Issues in edit-comments.php (master) - Issues in master - staylor/WordPress - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2010)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

wp-admin/edit-comments.php (4 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Edit Comments Administration Screen.
 *
 * @package WordPress
 * @subpackage Administration
 */

/** WordPress Administration Bootstrap */
require_once( dirname( __FILE__ ) . '/admin.php' );
if ( ! current_user_can( 'edit_posts' ) ) {
	wp_die(
		'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
		'<p>' . __( 'Sorry, you are not allowed to edit comments.' ) . '</p>',
		403
	);
}

$wp_list_table = _get_list_table('WP_Comments_List_Table');
$pagenum = $wp_list_table->get_pagenum();

$doaction = $wp_list_table->current_action();

if ( $doaction ) {
	check_admin_referer( 'bulk-comments' );

	if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
		$comment_status = wp_unslash( $_REQUEST['comment_status'] );
		$delete_time = wp_unslash( $_REQUEST['pagegen_timestamp'] );
		$comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
		$doaction = 'delete';
	} elseif ( isset( $_REQUEST['delete_comments'] ) ) {
		$comment_ids = $_REQUEST['delete_comments'];
		$doaction = ( $_REQUEST['action'] != -1 ) ? $_REQUEST['action'] : $_REQUEST['action2'];
	} elseif ( isset( $_REQUEST['ids'] ) ) {
		$comment_ids = array_map( 'absint', explode( ',', $_REQUEST['ids'] ) );
	} elseif ( wp_get_referer() ) {
		wp_safe_redirect( wp_get_referer() );

		exit;
	}

	$approved = $unapproved = $spammed = $unspammed = $trashed = $untrashed = $deleted = 0;

	$redirect_to = remove_query_arg( array( 'trashed', 'untrashed', 'deleted', 'spammed', 'unspammed', 'approved', 'unapproved', 'ids' ), wp_get_referer() );
	$redirect_to = add_query_arg( 'paged', $pagenum, $redirect_to );

	wp_defer_comment_counting( true );

	foreach ( $comment_ids as $comment_id ) { // Check the permissions on each
		if ( !current_user_can( 'edit_comment', $comment_id ) )
			continue;

		switch ( $doaction ) {
			case 'approve' :
				wp_set_comment_status( $comment_id, 'approve' );
				$approved++;
				break;
			case 'unapprove' :
				wp_set_comment_status( $comment_id, 'hold' );
				$unapproved++;
				break;
			case 'spam' :
				wp_spam_comment( $comment_id );
				$spammed++;
				break;
			case 'unspam' :
				wp_unspam_comment( $comment_id );
				$unspammed++;
				break;
			case 'trash' :
				wp_trash_comment( $comment_id );
				$trashed++;
				break;
			case 'untrash' :
				wp_untrash_comment( $comment_id );
				$untrashed++;
				break;
			case 'delete' :
				wp_delete_comment( $comment_id );
				$deleted++;
				break;
		}
	}

	wp_defer_comment_counting( false );

	if ( $approved )
		$redirect_to = add_query_arg( 'approved', $approved, $redirect_to );
	if ( $unapproved )
		$redirect_to = add_query_arg( 'unapproved', $unapproved, $redirect_to );
	if ( $spammed )
		$redirect_to = add_query_arg( 'spammed', $spammed, $redirect_to );
	if ( $unspammed )
		$redirect_to = add_query_arg( 'unspammed', $unspammed, $redirect_to );
	if ( $trashed )
		$redirect_to = add_query_arg( 'trashed', $trashed, $redirect_to );
	if ( $untrashed )
		$redirect_to = add_query_arg( 'untrashed', $untrashed, $redirect_to );
	if ( $deleted )
		$redirect_to = add_query_arg( 'deleted', $deleted, $redirect_to );
	if ( $trashed || $spammed )
		$redirect_to = add_query_arg( 'ids', join( ',', $comment_ids ), $redirect_to );

	wp_safe_redirect( $redirect_to );
	exit;
} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
	 wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );

	 exit;
}

$wp_list_table->prepare_items();

wp_enqueue_script('admin-comments');
enqueue_comment_hotkeys_js();

if ( $post_id ) {
	$comments_count = wp_count_comments( $post_id );
	$draft_or_post_title = wp_html_excerpt( _draft_or_post_title( $post_id ), 50, '&hellip;' );
	if ( $comments_count->moderated > 0 ) {
		/* translators: 1: comments count 2: post title */
		$title = sprintf( __( 'Comments (%1$s) on &#8220;%2$s&#8221;' ),
			number_format_i18n( $comments_count->moderated ),
			$draft_or_post_title
		);
	} else {
		/* translators: %s: post title */
		$title = sprintf( __( 'Comments on &#8220;%s&#8221;' ),
			$draft_or_post_title
		);
	}
} else {
	$comments_count = wp_count_comments();
	if ( $comments_count->moderated > 0 ) {
		/* translators: %s: comments count */
		$title = sprintf( __( 'Comments (%s)' ),
			number_format_i18n( $comments_count->moderated )
		);
	} else {
		$title = __( 'Comments' );
	}
}

add_screen_option( 'per_page' );

get_current_screen()->add_help_tab( array(
'id'		=> 'overview',
'title'		=> __('Overview'),
'content'	=>
	'<p>' . __( 'You can manage comments made on your site similar to the way you manage posts and other content. This screen is customizable in the same ways as other management screens, and you can act on comments using the on-hover action links or the Bulk Actions.' ) . '</p>'
) );
get_current_screen()->add_help_tab( array(
'id'		=> 'moderating-comments',
'title'		=> __('Moderating Comments'),
'content'	=>
		'<p>' . __( 'A red bar on the left means the comment is waiting for you to moderate it.' ) . '</p>' .
		'<p>' . __( 'In the <strong>Author</strong> column, in addition to the author&#8217;s name, email address, and blog URL, the commenter&#8217;s IP address is shown. Clicking on this link will show you all the comments made from this IP address.' ) . '</p>' .
		'<p>' . __( 'In the <strong>Comment</strong> column, hovering over any comment gives you options to approve, reply (and approve), quick edit, edit, spam mark, or trash that comment.' ) . '</p>' .
		'<p>' . __( 'In the <strong>In Response To</strong> column, there are three elements. The text is the name of the post that inspired the comment, and links to the post editor for that entry. The View Post link leads to that post on your live site. The small bubble with the number in it shows the number of approved comments that post has received. If there are pending comments, a red notification circle with the number of pending comments is displayed. Clicking the notification circle will filter the comments screen to show only pending comments on that post.' ) . '</p>' .
		'<p>' . __( 'In the <strong>Submitted On</strong> column, the date and time the comment was left on your site appears. Clicking on the date/time link will take you to that comment on your live site.' ) . '</p>' .
		'<p>' . __( 'Many people take advantage of keyboard shortcuts to moderate their comments more quickly. Use the link to the side to learn more.' ) . '</p>'
) );

get_current_screen()->set_help_sidebar(
	'<p><strong>' . __( 'For more information:' ) . '</strong></p>' .
	'<p>' . __( '<a href="https://codex.wordpress.org/Administration_Screens#Comments" target="_blank">Documentation on Comments</a>' ) . '</p>' .
	'<p>' . __( '<a href="https://codex.wordpress.org/Comment_Spam" target="_blank">Documentation on Comment Spam</a>' ) . '</p>' .
	'<p>' . __( '<a href="https://codex.wordpress.org/Keyboard_Shortcuts" target="_blank">Documentation on Keyboard Shortcuts</a>' ) . '</p>' .
	'<p>' . __( '<a href="https://wordpress.org/support/" target="_blank">Support Forums</a>' ) . '</p>'
);

get_current_screen()->set_screen_reader_content( array(
	'heading_views'      => __( 'Filter comments list' ),
	'heading_pagination' => __( 'Comments list navigation' ),
	'heading_list'       => __( 'Comments list' ),
) );

require_once( ABSPATH . 'wp-admin/admin-header.php' );
?>

<div class="wrap">
<h1><?php
if ( $post_id ) {
	/* translators: %s: link to post */
	printf( __( 'Comments on &#8220;%s&#8221;' ),
		sprintf( '<a href="%1$s">%2$s</a>',
			get_edit_post_link( $post_id ),
			wp_html_excerpt( _draft_or_post_title( $post_id ), 50, '&hellip;' )
		)
	);
} else {
	_e( 'Comments' );
}

if ( isset($_REQUEST['s']) && strlen( $_REQUEST['s'] ) ) {
	echo '<span class="subtitle">';
	/* translators: %s: search keywords */
	printf( __( 'Search results for &#8220;%s&#8221;' ),
		wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50, '&hellip;' )

	);
	echo '</span>';
}
?></h1>

<?php
if ( isset( $_REQUEST['error'] ) ) {
	$error = (int) $_REQUEST['error'];
	$error_msg = '';
	switch ( $error ) {
		case 1 :
			$error_msg = __( 'Invalid comment ID.' );
			break;
		case 2 :
			$error_msg = __( 'Sorry, you are not allowed to edit comments on this post.' );
			break;
	}
	if ( $error_msg )
		echo '<div id="moderated" class="error"><p>' . $error_msg . '</p></div>';
}

if ( isset($_REQUEST['approved']) || isset($_REQUEST['deleted']) || isset($_REQUEST['trashed']) || isset($_REQUEST['untrashed']) || isset($_REQUEST['spammed']) || isset($_REQUEST['unspammed']) || isset($_REQUEST['same']) ) {
	$approved  = isset( $_REQUEST['approved']  ) ? (int) $_REQUEST['approved']  : 0;
	$deleted   = isset( $_REQUEST['deleted']   ) ? (int) $_REQUEST['deleted']   : 0;
	$trashed   = isset( $_REQUEST['trashed']   ) ? (int) $_REQUEST['trashed']   : 0;
	$untrashed = isset( $_REQUEST['untrashed'] ) ? (int) $_REQUEST['untrashed'] : 0;
	$spammed   = isset( $_REQUEST['spammed']   ) ? (int) $_REQUEST['spammed']   : 0;
	$unspammed = isset( $_REQUEST['unspammed'] ) ? (int) $_REQUEST['unspammed'] : 0;
	$same      = isset( $_REQUEST['same'] )      ? (int) $_REQUEST['same']      : 0;

	if ( $approved > 0 || $deleted > 0 || $trashed > 0 || $untrashed > 0 || $spammed > 0 || $unspammed > 0 || $same > 0 ) {
		if ( $approved > 0 ) {
			/* translators: %s: number of comments approved */
			$messages[] = sprintf( _n( '%s comment approved', '%s comments approved', $approved ), $approved );
		}

		if ( $spammed > 0 ) {
			$ids = isset($_REQUEST['ids']) ? $_REQUEST['ids'] : 0;
			/* translators: %s: number of comments marked as spam */
			$messages[] = sprintf( _n( '%s comment marked as spam.', '%s comments marked as spam.', $spammed ), $spammed ) . ' <a href="' . esc_url( wp_nonce_url( "edit-comments.php?doaction=undo&action=unspam&ids=$ids", "bulk-comments" ) ) . '">' . __('Undo') . '</a><br />';
		}

		if ( $unspammed > 0 ) {
			/* translators: %s: number of comments restored from the spam */
			$messages[] = sprintf( _n( '%s comment restored from the spam', '%s comments restored from the spam', $unspammed ), $unspammed );
		}

		if ( $trashed > 0 ) {
			$ids = isset($_REQUEST['ids']) ? $_REQUEST['ids'] : 0;
			/* translators: %s: number of comments moved to the Trash */
			$messages[] = sprintf( _n( '%s comment moved to the Trash.', '%s comments moved to the Trash.', $trashed ), $trashed ) . ' <a href="' . esc_url( wp_nonce_url( "edit-comments.php?doaction=undo&action=untrash&ids=$ids", "bulk-comments" ) ) . '">' . __('Undo') . '</a><br />';
		}

		if ( $untrashed > 0 ) {
			/* translators: %s: number of comments restored from the Trash */
			$messages[] = sprintf( _n( '%s comment restored from the Trash', '%s comments restored from the Trash', $untrashed ), $untrashed );
		}

		if ( $deleted > 0 ) {
			/* translators: %s: number of comments permanently deleted */
			$messages[] = sprintf( _n( '%s comment permanently deleted', '%s comments permanently deleted', $deleted ), $deleted );
		}

		if ( $same > 0 && $comment = get_comment( $same ) ) {
			switch ( $comment->comment_approved ) {
				case '1' :
					$messages[] = __('This comment is already approved.') . ' <a href="' . esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) ) . '">' . __( 'Edit comment' ) . '</a>';
					break;
				case 'trash' :
					$messages[] = __( 'This comment is already in the Trash.' ) . ' <a href="' . esc_url( admin_url( 'edit-comments.php?comment_status=trash' ) ) . '"> ' . __( 'View Trash' ) . '</a>';
					break;
				case 'spam' :
					$messages[] = __( 'This comment is already marked as spam.' ) . ' <a href="' . esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) ) . '">' . __( 'Edit comment' ) . '</a>';
					break;
			}
		}

		echo '<div id="moderated" class="updated notice is-dismissible"><p>' . implode( "<br/>\n", $messages ) . '</p></div>';
	}
}
?>

<?php $wp_list_table->views(); ?>

<form id="comments-form" method="get">

<?php $wp_list_table->search_box( __( 'Search Comments' ), 'comment' ); ?>

<?php if ( $post_id ) : ?>
<input type="hidden" name="p" value="<?php echo esc_attr( intval( $post_id ) ); ?>" />
<?php endif; ?>
<input type="hidden" name="comment_status" value="<?php echo esc_attr($comment_status); ?>" />
<input type="hidden" name="pagegen_timestamp" value="<?php echo esc_attr(current_time('mysql', 1)); ?>" />

<input type="hidden" name="_total" value="<?php echo esc_attr( $wp_list_table->get_pagination_arg('total_items') ); ?>" />
<input type="hidden" name="_per_page" value="<?php echo esc_attr( $wp_list_table->get_pagination_arg('per_page') ); ?>" />
<input type="hidden" name="_page" value="<?php echo esc_attr( $wp_list_table->get_pagination_arg('page') ); ?>" />

<?php if ( isset($_REQUEST['paged']) ) { ?>
	<input type="hidden" name="paged" value="<?php echo esc_attr( absint( $_REQUEST['paged'] ) ); ?>" />
<?php } ?>

<?php $wp_list_table->display(); ?>
</form>
</div>

<div id="ajax-response"></div>

<?php
wp_comment_reply('-1', true, 'detail');
wp_comment_trashnotice();
include( ABSPATH . 'wp-admin/admin-footer.php' ); ?>


1		<?php
2		/**
3		* Edit Comments Administration Screen.
4		*
5		* @package WordPress
6		* @subpackage Administration
7		*/
8
9		/** WordPress Administration Bootstrap */
10		require_once( dirname( __FILE__ ) . '/admin.php' );
11		if ( ! current_user_can( 'edit_posts' ) ) {
12		wp_die(
13		'<h1>' . __( 'Cheatin’ uh?' ) . '</h1>' .
14		'<p>' . __( 'Sorry, you are not allowed to edit comments.' ) . '</p>',
15		403
16		);
17		}
18
19		$wp_list_table = _get_list_table('WP_Comments_List_Table');
20		$pagenum = $wp_list_table->get_pagenum();
21
22		$doaction = $wp_list_table->current_action();
23
24		if ( $doaction ) {
25		check_admin_referer( 'bulk-comments' );
26
27		if ( 'delete_all' == $doaction && !empty( $_REQUEST['pagegen_timestamp'] ) ) {
28		$comment_status = wp_unslash( $_REQUEST['comment_status'] );
29		$delete_time = wp_unslash( $_REQUEST['pagegen_timestamp'] );
30		$comment_ids = $wpdb->get_col( $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_approved = %s AND %s > comment_date_gmt", $comment_status, $delete_time ) );
31		$doaction = 'delete';
32		} elseif ( isset( $_REQUEST['delete_comments'] ) ) {
33		$comment_ids = $_REQUEST['delete_comments'];
34		$doaction = ( $_REQUEST['action'] != -1 ) ? $_REQUEST['action'] : $_REQUEST['action2'];
35		} elseif ( isset( $_REQUEST['ids'] ) ) {
36		$comment_ids = array_map( 'absint', explode( ',', $_REQUEST['ids'] ) );
37		} elseif ( wp_get_referer() ) {
38		wp_safe_redirect( wp_get_referer() );
		0 ignored issues – show Security Bug introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `wp_get_referer()` can also be of type `false`; however, `wp_safe_redirect()` does only seem to accept `string`, did you maybe forget to handle an error condition? Loading history...
39		exit;
40		}
41
42		$approved = $unapproved = $spammed = $unspammed = $trashed = $untrashed = $deleted = 0;
43
44		$redirect_to = remove_query_arg( array( 'trashed', 'untrashed', 'deleted', 'spammed', 'unspammed', 'approved', 'unapproved', 'ids' ), wp_get_referer() );
45		$redirect_to = add_query_arg( 'paged', $pagenum, $redirect_to );
46
47		wp_defer_comment_counting( true );
48
49		foreach ( $comment_ids as $comment_id ) { // Check the permissions on each
50		if ( !current_user_can( 'edit_comment', $comment_id ) )
51		continue;
52
53		switch ( $doaction ) {
54		case 'approve' :
55		wp_set_comment_status( $comment_id, 'approve' );
56		$approved++;
57		break;
58		case 'unapprove' :
59		wp_set_comment_status( $comment_id, 'hold' );
60		$unapproved++;
61		break;
62		case 'spam' :
63		wp_spam_comment( $comment_id );
64		$spammed++;
65		break;
66		case 'unspam' :
67		wp_unspam_comment( $comment_id );
68		$unspammed++;
69		break;
70		case 'trash' :
71		wp_trash_comment( $comment_id );
72		$trashed++;
73		break;
74		case 'untrash' :
75		wp_untrash_comment( $comment_id );
76		$untrashed++;
77		break;
78		case 'delete' :
79		wp_delete_comment( $comment_id );
80		$deleted++;
81		break;
82		}
83		}
84
85		wp_defer_comment_counting( false );
86
87		if ( $approved )
88		$redirect_to = add_query_arg( 'approved', $approved, $redirect_to );
89		if ( $unapproved )
90		$redirect_to = add_query_arg( 'unapproved', $unapproved, $redirect_to );
91		if ( $spammed )
92		$redirect_to = add_query_arg( 'spammed', $spammed, $redirect_to );
93		if ( $unspammed )
94		$redirect_to = add_query_arg( 'unspammed', $unspammed, $redirect_to );
95		if ( $trashed )
96		$redirect_to = add_query_arg( 'trashed', $trashed, $redirect_to );
97		if ( $untrashed )
98		$redirect_to = add_query_arg( 'untrashed', $untrashed, $redirect_to );
99		if ( $deleted )
100		$redirect_to = add_query_arg( 'deleted', $deleted, $redirect_to );
101		if ( $trashed \|\| $spammed )
102		$redirect_to = add_query_arg( 'ids', join( ',', $comment_ids ), $redirect_to );
103
104		wp_safe_redirect( $redirect_to );
105		exit;
106	View Code Duplication	} elseif ( ! empty( $_GET['_wp_http_referer'] ) ) {
107		wp_redirect( remove_query_arg( array( '_wp_http_referer', '_wpnonce' ), wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
		0 ignored issues – show Bug introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `wp_unslash($_SERVER['REQUEST_URI'])` targeting `wp_unslash()` can also be of type `array`; however, `remove_query_arg()` does only seem to accept `boolean\|string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history... Bug introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `remove_query_arg(array('...SERVER['REQUEST_URI']))` targeting `remove_query_arg()` can also be of type `boolean`; however, `wp_redirect()` does only seem to accept `string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
108		exit;
109		}
110
111		$wp_list_table->prepare_items();
112
113		wp_enqueue_script('admin-comments');
114		enqueue_comment_hotkeys_js();
115
116		if ( $post_id ) {
117		$comments_count = wp_count_comments( $post_id );
118		$draft_or_post_title = wp_html_excerpt( _draft_or_post_title( $post_id ), 50, '…' );
119	View Code Duplication	if ( $comments_count->moderated > 0 ) {
120		/* translators: 1: comments count 2: post title */
121		$title = sprintf( __( 'Comments (%1$s) on “%2$s”' ),
122		number_format_i18n( $comments_count->moderated ),
123		$draft_or_post_title
124		);
125		} else {
126		/* translators: %s: post title */
127		$title = sprintf( __( 'Comments on “%s”' ),
128		$draft_or_post_title
129		);
130		}
131		} else {
132		$comments_count = wp_count_comments();
133	View Code Duplication	if ( $comments_count->moderated > 0 ) {
134		/* translators: %s: comments count */
135		$title = sprintf( __( 'Comments (%s)' ),
136		number_format_i18n( $comments_count->moderated )
137		);
138		} else {
139		$title = __( 'Comments' );
140		}
141		}
142
143		add_screen_option( 'per_page' );
144
145		get_current_screen()->add_help_tab( array(
146		'id' => 'overview',
147		'title' => __('Overview'),
148		'content' =>
149		'<p>' . __( 'You can manage comments made on your site similar to the way you manage posts and other content. This screen is customizable in the same ways as other management screens, and you can act on comments using the on-hover action links or the Bulk Actions.' ) . '</p>'
150		) );
151		get_current_screen()->add_help_tab( array(
152		'id' => 'moderating-comments',
153		'title' => __('Moderating Comments'),
154		'content' =>
155		'<p>' . __( 'A red bar on the left means the comment is waiting for you to moderate it.' ) . '</p>' .
156		'<p>' . __( 'In the <strong>Author</strong> column, in addition to the author’s name, email address, and blog URL, the commenter’s IP address is shown. Clicking on this link will show you all the comments made from this IP address.' ) . '</p>' .
157		'<p>' . __( 'In the <strong>Comment</strong> column, hovering over any comment gives you options to approve, reply (and approve), quick edit, edit, spam mark, or trash that comment.' ) . '</p>' .
158		'<p>' . __( 'In the <strong>In Response To</strong> column, there are three elements. The text is the name of the post that inspired the comment, and links to the post editor for that entry. The View Post link leads to that post on your live site. The small bubble with the number in it shows the number of approved comments that post has received. If there are pending comments, a red notification circle with the number of pending comments is displayed. Clicking the notification circle will filter the comments screen to show only pending comments on that post.' ) . '</p>' .
159		'<p>' . __( 'In the <strong>Submitted On</strong> column, the date and time the comment was left on your site appears. Clicking on the date/time link will take you to that comment on your live site.' ) . '</p>' .
160		'<p>' . __( 'Many people take advantage of keyboard shortcuts to moderate their comments more quickly. Use the link to the side to learn more.' ) . '</p>'
161		) );
162
163		get_current_screen()->set_help_sidebar(
164		'<p><strong>' . __( 'For more information:' ) . '</strong></p>' .
165		'<p>' . __( '<a href="https://codex.wordpress.org/Administration_Screens#Comments" target="_blank">Documentation on Comments</a>' ) . '</p>' .
166		'<p>' . __( '<a href="https://codex.wordpress.org/Comment_Spam" target="_blank">Documentation on Comment Spam</a>' ) . '</p>' .
167		'<p>' . __( '<a href="https://codex.wordpress.org/Keyboard_Shortcuts" target="_blank">Documentation on Keyboard Shortcuts</a>' ) . '</p>' .
168		'<p>' . __( '<a href="https://wordpress.org/support/" target="_blank">Support Forums</a>' ) . '</p>'
169		);
170
171		get_current_screen()->set_screen_reader_content( array(
172		'heading_views' => __( 'Filter comments list' ),
173		'heading_pagination' => __( 'Comments list navigation' ),
174		'heading_list' => __( 'Comments list' ),
175		) );
176
177		require_once( ABSPATH . 'wp-admin/admin-header.php' );
178		?>
179
180		<div class="wrap">
181		<h1><?php
182		if ( $post_id ) {
183		/* translators: %s: link to post */
184		printf( __( 'Comments on “%s”' ),
185		sprintf( '<a href="%1$s">%2$s</a>',
186		get_edit_post_link( $post_id ),
187		wp_html_excerpt( _draft_or_post_title( $post_id ), 50, '…' )
188		)
189		);
190		} else {
191		_e( 'Comments' );
192		}
193
194		if ( isset($_REQUEST['s']) && strlen( $_REQUEST['s'] ) ) {
195		echo '<span class="subtitle">';
196		/* translators: %s: search keywords */
197		printf( __( 'Search results for “%s”' ),
198		wp_html_excerpt( esc_html( wp_unslash( $_REQUEST['s'] ) ), 50, '…' )
		0 ignored issues – show Bug introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `wp_unslash($_REQUEST['s'])` targeting `wp_unslash()` can also be of type `array`; however, `esc_html()` does only seem to accept `string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
199		);
200		echo '</span>';
201		}
202		?></h1>
203
204		<?php
205		if ( isset( $_REQUEST['error'] ) ) {
206		$error = (int) $_REQUEST['error'];
207		$error_msg = '';
208		switch ( $error ) {
209		case 1 :
210		$error_msg = __( 'Invalid comment ID.' );
211		break;
212		case 2 :
213		$error_msg = __( 'Sorry, you are not allowed to edit comments on this post.' );
214		break;
215		}
216		if ( $error_msg )
217		echo '<div id="moderated" class="error"><p>' . $error_msg . '</p></div>';
218		}
219
220		if ( isset($_REQUEST['approved']) \|\| isset($_REQUEST['deleted']) \|\| isset($_REQUEST['trashed']) \|\| isset($_REQUEST['untrashed']) \|\| isset($_REQUEST['spammed']) \|\| isset($_REQUEST['unspammed']) \|\| isset($_REQUEST['same']) ) {
221		$approved = isset( $_REQUEST['approved'] ) ? (int) $_REQUEST['approved'] : 0;
222		$deleted = isset( $_REQUEST['deleted'] ) ? (int) $_REQUEST['deleted'] : 0;
223		$trashed = isset( $_REQUEST['trashed'] ) ? (int) $_REQUEST['trashed'] : 0;
224		$untrashed = isset( $_REQUEST['untrashed'] ) ? (int) $_REQUEST['untrashed'] : 0;
225		$spammed = isset( $_REQUEST['spammed'] ) ? (int) $_REQUEST['spammed'] : 0;
226		$unspammed = isset( $_REQUEST['unspammed'] ) ? (int) $_REQUEST['unspammed'] : 0;
227		$same = isset( $_REQUEST['same'] ) ? (int) $_REQUEST['same'] : 0;
228
229		if ( $approved > 0 \|\| $deleted > 0 \|\| $trashed > 0 \|\| $untrashed > 0 \|\| $spammed > 0 \|\| $unspammed > 0 \|\| $same > 0 ) {
230		if ( $approved > 0 ) {
231		/* translators: %s: number of comments approved */
232		$messages[] = sprintf( _n( '%s comment approved', '%s comments approved', $approved ), $approved );
233		}
234
235	View Code Duplication	if ( $spammed > 0 ) {
236		$ids = isset($_REQUEST['ids']) ? $_REQUEST['ids'] : 0;
237		/* translators: %s: number of comments marked as spam */
238		$messages[] = sprintf( _n( '%s comment marked as spam.', '%s comments marked as spam.', $spammed ), $spammed ) . ' <a href="' . esc_url( wp_nonce_url( "edit-comments.php?doaction=undo&action=unspam&ids=$ids", "bulk-comments" ) ) . '">' . __('Undo') . '</a><br />';
239		}
240
241		if ( $unspammed > 0 ) {
242		/* translators: %s: number of comments restored from the spam */
243		$messages[] = sprintf( _n( '%s comment restored from the spam', '%s comments restored from the spam', $unspammed ), $unspammed );
244		}
245
246	View Code Duplication	if ( $trashed > 0 ) {
247		$ids = isset($_REQUEST['ids']) ? $_REQUEST['ids'] : 0;
248		/* translators: %s: number of comments moved to the Trash */
249		$messages[] = sprintf( _n( '%s comment moved to the Trash.', '%s comments moved to the Trash.', $trashed ), $trashed ) . ' <a href="' . esc_url( wp_nonce_url( "edit-comments.php?doaction=undo&action=untrash&ids=$ids", "bulk-comments" ) ) . '">' . __('Undo') . '</a><br />';
250		}
251
252		if ( $untrashed > 0 ) {
253		/* translators: %s: number of comments restored from the Trash */
254		$messages[] = sprintf( _n( '%s comment restored from the Trash', '%s comments restored from the Trash', $untrashed ), $untrashed );
255		}
256
257		if ( $deleted > 0 ) {
258		/* translators: %s: number of comments permanently deleted */
259		$messages[] = sprintf( _n( '%s comment permanently deleted', '%s comments permanently deleted', $deleted ), $deleted );
260		}
261
262		if ( $same > 0 && $comment = get_comment( $same ) ) {
263		switch ( $comment->comment_approved ) {
264	View Code Duplication	case '1' :
265		$messages[] = __('This comment is already approved.') . ' <a href="' . esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) ) . '">' . __( 'Edit comment' ) . '</a>';
266		break;
267	View Code Duplication	case 'trash' :
268		$messages[] = __( 'This comment is already in the Trash.' ) . ' <a href="' . esc_url( admin_url( 'edit-comments.php?comment_status=trash' ) ) . '"> ' . __( 'View Trash' ) . '</a>';
269		break;
270	View Code Duplication	case 'spam' :
271		$messages[] = __( 'This comment is already marked as spam.' ) . ' <a href="' . esc_url( admin_url( "comment.php?action=editcomment&c=$same" ) ) . '">' . __( 'Edit comment' ) . '</a>';
272		break;
273		}
274		}
275
276		echo '<div id="moderated" class="updated notice is-dismissible"><p>' . implode( "<br/>\n", $messages ) . '</p></div>';
277		}
278		}
279		?>
280
281		<?php $wp_list_table->views(); ?>
282
283		<form id="comments-form" method="get">
284
285		<?php $wp_list_table->search_box( __( 'Search Comments' ), 'comment' ); ?>
286
287		<?php if ( $post_id ) : ?>
288		<input type="hidden" name="p" value="<?php echo esc_attr( intval( $post_id ) ); ?>" />
289		<?php endif; ?>
290		<input type="hidden" name="comment_status" value="<?php echo esc_attr($comment_status); ?>" />
291		<input type="hidden" name="pagegen_timestamp" value="<?php echo esc_attr(current_time('mysql', 1)); ?>" />
292
293		<input type="hidden" name="_total" value="<?php echo esc_attr( $wp_list_table->get_pagination_arg('total_items') ); ?>" />
294		<input type="hidden" name="_per_page" value="<?php echo esc_attr( $wp_list_table->get_pagination_arg('per_page') ); ?>" />
295		<input type="hidden" name="_page" value="<?php echo esc_attr( $wp_list_table->get_pagination_arg('page') ); ?>" />
296
297		<?php if ( isset($_REQUEST['paged']) ) { ?>
298		<input type="hidden" name="paged" value="<?php echo esc_attr( absint( $_REQUEST['paged'] ) ); ?>" />
299		<?php } ?>
300
301		<?php $wp_list_table->display(); ?>
302		</form>
303		</div>
304
305		<div id="ajax-response"></div>
306
307		<?php
308		wp_comment_reply('-1', true, 'detail');
309		wp_comment_trashnotice();
310		include( ABSPATH . 'wp-admin/admin-footer.php' ); ?>
311

staylor / WordPress

Issues (2010)

Security Analysis not enabled

wp-admin/edit-comments.php (4 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like