Feedback from using the new plugin check #534

Open
Zodiac1978 opened this issue Sep 22, 2023 · 1 comment

Zodiac1978 commented Sep 22, 2023

There is a new plugin for checking plugins:
https://wordpress.org/plugins/plugin-check/
https://github.com/10up/plugin-check

I have checked ASB with it and got some issues:

WordPress.Security.NonceVerification.Recommended Line 83 of file inc/columns.class.php.
Processing form data without nonce verification.
$orderby = isset( $_GET['orderby'] ) ? sanitize_text_field( wp_unslash( $_GET['orderby'] ) ) : '';

WordPress.Security.NonceVerification.Recommended Line 108 of file inc/columns.class.php.
Processing form data without nonce verification.
$spam_reason = isset( $_GET['comment_spam_reason'] ) ? sanitize_text_field( wp_unslash( $_GET['comment_spam_reason'] ) ) : '';

WordPress.Security.NonceVerification.Recommended Line 133 of file inc/columns.class.php.
Processing form data without nonce verification.
$spam_reason = isset( $_GET['comment_spam_reason'] ) ? sanitize_text_field( wp_unslash( $_GET['comment_spam_reason'] ) ) : '';

WordPress.Security.NonceVerification.Recommended Line 240 of file antispam_bee.php.
Processing form data without nonce verification.
if ( ! empty( $_GET['comment_status'] ) && 'spam' === $_GET['comment_status'] && ! self::get_option( 'no_notice' ) ) {

WordPress.Security.NonceVerification.Recommended Line 549 of file antispam_bee.php.
Processing form data without nonce verification.
return ( ! empty( $_GET['page'] ) && 'antispam_bee' === $_GET['page'] );

WordPress.WP.AlternativeFunctions.file_system_read_file_put_contents Line 2429 of file antispam_bee.php.
File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: file_put_contents().
file_put_contents(

WordPress.WP.AlternativeFunctions.strip_tags_strip_tags Line 2605 of file antispam_bee.php.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
$content = strip_tags( stripslashes( $comment['comment_content'] ) );

WordPress.WP.AlternativeFunctions.strip_tags_strip_tags Line 2626 of file antispam_bee.php.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
strip_tags( $post->post_title )

WordPress.WP.AlternativeFunctions.strip_tags_strip_tags Line 2630 of file antispam_bee.php.
strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.
( empty( $comment['comment_author'] ) ? '' : strip_tags( $comment['comment_author'] ) )

@Zodiac1978
Member Author

So we have 1 recommendation:
WordPress.Security.NonceVerification.Recommended

And two bugs:
WordPress.WP.AlternativeFunctions.file_system_read_file_put_contents
WordPress.WP.AlternativeFunctions.strip_tags_strip_tags

Using wp_strip_all_tags has this notice:

This differs from strip_tags() because it removes the contents of the <script> and <style> tags. E.g. strip_tags( '<script>something</script>' ) will return 'something'. wp_strip_all_tags will return ''

Not sure about the other one. There are 8597 plugins in the directory (including WooCommerce, Yoast, Jetpack) which are using it:
https://wpdirectory.net/search/01HAYN7Q221PBQ7TFVKGHTS1WB
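As an added example (not code from this issue or from the Antispam Bee code base), the following stand-alone PHP reproduces the behaviour the quoted notice describes: a stand-in for WordPress core's wp_strip_all_tags() (remove script/style blocks including their contents, then strip_tags(), then trim) run beside plain strip_tags() on constructed comment-like inputs. The function name demo_strip_all_tags and the sample strings are assumptions of this example.

```php
<?php
/**
 * Stand-in for WordPress core's wp_strip_all_tags(), so the comparison runs
 * outside WordPress. Mirrors core's documented steps: drop <script> and
 * <style> elements together with their contents, strip the remaining tags,
 * optionally collapse whitespace, then trim.
 * (Hypothetical name for this example; in a plugin call wp_strip_all_tags().)
 */
function demo_strip_all_tags( string $text, bool $remove_breaks = false ): string {
	// Remove whole script/style blocks; \1 back-references the matched tag name.
	$text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $text );
	// Drop every remaining tag but keep the text between them.
	$text = strip_tags( $text );
	if ( $remove_breaks ) {
		$text = preg_replace( '/[\r\n\t ]+/', ' ', $text );
	}
	return trim( $text );
}

// Constructed sample inputs shaped like comment content a spam filter inspects.
$samples = [
	// Harmless markup: both functions agree.
	'<p>Hello <b>world</b></p>',
	// The case from the notice: strip_tags() keeps the script body as text.
	'<script>something</script>',
	// Mixed content: a style block would leak its CSS into the "plain text".
	"Buy now <style>.x{display:none}</style>cheap <a href=\"http://example.test\">pills</a>",
];

foreach ( $samples as $input ) {
	printf(
		"input:               %s\n  strip_tags():        %s\n  strip_all_tags():    %s\n\n",
		var_export( $input, true ),
		var_export( strip_tags( $input ), true ),
		var_export( demo_strip_all_tags( $input ), true )
	);
}
```

For the second and third inputs, strip_tags() returns the script body and the CSS rule as visible text, while the stand-in returns the empty string and "Buy now cheap pills" respectively, which is the difference that matters when the stripped text feeds a spam-scoring check.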
