refactor: WordPress.Security.EscapeOutput.OutputNotEscaped, WordPress.Security.EscapeOutput.ExceptionNotEscaped escaping (#2270)

* refactor: page view scripts load from template

* refactor: escaping tooltip text

* refactor: escaping dokan withdraw method title

* refactor: escaping installed error message

* style: ignore scaping wc_esc_json function

* refactor: escaping note and ship info

* refactor: heading control description

* style: ignore escaping the svg label image from radio image control

* refactor: shop order custom columns data

* refactor: escaping some text

* style: ignore escaping for back trace message

* refactor: escaping some variables

* style: ignore escaping for back trace message

* reactor: escaping some variables and some are ignored

* style: ignore escaping for some variables

* style: ignore escaping some variables

* update: add phpcs rule for exception output

* style: ignore escaping for dynamic content

* style: ignore escaping for dynamic content

* update: php method doc

* update: php method doc

* style: ignore escaping for dynamic content

* update: php method doc

* style: ignore escaping for dynamic content

* style: ignore escaping for dynamic content

* refactor: escpaing php variables

* refactor: escaping some variables

* refactor: escaping variables

* refactor: title text

* refactor: ecaping some text

* refactor: escaping localize text

* refactor: ecaping some text

* refactor: dynamic time format data

* update: phpcs rule set for capabilities

* update: phpcs config

* update: phpcs rule as per woocommerce

* refactor: phpcs issues

* added: Available roles in the phpcs for PHPCS check

* refactor: fix wp data sanitization errors for SetupWizard.php

* refactor: fix wp data sanitization errors for SetupWizardNoWC.php

* refactor: fix wp data sanitization errors for SetupWizard.php

* added: rules for custom sanitizing functions

* refactor: html markup escaping

* fix: template load issue for Page view

* refactor: docblock for return type `dokan_get_product_types`

* Update includes/Ajax.php

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update templates/settings/store-form.php

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* refactor: WordPress coding standards and security issues

* refactor: WordPress coding standards and security issues

* refactor: WordPress coding standards and security issues skip for non required code

* update: enqueue script instead of template `templates/page-views.php`

* update: using escaping `wp_kses_post($this->description);` instead of `wp_kses( $this->description, wp_kses_allowed_html( 'user_description' ) );`

* delete: old tempalte for `page-views.php`

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: mralaminahamed

assets/js/page-views.js

@@ -0,0 +1,32 @@
+/*
+ * ATTENTION: The "eval" devtool has been used (maybe by default in mode: "development").
+ * This devtool is neither made for production nor for readable output files.
+ * It uses "eval()" calls to create a separate source file in the browser devtools.
+ * If you are trying to read the output file, select a different devtool (https://webpack.js.org/configuration/devtool/)
+ * or disable the default devtool with "devtool: false".
+ * If you are looking for production-ready output files, see mode: "production" (https://webpack.js.org/configuration/mode/).
+ */
+/******/ (() => { // webpackBootstrap
+/******/ 	var __webpack_modules__ = ({
+
+/***/ "./assets/src/js/page-views.js":
+/*!*************************************!*\
+  !*** ./assets/src/js/page-views.js ***!
+  \*************************************/
+/***/ (() => {
+
+eval("/* global dokanPageViewsParams */\n\njQuery(document).ready(function ($) {\n  if (!localStorage) {\n    return;\n  }\n  if (!window.dokanPageViewsParams) {\n    return;\n  }\n\n  // Get today's date in the format of YYYY-MM-DD\n  let newDate = new Date().toISOString().slice(0, 10);\n  let dokanPageViewCount = JSON.parse(localStorage.getItem(\"dokan_pageview_count\"));\n\n  // If there is no data in local storage or today's date is not same as the date in local storage.\n  if (dokanPageViewCount === null || dokanPageViewCount.today && dokanPageViewCount.today !== newDate) {\n    dokanPageViewCount = {\n      \"today\": newDate,\n      \"post_ids\": []\n    };\n  }\n\n  // If the post id is not in the local storage, then send the ajax request.\n  if (!dokanPageViewCount.post_ids.includes(window.dokanPageViewsParams.post_id)) {\n    $.post(window.dokanPageViewsParams.ajax_url, {\n      action: \"dokan_pageview\",\n      _ajax_nonce: window.dokanPageViewsParams.nonce,\n      post_id: window.dokanPageViewsParams.post_id\n    });\n\n    // Add the post id to the local storage.\n    dokanPageViewCount.post_ids.push(window.dokanPageViewsParams.post_id);\n    localStorage.setItem(\"dokan_pageview_count\", JSON.stringify(dokanPageViewCount));\n  }\n});\n\n//# sourceURL=webpack://dokan/./assets/src/js/page-views.js?");
+
+/***/ })
+
+/******/ 	});
+/************************************************************************/
+/******/ 	
+/******/ 	// startup
+/******/ 	// Load entry module and return exports
+/******/ 	// This entry module can't be inlined because the eval devtool is used.
+/******/ 	var __webpack_exports__ = {};
+/******/ 	__webpack_modules__["./assets/src/js/page-views.js"]();
+/******/ 	
+/******/ })()
+;

assets/src/js/page-views.js

@@ -0,0 +1,33 @@
+/* global dokanPageViewsParams */
+
+jQuery( document ).ready( function( $ ) {
+    if( ! localStorage ) {
+        return;
+    }
+
+    if ( ! window.dokanPageViewsParams ) {
+        return;
+    }
+
+    // Get today's date in the format of YYYY-MM-DD
+    let newDate = new Date().toISOString().slice(0, 10);
+    let dokanPageViewCount = JSON.parse(localStorage.getItem("dokan_pageview_count"));
+
+    // If there is no data in local storage or today's date is not same as the date in local storage.
+    if ( dokanPageViewCount === null || ( dokanPageViewCount.today && dokanPageViewCount.today !== newDate ) ) {
+        dokanPageViewCount = { "today": newDate, "post_ids": [] };
+    }
+
+    // If the post id is not in the local storage, then send the ajax request.
+    if ( ! dokanPageViewCount.post_ids.includes( window.dokanPageViewsParams.post_id )  ) {
+        $.post( window.dokanPageViewsParams.ajax_url, {
+            action: "dokan_pageview",
+            _ajax_nonce: window.dokanPageViewsParams.nonce,
+            post_id: window.dokanPageViewsParams.post_id,
+        } );
+
+        // Add the post id to the local storage.
+        dokanPageViewCount.post_ids.push( window.dokanPageViewsParams.post_id );
+        localStorage.setItem( "dokan_pageview_count", JSON.stringify( dokanPageViewCount ) );
+    }
+} );

includes/Admin/Hooks.php

@@ -96,7 +96,7 @@ class="dokan_product_author_override"
             data-minimum_input_length="0"
             data-data='<?php echo wp_json_encode( $user ); ?>'
         >
-        </select> <?php echo wc_help_tip( __( 'You can search vendors and assign them.', 'dokan-lite' ) ); ?>
+        </select> <?php echo wp_kses( wc_help_tip( esc_html__( 'You can search vendors and assign them.', 'dokan-lite' ) ), wp_kses_allowed_html( 'user_description' ) ); ?>
         <?php
     }
 
@@ -165,9 +165,9 @@ public function search_vendors() {
      *
      * @return void
      */
-    public function override_product_author_by_admin( $product_id, $post ) {
+    public function override_product_author_by_admin( $product_id ) {
         $product          = wc_get_product( $product_id );
-        $posted_vendor_id = ! empty( $_POST['dokan_product_author_override'] ) ? intval( wp_unslash( $_POST['dokan_product_author_override'] ) ) : 0; // phpcs:ignore
+        $posted_vendor_id = ! empty( $_POST['dokan_product_author_override'] ) ? (int) sanitize_key( wp_unslash( $_POST['dokan_product_author_override'] ) ) : 0; // phpcs:ignore WordPress.Security.NonceVerification.Missing
 
         if ( ! $posted_vendor_id ) {
             return;

includes/Admin/SetupWizard.php

@@ -515,7 +515,7 @@ public function dokan_setup_withdraw() {
                                     <div class="wc-wizard-service-description">
                                         <?php
                                         // translators: %s: withdraw method name
-                                        printf( esc_html__( 'Enable %s for your vendor as a withdraw method', 'dokan-lite' ), dokan_withdraw_get_method_title( $key ) );
+                                        printf( esc_html__( 'Enable %s for your vendor as a withdraw method', 'dokan-lite' ), esc_html( dokan_withdraw_get_method_title( $key ) ) );
                                         ?>
                                     </div>
                                     <div class="dokan-wizard-service-enable">
@@ -732,9 +732,15 @@ public function dokan_setup_withdraw_save() {
 
         $options                          = get_option( 'dokan_withdraw', [] );
         $options['withdraw_methods']      = ! empty( $_POST['withdraw_methods'] ) ? wc_clean( wp_unslash( $_POST['withdraw_methods'] ) ) : [];
-        $options['withdraw_limit']        = ! empty( $_POST['withdraw_limit'] ) ? (float) wc_format_decimal( sanitize_text_field( wp_unslash( $_POST['withdraw_limit'] ) ) ) < 0 ? 0 : wc_format_decimal( sanitize_text_field( wp_unslash( $_POST['withdraw_limit'] ) ) ) : 0;
         $options['withdraw_order_status'] = ! empty( $_POST['withdraw_order_status'] ) ? wc_clean( wp_unslash( $_POST['withdraw_order_status'] ) ) : [];
 
+		if ( ! empty( $_POST['withdraw_limit'] ) ) {
+				$input_limit                = sanitize_text_field( wp_unslash( $_POST['withdraw_limit'] ) );
+				$options['withdraw_limit']  = is_numeric( $input_limit ) && $input_limit >= 0 ? wc_format_decimal( $input_limit ) : 0;
+		} else {
+			$options['withdraw_limit'] = 0;
+		}
+
         /**
          * Filter dokan_withdraw options before saving in setup wizard
          *

includes/Admin/SetupWizardNoWC.php

@@ -129,7 +129,7 @@ public function install_woocommerce() {
         delete_transient( '_wc_activation_redirect' );
 
         if ( is_wp_error( $installed ) ) {
-            wp_die( $installed->get_error_message(), __( 'Error installing WooCommerce plugin', 'dokan-lite' ) );
+            wp_die( esc_html( $installed->get_error_message() ), esc_html__( 'Error installing WooCommerce plugin', 'dokan-lite' ) );
         }
 
         set_transient( 'dokan_setup_wizard_no_wc', true, 15 * MINUTE_IN_SECONDS );

includes/Ajax.php

@@ -265,8 +265,8 @@ public function grant_access_to_download() {
 
                         include dirname( __DIR__ ) . '/templates/orders/order-download-permission-html.php';
 
-                        $loop ++;
-                        $file_count ++;
+                        ++$loop;
+                        ++$file_count;
                     }
                 }
             }
@@ -414,7 +414,7 @@ public function add_order_note() {
                 echo 'customer-note';
             }
             echo '"><div class="note_content">';
-            echo wpautop( wptexturize( $note ) ); // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+            echo wp_kses_post( wpautop( wptexturize( $note ) ) );
             echo '</div><p class="meta"><a href="#" class="delete_note">' . esc_html__( 'Delete note', 'dokan-lite' ) . '</a></p>';
             echo '</li>';
         }
@@ -484,7 +484,7 @@ public function add_shipping_tracking_info() {
             echo '<li rel="' . esc_attr( $comment_id ) . '" class="note ';
             echo 'customer-note';
             echo '"><div class="note_content">';
-            echo wpautop( wptexturize( $ship_info ) ); // phpcs:ignore WordPress.XSS.EscapeOutput.OutputNotEscaped
+            echo wp_kses_post( wpautop( wptexturize( $ship_info ) ) );
             echo '</div><p class="meta"><a href="#" class="delete_note">' . esc_html__( 'Delete', 'dokan-lite' ) . '</a></p>';
             echo '</li>';
 
@@ -692,6 +692,7 @@ public function dokan_json_search_products_tags() {
 
         $drop_down_tags = apply_filters(
             'dokan_search_product_tags_for_vendor_products', [
+                'taxonomy'   => 'product_tag',
                 'name__like' => $name,
                 'hide_empty' => 0,
                 'orderby'    => 'name',
@@ -701,7 +702,7 @@ public function dokan_json_search_products_tags() {
             ]
         );
 
-        $product_tags = get_terms( 'product_tag', $drop_down_tags );
+        $product_tags = get_terms( $drop_down_tags );
 
         if ( $product_tags ) {
             foreach ( $product_tags as $pro_term ) {

includes/Customizer/HeadingControl.php

@@ -28,7 +28,9 @@ protected function render_content() {
         <?php } ?>
 
         <?php if ( ! empty( $this->description ) ) { ?>
-            <span class="description customize-control-description"><?php echo $this->description; ?></span>
+            <span class="description customize-control-description">
+                <?php echo wp_kses_post( $this->description ); ?>
+            </span>
         <?php } ?>
         <?php
     }

includes/Customizer/RadioImageControl.php

@@ -80,7 +80,7 @@ public function render_content() {
                     <label for="<?php echo esc_attr( $this->id ) . esc_attr( $value ); ?>">
                         <?php
                         if ( isset( $label['svg'] ) ) {
-                            echo $label['svg'];
+                            echo $label['svg']; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
                         } else {
                             ?>
                             <img src="<?php echo esc_html( $label['src'] ); ?>" alt="<?php echo esc_attr( $label['label'] ); ?>" title="<?php echo esc_attr( $label['label'] ); ?>">

includes/Order/Admin/Hooks.php

@@ -158,7 +158,7 @@ public function shop_order_custom_columns( $col, $post_id ) {
         }
 
         if ( ! empty( $output ) ) {
-            echo apply_filters( "dokan_manage_shop_order_custom_columns_{$col}", $output, $order );
+            echo wp_kses_post( apply_filters( "dokan_manage_shop_order_custom_columns_{$col}", $output, $order ) );
         }
     }
 
@@ -168,15 +168,15 @@ public function shop_order_custom_columns( $col, $post_id ) {
      * @since 3.8.0 Moved from includes/Admin/Hooks.php file
      * @since 3.8.0 Rewritten for HPOS
      *
-     * @param string[] $classes An array of post class names.
-     * @param string[] $class   An array of additional class names added to the post.
+     * @param string[] $classes     An array of post class names.
+     * @param string[] $css_class   An array of additional class names added to the post.
      * @param int      $post_id The post ID.
      *
      * @global WP_Post $post
      *
      * @return array
      */
-    public function admin_shop_order_row_classes( $classes, $class, $post_id ) {
+    public function admin_shop_order_row_classes( $classes, $css_class, $post_id ) {
         if ( ! OrderUtil::is_order( $post_id ) ) {
             return $classes;
         }

includes/PageViews.php

@@ -3,83 +3,84 @@
 namespace WeDevs\Dokan;
 
 /**
- * Pageviews - for counting product post views.
+ * Page views - for counting product post views.
  */
 class PageViews {
 
-    private $meta_key = 'pageview';
-
-    public function __construct() {
-        /* Registers the entry views extension scripts if we're on the correct page. */
-        add_action( 'template_redirect', array( $this, 'load_views' ), 25 );
-
-        /* Add the entry views AJAX actions to the appropriate hooks. */
-        add_action( 'wp_ajax_dokan_pageview', array( $this, 'update_ajax' ) );
-        add_action( 'wp_ajax_nopriv_dokan_pageview', array( $this, 'update_ajax' ) );
-    }
-
-    public function load_scripts() {
-        $nonce = wp_create_nonce( 'dokan_pageview' );
-
-        echo '<script type="text/javascript">
-            jQuery(document).ready( function($) {
-                if(localStorage){
-                    let new_date = new Date().toISOString().slice(0, 10);
-                    let dokan_pageview_count = JSON.parse(localStorage.getItem("dokan_pageview_count"));
-                    let post_id = ' . get_the_ID() . ';
-
-                    if ( dokan_pageview_count === null || ( dokan_pageview_count.today && dokan_pageview_count.today !== new_date ) ) {
-                        dokan_pageview_count = { "today": new_date, "post_ids": [] };
-                    }
-                    if ( ! dokan_pageview_count.post_ids.includes( post_id )  ) {
-                        var data = {
-                            action: "dokan_pageview",
-                            _ajax_nonce: "' . esc_html( $nonce ) . '",
-                            post_id: ' . get_the_ID() . ',
-                        }
-                        $.post( "' . esc_url( admin_url( 'admin-ajax.php' ) ) . '", data );
-                        dokan_pageview_count.post_ids.push( post_id );
-                        localStorage.setItem("dokan_pageview_count", JSON.stringify(dokan_pageview_count));
-                    }
-                }
-            } );
-            </script>';
-    }
-
-    public function load_views() {
-        if ( is_singular( 'product' ) ) {
-            global $post;
-
-            if ( $post->post_author !== dokan_get_current_user_id() ) {
-                wp_enqueue_script( 'jquery' );
-                add_action( 'wp_footer', array( $this, 'load_scripts' ) );
-            }
-        }
-    }
-
-    public function update_view( $post_id = '' ) {
-        if ( ! empty( $post_id ) ) {
-            $old_views = get_post_meta( $post_id, $this->meta_key, true );
-            $new_views = absint( $old_views ) + 1;
-
-            update_post_meta( $post_id, $this->meta_key, $new_views, $old_views );
-            $seller_id = get_post_field( 'post_author', $post_id );
-            Cache::delete( "pageview_{$seller_id}" );
-        }
-    }
-
-    public function update_ajax() {
-        check_ajax_referer( 'dokan_pageview' );
-
-        if ( isset( $_POST['post_id'] ) ) {
-            $post_id = absint( $_POST['post_id'] );
-        }
-
-        if ( ! empty( $post_id ) ) {
-            $this->update_view( $post_id );
-        }
-
-        wp_die();
-    }
-
+	private $meta_key = 'pageview';
+
+	public function __construct() {
+		/* Registers the entry views extension scripts if we're on the correct page. */
+		add_action( 'template_redirect', array( $this, 'load_views' ), 25 );
+
+		/* Add the entry views AJAX actions to the appropriate hooks. */
+		add_action( 'wp_ajax_dokan_pageview', array( $this, 'update_ajax' ) );
+		add_action( 'wp_ajax_nopriv_dokan_pageview', array( $this, 'update_ajax' ) );
+	}
+
+	/**
+	 * Load the scripts
+	 *
+	 * @return void
+	 */
+	public function load_scripts() {
+		wp_enqueue_script( 'dokan-page-views', DOKAN_PLUGIN_ASSEST . '/js/page-views.js', array( 'jquery' ), DOKAN_PLUGIN_VERSION, true );
+		wp_localize_script(
+			'dokan-page-views',
+			'dokanPageViewsParams',
+			array(
+				'nonce'    => wp_create_nonce( 'dokan_pageview' ),
+				'post_id'  => get_the_ID(),
+				'ajax_url' => admin_url( 'admin-ajax.php' ),
+			)
+		);
+	}
+
+	public function load_views() {
+		if ( is_singular( 'product' ) ) {
+			global $post;
+
+			if ( dokan_get_current_user_id() !== $post->post_author ) {
+				wp_enqueue_script( 'jquery' );
+				add_action( 'wp_footer', array( $this, 'load_scripts' ) );
+			}
+		}
+	}
+
+	/**
+	 * Update the view count
+	 *
+	 * @param int $post_id The post ID
+	 *
+	 * @return void
+	 */
+	public function update_view( $post_id = '' ) {
+		if ( ! empty( $post_id ) ) {
+			$old_views = get_post_meta( $post_id, $this->meta_key, true );
+			$new_views = absint( $old_views ) + 1;
+
+			update_post_meta( $post_id, $this->meta_key, $new_views, $old_views );
+			$seller_id = get_post_field( 'post_author', $post_id );
+			Cache::delete( "pageview_{$seller_id}" );
+		}
+	}
+
+	/**
+	 * Update the view count via AJAX
+	 *
+	 * @return void
+	 */
+	public function update_ajax() {
+		check_ajax_referer( 'dokan_pageview' );
+
+		if ( isset( $_POST['post_id'] ) ) {
+			$post_id = absint( $_POST['post_id'] );
+		}
+
+		if ( ! empty( $post_id ) ) {
+			$this->update_view( $post_id );
+		}
+
+		wp_die();
+	}
 }