Escaping and function usage updates (#3094)

* Plugin check suggested updates
* Escaping
* Function changes
* Switching to output butter, and avoid stripping the confirmation prompt
* Removal of content if there's a script or style tag.
* Avoid warning in deprecated function.
* Translator comments.
* Using wp_parse_url instead for consistency on php versions.
* Updating helper to 3.5.8 with escaping.
* Validation of order param.

Author: brianhogg

.changelogs/plugin-check-updates-1.yml

@@ -0,0 +1,3 @@
+significance: patch
+type: security
+entry: Validation of the order param for the quiz Students Without Attempts table.

.changelogs/plugin-check-updates.yml

@@ -0,0 +1,3 @@
+significance: patch
+type: changed
+entry: Various escaping and consistency changes.

composer.json

@@ -31,7 +31,7 @@
     "deliciousbrains/wp-background-processing": "1.0.2",
     "lifterlms/lifterlms-blocks": "2.7.0",
     "lifterlms/lifterlms-cli": "0.0.5",
-    "lifterlms/lifterlms-helper": "3.5.7",
+    "lifterlms/lifterlms-helper": "3.5.8",
     "lifterlms/lifterlms-rest": "1.0.3",
     "woocommerce/action-scheduler": "3.5.4",
     "gocodebox/banner-notifications": "1.1.1"

includes/abstracts/abstract.llms.admin.table.php

@@ -372,8 +372,10 @@ public function get_empty_message() {
 	public function get_filter_placeholder( $column_id, $column_data ) {
 		$placeholder = __( 'Any', 'lifterlms' );
 		if ( is_array( $column_data ) && isset( $column_data['title'] ) ) {
+			/* translators: %s: Column title. */
 			$placeholder = sprintf( __( 'Any %s', 'lifterlms' ), $column_data['title'] );
 		} elseif ( is_string( $column_data ) ) {
+			/* translators: %s: Column title. */
 			$placeholder = sprintf( __( 'Any %s', 'lifterlms' ), $column_data );
 		}
 		/**
@@ -793,7 +795,7 @@ public function output_tfoot_html() {
 						<form action="" method="POST">
 							<button class="llms-button-primary small" name="llms_quiz_resumable_attempt_action" type="submit" value="llms_clear_resumable_attempts">
 								<i class="fa fa-trash-o" aria-hidden="true"></i>
-								<?php _e( 'Clear resumable attempts', 'lifterlms' ); ?>
+								<?php echo esc_html( __( 'Clear resumable attempts', 'lifterlms' ) ); ?>
 							</button>
 							<input type="hidden" name="llms_quiz_id" value="<?php echo esc_attr( $this->quiz_id ); ?>">
 							<?php wp_nonce_field( 'llms_quiz_attempt_actions', '_llms_quiz_attempt_nonce' ); ?>
@@ -814,7 +816,12 @@ public function output_tfoot_html() {
 				<?php if ( $this->is_paginated ) : ?>
 					<div class="llms-table-pagination">
 						<?php if ( $this->max_pages ) : ?>
-							<span class="llms-table-page-count"><?php echo esc_html( sprintf( esc_html_x( '%1$d of %2$d', 'pagination', 'lifterlms' ), $this->current_page, $this->max_pages ) ); ?></span>
+							<span class="llms-table-page-count">
+							<?php
+								/* translators: %1$d: Current page, %2$d: Total page count. */
+								echo esc_html( sprintf( esc_html_x( '%1$d of %2$d', 'pagination', 'lifterlms' ), $this->current_page, $this->max_pages ) );
+							?>
+							</span>
 						<?php endif; ?>
 						<?php if ( 1 !== $this->get_current_page() ) : ?>
 							<?php if ( $this->max_pages ) : ?>

includes/abstracts/abstract.llms.database.query.php

@@ -397,6 +397,7 @@ protected function prepare_query() {
 		} else {
 			_doing_it_wrong(
 				__METHOD__,
+				/* translators: %s: Method name. */
 				esc_html( sprintf( __( "Method '%s' not implemented. Must be overridden in subclass.", 'lifterlms' ), __METHOD__ ) ),
 				'6.0.0'
 			);

includes/abstracts/abstract.llms.payment.gateway.php

@@ -362,6 +362,7 @@ public function get_admin_settings_fields() {
 		$fields[] = array(
 			'autoload'     => true,
 			'id'           => $this->get_option_name( 'enabled' ),
+			/* translators: %s: Payment gateway title. */
 			'desc'         => sprintf( _x( 'Enable %s', 'Payment gateway title', 'lifterlms' ), $this->get_admin_title() ),
 			'desc_tooltip' => __( 'Checking this box will allow users to use this payment gateway.', 'lifterlms' ),
 			'default'      => $this->get_enabled(),
@@ -389,6 +390,7 @@ public function get_admin_settings_fields() {
 
 			$fields[] = array(
 				'id'           => $this->get_option_name( 'test_mode_enabled' ),
+				/* translators: %s: Payment gateway test mode title. */
 				'desc'         => sprintf( _x( 'Enable %s', 'Payment gateway test mode title', 'lifterlms' ), $this->get_test_mode_title() ),
 				'desc_tooltip' => $this->get_test_mode_description(),
 				'default'      => $this->get_test_mode_enabled(),
@@ -401,6 +403,7 @@ public function get_admin_settings_fields() {
 		$fields[] = array(
 			'id'           => $this->get_option_name( 'logging_enabled' ),
 			'desc'         => __( 'Enable debug logging', 'lifterlms' ),
+			/* Translators: %s: Debug log location. */
 			'desc_tooltip' => sprintf( __( 'When enabled, debugging information will be logged to "%s"', 'lifterlms' ), llms_get_log_path( $this->get_id() ) ),
 			'title'        => __( 'Debug Log', 'lifterlms' ),
 			'type'         => 'checkbox',
@@ -803,7 +806,7 @@ public function get_transaction_url( $transaction_id, $api_mode = 'live' ) {
 	public function handle_payment_source_switch( $order, $form_data = array() ) {
 		return llms_add_notice(
 			sprintf(
-				// Translatos: %s = the title of the payment gateway.
+				/* translators: %s: the title of the payment gateway. */
 				esc_html__( 'The selected payment gateway "%s" does not support payment method switching.', 'lifterlms' ),
 				$this->get_title()
 			),

includes/abstracts/abstract.llms.post.model.php

@@ -724,7 +724,7 @@ public function get_price( $key, $price_args = array(), $format = 'html' ) {
 		if ( 'html' === $format || 'raw' === $format ) {
 			$price = llms_price( $price, $price_args );
 			if ( 'raw' === $format ) {
-				$price = strip_tags( $price );
+				$price = wp_strip_all_tags( $price );
 			}
 		} elseif ( 'float' === $format ) {
 			$price = floatval( number_format( $price, get_lifterlms_decimals(), '.', '' ) );
@@ -855,7 +855,7 @@ protected function get_embed( $type = 'video', $prop = '' ) {
 
 		$prop = $prop ? $prop : $type . '_embed';
 		$url  = $this->get( $prop );
-		if ( trim( $url ) && parse_url( $url ) ) {
+		if ( trim( $url ) && wp_parse_url( $url ) ) {
 			$this->get_provider_support( $url );
 
 			$ret = wp_oembed_get( sanitize_url( $url ) );
@@ -1516,6 +1516,7 @@ private function update_meta_properties( $post_meta_properties, $allow_same_meta
 			$u = update_post_meta( $this->id, $this->meta_prefix . $key, wp_slash( $val ) );
 
 			if ( ! ( is_numeric( $u ) || true === $u ) ) {
+				/* translators: %s: Meta key. */
 				$error->add( 'invalid_meta', sprintf( __( 'Cannot insert/update the %s meta', 'lifterlms' ), $key ) );
 			}
 		}

includes/abstracts/abstract.llms.update.php

@@ -73,7 +73,6 @@ public function __construct() {
 				break;
 
 		}
-
 	}
 
 	/**
@@ -90,7 +89,6 @@ private function add_actions() {
 			add_action( $this->get_hook( $func ), array( $this, $func ), 10, 1 );
 
 		}
-
 	}
 
 	/**
@@ -116,7 +114,6 @@ private function check_progress( $progress ) {
 			$this->log( sprintf( 'Progress: %d completed, %d remaining', $completed, $remaining ) );
 
 		}
-
 	}
 
 	/**
@@ -132,7 +129,6 @@ public function complete() {
 		$this->log( sprintf( 'LLMS update tasks completed for version %s', $this->version ) );
 		LLMS_Install::update_db_version( $this->version );
 		delete_option( 'llms_update_' . $this->version );
-
 	}
 
 	/**
@@ -150,7 +146,6 @@ private function enqueue() {
 		}
 
 		$this->log( sprintf( 'LLMS update tasks enqueued for version %s', $this->version ) );
-
 	}
 
 	/**
@@ -168,7 +163,6 @@ protected function function_complete( $function ) {
 		$progress['functions'][ $function ] = 'done';
 		update_option( 'llms_update_' . $this->version, $progress );
 		$this->log( sprintf( '%s::%s() is complete', get_class( $this ), $function ) );
-
 	}
 
 	/**
@@ -198,7 +192,6 @@ private function get_progress() {
 		);
 
 		return get_option( 'llms_update_' . $this->version, $default );
-
 	}
 
 	/**
@@ -242,7 +235,6 @@ private function update_status( $status ) {
 		$p           = $this->get_progress();
 		$p['status'] = $status;
 		update_option( 'llms_update_' . $this->version, $p );
-
 	}
 
 	/**
@@ -258,7 +250,6 @@ protected function log( $msg ) {
 		if ( defined( 'LLMS_BG_UPDATE_LOG' ) && LLMS_BG_UPDATE_LOG ) {
 			llms_log( $msg, 'updater' );
 		}
-
 	}
 
 
@@ -283,9 +274,13 @@ private function output_progress_notice( $progress ) {
 		$max   = count( $progress['functions'] );
 		$width = $val ? ( $val / $max ) * 100 : 0;
 		$html  = '
-			<p>' . sprintf( __( 'LifterLMS Database Upgrade %s Progress Report', 'lifterlms' ), $this->version ) . '</p>
+			';
+		/* translators: %s: Database version. */
+		$html .= '<p>' . sprintf( __( 'LifterLMS Database Upgrade %s Progress Report', 'lifterlms' ), $this->version ) . '</p>
 			<div style="background:#efefef;height:18px;margin:0.5em 0;"><div style="background:#ef476f;display:block;height:18px;width:' . $width . '%;"><span style="padding:0 0.5em;color:#fff;">' . $width . '%</span></div></div>
-			<p><em>' . sprintf( __( 'This completion percentage is an estimate, please be patient and %1$sclick here%2$s for more information.', 'lifterlms' ), '<a href="https://lifterlms.com/docs/lifterlms-database-updates/#upgrade-progress-report" target="_blank">', '</a>' ) . '</em></p>
+			';
+		/* translators: %1$s: Opening link tag, %2$s: closing link tag. */
+		$html .= '<p><em>' . sprintf( __( 'This completion percentage is an estimate, please be patient and %1$sclick here%2$s for more information.', 'lifterlms' ), '<a href="https://lifterlms.com/docs/lifterlms-database-updates/#upgrade-progress-report" target="_blank">', '</a>' ) . '</em></p>
 		';
 
 		LLMS_Admin_Notices::add_notice(
@@ -297,7 +292,5 @@ private function output_progress_notice( $progress ) {
 				'type'        => 'info',
 			)
 		);
-
 	}
-
 }

includes/abstracts/llms-abstract-email-provider.php

@@ -326,9 +326,9 @@ protected function do_remote_install_verify() {
 		}
 
 		if ( ! $this->is_installed() ) {
-			// Translators: %s = title of the email delivery plugin.
 			return array(
 				'code'    => 'llms_' . $this->id . '_not_found',
+				/* translators: %s: title of the email delivery plugin. */
 				'message' => sprintf( __( '%s plugin not found. Please try again.', 'lifterlms' ), $this->get_title() ),
 				'status'  => 400,
 			);

includes/abstracts/llms-abstract-generator-posts.php

@@ -171,6 +171,7 @@ protected function create_post( $type, $raw = array(), $author_id = null ) {
 
 		$class_name = sprintf( 'LLMS_%s', implode( '_', array_map( 'ucfirst', explode( '_', $type ) ) ) );
 		if ( ! class_exists( $class_name ) ) {
+			/* translators: %s: Name of class. */
 			throw new Exception( esc_html( sprintf( __( 'The class "%s" does not exist.', 'lifterlms' ), $class_name ) ), intval( self::ERROR_INVALID_POST ) );
 		}
 
@@ -514,6 +515,7 @@ protected function get_term_id( $term_name, $tax ) {
 			$term = wp_insert_term( $term_name, $tax );
 
 			if ( is_wp_error( $term ) ) {
+				/* translators: %s: name of term. */
 				throw new Exception( esc_html( sprintf( __( 'Error creating new term "%s".', 'lifterlms' ), $term_name ) ), intval( self::ERROR_CREATE_TERM ) );
 			}
 
@@ -811,7 +813,7 @@ protected function sideload_images( $post, $raw ) {
 		$blocked_hosts = apply_filters(
 			'llms_generator_sideload_hosts_blocklist',
 			array(
-				parse_url( get_site_url(), PHP_URL_HOST ),
+				wp_parse_url( get_site_url(), PHP_URL_HOST ),
 			)
 		);
 
@@ -821,7 +823,7 @@ protected function sideload_images( $post, $raw ) {
 		foreach ( $raw['_extras']['images'] as $src ) {
 
 			// Don't sideload images from blocked hosts.
-			if ( in_array( parse_url( $src, PHP_URL_HOST ), $blocked_hosts, true ) ) {
+			if ( in_array( wp_parse_url( $src, PHP_URL_HOST ), $blocked_hosts, true ) ) {
 				continue;
 			}