Conversation
obiPlabon
left a comment
obiPlabon
left a comment
There was a problem hiding this comment.
There are more issues similar to the feedback I shared. Please check them
| ?> | ||
| <div class="atbd_rated_stars"> | ||
| <?php echo ATBDP()->review->print_static_rating($average); ?> | ||
| <?php echo esc_html( ATBDP()->review->print_static_rating( $average ) ); ?> |
There was a problem hiding this comment.
this method returns html and doesn't need to be escaped.
| $listing_id = 0; | ||
| $current_url = $current_url="//".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; | ||
| $current_listing_type = isset( $_GET['directory_type'] ) ? $_GET['directory_type'] : get_post_meta( $listing_id, '_directory_type', true ); | ||
| $current_url = $current_url="//". sanitize_text_field( $_SERVER['HTTP_HOST'] ) . sanitize_text_field( $_SERVER['REQUEST_URI'] ); |
There was a problem hiding this comment.
I think there's a typo $current_url = $current_url="//"
Looks like we don't need the HTTP_HOST here only the REQUEST_URI is enough. Please recheck...
| 'please_login' => __( 'Please login first', 'directorist' ), | ||
| 'select_listing_map' => $select_listing_map, | ||
| 'Miles' => !empty( $_GET['miles'] ) ? $_GET['miles'] : $miles, | ||
| 'Miles' => ! empty( $_GET['miles'] ) ? sanitize_text_field( $_GET['miles'] ) : $miles, |
There was a problem hiding this comment.
$_GET['miles'] is an integer whereas $miles is a string. Looks like the translation string in incorrect. Supposed to be $miles_text = __( '%d Miles', 'directorist' ); $miles = ! empty( $_GET['miles'] ) ? absint( $_GET['miles'] ) : 0; and `'Miles' => sprintf( $miles_text, $miles )
| $action = ! empty( $_GET['atbdp_action'] ) ? $_GET['atbdp_action'] : ''; | ||
| $listing_id = ! empty( $_GET['atbdp_listing'] ) ? absint( $_GET['atbdp_listing'] ) : 0; | ||
| $action = ! empty( $_GET['atbdp_action'] ) ? sanitize_text_field( $_GET['atbdp_action'] ) : ''; | ||
| $listing_id = ! empty( $_GET['atbdp_listing'] ) ? absint( sanitize_text_field( $_GET['atbdp_listing'] ) ) : 0; |
There was a problem hiding this comment.
sanitize_text_field unnecessary
| echo '</p></div>'; | ||
|
|
||
| echo "<script type='text/javascript'>jQuery('." . $this->client->slug . "-insights-data-we-collect').on('click', function(e) { | ||
| echo "<script type='text/javascript'>jQuery('." . esc_attr( $this->client->slug ) . "-insights-data-we-collect').on('click', function(e) { |
There was a problem hiding this comment.
use esc_js for all inline and internal js
| Comment::clear_transients( $comment->comment_post_ID ); | ||
|
|
||
| $cpage = isset( $_POST['cpage'] ) ? absint( $_POST['cpage'] ) : 0; | ||
| $cpage = isset( $_POST['cpage'] ) ? absint( sanitize_text_field( $_POST['cpage'] ) ) : 0; |
There was a problem hiding this comment.
absint( $_POST['cpage'] )
| } | ||
|
|
||
| if ( empty( $_POST['comment'] ) || empty( trim( $_POST['comment'] ) ) ) { | ||
| if ( empty( $_POST['comment'] ) || empty( trim( sanitize_text_field( $_POST['comment'] ) ) ) ) { |
There was a problem hiding this comment.
It's a textarea field so using sanitize_text_field will remove newline characters.
$comment = isset( $_POST['comment'] ) ? trim( sanitize_textarea_field( $_POST['comment'] ) : '';
if ( empty( $comment ) ) {
....
}
// And online line 83-87
$comment_data = array(
...
...
'comment_content' => $comment
);| $nonce = ! empty( $_REQUEST['nonce'] ) ? $_REQUEST['nonce'] : ''; | ||
| $post_id = ! empty( $_REQUEST['post_id'] ) ? absint( $_REQUEST['post_id'] ) : 0; | ||
| $comment_id = ! empty( $_REQUEST['comment_id'] ) ? absint( $_REQUEST['comment_id'] ) : 0; | ||
| $nonce = ! empty( $_REQUEST['nonce'] ) ? sanitize_text_field( $_REQUEST['nonce'] ) : ''; |
There was a problem hiding this comment.
wp_unslash( $_REQUEST['nonce'] )
| $post_id = ! empty( $_REQUEST['post_id'] ) ? absint( $_REQUEST['post_id'] ) : 0; | ||
| $comment_id = ! empty( $_REQUEST['comment_id'] ) ? absint( $_REQUEST['comment_id'] ) : 0; | ||
| $nonce = ! empty( $_REQUEST['nonce'] ) ? sanitize_text_field( $_REQUEST['nonce'] ) : ''; | ||
| $post_id = ! empty( $_REQUEST['post_id'] ) ? absint( sanitize_text_field( $_REQUEST['post_id'] ) ) : 0; |
There was a problem hiding this comment.
absint( $_REQUEST['post_id'] )
| $comment_id = ! empty( $_REQUEST['comment_id'] ) ? absint( $_REQUEST['comment_id'] ) : 0; | ||
| $nonce = ! empty( $_REQUEST['nonce'] ) ? sanitize_text_field( $_REQUEST['nonce'] ) : ''; | ||
| $post_id = ! empty( $_REQUEST['post_id'] ) ? absint( sanitize_text_field( $_REQUEST['post_id'] ) ) : 0; | ||
| $comment_id = ! empty( $_REQUEST['comment_id'] ) ? absint( sanitize_text_field( $_REQUEST['comment_id'] ) ) : 0; |
There was a problem hiding this comment.
absint( $_REQUEST['comment_id'] )
| $radius_search_unit = get_directorist_option( 'radius_search_unit', 'miles' ); | ||
| $default_radius_distance = get_directorist_option( 'search_default_radius_distance', 0 ); | ||
|
|
||
| $miles = ! empty( $_GET['miles'] ) ? absint( $_GET['miles'] ) : 0; |
There was a problem hiding this comment.
improvements should go into different PR, only security fixes here
vairafiq
left a comment
vairafiq
left a comment
There was a problem hiding this comment.
Review broke in single listing
There was a problem hiding this comment.
PHP error found
[02-Aug-2022 06:46:52 UTC] PHP Parse error: syntax error, unexpected ')' in /media/k/SSD/xampp/htdocs/wpwax/directorist/wp-content/plugins/directorist/includes/helper-functions.php on line 9009
[02-Aug-2022 06:46:52 UTC] PHP Fatal error: Exception thrown without a stack frame in Unknown on line 0
4 participants
No description provided.