $_GET['client_id'] ); // WPCS: CSRF OK
+		$redirect_uri = isset( $_GET['redirect_uri'] ) ? wp_unslash( $_GET['redirect_uri'] ) : null; // WPCS: CSRF OK
+		$scope        = isset( $_GET['scope'] ) ? wp_unslash( $_GET['scope'] ) : null; // WPCS: CSRF OK
+		$state        = isset( $_GET['state'] ) ? wp_unslash( $_GET['state'] ) : null; // WPCS: CSRF OK
 
 		$client = Client::get_by_id( $client_id );
 		if ( empty( $client ) ) {