Issues in edit-comments.php (ticket-41057) - Issues in ticket-41057 - ntwb/wordpress - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4967)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/wp-admin/edit-comments.php (1 issue)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Edit Comments Administration Screen.
 *
 * @package WordPress
 * @subpackage Administration
 */

/** WordPress Administration Bootstrap */
require_once( dirname( __FILE__ ) . '/admin.php' );
if ( ! current_user_can( 'edit_posts' ) ) {
	wp_die(
		'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
		'<p>' . __( 'Sorry, you are not allowed to edit comments.' ) . '</p>',
		403
	);
}

$wp_list_table = _get_list_table('WP_Comments_List_Table');
$pagenum = $wp_list_table->get_pagenum();

$doaction = $wp_list_table->current_action();

if ( $doaction ) {
	check_admin_referer( 'bulk-comments' );

	if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
		$comment_status = wp_unslash( $_REQUEST['comment_status'] );
		$delete_time = wp_unslash( $_REQUEST['pagegen_timestamp'] );
		$comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
		$doaction = 'delete';
	} elseif ( isset( $_REQUEST['delete_comments'] ) ) {
		$comment_ids = $_REQUEST['delete_comments'];
		$doaction = ( $_REQUEST['action'] != -1 ) ? $_REQUEST['action'] : $_REQUEST['action2'];
	} elseif ( isset( $_REQUEST['ids'] ) ) {
		$comment_ids = array_map( 'absint', explode( ',', $_REQUEST['ids'] ) );
	} elseif ( wp_get_referer() ) {
		wp_safe_redirect( wp_get_referer() );

		exit;
	}

	$approved = $unapproved = $spammed = $unspammed = $trashed = $untrashed = $deleted = 0;

	$redirect_to = remove_query_arg( array( 'trashed', 'untrashed', 'deleted', 'spammed', 'unspammed', 'approved', 'unapproved', 'ids' ), wp_get_referer() );
	$redirect_to = add_query_arg( 'paged', $pagenum, $redirect_to );

	wp_defer_comment_counting( true );

	foreach ( $comment_ids as $comment_id ) { // Check the permissions on each
		if ( !current_user_can( 'edit_comment', $comment_id ) )
			continue;

		switch ( $doaction ) {
			case 'approve' :
				wp_set_comment_status( $comment_id, 'approve' );
				$approved++;
				break;
			case 'unapprove' :
				wp_set_comment_status( $comment_id, 'hold' );
				$unapproved++;
				break;
			case 'spam' :
				wp_spam_comment( $comment_id );
				$spammed++;
				break;
			case 'unspam' :
				wp_unspam_comment( $comment_id );
				$unspammed++;
				break;
			case 'trash' :
				wp_trash_comment( $comment_id );
				$trashed++;
				break;
			case 'untrash' :
				wp_untrash_comment( $comment_id );
				$untrashed++;
				break;
			case 'delete' :
				wp_delete_comment( $comment_id );
				$deleted++;
				break;
		}
	}

	if ( ! in_array( $doaction, array( 'approve', 'unapprove', 'spam', 'unspam', 'trash', 'delete' ), true ) ) {
		$screen = get_current_screen()->id;

		/**
		 * Fires when a custom bulk action should be handled.
		 *
		 * The redirect link should be modified with success or failure feedback
		 * from the action to be used to display feedback to the user.
		 *
		 * The dynamic portion of the hook name, `$screen`, refers to the current screen ID.
		 *
		 * @since 4.7.0
		 *
		 * @param string $redirect_url The redirect URL.
		 * @param string $doaction     The action being taken.
		 * @param array  $items        The items to take the action on.
		 */
		$redirect_to = apply_filters( "handle_bulk_actions-{$screen}", $redirect_to, $doaction, $comment_ids );
	}

	wp_defer_comment_counting( false );

	if ( $approved )
		$redirect_to = add_query_arg( 'approved', $approved, $redirect_to );
	if ( $unapproved )
		$redirect_to = add_query_arg( 'unapproved', $unapproved, $redirect_to );
	if ( $spammed )
		$redirect_to = add_query_arg( 'spammed', $spammed, $redirect_to );
	if ( $unspammed )
		$redirect_to = add_query_arg( 'unspammed', $unspammed, $redirect_to );
	if ( $trashed )
		$redirect_to = add_query_arg( 'trashed', $trashed, $redirect_to );
	if ( $untrashed )
		$redirect_to = add_query_arg( 'untrashed', $untrashed, $redirect_to );
	if ( $deleted )
		$redirect_to = add_query_arg( 'deleted', $deleted, $redirect_to );
	if ( $trashed || $spammed )
		$redirect_to = add_query_arg( 'ids', join( ',', $comment_ids ), $redirect_to );

	wp_safe_redirect( $redirect_to );
	exit;
} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
	 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
	 exit;
}

$wp_list_table->prepare_items();

wp_enqueue_script('admin-comments');
enqueue_comment_hotkeys_js();

if ( $post_id ) {
	$comments_count = wp_count_comments( $post_id );
	$draft_or_post_title = wp_html_excerpt( _draft_or_post_title( $post_id ), 50, '&hellip;' );
	if ( $comments_count->moderated > 0 ) {
		/* translators: 1: comments count 2: post title */
		$title = sprintf( __( 'Comments (%1$s) on &#8220;%2$s&#8221;' ),
			number_format_i18n( $comments_count->moderated ),
			$draft_or_post_title
		);
	} else {
		/* translators: %s: post title */
		$title = sprintf( __( 'Comments on &#8220;%s&#8221;' ),
			$draft_or_post_title
		);
	}
} else {
	$comments_count = wp_count_comments();
	if ( $comments_count->moderated > 0 ) {
		/* translators: %s: comments count */
		$title = sprintf( __( 'Comments (%s)' ),
			number_format_i18n( $comments_count->moderated )
		);
	} else {
		$title = __( 'Comments' );
	}
}

add_screen_option( 'per_page' );

get_current_screen()->add_help_tab( array(
'id'		=> 'overview',
'title'		=> __('Overview'),
'content'	=>
	'<p>' . __( 'You can manage comments made on your site similar to the way you manage posts and other content. This screen is customizable in the same ways as other management screens, and you can act on comments using the on-hover action links or the Bulk Actions.' ) . '</p>'
) );
get_current_screen()->add_help_tab( array(
'id'		=> 'moderating-comments',
'title'		=> __('Moderating Comments'),
'content'	=>
		'<p>' . __( 'A red bar on the left means the comment is waiting for you to moderate it.' ) . '</p>' .
		'<p>' . __( 'In the <strong>Author</strong> column, in addition to the author&#8217;s name, email address, and blog URL, the commenter&#8217;s IP address is shown. Clicking on this link will show you all the comments made from this IP address.' ) . '</p>' .
		'<p>' . __( 'In the <strong>Comment</strong> column, hovering over any comment gives you options to approve, reply (and approve), quick edit, edit, spam mark, or trash that comment.' ) . '</p>' .
		'<p>' . __( 'In the <strong>In Response To</strong> column, there are three elements. The text is the name of the post that inspired the comment, and links to the post editor for that entry. The View Post link leads to that post on your live site. The small bubble with the number in it shows the number of approved comments that post has received. If there are pending comments, a red notification circle with the number of pending comments is displayed. Clicking the notification circle will filter the comments screen to show only pending comments on that post.' ) . '</p>' .
		'<p>' . __( 'In the <strong>Submitted On</strong> column, the date and time the comment was left on your site appears. Clicking on the date/time link will take you to that comment on your live site.' ) . '</p>' .
		'<p>' . __( 'Many people take advantage of keyboard shortcuts to moderate their comments more quickly. Use the link to the side to learn more.' ) . '</p>'
) );

get_current_screen()->set_help_sidebar(
	'<p><strong>' . __( 'For more information:' ) . '</strong></p>' .
	'<p>' . __( '<a href="https://codex.wordpress.org/Administration_Screens#Comments">Documentation on Comments</a>' ) . '</p>' .
	'<p>' . __( '<a href="https://codex.wordpress.org/Comment_Spam">Documentation on Comment Spam</a>' ) . '</p>' .
	'<p>' . __( '<a href="https://codex.wordpress.org/Keyboard_Shortcuts">Documentation on Keyboard Shortcuts</a>' ) . '</p>' .
	'<p>' . __( '<a href="https://wordpress.org/support/">Support Forums</a>' ) . '</p>'
);

get_current_screen()->set_screen_reader_content( array(
	'heading_views'      => __( 'Filter comments list' ),
	'heading_pagination' => __( 'Comments list navigation' ),
	'heading_list'       => __( 'Comments list' ),
) );

require_once( ABSPATH . 'wp-admin/admin-header.php' );
?>

<div class="wrap">
<h1 class="wp-heading-inline"><?php
if ( $post_id ) {
	/* translators: %s: link to post */
	printf( __( 'Comments on &#8220;%s&#8221;' ),
		sprintf( '<a href="%1$s">%2$s</a>',
			get_edit_post_link( $post_id ),
			wp_html_excerpt( _draft_or_post_title( $post_id ), 50, '&hellip;' )
		)
	);
} else {
	_e( 'Comments' );
}
?></h1>

<?php
if ( isset($_REQUEST['s']) && strlen( $_REQUEST['s'] ) ) {
	echo '<span class="subtitle">';
	/* translators: %s: search keywords */
	printf( __( 'Search results for &#8220;%s&#8221;' ),
		wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50, '&hellip;' )
	);
	echo '</span>';
}
?>

<hr class="wp-header-end">

<?php
if ( isset( $_REQUEST['error'] ) ) {
	$error = (int) $_REQUEST['error'];
	$error_msg = '';
	switch ( $error ) {
		case 1 :
			$error_msg = __( 'Invalid comment ID.' );
			break;
		case 2 :
			$error_msg = __( 'Sorry, you are not allowed to edit comments on this post.' );
			break;
	}
	if ( $error_msg )
		echo '<div id="moderated" class="error"><p>' . $error_msg . '</p></div>';
}

if ( isset($_REQUEST['approved']) || isset($_REQUEST['deleted']) || isset($_REQUEST['trashed']) || isset($_REQUEST['untrashed']) || isset($_REQUEST['spammed']) || isset($_REQUEST['unspammed']) || isset($_REQUEST['same']) ) {
	$approved  = isset( $_REQUEST['approved']  ) ? (int) $_REQUEST['approved']  : 0;
	$deleted   = isset( $_REQUEST['deleted']   ) ? (int) $_REQUEST['deleted']   : 0;
	$trashed   = isset( $_REQUEST['trashed']   ) ? (int) $_REQUEST['trashed']   : 0;
	$untrashed = isset( $_REQUEST['untrashed'] ) ? (int) $_REQUEST['untrashed'] : 0;
	$spammed   = isset( $_REQUEST['spammed']   ) ? (int) $_REQUEST['spammed']   : 0;
	$unspammed = isset( $_REQUEST['unspammed'] ) ? (int) $_REQUEST['unspammed'] : 0;
	$same      = isset( $_REQUEST['same'] )      ? (int) $_REQUEST['same']      : 0;

	if ( $approved > 0 || $deleted > 0 || $trashed > 0 || $untrashed > 0 || $spammed > 0 || $unspammed > 0 || $same > 0 ) {
		if ( $approved > 0 ) {
			/* translators: %s: number of comments approved */
			$messages[] = sprintf( _n( '%s comment approved', '%s comments approved', $approved ), $approved );
		}

		if ( $spammed > 0 ) {
			$ids = isset($_REQUEST['ids']) ? $_REQUEST['ids'] : 0;
			/* translators: %s: number of comments marked as spam */
			$messages[] = sprintf( _n( '%s comment marked as spam.', '%s comments marked as spam.', $spammed ), $spammed ) . ' <a href="' . esc_url( wp_nonce_url( "edit-comments.php?doaction=undo&action=unspam&ids=$ids", "bulk-comments" ) ) . '">' . __('Undo') . '</a><br />';
		}

		if ( $unspammed > 0 ) {
			/* translators: %s: number of comments restored from the spam */
			$messages[] = sprintf( _n( '%s comment restored from the spam', '%s comments restored from the spam', $unspammed ), $unspammed );
		}

		if ( $trashed > 0 ) {
			$ids = isset($_REQUEST['ids']) ? $_REQUEST['ids'] : 0;
			/* translators: %s: number of comments moved to the Trash */
			$messages[] = sprintf( _n( '%s comment moved to the Trash.', '%s comments moved to the Trash.', $trashed ), $trashed ) . ' <a href="' . esc_url( wp_nonce_url( "edit-comments.php?doaction=undo&action=untrash&ids=$ids", "bulk-comments" ) ) . '">' . __('Undo') . '</a><br />';
		}

		if ( $untrashed > 0 ) {
			/* translators: %s: number of comments restored from the Trash */
			$messages[] = sprintf( _n( '%s comment restored from the Trash', '%s comments restored from the Trash', $untrashed ), $untrashed );
		}

		if ( $deleted > 0 ) {
			/* translators: %s: number of comments permanently deleted */
			$messages[] = sprintf( _n( '%s comment permanently deleted', '%s comments permanently deleted', $deleted ), $deleted );
		}

		if ( $same > 0 && $comment = get_comment( $same ) ) {
			switch ( $comment->comment_approved ) {
				case '1' :
					$messages[] = __('This comment is already approved.') . ' <a href="' . esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) ) . '">' . __( 'Edit comment' ) . '</a>';
					break;
				case 'trash' :
					$messages[] = __( 'This comment is already in the Trash.' ) . ' <a href="' . esc_url( admin_url( 'edit-comments.php?comment_status=trash' ) ) . '"> ' . __( 'View Trash' ) . '</a>';
					break;
				case 'spam' :
					$messages[] = __( 'This comment is already marked as spam.' ) . ' <a href="' . esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) ) . '">' . __( 'Edit comment' ) . '</a>';
					break;
			}
		}

		echo '<div id="moderated" class="updated notice is-dismissible"><p>' . implode( "<br/>\n", $messages ) . '</p></div>';
	}
}
?>

<?php $wp_list_table->views(); ?>

<form id="comments-form" method="get">

<?php $wp_list_table->search_box( __( 'Search Comments' ), 'comment' ); ?>

<?php if ( $post_id ) : ?>
<input type="hidden" name="p" value="<?php echo esc_attr( intval( $post_id ) ); ?>" />
<?php endif; ?>
<input type="hidden" name="comment_status" value="<?php echo esc_attr($comment_status); ?>" />
<input type="hidden" name="pagegen_timestamp" value="<?php echo esc_attr(current_time('mysql', 1)); ?>" />

<input type="hidden" name="_total" value="<?php echo esc_attr( $wp_list_table->get_pagination_arg('total_items') ); ?>" />
<input type="hidden" name="_per_page" value="<?php echo esc_attr( $wp_list_table->get_pagination_arg('per_page') ); ?>" />
<input type="hidden" name="_page" value="<?php echo esc_attr( $wp_list_table->get_pagination_arg('page') ); ?>" />

<?php if ( isset($_REQUEST['paged']) ) { ?>
	<input type="hidden" name="paged" value="<?php echo esc_attr( absint( $_REQUEST['paged'] ) ); ?>" />
<?php } ?>

<?php $wp_list_table->display(); ?>
</form>
</div>

<div id="ajax-response"></div>

<?php
wp_comment_reply('-1', true, 'detail');
wp_comment_trashnotice();
include( ABSPATH . 'wp-admin/admin-footer.php' ); ?>


1		<?php
2		/**
3		* Edit Comments Administration Screen.
4		*
5		* @package WordPress
6		* @subpackage Administration
7		*/
8
9		/** WordPress Administration Bootstrap */
10		require_once( dirname( __FILE__ ) . '/admin.php' );
11		if ( ! current_user_can( 'edit_posts' ) ) {
12		wp_die(
13		'<h1>' . __( 'Cheatin’ uh?' ) . '</h1>' .
14		'<p>' . __( 'Sorry, you are not allowed to edit comments.' ) . '</p>',
15		403
16		);
17		}
18
19		$wp_list_table = _get_list_table('WP_Comments_List_Table');
20		$pagenum = $wp_list_table->get_pagenum();
21
22		$doaction = $wp_list_table->current_action();
23
24		if ( $doaction ) {
25		check_admin_referer( 'bulk-comments' );
26
27		if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
28		$comment_status = wp_unslash( $_REQUEST['comment_status'] );
29		$delete_time = wp_unslash( $_REQUEST['pagegen_timestamp'] );
30		$comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
31		$doaction = 'delete';
32		} elseif ( isset( $_REQUEST['delete_comments'] ) ) {
33		$comment_ids = $_REQUEST['delete_comments'];
34		$doaction = ( $_REQUEST['action'] != -1 ) ? $_REQUEST['action'] : $_REQUEST['action2'];
35		} elseif ( isset( $_REQUEST['ids'] ) ) {
36		$comment_ids = array_map( 'absint', explode( ',', $_REQUEST['ids'] ) );
37		} elseif ( wp_get_referer() ) {
38		wp_safe_redirect( wp_get_referer() );
		0 ignored issues – show Security Bug introduced 2016-03-16 22:18 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `wp_get_referer()` can also be of type `false`; however, `wp_safe_redirect()` does only seem to accept `string`, did you maybe forget to handle an error condition? Loading history...
39		exit;
40		}
41
42		$approved = $unapproved = $spammed = $unspammed = $trashed = $untrashed = $deleted = 0;
43
44		$redirect_to = remove_query_arg( array( 'trashed', 'untrashed', 'deleted', 'spammed', 'unspammed', 'approved', 'unapproved', 'ids' ), wp_get_referer() );
45		$redirect_to = add_query_arg( 'paged', $pagenum, $redirect_to );
46
47		wp_defer_comment_counting( true );
48
49		foreach ( $comment_ids as $comment_id ) { // Check the permissions on each
50		if ( !current_user_can( 'edit_comment', $comment_id ) )
51		continue;
52
53		switch ( $doaction ) {
54		case 'approve' :
55		wp_set_comment_status( $comment_id, 'approve' );
56		$approved++;
57		break;
58		case 'unapprove' :
59		wp_set_comment_status( $comment_id, 'hold' );
60		$unapproved++;
61		break;
62		case 'spam' :
63		wp_spam_comment( $comment_id );
64		$spammed++;
65		break;
66		case 'unspam' :
67		wp_unspam_comment( $comment_id );
68		$unspammed++;
69		break;
70		case 'trash' :
71		wp_trash_comment( $comment_id );
72		$trashed++;
73		break;
74		case 'untrash' :
75		wp_untrash_comment( $comment_id );
76		$untrashed++;
77		break;
78		case 'delete' :
79		wp_delete_comment( $comment_id );
80		$deleted++;
81		break;
82		}
83		}
84
85		if ( ! in_array( $doaction, array( 'approve', 'unapprove', 'spam', 'unspam', 'trash', 'delete' ), true ) ) {
86		$screen = get_current_screen()->id;
87
88		/**
89		* Fires when a custom bulk action should be handled.
90		*
91		* The redirect link should be modified with success or failure feedback
92		* from the action to be used to display feedback to the user.
93		*
94		* The dynamic portion of the hook name, `$screen`, refers to the current screen ID.
95		*
96		* @since 4.7.0
97		*
98		* @param string $redirect_url The redirect URL.
99		* @param string $doaction The action being taken.
100		* @param array $items The items to take the action on.
101		*/
102		$redirect_to = apply_filters( "handle_bulk_actions-{$screen}", $redirect_to, $doaction, $comment_ids );
103		}
104
105		wp_defer_comment_counting( false );
106
107		if ( $approved )
108		$redirect_to = add_query_arg( 'approved', $approved, $redirect_to );
109		if ( $unapproved )
110		$redirect_to = add_query_arg( 'unapproved', $unapproved, $redirect_to );
111		if ( $spammed )
112		$redirect_to = add_query_arg( 'spammed', $spammed, $redirect_to );
113		if ( $unspammed )
114		$redirect_to = add_query_arg( 'unspammed', $unspammed, $redirect_to );
115		if ( $trashed )
116		$redirect_to = add_query_arg( 'trashed', $trashed, $redirect_to );
117		if ( $untrashed )
118		$redirect_to = add_query_arg( 'untrashed', $untrashed, $redirect_to );
119		if ( $deleted )
120		$redirect_to = add_query_arg( 'deleted', $deleted, $redirect_to );
121		if ( $trashed \|\| $spammed )
122		$redirect_to = add_query_arg( 'ids', join( ',', $comment_ids ), $redirect_to );
123
124		wp_safe_redirect( $redirect_to );
125		exit;
126	View Code Duplication	} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
127		wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
128		exit;
129		}
130
131		$wp_list_table->prepare_items();
132
133		wp_enqueue_script('admin-comments');
134		enqueue_comment_hotkeys_js();
135
136		if ( $post_id ) {
137		$comments_count = wp_count_comments( $post_id );
138		$draft_or_post_title = wp_html_excerpt( _draft_or_post_title( $post_id ), 50, '…' );
139	View Code Duplication	if ( $comments_count->moderated > 0 ) {
140		/* translators: 1: comments count 2: post title */
141		$title = sprintf( __( 'Comments (%1$s) on “%2$s”' ),
142		number_format_i18n( $comments_count->moderated ),
143		$draft_or_post_title
144		);
145		} else {
146		/* translators: %s: post title */
147		$title = sprintf( __( 'Comments on “%s”' ),
148		$draft_or_post_title
149		);
150		}
151		} else {
152		$comments_count = wp_count_comments();
153	View Code Duplication	if ( $comments_count->moderated > 0 ) {
154		/* translators: %s: comments count */
155		$title = sprintf( __( 'Comments (%s)' ),
156		number_format_i18n( $comments_count->moderated )
157		);
158		} else {
159		$title = __( 'Comments' );
160		}
161		}
162
163		add_screen_option( 'per_page' );
164
165		get_current_screen()->add_help_tab( array(
166		'id' => 'overview',
167		'title' => __('Overview'),
168		'content' =>
169		'<p>' . __( 'You can manage comments made on your site similar to the way you manage posts and other content. This screen is customizable in the same ways as other management screens, and you can act on comments using the on-hover action links or the Bulk Actions.' ) . '</p>'
170		) );
171		get_current_screen()->add_help_tab( array(
172		'id' => 'moderating-comments',
173		'title' => __('Moderating Comments'),
174		'content' =>
175		'<p>' . __( 'A red bar on the left means the comment is waiting for you to moderate it.' ) . '</p>' .
176		'<p>' . __( 'In the <strong>Author</strong> column, in addition to the author’s name, email address, and blog URL, the commenter’s IP address is shown. Clicking on this link will show you all the comments made from this IP address.' ) . '</p>' .
177		'<p>' . __( 'In the <strong>Comment</strong> column, hovering over any comment gives you options to approve, reply (and approve), quick edit, edit, spam mark, or trash that comment.' ) . '</p>' .
178		'<p>' . __( 'In the <strong>In Response To</strong> column, there are three elements. The text is the name of the post that inspired the comment, and links to the post editor for that entry. The View Post link leads to that post on your live site. The small bubble with the number in it shows the number of approved comments that post has received. If there are pending comments, a red notification circle with the number of pending comments is displayed. Clicking the notification circle will filter the comments screen to show only pending comments on that post.' ) . '</p>' .
179		'<p>' . __( 'In the <strong>Submitted On</strong> column, the date and time the comment was left on your site appears. Clicking on the date/time link will take you to that comment on your live site.' ) . '</p>' .
180		'<p>' . __( 'Many people take advantage of keyboard shortcuts to moderate their comments more quickly. Use the link to the side to learn more.' ) . '</p>'
181		) );
182
183		get_current_screen()->set_help_sidebar(
184		'<p><strong>' . __( 'For more information:' ) . '</strong></p>' .
185		'<p>' . __( '<a href="https://codex.wordpress.org/Administration_Screens#Comments">Documentation on Comments</a>' ) . '</p>' .
186		'<p>' . __( '<a href="https://codex.wordpress.org/Comment_Spam">Documentation on Comment Spam</a>' ) . '</p>' .
187		'<p>' . __( '<a href="https://codex.wordpress.org/Keyboard_Shortcuts">Documentation on Keyboard Shortcuts</a>' ) . '</p>' .
188		'<p>' . __( '<a href="https://wordpress.org/support/">Support Forums</a>' ) . '</p>'
189		);
190
191		get_current_screen()->set_screen_reader_content( array(
192		'heading_views' => __( 'Filter comments list' ),
193		'heading_pagination' => __( 'Comments list navigation' ),
194		'heading_list' => __( 'Comments list' ),
195		) );
196
197		require_once( ABSPATH . 'wp-admin/admin-header.php' );
198		?>
199
200		<div class="wrap">
201		<h1 class="wp-heading-inline"><?php
202		if ( $post_id ) {
203		/* translators: %s: link to post */
204		printf( __( 'Comments on “%s”' ),
205		sprintf( '<a href="%1$s">%2$s</a>',
206		get_edit_post_link( $post_id ),
207		wp_html_excerpt( _draft_or_post_title( $post_id ), 50, '…' )
208		)
209		);
210		} else {
211		_e( 'Comments' );
212		}
213		?></h1>
214
215		<?php
216		if ( isset($_REQUEST['s']) && strlen( $_REQUEST['s'] ) ) {
217		echo '<span class="subtitle">';
218		/* translators: %s: search keywords */
219		printf( __( 'Search results for “%s”' ),
220		wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50, '…' )
221		);
222		echo '</span>';
223		}
224		?>
225
226		<hr class="wp-header-end">
227
228		<?php
229		if ( isset( $_REQUEST['error'] ) ) {
230		$error = (int) $_REQUEST['error'];
231		$error_msg = '';
232		switch ( $error ) {
233		case 1 :
234		$error_msg = __( 'Invalid comment ID.' );
235		break;
236		case 2 :
237		$error_msg = __( 'Sorry, you are not allowed to edit comments on this post.' );
238		break;
239		}
240		if ( $error_msg )
241		echo '<div id="moderated" class="error"><p>' . $error_msg . '</p></div>';
242		}
243
244		if ( isset($_REQUEST['approved']) \|\| isset($_REQUEST['deleted']) \|\| isset($_REQUEST['trashed']) \|\| isset($_REQUEST['untrashed']) \|\| isset($_REQUEST['spammed']) \|\| isset($_REQUEST['unspammed']) \|\| isset($_REQUEST['same']) ) {
245		$approved = isset( $_REQUEST['approved'] ) ? (int) $_REQUEST['approved'] : 0;
246		$deleted = isset( $_REQUEST['deleted'] ) ? (int) $_REQUEST['deleted'] : 0;
247		$trashed = isset( $_REQUEST['trashed'] ) ? (int) $_REQUEST['trashed'] : 0;
248		$untrashed = isset( $_REQUEST['untrashed'] ) ? (int) $_REQUEST['untrashed'] : 0;
249		$spammed = isset( $_REQUEST['spammed'] ) ? (int) $_REQUEST['spammed'] : 0;
250		$unspammed = isset( $_REQUEST['unspammed'] ) ? (int) $_REQUEST['unspammed'] : 0;
251		$same = isset( $_REQUEST['same'] ) ? (int) $_REQUEST['same'] : 0;
252
253		if ( $approved > 0 \|\| $deleted > 0 \|\| $trashed > 0 \|\| $untrashed > 0 \|\| $spammed > 0 \|\| $unspammed > 0 \|\| $same > 0 ) {
254		if ( $approved > 0 ) {
255		/* translators: %s: number of comments approved */
256		$messages[] = sprintf( _n( '%s comment approved', '%s comments approved', $approved ), $approved );
257		}
258
259	View Code Duplication	if ( $spammed > 0 ) {
260		$ids = isset($_REQUEST['ids']) ? $_REQUEST['ids'] : 0;
261		/* translators: %s: number of comments marked as spam */
262		$messages[] = sprintf( _n( '%s comment marked as spam.', '%s comments marked as spam.', $spammed ), $spammed ) . ' <a href="' . esc_url( wp_nonce_url( "edit-comments.php?doaction=undo&action=unspam&ids=$ids", "bulk-comments" ) ) . '">' . __('Undo') . '</a><br />';
263		}
264
265		if ( $unspammed > 0 ) {
266		/* translators: %s: number of comments restored from the spam */
267		$messages[] = sprintf( _n( '%s comment restored from the spam', '%s comments restored from the spam', $unspammed ), $unspammed );
268		}
269
270	View Code Duplication	if ( $trashed > 0 ) {
271		$ids = isset($_REQUEST['ids']) ? $_REQUEST['ids'] : 0;
272		/* translators: %s: number of comments moved to the Trash */
273		$messages[] = sprintf( _n( '%s comment moved to the Trash.', '%s comments moved to the Trash.', $trashed ), $trashed ) . ' <a href="' . esc_url( wp_nonce_url( "edit-comments.php?doaction=undo&action=untrash&ids=$ids", "bulk-comments" ) ) . '">' . __('Undo') . '</a><br />';
274		}
275
276		if ( $untrashed > 0 ) {
277		/* translators: %s: number of comments restored from the Trash */
278		$messages[] = sprintf( _n( '%s comment restored from the Trash', '%s comments restored from the Trash', $untrashed ), $untrashed );
279		}
280
281		if ( $deleted > 0 ) {
282		/* translators: %s: number of comments permanently deleted */
283		$messages[] = sprintf( _n( '%s comment permanently deleted', '%s comments permanently deleted', $deleted ), $deleted );
284		}
285
286		if ( $same > 0 && $comment = get_comment( $same ) ) {
287		switch ( $comment->comment_approved ) {
288	View Code Duplication	case '1' :
289		$messages[] = __('This comment is already approved.') . ' <a href="' . esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) ) . '">' . __( 'Edit comment' ) . '</a>';
290		break;
291	View Code Duplication	case 'trash' :
292		$messages[] = __( 'This comment is already in the Trash.' ) . ' <a href="' . esc_url( admin_url( 'edit-comments.php?comment_status=trash' ) ) . '"> ' . __( 'View Trash' ) . '</a>';
293		break;
294	View Code Duplication	case 'spam' :
295		$messages[] = __( 'This comment is already marked as spam.' ) . ' <a href="' . esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) ) . '">' . __( 'Edit comment' ) . '</a>';
296		break;
297		}
298		}
299
300		echo '<div id="moderated" class="updated notice is-dismissible"><p>' . implode( "<br/>\n", $messages ) . '</p></div>';
301		}
302		}
303		?>
304
305		<?php $wp_list_table->views(); ?>
306
307		<form id="comments-form" method="get">
308
309		<?php $wp_list_table->search_box( __( 'Search Comments' ), 'comment' ); ?>
310
311		<?php if ( $post_id ) : ?>
312		<input type="hidden" name="p" value="<?php echo esc_attr( intval( $post_id ) ); ?>" />
313		<?php endif; ?>
314		<input type="hidden" name="comment_status" value="<?php echo esc_attr($comment_status); ?>" />
315		<input type="hidden" name="pagegen_timestamp" value="<?php echo esc_attr(current_time('mysql', 1)); ?>" />
316
317		<input type="hidden" name="_total" value="<?php echo esc_attr( $wp_list_table->get_pagination_arg('total_items') ); ?>" />
318		<input type="hidden" name="_per_page" value="<?php echo esc_attr( $wp_list_table->get_pagination_arg('per_page') ); ?>" />
319		<input type="hidden" name="_page" value="<?php echo esc_attr( $wp_list_table->get_pagination_arg('page') ); ?>" />
320
321		<?php if ( isset($_REQUEST['paged']) ) { ?>
322		<input type="hidden" name="paged" value="<?php echo esc_attr( absint( $_REQUEST['paged'] ) ); ?>" />
323		<?php } ?>
324
325		<?php $wp_list_table->display(); ?>
326		</form>
327		</div>
328
329		<div id="ajax-response"></div>
330
331		<?php
332		wp_comment_reply('-1', true, 'detail');
333		wp_comment_trashnotice();
334		include( ABSPATH . 'wp-admin/admin-footer.php' ); ?>
335

ntwb / wordpress

Issues (4967)

Security Analysis not enabled

src/wp-admin/edit-comments.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like