PHPCS - WordPress.Security.ValidatedSanitizedInput#112
Merged
Conversation
- autofixes
- remove prefix underscores
- fix spacing in resize text
- move whitespace
- Do not escape error messages before being outputted to html
- Unexclude escape output
- phpcs: bulk-optimization.php
- phpcs account-status-create-advanced
- phpcs compress-details-processing
- fix create-simple
- phpcs dashboard-widget
- phpcs optimization-chart
- phpcs status-connected
- phpcs compress-details
- phpcs upgrade notice
- notice-feedback
- exceptions are handled on client usage in views
- phpcs notices
- phpcs class-tiny-compress.php
- phpcs settings
- phpcs tiny-plugin
- remove parameter
- use Tiny_Image
- typo
- ignore exception, is not outputted
- use esc_url instead of esc_html on urls
- add checked mock func
- fix test
Pull request overview
This pull request removes the PHPCS exclusion for WordPress.Security.ValidatedSanitizedInput and updates several request-handling code paths to unslash/sanitize superglobal inputs in line with WordPress security standards.
Changes:
- Sanitizes/unslashes `$_REQUEST`, `$_GET`, and `$_POST` inputs across multiple admin/AJAX handlers and views.
- Tightens validation in RPC and upload AJAX flows (sanitized action/hash/nonces).
- Updates PHPCS configuration to enforce WordPress.Security.ValidatedSanitizedInput (no longer excluded).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/views/compress-details.php | Sanitizes ids request parameter before parsing attachment IDs. |
| src/class-tiny-settings.php | Sanitizes/simplifies settings AJAX inputs (API key, create-key fields) and notice rendering inputs. |
| src/class-tiny-plugin.php | Sanitizes RPC/upload/bulk-action request parameters and query args. |
| src/class-tiny-notices.php | Sanitizes notice dismissal name before persisting dismissal state. |
| phpcs.xml | Removes the exclusion for WordPress.Security.ValidatedSanitizedInput. |
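The input-handling shape that WordPress.Security.ValidatedSanitizedInput enforces, as an added example that is not code from this PR or the plugin: a hypothetical admin-ajax handler (the function, action and nonce names are assumptions) that checks capability and nonce first, guards every superglobal read with isset()/empty(), unslashes, sanitizes, and then validates against a whitelist before any value is used.

```php
<?php
/**
 * Added example, not from this PR or the plugin. Function, action and
 * nonce names are assumptions; the WordPress API calls are real.
 */
function example_handle_bulk_compress() {
	// 1. Authorisation and CSRF protection before any input is trusted.
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient capabilities' ), 403 );
	}
	check_ajax_referer( 'example-bulk-compress', 'nonce' );

	// 2. Presence check: the sniff flags reads of $_POST that are not
	//    guarded by isset() or empty().
	if ( empty( $_POST['media'] ) ) {
		wp_send_json_error( array( 'message' => 'No attachments selected' ), 400 );
	}

	// 3. Unslash, then sanitize. WordPress adds slashes to superglobals, so
	//    wp_unslash() must come before any string sanitizer. absint() on each
	//    element plus array_filter() drops non-numeric junk such as "12abc"
	//    or "../etc/passwd" instead of letting it through as 0.
	$ids = array_filter(
		array_map( 'absint', wp_unslash( (array) $_POST['media'] ) )
	);
	if ( empty( $ids ) ) {
		wp_send_json_error( array( 'message' => 'No valid attachment IDs' ), 400 );
	}

	// 4. Sanitizing is not validating: sanitize_key() makes the value safe to
	//    handle; the whitelist decides whether it is a value we accept.
	$mode = isset( $_POST['mode'] )
		? sanitize_key( wp_unslash( $_POST['mode'] ) )
		: 'lossy';
	if ( ! in_array( $mode, array( 'lossy', 'lossless' ), true ) ) {
		wp_send_json_error( array( 'message' => 'Unknown mode' ), 400 );
	}

	// 5. Only post-validation values reach the rest of the code.
	wp_send_json_success(
		array(
			'ids'  => array_values( $ids ),
			'mode' => $mode,
		)
	);
}
add_action( 'wp_ajax_example_bulk_compress', 'example_handle_bulk_compress' );
```

Two points worth keeping in mind when clearing the sniff: integer casts such as intval() and absint() are accepted without a preceding wp_unslash() because a number cannot carry slashes, whereas string sanitizers (sanitize_text_field(), sanitize_email(), sanitize_key()) are only accepted on an unslashed value; and a sanitizer that returns an empty string on bad input (sanitize_email() in particular) needs an explicit validation step afterwards, otherwise the handler proceeds with '' where it should have returned an error.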
Comment on lines +164 to 166
| $selected_sizes = isset( $_GET['image_sizes_selected'] ) ? | ||
| intval( $_GET['image_sizes_selected'] ) : 0; | ||
| $this->render_size_checkboxes_description( |
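Review bot: intval() on $_GET['image_sizes_selected'] satisfies the sniff without wp_unslash() because an integer cast cannot carry slashes, so the sanitization in this hunk is fine as written; if a negative count is never meaningful for the sizes description, absint() states that intent more clearly than intval().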
Comment on lines 872 to 876
| $compressor->create_key( | ||
| $_POST['email'], | ||
| sanitize_email( wp_unslash( $_POST['email'] ) ), | ||
| array( | ||
| 'name' => $_POST['name'], | ||
| 'name' => sanitize_text_field( wp_unslash( $_POST['name'] ) ), | ||
| 'identifier' => $identifier, |
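Review bot: sanitize_email() returns an empty string for anything that is not a well-formed address, so an invalid $_POST['email'] now reaches create_key() silently as '' where previously the raw value went through; validate before the call, e.g. `$email = sanitize_email( wp_unslash( $_POST['email'] ) );` followed by `if ( ! is_email( $email ) ) { /* return an error status */ }`, and pass $email. The same applies to $_POST['name']: sanitize_text_field() makes the value safe but does not guarantee it is non-empty.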
Comment on lines +912 to 924
| $key = null; | ||
| if ( ! current_user_can( 'manage_options' ) ) { | ||
| $status = (object) array( | ||
| 'ok' => false, | ||
| 'message' => 'This feature requires certain user capabilities', | ||
| ); | ||
| } elseif ( empty( $key ) ) { | ||
| } elseif ( empty( $_POST['key'] ) ) { | ||
| /* Always save if key is blank, so the key can be deleted. */ | ||
| $status = (object) array( | ||
| 'ok' => true, | ||
| 'message' => null, | ||
| ); | ||
| } else { |
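Review bot: `$key = null;` is initialised at the top but the elseif now tests the raw `$_POST['key']` instead, so $key is unused until the else branch (not shown) assigns it; sanitize once before the branch, e.g. `$key = isset( $_POST['key'] ) ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';`, and test `'' === $key` in the elseif. Note also that empty() treats the string "0" as blank, so the current check would delete a stored key when "0" is submitted rather than attempting to save it.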
Comment on lines 688 to 706
| if ( | ||
| ! in_array( $action, $valid_actions, true ) && | ||
| ! in_array( $action2, $valid_actions, true ) | ||
| ) { | ||
| return; | ||
| } | ||
| if ( empty( $_REQUEST['media'] ) || ( ! $_REQUEST['media'] ) ) { | ||
| $media = isset( $_REQUEST['media'] ) ? | ||
| array_map( 'intval', wp_unslash( (array) $_REQUEST['media'] ) ) | ||
| : array(); | ||
| if ( empty( $media ) ) { | ||
| $_REQUEST['action'] = ''; | ||
| return; | ||
| } | ||
| check_admin_referer( 'bulk-media' ); | ||
| $ids = implode( '-', array_map( 'intval', $_REQUEST['media'] ) ); | ||
| $ids = implode( '-', $media ); | ||
| $location = 'upload.php?mode=list&ids=' . $ids; | ||
|
|
||
| $location = add_query_arg( 'action', $_REQUEST['action'], $location ); | ||
| $location = add_query_arg( 'action', $action, $location ); | ||
|
|
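Review bot: the guard at the top returns only when both $action and $action2 fail the whitelist, yet the redirect at the bottom now uses $action alone; when the bulk-action selector below the media table is used, $action2 holds the valid value and $action is '-1', so the location becomes action=-1. Resolve to a single validated action before building $location, e.g. `if ( ! in_array( $action, $valid_actions, true ) ) { $action = $action2; }`. Separately, array_map( 'intval', ... ) turns non-numeric entries into 0, so apply array_filter() to $media after the map so an 'abc' entry does not end up as a 0 in the ids list.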
Solved every violation of WordPress.Security.ValidatedSanitizedInput