Issues in class-popup.php (master) - Issues in master - ThemeAvenue/BetterOptin - Measure and Improve Code Quality continuously with Scrutinizer

Issues (103)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/class-popup.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * BetterOptin Popup Class
 *
 * @package   BetterOptin/Popup Class
 * @author    ThemeAvenue <[email protected]>
 * @license   GPL-2.0+
 * @link      http://themeavenue.net
 * @copyright 2015 ThemeAvenue
 */

// If this file is called directly, abort.
if ( ! defined( 'WPINC' ) ) {
	die;
}

class WPBO_Popup {

	/**
	 * ID of the popup to work with
	 *
	 * @var int
	 * @since 2.0
	 */
	private $popup_id;

	private $settings;

	public function __construct( $popup_id = 0 ) {

		if ( self::popup_exists( $popup_id ) ) {
			$this->popup_id = (int) $popup_id;
			$this->get_settings();
		}

	}

	/**
	 * Check if a popup exists
	 *
	 * @since 2.0
	 *
	 * @param $popup_id
	 *
	 * @return bool
	 */
	public static function popup_exists( $popup_id ) {

		$post_type = get_post_type( $popup_id );

		return 'wpbo-popup' === $post_type ? true : false;

	}

	/**
	 * Check if the popup is currently active
	 *
	 * @since 2.0
	 * @return bool
	 */
	protected function is_popup_active() {

	}

	/**
	 * Get the popup settings
	 *
	 * @since 2.0
	 * @return void
	 */
	private function get_settings() {

		$this->settings = get_post_meta( $this->popup_id, '_wpbo_settings', true );

		if ( ! is_array( $this->settings ) ) {
			$this->settings = (array) $this->settings;
		}

	}

	/**
	 * Get popup option
	 *
	 * @since 2.0
	 *
	 * @param string $option  Popup option to get the value for
	 * @param mixed  $default Default option to return if the value doesn't exist
	 *
	 * @return mixed
	 */
	public function option( $option, $default = '' ) {
		return array_key_exists( $option, $this->settings ) ? $this->settings[ $option ] : $default;
	}

	/**
	 * Get the popup template
	 *
	 * @since 2.0
	 * @return string
	 */
	public function get_template() {

		$template = get_post_meta( $this->popup_id, 'wpbo_template', true );

		if ( empty( $template ) ) {
			return '';
		}

		$file     = $template . '.php';
		$filepath = WPBO_PATH . 'templates/' . $file;
		$output   = '';

		if ( file_exists( $filepath ) ) {

			/* Turn on buffering */
			ob_start();

			require( $filepath );

			/* Get the buffered content into a var */
			$output = ob_get_contents();

			/* Clean buffer */
			ob_end_clean();

		}

		return $output;

	}

	/**
	 * Get a popup markup.
	 *
	 * Retrieve the markup for a specific popup. Check if the popup
	 * was customized first, otherwise just load the default HTML file.
	 *
	 * @since  1.0.0
	 * @return string            HTML markup of the popup to display
	 */
	public function get_markup() {

		/* Check if the template was customized */
		if ( '' != ( $customized = get_post_meta( $this->popup_id, '_wpbo_template_display', true ) ) ) {

			if ( is_admin() ) {
				$output = html_entity_decode( get_post_meta( $this->popup_id, '_wpbo_template_editor', true ), ENT_COMPAT | ENT_HTML401, 'UTF-8' );
			} else {
				$output = html_entity_decode( $customized, ENT_COMPAT | ENT_HTML401, 'UTF-8' );
			}
		} else {
			$output = $this->get_template();
		}

		if ( ! is_admin() ) {

			global $post;

			/**
			 * Get the return URL and filter it
			 *
			 * @since  1.0.0
			 */
			$return_url = apply_filters( 'wpbo_return_url', $this->get_return_url(), $this->popup_id, $post->ID );

			/* Add the form */
			$output = sprintf( "<form role='form' class='optform' id='%s' action='%s' method='post'>\r\n", 'wpbo-popup-' . $this->popup_id, get_permalink( $post->ID ) ) . $output . "\r\n";

			/* Add all hidden fields */
			$output .= "\t" . wp_nonce_field( 'subscribe', 'wpbo_nonce', false, false ) . "\r\n";
			$output .= sprintf( "\t<input type='hidden' name='wpbo_id' id='wpbo_id' value='%s'>\r\n", $this->popup_id );
			$output .= sprintf( "\t<input type='hidden' name='post_id' id='post_id' value='%s'>\r\n", $post->ID );
			$output .= sprintf( "\t<input type='hidden' name='return_url' id='return_url' value='%s'>\r\n", $return_url );

			/**
			 * Fires right before the form is closed
			 *
			 * @since  1.0.0
			 * @var    int $popup_id ID of the popup to be triggered
			 * @var    int $post_id  ID of the post being viewed
			 */
			do_action( 'wpbo_popup_markup_after', $this->popup_id, $post->ID );

			/* Close the form */
			$output .= '</form>';

		}

		return $output;

	}

	/**
	 * Get popup return URL
	 *
	 * @since 2.0
	 * @return string
	 */
	public function get_return_url() {

		$returl = $this->option( 'return_url', '' );

		if ( empty( $returl ) ) {
			$returl = wpbo_get_option( 'return_url', home_url() );
		}

		if ( is_numeric( $returl ) ) {

			$post = get_post( (int) $returl );

			if ( ! is_null( $post ) ) {
				$returl = get_permalink( $post->ID );
			}

		}

		return esc_url( $returl );

	}

	/**
	 * Get the rendered popup HTML markup
	 *
	 * @since  1.0.0
	 * @return string
	 */
	private function get_popup() {

		$output   = false;
$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}

		if ( false === $this->popup_id ) {
			return '';
		}

		/**
		 * wpbo_popup_output hook
		 *
		 * @since  1.0.0
		 */
		$output = apply_filters( 'wpbo_popup_output', $this->get_markup(), $this->popup_id );

		if ( false === $output ) {
			$output = "<!-- No template selected for popup #$this->popup_id -->";
		}

		/**
		 * wpbo_before_popup_form hook
		 *
		 * @since  1.0.0
		 */
		do_action( 'wpbo_before_popup_form', $this->popup_id );

		/* Echo the popup */
		$output = '<div class="wpbo wpbo-popup-' . $this->popup_id . '">' . $output . '</div>';

		/**
		 * wpbo_after_popup_form hook
		 *
		 * @since  1.0.0
		 */
		do_action( 'wpbo_after_popup_form', $this->popup_id );

		return $output;

	}

	public function popup() {
		echo $this->get_popup();
	}

	/**
	 * Get the number of impressions for this popup
	 *
	 * @since 2.0
	 * @return int
	 */
	public function get_impressions() {
		return (int) get_post_meta( $this->popup_id, 'wpbo_impressions', true );
	}

	/**
	 * Record popup impression.
	 *
	 * @since  1.0.0
	 * @return int|WP_Error
	 */
	public function new_impression() {

		/* Log the impression */
		$log = wpbo_db_insert_data( array(
			'popup_id'   => $this->popup_id,
			'data_type'  => 'impression',
			'ip_address' => wpbo_get_ip_address(),
			'referer'    => esc_url( $_SERVER['HTTP_REFERER'] ),
			'user_agent' => $_SERVER['HTTP_USER_AGENT']
		), true );

		return $log;

	}

	/**
	 * Log a new popup conversion
	 *
	 * @since 2.0
	 * @return int|WP_Error
	 */
	public function new_conversion() {

		$log = wpbo_db_insert_data( array(
			'popup_id'   => $this->popup_id,
			'data_type'  => 'conversion',
			'ip_address' => wpbo_get_ip_address(),
			'referer'    => esc_url( $_SERVER['HTTP_REFERER'] ),
			'user_agent' => $_SERVER['HTTP_USER_AGENT']
		), false );

		return $log;

	}

	/**
	 * Clean the post.
	 *
	 * Filter the post data and only keep
	 * values that are actually supported
	 * by the API.
	 *
	 * @since  1.0.0
	 *
	 * @param array $data Data to sanitize
	 *
	 * @return array Clean list of merge fields
	 */
	protected function get_clean_fields( $data = array() ) {

		$fields = wpbo_get_form_fields();

		if ( empty( $data ) && ! empty( $_POST ) ) {
			$data = $_POST;
		}

		$clean = array();

		foreach ( $fields as $field_id => $atts ) {

			if ( ! function_exists( $atts['sanitize_callback'] ) ) {
				$atts['sanitize_callback'] = 'sanitize_text_field';
			}

			if ( isset( $data[ $atts['form_name'] ] ) ) {
				$clean[ $field_id ] = call_user_func( $atts['sanitize_callback'], $data[ $atts['form_name'] ] );
			}

		}

		return $clean;

	}

	/**
	 * Trigger form submission.
	 *
	 * @since  1.0.0
	 * @return void
	 */
	public function submit() {

		if ( ! wpbo_is_provider_ready() ) {
			return;
		}

		$data   = $this->get_clean_fields();
		$result = call_user_func( array( wpbo_get_provider_class(), 'submit' ), $data );

		// Log the conversion
		$conversion = $this->new_conversion();

		$first_name = isset( $data['first_name'] ) ? $data['first_name'] : $data['name'];
		$last_name  = isset( $data['last_name'] ) ? $data['last_name'] : '';

		// Dismiss the popup
		wpbo_dismiss_popup( $this->popup_id );

		// Backup the subscriber in case something went wrong
		if ( true !== $result ) {

			$failsafe = array(
				'conversion_id' => $conversion,
				'first_name'    => $first_name,
				'last_name'     => $last_name,
				'email'         => $data['email'],
				'status'        => 'failed',
			);

			wpbo_failsafe_add_subscriber( $failsafe );

		}

		// Redirect
		wp_redirect( $this->get_return_url() );
		exit;

	}

	/**
	 * Shows a confirmation alert.
	 *
	 * This is only used if the used didn't set a custom
	 * thank you page.
	 *
	 * @since  1.0.0
	 */
	public function submission_confirmation_fallback() { ?>

		<script type="text/javascript">if(window.location.search.indexOf("wpbo_submit=done")>-1){alert("<?php esc_html_e( 'You have successfully registered!', 'betteroptin' ); ?>")}if(window.location.search.indexOf("wpbo_submit=fail")>-1){alert("<?php _e( 'Fail. Please try again.', 'wpbo' ); ?>")}</script>

	<?php }

}

1		<?php
2		/**
3		* BetterOptin Popup Class
4		*
5		* @package BetterOptin/Popup Class
6		* @author ThemeAvenue <[email protected]>
7		* @license GPL-2.0+
8		* @link http://themeavenue.net
9		* @copyright 2015 ThemeAvenue
10		*/
11
12		// If this file is called directly, abort.
13		if ( ! defined( 'WPINC' ) ) {
14		die;
15		}
16
17		class WPBO_Popup {
18
19		/**
20		* ID of the popup to work with
21		*
22		* @var int
23		* @since 2.0
24		*/
25		private $popup_id;
26
27		private $settings;
28
29		public function __construct( $popup_id = 0 ) {
30
31		if ( self::popup_exists( $popup_id ) ) {
32		$this->popup_id = (int) $popup_id;
33		$this->get_settings();
34		}
35
36		}
37
38		/**
39		* Check if a popup exists
40		*
41		* @since 2.0
42		*
43		* @param $popup_id
44		*
45		* @return bool
46		*/
47		public static function popup_exists( $popup_id ) {
48
49		$post_type = get_post_type( $popup_id );
50
51		return 'wpbo-popup' === $post_type ? true : false;
52
53		}
54
55		/**
56		* Check if the popup is currently active
57		*
58		* @since 2.0
59		* @return bool
60		*/
61		protected function is_popup_active() {
62
63		}
64
65		/**
66		* Get the popup settings
67		*
68		* @since 2.0
69		* @return void
70		*/
71		private function get_settings() {
72
73		$this->settings = get_post_meta( $this->popup_id, '_wpbo_settings', true );
74
75		if ( ! is_array( $this->settings ) ) {
76		$this->settings = (array) $this->settings;
77		}
78
79		}
80
81		/**
82		* Get popup option
83		*
84		* @since 2.0
85		*
86		* @param string $option Popup option to get the value for
87		* @param mixed $default Default option to return if the value doesn't exist
88		*
89		* @return mixed
90		*/
91		public function option( $option, $default = '' ) {
92		return array_key_exists( $option, $this->settings ) ? $this->settings[ $option ] : $default;
93		}
94
95		/**
96		* Get the popup template
97		*
98		* @since 2.0
99		* @return string
100		*/
101		public function get_template() {
102
103		$template = get_post_meta( $this->popup_id, 'wpbo_template', true );
104
105		if ( empty( $template ) ) {
106		return '';
107		}
108
109		$file = $template . '.php';
110		$filepath = WPBO_PATH . 'templates/' . $file;
111		$output = '';
112
113		if ( file_exists( $filepath ) ) {
114
115		/* Turn on buffering */
116		ob_start();
117
118		require( $filepath );
119
120		/* Get the buffered content into a var */
121		$output = ob_get_contents();
122
123		/* Clean buffer */
124		ob_end_clean();
125
126		}
127
128		return $output;
129
130		}
131
132		/**
133		* Get a popup markup.
134		*
135		* Retrieve the markup for a specific popup. Check if the popup
136		* was customized first, otherwise just load the default HTML file.
137		*
138		* @since 1.0.0
139		* @return string HTML markup of the popup to display
140		*/
141		public function get_markup() {
142
143		/* Check if the template was customized */
144		if ( '' != ( $customized = get_post_meta( $this->popup_id, '_wpbo_template_display', true ) ) ) {
145
146		if ( is_admin() ) {
147		$output = html_entity_decode( get_post_meta( $this->popup_id, '_wpbo_template_editor', true ), ENT_COMPAT \| ENT_HTML401, 'UTF-8' );
148		} else {
149		$output = html_entity_decode( $customized, ENT_COMPAT \| ENT_HTML401, 'UTF-8' );
150		}
151		} else {
152		$output = $this->get_template();
153		}
154
155		if ( ! is_admin() ) {
156
157		global $post;
158
159		/**
160		* Get the return URL and filter it
161		*
162		* @since 1.0.0
163		*/
164		$return_url = apply_filters( 'wpbo_return_url', $this->get_return_url(), $this->popup_id, $post->ID );
165
166		/* Add the form */
167		$output = sprintf( "<form role='form' class='optform' id='%s' action='%s' method='post'>\r\n", 'wpbo-popup-' . $this->popup_id, get_permalink( $post->ID ) ) . $output . "\r\n";
168
169		/* Add all hidden fields */
170		$output .= "\t" . wp_nonce_field( 'subscribe', 'wpbo_nonce', false, false ) . "\r\n";
171		$output .= sprintf( "\t<input type='hidden' name='wpbo_id' id='wpbo_id' value='%s'>\r\n", $this->popup_id );
172		$output .= sprintf( "\t<input type='hidden' name='post_id' id='post_id' value='%s'>\r\n", $post->ID );
173		$output .= sprintf( "\t<input type='hidden' name='return_url' id='return_url' value='%s'>\r\n", $return_url );
174
175		/**
176		* Fires right before the form is closed
177		*
178		* @since 1.0.0
179		* @var int $popup_id ID of the popup to be triggered
180		* @var int $post_id ID of the post being viewed
181		*/
182		do_action( 'wpbo_popup_markup_after', $this->popup_id, $post->ID );
183
184		/* Close the form */
185		$output .= '</form>';
186
187		}
188
189		return $output;
190
191		}
192
193		/**
194		* Get popup return URL
195		*
196		* @since 2.0
197		* @return string
198		*/
199		public function get_return_url() {
200
201		$returl = $this->option( 'return_url', '' );
202
203		if ( empty( $returl ) ) {
204		$returl = wpbo_get_option( 'return_url', home_url() );
205		}
206
207		if ( is_numeric( $returl ) ) {
208
209		$post = get_post( (int) $returl );
210
211		if ( ! is_null( $post ) ) {
212		$returl = get_permalink( $post->ID );
213		}
214
215		}
216
217		return esc_url( $returl );
218
219		}
220
221		/**
222		* Get the rendered popup HTML markup
223		*
224		* @since 1.0.0
225		* @return string
226		*/
227		private function get_popup() {
228
229		$output = false;
		0 ignored issues – show Unused Code introduced 2015-11-30 08:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$output` is not used, you could remove the assignment. This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently. $myVar = 'Value'; $higher = false; if (rand(1, 6) > 3) { $higher = true; } else { $higher = false; } Both the `$myVar` assignment in line 1 and the `$higher` assignment in line 2 are dead. The first because `$myVar` is never used and the second because `$higher` is always overwritten for every possible time line. Loading history...
230
231		if ( false === $this->popup_id ) {
232		return '';
233		}
234
235		/**
236		* wpbo_popup_output hook
237		*
238		* @since 1.0.0
239		*/
240		$output = apply_filters( 'wpbo_popup_output', $this->get_markup(), $this->popup_id );
241
242		if ( false === $output ) {
243		$output = "<!-- No template selected for popup #$this->popup_id -->";
244		}
245
246		/**
247		* wpbo_before_popup_form hook
248		*
249		* @since 1.0.0
250		*/
251		do_action( 'wpbo_before_popup_form', $this->popup_id );
252
253		/* Echo the popup */
254		$output = '<div class="wpbo wpbo-popup-' . $this->popup_id . '">' . $output . '</div>';
255
256		/**
257		* wpbo_after_popup_form hook
258		*
259		* @since 1.0.0
260		*/
261		do_action( 'wpbo_after_popup_form', $this->popup_id );
262
263		return $output;
264
265		}
266
267		public function popup() {
268		echo $this->get_popup();
269		}
270
271		/**
272		* Get the number of impressions for this popup
273		*
274		* @since 2.0
275		* @return int
276		*/
277		public function get_impressions() {
278		return (int) get_post_meta( $this->popup_id, 'wpbo_impressions', true );
279		}
280
281		/**
282		* Record popup impression.
283		*
284		* @since 1.0.0
285		* @return int\|WP_Error
286		*/
287	View Code Duplication	public function new_impression() {
288
289		/* Log the impression */
290		$log = wpbo_db_insert_data( array(
291		'popup_id' => $this->popup_id,
292		'data_type' => 'impression',
293		'ip_address' => wpbo_get_ip_address(),
294		'referer' => esc_url( $_SERVER['HTTP_REFERER'] ),
295		'user_agent' => $_SERVER['HTTP_USER_AGENT']
296		), true );
297
298		return $log;
299
300		}
301
302		/**
303		* Log a new popup conversion
304		*
305		* @since 2.0
306		* @return int\|WP_Error
307		*/
308	View Code Duplication	public function new_conversion() {
309
310		$log = wpbo_db_insert_data( array(
311		'popup_id' => $this->popup_id,
312		'data_type' => 'conversion',
313		'ip_address' => wpbo_get_ip_address(),
314		'referer' => esc_url( $_SERVER['HTTP_REFERER'] ),
315		'user_agent' => $_SERVER['HTTP_USER_AGENT']
316		), false );
317
318		return $log;
319
320		}
321
322		/**
323		* Clean the post.
324		*
325		* Filter the post data and only keep
326		* values that are actually supported
327		* by the API.
328		*
329		* @since 1.0.0
330		*
331		* @param array $data Data to sanitize
332		*
333		* @return array Clean list of merge fields
334		*/
335		protected function get_clean_fields( $data = array() ) {
336
337		$fields = wpbo_get_form_fields();
338
339		if ( empty( $data ) && ! empty( $_POST ) ) {
340		$data = $_POST;
341		}
342
343		$clean = array();
344
345		foreach ( $fields as $field_id => $atts ) {
346
347		if ( ! function_exists( $atts['sanitize_callback'] ) ) {
348		$atts['sanitize_callback'] = 'sanitize_text_field';
349		}
350
351		if ( isset( $data[ $atts['form_name'] ] ) ) {
352		$clean[ $field_id ] = call_user_func( $atts['sanitize_callback'], $data[ $atts['form_name'] ] );
353		}
354
355		}
356
357		return $clean;
358
359		}
360
361		/**
362		* Trigger form submission.
363		*
364		* @since 1.0.0
365		* @return void
366		*/
367		public function submit() {
368
369		if ( ! wpbo_is_provider_ready() ) {
370		return;
371		}
372
373		$data = $this->get_clean_fields();
374		$result = call_user_func( array( wpbo_get_provider_class(), 'submit' ), $data );
375
376		// Log the conversion
377		$conversion = $this->new_conversion();
378
379		$first_name = isset( $data['first_name'] ) ? $data['first_name'] : $data['name'];
380		$last_name = isset( $data['last_name'] ) ? $data['last_name'] : '';
381
382		// Dismiss the popup
383		wpbo_dismiss_popup( $this->popup_id );
384
385		// Backup the subscriber in case something went wrong
386		if ( true !== $result ) {
387
388		$failsafe = array(
389		'conversion_id' => $conversion,
390		'first_name' => $first_name,
391		'last_name' => $last_name,
392		'email' => $data['email'],
393		'status' => 'failed',
394		);
395
396		wpbo_failsafe_add_subscriber( $failsafe );
397
398		}
399
400		// Redirect
401		wp_redirect( $this->get_return_url() );
402		exit;
403
404		}
405
406		/**
407		* Shows a confirmation alert.
408		*
409		* This is only used if the used didn't set a custom
410		* thank you page.
411		*
412		* @since 1.0.0
413		*/
414		public function submission_confirmation_fallback() { ?>
415
416		<script type="text/javascript">if(window.location.search.indexOf("wpbo_submit=done")>-1){alert("<?php esc_html_e( 'You have successfully registered!', 'betteroptin' ); ?>")}if(window.location.search.indexOf("wpbo_submit=fail")>-1){alert("<?php _e( 'Fail. Please try again.', 'wpbo' ); ?>")}</script>
417
418		<?php }
419
420		}

ThemeAvenue / BetterOptin

Issues (103)

Security Analysis not enabled

includes/class-popup.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like