User.php uses escapeshellcmd for paths/URLs, causing undefined function errors and incorrect sanitization with PHP 8.2 #80
Description
Problem
- escapeshellcmd is intended for shell command strings, not URL/path construction.
- In this plugin context it can surface as an undefined function error.
- Even when available, it may alter path values in ways that are not appropriate for this use case.
Expected behavior
- App names should be sanitized for filename safety.
- URLs and local paths should be built directly (without shell escaping) and remain valid.
- React app assets and CRA asset-manifest.json should load without errors.
Suggested fix
- Replace escapeshellcmd(...) usage with:
- sanitize_file_name($current_app['appname']) for app name normalization.
- Direct string concatenation for REPR_APPS_URL / REPR_APPS_PATH path building.
Reproduction notes
- Load a page that triggers repr_load_react_app() / setup_cra_application_files().
- Observe runtime/static-analysis error related to escapeshellcmd.
- After patch, verify assets enqueue correctly and the error is gone.
Impact
- Fixes plugin reliability for environments where this call fails.
- Uses context-appropriate sanitization/path handling.
- Reduces risk of broken asset URLs/paths.
PR Submitted with resolution: