Issues (461)

Branch: master

Security Analysis    not enabled

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  Header Injection
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

partials/content-related.php (4 issues)

1
<?php
2
/**
3
 * Template used to display related post content.
4
 *
5
 * @package lsx
6
 */
7
8
?>
9
10
<?php lsx_entry_before(); ?>
11
12
<?php
13
	$no_thumb_post_types   = array(
14
		'audio'   => 'audio',
15
		'gallery' => 'gallery',
16
		'image'   => 'image',
17
		'link'    => 'link',
18
		'quote'   => 'quote',
19
		'video'   => 'video',
20
	);
21
	$no_thumb_post_formats = apply_filters( 'lsx_no_thumb_post_formats', $no_thumb_post_types );
22
23
	$has_thumb = has_post_thumbnail() && ! has_post_format( $no_thumb_post_formats );
24
25
	if ( $has_thumb ) {
26
		$thumb_class = 'has-thumb';
27
	} else {
28
		$thumb_class = 'no-thumb';
29
	}
30
31
	$blog_layout = apply_filters( 'lsx_blog_layout', 'default' );
32
33
	$image_class = '';
34
35
	$thumbnail_id = get_post_thumbnail_id( get_the_ID() );
0 ignored issues
show
It seems like get_the_ID() can also be of type false; however, parameter $post of get_post_thumbnail_id() does only seem to accept WP_Post|integer, maybe add an additional type check? ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

35
	$thumbnail_id = get_post_thumbnail_id( /** @scrutinizer ignore-type */ get_the_ID() );
Loading history...
36
	$image_arr    = wp_get_attachment_image_src( $thumbnail_id, 'lsx-thumbnail-single' );
37
38
	if ( is_array( $image_arr ) ) {
39
		$image_src = $image_arr[0];
40
	}
41
?>
42
43
<article id="post-<?php the_ID(); ?>" <?php post_class( array( 'lsx-slot', $thumb_class ) ); ?>>
44
	<?php lsx_entry_top(); ?>
45
46
	<div class="entry-layout">
47
		<div class="entry-layout-content entry-layout-content-<?php echo has_post_thumbnail() ? '67' : '100'; ?>">
48
			<header class="entry-header">
49
				<?php if ( $has_thumb ) : ?>
50
					<div class="entry-image <?php echo esc_attr( $image_class ); ?>">
51
						<a class="thumbnail" href="<?php the_permalink(); ?>">
52
							<?php lsx_thumbnail( 'lsx-thumbnail-single' ); ?>
53
						</a>
54
					</div>
55
				<?php endif; ?>
56
57
				<?php
58
				$format = get_post_format();
59
60
				if ( false === $format ) {
61
					$format        = 'standard';
62
					$show_on_front = get_option( 'show_on_front', 'posts' );
63
64
					if ( 'page' === $show_on_front ) {
65
						$archive_link = get_permalink( get_option( 'page_for_posts' ) );
66
					} else {
67
						$archive_link = home_url();
68
					}
69
				} else {
70
					$archive_link = get_post_format_link( $format );
71
				}
72
73
				$format = lsx_translate_format_to_fontawesome( $format );
74
				?>
75
76
				<h2 class="entry-title">
77
					<?php if ( has_post_thumbnail() ) : ?>
78
						<a href="<?php echo esc_url( $archive_link ); ?>" class="format-link has-thumb fa fa-<?php echo esc_attr( $format ); ?>"></a>
79
					<?php else : ?>
80
						<a href="<?php echo esc_url( $archive_link ); ?>" class="format-link fa fa-<?php echo esc_attr( $format ); ?>"></a>
81
					<?php endif; ?>
82
83
					<?php if ( has_post_format( array( 'link' ) ) ) : ?>
84
						<a href="<?php echo esc_url( lsx_get_my_url() ); ?>" rel="bookmark"><?php the_title(); ?> <span class="fa fa-external-link"></span></a>
0 ignored issues
show
It seems like lsx_get_my_url() can also be of type false; however, parameter $url of esc_url() does only seem to accept string, maybe add an additional type check? ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

84
						<a href="<?php echo esc_url( /** @scrutinizer ignore-type */ lsx_get_my_url() ); ?>" rel="bookmark"><?php the_title(); ?> <span class="fa fa-external-link"></span></a>
Loading history...
85
					<?php else : ?>
86
						<a href="<?php the_permalink(); ?>" rel="bookmark"><?php the_title(); ?></a>
87
					<?php endif; ?>
88
89
					<?php if ( is_sticky() ) : ?>
90
						<span class="label label-default label-sticky"><?php esc_html_e( 'Featured', 'lsx' ); ?></span>
91
					<?php endif; ?>
92
				</h2>
93
				<div class="entry-meta">
94
					<?php lsx_post_meta_list_top(); ?>
95
				</div><!-- .entry-meta -->
96
97
				<?php lsx_post_meta_category(); ?>
98
99
			</header><!-- .entry-header -->
100
101
			<?php if ( has_post_format( array( 'quote' ) ) || apply_filters( 'lsx_blog_display_text_on_list', true ) ) : ?>
102
103
				<?php if ( lsx_post_format_force_content_on_list() && ! apply_filters( 'lsx_blog_force_content_on_list', false ) ) : ?>
104
105
					<div class="entry-summary">
106
					<?php
107
					if ( ! has_excerpt() ) {
108
109
						$excerpt_more = '<p><a class="moretag" href="' . esc_url( get_permalink() ) . '">' . esc_html__( 'Read More', 'lsx' ) . '</a></p>';
110
						$content      = wp_trim_words( get_the_content(), 50 );
111
						$content      = '<p>' . $content . '</p>' . $excerpt_more;
112
						echo wp_kses_post( $content );
113
					} else {
114
						the_excerpt();
115
					}
116
					?>
117
					</div><!-- .entry-summary -->
118
119
				<?php elseif ( has_post_format( array( 'link' ) ) ) : ?>
120
121
				<?php elseif ( apply_filters( 'lsx_blog_force_content_on_list', false ) ) : ?>
122
123
					<div class="entry-content">
124
						<?php the_content(); ?>
125
					</div><!-- .entry-content -->
126
127
				<?php else : ?>
128
129
					<div class="entry-content">
130
						<?php
131
							the_content();
132
133
							wp_link_pages( array(
0 ignored issues
show
The opening parenthesis of a multi-line function call should be the last content on the line.
Loading history...
134
								'before'      => '<div class="lsx-postnav-wrapper"><div class="lsx-postnav">',
135
								'after'       => '</div></div>',
136
								'link_before' => '<span>',
137
								'link_after'  => '</span>',
138
							) );
0 ignored issues
show
For multi-line function calls, the closing parenthesis should be on a new line.

If a function call spawns multiple lines, the coding standard suggests to move the closing parenthesis to a new line:

someFunctionCall(
    $firstArgument,
    $secondArgument,
    $thirdArgument
); // Closing parenthesis on a new line.
Loading history...
139
						?>
140
					</div><!-- .entry-content -->
141
142
				<?php endif; ?>
143
144
			<?php endif; ?>
145
146
			<div class="clearfix"></div>
147
148
			<?php $comments_number = get_comments_number(); ?>
149
150
			<div class="post-tags-wrapper">
151
152
				<?php lsx_content_post_tags(); ?>
153
154
				<?php if ( comments_open() && ! empty( $comments_number ) ) : ?>
155
					<div class="post-comments">
156
						<a href="<?php the_permalink(); ?>#comments">
157
							<?php
158
							if ( '1' === $comments_number ) {
159
								echo esc_html_x( 'One Comment', 'content.php', 'lsx' );
160
							} else {
161
								printf(
162
									/* Translators: %s: number of comments */
163
									esc_html( _nx(
164
										'%s Comment',
165
										'%s Comments',
166
										$comments_number,
167
										'content.php',
168
										'lsx'
169
									) ),
170
									esc_html( number_format_i18n( $comments_number ) )
171
								);
172
							}
173
							?>
174
						</a>
175
					</div>
176
				<?php endif ?>
177
			</div>
178
		</div>
179
180
		<?php if ( has_post_thumbnail() ) : ?>
181
182
			<div class="entry-image hidden-xs">
183
				<a class="thumbnail" href="<?php the_permalink(); ?>" style="background-image:url(<?php echo esc_url( $image_src ); ?>);">
184
					<?php lsx_thumbnail( 'lsx-thumbnail-single' ); ?>
185
				</a>
186
			</div>
187
188
		<?php endif; ?>
189
	</div>
190
191
	<?php lsx_entry_bottom(); ?>
192
193
	<div class="clearfix"></div>
194
195
	<div class="lsx-breaker"></div>
196
</article>
197
198
<?php
199
lsx_entry_after();
200