Issues (461)

Branch: master

Security Analysis    not enabled

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  Header Injection
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

partials/content.php (4 issues)

1
<?php
2
/**
3
 * Template used to display post content.
4
 *
5
 * @package lsx
6
 */
7
8
?>
9
10
<?php lsx_entry_before(); ?>
11
12
<?php
13
	$no_thumb_post_types   = array(
14
		'audio'   => 'audio',
15
		'gallery' => 'gallery',
16
		'image'   => 'image',
17
		'link'    => 'link',
18
		'quote'   => 'quote',
19
		'video'   => 'video',
20
	);
21
	$no_thumb_post_formats = apply_filters( 'lsx_no_thumb_post_formats', $no_thumb_post_types );
22
23
	$has_thumb = has_post_thumbnail() && ! has_post_format( $no_thumb_post_formats );
24
25
	if ( $has_thumb ) {
26
		$thumb_class = 'has-thumb';
27
	} else {
28
		$thumb_class = 'no-thumb';
29
	}
30
31
	$blog_layout = apply_filters( 'lsx_blog_layout', 'default' );
32
33
	$image_class = '';
34
35
	$thumbnail_id = get_post_thumbnail_id( get_the_ID() );
0 ignored issues
show
It seems like get_the_ID() can also be of type false; however, parameter $post of get_post_thumbnail_id() does only seem to accept WP_Post|integer, maybe add an additional type check? ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

35
	$thumbnail_id = get_post_thumbnail_id( /** @scrutinizer ignore-type */ get_the_ID() );
Loading history...
36
	if ( empty( $thumbnail_id ) ) {
37
		$thumbnail_id = apply_filters( 'lsx_get_thumbnail_post_placeholder_id', $thumbnail_id, get_the_ID() );
38
	}
39
	$image_arr    = wp_get_attachment_image_src( $thumbnail_id, 'lsx-thumbnail-single' );
40
	$image_src    = '';
41
42
	if ( is_array( $image_arr ) ) {
43
		$image_src = $image_arr[0];
44
	}
45
?>
46
47
<article id="post-<?php the_ID(); ?>" <?php post_class( array( 'lsx-slot', $thumb_class ) ); ?>>
48
	<?php lsx_entry_top(); ?>
49
50
	<div class="entry-layout">
51
		<div class="entry-layout-content entry-layout-content-<?php echo has_post_thumbnail() ? '67' : '100'; ?>">
52
			<header class="entry-header">
53
				<?php if ( $has_thumb ) : ?>
54
					<div class="entry-image <?php echo esc_attr( $image_class ); ?>">
55
						<a class="thumbnail" href="<?php the_permalink(); ?>">
56
							<?php lsx_thumbnail( 'lsx-thumbnail-single' ); ?>
57
						</a>
58
					</div>
59
				<?php endif; ?>
60
61
				<?php
62
				$format = get_post_format();
63
64
				if ( false === $format ) {
65
					$format        = 'standard';
66
					$show_on_front = get_option( 'show_on_front', 'posts' );
67
68
					if ( 'page' === $show_on_front ) {
69
						$archive_link = get_permalink( get_option( 'page_for_posts' ) );
70
					} else {
71
						$archive_link = home_url();
72
					}
73
				} else {
74
					$archive_link = get_post_format_link( $format );
75
				}
76
77
				$format = lsx_translate_format_to_fontawesome( $format );
78
				?>
79
80
				<h1 class="entry-title">
81
					<?php if ( has_post_thumbnail() ) : ?>
82
						<a href="<?php echo esc_url( $archive_link ); ?>" class="format-link has-thumb fa fa-<?php echo esc_attr( $format ); ?>"></a>
83
					<?php else : ?>
84
						<a href="<?php echo esc_url( $archive_link ); ?>" class="format-link fa fa-<?php echo esc_attr( $format ); ?>"></a>
85
					<?php endif; ?>
86
87
					<?php if ( has_post_format( array( 'link' ) ) ) : ?>
88
						<a href="<?php echo esc_url( lsx_get_my_url() ); ?>" rel="bookmark"><?php the_title(); ?> <span class="fa fa-external-link"></span></a>
0 ignored issues
show
It seems like lsx_get_my_url() can also be of type false; however, parameter $url of esc_url() does only seem to accept string, maybe add an additional type check? ( Ignorable by Annotation )

If this is a false-positive, you can also ignore this issue in your code via the ignore-type  annotation

88
						<a href="<?php echo esc_url( /** @scrutinizer ignore-type */ lsx_get_my_url() ); ?>" rel="bookmark"><?php the_title(); ?> <span class="fa fa-external-link"></span></a>
Loading history...
89
					<?php else : ?>
90
						<a href="<?php the_permalink(); ?>" rel="bookmark"><?php the_title(); ?></a>
91
					<?php endif; ?>
92
93
					<?php if ( is_sticky() ) : ?>
94
						<span class="label label-default label-sticky"><?php esc_html_e( 'Featured', 'lsx' ); ?></span>
95
					<?php endif; ?>
96
				</h1>
97
98
				<div class="entry-meta">
99
					<?php lsx_post_meta_list_top(); ?>
100
				</div><!-- .entry-meta -->
101
102
				<?php lsx_post_meta_category(); ?>
103
104
			</header><!-- .entry-header -->
105
106
			<?php if ( has_post_format( array( 'quote' ) ) || apply_filters( 'lsx_blog_display_text_on_list', true ) ) : ?>
107
108
				<?php if ( lsx_post_format_force_content_on_list() && ! apply_filters( 'lsx_blog_force_content_on_list', false ) ) : ?>
109
110
					<div class="entry-summary">
111
						<?php
112
						if ( false === apply_filters( 'lsx_disable_content_excerpt', false ) ) {
113
							if ( ! has_excerpt() ) {
114
								$excerpt_more = '<p><a class="moretag" href="' . esc_url( get_permalink() ) . '">' . esc_html__( 'Read More', 'lsx' ) . '</a></p>';
115
								$content      = wp_trim_words( strip_shortcodes( get_the_content() ), 30 );
116
								$content      = '<p>' . $content . '</p>' . $excerpt_more;
117
								echo wp_kses_post( $content );
118
							} else {
119
								the_excerpt();
120
							}
121
						} else {
122
							$excerpt_more = '<p><a class="moretag" href="' . esc_url( get_permalink() ) . '">' . esc_html__( 'Read More', 'lsx' ) . '</a></p>';
123
							echo wp_kses_post( $excerpt_more );
124
						}
125
						?>
126
127
					</div><!-- .entry-summary -->
128
129
				<?php elseif ( has_post_format( array( 'link' ) ) ) : ?>
130
131
				<?php elseif ( apply_filters( 'lsx_blog_force_content_on_list', false ) ) : ?>
132
133
					<div class="entry-content">
134
						<?php the_content(); ?>
135
					</div><!-- .entry-content -->
136
137
				<?php else : ?>
138
139
					<div class="entry-content">
140
						<?php
141
							the_content();
142
143
							wp_link_pages( array(
0 ignored issues
show
The opening parenthesis of a multi-line function call should be the last content on the line.
Loading history...
144
								'before'      => '<div class="lsx-postnav-wrapper"><div class="lsx-postnav">',
145
								'after'       => '</div></div>',
146
								'link_before' => '<span>',
147
								'link_after'  => '</span>',
148
							) );
0 ignored issues
show
For multi-line function calls, the closing parenthesis should be on a new line.

If a function call spawns multiple lines, the coding standard suggests to move the closing parenthesis to a new line:

someFunctionCall(
    $firstArgument,
    $secondArgument,
    $thirdArgument
); // Closing parenthesis on a new line.
Loading history...
149
						?>
150
					</div><!-- .entry-content -->
151
152
				<?php endif; ?>
153
154
			<?php endif; ?>
155
156
			<div class="clearfix"></div>
157
158
			<?php $comments_number = get_comments_number(); ?>
159
160
			<?php if ( has_tag() || ! empty( $comments_number ) ) { ?>
161
				<div class="post-tags-wrapper">
162
163
					<?php lsx_content_post_tags(); ?>
164
165
					<?php if ( comments_open() && ! empty( $comments_number ) ) : ?>
166
						<div class="post-comments">
167
							<a href="<?php the_permalink(); ?>#comments">
168
								<?php
169
								if ( '1' === $comments_number ) {
170
									echo esc_html_x( 'One Comment', 'content.php', 'lsx' );
171
								} else {
172
									printf(
173
										/* Translators: %s: number of comments */
174
										esc_html( _nx(
175
											'%s Comment',
176
											'%s Comments',
177
											$comments_number,
178
											'content.php',
179
											'lsx'
180
										) ),
181
										esc_html( number_format_i18n( $comments_number ) )
182
									);
183
								}
184
								?>
185
							</a>
186
						</div>
187
					<?php endif ?>
188
				</div>
189
			<?php } ?>
190
		</div>
191
192
		<?php if ( has_post_thumbnail() ) : ?>
193
194
			<div class="entry-image hidden-xs">
195
				<a class="thumbnail" href="<?php the_permalink(); ?>" style="background-image:url(<?php echo esc_url( $image_src ); ?>);">
196
					<?php lsx_thumbnail( 'lsx-thumbnail-single' ); ?>
197
				</a>
198
			</div>
199
200
		<?php endif; ?>
201
	</div>
202
203
	<?php lsx_entry_bottom(); ?>
204
205
	<div class="clearfix"></div>
206
207
	<div class="lsx-breaker"></div>
208
</article>
209
210
<?php
211
lsx_entry_after();
212