Issues in edit.php (ticket-41057) - Issues in ticket-41057 - ntwb/wordpress - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4967)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/wp-admin/edit.php (3 issues)

Labels

Severity

Minor 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Edit Posts Administration Screen.
 *
 * @package WordPress
 * @subpackage Administration
 */

/** WordPress Administration Bootstrap */
require_once( dirname( __FILE__ ) . '/admin.php' );

if ( ! $typenow )
	wp_die( __( 'Invalid post type.' ) );

if ( ! in_array( $typenow, get_post_types( array( 'show_ui' => true ) ) ) ) {
	wp_die( __( 'Sorry, you are not allowed to edit posts in this post type.' ) );
}

if ( 'attachment' === $typenow ) {
	if ( wp_redirect( admin_url( 'upload.php' ) ) ) {
		exit;
	}
}

/**
 * @global string       $post_type
 * @global WP_Post_Type $post_type_object
 */
global $post_type, $post_type_object;

$post_type = $typenow;
$post_type_object = get_post_type_object( $post_type );

if ( ! $post_type_object )
	wp_die( __( 'Invalid post type.' ) );

if ( ! current_user_can( $post_type_object->cap->edit_posts ) ) {
	wp_die(
		'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
		'<p>' . __( 'Sorry, you are not allowed to edit posts in this post type.' ) . '</p>',
		403
	);
}

$wp_list_table = _get_list_table('WP_Posts_List_Table');
$pagenum = $wp_list_table->get_pagenum();

// Back-compat for viewing comments of an entry
foreach ( array( 'p', 'attachment_id', 'page_id' ) as $_redirect ) {
	if ( ! empty( $_REQUEST[ $_redirect ] ) ) {
		wp_redirect( admin_url( 'edit-comments.php?p=' . absint( $_REQUEST[ $_redirect ] ) ) );
		exit;
	}
}
unset( $_redirect );

if ( 'post' != $post_type ) {
	$parent_file = "edit.php?post_type=$post_type";
	$submenu_file = "edit.php?post_type=$post_type";
	$post_new_file = "post-new.php?post_type=$post_type";
} else {
	$parent_file = 'edit.php';
	$submenu_file = 'edit.php';
	$post_new_file = 'post-new.php';
}

$doaction = $wp_list_table->current_action();

if ( $doaction ) {
	check_admin_referer('bulk-posts');

	$sendback = remove_query_arg( array('trashed', 'untrashed', 'deleted', 'locked', 'ids'), wp_get_referer() );
	if ( ! $sendback )
		$sendback = admin_url( $parent_file );
	$sendback = add_query_arg( 'paged', $pagenum, $sendback );
	if ( strpos($sendback, 'post.php') !== false )
		$sendback = admin_url($post_new_file);

	if ( 'delete_all' == $doaction ) {
		// Prepare for deletion of all posts with a specified post status (i.e. Empty trash).
		$post_status = preg_replace('/[^a-z0-9_-]+/i', '', $_REQUEST['post_status']);
		// Validate the post status exists.
		if ( get_post_status_object( $post_status ) ) {
			$post_ids = $wpdb->get_col( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_type=%s AND post_status = %s", $post_type, $post_status ) );
		}
		$doaction = 'delete';
	} elseif ( isset( $_REQUEST['media'] ) ) {
		$post_ids = $_REQUEST['media'];
	} elseif ( isset( $_REQUEST['ids'] ) ) {
		$post_ids = explode( ',', $_REQUEST['ids'] );
	} elseif ( !empty( $_REQUEST['post'] ) ) {
		$post_ids = array_map('intval', $_REQUEST['post']);
	}

	if ( !isset( $post_ids ) ) {
		wp_redirect( $sendback );
		exit;
	}

	switch ( $doaction ) {
		case 'trash':
			$trashed = $locked = 0;

			foreach ( (array) $post_ids as $post_id ) {
				if ( !current_user_can( 'delete_post', $post_id) )
					wp_die( __('Sorry, you are not allowed to move this item to the Trash.') );

				if ( wp_check_post_lock( $post_id ) ) {
					$locked++;
					continue;
				}

				if ( !wp_trash_post($post_id) )
					wp_die( __('Error in moving to Trash.') );

				$trashed++;
			}

			$sendback = add_query_arg( array('trashed' => $trashed, 'ids' => join(',', $post_ids), 'locked' => $locked ), $sendback );
			break;
		case 'untrash':
			$untrashed = 0;
			foreach ( (array) $post_ids as $post_id ) {
				if ( !current_user_can( 'delete_post', $post_id) )
					wp_die( __('Sorry, you are not allowed to restore this item from the Trash.') );

				if ( !wp_untrash_post($post_id) )
					wp_die( __('Error in restoring from Trash.') );

				$untrashed++;
			}
			$sendback = add_query_arg('untrashed', $untrashed, $sendback);
			break;
		case 'delete':
			$deleted = 0;
			foreach ( (array) $post_ids as $post_id ) {
				$post_del = get_post($post_id);

				if ( !current_user_can( 'delete_post', $post_id ) )
					wp_die( __('Sorry, you are not allowed to delete this item.') );

				if ( $post_del->post_type == 'attachment' ) {
					if ( ! wp_delete_attachment($post_id) )
						wp_die( __('Error in deleting.') );
				} else {
					if ( !wp_delete_post($post_id) )
						wp_die( __('Error in deleting.') );
				}
				$deleted++;
			}
			$sendback = add_query_arg('deleted', $deleted, $sendback);
			break;
		case 'edit':
			if ( isset($_REQUEST['bulk_edit']) ) {
				$done = bulk_edit_posts($_REQUEST);

				if ( is_array($done) ) {
					$done['updated'] = count( $done['updated'] );
					$done['skipped'] = count( $done['skipped'] );
					$done['locked'] = count( $done['locked'] );
					$sendback = add_query_arg( $done, $sendback );
				}
			}
			break;
		default:
			/** This action is documented in wp-admin/edit-comments.php */
			$sendback = apply_filters( 'handle_bulk_actions-' . get_current_screen()->id, $sendback, $doaction, $post_ids );
			break;
	}

	$sendback = remove_query_arg( array('action', 'action2', 'tags_input', 'post_author', 'comment_status', 'ping_status', '_status', 'post', 'bulk_edit', 'post_view'), $sendback );

	wp_redirect($sendback);
	exit();
} elseif ( ! empty($_REQUEST['_wp_http_referer']) ) {
	 wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) ) );

	 exit;
}

$wp_list_table->prepare_items();

wp_enqueue_script('inline-edit-post');
wp_enqueue_script('heartbeat');

$title = $post_type_object->labels->name;

if ( 'post' == $post_type ) {
	get_current_screen()->add_help_tab( array(
	'id'		=> 'overview',
	'title'		=> __('Overview'),
	'content'	=>
		'<p>' . __('This screen provides access to all of your posts. You can customize the display of this screen to suit your workflow.') . '</p>'
	) );
	get_current_screen()->add_help_tab( array(
	'id'		=> 'screen-content',
	'title'		=> __('Screen Content'),
	'content'	=>
		'<p>' . __('You can customize the display of this screen&#8217;s contents in a number of ways:') . '</p>' .
		'<ul>' .
			'<li>' . __('You can hide/display columns based on your needs and decide how many posts to list per screen using the Screen Options tab.') . '</li>' .
			'<li>' . __( 'You can filter the list of posts by post status using the text links above the posts list to only show posts with that status. The default view is to show all posts.' ) . '</li>' .
			'<li>' . __('You can view posts in a simple title list or with an excerpt using the Screen Options tab.') . '</li>' .
			'<li>' . __('You can refine the list to show only posts in a specific category or from a specific month by using the dropdown menus above the posts list. Click the Filter button after making your selection. You also can refine the list by clicking on the post author, category or tag in the posts list.') . '</li>' .
		'</ul>'
	) );
	get_current_screen()->add_help_tab( array(
	'id'		=> 'action-links',
	'title'		=> __('Available Actions'),
	'content'	=>
		'<p>' . __('Hovering over a row in the posts list will display action links that allow you to manage your post. You can perform the following actions:') . '</p>' .
		'<ul>' .
			'<li>' . __('<strong>Edit</strong> takes you to the editing screen for that post. You can also reach that screen by clicking on the post title.') . '</li>' .
			'<li>' . __('<strong>Quick Edit</strong> provides inline access to the metadata of your post, allowing you to update post details without leaving this screen.') . '</li>' .
			'<li>' . __('<strong>Trash</strong> removes your post from this list and places it in the trash, from which you can permanently delete it.') . '</li>' .
			'<li>' . __('<strong>Preview</strong> will show you what your draft post will look like if you publish it. View will take you to your live site to view the post. Which link is available depends on your post&#8217;s status.') . '</li>' .
		'</ul>'
	) );
	get_current_screen()->add_help_tab( array(
	'id'		=> 'bulk-actions',
	'title'		=> __('Bulk Actions'),
	'content'	=>
		'<p>' . __('You can also edit or move multiple posts to the trash at once. Select the posts you want to act on using the checkboxes, then select the action you want to take from the Bulk Actions menu and click Apply.') . '</p>' .
				'<p>' . __('When using Bulk Edit, you can change the metadata (categories, author, etc.) for all selected posts at once. To remove a post from the grouping, just click the x next to its name in the Bulk Edit area that appears.') . '</p>'
	) );

	get_current_screen()->set_help_sidebar(
	'<p><strong>' . __('For more information:') . '</strong></p>' .
	'<p>' . __('<a href="https://codex.wordpress.org/Posts_Screen">Documentation on Managing Posts</a>') . '</p>' .
	'<p>' . __('<a href="https://wordpress.org/support/">Support Forums</a>') . '</p>'
	);

} elseif ( 'page' == $post_type ) {
	get_current_screen()->add_help_tab( array(
	'id'		=> 'overview',
	'title'		=> __('Overview'),
	'content'	=>
		'<p>' . __('Pages are similar to posts in that they have a title, body text, and associated metadata, but they are different in that they are not part of the chronological blog stream, kind of like permanent posts. Pages are not categorized or tagged, but can have a hierarchy. You can nest pages under other pages by making one the &#8220;Parent&#8221; of the other, creating a group of pages.') . '</p>'
	) );
	get_current_screen()->add_help_tab( array(
	'id'		=> 'managing-pages',
	'title'		=> __('Managing Pages'),
	'content'	=>
		'<p>' . __('Managing pages is very similar to managing posts, and the screens can be customized in the same way.') . '</p>' .
		'<p>' . __('You can also perform the same types of actions, including narrowing the list by using the filters, acting on a page using the action links that appear when you hover over a row, or using the Bulk Actions menu to edit the metadata for multiple pages at once.') . '</p>'
	) );

	get_current_screen()->set_help_sidebar(
	'<p><strong>' . __('For more information:') . '</strong></p>' .
	'<p>' . __('<a href="https://codex.wordpress.org/Pages_Screen">Documentation on Managing Pages</a>') . '</p>' .
	'<p>' . __('<a href="https://wordpress.org/support/">Support Forums</a>') . '</p>'
	);

}

get_current_screen()->set_screen_reader_content( array(
	'heading_views'      => $post_type_object->labels->filter_items_list,
	'heading_pagination' => $post_type_object->labels->items_list_navigation,
	'heading_list'       => $post_type_object->labels->items_list,
) );

add_screen_option( 'per_page', array( 'default' => 20, 'option' => 'edit_' . $post_type . '_per_page' ) );

$bulk_counts = array(
	'updated'   => isset( $_REQUEST['updated'] )   ? absint( $_REQUEST['updated'] )   : 0,
	'locked'    => isset( $_REQUEST['locked'] )    ? absint( $_REQUEST['locked'] )    : 0,
	'deleted'   => isset( $_REQUEST['deleted'] )   ? absint( $_REQUEST['deleted'] )   : 0,
	'trashed'   => isset( $_REQUEST['trashed'] )   ? absint( $_REQUEST['trashed'] )   : 0,
	'untrashed' => isset( $_REQUEST['untrashed'] ) ? absint( $_REQUEST['untrashed'] ) : 0,
);

$bulk_messages = array();
$bulk_messages['post'] = array(
	'updated'   => _n( '%s post updated.', '%s posts updated.', $bulk_counts['updated'] ),
	'locked'    => ( 1 == $bulk_counts['locked'] ) ? __( '1 post not updated, somebody is editing it.' ) :
	                   _n( '%s post not updated, somebody is editing it.', '%s posts not updated, somebody is editing them.', $bulk_counts['locked'] ),
	'deleted'   => _n( '%s post permanently deleted.', '%s posts permanently deleted.', $bulk_counts['deleted'] ),
	'trashed'   => _n( '%s post moved to the Trash.', '%s posts moved to the Trash.', $bulk_counts['trashed'] ),
	'untrashed' => _n( '%s post restored from the Trash.', '%s posts restored from the Trash.', $bulk_counts['untrashed'] ),
);
$bulk_messages['page'] = array(
	'updated'   => _n( '%s page updated.', '%s pages updated.', $bulk_counts['updated'] ),
	'locked'    => ( 1 == $bulk_counts['locked'] ) ? __( '1 page not updated, somebody is editing it.' ) :
	                   _n( '%s page not updated, somebody is editing it.', '%s pages not updated, somebody is editing them.', $bulk_counts['locked'] ),
	'deleted'   => _n( '%s page permanently deleted.', '%s pages permanently deleted.', $bulk_counts['deleted'] ),
	'trashed'   => _n( '%s page moved to the Trash.', '%s pages moved to the Trash.', $bulk_counts['trashed'] ),
	'untrashed' => _n( '%s page restored from the Trash.', '%s pages restored from the Trash.', $bulk_counts['untrashed'] ),
);

/**
 * Filters the bulk action updated messages.
 *
 * By default, custom post types use the messages for the 'post' post type.
 *
 * @since 3.7.0
 *
 * @param array $bulk_messages Arrays of messages, each keyed by the corresponding post type. Messages are
 *                             keyed with 'updated', 'locked', 'deleted', 'trashed', and 'untrashed'.
 * @param array $bulk_counts   Array of item counts for each message, used to build internationalized strings.
 */
$bulk_messages = apply_filters( 'bulk_post_updated_messages', $bulk_messages, $bulk_counts );
$bulk_counts = array_filter( $bulk_counts );

require_once( ABSPATH . 'wp-admin/admin-header.php' );
?>
<div class="wrap">
<h1 class="wp-heading-inline"><?php
echo esc_html( $post_type_object->labels->name );
?></h1>

<?php
if ( current_user_can( $post_type_object->cap->create_posts ) ) {
	echo ' <a href="' . esc_url( admin_url( $post_new_file ) ) . '" class="page-title-action">' . esc_html( $post_type_object->labels->add_new ) . '</a>';
}

if ( isset( $_REQUEST['s'] ) && strlen( $_REQUEST['s'] ) ) {
	/* translators: %s: search keywords */
	printf( ' <span class="subtitle">' . __( 'Search results for &#8220;%s&#8221;' ) . '</span>', get_search_query() );
}
?>

<hr class="wp-header-end">

<?php
// If we have a bulk message to issue:
$messages = array();
foreach ( $bulk_counts as $message => $count ) {
	if ( isset( $bulk_messages[ $post_type ][ $message ] ) )
		$messages[] = sprintf( $bulk_messages[ $post_type ][ $message ], number_format_i18n( $count ) );
	elseif ( isset( $bulk_messages['post'][ $message ] ) )
		$messages[] = sprintf( $bulk_messages['post'][ $message ], number_format_i18n( $count ) );

	if ( $message == 'trashed' && isset( $_REQUEST['ids'] ) ) {
		$ids = preg_replace( '/[^0-9,]/', '', $_REQUEST['ids'] );
		$messages[] = '<a href="' . esc_url( wp_nonce_url( "edit.php?post_type=$post_type&doaction=undo&action=untrash&ids=$ids", "bulk-posts" ) ) . '">' . __('Undo') . '</a>';
	}
}

if ( $messages )

	echo '<div id="message" class="updated notice is-dismissible"><p>' . join( ' ', $messages ) . '</p></div>';
unset( $messages );

$_SERVER['REQUEST_URI'] = remove_query_arg( array( 'locked', 'skipped', 'updated', 'deleted', 'trashed', 'untrashed' ), $_SERVER['REQUEST_URI'] );
?>

<?php $wp_list_table->views(); ?>

<form id="posts-filter" method="get">

<?php $wp_list_table->search_box( $post_type_object->labels->search_items, 'post' ); ?>

<input type="hidden" name="post_status" class="post_status_page" value="<?php echo !empty($_REQUEST['post_status']) ? esc_attr($_REQUEST['post_status']) : 'all'; ?>" />
<input type="hidden" name="post_type" class="post_type_page" value="<?php echo $post_type; ?>" />

<?php if ( ! empty( $_REQUEST['author'] ) ) { ?>
<input type="hidden" name="author" value="<?php echo esc_attr( $_REQUEST['author'] ); ?>" />
<?php } ?>

<?php if ( ! empty( $_REQUEST['show_sticky'] ) ) { ?>
<input type="hidden" name="show_sticky" value="1" />
<?php } ?>

<?php $wp_list_table->display(); ?>

</form>

<?php
if ( $wp_list_table->has_items() )
	$wp_list_table->inline_edit();
?>

<div id="ajax-response"></div>
<br class="clear" />
</div>

<?php
include( ABSPATH . 'wp-admin/admin-footer.php' );


1		<?php
2		/**
3		* Edit Posts Administration Screen.
4		*
5		* @package WordPress
6		* @subpackage Administration
7		*/
8
9		/** WordPress Administration Bootstrap */
10		require_once( dirname( __FILE__ ) . '/admin.php' );
11
12		if ( ! $typenow )
13		wp_die( __( 'Invalid post type.' ) );
14
15	View Code Duplication	if ( ! in_array( $typenow, get_post_types( array( 'show_ui' => true ) ) ) ) {
16		wp_die( __( 'Sorry, you are not allowed to edit posts in this post type.' ) );
17		}
18
19		if ( 'attachment' === $typenow ) {
20		if ( wp_redirect( admin_url( 'upload.php' ) ) ) {
21		exit;
22		}
23		}
24
25		/**
26		* @global string $post_type
27		* @global WP_Post_Type $post_type_object
28		*/
29		global $post_type, $post_type_object;
30
31		$post_type = $typenow;
32		$post_type_object = get_post_type_object( $post_type );
33
34		if ( ! $post_type_object )
35		wp_die( __( 'Invalid post type.' ) );
36
37	View Code Duplication	if ( ! current_user_can( $post_type_object->cap->edit_posts ) ) {
38		wp_die(
39		'<h1>' . __( 'Cheatin’ uh?' ) . '</h1>' .
40		'<p>' . __( 'Sorry, you are not allowed to edit posts in this post type.' ) . '</p>',
41		403
42		);
43		}
44
45		$wp_list_table = _get_list_table('WP_Posts_List_Table');
46		$pagenum = $wp_list_table->get_pagenum();
47
48		// Back-compat for viewing comments of an entry
49		foreach ( array( 'p', 'attachment_id', 'page_id' ) as $_redirect ) {
50		if ( ! empty( $_REQUEST[ $_redirect ] ) ) {
51		wp_redirect( admin_url( 'edit-comments.php?p=' . absint( $_REQUEST[ $_redirect ] ) ) );
52		exit;
53		}
54		}
55		unset( $_redirect );
56
57		if ( 'post' != $post_type ) {
58		$parent_file = "edit.php?post_type=$post_type";
59		$submenu_file = "edit.php?post_type=$post_type";
60		$post_new_file = "post-new.php?post_type=$post_type";
61		} else {
62		$parent_file = 'edit.php';
63		$submenu_file = 'edit.php';
64		$post_new_file = 'post-new.php';
65		}
66
67		$doaction = $wp_list_table->current_action();
68
69		if ( $doaction ) {
70		check_admin_referer('bulk-posts');
71
72		$sendback = remove_query_arg( array('trashed', 'untrashed', 'deleted', 'locked', 'ids'), wp_get_referer() );
73		if ( ! $sendback )
74		$sendback = admin_url( $parent_file );
75		$sendback = add_query_arg( 'paged', $pagenum, $sendback );
76		if ( strpos($sendback, 'post.php') !== false )
77		$sendback = admin_url($post_new_file);
78
79		if ( 'delete_all' == $doaction ) {
80		// Prepare for deletion of all posts with a specified post status (i.e. Empty trash).
81		$post_status = preg_replace('/[^a-z0-9_-]+/i', '', $_REQUEST['post_status']);
82		// Validate the post status exists.
83		if ( get_post_status_object( $post_status ) ) {
84		$post_ids = $wpdb->get_col( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_type=%s AND post_status = %s", $post_type, $post_status ) );
85		}
86		$doaction = 'delete';
87		} elseif ( isset( $_REQUEST['media'] ) ) {
88		$post_ids = $_REQUEST['media'];
89		} elseif ( isset( $_REQUEST['ids'] ) ) {
90		$post_ids = explode( ',', $_REQUEST['ids'] );
91		} elseif ( !empty( $_REQUEST['post'] ) ) {
92		$post_ids = array_map('intval', $_REQUEST['post']);
93		}
94
95		if ( !isset( $post_ids ) ) {
96		wp_redirect( $sendback );
97		exit;
98		}
99
100		switch ( $doaction ) {
101		case 'trash':
102		$trashed = $locked = 0;
103
104		foreach ( (array) $post_ids as $post_id ) {
105		if ( !current_user_can( 'delete_post', $post_id) )
106		wp_die( __('Sorry, you are not allowed to move this item to the Trash.') );
107
108		if ( wp_check_post_lock( $post_id ) ) {
109		$locked++;
110		continue;
111		}
112
113		if ( !wp_trash_post($post_id) )
114		wp_die( __('Error in moving to Trash.') );
115
116		$trashed++;
117		}
118
119		$sendback = add_query_arg( array('trashed' => $trashed, 'ids' => join(',', $post_ids), 'locked' => $locked ), $sendback );
120		break;
121		case 'untrash':
122		$untrashed = 0;
123		foreach ( (array) $post_ids as $post_id ) {
124		if ( !current_user_can( 'delete_post', $post_id) )
125		wp_die( __('Sorry, you are not allowed to restore this item from the Trash.') );
126
127		if ( !wp_untrash_post($post_id) )
128		wp_die( __('Error in restoring from Trash.') );
129
130		$untrashed++;
131		}
132		$sendback = add_query_arg('untrashed', $untrashed, $sendback);
133		break;
134		case 'delete':
135		$deleted = 0;
136		foreach ( (array) $post_ids as $post_id ) {
137		$post_del = get_post($post_id);
138
139		if ( !current_user_can( 'delete_post', $post_id ) )
140		wp_die( __('Sorry, you are not allowed to delete this item.') );
141
142		if ( $post_del->post_type == 'attachment' ) {
143		if ( ! wp_delete_attachment($post_id) )
144		wp_die( __('Error in deleting.') );
145		} else {
146		if ( !wp_delete_post($post_id) )
147		wp_die( __('Error in deleting.') );
148		}
149		$deleted++;
150		}
151		$sendback = add_query_arg('deleted', $deleted, $sendback);
152		break;
153		case 'edit':
154		if ( isset($_REQUEST['bulk_edit']) ) {
155		$done = bulk_edit_posts($_REQUEST);
156
157		if ( is_array($done) ) {
158		$done['updated'] = count( $done['updated'] );
159		$done['skipped'] = count( $done['skipped'] );
160		$done['locked'] = count( $done['locked'] );
161		$sendback = add_query_arg( $done, $sendback );
162		}
163		}
164		break;
165		default:
166		/** This action is documented in wp-admin/edit-comments.php */
167		$sendback = apply_filters( 'handle_bulk_actions-' . get_current_screen()->id, $sendback, $doaction, $post_ids );
168		break;
169		}
170
171		$sendback = remove_query_arg( array('action', 'action2', 'tags_input', 'post_author', 'comment_status', 'ping_status', '_status', 'post', 'bulk_edit', 'post_view'), $sendback );
172
173		wp_redirect($sendback);
174		exit();
175	View Code Duplication	} elseif ( ! empty($_REQUEST['_wp_http_referer']) ) {
176		wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) ) );
		0 ignored issues – show Bug introduced 2016-03-16 22:18 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `wp_unslash($_SERVER['REQUEST_URI'])` targeting `wp_unslash()` can also be of type `array`; however, `remove_query_arg()` does only seem to accept `boolean\|string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history... Bug introduced 2015-12-17 04:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `remove_query_arg(array('...SERVER['REQUEST_URI']))` targeting `remove_query_arg()` can also be of type `boolean`; however, `wp_redirect()` does only seem to accept `string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
177		exit;
178		}
179
180		$wp_list_table->prepare_items();
181
182		wp_enqueue_script('inline-edit-post');
183		wp_enqueue_script('heartbeat');
184
185		$title = $post_type_object->labels->name;
186
187		if ( 'post' == $post_type ) {
188		get_current_screen()->add_help_tab( array(
189		'id' => 'overview',
190		'title' => __('Overview'),
191		'content' =>
192		'<p>' . __('This screen provides access to all of your posts. You can customize the display of this screen to suit your workflow.') . '</p>'
193		) );
194		get_current_screen()->add_help_tab( array(
195		'id' => 'screen-content',
196		'title' => __('Screen Content'),
197		'content' =>
198		'<p>' . __('You can customize the display of this screen’s contents in a number of ways:') . '</p>' .
199		'<ul>' .
200		'<li>' . __('You can hide/display columns based on your needs and decide how many posts to list per screen using the Screen Options tab.') . '</li>' .
201		'<li>' . __( 'You can filter the list of posts by post status using the text links above the posts list to only show posts with that status. The default view is to show all posts.' ) . '</li>' .
202		'<li>' . __('You can view posts in a simple title list or with an excerpt using the Screen Options tab.') . '</li>' .
203		'<li>' . __('You can refine the list to show only posts in a specific category or from a specific month by using the dropdown menus above the posts list. Click the Filter button after making your selection. You also can refine the list by clicking on the post author, category or tag in the posts list.') . '</li>' .
204		'</ul>'
205		) );
206		get_current_screen()->add_help_tab( array(
207		'id' => 'action-links',
208		'title' => __('Available Actions'),
209		'content' =>
210		'<p>' . __('Hovering over a row in the posts list will display action links that allow you to manage your post. You can perform the following actions:') . '</p>' .
211		'<ul>' .
212		'<li>' . __('<strong>Edit</strong> takes you to the editing screen for that post. You can also reach that screen by clicking on the post title.') . '</li>' .
213		'<li>' . __('<strong>Quick Edit</strong> provides inline access to the metadata of your post, allowing you to update post details without leaving this screen.') . '</li>' .
214		'<li>' . __('<strong>Trash</strong> removes your post from this list and places it in the trash, from which you can permanently delete it.') . '</li>' .
215		'<li>' . __('<strong>Preview</strong> will show you what your draft post will look like if you publish it. View will take you to your live site to view the post. Which link is available depends on your post’s status.') . '</li>' .
216		'</ul>'
217		) );
218		get_current_screen()->add_help_tab( array(
219		'id' => 'bulk-actions',
220		'title' => __('Bulk Actions'),
221		'content' =>
222		'<p>' . __('You can also edit or move multiple posts to the trash at once. Select the posts you want to act on using the checkboxes, then select the action you want to take from the Bulk Actions menu and click Apply.') . '</p>' .
223		'<p>' . __('When using Bulk Edit, you can change the metadata (categories, author, etc.) for all selected posts at once. To remove a post from the grouping, just click the x next to its name in the Bulk Edit area that appears.') . '</p>'
224		) );
225
226		get_current_screen()->set_help_sidebar(
227		'<p><strong>' . __('For more information:') . '</strong></p>' .
228		'<p>' . __('<a href="https://codex.wordpress.org/Posts_Screen">Documentation on Managing Posts</a>') . '</p>' .
229		'<p>' . __('<a href="https://wordpress.org/support/">Support Forums</a>') . '</p>'
230		);
231
232		} elseif ( 'page' == $post_type ) {
233		get_current_screen()->add_help_tab( array(
234		'id' => 'overview',
235		'title' => __('Overview'),
236		'content' =>
237		'<p>' . __('Pages are similar to posts in that they have a title, body text, and associated metadata, but they are different in that they are not part of the chronological blog stream, kind of like permanent posts. Pages are not categorized or tagged, but can have a hierarchy. You can nest pages under other pages by making one the “Parent” of the other, creating a group of pages.') . '</p>'
238		) );
239		get_current_screen()->add_help_tab( array(
240		'id' => 'managing-pages',
241		'title' => __('Managing Pages'),
242		'content' =>
243		'<p>' . __('Managing pages is very similar to managing posts, and the screens can be customized in the same way.') . '</p>' .
244		'<p>' . __('You can also perform the same types of actions, including narrowing the list by using the filters, acting on a page using the action links that appear when you hover over a row, or using the Bulk Actions menu to edit the metadata for multiple pages at once.') . '</p>'
245		) );
246
247		get_current_screen()->set_help_sidebar(
248		'<p><strong>' . __('For more information:') . '</strong></p>' .
249		'<p>' . __('<a href="https://codex.wordpress.org/Pages_Screen">Documentation on Managing Pages</a>') . '</p>' .
250		'<p>' . __('<a href="https://wordpress.org/support/">Support Forums</a>') . '</p>'
251		);
252
253		}
254
255		get_current_screen()->set_screen_reader_content( array(
256		'heading_views' => $post_type_object->labels->filter_items_list,
257		'heading_pagination' => $post_type_object->labels->items_list_navigation,
258		'heading_list' => $post_type_object->labels->items_list,
259		) );
260
261		add_screen_option( 'per_page', array( 'default' => 20, 'option' => 'edit_' . $post_type . '_per_page' ) );
262
263		$bulk_counts = array(
264		'updated' => isset( $_REQUEST['updated'] ) ? absint( $_REQUEST['updated'] ) : 0,
265		'locked' => isset( $_REQUEST['locked'] ) ? absint( $_REQUEST['locked'] ) : 0,
266		'deleted' => isset( $_REQUEST['deleted'] ) ? absint( $_REQUEST['deleted'] ) : 0,
267		'trashed' => isset( $_REQUEST['trashed'] ) ? absint( $_REQUEST['trashed'] ) : 0,
268		'untrashed' => isset( $_REQUEST['untrashed'] ) ? absint( $_REQUEST['untrashed'] ) : 0,
269		);
270
271		$bulk_messages = array();
272		$bulk_messages['post'] = array(
273		'updated' => _n( '%s post updated.', '%s posts updated.', $bulk_counts['updated'] ),
274		'locked' => ( 1 == $bulk_counts['locked'] ) ? __( '1 post not updated, somebody is editing it.' ) :
275		_n( '%s post not updated, somebody is editing it.', '%s posts not updated, somebody is editing them.', $bulk_counts['locked'] ),
276		'deleted' => _n( '%s post permanently deleted.', '%s posts permanently deleted.', $bulk_counts['deleted'] ),
277		'trashed' => _n( '%s post moved to the Trash.', '%s posts moved to the Trash.', $bulk_counts['trashed'] ),
278		'untrashed' => _n( '%s post restored from the Trash.', '%s posts restored from the Trash.', $bulk_counts['untrashed'] ),
279		);
280		$bulk_messages['page'] = array(
281		'updated' => _n( '%s page updated.', '%s pages updated.', $bulk_counts['updated'] ),
282		'locked' => ( 1 == $bulk_counts['locked'] ) ? __( '1 page not updated, somebody is editing it.' ) :
283		_n( '%s page not updated, somebody is editing it.', '%s pages not updated, somebody is editing them.', $bulk_counts['locked'] ),
284		'deleted' => _n( '%s page permanently deleted.', '%s pages permanently deleted.', $bulk_counts['deleted'] ),
285		'trashed' => _n( '%s page moved to the Trash.', '%s pages moved to the Trash.', $bulk_counts['trashed'] ),
286		'untrashed' => _n( '%s page restored from the Trash.', '%s pages restored from the Trash.', $bulk_counts['untrashed'] ),
287		);
288
289		/**
290		* Filters the bulk action updated messages.
291		*
292		* By default, custom post types use the messages for the 'post' post type.
293		*
294		* @since 3.7.0
295		*
296		* @param array $bulk_messages Arrays of messages, each keyed by the corresponding post type. Messages are
297		* keyed with 'updated', 'locked', 'deleted', 'trashed', and 'untrashed'.
298		* @param array $bulk_counts Array of item counts for each message, used to build internationalized strings.
299		*/
300		$bulk_messages = apply_filters( 'bulk_post_updated_messages', $bulk_messages, $bulk_counts );
301		$bulk_counts = array_filter( $bulk_counts );
302
303		require_once( ABSPATH . 'wp-admin/admin-header.php' );
304		?>
305		<div class="wrap">
306		<h1 class="wp-heading-inline"><?php
307		echo esc_html( $post_type_object->labels->name );
308		?></h1>
309
310		<?php
311	View Code Duplication	if ( current_user_can( $post_type_object->cap->create_posts ) ) {
312		echo ' <a href="' . esc_url( admin_url( $post_new_file ) ) . '" class="page-title-action">' . esc_html( $post_type_object->labels->add_new ) . '</a>';
313		}
314
315	View Code Duplication	if ( isset( $_REQUEST['s'] ) && strlen( $_REQUEST['s'] ) ) {
316		/* translators: %s: search keywords */
317		printf( ' <span class="subtitle">' . __( 'Search results for “%s”' ) . '</span>', get_search_query() );
318		}
319		?>
320
321		<hr class="wp-header-end">
322
323		<?php
324		// If we have a bulk message to issue:
325		$messages = array();
326		foreach ( $bulk_counts as $message => $count ) {
327		if ( isset( $bulk_messages[ $post_type ][ $message ] ) )
328		$messages[] = sprintf( $bulk_messages[ $post_type ][ $message ], number_format_i18n( $count ) );
329		elseif ( isset( $bulk_messages['post'][ $message ] ) )
330		$messages[] = sprintf( $bulk_messages['post'][ $message ], number_format_i18n( $count ) );
331
332	View Code Duplication	if ( $message == 'trashed' && isset( $_REQUEST['ids'] ) ) {
333		$ids = preg_replace( '/[^0-9,]/', '', $_REQUEST['ids'] );
334		$messages[] = '<a href="' . esc_url( wp_nonce_url( "edit.php?post_type=$post_type&doaction=undo&action=untrash&ids=$ids", "bulk-posts" ) ) . '">' . __('Undo') . '</a>';
335		}
336		}
337
338		if ( $messages )
		0 ignored issues – show Bug Best Practice introduced 2015-12-17 04:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$messages` of type `array` is implicitly converted to a boolean; are you sure this is intended? If so, consider using `! empty($expr)` instead to make it clear that you intend to check for an array without elements. This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using `empty(..)` or `! empty(...)` instead. Loading history...
339		echo '<div id="message" class="updated notice is-dismissible"><p>' . join( ' ', $messages ) . '</p></div>';
340		unset( $messages );
341
342		$_SERVER['REQUEST_URI'] = remove_query_arg( array( 'locked', 'skipped', 'updated', 'deleted', 'trashed', 'untrashed' ), $_SERVER['REQUEST_URI'] );
343		?>
344
345		<?php $wp_list_table->views(); ?>
346
347		<form id="posts-filter" method="get">
348
349		<?php $wp_list_table->search_box( $post_type_object->labels->search_items, 'post' ); ?>
350
351		<input type="hidden" name="post_status" class="post_status_page" value="<?php echo !empty($_REQUEST['post_status']) ? esc_attr($_REQUEST['post_status']) : 'all'; ?>" />
352		<input type="hidden" name="post_type" class="post_type_page" value="<?php echo $post_type; ?>" />
353
354		<?php if ( ! empty( $_REQUEST['author'] ) ) { ?>
355		<input type="hidden" name="author" value="<?php echo esc_attr( $_REQUEST['author'] ); ?>" />
356		<?php } ?>
357
358		<?php if ( ! empty( $_REQUEST['show_sticky'] ) ) { ?>
359		<input type="hidden" name="show_sticky" value="1" />
360		<?php } ?>
361
362		<?php $wp_list_table->display(); ?>
363
364		</form>
365
366		<?php
367		if ( $wp_list_table->has_items() )
368		$wp_list_table->inline_edit();
369		?>
370
371		<div id="ajax-response"></div>
372		<br class="clear" />
373		</div>
374
375		<?php
376		include( ABSPATH . 'wp-admin/admin-footer.php' );
377

ntwb / wordpress

Issues (4967)

Security Analysis not enabled

src/wp-admin/edit.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like