Issues in class-settings-advanced.php (master) - Issues in master - ravinderk/Give - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4335)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

admin/settings/class-settings-advanced.php (6 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Give Settings Page/Tab
 *
 * @package     Give
 * @subpackage  Classes/Give_Settings_Advanced
 * @copyright   Copyright (c) 2016, GiveWP
 * @license     http://opensource.org/licenses/gpl-2.0.php GNU Public License
 * @since       1.8
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Exit if accessed directly
}

if ( ! class_exists( 'Give_Settings_Advanced' ) ) :

	/**
	 * Give_Settings_Advanced.
	 *
	 * @sine 1.8
	 */
	class Give_Settings_Advanced extends Give_Settings_Page {

		/**
		 * Constructor.
		 */
		public function __construct() {

			$this->id    = 'advanced';
			$this->label = __( 'Advanced', 'give' );

			$this->default_tab = 'advanced-options';

			if ( $this->id === give_get_current_setting_tab() ) {
				add_action( 'give_admin_field_remove_cache_button', array( $this, 'render_remove_cache_button' ), 10, 1 );
				add_action( 'give_save_settings_give_settings', array( $this, 'validate_settngs' ) );
			}

			parent::__construct();
		}

		/**
		 * Get settings array.
		 *
		 * @since  1.8
		 * @return array
		 */
		public function get_settings() {
			$settings = array();

			$current_section = give_get_current_setting_section();

			switch ( $current_section ) {
				case 'advanced-options':
					$settings = array(
						array(
							'id'   => 'give_title_data_control_2',
							'type' => 'title',
						),
						array(
							'name'    => __( 'Remove Data on Uninstall', 'give' ),
							'desc'    => __( 'When the plugin is deleted, completely remove all Give data. This includes all Give settings, forms, form meta, donor, donor data, donations. Everything.', 'give' ),
							'id'      => 'uninstall_on_delete',
							'type'    => 'radio_inline',
							'default' => 'disabled',
							'options' => array(
								'enabled'  => __( 'Yes, Remove all data', 'give' ),
								'disabled' => __( 'No, keep my Give settings and donation data', 'give' ),
							),
						),
						array(
							'name'    => __( 'Default User Role', 'give' ),
							'desc'    => __( 'Assign default user roles for donors when donors opt to register as a WP User.', 'give' ),
							'id'      => 'donor_default_user_role',
							'type'    => 'select',
							'default' => 'give_donor',
							'options' => give_get_user_roles(),
						),
						array(
							/* translators: %s: the_content */
							'name'    => sprintf( __( '%s filter', 'give' ), '<code>the_content</code>' ),
							/* translators: 1: https://codex.wordpress.org/Plugin_API/Filter_Reference/the_content 2: the_content */
							'desc'    => sprintf( __( 'If you are seeing extra social buttons, related posts, or other unwanted elements appearing within your forms then you can disable WordPress\' content filter. <a href="%1$s" target="_blank">Learn more</a> about %2$s filter.', 'give' ), esc_url( 'https://codex.wordpress.org/Plugin_API/Filter_Reference/the_content' ), '<code>the_content</code>' ),
							'id'      => 'the_content_filter',
							'default' => 'enabled',
							'type'    => 'radio_inline',
							'options' => array(
								'enabled'  => __( 'Enabled', 'give' ),
								'disabled' => __( 'Disabled', 'give' ),
							),
						),
						array(
							'name'    => __( 'Script Loading Location', 'give' ),
							'desc'    => __( 'This allows you to load your Give scripts either in the <code>&lt;head&gt;</code> or footer of your website.', 'give' ),
							'id'      => 'scripts_footer',
							'type'    => 'radio_inline',
							'default' => 'disabled',
							'options' => array(
								'disabled' => __( 'Head', 'give' ),
								'enabled'  => __( 'Footer', 'give' ),
							),
						),
						array(
							'name'    => __( 'Babel Polyfill Script', 'give' ),
							'desc'    => __( 'Decide whether to load the Babel polyfill, which provides backwards compatibility for older browsers such as IE 11. The polyfill may be disabled to avoid conflicts with other themes or plugins that load the same script.', 'give' ),
							'id'      => 'babel_polyfill_script',
							'type'    => 'radio_inline',
							'default' => 'enabled',
							'options' => array(
								'enabled'  => __( 'Enabled', 'give' ),
								'disabled' => __( 'Disabled', 'give' ),
							),
						),
						array(
							'name'    => __( 'Akismet SPAM Protection', 'give' ),
							'desc'    => __( 'Add a layer of SPAM protection to your donation submissions with Akismet. When enabled, donation submissions will be first sent to Akismet\'s API if you have the plugin activated and configured.', 'give' ),
							'id'      => 'akismet_spam_protection',
							'type'    => 'radio_inline',
							'default' => ( give_check_akismet_key() ) ? 'enabled' : 'disabled',
							'options' => array(
								'enabled'  => __( 'Enabled', 'give' ),
								'disabled' => __( 'Disabled', 'give' ),
							),
						),
						array(
							'name'        => 'Give Cache',
							'id'          => 'give-clear-cache',
							'buttonTitle' => __( 'Clear Cache', 'give' ),
							'desc'        => __( 'Click this button if you want to clear Give\'s cache. The plugin stores common settings and queries in cache to optimize performance. Clearing cache will remove and begin rebuilding these saved queries.', 'give' ),
							'type'        => 'remove_cache_button'
						),
						array(
							'name'  => __( 'Advanced Settings Docs Link', 'give' ),
							'id'    => 'advanced_settings_docs_link',
							'url'   => esc_url( 'http://docs.givewp.com/settings-advanced' ),
							'title' => __( 'Advanced Settings', 'give' ),
							'type'  => 'give_docs_link',
						),
						array(
							'id'   => 'give_title_data_control_2',
							'type' => 'sectionend',
						),
					);
					break;
			}

			/**
			 * Hide caching setting by default.
			 *
			 * @since 2.0
			 */
			if ( apply_filters( 'give_settings_advanced_show_cache_setting', false ) ) {
				array_splice( $settings, 1, 0, array(
					array(
						'name'    => __( 'Cache', 'give' ),
						'desc'    => __( 'If caching is enabled the plugin will start caching custom post type related queries and reduce the overall load time.', 'give' ),
						'id'      => 'cache',
						'type'    => 'radio_inline',
						'default' => 'enabled',
						'options' => array(
							'enabled'  => __( 'Enabled', 'give' ),
							'disabled' => __( 'Disabled', 'give' ),
						),
					)
				) );
			}



			/**
			 * Filter the advanced settings.
			 * Backward compatibility: Please do not use this filter. This filter is deprecated in 1.8
			 */
			$settings = apply_filters( 'give_settings_advanced', $settings );

			/**
			 * Filter the settings.
			 *
			 * @since  1.8
			 *
			 * @param  array $settings
			 */
			$settings = apply_filters( 'give_get_settings_' . $this->id, $settings );

			// Output.
			return $settings;
		}

		/**
		 * Get sections.
		 *
		 * @since 1.8
		 * @return array
		 */
		public function get_sections() {
			$sections = array(
				'advanced-options' => __( 'Advanced Options', 'give' ),
			);

			return apply_filters( 'give_get_sections_' . $this->id, $sections );
		}


		/**
		 *  Render remove_cache_button field type
		 *
		 * @since  2.1
		 * @access public
		 *
		 * @param array $field
		 */
		public function render_remove_cache_button( $field ) {

			?>
			<tr valign="top" <?php echo ! empty( $field['wrapper_class'] ) ? 'class="' . $field['wrapper_class'] . '"' : '' ?>>

				<th scope="row" class="titledesc">
					<label
						for="<?php echo esc_attr( $field['id'] ); ?>"><?php echo esc_html( $field['name'] ) ?></label>
				</th>
				<td class="give-forminp">
					<button type="button" id="<?php echo esc_attr( $field['id'] ); ?>"
					        class="button button-secondary"><?php echo esc_html( $field['buttonTitle'] ) ?></button>
					<?php echo Give_Admin_Settings::get_field_description( $field ); ?>

				</td>
			</tr>
			<?php
		}


		/**
		 * Validate setting
		 *
		 * @since  2.2.0
		 * @access public
		 *
		 * @param array $options
		 */
		public function validate_settngs( $options ) {
			// Sanitize data.
			$akismet_spam_protection = isset( $options['akismet_spam_protection'] )
				? $options['akismet_spam_protection']
				: ( give_check_akismet_key() ? 'enabled' : 'disabled' );

			// Show error message if Akismet not configured and Admin try to save 'enabled' option.
			if (
				give_is_setting_enabled( $akismet_spam_protection )
				&& ! give_check_akismet_key()
			) {
				Give_Admin_Settings::add_error(
					'give-akismet-protection',
					__( 'Please properly configure Akismet to enable SPAM protection.', 'give' )
				);

				give_update_option( 'akismet_spam_protection', 'disabled' );
			}
		}
	}

endif;

return new Give_Settings_Advanced();


1		<?php
2		/**
3		* Give Settings Page/Tab
4		*
5		* @package Give
6		* @subpackage Classes/Give_Settings_Advanced
7		* @copyright Copyright (c) 2016, GiveWP
8		* @license http://opensource.org/licenses/gpl-2.0.php GNU Public License
9		* @since 1.8
10		*/
11
12		if ( ! defined( 'ABSPATH' ) ) {
13		exit; // Exit if accessed directly
14		}
15
16		if ( ! class_exists( 'Give_Settings_Advanced' ) ) :
17
18		/**
19		* Give_Settings_Advanced.
20		*
21		* @sine 1.8
22		*/
23		class Give_Settings_Advanced extends Give_Settings_Page {
24
25		/**
26		* Constructor.
27		*/
28	View Code Duplication	public function __construct() {
		0 ignored issues – show Duplication introduced 2018-08-27 15:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
29		$this->id = 'advanced';
30		$this->label = __( 'Advanced', 'give' );
31
32		$this->default_tab = 'advanced-options';
33
34		if ( $this->id === give_get_current_setting_tab() ) {
35		add_action( 'give_admin_field_remove_cache_button', array( $this, 'render_remove_cache_button' ), 10, 1 );
36		add_action( 'give_save_settings_give_settings', array( $this, 'validate_settngs' ) );
37		}
38
39		parent::__construct();
40		}
41
42		/**
43		* Get settings array.
44		*
45		* @since 1.8
46		* @return array
47		*/
48		public function get_settings() {
49		$settings = array();
50
51		$current_section = give_get_current_setting_section();
52
53		switch ( $current_section ) {
54		case 'advanced-options':
55		$settings = array(
56		array(
57		'id' => 'give_title_data_control_2',
58		'type' => 'title',
59		),
60		array(
61		'name' => __( 'Remove Data on Uninstall', 'give' ),
62		'desc' => __( 'When the plugin is deleted, completely remove all Give data. This includes all Give settings, forms, form meta, donor, donor data, donations. Everything.', 'give' ),
63		'id' => 'uninstall_on_delete',
64		'type' => 'radio_inline',
65		'default' => 'disabled',
66		'options' => array(
67		'enabled' => __( 'Yes, Remove all data', 'give' ),
68		'disabled' => __( 'No, keep my Give settings and donation data', 'give' ),
69		),
70		),
71		array(
72		'name' => __( 'Default User Role', 'give' ),
73		'desc' => __( 'Assign default user roles for donors when donors opt to register as a WP User.', 'give' ),
74		'id' => 'donor_default_user_role',
75		'type' => 'select',
76		'default' => 'give_donor',
77		'options' => give_get_user_roles(),
78		),
79		array(
80		/* translators: %s: the_content */
81		'name' => sprintf( __( '%s filter', 'give' ), '<code>the_content</code>' ),
82		/* translators: 1: https://codex.wordpress.org/Plugin_API/Filter_Reference/the_content 2: the_content */
83		'desc' => sprintf( __( 'If you are seeing extra social buttons, related posts, or other unwanted elements appearing within your forms then you can disable WordPress\' content filter. <a href="%1$s" target="_blank">Learn more</a> about %2$s filter.', 'give' ), esc_url( 'https://codex.wordpress.org/Plugin_API/Filter_Reference/the_content' ), '<code>the_content</code>' ),
84		'id' => 'the_content_filter',
85		'default' => 'enabled',
86		'type' => 'radio_inline',
87		'options' => array(
88		'enabled' => __( 'Enabled', 'give' ),
89		'disabled' => __( 'Disabled', 'give' ),
90		),
91		),
92		array(
93		'name' => __( 'Script Loading Location', 'give' ),
94		'desc' => __( 'This allows you to load your Give scripts either in the <code><head></code> or footer of your website.', 'give' ),
95		'id' => 'scripts_footer',
96		'type' => 'radio_inline',
97		'default' => 'disabled',
98		'options' => array(
99		'disabled' => __( 'Head', 'give' ),
100		'enabled' => __( 'Footer', 'give' ),
101		),
102		),
103		array(
104		'name' => __( 'Babel Polyfill Script', 'give' ),
105		'desc' => __( 'Decide whether to load the Babel polyfill, which provides backwards compatibility for older browsers such as IE 11. The polyfill may be disabled to avoid conflicts with other themes or plugins that load the same script.', 'give' ),
106		'id' => 'babel_polyfill_script',
107		'type' => 'radio_inline',
108		'default' => 'enabled',
109		'options' => array(
110		'enabled' => __( 'Enabled', 'give' ),
111		'disabled' => __( 'Disabled', 'give' ),
112		),
113		),
114		array(
115		'name' => __( 'Akismet SPAM Protection', 'give' ),
116		'desc' => __( 'Add a layer of SPAM protection to your donation submissions with Akismet. When enabled, donation submissions will be first sent to Akismet\'s API if you have the plugin activated and configured.', 'give' ),
117		'id' => 'akismet_spam_protection',
118		'type' => 'radio_inline',
119		'default' => ( give_check_akismet_key() ) ? 'enabled' : 'disabled',
120		'options' => array(
121		'enabled' => __( 'Enabled', 'give' ),
122		'disabled' => __( 'Disabled', 'give' ),
123		),
124		),
125		array(
126		'name' => 'Give Cache',
127		'id' => 'give-clear-cache',
128		'buttonTitle' => __( 'Clear Cache', 'give' ),
129		'desc' => __( 'Click this button if you want to clear Give\'s cache. The plugin stores common settings and queries in cache to optimize performance. Clearing cache will remove and begin rebuilding these saved queries.', 'give' ),
130		'type' => 'remove_cache_button'
131		),
132		array(
133		'name' => __( 'Advanced Settings Docs Link', 'give' ),
134		'id' => 'advanced_settings_docs_link',
135		'url' => esc_url( 'http://docs.givewp.com/settings-advanced' ),
136		'title' => __( 'Advanced Settings', 'give' ),
137		'type' => 'give_docs_link',
138		),
139		array(
140		'id' => 'give_title_data_control_2',
141		'type' => 'sectionend',
142		),
143		);
144		break;
145		}
146
147		/**
148		* Hide caching setting by default.
149		*
150		* @since 2.0
151		*/
152		if ( apply_filters( 'give_settings_advanced_show_cache_setting', false ) ) {
153		array_splice( $settings, 1, 0, array(
154		array(
155		'name' => __( 'Cache', 'give' ),
156		'desc' => __( 'If caching is enabled the plugin will start caching custom post type related queries and reduce the overall load time.', 'give' ),
157		'id' => 'cache',
158		'type' => 'radio_inline',
159		'default' => 'enabled',
160		'options' => array(
161		'enabled' => __( 'Enabled', 'give' ),
162		'disabled' => __( 'Disabled', 'give' ),
163		),
164		)
165		) );
166		}
167
		0 ignored issues – show Coding Style introduced 2017-07-29 03:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this Functions must not contain multiple empty lines in a row; found 2 empty lines Loading history...
168
169		/**
170		* Filter the advanced settings.
171		* Backward compatibility: Please do not use this filter. This filter is deprecated in 1.8
172		*/
173		$settings = apply_filters( 'give_settings_advanced', $settings );
174
175		/**
176		* Filter the settings.
177		*
178		* @since 1.8
179		*
180		* @param array $settings
181		*/
182		$settings = apply_filters( 'give_get_settings_' . $this->id, $settings );
183
184		// Output.
185		return $settings;
186		}
187
188		/**
189		* Get sections.
190		*
191		* @since 1.8
192		* @return array
193		*/
194		public function get_sections() {
195		$sections = array(
196		'advanced-options' => __( 'Advanced Options', 'give' ),
197		);
198
199		return apply_filters( 'give_get_sections_' . $this->id, $sections );
200		}
201
202
203		/**
204		* Render remove_cache_button field type
205		*
206		* @since 2.1
207		* @access public
208		*
209		* @param array $field
210		*/
211	View Code Duplication	public function render_remove_cache_button( $field ) {
		0 ignored issues – show Duplication introduced 2018-04-03 03:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
212		?>
213		<tr valign="top" <?php echo ! empty( $field['wrapper_class'] ) ? 'class="' . $field['wrapper_class'] . '"' : '' ?>>
		0 ignored issues – show introduced 2017-07-29 03:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this Expected next thing to be a escaping function, not '!' Loading history... introduced 2018-04-03 03:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this Expected next thing to be a escaping function, not '$field' Loading history...
214		<th scope="row" class="titledesc">
215		<label
216		for="<?php echo esc_attr( $field['id'] ); ?>"><?php echo esc_html( $field['name'] ) ?></label>
217		</th>
218		<td class="give-forminp">
219		<button type="button" id="<?php echo esc_attr( $field['id'] ); ?>"
220		class="button button-secondary"><?php echo esc_html( $field['buttonTitle'] ) ?></button>
221		<?php echo Give_Admin_Settings::get_field_description( $field ); ?>
		0 ignored issues – show introduced 2018-04-03 03:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'Give_Admin_Settings' Loading history...
222		</td>
223		</tr>
224		<?php
225		}
226
227
228		/**
229		* Validate setting
230		*
231		* @since 2.2.0
232		* @access public
233		*
234		* @param array $options
235		*/
236		public function validate_settngs( $options ) {
237		// Sanitize data.
238		$akismet_spam_protection = isset( $options['akismet_spam_protection'] )
239		? $options['akismet_spam_protection']
240		: ( give_check_akismet_key() ? 'enabled' : 'disabled' );
241
242		// Show error message if Akismet not configured and Admin try to save 'enabled' option.
243		if (
244		give_is_setting_enabled( $akismet_spam_protection )
245		&& ! give_check_akismet_key()
246		) {
247		Give_Admin_Settings::add_error(
248		'give-akismet-protection',
249		__( 'Please properly configure Akismet to enable SPAM protection.', 'give' )
250		);
251
252		give_update_option( 'akismet_spam_protection', 'disabled' );
253		}
254		}
255		}
256
257		endif;
258
259		return new Give_Settings_Advanced();
260

ravinderk / Give

Issues (4335)

Security Analysis not enabled

admin/settings/class-settings-advanced.php (6 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like