Issues in field.php (master) - Issues in master - moonstonemedia/Simple-Calendar - Measure and Improve Code Quality continuously with Scrutinizer

Issues (234)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/abstracts/field.php (4 issues)

Labels

Duplication 4

Severity

Informational 4

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Input Field
 *
 * @package SimpleCalendar/Admin
 */
namespace SimpleCalendar\Abstracts;

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * The Field.
 *
 * Object for handling an input field in plugin back end.
 *
 * @since 3.0.0
 */
abstract class Field {

	/**
	 * Field type.
	 *
	 * @access public
	 * @var string
	 */
	public $type = '';

	/**
	 * Field name.
	 *
	 * @access public
	 * @var string
	 */
	public $name = '';

	/**
	 * Field Id.
	 *
	 * @access public
	 * @var string
	 */
	public $id = '';

	/**
	 * Field title (label).
	 *
	 * @access public
	 * @var string
	 */
	public $title = '';

	/**
	 * Field type class.
	 *
	 * @access protected
	 * @var string
	 */
	protected $type_class = '';

	/**
	 * CSS classes.
	 *
	 * @access public
	 * @var string
	 */
	public $class = '';

	/**
	 * CSS styles.
	 *
	 * @access public
	 * @var string
	 */
	public $style = '';

	/**
	 * Description.
	 *
	 * @access public
	 * @var string
	 */
	public $description = '';

	/**
	 * Tooltip text.
	 *
	 * @access public
	 * @var string
	 */
	public $tooltip = '';

	/**
	 * Attributes.
	 *
	 * @access public
	 * @var string
	 */
	public $attributes = '';

	/**
	 * Placeholder.
	 *
	 * @access public
	 * @var string
	 */
	public $placeholder = '';

	/**
	 * Options.
	 *
	 * @access public
	 * @var array
	 */
	public $options = array();

	/**
	 * Value.
	 *
	 * @access public
	 * @var array|string
	 */
	public $value = '';

	/**
	 * Default value.
	 *
	 * @access public
	 * @var array|string
	 */
	public $default = '';

	public $text = '';

	/**
	 * Validation result.
	 *
	 * @access public
	 * @var string|true
	 */
	public $validation = true;

	/**
	 * Construct the field.
	 *
	 * Escapes and sets every field property.
	 *
	 * @since 3.0.0
	 *
	 * @param array $field Field data.
	 */
	public function __construct( $field ) {

		// Field properties.
		if ( isset( $field['title'] ) ) {
			$this->title = esc_attr( $field['title'] );
		}
		if ( isset( $field['description'] ) ) {
			$this->description = wp_kses_post( $field['description'] );
		}
		if ( isset( $field['type'] ) ) {
			$this->type = esc_attr( $field['type'] );
		}
		if ( isset( $field['name'] ) ) {
			$this->name = esc_attr( $field['name'] );
		}
		if ( isset( $field['id'] ) ) {
			$this->id = esc_attr( $field['id'] );
		}
		if ( isset( $field['placeholder'] ) ) {
			$this->placeholder = esc_attr( $field['placeholder'] );
		}
		if ( isset( $field['options'] ) && is_array( $field['options'] ) ) {
			$this->options = array_map( 'esc_attr', $field['options'] );
		}
		if ( isset( $field['text'] ) ) {
			$this->text = $field['text'];
		}

		// Escaping.
		if ( ! empty( $field['escaping'] ) && ( is_string( $field['escaping'] ) || is_array( $field['escaping'] ) ) ) {
			if ( isset( $field['default'] ) ) {

				$this->default = $this->escape_callback( $field['escaping'], $field['default'] );
			}
			if ( isset( $field['value'] ) ) {

				$this->value = $this->escape_callback( $field['escaping'], $field['value'] );
			}
		} else {
			if ( isset( $field['default'] ) ) {
				$this->default = $this->escape( $field['default'] );
			}
			if ( isset( $field['value'] ) ) {
				$this->value = $this->escape( $field['value'] );
			}
		}

		// Validation.
		if ( ! empty( $field['validation'] ) ) {
			$this->validation = $this->validate( $field['validation'], $this->value );
		}

		// CSS classes and styles.
		$classes = isset( $field['class'] ) ? $field['class'] : '';
		$this->set_class( $classes );
		if ( isset( $field['style'] ) ) {
			$this->set_style( $field['style'] );
		}

		// Custom attributes.
		if ( isset( $field['attributes'] ) ) {
			$this->set_attributes( $field['attributes'] );
		}

		// Tooltip markup.
		if ( isset( $field['tooltip'] ) ) {
			$this->tooltip = ' <i class="simcal-icon-help simcal-help-tip" data-tip="' . esc_attr( $field['tooltip'] ) . '"></i> ' ;
		}
	}

	/**
	 * Set custom HTML attributes.
	 *
	 * @since  3.0.0
	 *
	 * @param  array $attributes
	 *
	 * @return void
	 */
	public function set_attributes( $attributes ) {


		$attr = '';

		if ( ! empty( $attributes ) && is_array( $attributes ) ) {
			foreach ( $attributes as $k => $v ) {
				$attr .= esc_attr( $k ) . '="' . esc_attr( $v ) . '" ';
			}
		}

		$this->attributes = $attr;
	}

	/**
	 * Set CSS styles.
	 *
	 * @since  3.0.0
	 *
	 * @param  array $css
	 *
	 * @return void
	 */
	public function set_style( $css ) {


		$styles = '';

		if ( ! empty( $css ) && is_array( $css ) ) {
			foreach ( $css as $k => $v ) {
				$styles .= esc_attr( $k ) . ': ' . esc_attr( $v ) . '; ';
			}
		}

		$this->style = $styles;
	}

	/**
	 * Set classes.
	 *
	 * @since  3.0.0
	 *
	 * @param  array $class
	 *
	 * @return void
	 */
	public function set_class( $class ) {

		$classes = '';
		$type_class = '';
		$error = '';

		if ( ! empty( $class ) && is_array( $class ) ) {
			$classes = implode( ' ', array_map( 'esc_attr', $class ) );
		}
		if ( ! empty( $this->type_class ) ) {
			$type_class = esc_attr( $this->type_class );
		}
		if ( true !== $this->validation && ! empty( $this->validation ) ) {
			$error = 'simcal-field-error ';
		}

		$this->class = trim( $error . 'simcal-field ' . $type_class . ' ' . $classes );
	}

	/**
	 * Escape field value.
	 *
	 * Default escape function, a wrapper for esc_attr().
	 *
	 * @since  3.0.0
	 * @access protected
	 *
	 * @param  array|string|int $value
	 *
	 * @return array|string
	 */
	protected function escape( $value )  {
		return ! empty( $value ) ? ( is_array( $value ) ? array_map( 'esc_attr', $value ) : esc_attr( $value ) ) : '';
	}

	/**
	 * Escape callback.
	 *
	 * Custom escaping function set in field args.
	 *
	 * @since  3.0.0
	 * @access protected
	 *
	 * @param  array|string $callback
	 * @param  mixed        $value
	 *
	 * @return mixed
	 */
	protected function escape_callback( $callback, $value ) {
		if ( $callback && ( is_string( $callback ) || is_array( $callback ) ) ) {
			return call_user_func( $callback, $value );
		}
		return esc_attr( $value );
	}

	/**
	 * Validation callback.
	 *
	 * Custom field validation callback set in field args.
	 *
	 * @since  3.0.0
	 * @access protected
	 *
	 * @param  array|string $callback
	 * @param  string       $value
	 *
	 * @return true|string Expected to return bool (true) if passes, message string if not.
	 */
	protected function validate( $callback, $value ) {
		if ( $callback && ( is_string( $callback ) || is_array( $callback ) ) ) {
			$screen = function_exists( 'get_current_screen' ) ? get_current_screen() : '';
			return call_user_func( $callback, $value, $screen );
		}
		return true;
	}

	/**
	 * Outputs the field markup.
	 *
	 * @since  3.0.0
	 *
	 * @return void
	 */
	abstract public function html();

}


1		<?php
2		/**
3		* Input Field
4		*
5		* @package SimpleCalendar/Admin
6		*/
7		namespace SimpleCalendar\Abstracts;
8
9		if ( ! defined( 'ABSPATH' ) ) {
10		exit;
11		}
12
13		/**
14		* The Field.
15		*
16		* Object for handling an input field in plugin back end.
17		*
18		* @since 3.0.0
19		*/
20		abstract class Field {
21
22		/**
23		* Field type.
24		*
25		* @access public
26		* @var string
27		*/
28		public $type = '';
29
30		/**
31		* Field name.
32		*
33		* @access public
34		* @var string
35		*/
36		public $name = '';
37
38		/**
39		* Field Id.
40		*
41		* @access public
42		* @var string
43		*/
44		public $id = '';
45
46		/**
47		* Field title (label).
48		*
49		* @access public
50		* @var string
51		*/
52		public $title = '';
53
54		/**
55		* Field type class.
56		*
57		* @access protected
58		* @var string
59		*/
60		protected $type_class = '';
61
62		/**
63		* CSS classes.
64		*
65		* @access public
66		* @var string
67		*/
68		public $class = '';
69
70		/**
71		* CSS styles.
72		*
73		* @access public
74		* @var string
75		*/
76		public $style = '';
77
78		/**
79		* Description.
80		*
81		* @access public
82		* @var string
83		*/
84		public $description = '';
85
86		/**
87		* Tooltip text.
88		*
89		* @access public
90		* @var string
91		*/
92		public $tooltip = '';
93
94		/**
95		* Attributes.
96		*
97		* @access public
98		* @var string
99		*/
100		public $attributes = '';
101
102		/**
103		* Placeholder.
104		*
105		* @access public
106		* @var string
107		*/
108		public $placeholder = '';
109
110		/**
111		* Options.
112		*
113		* @access public
114		* @var array
115		*/
116		public $options = array();
117
118		/**
119		* Value.
120		*
121		* @access public
122		* @var array\|string
123		*/
124		public $value = '';
125
126		/**
127		* Default value.
128		*
129		* @access public
130		* @var array\|string
131		*/
132		public $default = '';
133
134		public $text = '';
135
136		/**
137		* Validation result.
138		*
139		* @access public
140		* @var string\|true
141		*/
142		public $validation = true;
143
144		/**
145		* Construct the field.
146		*
147		* Escapes and sets every field property.
148		*
149		* @since 3.0.0
150		*
151		* @param array $field Field data.
152		*/
153		public function __construct( $field ) {
154
155		// Field properties.
156		if ( isset( $field['title'] ) ) {
157		$this->title = esc_attr( $field['title'] );
158		}
159		if ( isset( $field['description'] ) ) {
160		$this->description = wp_kses_post( $field['description'] );
161		}
162		if ( isset( $field['type'] ) ) {
163		$this->type = esc_attr( $field['type'] );
164		}
165		if ( isset( $field['name'] ) ) {
166		$this->name = esc_attr( $field['name'] );
167		}
168		if ( isset( $field['id'] ) ) {
169		$this->id = esc_attr( $field['id'] );
170		}
171		if ( isset( $field['placeholder'] ) ) {
172		$this->placeholder = esc_attr( $field['placeholder'] );
173		}
174		if ( isset( $field['options'] ) && is_array( $field['options'] ) ) {
175		$this->options = array_map( 'esc_attr', $field['options'] );
176		}
177		if ( isset( $field['text'] ) ) {
178		$this->text = $field['text'];
179		}
180
181		// Escaping.
182		if ( ! empty( $field['escaping'] ) && ( is_string( $field['escaping'] ) \|\| is_array( $field['escaping'] ) ) ) {
183	View Code Duplication	if ( isset( $field['default'] ) ) {
		0 ignored issues – show Duplication introduced 2016-07-13 22:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
184		$this->default = $this->escape_callback( $field['escaping'], $field['default'] );
185		}
186	View Code Duplication	if ( isset( $field['value'] ) ) {
		0 ignored issues – show Duplication introduced 2016-07-13 22:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
187		$this->value = $this->escape_callback( $field['escaping'], $field['value'] );
188		}
189		} else {
190		if ( isset( $field['default'] ) ) {
191		$this->default = $this->escape( $field['default'] );
192		}
193		if ( isset( $field['value'] ) ) {
194		$this->value = $this->escape( $field['value'] );
195		}
196		}
197
198		// Validation.
199		if ( ! empty( $field['validation'] ) ) {
200		$this->validation = $this->validate( $field['validation'], $this->value );
201		}
202
203		// CSS classes and styles.
204		$classes = isset( $field['class'] ) ? $field['class'] : '';
205		$this->set_class( $classes );
206		if ( isset( $field['style'] ) ) {
207		$this->set_style( $field['style'] );
208		}
209
210		// Custom attributes.
211		if ( isset( $field['attributes'] ) ) {
212		$this->set_attributes( $field['attributes'] );
213		}
214
215		// Tooltip markup.
216		if ( isset( $field['tooltip'] ) ) {
217		$this->tooltip = ' <i class="simcal-icon-help simcal-help-tip" data-tip="' . esc_attr( $field['tooltip'] ) . '"></i> ' ;
218		}
219		}
220
221		/**
222		* Set custom HTML attributes.
223		*
224		* @since 3.0.0
225		*
226		* @param array $attributes
227		*
228		* @return void
229		*/
230	View Code Duplication	public function set_attributes( $attributes ) {
		0 ignored issues – show Duplication introduced 2016-07-13 22:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
231
232		$attr = '';
233
234		if ( ! empty( $attributes ) && is_array( $attributes ) ) {
235		foreach ( $attributes as $k => $v ) {
236		$attr .= esc_attr( $k ) . '="' . esc_attr( $v ) . '" ';
237		}
238		}
239
240		$this->attributes = $attr;
241		}
242
243		/**
244		* Set CSS styles.
245		*
246		* @since 3.0.0
247		*
248		* @param array $css
249		*
250		* @return void
251		*/
252	View Code Duplication	public function set_style( $css ) {
		0 ignored issues – show Duplication introduced 2016-07-13 22:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
253
254		$styles = '';
255
256		if ( ! empty( $css ) && is_array( $css ) ) {
257		foreach ( $css as $k => $v ) {
258		$styles .= esc_attr( $k ) . ': ' . esc_attr( $v ) . '; ';
259		}
260		}
261
262		$this->style = $styles;
263		}
264
265		/**
266		* Set classes.
267		*
268		* @since 3.0.0
269		*
270		* @param array $class
271		*
272		* @return void
273		*/
274		public function set_class( $class ) {
275
276		$classes = '';
277		$type_class = '';
278		$error = '';
279
280		if ( ! empty( $class ) && is_array( $class ) ) {
281		$classes = implode( ' ', array_map( 'esc_attr', $class ) );
282		}
283		if ( ! empty( $this->type_class ) ) {
284		$type_class = esc_attr( $this->type_class );
285		}
286		if ( true !== $this->validation && ! empty( $this->validation ) ) {
287		$error = 'simcal-field-error ';
288		}
289
290		$this->class = trim( $error . 'simcal-field ' . $type_class . ' ' . $classes );
291		}
292
293		/**
294		* Escape field value.
295		*
296		* Default escape function, a wrapper for esc_attr().
297		*
298		* @since 3.0.0
299		* @access protected
300		*
301		* @param array\|string\|int $value
302		*
303		* @return array\|string
304		*/
305		protected function escape( $value ) {
306		return ! empty( $value ) ? ( is_array( $value ) ? array_map( 'esc_attr', $value ) : esc_attr( $value ) ) : '';
307		}
308
309		/**
310		* Escape callback.
311		*
312		* Custom escaping function set in field args.
313		*
314		* @since 3.0.0
315		* @access protected
316		*
317		* @param array\|string $callback
318		* @param mixed $value
319		*
320		* @return mixed
321		*/
322		protected function escape_callback( $callback, $value ) {
323		if ( $callback && ( is_string( $callback ) \|\| is_array( $callback ) ) ) {
324		return call_user_func( $callback, $value );
325		}
326		return esc_attr( $value );
327		}
328
329		/**
330		* Validation callback.
331		*
332		* Custom field validation callback set in field args.
333		*
334		* @since 3.0.0
335		* @access protected
336		*
337		* @param array\|string $callback
338		* @param string $value
339		*
340		* @return true\|string Expected to return bool (true) if passes, message string if not.
341		*/
342		protected function validate( $callback, $value ) {
343		if ( $callback && ( is_string( $callback ) \|\| is_array( $callback ) ) ) {
344		$screen = function_exists( 'get_current_screen' ) ? get_current_screen() : '';
345		return call_user_func( $callback, $value, $screen );
346		}
347		return true;
348		}
349
350		/**
351		* Outputs the field markup.
352		*
353		* @since 3.0.0
354		*
355		* @return void
356		*/
357		abstract public function html();
358
359		}
360

moonstonemedia / Simple-Calendar

Issues (234)

Security Analysis not enabled

includes/abstracts/field.php (4 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like