Merged
30 changes: 15 additions & 15 deletions src/Admin/Pages/FilesPage.php
@@ -304,13 +304,13 @@
$alternateClass = (++$i % 2 == 0) ? 'alternate' : '';
$fileType = $this->getFileTypeName($file->name);
?>
<tr class="file <?php echo $alternateClass ?>" id="u-file-<?php echo $file->id ?>">
<th style="text-align:center" scope="row"><?php echo $file->id ?></th>
<td id="u-name-<?php echo $file->id ?>"><?php echo $this->getFileBasename($file->name) ?></td>
<td style="text-align:center"><?php echo $fileType ?></td>
<tr class="file <?php echo esc_attr($alternateClass) ?>" id="u-file-<?php echo (int) $file->id ?>">
<th style="text-align:center" scope="row"><?php echo (int) $file->id ?></th>
<td id="u-name-<?php echo (int) $file->id ?>"><?php echo esc_html($this->getFileBasename($file->name)) ?></td>
<td style="text-align:center"><?php echo esc_html($fileType) ?></td>
<td style="text-align:center">
<a href="<?php echo admin_url("admin.php?page=sermon-browser/new_sermon.php&amp;getid3={$file->id}"); ?>"><?php _e('Create sermon', 'sermon-browser') ?></a> |
<button type="button" id="u-link-<?php echo $file->id; ?>" class="button-link" onclick="rename(<?php echo $file->id; ?>, '<?php echo $file->name; ?>')"><?php _e('Rename', 'sermon-browser'); ?></button> | <button type="button" class="button-link" onclick="if(confirm('Do you really want to delete <?php echo str_replace("'", '', $file->name); ?>?')) kill(<?php echo $file->id; ?>, '<?php echo $file->name; ?>')"><?php _e('Delete', 'sermon-browser'); ?></button>
<a href="<?php echo esc_url(admin_url("admin.php?page=sermon-browser/new_sermon.php&amp;getid3={(int) $file->id}")); ?>"><?php esc_html_e('Create sermon', 'sermon-browser') ?></a> |
⚠️ Potential issue | 🟡 Minor

Syntax error in URL string interpolation.

The {(int) $file->id} syntax inside a double-quoted string won't cast to int as intended. The cast operation is not supported within curly brace interpolation.

🐛 Proposed fix
-                    <a href="<?php echo esc_url(admin_url("admin.php?page=sermon-browser/new_sermon.php&amp;getid3={(int) $file->id}")); ?>"><?php esc_html_e('Create sermon', 'sermon-browser') ?></a> |
+                    <a href="<?php echo esc_url(admin_url("admin.php?page=sermon-browser/new_sermon.php&getid3=" . (int) $file->id)); ?>"><?php esc_html_e('Create sermon', 'sermon-browser') ?></a> |

Note: Also removed &amp; since esc_url handles encoding, and using &amp; before esc_url would double-encode it.


🤖 Prompt for AI Agents
In `@src/Admin/Pages/FilesPage.php` at line 312, The URL string in the anchor uses
invalid interpolation "{(int) $file->id}" and double-encodes the ampersand; fix
by casting $file->id to int before building the query and concatenating it into
admin_url, e.g. build the path using string concatenation with (int) $file->id
and a plain '&getid3=' (not '&amp;'), then pass that full URL to esc_url within
the href; update the anchor generation in FilesPage (the line calling admin_url
and esc_url) accordingly.

<button type="button" id="u-link-<?php echo (int) $file->id; ?>" class="button-link" onclick="rename(<?php echo (int) $file->id; ?>, '<?php echo esc_js($file->name); ?>')"><?php esc_html_e('Rename', 'sermon-browser'); ?></button> | <button type="button" class="button-link" onclick="if(confirm('Do you really want to delete <?php echo esc_js($file->name); ?>?')) kill(<?php echo (int) $file->id; ?>, '<?php echo esc_js($file->name); ?>')"><?php esc_html_e('Delete', 'sermon-browser'); ?></button>
</td>
</tr>
<?php
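Review bot: the interpolation `{(int) $file->id}` in the Create sermon href does not cast anything; PHP only treats `{` as the start of a complex expression when it is immediately followed by `$`, so the literal text `{(int) ` is emitted, `$file->id` is then interpolated uncast, and the rendered query carries a malformed `getid3` value. Build the URL by concatenation instead: `admin_url('admin.php?page=sermon-browser/new_sermon.php&getid3=' . (int) $file->id)`. The `&amp;` inside the argument is redundant rather than harmful, since `esc_url()` normalizes `&amp;` and `&` to the same encoded form for display; the other hunks in this PR pass a plain `&`, so do the same here for consistency. The remaining changes look right: the `(int)` casts close off attribute injection through `id`, and `esc_js()` is the correct escaper for `$file->name` inside the single-quoted JavaScript strings of the `onclick` attributes, replacing the earlier `str_replace("'", '', ...)` that only stripped one character.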
@@ -364,24 +364,24 @@
foreach ($files as $file) {
$alternateClass = (++$i % 2 == 0) ? 'alternate' : '';
$fileType = $this->getFileTypeName($file->name);
$safeName = str_replace("'", '', $file->name);
$safeTitle = str_replace("'", '', $file->title);
$safeName = esc_js($file->name);
$safeTitle = esc_js($file->title);
?>
<tr class="file <?php echo $alternateClass ?>" id="l-file-<?php echo $file->id ?>">
<th style="text-align:center" scope="row"><?php echo $file->id ?></th>
<td id="l-name-<?php echo $file->id ?>"><?php echo $this->getFileBasename($file->name) ?></td>
<td style="text-align:center"><?php echo $fileType ?></td>
<td><?php echo stripslashes($file->title) ?></td>
<tr class="file <?php echo esc_attr($alternateClass) ?>" id="l-file-<?php echo (int) $file->id ?>">
<th style="text-align:center" scope="row"><?php echo (int) $file->id ?></th>
<td id="l-name-<?php echo (int) $file->id ?>"><?php echo esc_html($this->getFileBasename($file->name)) ?></td>
<td style="text-align:center"><?php echo esc_html($fileType) ?></td>
<td><?php echo esc_html(stripslashes($file->title)) ?></td>
<td style="text-align:center">
<script type="text/javascript">
function deletelinked_<?php echo $file->id;?>(filename, filesermon) {
function deletelinked_<?php echo (int) $file->id;?>(filename, filesermon) {
if (confirm('Do you really want to delete '+filename+'?')) {
return confirm('This file is linked to the sermon called ['+filesermon+']. Are you sure you want to delete it?');
}
return false;
}
</script>
<button type="button" id="l-link-<?php echo $file->id; ?>" class="button-link" onclick="rename(<?php echo $file->id; ?>, '<?php echo $file->name ?>')"><?php _e('Rename', 'sermon-browser') ?></button> | <button type="button" class="button-link" onclick="if(deletelinked_<?php echo $file->id;?>('<?php echo $safeName; ?>', '<?php echo $safeTitle; ?>')) kill(<?php echo $file->id; ?>, '<?php echo $file->name; ?>')"><?php _e('Delete', 'sermon-browser'); ?></button>
<button type="button" id="l-link-<?php echo (int) $file->id; ?>" class="button-link" onclick="rename(<?php echo (int) $file->id; ?>, '<?php echo $safeName ?>')"><?php esc_html_e('Rename', 'sermon-browser') ?></button> | <button type="button" class="button-link" onclick="if(deletelinked_<?php echo (int) $file->id;?>('<?php echo $safeName; ?>', '<?php echo $safeTitle; ?>')) kill(<?php echo (int) $file->id; ?>, '<?php echo $safeName; ?>')"><?php esc_html_e('Delete', 'sermon-browser'); ?></button>
</td>
</tr>
<?php
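Review bot: this block duplicates the row actions rendered by `renderFileRowActions()` in src/Ajax/LegacyAjaxHandler.php, and the two have already drifted: here the confirm messages in `deletelinked_<id>()` are hard-coded English, while the AJAX copy wraps them in `esc_js(__(...))`. Consider sharing one renderer so escaping and translation fixes land in both places at once. The escaping itself is consistent: `$safeName` and `$safeTitle` come from `esc_js()` and are only used inside single-quoted JavaScript strings within `onclick` attributes, which is the context that function is designed for, and the `(int)` cast on `$file->id` keeps the per-row function name `deletelinked_<id>` safe to emit.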
24 changes: 24 additions & 0 deletions src/Admin/Services/FileActionHandler.php
@@ -30,6 +30,18 @@
*/
public function handleUrlImport(): void
{
// Security: Verify nonce to prevent CSRF attacks.
if (
!isset($_POST['sb_file_import_nonce']) ||
!wp_verify_nonce($_POST['sb_file_import_nonce'], 'sb_file_import')
) {
wp_die(
esc_html__('Security check failed. Please refresh the page and try again.', 'sermon-browser'),
esc_html__('Security Error', 'sermon-browser'),
['response' => 403]
);
}

$url = esc_url($_POST['url']);

// Validate URL scheme to prevent SSRF attacks.
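Review bot: the nonce check proves the request came from the plugin's own form, not that the caller is allowed to import files; no capability check is visible in this hunk, so unless the caller of `handleUrlImport()` already enforces one, pair the nonce with `current_user_can()` for the appropriate capability and `wp_die()` with a 403 on failure. Two smaller points in the same region: `check_admin_referer('sb_file_import', 'sb_file_import_nonce')` performs the same `isset` plus `wp_verify_nonce()` plus `wp_die()` sequence in one call and is the conventional helper for admin form posts; and the untouched line `$url = esc_url($_POST['url']);` applies a display escaper to input, which turns `&` into `&#038;` and will corrupt any URL with query parameters before it is fetched, so `esc_url_raw()` (or `sanitize_url()`) is the right function there. Running the raw `$_POST` value through `wp_unslash()` first, as the static analysis warning suggests, is harmless for a nonce but keeps the input-handling pattern consistent.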
@@ -129,6 +141,18 @@
*/
public function handleFileUpload(): void
{
// Security: Verify nonce to prevent CSRF attacks.
if (
!isset($_POST['sb_file_upload_nonce']) ||
!wp_verify_nonce($_POST['sb_file_upload_nonce'], 'sb_file_upload')
) {
wp_die(
esc_html__('Security check failed. Please refresh the page and try again.', 'sermon-browser'),
esc_html__('Security Error', 'sermon-browser'),
['response' => 403]
);
}

if ($_FILES['upload']['error'] !== UPLOAD_ERR_OK) {
return;
}
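Review bot: the nonce block is a verbatim copy of the one in `handleUrlImport()`; factor it into a small private helper, or replace both with `check_admin_referer()`, so the two handlers cannot diverge. The same capability caveat applies here: a valid nonce does not establish that the user may upload, so a `current_user_can()` check should sit alongside it unless the caller already enforces one. Separately, the existing early return `if ($_FILES['upload']['error'] !== UPLOAD_ERR_OK)` assumes `$_FILES['upload']` is present; a form post that passes the nonce but omits the file field reaches this line and raises an undefined-index warning, so guard it with `isset($_FILES['upload']['error'])`.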
2 changes: 2 additions & 0 deletions src/Admin/UploadHelper.php
@@ -100,6 +100,8 @@ public static function renderForm(): void
?>
<table style="width:100%; border-spacing:2px" class="widefat">
<form method="post" enctype="multipart/form-data" action ="<?php echo admin_url('admin.php?page=sermon-browser/files.php'); ?>" >
<?php wp_nonce_field('sb_file_upload', 'sb_file_upload_nonce'); ?>
<?php wp_nonce_field('sb_file_import', 'sb_file_import_nonce'); ?>
<thead>
<tr>
<th scope="col" colspan="3"><?php
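Review bot: the `<form>` is opened as a direct child of `<table>` and ahead of `<thead>`, and the two new `wp_nonce_field()` calls inherit that position; this is invalid nesting that browsers repair heuristically, so rather than relying on the parser to keep the hidden inputs associated with the form, wrap the whole table in the form (or move the nonce fields into a table cell). While touching this line, the `action` attribute still echoes `admin_url(...)` without `esc_url()` even though the rest of the PR adds it everywhere else, and `action ="` has a stray space. Emitting two nonce fields for one form is fine since each handler verifies its own action, but a single shared action would be simpler if both handlers are only ever reached from this form.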
151 changes: 116 additions & 35 deletions src/Ajax/LegacyAjaxHandler.php
@@ -20,6 +20,20 @@
*/
class LegacyAjaxHandler
{
/**
* Nonce actions for legacy AJAX requests, keyed by operation type.
*
* @var array<string, string>
*/
private const NONCE_ACTIONS = [
'preacher' => 'sb_preacher_nonce',
'service' => 'sb_service_nonce',
'series' => 'sb_series_nonce',
'file' => 'sb_file_nonce',
'file_pagination' => 'sb_file_nonce',
'sermon' => 'sb_sermon_nonce',
];

/**
* Handle incoming AJAX request.
*
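Review bot: `'file'` and `'file_pagination'` both map to `sb_file_nonce`, which is fine if intentional but deserves a one-line note in the docblock, since a reader will otherwise take it for a copy-and-paste slip. The matching `wp_create_nonce()` calls that hand these actions to the JavaScript side are not in this diff; every key here must correspond to a nonce the front end actually sends, or the whole legacy AJAX path will fail with the new 403. A small fixture test that posts each operation with and without its nonce would catch a missing pairing.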
@@ -37,24 +51,89 @@
{
define('SB_AJAX', true);

// Route to appropriate handler based on POST parameters
if (isset($_POST['pname'])) {
self::handlePreacher();
} elseif (isset($_POST['sname'])) {
self::handleService();
} elseif (isset($_POST['ssname'])) {
self::handleSeries();
} elseif (isset($_POST['fname']) && validate_file(sb_get_option('upload_dir') . $_POST['fname']) === 0) {
self::handleFile();
} elseif (isset($_POST['fetch'])) {
self::handleSermonPagination();
} elseif (isset($_POST['fetchU']) || isset($_POST['fetchL']) || isset($_POST['search'])) {
self::handleFilePagination();
// Determine operation type and verify appropriate nonce
$operationType = self::determineOperationType();

if ($operationType === null || !self::verifyNonce($operationType)) {
wp_die(
esc_html__('Security check failed. Please refresh the page and try again.', 'sermon-browser'),
esc_html__('Security Error', 'sermon-browser'),
['response' => 403]
);
}

// Route to appropriate handler based on operation type
switch ($operationType) {
case 'preacher':
self::handlePreacher();
break;
case 'service':
self::handleService();
break;
case 'series':
self::handleSeries();
break;
case 'file':
self::handleFile();
break;
case 'sermon':
self::handleSermonPagination();
break;
case 'file_pagination':
self::handleFilePagination();
break;
}

die();
}

/**
* Determine the operation type from POST parameters.
*
* @return string|null The operation type or null if unknown.
*/
private static function determineOperationType(): ?string
{
if (isset($_POST['pname'])) {
return 'preacher';
}
if (isset($_POST['sname'])) {
return 'service';
}
if (isset($_POST['ssname'])) {
return 'series';
}
if (isset($_POST['fname']) && validate_file(sb_get_option('upload_dir') . $_POST['fname']) === 0) {
return 'file';
⚠️ Potential issue | 🟡 Minor

Form data accessed before nonce verification.

$_POST['fname'] is passed to validate_file() before the nonce is verified. While validate_file() is a safe function (only checks path validity), this pattern could mask timing-based information disclosure about file paths.

Consider restructuring to verify the nonce first, then determine the specific operation type from validated input.

♻️ Suggested restructure
-        if (isset($_POST['fname']) && validate_file(sb_get_option('upload_dir') . $_POST['fname']) === 0) {
+        if (isset($_POST['fname'])) {
             return 'file';
         }

Then move the validate_file() check into handleFile() after nonce verification:

private static function handleFile(): void
{
    // Validate file path after nonce verification
    if (validate_file(sb_get_option('upload_dir') . $_POST['fname']) !== 0) {
        echo 'invalid';
        die();
    }
    
    $fname = sanitize_file_name($_POST['fname']);
    // ... rest of handler
}

🤖 Prompt for AI Agents
In `@src/Ajax/LegacyAjaxHandler.php` around lines 106 - 107, The code reads
$_POST['fname'] and calls validate_file(sb_get_option('upload_dir') .
$_POST['fname']) before the request nonce is verified; move the file-access
logic behind the nonce check by returning the operation type without reading
fname, then perform validate_file(sb_get_option('upload_dir') . $_POST['fname'])
inside handleFile() after verifying the nonce (use the same nonce check function
your codebase uses, e.g., check_ajax_referer or wp_verify_nonce), and if
validate_file() fails echo 'invalid' and exit; also sanitize the filename with
sanitize_file_name($_POST['fname']) before using it in handleFile() to avoid
unsafe input.

}
if (isset($_POST['fetch'])) {
return 'sermon';
}
if (isset($_POST['fetchU']) || isset($_POST['fetchL']) || isset($_POST['search'])) {
return 'file_pagination';
}

return null;
}

/**
* Verify the nonce for the AJAX request.
*
* @param string $operationType The type of operation (preacher, service, series, file, sermon).
* @return bool True if nonce is valid, false otherwise.
*/
private static function verifyNonce(string $operationType): bool
{
$nonce = $_REQUEST['_wpnonce'] ?? $_REQUEST['_sb_nonce'] ?? '';
$action = self::NONCE_ACTIONS[$operationType] ?? '';

if (empty($action)) {
return false;
}

return (bool) wp_verify_nonce($nonce, $action);
}

/**
* Handle preacher CRUD operations.
*/
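Review bot: `determineOperationType()` reads `$_POST['fname']` and calls `validate_file()` before any nonce has been checked, and when that check fails the method returns `null`, so a legitimate user who sends a bad path gets the generic 'Security check failed' 403 instead of an invalid-filename response. Return `'file'` whenever `fname` is set and move the `validate_file()` call into `handleFile()`, after `verifyNonce()` has run, so that request data is only interpreted once the request is known to be genuine and the two failure modes stay distinguishable. In `verifyNonce()`, `check_ajax_referer($action, '_wpnonce', false)` already performs the `$_REQUEST` lookup and the `wp_verify_nonce()` call and returns false instead of dying, so it can replace the hand-rolled version if the `_sb_nonce` fallback is not needed. Finally, a nonce is an anti-CSRF token and not authorization: the handler bodies dispatched from the `switch` are not in this hunk, so confirm that the create/update/delete paths behind `handlePreacher()`, `handleService()`, `handleSeries()` and `handleFile()` each check `current_user_can()` for the caller.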
@@ -247,18 +326,18 @@
++$i;
?>
<tr class="<?php echo $i % 2 == 0 ? 'alternate' : '' ?>">
<th style="text-align:center" scope="row"><?php echo $sermon->id ?></th>
<td><?php echo stripslashes($sermon->title) ?></td>
<td><?php echo stripslashes($sermon->pname) ?></td>
<td><?php echo ($sermon->datetime == '1970-01-01 00:00:00') ? __('Unknown', 'sermon-browser') : wp_date('d M y', strtotime($sermon->datetime)); ?></td>
<td><?php echo stripslashes($sermon->sname) ?></td>
<td><?php echo stripslashes($sermon->ssname) ?></td>
<td><?php echo sb_sermon_stats($sermon->id) ?></td>
<th style="text-align:center" scope="row"><?php echo (int) $sermon->id ?></th>
<td><?php echo esc_html(stripslashes($sermon->title)) ?></td>
<td><?php echo esc_html(stripslashes($sermon->pname)) ?></td>
<td><?php echo ($sermon->datetime == '1970-01-01 00:00:00') ? esc_html__('Unknown', 'sermon-browser') : esc_html(wp_date('d M y', strtotime($sermon->datetime))); ?></td>
<td><?php echo esc_html(stripslashes($sermon->sname)) ?></td>
<td><?php echo esc_html(stripslashes($sermon->ssname)) ?></td>
<td><?php echo esc_html(sb_sermon_stats($sermon->id)) ?></td>
<td style="text-align:center">
<?php if (current_user_can('edit_posts')) { ?>
<a href="<?php echo admin_url("admin.php?page=sermon-browser/new_sermon.php&mid={$sermon->id}"); ?>"><?php _e('Edit', 'sermon-browser') ?></a> | <a onclick="return confirm('Are you sure?')" href="<?php echo admin_url("admin.php?page=sermon-browser/sermon.php&mid={$sermon->id}"); ?>"><?php _e('Delete', 'sermon-browser'); ?></a> |
<a href="<?php echo esc_url(admin_url("admin.php?page=sermon-browser/new_sermon.php&mid={$sermon->id}")); ?>"><?php esc_html_e('Edit', 'sermon-browser') ?></a> | <a onclick="return confirm('<?php echo esc_js(__('Are you sure?', 'sermon-browser')); ?>')" href="<?php echo esc_url(admin_url("admin.php?page=sermon-browser/sermon.php&mid={$sermon->id}")); ?>"><?php esc_html_e('Delete', 'sermon-browser'); ?></a> |
<?php } ?>
<a href="<?php echo sb_display_url() . sb_query_char(true) . 'sermon_id=' . $sermon->id;?>">View</a>
<a href="<?php echo esc_url(sb_display_url() . sb_query_char(true) . 'sermon_id=' . $sermon->id); ?>">View</a>
</td>
</tr>
<?php endforeach ?>
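Review bot: the Delete link is a state-changing GET (`admin.php?page=sermon-browser/sermon.php&mid=...`) guarded only by a JavaScript `confirm()`, with no nonce in the URL; if the receiving page performs the deletion, wrap the href in `wp_nonce_url()` and verify with `check_admin_referer()` there, otherwise this path stays open to the same CSRF the rest of the PR is closing. Smaller points: `{$sermon->id}` in the Edit/Delete hrefs and `$sermon->id` in the View link are not `(int)`-cast, unlike every other id in this PR; `esc_html(sb_sermon_stats(...))` assumes that function returns plain text, so confirm it does not return markup that would now render as literal tags; and `current_user_can('edit_posts')` only hides the links, it does not protect the endpoints they point at.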
@@ -282,7 +361,7 @@
$isUnlinked = isset($_POST['fetchU']);

if (count($files) === 0) {
echo '<tr><td>' . __('No results', 'sermon-browser') . '</td></tr>';
echo '<tr><td>' . esc_html__('No results', 'sermon-browser') . '</td></tr>';
die();
}

@@ -335,12 +414,12 @@
$fileBasename = substr($file->name, 0, strrpos($file->name, '.'));
$fileTypeName = $filetypes[$fileExt]['name'] ?? strtoupper($fileExt);
?>
<tr class="file <?php echo $altClass ?>" id="<?php echo $prefix ?>file<?php echo $file->id ?>">
<th style="text-align:center" scope="row"><?php echo $file->id ?></th>
<td id="<?php echo $prefix ?><?php echo $file->id ?>"><?php echo $fileBasename ?></td>
<td style="text-align:center"><?php echo $fileTypeName ?></td>
<tr class="file <?php echo esc_attr($altClass) ?>" id="<?php echo esc_attr($prefix) ?>file<?php echo (int) $file->id ?>">
<th style="text-align:center" scope="row"><?php echo (int) $file->id ?></th>
<td id="<?php echo esc_attr($prefix) ?><?php echo (int) $file->id ?>"><?php echo esc_html($fileBasename) ?></td>
<td style="text-align:center"><?php echo esc_html($fileTypeName) ?></td>
<?php if (!$isUnlinked) : ?>
<td><?php echo stripslashes($file->title) ?></td>
<td><?php echo esc_html(stripslashes($file->title)) ?></td>
<?php endif; ?>
<td style="text-align:center">
<?php self::renderFileRowActions($file, $isUnlinked); ?>
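Review bot: this row renderer is a near-duplicate of the one in src/Admin/Pages/FilesPage.php, and the same escaping fixes had to be applied twice; a shared renderer would make the next fix a single change. Within the hunk, `esc_attr($prefix)` is correct even though `$prefix` is internal, and the `(int)` casts and `esc_html()` on `$fileBasename`, `$fileTypeName` and the title match their output contexts. One untouched line worth a look: `substr($file->name, 0, strrpos($file->name, '.'))` yields an empty basename when the file name has no dot, since `strrpos()` returns `false`.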
@@ -357,24 +436,26 @@
*/
private static function renderFileRowActions(object $file, bool $isUnlinked): void
{
$safeName = str_replace("'", '', $file->name);
$safeTitle = str_replace("'", '', $file->title);
// Escape values for safe use in JavaScript strings.
$safeName = esc_js($file->name);
$safeTitle = esc_js($file->title);
$fileId = (int) $file->id;
?>
<script type="text/javascript" language="javascript">
function deletelinked_<?php echo $file->id;?>(filename, filesermon) {
if (confirm('Do you really want to delete '+filename+'?')) {
function deletelinked_<?php echo $fileId;?>(filename, filesermon) {
if (confirm('<?php echo esc_js(__('Do you really want to delete', 'sermon-browser')); ?> '+filename+'?')) {
if (filesermon != '') {
return confirm('This file is linked to the sermon called ['+filesermon+']. Are you sure you want to delete it?');
return confirm('<?php echo esc_js(__('This file is linked to the sermon called', 'sermon-browser')); ?> ['+filesermon+']. <?php echo esc_js(__('Are you sure you want to delete it?', 'sermon-browser')); ?>');
}
return true;
}
return false;
}
</script>
<?php if ($isUnlinked) : ?>
<a id="" href="<?php echo admin_url("admin.php?page=sermon-browser/new_sermon.php&amp;getid3={$file->id}"); ?>"><?php _e('Create sermon', 'sermon-browser') ?></a> |
<a id="" href="<?php echo esc_url(admin_url("admin.php?page=sermon-browser/new_sermon.php&amp;getid3={$fileId}")); ?>"><?php esc_html_e('Create sermon', 'sermon-browser') ?></a> |
<?php endif; ?>
<button type="button" id="link<?php echo $file->id ?>" class="button-link" onclick="rename(<?php echo $file->id ?>, '<?php echo $file->name ?>')"><?php _e('Rename', 'sermon-browser') ?></button> | <button type="button" class="button-link" onclick="if(deletelinked_<?php echo $file->id;?>('<?php echo $safeName ?>', '<?php echo $safeTitle ?>')){kill(<?php echo $file->id ?>, '<?php echo $file->name ?>');}"><?php _e('Delete', 'sermon-browser') ?></button>
<button type="button" id="link<?php echo $fileId ?>" class="button-link" onclick="rename(<?php echo $fileId ?>, '<?php echo $safeName ?>')"><?php esc_html_e('Rename', 'sermon-browser') ?></button> | <button type="button" class="button-link" onclick="if(deletelinked_<?php echo $fileId; ?>('<?php echo $safeName ?>', '<?php echo $safeTitle ?>')){kill(<?php echo $fileId ?>, '<?php echo $safeName ?>');}"><?php esc_html_e('Delete', 'sermon-browser') ?></button>
<?php
}
}
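Review bot: `esc_js()` is only safe inside an HTML attribute, and here it is applied to strings inside a `<script>` element (the two translated `confirm()` messages in `deletelinked_<id>()`). It HTML-encodes `"`, `<` and `>` as entities, which an attribute context decodes but a script element does not, so a translation containing a double quote would display a literal `&quot;`. For strings emitted inside `<script>`, use `wp_json_encode()` (which also supplies the surrounding quotes) instead. The `$safeName` and `$safeTitle` usages are fine because they land in `onclick` attributes. Also: the `getid3` href still uses `&amp;` where the other hunks pass a plain `&` to `admin_url()`, `<a id="">` carries an empty id, and `language="javascript"` on the script tag is obsolete.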