Add WP.org validator (#590)

* add the wp.org validator

* update changelog

* use wp_safe_redirect in favor of wp_redirect

* use '' instead of null
null is deprecated

* wporg linting fixes

* escape other things on the same line

* ignore both rules

* move wp_kses_post outside the apply_filters

* sanitize the unsanitized thing

* ignore both rules

* one more

.github/workflows/wporg-validator.yml

@@ -0,0 +1,13 @@
+# On push, run the action-wporg-validator workflow.
+name: WP.org Validator
+on: [push]
+jobs:
+  wporg-validation:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: WP.org Validator
+        uses: pantheon-systems/action-wporg-validator@1.0.0
+        with:
+          type: plugin

CHANGELOG.md

@@ -4,6 +4,7 @@
 * Updates CONTRIBUTING.md [[#585](https://github.com/pantheon-systems/solr-power/pull/585)]
 * Fixes typo in var which caused undefined notice [[#582](https://github.com/pantheon-systems/solr-power/pull/582)]
 * Update Composer dependencies [[#576](https://github.com/pantheon-systems/solr-power/pull/576)] [[#574](https://github.com/pantheon-systems/solr-power/pull/583)] [[#573](https://github.com/pantheon-systems/solr-power/pull/584)]
+* Adds WP.org Validation GitHub action [[#590](https://github.com/pantheon-systems/solr-power/pull/590)]
 * Updates security policy [[#589](https://github.com/pantheon-systems/solr-power/pull/589)]
 
 ### 2.4.5 (April 9, 2023) ###

includes/class-solrpower-batch-index.php

@@ -104,7 +104,7 @@ public function __construct( $query_args = array() ) {
 		$this->query_args = $clean_query_args;
 		// Cache the 'paged' value for resuming.
 		delete_option( $this->batch_cache_key );
-		add_option( $this->batch_cache_key, $this->query_args['paged'], null, false );
+		add_option( $this->batch_cache_key, $this->query_args['paged'], '', false );
 		$query          = new WP_Query( $clean_query_args );
 		$this->post_ids = $query->posts;
 		$found_posts    = $query->found_posts;
@@ -206,7 +206,7 @@ public function fetch_next_posts() {
 	public function increment_page() {
 		$this->query_args['paged']++;
 		delete_option( $this->batch_cache_key );
-		add_option( $this->batch_cache_key, $this->query_args['paged'], null, false );
+		add_option( $this->batch_cache_key, $this->query_args['paged'], '', false );
 	}
 
 	/**

includes/class-solrpower-facet-widget.php

@@ -36,9 +36,9 @@ public function __construct() {
 	 */
 	public function widget( $args, $instance ) {
 		$this->dummy_query();
-		echo $args['before_widget'];
+		echo wp_kses_post( $args['before_widget'] );
 		if ( ! empty( $instance['title'] ) ) {
-			echo $args['before_title'] . $instance['title'] . $args['after_title'];
+			echo wp_kses_post( $args['before_title'] . $instance['title'] . $args['after_title'] );
 		}
 		$this->facets = filter_input( INPUT_GET, 'facet', FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_REQUIRE_ARRAY );
 		echo '<form action="' . esc_url( home_url( '/' ) ) . '" method="get" id="solr_facet">';
@@ -47,7 +47,7 @@ public function widget( $args, $instance ) {
 		$this->fetch_facets();
 		echo '</div>';
 		echo '</form>';
-		echo $args['after_widget'];
+		echo wp_kses_post( $args['after_widget'] );
 	}
 
 	/**
@@ -190,7 +190,7 @@ function fetch_facets( $echo = true ) {
 
 		} // End foreach().
 		if ( $echo ) {
-			echo $output;
+			echo $output; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped,WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter
 		} else {
 			return $output;
 		}
@@ -236,7 +236,7 @@ public function render_searchbox() {
 		 *
 		 * @param string $html the search box html.
 		 */
-		echo apply_filters( 'solr_facet_searchbox', $html );
+		echo wp_kses_post( apply_filters( 'solr_facet_searchbox', $html ) );
 	}
 
 	/**

includes/class-solrpower-options.php

@@ -106,7 +106,7 @@ public function action_wpmuadminedit() {
 			update_site_option( $option, $value );
 		}
 		$goback = add_query_arg( 'settings-updated', 'true', wp_get_referer() );
-		wp_redirect( $goback );
+		wp_safe_redirect( $goback );
 		exit;
 	}
 

includes/class-solrpower-sync.php

@@ -651,7 +651,7 @@ function load_all_posts( $prev, $post_type = 'post', $limit = 5, $echo = true )
 				$end     = true;
 				$results = sprintf( '{"type": "' . $post_type . '", "last": "%s", "end": true, "percent": "%.2f"}', $last, 100 );
 				if ( $echo ) {
-					echo $results;
+					echo $results; // phpcs:ignore WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter,WordPress.Security.EscapeOutput.OutputNotEscaped
 				}
 				die();
 			}
@@ -685,7 +685,7 @@ function load_all_posts( $prev, $post_type = 'post', $limit = 5, $echo = true )
 			$results = sprintf( '{"type\": "' . $post_type . '", "last": "%s", "end": false, "percent": "%.2f"}', $last, $percent );
 		}
 		if ( $echo ) {
-			echo $results;
+			echo $results; // phpcs:ignore WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter,WordPress.Security.EscapeOutput.OutputNotEscaped
 
 			return;
 		}

includes/class-solrpower.php

@@ -72,15 +72,15 @@ public function activate( $networkwide ) {
 			$schema_message = SolrPower_Api::get_instance()->submit_schema();
 			if ( strpos( $schema_message, 'Error' ) ) {
 				// Translators: 1 The error message, 2: The SOLR_PATH constant.
-				$message = wp_kses( __( 'Submitting the schema failed with the message: %1$s<br /><br />%2$s', 'solr-for-wordpress-on-pantheon' ), [ 'br' => [] ] );
-				wp_die( sprintf( $message, esc_html( $schema_message ), $solr_path ) );
+				$message = __( 'Submitting the schema failed with the message: %1$s<br /><br />%2$s', 'solr-for-wordpress-on-pantheon' );
+				wp_die( sprintf( wp_kses( $message, [ 'br' => [] ] ), esc_html( $schema_message ), esc_textarea( $solr_path ) ) );
 			}
 		}
 
 		if ( is_multisite() && ! $networkwide ) {
 			// Translators: 1: The URL to the network admin plugins page.
-			$message = wp_kses_post( __( 'You are attempting to activate the plugin on a multisite as a single-site plugin. For WordPress multisites, you need to activate network-wide. Go to your <a href="%s">your Network Admin Plugins page</a> and click the Network Activate link there.', 'solr-for-wordpress-on-pantheon' ) );
-			wp_die( sprintf( $message, get_admin_url( 1, 'network/plugins.php' ) ) );
+			$message = __( 'You are attempting to activate the plugin on a multisite as a single-site plugin. For WordPress multisites, you need to activate network-wide. Go to your <a href="%s">your Network Admin Plugins page</a> and click the Network Activate link there.', 'solr-for-wordpress-on-pantheon' );
+			wp_die( sprintf( wp_kses_post( $message ), esc_url_raw( get_admin_url( 1, 'network/plugins.php' ) ) ) );
 		}
 
 		SolrPower_Options::get_instance()->initalize_options();
@@ -210,9 +210,9 @@ public function template_redirect() {
 		}
 
 		// If there is a template file then we use it.
-		if ( file_exists( TEMPLATEPATH . '/s4wp_search.php' ) ) {
+		if ( file_exists( get_template_directory() . '/s4wp_search.php' ) ) {
 			// use theme file.
-			include_once( TEMPLATEPATH . '/s4wp_search.php' );
+			include_once( get_template_directory() . '/s4wp_search.php' );
 		} elseif ( file_exists( dirname( __FILE__ ) . '/template/s4wp_search.php' ) ) {
 			// use plugin supplied file.
 			add_action( 'wp_head', array( $this, 'default_head' ) );

includes/legacy-functions.php

@@ -39,7 +39,7 @@ function s4wp_search_form() {
 	}
 	$form = '<form name="searchbox" method="get" id="searchbox" action=""><input type="text" id="qrybox" name="ssearch" value="%s"/><input type="submit" id="searchbtn" /><label for="sortselect" id="sortlabel">' . esc_html__( 'Sort By:', 'solr-for-wordpress-on-pantheon' ) . '</label><select name="sort" id="sortselect">%s</select><label for="orderselect" id="orderlabel">' . __( 'Order By:', 'solr-for-wordpress-on-pantheon' ) . '</label><select name="order" id="orderselect">%s</select>%s</form>';
 
-	printf( $form, filter_input( INPUT_GET, 'ssearch', FILTER_SANITIZE_FULL_SPECIAL_CHARS ), $sortval, $orderval, $serverval );
+	printf( $form, filter_input( INPUT_GET, 'ssearch', FILTER_SANITIZE_FULL_SPECIAL_CHARS ), $sortval, $orderval, $serverval ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 }
 
 /**
@@ -319,16 +319,16 @@ function s4wp_print_facet_items( $items, $pre = '<ul>', $post = '</ul>', $before
 	if ( ! $items ) {
 		return;
 	}
-	printf( "%s\n", $pre );
+	printf( "%s\n", wp_kses_post( $pre ) );
 	foreach ( $items as $item ) {
-		printf( "%s<a href=\"%s\">%s (%s)</a>%s\n", $before, $item['link'], $item['name'], $item['count'], $after );
+		printf( "%s<a href=\"%s\">%s (%s)</a>%s\n", wp_kses_post( $before ), esc_url_raw( $item['link'] ), esc_textarea( $item['name'] ), esc_textarea( $item['count'] ), wp_kses_post( $after ) );
 		$item_items = isset( $item['items'] ) ? true : false;
 
 		if ( $item_items ) {
 			s4wp_print_facet_items( $item['items'], $nestedpre, $nestedpost, $nestedbefore, $nestedafter, $nestedpre, $nestedpost, $nestedbefore, $nestedafter );
 		}
 	}
-	printf( "%s\n", $post );
+	printf( "%s\n", wp_kses_post( $post ) );
 }
 
 /**

readme.txt

@@ -236,6 +236,7 @@ Please report security bugs found in the source code of the Solr Power plugin th
 * Updates CONTRIBUTING.md [[#585](https://github.com/pantheon-systems/solr-power/pull/585)]
 * Fixes typo in var which caused undefined notice [[#582](https://github.com/pantheon-systems/solr-power/pull/582)]
 * Update Composer dependencies [[#576](https://github.com/pantheon-systems/solr-power/pull/576)] [[#574](https://github.com/pantheon-systems/solr-power/pull/583)] [[#573](https://github.com/pantheon-systems/solr-power/pull/584)]
+* Adds WP.org Validation GitHub action [[#590](https://github.com/pantheon-systems/solr-power/pull/590)]
 * Updates security policy [[#589](https://github.com/pantheon-systems/solr-power/pull/589)]
 
 = 2.4.5 (April 9, 2023) =

template/s4w_search.php

@@ -23,7 +23,7 @@
 		<div class="solr_search">
 	<?php
 	if ( ! empty( $results['qtime'] ) ) {
-		printf( "<label class='solr_response'>Response time: <span id=\"qrytime\">{$results['qtime']}</span> s</label>" );
+		printf( "<label class='solr_response'>Response time: <span id=\"qrytime\">{$results['qtime']}</span> s</label>" ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 	}
 
 	// if server id has been defined keep hold of it.
@@ -37,7 +37,7 @@
 
 			<form name="searchbox" method="get" id="searchbox" action="">
 					<input id="qrybox" name="s" type="text" class="solr_field" value="<?php echo esc_attr( $results['query'] ); ?>"/>
-					<?php echo $serverval; ?>
+					<?php echo $serverval; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
 					<input id="searchbtn" type="submit" value="Search" />
 			</form>
 		</div>
@@ -52,21 +52,21 @@
 	<?php
 	if ( $results['hits'] && $results['query'] && $results['qtime'] ) {
 		if ( $results['firstresult'] === $results['lastresult'] ) {
-			printf( "Displaying result %s of <span id='resultcnt'>%s</span> hits", $results['firstresult'], $results['hits'] );
+			printf( "Displaying result %s of <span id='resultcnt'>%s</span> hits", $results['firstresult'], $results['hits'] ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		} else {
-			printf( "Displaying results %s-%s of <span id='resultcnt'>%s</span> hits", $results['firstresult'], $results['lastresult'], $results['hits'] );
+			printf( "Displaying results %s-%s of <span id='resultcnt'>%s</span> hits", $results['firstresult'], $results['lastresult'], $results['hits'] ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		}
 	}
 	?>
 
 			</div>
 			<div class="solr_results_headerR">
 				<ol class="solr_sort2">
-					<li class="solr_sort_drop"><a href="<?php echo $results['sorting']['scoredesc'] ?>">Relevance<span></span></a></li>
-					<li><a href="<?php echo $results['sorting']['datedesc'] ?>">Newest</a></li>
-					<li><a href="<?php echo $results['sorting']['dateasc'] ?>">Oldest</a></li>
-					<li><a href="<?php echo $results['sorting']['commentsdesc'] ?>">Most Comments</a></li>
-					<li><a href="<?php echo $results['sorting']['commentsasc'] ?>">Least Comments</a></li>
+					<li class="solr_sort_drop"><a href="<?php echo $results['sorting']['scoredesc'] // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped,WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter ?>">Relevance<span></span></a></li>
+					<li><a href="<?php echo $results['sorting']['datedesc'] // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped,WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter ?>">Newest</a></li>
+					<li><a href="<?php echo $results['sorting']['dateasc'] // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped,WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter ?>">Oldest</a></li>
+					<li><a href="<?php echo $results['sorting']['commentsdesc'] // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped,WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter ?>">Most Comments</a></li>
+					<li><a href="<?php echo $results['sorting']['commentsasc'] // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped,WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter ?>">Least Comments</a></li>
 				</ol>
 				<div class="solr_sort">Sort by:</div>
 			</div>
@@ -87,29 +87,29 @@
 		printf( "<ol>\n" );
 		foreach ( $results['results'] as $result ) {
 
-			printf( "<li onclick=\"window.location='%s'\">\n", $result['permalink'] );
-			printf( "<h2><a href='%s'>%s</a></h2>\n", $result['permalink'], $result['title'] );
+			printf( "<li onclick=\"window.location='%s'\">\n", esc_url_raw( $result['permalink'] ) );
+			printf( "<h2><a href='%s'>%s</a></h2>\n", esc_url_raw( $result['permalink'] ), esc_textarea( $result['title'] ) );
 			echo '<p>';
 			foreach ( explode( '...', $result['teaser'] ) as $this_result ) {
 				if ( ! empty( $this_result ) ) {
-					echo '...' . $this_result . '...<br /><br />';
+					echo '...' . $this_result . '...<br /><br />'; // phpcs:ignore WordPressDotOrg.sniffs.OutputEscaping.UnescapedOutputParameter,WordPress.Security.EscapeOutput.OutputNotEscaped
 				}
 			}
 
 			if ( $result['numcomments'] > 0 ) {
-				printf( "<a href='%s'>(comment match)</a>", $result['comment_link'] );
+				printf( "<a href='%s'>(comment match)</a>", esc_url_raw( $result['comment_link'] ) );
 			}
 
 			echo "</p>\n";
 
 			printf(
 				"<label> By <a href='%s'>%s</a> in %s %s - <a href='%s'>%s comments</a></label>\n",
-				$result['authorlink'],
-				$result['author'],
-				get_the_category_list( ', ', '', $result['id'] ),
-				gmdate( 'm/d/Y', strtotime( $result['date'] ) ),
-				$result['comment_link'],
-				$result['numcomments']
+				esc_url_raw( $result['authorlink'] ),
+				esc_textarea( $result['author'] ),
+				wp_kses_post( get_the_category_list( ', ', '', $result['id'] ) ),
+				esc_textarea( gmdate( 'm/d/Y', strtotime( $result['date'] ) ) ),
+				esc_url_raw( $result['comment_link'] ),
+				esc_textarea( $result['numcomments'] )
 			);
 			printf( "</li>\n" );
 		}
@@ -146,15 +146,15 @@
 		}
 
 		if ( '' !== $prev ) {
-			printf( '<a href="%s">Previous</a>', $prev );
+			printf( '<a href="%s">Previous</a>', esc_url_raw( $prev ) );
 		}
 
 		foreach ( $itemlinks as $itemlink ) {
-			echo $itemlink;
+			echo wp_kses_post( $itemlink );
 		}
 
 		if ( '' !== $next ) {
-			printf( '<a href="%s">Next</a>', $next );
+			printf( '<a href="%s">Next</a>', esc_url_raw( $next ) );
 		}
 
 		printf( "</div>\n" );
@@ -173,7 +173,7 @@
 	<?php
 	if ( $results['facets']['selected'] ) {
 		foreach ( $results['facets']['selected'] as $selectedfacet ) {
-			printf( '<li><span></span><a href="%s">%s<b>x</b></a></li>', $selectedfacet['removelink'], $selectedfacet['name'] );
+			printf( '<li><span></span><a href="%s">%s<b>x</b></a></li>', esc_url_raw( $selectedfacet['removelink'] ), esc_textarea( $selectedfacet['name'] ) );
 		}
 	}
 	?>
@@ -185,7 +185,7 @@
 		foreach ( $results['facets'] as $facet ) {
 			// don't display facets with only 1 value.
 			if ( isset( $facet['items'] ) and sizeof( $facet['items'] ) > 1 ) {
-				printf( "<li>\n<h3>%s</h3>\n", $facet['name'] );
+				printf( "<li>\n<h3>%s</h3>\n", wp_kses_post( $facet['name'] ) );
 				s4wp_print_facet_items( $facet['items'], '<ol>', '</ol>', '<li>', '</li>', '<li><ol>', '</ol></li>', '<li>', '</li>' );
 				printf( "</li>\n" );
 			}