Issues in comment.php (master) - Issues in master - staylor/WordPress - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2010)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

wp-admin/comment.php (9 issues)

Labels

Severity

Minor 9

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Comment Management Screen
 *
 * @package WordPress
 * @subpackage Administration
 */

/** Load WordPress Bootstrap */
require_once( dirname( __FILE__ ) . '/admin.php' );

$parent_file = 'edit-comments.php';
$submenu_file = 'edit-comments.php';

/**
 * @global string $action
 */
global $action;
wp_reset_vars( array('action') );

if ( isset( $_POST['deletecomment'] ) )
	$action = 'deletecomment';

if ( 'cdc' == $action )
	$action = 'delete';
elseif ( 'mac' == $action )
	$action = 'approve';

if ( isset( $_GET['dt'] ) ) {
	if ( 'spam' == $_GET['dt'] )
		$action = 'spam';
	elseif ( 'trash' == $_GET['dt'] )
		$action = 'trash';
}

switch( $action ) {

case 'editcomment' :
	$title = __('Edit Comment');

	get_current_screen()->add_help_tab( array(
		'id'      => 'overview',
		'title'   => __('Overview'),
		'content' =>
			'<p>' . __( 'You can edit the information left in a comment if needed. This is often useful when you notice that a commenter has made a typographical error.' ) . '</p>' .
			'<p>' . __( 'You can also moderate the comment from this screen using the Status box, where you can also change the timestamp of the comment.' ) . '</p>'
	) );

	get_current_screen()->set_help_sidebar(
	'<p><strong>' . __( 'For more information:' ) . '</strong></p>' .
	'<p>' . __( '<a href="https://codex.wordpress.org/Administration_Screens#Comments" target="_blank">Documentation on Comments</a>' ) . '</p>' .
	'<p>' . __( '<a href="https://wordpress.org/support/" target="_blank">Support Forums</a>' ) . '</p>'
	);

	wp_enqueue_script('comment');
	require_once( ABSPATH . 'wp-admin/admin-header.php' );

	$comment_id = absint( $_GET['c'] );

	if ( !$comment = get_comment( $comment_id ) )
		comment_footer_die( __( 'Invalid comment ID.' ) . sprintf(' <a href="%s">' . __('Go back') . '</a>.', 'javascript:history.go(-1)') );

	if ( !current_user_can( 'edit_comment', $comment_id ) )
		comment_footer_die( __('Sorry, you are not allowed to edit this comment.') );

	if ( 'trash' == $comment->comment_approved )
		comment_footer_die( __('This comment is in the Trash. Please move it out of the Trash if you want to edit it.') );

	$comment = get_comment_to_edit( $comment_id );

	include( ABSPATH . 'wp-admin/edit-form-comment.php' );

	break;

case 'delete'  :
case 'approve' :
case 'trash'   :
case 'spam'    :

	$title = __('Moderate Comment');

	$comment_id = absint( $_GET['c'] );

	if ( ! $comment = get_comment( $comment_id ) ) {
		wp_redirect( admin_url('edit-comments.php?error=1') );
		die();
	}

	if ( !current_user_can( 'edit_comment', $comment->comment_ID ) ) {
		wp_redirect( admin_url('edit-comments.php?error=2') );
		die();
	}

	// No need to re-approve/re-trash/re-spam a comment.
	if ( $action == str_replace( '1', 'approve', $comment->comment_approved ) ) {
		wp_redirect( admin_url( 'edit-comments.php?same=' . $comment_id ) );
		die();
 	}

	require_once( ABSPATH . 'wp-admin/admin-header.php' );

	$formaction    = $action . 'comment';
	$nonce_action  = 'approve' == $action ? 'approve-comment_' : 'delete-comment_';
	$nonce_action .= $comment_id;

?>
<div class="wrap">

<h1><?php echo esc_html( $title ); ?></h1>

<?php
switch ( $action ) {
	case 'spam' :
		$caution_msg = __('You are about to mark the following comment as spam:');
		$button      = _x( 'Mark as Spam', 'comment' );
		break;
	case 'trash' :
		$caution_msg = __('You are about to move the following comment to the Trash:');
		$button      = __('Move to Trash');
		break;
	case 'delete' :
		$caution_msg = __('You are about to delete the following comment:');
		$button      = __('Permanently Delete Comment');
		break;
	default :
		$caution_msg = __('You are about to approve the following comment:');
		$button      = __('Approve Comment');
		break;
}

if ( $comment->comment_approved != '0' ) { // if not unapproved
	$message = '';
	switch ( $comment->comment_approved ) {
		case '1' :
			$message = __('This comment is currently approved.');
			break;
		case 'spam' :
			$message  = __('This comment is currently marked as spam.');
			break;
		case 'trash' :
			$message  = __('This comment is currently in the Trash.');
			break;
	}
	if ( $message ) {
		echo '<div id="message" class="notice notice-info"><p>' . $message . '</p></div>';
	}
}
?>
<div id="message" class="notice notice-warning"><p><strong><?php _e( 'Caution:' ); ?></strong> <?php echo $caution_msg; ?></p></div>

<table class="form-table comment-ays">
<tr>
<th scope="row"><?php _e('Author'); ?></th>
<td><?php comment_author( $comment ); ?></td>
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
</tr>
<?php if ( get_comment_author_email( $comment ) ) { ?>
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
<tr>
<th scope="row"><?php _e('Email'); ?></th>
<td><?php comment_author_email( $comment ); ?></td>
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
</tr>
<?php } ?>
<?php if ( get_comment_author_url( $comment ) ) { ?>
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
<tr>
<th scope="row"><?php _e('URL'); ?></th>
<td><a href="<?php comment_author_url( $comment ); ?>"><?php comment_author_url( $comment ); ?></a></td>
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
</tr>
<?php } ?>
<tr>
	<th scope="row"><?php /* translators: column name or table row header */ _e( 'In Response To' ); ?></th>
	<td>
	<?php
		$post_id = $comment->comment_post_ID;
		if ( current_user_can( 'edit_post', $post_id ) ) {
			$post_link = "<a href='" . esc_url( get_edit_post_link( $post_id ) ) . "'>";
			$post_link .= esc_html( get_the_title( $post_id ) ) . '</a>';
		} else {
			$post_link = esc_html( get_the_title( $post_id ) );
		}
		echo $post_link;

		if ( $comment->comment_parent ) {
			$parent      = get_comment( $comment->comment_parent );
			$parent_link = esc_url( get_comment_link( $parent ) );
			$name        = get_comment_author( $parent );
			printf(
				/* translators: %s: comment link */
				' | ' . __( 'In reply to %s.' ),
				'<a href="' . $parent_link . '">' . $name . '</a>'
			);
		}
	?>
	</td>
</tr>
<tr>
	<th scope="row"><?php _e( 'Submitted on' ); ?></th>
	<td>
	<?php
		/* translators: 1: comment date, 2: comment time */
		$submitted = sprintf( __( '%1$s at %2$s' ),
			/* translators: comment date format. See https://secure.php.net/date */
			get_comment_date( __( 'Y/m/d' ), $comment ),
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
			get_comment_date( __( 'g:i a' ), $comment )
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
		);
		if ( 'approved' === wp_get_comment_status( $comment ) && ! empty ( $comment->comment_post_ID ) ) {
			echo '<a href="' . esc_url( get_comment_link( $comment ) ) . '">' . $submitted . '</a>';
		} else {
			echo $submitted;
		}
	?>
	</td>
</tr>
<tr>
<th scope="row"><?php /* translators: field name in comment form */ _ex('Comment', 'noun'); ?></th>
<td class="comment-content">
	<?php comment_text( $comment ); ?>
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
	<p class="edit-comment"><a href="<?php echo admin_url( "comment.php?action=editcomment&amp;c={$comment->comment_ID}" ); ?>"><?php esc_attr_e( 'Edit' ); ?></a></p>
</td>
</tr>
</table>

<form action="comment.php" method="get" class="comment-ays-submit">

<p>
	<?php submit_button( $button, 'primary', 'submit', false ); ?>
	<a href="<?php echo admin_url('edit-comments.php'); ?>" class="button-cancel"><?php esc_attr_e( 'Cancel' ); ?></a>
</p>

<?php wp_nonce_field( $nonce_action ); ?>
<input type="hidden" name="action" value="<?php echo esc_attr($formaction); ?>" />
<input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID); ?>" />
<input type="hidden" name="noredir" value="1" />
</form>

</div>
<?php
	break;

case 'deletecomment'    :
case 'trashcomment'     :
case 'untrashcomment'   :
case 'spamcomment'      :
case 'unspamcomment'    :
case 'approvecomment'   :
case 'unapprovecomment' :
	$comment_id = absint( $_REQUEST['c'] );

	if ( in_array( $action, array( 'approvecomment', 'unapprovecomment' ) ) )
		check_admin_referer( 'approve-comment_' . $comment_id );
	else
		check_admin_referer( 'delete-comment_' . $comment_id );

	$noredir = isset($_REQUEST['noredir']);

	if ( !$comment = get_comment($comment_id) )
		comment_footer_die( __( 'Invalid comment ID.' ) . sprintf(' <a href="%s">' . __('Go back') . '</a>.', 'edit-comments.php') );
	if ( !current_user_can( 'edit_comment', $comment->comment_ID ) )
		comment_footer_die( __('Sorry, you are not allowed to edit comments on this post.') );

	if ( '' != wp_get_referer() && ! $noredir && false === strpos(wp_get_referer(), 'comment.php') )
		$redir = wp_get_referer();
	elseif ( '' != wp_get_original_referer() && ! $noredir )
		$redir = wp_get_original_referer();
	elseif ( in_array( $action, array( 'approvecomment', 'unapprovecomment' ) ) )
		$redir = admin_url('edit-comments.php?p=' . absint( $comment->comment_post_ID ) );
	else
		$redir = admin_url('edit-comments.php');

	$redir = remove_query_arg( array('spammed', 'unspammed', 'trashed', 'untrashed', 'deleted', 'ids', 'approved', 'unapproved'), $redir );

	switch ( $action ) {
		case 'deletecomment' :
			wp_delete_comment( $comment );
			$redir = add_query_arg( array('deleted' => '1'), $redir );
			break;
		case 'trashcomment' :
			wp_trash_comment( $comment );
			$redir = add_query_arg( array('trashed' => '1', 'ids' => $comment_id), $redir );
			break;
		case 'untrashcomment' :
			wp_untrash_comment( $comment );
			$redir = add_query_arg( array('untrashed' => '1'), $redir );
			break;
		case 'spamcomment' :
			wp_spam_comment( $comment );
			$redir = add_query_arg( array('spammed' => '1', 'ids' => $comment_id), $redir );
			break;
		case 'unspamcomment' :
			wp_unspam_comment( $comment );
			$redir = add_query_arg( array('unspammed' => '1'), $redir );
			break;
		case 'approvecomment' :
			wp_set_comment_status( $comment, 'approve' );
			$redir = add_query_arg( array( 'approved' => 1 ), $redir );
			break;
		case 'unapprovecomment' :
			wp_set_comment_status( $comment, 'hold' );
			$redir = add_query_arg( array( 'unapproved' => 1 ), $redir );
			break;
	}

	wp_redirect( $redir );
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}
	die;

case 'editedcomment' :

	$comment_id = absint( $_POST['comment_ID'] );
	$comment_post_id = absint( $_POST['comment_post_ID'] );

	check_admin_referer( 'update-comment_' . $comment_id );

	edit_comment();

	$location = ( empty( $_POST['referredby'] ) ? "edit-comments.php?p=$comment_post_id" : $_POST['referredby'] ) . '#comment-' . $comment_id;

	/**
	 * Filters the URI the user is redirected to after editing a comment in the admin.
	 *
	 * @since 2.1.0
	 *
	 * @param string $location The URI the user will be redirected to.
	 * @param int $comment_id The ID of the comment being edited.
	 */
	$location = apply_filters( 'comment_edit_redirect', $location, $comment_id );
	wp_redirect( $location );

	exit();

default:
	wp_die( __('Unknown action.') );

} // end switch

include( ABSPATH . 'wp-admin/admin-footer.php' );


1		<?php
2		/**
3		* Comment Management Screen
4		*
5		* @package WordPress
6		* @subpackage Administration
7		*/
8
9		/** Load WordPress Bootstrap */
10		require_once( dirname( __FILE__ ) . '/admin.php' );
11
12		$parent_file = 'edit-comments.php';
13		$submenu_file = 'edit-comments.php';
14
15		/**
16		* @global string $action
17		*/
18		global $action;
19		wp_reset_vars( array('action') );
20
21		if ( isset( $_POST['deletecomment'] ) )
22		$action = 'deletecomment';
23
24		if ( 'cdc' == $action )
25		$action = 'delete';
26		elseif ( 'mac' == $action )
27		$action = 'approve';
28
29		if ( isset( $_GET['dt'] ) ) {
30		if ( 'spam' == $_GET['dt'] )
31		$action = 'spam';
32		elseif ( 'trash' == $_GET['dt'] )
33		$action = 'trash';
34		}
35
36		switch( $action ) {
37
38		case 'editcomment' :
39		$title = __('Edit Comment');
40
41		get_current_screen()->add_help_tab( array(
42		'id' => 'overview',
43		'title' => __('Overview'),
44		'content' =>
45		'<p>' . __( 'You can edit the information left in a comment if needed. This is often useful when you notice that a commenter has made a typographical error.' ) . '</p>' .
46		'<p>' . __( 'You can also moderate the comment from this screen using the Status box, where you can also change the timestamp of the comment.' ) . '</p>'
47		) );
48
49		get_current_screen()->set_help_sidebar(
50		'<p><strong>' . __( 'For more information:' ) . '</strong></p>' .
51		'<p>' . __( '<a href="https://codex.wordpress.org/Administration_Screens#Comments" target="_blank">Documentation on Comments</a>' ) . '</p>' .
52		'<p>' . __( '<a href="https://wordpress.org/support/" target="_blank">Support Forums</a>' ) . '</p>'
53		);
54
55		wp_enqueue_script('comment');
56		require_once( ABSPATH . 'wp-admin/admin-header.php' );
57
58		$comment_id = absint( $_GET['c'] );
59
60	View Code Duplication	if ( !$comment = get_comment( $comment_id ) )
61		comment_footer_die( __( 'Invalid comment ID.' ) . sprintf(' <a href="%s">' . __('Go back') . '</a>.', 'javascript:history.go(-1)') );
62
63		if ( !current_user_can( 'edit_comment', $comment_id ) )
64		comment_footer_die( __('Sorry, you are not allowed to edit this comment.') );
65
66		if ( 'trash' == $comment->comment_approved )
67		comment_footer_die( __('This comment is in the Trash. Please move it out of the Trash if you want to edit it.') );
68
69		$comment = get_comment_to_edit( $comment_id );
70
71		include( ABSPATH . 'wp-admin/edit-form-comment.php' );
72
73		break;
74
75		case 'delete' :
76		case 'approve' :
77		case 'trash' :
78		case 'spam' :
79
80		$title = __('Moderate Comment');
81
82		$comment_id = absint( $_GET['c'] );
83
84		if ( ! $comment = get_comment( $comment_id ) ) {
85		wp_redirect( admin_url('edit-comments.php?error=1') );
86		die();
87		}
88
89		if ( !current_user_can( 'edit_comment', $comment->comment_ID ) ) {
90		wp_redirect( admin_url('edit-comments.php?error=2') );
91		die();
92		}
93
94		// No need to re-approve/re-trash/re-spam a comment.
95		if ( $action == str_replace( '1', 'approve', $comment->comment_approved ) ) {
96		wp_redirect( admin_url( 'edit-comments.php?same=' . $comment_id ) );
97		die();
98		}
99
100		require_once( ABSPATH . 'wp-admin/admin-header.php' );
101
102		$formaction = $action . 'comment';
103		$nonce_action = 'approve' == $action ? 'approve-comment_' : 'delete-comment_';
104		$nonce_action .= $comment_id;
105
106		?>
107		<div class="wrap">
108
109		<h1><?php echo esc_html( $title ); ?></h1>
110
111		<?php
112		switch ( $action ) {
113		case 'spam' :
114		$caution_msg = __('You are about to mark the following comment as spam:');
115		$button = _x( 'Mark as Spam', 'comment' );
116		break;
117		case 'trash' :
118		$caution_msg = __('You are about to move the following comment to the Trash:');
119		$button = __('Move to Trash');
120		break;
121		case 'delete' :
122		$caution_msg = __('You are about to delete the following comment:');
123		$button = __('Permanently Delete Comment');
124		break;
125		default :
126		$caution_msg = __('You are about to approve the following comment:');
127		$button = __('Approve Comment');
128		break;
129		}
130
131		if ( $comment->comment_approved != '0' ) { // if not unapproved
132		$message = '';
133		switch ( $comment->comment_approved ) {
134		case '1' :
135		$message = __('This comment is currently approved.');
136		break;
137		case 'spam' :
138		$message = __('This comment is currently marked as spam.');
139		break;
140		case 'trash' :
141		$message = __('This comment is currently in the Trash.');
142		break;
143		}
144		if ( $message ) {
145		echo '<div id="message" class="notice notice-info"><p>' . $message . '</p></div>';
146		}
147		}
148		?>
149		<div id="message" class="notice notice-warning"><p><strong><?php _e( 'Caution:' ); ?></strong> <?php echo $caution_msg; ?></p></div>
150
151		<table class="form-table comment-ays">
152		<tr>
153		<th scope="row"><?php _e('Author'); ?></th>
154		<td><?php comment_author( $comment ); ?></td>
		0 ignored issues – show Documentation introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$comment` is of type `object<WP_Comment>\|array`, but the function expects a `integer`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
155		</tr>
156		<?php if ( get_comment_author_email( $comment ) ) { ?>
		0 ignored issues – show Documentation introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$comment` is of type `object<WP_Comment>\|array`, but the function expects a `integer`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
157		<tr>
158		<th scope="row"><?php _e('Email'); ?></th>
159		<td><?php comment_author_email( $comment ); ?></td>
		0 ignored issues – show Documentation introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$comment` is of type `object<WP_Comment>\|array`, but the function expects a `integer`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
160		</tr>
161		<?php } ?>
162		<?php if ( get_comment_author_url( $comment ) ) { ?>
		0 ignored issues – show Documentation introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$comment` is of type `object<WP_Comment>\|array`, but the function expects a `integer`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
163		<tr>
164		<th scope="row"><?php _e('URL'); ?></th>
165		<td><a href="<?php comment_author_url( $comment ); ?>"><?php comment_author_url( $comment ); ?></a></td>
		0 ignored issues – show Documentation introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$comment` is of type `object<WP_Comment>\|array`, but the function expects a `integer`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
166		</tr>
167		<?php } ?>
168		<tr>
169		<th scope="row"><?php /* translators: column name or table row header */ _e( 'In Response To' ); ?></th>
170		<td>
171		<?php
172		$post_id = $comment->comment_post_ID;
173	View Code Duplication	if ( current_user_can( 'edit_post', $post_id ) ) {
174		$post_link = "<a href='" . esc_url( get_edit_post_link( $post_id ) ) . "'>";
175		$post_link .= esc_html( get_the_title( $post_id ) ) . '</a>';
176		} else {
177		$post_link = esc_html( get_the_title( $post_id ) );
178		}
179		echo $post_link;
180
181	View Code Duplication	if ( $comment->comment_parent ) {
182		$parent = get_comment( $comment->comment_parent );
183		$parent_link = esc_url( get_comment_link( $parent ) );
184		$name = get_comment_author( $parent );
185		printf(
186		/* translators: %s: comment link */
187		' \| ' . __( 'In reply to %s.' ),
188		'<a href="' . $parent_link . '">' . $name . '</a>'
189		);
190		}
191		?>
192		</td>
193		</tr>
194		<tr>
195		<th scope="row"><?php _e( 'Submitted on' ); ?></th>
196		<td>
197		<?php
198		/* translators: 1: comment date, 2: comment time */
199		$submitted = sprintf( __( '%1$s at %2$s' ),
200		/* translators: comment date format. See https://secure.php.net/date */
201		get_comment_date( __( 'Y/m/d' ), $comment ),
		0 ignored issues – show Documentation introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$comment` is of type `object<WP_Comment>\|array`, but the function expects a `integer`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
202		get_comment_date( __( 'g:i a' ), $comment )
		0 ignored issues – show Documentation introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$comment` is of type `object<WP_Comment>\|array`, but the function expects a `integer`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
203		);
204		if ( 'approved' === wp_get_comment_status( $comment ) && ! empty ( $comment->comment_post_ID ) ) {
205		echo '<a href="' . esc_url( get_comment_link( $comment ) ) . '">' . $submitted . '</a>';
206		} else {
207		echo $submitted;
208		}
209		?>
210		</td>
211		</tr>
212		<tr>
213		<th scope="row"><?php /* translators: field name in comment form */ _ex('Comment', 'noun'); ?></th>
214		<td class="comment-content">
215		<?php comment_text( $comment ); ?>
		0 ignored issues – show Documentation introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$comment` is of type `object<WP_Comment>\|array`, but the function expects a `integer`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
216		<p class="edit-comment"><a href="<?php echo admin_url( "comment.php?action=editcomment&c={$comment->comment_ID}" ); ?>"><?php esc_attr_e( 'Edit' ); ?></a></p>
217		</td>
218		</tr>
219		</table>
220
221		<form action="comment.php" method="get" class="comment-ays-submit">
222
223		<p>
224		<?php submit_button( $button, 'primary', 'submit', false ); ?>
225		<a href="<?php echo admin_url('edit-comments.php'); ?>" class="button-cancel"><?php esc_attr_e( 'Cancel' ); ?></a>
226		</p>
227
228		<?php wp_nonce_field( $nonce_action ); ?>
229		<input type="hidden" name="action" value="<?php echo esc_attr($formaction); ?>" />
230		<input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID); ?>" />
231		<input type="hidden" name="noredir" value="1" />
232		</form>
233
234		</div>
235		<?php
236		break;
237
238		case 'deletecomment' :
239		case 'trashcomment' :
240		case 'untrashcomment' :
241		case 'spamcomment' :
242		case 'unspamcomment' :
243		case 'approvecomment' :
244		case 'unapprovecomment' :
245		$comment_id = absint( $_REQUEST['c'] );
246
247		if ( in_array( $action, array( 'approvecomment', 'unapprovecomment' ) ) )
248		check_admin_referer( 'approve-comment_' . $comment_id );
249		else
250		check_admin_referer( 'delete-comment_' . $comment_id );
251
252		$noredir = isset($_REQUEST['noredir']);
253
254	View Code Duplication	if ( !$comment = get_comment($comment_id) )
255		comment_footer_die( __( 'Invalid comment ID.' ) . sprintf(' <a href="%s">' . __('Go back') . '</a>.', 'edit-comments.php') );
256		if ( !current_user_can( 'edit_comment', $comment->comment_ID ) )
257		comment_footer_die( __('Sorry, you are not allowed to edit comments on this post.') );
258
259		if ( '' != wp_get_referer() && ! $noredir && false === strpos(wp_get_referer(), 'comment.php') )
260		$redir = wp_get_referer();
261		elseif ( '' != wp_get_original_referer() && ! $noredir )
262		$redir = wp_get_original_referer();
263		elseif ( in_array( $action, array( 'approvecomment', 'unapprovecomment' ) ) )
264		$redir = admin_url('edit-comments.php?p=' . absint( $comment->comment_post_ID ) );
265		else
266		$redir = admin_url('edit-comments.php');
267
268		$redir = remove_query_arg( array('spammed', 'unspammed', 'trashed', 'untrashed', 'deleted', 'ids', 'approved', 'unapproved'), $redir );
269
270		switch ( $action ) {
271		case 'deletecomment' :
272		wp_delete_comment( $comment );
273		$redir = add_query_arg( array('deleted' => '1'), $redir );
274		break;
275		case 'trashcomment' :
276		wp_trash_comment( $comment );
277		$redir = add_query_arg( array('trashed' => '1', 'ids' => $comment_id), $redir );
278		break;
279		case 'untrashcomment' :
280		wp_untrash_comment( $comment );
281		$redir = add_query_arg( array('untrashed' => '1'), $redir );
282		break;
283		case 'spamcomment' :
284		wp_spam_comment( $comment );
285		$redir = add_query_arg( array('spammed' => '1', 'ids' => $comment_id), $redir );
286		break;
287		case 'unspamcomment' :
288		wp_unspam_comment( $comment );
289		$redir = add_query_arg( array('unspammed' => '1'), $redir );
290		break;
291		case 'approvecomment' :
292		wp_set_comment_status( $comment, 'approve' );
293		$redir = add_query_arg( array( 'approved' => 1 ), $redir );
294		break;
295		case 'unapprovecomment' :
296		wp_set_comment_status( $comment, 'hold' );
297		$redir = add_query_arg( array( 'unapproved' => 1 ), $redir );
298		break;
299		}
300
301		wp_redirect( $redir );
		0 ignored issues – show Bug introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$redir` defined by `remove_query_arg(array('... 'unapproved'), $redir)` on line `268` can also be of type `boolean`; however, `wp_redirect()` does only seem to accept `string`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
302		die;
303
304		case 'editedcomment' :
305
306		$comment_id = absint( $_POST['comment_ID'] );
307		$comment_post_id = absint( $_POST['comment_post_ID'] );
308
309		check_admin_referer( 'update-comment_' . $comment_id );
310
311		edit_comment();
312
313		$location = ( empty( $_POST['referredby'] ) ? "edit-comments.php?p=$comment_post_id" : $_POST['referredby'] ) . '#comment-' . $comment_id;
314
315		/**
316		* Filters the URI the user is redirected to after editing a comment in the admin.
317		*
318		* @since 2.1.0
319		*
320		* @param string $location The URI the user will be redirected to.
321		* @param int $comment_id The ID of the comment being edited.
322		*/
323		$location = apply_filters( 'comment_edit_redirect', $location, $comment_id );
324		wp_redirect( $location );
325
326		exit();
327
328		default:
329		wp_die( __('Unknown action.') );
330
331		} // end switch
332
333		include( ABSPATH . 'wp-admin/admin-footer.php' );
334

staylor / WordPress

Issues (2010)

Security Analysis not enabled

wp-admin/comment.php (9 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like