Commit 16a3c4d

Playground plugin: add missing headers, update composer dependencies and sanitize inputs (#204)
## What?

This PR addresses the feedback we received from the WordPress.org submission review team.

- Add textdomain, required PHP version, and license headers
- Update composer dependencies and fix related issues
- Ensure inputs are sanitized and outputs are escaped
- Remove unused returnUrl code

<details>
<summary>WordPress.org submission review feedback</summary>

Hello,

There are issues with your plugin code preventing it from being approved immediately. We have pended your submission in order to help you correct all issues so that it may be approved and published.

We ask you read this email in its entirety, address all listed issues, and reply to this email with your corrected code attached (or linked). You have three (3) months to make all corrections, before your plugin will be rejected. Even so, as long as you reply to this email, we will be able to continue with your review and eventually publish your code.

Remember in addition to code quality, security and functionality, we require all plugins adhere to our guidelines. If you have not yet, please read them: https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/

We know it can be long, but you must follow the directions at the end as not doing so will result in your review being delayed. It is required for you to read and reply to these emails, and failure to do so will result in significant delays with your plugin being accepted.

Finally, should you at any time wish to alter your permalink (aka the plugin slug), you must explicitly tell us what you want it to be. Just changing the display name is not sufficient, and we require you to clearly state your desired permalink. Remember, permalinks cannot be altered after approval.

Be aware that you will not be able to submit another plugin while this one is being reviewed.

## No GPL-compatible license declared

It is necessary to declare the license of this plugin. You can do this using the fields available both in the plugin readme and in the plugin headers. Remember that all code, data, and images — anything stored in the plugin directory hosted on WordPress.org — must comply with the GPL or a GPL-Compatible license. Included third-party libraries, code, images, or otherwise, must be also compatible. For a specific list of compatible licenses, [please read the GPL-Compatible license list on gnu.org](https://www.gnu.org/licenses/license-list.html#GPLCompatibleLicenses).

The license declared on this plugin is either not present or it's not GPL compatible:

ERROR: License declaration not found on playground.php

Please check the header requirements in order to correctly declare the license of the plugin: https://developer.wordpress.org/plugins/plugin-basics/header-requirements/

It is necessary to configure the "License: " field in the plugin header with a valid, GPL-compliant license name.

## Out of Date Libraries

At least one of the 3rd party libraries you're using is out of date. Please upgrade to the latest stable version for better support and security. We do not recommend you use beta releases.

From your plugin:

maennchen/zipstream-php 2.2.6 ~ 3.1.0
ZipStream is a library for dynamically streaming dynamic zip files from PHP without writing to the disk at all on the server.

## Your admin dashboard has an iframe

Having the admin dashboard include an iframe isn't permitted in the majority of cases for two main reasons - security and appearance. Instead, we recommend you change your code to use an API or just link back to your site so they can configure things there.

If your iframe automatically loads content from your site without prior notification and acceptance, you may in fact be violating tracking laws and our own guidelines. People have the right to opt-in to being tracked or monitored, and it's much harder to do that with an iframe that loads data right away, versus an API that can simply check 'Am I connected? No? Prompt for keys please!'

Iframes also make it difficult for people to tell if they're on their own site or yours, which can make them assume they've logged in to WordPress, not your service. Also keep in mind that iframes are not always mobile friendly, and your plugin may become unusable on a phone or smaller.

Finally, having a remote call like that, which loads an entire page without timeouts, can cause negative experiences with regards to usability, making a site hang and run slowly.

Related to this, we do not permit internal iframe usage (using an iframe on files included in your plugin) because it's a poor coding practice. PHP can natively include other files, and Javascript can ajaxify your interface if needed.

Example(s) from your plugin:

playground/templates/playground-page.php:29: `<iframe id="wp-playground"></iframe>`

## Data Must be Sanitized, Escaped, and Validated

When you include POST/GET/REQUEST/FILE calls in your plugin, it's important to sanitize, validate, and escape them. The goal here is to prevent a user from accidentally sending trash data through the system, as well as protecting them from potential security issues.

SANITIZE: Data that is input (either by a user or automatically) must be sanitized as soon as possible. This lessens the possibility of XSS vulnerabilities and MITM attacks where posted data is subverted.

VALIDATE: All data should be validated, no matter what. Even when you sanitize, remember that you don't want someone putting in 'dog' when the only valid values are numbers.

ESCAPE: Data that is output must be escaped properly when it is echo'd, so it can't hijack admin screens. There are many esc_*() functions you can use to make sure you don't show people the wrong data.

To help you with this, WordPress comes with a number of sanitization and escaping functions. You can read about those here:

https://developer.wordpress.org/apis/security/sanitizing/
https://developer.wordpress.org/apis/security/escaping/

Remember: You must use the most appropriate functions for the context. If you're sanitizing email, use sanitize_email(), if you're outputting HTML, use wp_kses_post(), and so on.

An easy mantra here is this:

Sanitize early
Escape Late
Always Validate

Clean everything, check everything, escape everything, and never trust the users to always have input sane data. After all, users come from all walks of life.

Example(s) from your plugin:

playground/playground.php:64 `'pluginSlug' => isset($_GET['pluginSlug']) ? $_GET['pluginSlug'] : false,`

playground/playground.php:154 `$retUrl = wp_parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) . urlencode('?' . http_build_query($_GET));`
-----> `wp_parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)`
-----> `http_build_query($_GET)`

## Processing the whole input

We strongly recommend you never attempt to process the whole $_POST/$_REQUEST/$_GET stack. This makes your plugin slower as you're needlessly cycling through data you don't need. Instead, you should only be attempting to process the items within that are required for your plugin to function.

Example(s) from your plugin:

playground/playground.php:154 `$retUrl = wp_parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) . urlencode('?' . http_build_query($_GET));`
-----> `$_GET`

----------------------------------------------

Please note that due to the significant backlog the Plugin Review team is facing, we have only done a basic review of your plugin. Once the issues we shared above are fixed, we will do a more in-depth review that might surface other issues. In order to prevent further delays, we strongly urge you to [review the guidelines](https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/) again before you resubmit it.

If the corrections we requested in this initial review are not completed within 3 months (90 days), we will reject this submission in order to keep our queue manageable and you will need to resubmit the plugin from scratch.

Your next steps are:

1. Make all the corrections related to the issues we listed.
2. Review your entire code [following the guidelines](https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/) to ensure there are no other related concerns.
3. Go to ["Add your plugin"](https://wordpress.org/plugins/developers/add/) and upload an updated version of this plugin. You can update the code there whenever you need to along the review process, we will check the latest version.
4. Reply to this email telling us that you have updated it and letting us know if there is anything we need to know or have in mind. It is not necessary to list the changes, as we will check the whole plugin again.

To make this process as quick as possible and to avoid burden on the volunteers devoting their time to review this plugin's code, we ask you to thoroughly check all shared issues and fix them before sending the code back to us.

We again remind you that should you wish to alter your permalink (not the display name, the plugin slug), you must explicitly tell us what you want it to be. We require you to clearly state in the body of your email what your desired permalink is. Permalinks cannot be altered after approval, and we generally do not accept requests to rename should you fail to inform us during the review. If you previously asked for a permalink change and got a reply that it has been processed, you're all good! While these emails will still use the original display name, you don't need to panic. If you did not get a reply that we processed the permalink, let us know immediately.

While we have tried to make this review as exhaustive as possible we, like you, are humans and may have missed things. As such, we will re-review the entire plugin when you send it back to us. We appreciate your patience and understanding.

If you have questions, concerns, or need clarification, please reply to this email and just ask us.

--
WordPress Plugin Review Team | [plugins@wordpress.org](mailto:plugins@wordpress.org)
https://make.wordpress.org/plugins/
https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/

</details>

## Why?

To address the WordPress.org submission review feedback.

## How?

### Add textdomain, required PHP version, and license headers

By adding missing headers to `playground.php`.

### Update composer dependencies and fix related issues

Updated composer package and updated the `ZipStream` code to work in the latest version. I also had to disable Composer platform checks to prevent Composer from throwing an error (__Composer detected issues in your platform: Your Composer dependencies require a 64-bit build of PHP.__).

### Ensure inputs are sanitized and outputs are escaped

Checked all inputs and outputs to ensure they are sanitized and escaped.

### Remove unused returnUrl code

This code was unused and didn't match the WP.org guidelines, so I removed it.

## Testing Instructions

1. Check out the branch.
2. Open the Playground plugin folder
   ```
   cd packages/playground
   ```
3. Start a local server or install the Playground plugin on an existing server
   ```
   wp-env start
   ```
4. Open the site
5. [Start a sandbox](https://github.com/WordPress/playground-tools/blob/trunk/packages/playground/README.txt#L25)
6. Confirm that the sandbox loads with a copy of your data
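The sanitize-early, validate, escape-late pattern the review asks for, applied to the plugin's own `pluginSlug` query parameter. This is an added example, not code from the Playground plugin; it assumes it runs inside a loaded WordPress (`wp_unslash`, `sanitize_key`, `add_query_arg`, `admin_url`, `esc_url`, `esc_html__` are core functions), and the `example_*` function names and the `admin.php?page=playground` page slug are hypothetical.

```php
<?php
// Added example, not part of the Playground plugin. Assumes WordPress core is
// loaded; the example_* names and the admin page slug below are hypothetical.

/**
 * Sanitize early: read exactly one query parameter (never the whole $_GET),
 * strip the magic-quote slashes WordPress adds to superglobals, and reduce
 * the value to the character set a plugin slug may contain.
 * Returns '' when the parameter is absent or unusable.
 */
function example_requested_plugin_slug(): string {
    // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only lookup, no state change.
    if ( ! isset( $_GET['pluginSlug'] ) || ! is_string( $_GET['pluginSlug'] ) ) {
        return '';
    }
    $slug = sanitize_key( wp_unslash( $_GET['pluginSlug'] ) );

    // Validate: sanitize_key() only removes characters; it still lets '' or '___'
    // through, so check the shape of a WordPress.org slug explicitly.
    if ( ! preg_match( '/^[a-z0-9]+(?:-[a-z0-9]+)*$/', $slug ) ) {
        return '';
    }
    return $slug;
}

/**
 * Build the preview URL from the sanitized slug. No escaping here:
 * add_query_arg() URL-encodes the value, and escaping belongs to the
 * output context, not to an intermediate string.
 */
function example_preview_url( string $slug ): string {
    return add_query_arg(
        [ 'pluginSlug' => $slug ],               // sanitized value, not esc_attr()
        admin_url( 'admin.php?page=playground' ) // hypothetical page slug
    );
}

/**
 * Escape late and per context: esc_url() for an href attribute,
 * esc_html__() for text content between the tags.
 */
function example_render_preview_link( string $slug ): string {
    return sprintf(
        '<a href="%s">%s</a>',
        esc_url( example_preview_url( $slug ) ),
        esc_html__( 'Preview in Playground', 'playground' )
    );
}
```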
1 parent 2e381b9 commit 16a3c4d

118 files changed

+4215
-9710
lines changed


packages/playground/README.txt

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@ Contributors: wordpressdotorg, antoniosejas, berislavgrgicak, zieladam
33
Tags: playground, staging, sandbox
44
Requires at least: 6.0
55
Tested up to: 6.4
6-
Stable tag: 0.0.2
6+
Stable tag: 0.0.3
77
Requires PHP: 7.0
88
License: GPLv2
99
License URI: https://www.gnu.org/licenses/gpl-2.0.html
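Review bot: the unchanged `Requires PHP: 7.0` context line in this hunk now contradicts the plugin header, which this same commit sets to `Requires PHP: 8.0`, and the new `ZipStream(outputName: ..., sendHttpHeaders: true)` call uses named arguments, which are PHP 8.0 syntax, so a PHP 7.x site would fatal on load. Bump the readme value to match the header (and check the php constraint zipstream-php 3.1 itself declares in composer.lock, since that is what triggered the platform-check error) so WordPress.org refuses installation on PHP versions the plugin cannot run on.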

packages/playground/composer.json

Lines changed: 4 additions & 1 deletion
@@ -2,6 +2,9 @@
22
"name": "wordpress/playground",
33
"description": "A WordPress plugin for collecting the content of a site and spinning up WordPress Playground with a copy of the site content.",
44
"require": {
5-
"maennchen/zipstream-php": "^2.2"
5+
"maennchen/zipstream-php": "^3.1.0"
6+
},
7+
"config": {
8+
"platform-check": false
69
}
710
}
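Review bot: `"platform-check": false` silences the check rather than resolving what it reported; per the commit message Composer refused to load because a dependency declares a 64-bit PHP requirement, and with the check off a 32-bit host will fail somewhere inside the zip streaming code instead of with a clear error at autoload time. If the requirement is real, state it in README.txt and guard it in the plugin (for example, check `PHP_INT_SIZE === 8` at activation and bail with a message); if it is not, keep the `^3.1.0` constraint but leave the platform check on.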

packages/playground/composer.lock

Lines changed: 20 additions & 204 deletions

packages/playground/playground.php

Lines changed: 12 additions & 12 deletions
@@ -1,11 +1,15 @@
11
<?php
2-
/*
3-
Plugin Name: Playground
4-
Plugin URI: https://github.com/WordPress/playground-tools/tree/trunk/packages/playground
5-
Description: Packages your WordPress install and sends it to Playground.
6-
Author: WordPress Contributors
7-
Version: 0.0.2
8-
*/
2+
3+
/**
4+
* Plugin Name: Playground
5+
* Plugin URI: https://github.com/WordPress/playground-tools/tree/trunk/packages/playground
6+
* Description: Packages your WordPress install and sends it to Playground.
7+
* Author: WordPress Contributors
8+
* Version: 0.0.3
9+
* Requires PHP: 8.0
10+
* License: GPLv2
11+
* Text Domain: playground
12+
*/
913

1014
namespace WordPress\Playground;
1115

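Review bot: `* License: GPLv2` satisfies the reviewer's check, but README.txt in this same commit also carries `License URI: https://www.gnu.org/licenses/gpl-2.0.html`; add the matching `* License URI:` line here so the two declarations stay in sync (the header-requirements page the reviewer linked lists it alongside `License`). `Text Domain: playground` matches the domain passed to `esc_attr_e('Go Back', 'playground')` in the template, so that part is consistent.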
@@ -61,7 +65,7 @@ function enqueue_scripts($current_screen_id)
6165
esc_url('https://playground.wordpress.net/remote.html'),
6266
),
6367
// phpcs:ignore WordPress.Security.NonceVerification.Recommended
64-
'pluginSlug' => isset($_GET['pluginSlug']) ? $_GET['pluginSlug'] : false,
68+
'pluginSlug' => isset($_GET['pluginSlug']) ? sanitize_text_field($_GET['pluginSlug']) : false,
6569
'userId' => get_current_user_id(),
6670
]);
6771
wp_enqueue_script('playground');
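Review bot: `sanitize_text_field()` on line 68 strips tags and control characters but still admits spaces and most punctuation, which a plugin slug never contains; `sanitize_key()` reduces the value to lowercase `[a-z0-9_-]`, which both sanitizes and validates it for this use. WordPress also adds magic-quote slashes to superglobals, so core convention (and WPCS) expects `wp_unslash()` first: `'pluginSlug' => isset($_GET['pluginSlug']) ? sanitize_key(wp_unslash($_GET['pluginSlug'])) : false,`. The `phpcs:ignore` for nonce verification is fine to keep since this is a read-only lookup.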
@@ -150,13 +154,9 @@ function render_playground_page()
150154
*/
151155
function plugin_install_action_links($action_links, $plugin)
152156
{
153-
// phpcs:ignore WordPress.Security.NonceVerification.Recommended
154-
$retUrl = wp_parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) . urlencode('?' . http_build_query($_GET));
155-
156157
$preview_url = add_query_arg(
157158
[
158159
'pluginSlug' => esc_attr($plugin['slug']),
159-
'returnUrl' => esc_attr($retUrl),
160160
],
161161
admin_url('admin.php?page=' . PLAYGROUND_ADMIN_PAGE_SLUG)
162162
);
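Review bot: with `$retUrl` gone, grep the JavaScript and template side for `returnUrl` so nothing is left reading a parameter that is no longer sent. In the unchanged context, `'pluginSlug' => esc_attr($plugin['slug'])` applies an HTML-attribute escaper to a value that `add_query_arg()` then URL-encodes, so the value is double-handled; normalise the slug with `sanitize_key()` here and leave escaping to the point where the URL is printed (`esc_url()` on the href).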

packages/playground/src/playground-zip.php

Lines changed: 2 additions & 5 deletions
@@ -7,7 +7,6 @@
77
require __DIR__ . '/playground-db.php';
88

99
use ZipStream\ZipStream;
10-
use ZipStream\Option\Archive;
1110

1211
/**
1312
* Add the wp-content directory to a zip archive.
@@ -48,11 +47,9 @@ function zip_wp_content($zip)
4847
*/
4948
function zip_collect()
5049
{
51-
$options = new Archive();
52-
$options->setSendHttpHeaders(true);
5350
$zip = new ZipStream(
54-
'playground-package-' . gmdate('Y-m-d_H-i-s') . '.zip',
55-
$options
51+
outputName: 'playground-package-' . gmdate('Y-m-d_H-i-s') . '.zip',
52+
sendHttpHeaders: true
5653
);
5754

5855
zip_wp_content($zip);
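Review bot: the ZipStream 3 call is the right shape (the v3 constructor takes named arguments and the `Archive` options object is gone), but named arguments are PHP 8.0 syntax, so the plugin's declared minimum PHP must be at least 8.0 everywhere it is stated. With `sendHttpHeaders: true` this function streams the entire wp-content directory straight into the response, so the capability check and nonce on the caller of `zip_collect()` are the only thing between any request that reaches this code and a download of the site's uploads and plugins; confirm (outside this hunk) that the caller requires a capability such as `manage_options` plus a nonce, and that `$zip->finish()` is still called after `zip_wp_content($zip)`, which v3 still needs to write the central directory.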

packages/playground/templates/playground-page.php

Lines changed: 1 addition & 2 deletions
@@ -3,7 +3,6 @@
33
namespace WordPress\Playground;
44

55
defined('ABSPATH') || exit;
6-
76
?>
87
<div id="wp-playground-wrapper">
98
<div id="wp-playground-toolbar">
@@ -21,7 +20,7 @@
2120
);
2221
?>
2322
</span>
24-
<a href="<?php echo esc_url(admin_url('plugin-install.php')); ?>" id="goBack">
23+
<a href="<?php echo admin_url(); ?>" id="goBack">
2524
<?php esc_attr_e('Go Back', 'playground'); ?>
2625
</a>
2726
</div>
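Review bot: line 23 drops the `esc_url()` wrapper the previous version had, which is the opposite of the escaping the review asked for; `admin_url()` returns a trusted value, but WPCS flags unescaped output regardless, and escaping at the point of echo is the habit the reviewer wants to see: `<a href="<?php echo esc_url( admin_url() ); ?>" id="goBack">`. The link text on the next line is HTML content, not an attribute value, so `esc_html_e('Go Back', 'playground')` is the context-appropriate function rather than `esc_attr_e()`.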

packages/playground/vendor/autoload.php

Lines changed: 18 additions & 0 deletions
@@ -2,6 +2,24 @@
22

33
// autoload.php @generated by Composer
44

5+
if (PHP_VERSION_ID < 50600) {
6+
if (!headers_sent()) {
7+
header('HTTP/1.1 500 Internal Server Error');
8+
}
9+
$err = 'Composer 2.3.0 dropped support for autoloading on PHP <5.6 and you are running '.PHP_VERSION.', please upgrade PHP or use Composer 2.2 LTS via "composer self-update --2.2". Aborting.'.PHP_EOL;
10+
if (!ini_get('display_errors')) {
11+
if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') {
12+
fwrite(STDERR, $err);
13+
} elseif (!headers_sent()) {
14+
echo $err;
15+
}
16+
}
17+
trigger_error(
18+
$err,
19+
E_USER_ERROR
20+
);
21+
}
22+
523
require_once __DIR__ . '/composer/autoload_real.php';
624

725
return ComposerAutoloaderInit8a8b238a252aafe324d5e977d656feb0::getLoader();
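Review bot: this is Composer-generated output and should not be edited by hand (the PHP < 5.6 guard is moot for a plugin requiring PHP 8.0, but it is harmless). The point worth noting is that `vendor/` is committed, so the library version the plugin actually ships is whatever composer.lock resolved when `composer update` ran, and the reviewer's out-of-date-library check applies to that tree, not to the `^3.1.0` constraint in composer.json; regenerate `vendor/` together with composer.lock on every dependency bump.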
