Improve output sanitization across various files

The commit includes adjustments in several files to improve the way outputs are sanitized, enhancing the security of the application. Escaping functions were applied to the $filename and $size parameters in class-mime-builder.php, and to $this->id in class-push.php. In addition, minor corrections were made in phpcs comments in class-embed-generic.php and class-tiktok.php, ensuring that they deactivate the corresponding sniffs after the required code, as intended.
alleyinteractive · Nov 1, 2023 · e96caf9 · e96caf9
1 parent 8b2c2e0
commit e96caf9
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 7 deletions.
diff --git a/admin/apple-actions/index/class-push.php b/admin/apple-actions/index/class-push.php
@@ -228,7 +228,7 @@ private function push( $user_id = null ) {
 				sprintf(
 					// Translators: Placeholder is a post ID.
 					esc_html__( 'Skipped push of article %d due to the apple_news_skip_push filter.', 'apple-news' ),
-					$this->id // phpcs:ignore WordPress.Security.EscapeOutput.ExceptionNotEscaped
+					absint( $this->id )
 				)
 			);
 		}
@@ -278,7 +278,7 @@ private function push( $user_id = null ) {
 					sprintf(
 						// Translators: Placeholder is a post ID.
 						esc_html__( 'Skipped push of article %d due to the presence of a skip push taxonomy term.', 'apple-news' ),
-						$this->id // phpcs:ignore WordPress.Security.EscapeOutput.ExceptionNotEscaped
+						absint( $this->id )
 					)
 				);
 			}

diff --git a/includes/apple-exporter/components/class-embed-generic.php b/includes/apple-exporter/components/class-embed-generic.php
@@ -51,11 +51,11 @@ public static function node_matches( $node ) {
 			&& 'iframe' === $node->childNodes->item( 0 )->nodeName
 		) {
 			return $node;
-			/* phpcs:enable WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase */
 		}
 
 		// Anything else isn't supported out of the box.
 		return null;
+		/* phpcs:enable WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase */
 	}
 
 	/**

diff --git a/includes/apple-exporter/components/class-tiktok.php b/includes/apple-exporter/components/class-tiktok.php
@@ -46,10 +46,10 @@ public static function node_matches( $node ) {
 			&& self::node_has_class( $node, 'tiktok-embed' )
 		) {
 			return $node;
-			/* phpcs:enable WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase */
 		}
 
 		return null;
+		/* phpcs:enable WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase */
 	}
 
 	/**

diff --git a/includes/apple-push-api/class-mime-builder.php b/includes/apple-push-api/class-mime-builder.php
@@ -211,7 +211,7 @@ private function build_attachment( $name, $filename, $content, $mime_type, $size
 				sprintf(
 					// translators: token is an attachment filename.
 					esc_html__( 'The attachment %s could not be included in the request because it was empty.', 'apple-news' ),
-					$filename // phpcs:ignore WordPress.Security.EscapeOutput.ExceptionNotEscaped
+					esc_html( $filename )
 				)
 			);
 		}
@@ -222,8 +222,8 @@ private function build_attachment( $name, $filename, $content, $mime_type, $size
 				sprintf(
 					// translators: first token is the filename, second is the file size.
 					esc_html__( 'The attachment %1$s could not be included in the request because its size was %2$s.', 'apple-news' ),
-					$filename, // phpcs:ignore WordPress.Security.EscapeOutput.ExceptionNotEscaped
-					$size // phpcs:ignore WordPress.Security.EscapeOutput.ExceptionNotEscaped
+					esc_html( $filename ),
+					esc_html( $size )
 				)
 			);
 		}