Fix PHPCS errors on the Form block and tweak the PHPCS configuration

composer.json

@@ -29,7 +29,7 @@
 		"yoast/phpunit-polyfills": "^1.0.1"
 	},
 	"scripts": {
-		"lint": "@php ./vendor/bin/phpcs",
+		"lint": "@php ./vendor/bin/phpcs --runtime-set ignore_warnings_on_exit 1",
 		"lint:fix": "@php ./vendor/bin/phpcbf",
 		"test": "@php ./vendor/bin/phpunit"
 	}

includes/class-coblocks-block-assets.php

@@ -528,23 +528,23 @@ protected function is_page_gutenberg() {
 			return false;
 		}
 
-		if ( false !== strpos( $admin_page, 'post-new.php' ) && empty( $_GET['post_type'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		if ( false !== strpos( $admin_page, 'post-new.php' ) && empty( $_GET['post_type'] ) ) {
 			return true;
 		}
 
-		if ( false !== strpos( $admin_page, 'post-new.php' ) && isset( $_GET['post_type'] ) && $this->is_post_type_gutenberg( filter_input( INPUT_GET, wp_unslash( $_GET['post_type'] ), FILTER_SANITIZE_STRING ) ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		if ( false !== strpos( $admin_page, 'post-new.php' ) && isset( $_GET['post_type'] ) && $this->is_post_type_gutenberg( filter_input( INPUT_GET, wp_unslash( $_GET['post_type'] ), FILTER_SANITIZE_STRING ) ) ) {
 			return true;
 		}
 
-		if ( false !== strpos( $admin_page, 'post.php' ) && isset( $_GET['post'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-			$wp_post = get_post( filter_input( INPUT_GET, wp_unslash( $_GET['post'] ), FILTER_SANITIZE_STRING ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		if ( false !== strpos( $admin_page, 'post.php' ) && isset( $_GET['post'] ) ) {
+			$wp_post = get_post( filter_input( INPUT_GET, wp_unslash( $_GET['post'] ), FILTER_SANITIZE_STRING ) );
 			if ( isset( $wp_post ) && isset( $wp_post->post_type ) && $this->is_post_type_gutenberg( $wp_post->post_type ) ) {
 				return true;
 			}
 		}
 
-		if ( false !== strpos( $admin_page, 'revision.php' ) && isset( $_GET['revision'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-			$wp_post     = get_post( filter_input( INPUT_GET, wp_unslash( $_GET['revision'] ), FILTER_SANITIZE_STRING ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		if ( false !== strpos( $admin_page, 'revision.php' ) && isset( $_GET['revision'] ) ) {
+			$wp_post     = get_post( filter_input( INPUT_GET, wp_unslash( $_GET['revision'] ), FILTER_SANITIZE_STRING ) );
 			$post_parent = get_post( $wp_post->post_parent );
 			if ( isset( $post_parent ) && isset( $post_parent->post_type ) && $this->is_post_type_gutenberg( $post_parent->post_type ) ) {
 				return true;

includes/class-coblocks-form.php

@@ -225,14 +225,14 @@ public function render_form( $atts, $content ) {
 			?>
 
 			<form action="<?php echo esc_url( sprintf( '%1$s#%2$s', set_url_scheme( get_the_permalink() ), $this->form_hash ) ); ?>" method="post">
-				<?php echo do_blocks( $content ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
+				<?php echo do_blocks( $content ); ?>
 				<input class="coblocks-field verify" type="email" name="coblocks-verify-email" autocomplete="off" placeholder="<?php esc_attr_e( 'Email', 'coblocks' ); ?>" tabindex="-1">
 				<input type="hidden" name="form-hash" value="<?php echo esc_attr( $this->form_hash ); ?>">
 
 				<?php
 				// Output a submit button if it's not found in the block content.
 				if ( false === strpos( $content, 'coblocks-form__submit' ) ) :
-					echo $this->render_field_submit_button( $atts ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+					echo $this->render_field_submit_button( $atts );
 				endif;
 				?>
 			</form>
@@ -897,8 +897,8 @@ public function process_form_submission( $atts ) {
 
 		$post_id        = filter_input( INPUT_GET, 'post', FILTER_SANITIZE_NUMBER_INT );
 		$post_title     = get_bloginfo( 'name' ) . ( ( false === $post_id ) ? '' : sprintf( ' - %s', get_the_title( $post_id ) ) );
-		$email_field_id = isset( $_POST['email-field-id'] ) ? esc_html( $_POST['email-field-id'] ) : 'field-email';
-		$name_field_id  = isset( $_POST['name-field-id'] ) ? esc_html( $_POST['name-field-id'] ) : 'field-name';
+		$email_field_id = isset( $_POST['email-field-id'] ) ? sanitize_text_field( $_POST['email-field-id'] ) : 'field-email';
+		$name_field_id  = isset( $_POST['name-field-id'] ) ? sanitize_text_field( $_POST['name-field-id'] ) : 'field-name';
 
 		$to = isset( $atts['to'] ) ? sanitize_email( $atts['to'] ) : get_option( 'admin_email' );
 
@@ -907,7 +907,7 @@ public function process_form_submission( $atts ) {
 		$recaptcha_site_key   = get_option( 'coblocks_google_recaptcha_site_key' );
 		$recaptcha_secret_key = get_option( 'coblocks_google_recaptcha_secret_key' );
 		if ( $recaptcha_site_key && $recaptcha_secret_key ) {
-			if ( ! isset( $_POST['g-recaptcha-token'] ) || ! $this->verify_recaptcha( $_POST['g-recaptcha-token'] ) ) {
+			if ( ! isset( $_POST['g-recaptcha-token'] ) || ! $this->verify_recaptcha( sanitize_text_field( $_POST['g-recaptcha-token'] ) ) ) {
 
 				$this->remove_url_form_hash();
 
@@ -944,13 +944,19 @@ public function process_form_submission( $atts ) {
 		 */
 		$to = (string) apply_filters( 'coblocks_form_email_to', $to, $_POST, $post_id );
 
+		$name_field_value  = sanitize_text_field( $_POST[ $name_field_id ]['value'] );
+		$email_field_value = sanitize_text_field( $_POST[ $email_field_id ]['value'] );
 		/**
 		 * Filter the email subject
 		 *
 		 * @param string $subject Email subject.
 		 * @param array  $_POST   Submitted form data.
 		 */
-		$subject = (string) apply_filters( 'coblocks_form_email_subject', $this->setup_email_subject( $atts, $email_field_id, $name_field_id ), $_POST );
+		$subject = (string) apply_filters(
+			'coblocks_form_email_subject',
+			$this->setup_email_subject( $atts, $name_field_value, $email_field_value ),
+			$_POST
+		);
 
 		/**
 		 * Filter the form email content.
@@ -961,8 +967,8 @@ public function process_form_submission( $atts ) {
 		 */
 		$email_content = (string) apply_filters( 'coblocks_form_email_content', $this->email_content, $_POST, $post_id );
 
-		$sender_email = isset( $_POST[ $email_field_id ]['value'] ) ? esc_html( $_POST[ $email_field_id ]['value'] ) : '';
-		$sender_name  = isset( $_POST[ $name_field_id ]['value'] ) ? esc_html( $_POST[ $name_field_id ]['value'] ) : '';
+		$sender_email = isset( $_POST[ $email_field_id ]['value'] ) ? sanitize_text_field( $_POST[ $email_field_id ]['value'] ) : '';
+		$sender_name  = isset( $_POST[ $name_field_id ]['value'] ) ? sanitize_text_field( $_POST[ $name_field_id ]['value'] ) : '';
 
 		$headers = array();
 
@@ -1011,11 +1017,11 @@ public function process_form_submission( $atts ) {
 	 *       [name] will be replaced with the value of field-name etc.
 	 *
 	 * @param  array  $atts           Block attributes array.
-	 * @param  string $email_field_id Email field ID.
-	 * @param  string $name_field_id  Nane field ID.
+	 * @param  string $name_field_value Name field value.
+	 * @param  string $email_field_value Email field value.
 	 * @return string Email subject.
 	 */
-	private function setup_email_subject( $atts, $email_field_id, $name_field_id ) {
+	private function setup_email_subject( $atts, $name_field_value, $email_field_value ) {
 
 		$subject = isset( $atts['subject'] ) ? sanitize_text_field( $atts['subject'] ) : self::default_subject();
 
@@ -1025,25 +1031,21 @@ private function setup_email_subject( $atts, $email_field_id, $name_field_id ) {
 
 			array_walk(
 				$matches[1],
-				function( $match, $key ) use ( $matches, &$subject, &$email_field_id, &$name_field_id ) {
+				function( $match, $key ) use ( $matches, &$subject, &$name_field_value, &$email_field_value ) {
 					$slug_match = strtolower( str_replace( ' ', '', $match ) );
 
-					// phpcs:disable WordPress.Security.NonceVerification.Missing
 					if ( __( 'name', 'coblocks' ) === $slug_match ) {
 
-						if ( isset( $_POST[ $name_field_id ]['value'] ) ) {
-
-							$name_field_value = is_array( $_POST[ $name_field_id ]['value'] ) ? sanitize_text_field( implode( ' ', $_POST[ $name_field_id ]['value'] ) ) : sanitize_text_field( $_POST[ $name_field_id ]['value'] );
-							$value            = empty( $name_field_value ) ? $matches[0][ $key ] : $name_field_value;
-
+						if ( isset( $name_field_value ) ) {
+							$value = empty( $name_field_value ) ? $matches[0][ $key ] : $name_field_value;
 						} else {
 
 							$value = $matches[0][ $key ];
 
 						}
 					} elseif ( __( 'email', 'coblocks' ) === $slug_match ) {
 
-						$value = isset( $_POST[ $email_field_id ]['value'] ) ? sanitize_text_field( $_POST[ $email_field_id ]['value'] ) : $matches[0][ $key ];
+						$value = isset( $email_field_value ) ? $email_field_value : $matches[0][ $key ];
 
 					}
 

phpcs.xml

@@ -19,6 +19,19 @@
 	<!-- Whenever possible, cache the scan results and re-use those for unchanged files on the next scan. -->
 	<arg name="cache" value="/tmp/phpcs-coblocks-cache"/>
 
+	<!-- (Subset of?) the rules from the Plugin Review Team -->
+	<rule ref="WordPress.Security.ValidatedSanitizedInput.InputNotSanitized">
+		<type>warning</type>
+	</rule>
+	<rule ref="WordPress.Security.NonceVerification.Recommended" />
+	<rule ref="WordPress.DateTime.RestrictedFunctions.date_date" />
+	<rule ref="WordPress.Security.EscapeOutput.OutputNotEscaped">
+		<type>warning</type>
+	</rule>
+	<rule ref="WordPress.Security.NonceVerification.Missing" />
+	<rule ref="WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents" />
+	<rule ref="WordPress.WP.EnqueuedResources.NonEnqueuedScript" />
+
 	<!-- Include the WordPress-Extra standard. -->
 	<rule ref="WordPress-Extra">
 		<!--