Issues in edit.php (master) - Issues in master - staylor/WordPress - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2010)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

wp-admin/edit.php (3 issues)

Labels

Bug 3

Severity

Minor 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Edit Posts Administration Screen.
 *
 * @package WordPress
 * @subpackage Administration
 */

/** WordPress Administration Bootstrap */
require_once( dirname( __FILE__ ) . '/admin.php' );

if ( ! $typenow )
	wp_die( __( 'Invalid post type.' ) );

if ( ! in_array( $typenow, get_post_types( array( 'show_ui' => true ) ) ) ) {
	wp_die( __( 'Sorry, you are not allowed to edit posts in this post type.' ) );
}

if ( 'attachment' === $typenow ) {
	if ( wp_redirect( admin_url( 'upload.php' ) ) ) {
		exit;
	}
}

/**
 * @global string       $post_type
 * @global WP_Post_Type $post_type_object
 */
global $post_type, $post_type_object;

$post_type = $typenow;
$post_type_object = get_post_type_object( $post_type );

if ( ! $post_type_object )
	wp_die( __( 'Invalid post type.' ) );

if ( ! current_user_can( $post_type_object->cap->edit_posts ) ) {
	wp_die(
		'<h1>' . __( 'Cheatin&#8217; uh?' ) . '</h1>' .
		'<p>' . __( 'Sorry, you are not allowed to edit posts in this post type.' ) . '</p>',
		403
	);
}

$wp_list_table = _get_list_table('WP_Posts_List_Table');
$pagenum = $wp_list_table->get_pagenum();

// Back-compat for viewing comments of an entry
foreach ( array( 'p', 'attachment_id', 'page_id' ) as $_redirect ) {
	if ( ! empty( $_REQUEST[ $_redirect ] ) ) {
		wp_redirect( admin_url( 'edit-comments.php?p=' . absint( $_REQUEST[ $_redirect ] ) ) );
		exit;
	}
}
unset( $_redirect );

if ( 'post' != $post_type ) {
	$parent_file = "edit.php?post_type=$post_type";
	$submenu_file = "edit.php?post_type=$post_type";
	$post_new_file = "post-new.php?post_type=$post_type";
} else {
	$parent_file = 'edit.php';
	$submenu_file = 'edit.php';
	$post_new_file = 'post-new.php';
}

$doaction = $wp_list_table->current_action();

if ( $doaction ) {
	check_admin_referer('bulk-posts');

	$sendback = remove_query_arg( array('trashed', 'untrashed', 'deleted', 'locked', 'ids'), wp_get_referer() );
	if ( ! $sendback )
		$sendback = admin_url( $parent_file );
	$sendback = add_query_arg( 'paged', $pagenum, $sendback );
	if ( strpos($sendback, 'post.php') !== false )
		$sendback = admin_url($post_new_file);

	if ( 'delete_all' == $doaction ) {
		// Prepare for deletion of all posts with a specified post status (i.e. Empty trash).
		$post_status = preg_replace('/[^a-z0-9_-]+/i', '', $_REQUEST['post_status']);
		// Validate the post status exists.
		if ( get_post_status_object( $post_status ) ) {
			$post_ids = $wpdb->get_col( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_type=%s AND post_status = %s", $post_type, $post_status ) );
		}
		$doaction = 'delete';
	} elseif ( isset( $_REQUEST['media'] ) ) {
		$post_ids = $_REQUEST['media'];
	} elseif ( isset( $_REQUEST['ids'] ) ) {
		$post_ids = explode( ',', $_REQUEST['ids'] );
	} elseif ( !empty( $_REQUEST['post'] ) ) {
		$post_ids = array_map('intval', $_REQUEST['post']);
	}

	if ( !isset( $post_ids ) ) {
		wp_redirect( $sendback );
		exit;
	}

	switch ( $doaction ) {
		case 'trash':
			$trashed = $locked = 0;

			foreach ( (array) $post_ids as $post_id ) {
				if ( !current_user_can( 'delete_post', $post_id) )
					wp_die( __('Sorry, you are not allowed to move this item to the Trash.') );

				if ( wp_check_post_lock( $post_id ) ) {
					$locked++;
					continue;
				}

				if ( !wp_trash_post($post_id) )
					wp_die( __('Error in moving to Trash.') );

				$trashed++;
			}

			$sendback = add_query_arg( array('trashed' => $trashed, 'ids' => join(',', $post_ids), 'locked' => $locked ), $sendback );
			break;
		case 'untrash':
			$untrashed = 0;
			foreach ( (array) $post_ids as $post_id ) {
				if ( !current_user_can( 'delete_post', $post_id) )
					wp_die( __('Sorry, you are not allowed to restore this item from the Trash.') );

				if ( !wp_untrash_post($post_id) )
					wp_die( __('Error in restoring from Trash.') );

				$untrashed++;
			}
			$sendback = add_query_arg('untrashed', $untrashed, $sendback);
			break;
		case 'delete':
			$deleted = 0;
			foreach ( (array) $post_ids as $post_id ) {
				$post_del = get_post($post_id);

				if ( !current_user_can( 'delete_post', $post_id ) )
					wp_die( __('Sorry, you are not allowed to delete this item.') );

				if ( $post_del->post_type == 'attachment' ) {
					if ( ! wp_delete_attachment($post_id) )
						wp_die( __('Error in deleting.') );
				} else {
					if ( !wp_delete_post($post_id) )
						wp_die( __('Error in deleting.') );
				}
				$deleted++;
			}
			$sendback = add_query_arg('deleted', $deleted, $sendback);
			break;
		case 'edit':
			if ( isset($_REQUEST['bulk_edit']) ) {
				$done = bulk_edit_posts($_REQUEST);

				if ( is_array($done) ) {
					$done['updated'] = count( $done['updated'] );
					$done['skipped'] = count( $done['skipped'] );
					$done['locked'] = count( $done['locked'] );
					$sendback = add_query_arg( $done, $sendback );
				}
			}
			break;
	}

	$sendback = remove_query_arg( array('action', 'action2', 'tags_input', 'post_author', 'comment_status', 'ping_status', '_status', 'post', 'bulk_edit', 'post_view'), $sendback );

	wp_redirect($sendback);
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}
	exit();
} elseif ( ! empty($_REQUEST['_wp_http_referer']) ) {
	 wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) ) );

	 exit;
}

$wp_list_table->prepare_items();

wp_enqueue_script('inline-edit-post');
wp_enqueue_script('heartbeat');

$title = $post_type_object->labels->name;

if ( 'post' == $post_type ) {
	get_current_screen()->add_help_tab( array(
	'id'		=> 'overview',
	'title'		=> __('Overview'),
	'content'	=>
		'<p>' . __('This screen provides access to all of your posts. You can customize the display of this screen to suit your workflow.') . '</p>'
	) );
	get_current_screen()->add_help_tab( array(
	'id'		=> 'screen-content',
	'title'		=> __('Screen Content'),
	'content'	=>
		'<p>' . __('You can customize the display of this screen&#8217;s contents in a number of ways:') . '</p>' .
		'<ul>' .
			'<li>' . __('You can hide/display columns based on your needs and decide how many posts to list per screen using the Screen Options tab.') . '</li>' .
			'<li>' . __( 'You can filter the list of posts by post status using the text links above the posts list to only show posts with that status. The default view is to show all posts.' ) . '</li>' .
			'<li>' . __('You can view posts in a simple title list or with an excerpt using the Screen Options tab.') . '</li>' .
			'<li>' . __('You can refine the list to show only posts in a specific category or from a specific month by using the dropdown menus above the posts list. Click the Filter button after making your selection. You also can refine the list by clicking on the post author, category or tag in the posts list.') . '</li>' .
		'</ul>'
	) );
	get_current_screen()->add_help_tab( array(
	'id'		=> 'action-links',
	'title'		=> __('Available Actions'),
	'content'	=>
		'<p>' . __('Hovering over a row in the posts list will display action links that allow you to manage your post. You can perform the following actions:') . '</p>' .
		'<ul>' .
			'<li>' . __('<strong>Edit</strong> takes you to the editing screen for that post. You can also reach that screen by clicking on the post title.') . '</li>' .
			'<li>' . __('<strong>Quick Edit</strong> provides inline access to the metadata of your post, allowing you to update post details without leaving this screen.') . '</li>' .
			'<li>' . __('<strong>Trash</strong> removes your post from this list and places it in the trash, from which you can permanently delete it.') . '</li>' .
			'<li>' . __('<strong>Preview</strong> will show you what your draft post will look like if you publish it. View will take you to your live site to view the post. Which link is available depends on your post&#8217;s status.') . '</li>' .
		'</ul>'
	) );
	get_current_screen()->add_help_tab( array(
	'id'		=> 'bulk-actions',
	'title'		=> __('Bulk Actions'),
	'content'	=>
		'<p>' . __('You can also edit or move multiple posts to the trash at once. Select the posts you want to act on using the checkboxes, then select the action you want to take from the Bulk Actions menu and click Apply.') . '</p>' .
				'<p>' . __('When using Bulk Edit, you can change the metadata (categories, author, etc.) for all selected posts at once. To remove a post from the grouping, just click the x next to its name in the Bulk Edit area that appears.') . '</p>'
	) );

	get_current_screen()->set_help_sidebar(
	'<p><strong>' . __('For more information:') . '</strong></p>' .
	'<p>' . __('<a href="https://codex.wordpress.org/Posts_Screen" target="_blank">Documentation on Managing Posts</a>') . '</p>' .
	'<p>' . __('<a href="https://wordpress.org/support/" target="_blank">Support Forums</a>') . '</p>'
	);

} elseif ( 'page' == $post_type ) {
	get_current_screen()->add_help_tab( array(
	'id'		=> 'overview',
	'title'		=> __('Overview'),
	'content'	=>
		'<p>' . __('Pages are similar to posts in that they have a title, body text, and associated metadata, but they are different in that they are not part of the chronological blog stream, kind of like permanent posts. Pages are not categorized or tagged, but can have a hierarchy. You can nest pages under other pages by making one the &#8220;Parent&#8221; of the other, creating a group of pages.') . '</p>'
	) );
	get_current_screen()->add_help_tab( array(
	'id'		=> 'managing-pages',
	'title'		=> __('Managing Pages'),
	'content'	=>
		'<p>' . __('Managing pages is very similar to managing posts, and the screens can be customized in the same way.') . '</p>' .
		'<p>' . __('You can also perform the same types of actions, including narrowing the list by using the filters, acting on a page using the action links that appear when you hover over a row, or using the Bulk Actions menu to edit the metadata for multiple pages at once.') . '</p>'
	) );

	get_current_screen()->set_help_sidebar(
	'<p><strong>' . __('For more information:') . '</strong></p>' .
	'<p>' . __('<a href="https://codex.wordpress.org/Pages_Screen" target="_blank">Documentation on Managing Pages</a>') . '</p>' .
	'<p>' . __('<a href="https://wordpress.org/support/" target="_blank">Support Forums</a>') . '</p>'
	);

}

get_current_screen()->set_screen_reader_content( array(
	'heading_views'      => $post_type_object->labels->filter_items_list,
	'heading_pagination' => $post_type_object->labels->items_list_navigation,
	'heading_list'       => $post_type_object->labels->items_list,
) );

add_screen_option( 'per_page', array( 'default' => 20, 'option' => 'edit_' . $post_type . '_per_page' ) );

$bulk_counts = array(
	'updated'   => isset( $_REQUEST['updated'] )   ? absint( $_REQUEST['updated'] )   : 0,
	'locked'    => isset( $_REQUEST['locked'] )    ? absint( $_REQUEST['locked'] )    : 0,
	'deleted'   => isset( $_REQUEST['deleted'] )   ? absint( $_REQUEST['deleted'] )   : 0,
	'trashed'   => isset( $_REQUEST['trashed'] )   ? absint( $_REQUEST['trashed'] )   : 0,
	'untrashed' => isset( $_REQUEST['untrashed'] ) ? absint( $_REQUEST['untrashed'] ) : 0,
);

$bulk_messages = array();
$bulk_messages['post'] = array(
	'updated'   => _n( '%s post updated.', '%s posts updated.', $bulk_counts['updated'] ),
	'locked'    => ( 1 == $bulk_counts['locked'] ) ? __( '1 post not updated, somebody is editing it.' ) :
	                   _n( '%s post not updated, somebody is editing it.', '%s posts not updated, somebody is editing them.', $bulk_counts['locked'] ),
	'deleted'   => _n( '%s post permanently deleted.', '%s posts permanently deleted.', $bulk_counts['deleted'] ),
	'trashed'   => _n( '%s post moved to the Trash.', '%s posts moved to the Trash.', $bulk_counts['trashed'] ),
	'untrashed' => _n( '%s post restored from the Trash.', '%s posts restored from the Trash.', $bulk_counts['untrashed'] ),
);
$bulk_messages['page'] = array(
	'updated'   => _n( '%s page updated.', '%s pages updated.', $bulk_counts['updated'] ),
	'locked'    => ( 1 == $bulk_counts['locked'] ) ? __( '1 page not updated, somebody is editing it.' ) :
	                   _n( '%s page not updated, somebody is editing it.', '%s pages not updated, somebody is editing them.', $bulk_counts['locked'] ),
	'deleted'   => _n( '%s page permanently deleted.', '%s pages permanently deleted.', $bulk_counts['deleted'] ),
	'trashed'   => _n( '%s page moved to the Trash.', '%s pages moved to the Trash.', $bulk_counts['trashed'] ),
	'untrashed' => _n( '%s page restored from the Trash.', '%s pages restored from the Trash.', $bulk_counts['untrashed'] ),
);

/**
 * Filters the bulk action updated messages.
 *
 * By default, custom post types use the messages for the 'post' post type.
 *
 * @since 3.7.0
 *
 * @param array $bulk_messages Arrays of messages, each keyed by the corresponding post type. Messages are
 *                             keyed with 'updated', 'locked', 'deleted', 'trashed', and 'untrashed'.
 * @param array $bulk_counts   Array of item counts for each message, used to build internationalized strings.
 */
$bulk_messages = apply_filters( 'bulk_post_updated_messages', $bulk_messages, $bulk_counts );
$bulk_counts = array_filter( $bulk_counts );

require_once( ABSPATH . 'wp-admin/admin-header.php' );
?>
<div class="wrap">
<h1><?php
echo esc_html( $post_type_object->labels->name );
if ( current_user_can( $post_type_object->cap->create_posts ) )
	echo ' <a href="' . esc_url( admin_url( $post_new_file ) ) . '" class="page-title-action">' . esc_html( $post_type_object->labels->add_new ) . '</a>';

if ( isset( $_REQUEST['s'] ) && strlen( $_REQUEST['s'] ) ) {
	/* translators: %s: search keywords */
	printf( ' <span class="subtitle">' . __( 'Search results for &#8220;%s&#8221;' ) . '</span>', get_search_query() );
}
?></h1>

<?php
// If we have a bulk message to issue:
$messages = array();
foreach ( $bulk_counts as $message => $count ) {
	if ( isset( $bulk_messages[ $post_type ][ $message ] ) )
		$messages[] = sprintf( $bulk_messages[ $post_type ][ $message ], number_format_i18n( $count ) );
	elseif ( isset( $bulk_messages['post'][ $message ] ) )
		$messages[] = sprintf( $bulk_messages['post'][ $message ], number_format_i18n( $count ) );

	if ( $message == 'trashed' && isset( $_REQUEST['ids'] ) ) {
		$ids = preg_replace( '/[^0-9,]/', '', $_REQUEST['ids'] );
		$messages[] = '<a href="' . esc_url( wp_nonce_url( "edit.php?post_type=$post_type&doaction=undo&action=untrash&ids=$ids", "bulk-posts" ) ) . '">' . __('Undo') . '</a>';
	}
}

if ( $messages )
	echo '<div id="message" class="updated notice is-dismissible"><p>' . join( ' ', $messages ) . '</p></div>';
unset( $messages );

$_SERVER['REQUEST_URI'] = remove_query_arg( array( 'locked', 'skipped', 'updated', 'deleted', 'trashed', 'untrashed' ), $_SERVER['REQUEST_URI'] );
?>

<?php $wp_list_table->views(); ?>

<form id="posts-filter" method="get">

<?php $wp_list_table->search_box( $post_type_object->labels->search_items, 'post' ); ?>

<input type="hidden" name="post_status" class="post_status_page" value="<?php echo !empty($_REQUEST['post_status']) ? esc_attr($_REQUEST['post_status']) : 'all'; ?>" />
<input type="hidden" name="post_type" class="post_type_page" value="<?php echo $post_type; ?>" />
<?php if ( ! empty( $_REQUEST['show_sticky'] ) ) { ?>
<input type="hidden" name="show_sticky" value="1" />
<?php } ?>

<?php $wp_list_table->display(); ?>

</form>

<?php
if ( $wp_list_table->has_items() )
	$wp_list_table->inline_edit();
?>

<div id="ajax-response"></div>
<br class="clear" />
</div>

<?php
include( ABSPATH . 'wp-admin/admin-footer.php' );


1		<?php
2		/**
3		* Edit Posts Administration Screen.
4		*
5		* @package WordPress
6		* @subpackage Administration
7		*/
8
9		/** WordPress Administration Bootstrap */
10		require_once( dirname( __FILE__ ) . '/admin.php' );
11
12		if ( ! $typenow )
13		wp_die( __( 'Invalid post type.' ) );
14
15	View Code Duplication	if ( ! in_array( $typenow, get_post_types( array( 'show_ui' => true ) ) ) ) {
16		wp_die( __( 'Sorry, you are not allowed to edit posts in this post type.' ) );
17		}
18
19		if ( 'attachment' === $typenow ) {
20		if ( wp_redirect( admin_url( 'upload.php' ) ) ) {
21		exit;
22		}
23		}
24
25		/**
26		* @global string $post_type
27		* @global WP_Post_Type $post_type_object
28		*/
29		global $post_type, $post_type_object;
30
31		$post_type = $typenow;
32		$post_type_object = get_post_type_object( $post_type );
33
34		if ( ! $post_type_object )
35		wp_die( __( 'Invalid post type.' ) );
36
37	View Code Duplication	if ( ! current_user_can( $post_type_object->cap->edit_posts ) ) {
38		wp_die(
39		'<h1>' . __( 'Cheatin’ uh?' ) . '</h1>' .
40		'<p>' . __( 'Sorry, you are not allowed to edit posts in this post type.' ) . '</p>',
41		403
42		);
43		}
44
45		$wp_list_table = _get_list_table('WP_Posts_List_Table');
46		$pagenum = $wp_list_table->get_pagenum();
47
48		// Back-compat for viewing comments of an entry
49		foreach ( array( 'p', 'attachment_id', 'page_id' ) as $_redirect ) {
50		if ( ! empty( $_REQUEST[ $_redirect ] ) ) {
51		wp_redirect( admin_url( 'edit-comments.php?p=' . absint( $_REQUEST[ $_redirect ] ) ) );
52		exit;
53		}
54		}
55		unset( $_redirect );
56
57		if ( 'post' != $post_type ) {
58		$parent_file = "edit.php?post_type=$post_type";
59		$submenu_file = "edit.php?post_type=$post_type";
60		$post_new_file = "post-new.php?post_type=$post_type";
61		} else {
62		$parent_file = 'edit.php';
63		$submenu_file = 'edit.php';
64		$post_new_file = 'post-new.php';
65		}
66
67		$doaction = $wp_list_table->current_action();
68
69		if ( $doaction ) {
70		check_admin_referer('bulk-posts');
71
72		$sendback = remove_query_arg( array('trashed', 'untrashed', 'deleted', 'locked', 'ids'), wp_get_referer() );
73		if ( ! $sendback )
74		$sendback = admin_url( $parent_file );
75		$sendback = add_query_arg( 'paged', $pagenum, $sendback );
76		if ( strpos($sendback, 'post.php') !== false )
77		$sendback = admin_url($post_new_file);
78
79		if ( 'delete_all' == $doaction ) {
80		// Prepare for deletion of all posts with a specified post status (i.e. Empty trash).
81		$post_status = preg_replace('/[^a-z0-9_-]+/i', '', $_REQUEST['post_status']);
82		// Validate the post status exists.
83		if ( get_post_status_object( $post_status ) ) {
84		$post_ids = $wpdb->get_col( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_type=%s AND post_status = %s", $post_type, $post_status ) );
85		}
86		$doaction = 'delete';
87		} elseif ( isset( $_REQUEST['media'] ) ) {
88		$post_ids = $_REQUEST['media'];
89		} elseif ( isset( $_REQUEST['ids'] ) ) {
90		$post_ids = explode( ',', $_REQUEST['ids'] );
91		} elseif ( !empty( $_REQUEST['post'] ) ) {
92		$post_ids = array_map('intval', $_REQUEST['post']);
93		}
94
95		if ( !isset( $post_ids ) ) {
96		wp_redirect( $sendback );
97		exit;
98		}
99
100		switch ( $doaction ) {
101		case 'trash':
102		$trashed = $locked = 0;
103
104		foreach ( (array) $post_ids as $post_id ) {
105		if ( !current_user_can( 'delete_post', $post_id) )
106		wp_die( __('Sorry, you are not allowed to move this item to the Trash.') );
107
108		if ( wp_check_post_lock( $post_id ) ) {
109		$locked++;
110		continue;
111		}
112
113		if ( !wp_trash_post($post_id) )
114		wp_die( __('Error in moving to Trash.') );
115
116		$trashed++;
117		}
118
119		$sendback = add_query_arg( array('trashed' => $trashed, 'ids' => join(',', $post_ids), 'locked' => $locked ), $sendback );
120		break;
121		case 'untrash':
122		$untrashed = 0;
123		foreach ( (array) $post_ids as $post_id ) {
124		if ( !current_user_can( 'delete_post', $post_id) )
125		wp_die( __('Sorry, you are not allowed to restore this item from the Trash.') );
126
127		if ( !wp_untrash_post($post_id) )
128		wp_die( __('Error in restoring from Trash.') );
129
130		$untrashed++;
131		}
132		$sendback = add_query_arg('untrashed', $untrashed, $sendback);
133		break;
134		case 'delete':
135		$deleted = 0;
136		foreach ( (array) $post_ids as $post_id ) {
137		$post_del = get_post($post_id);
138
139		if ( !current_user_can( 'delete_post', $post_id ) )
140		wp_die( __('Sorry, you are not allowed to delete this item.') );
141
142		if ( $post_del->post_type == 'attachment' ) {
143		if ( ! wp_delete_attachment($post_id) )
144		wp_die( __('Error in deleting.') );
145		} else {
146		if ( !wp_delete_post($post_id) )
147		wp_die( __('Error in deleting.') );
148		}
149		$deleted++;
150		}
151		$sendback = add_query_arg('deleted', $deleted, $sendback);
152		break;
153		case 'edit':
154		if ( isset($_REQUEST['bulk_edit']) ) {
155		$done = bulk_edit_posts($_REQUEST);
156
157		if ( is_array($done) ) {
158		$done['updated'] = count( $done['updated'] );
159		$done['skipped'] = count( $done['skipped'] );
160		$done['locked'] = count( $done['locked'] );
161		$sendback = add_query_arg( $done, $sendback );
162		}
163		}
164		break;
165		}
166
167		$sendback = remove_query_arg( array('action', 'action2', 'tags_input', 'post_author', 'comment_status', 'ping_status', '_status', 'post', 'bulk_edit', 'post_view'), $sendback );
168
169		wp_redirect($sendback);
		0 ignored issues – show Bug introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$sendback` defined by `remove_query_arg(array('...post_view'), $sendback)` on line `167` can also be of type `boolean`; however, `wp_redirect()` does only seem to accept `string`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
170		exit();
171	View Code Duplication	} elseif ( ! empty($_REQUEST['_wp_http_referer']) ) {
172		wp_redirect( remove_query_arg( array('_wp_http_referer', '_wpnonce'), wp_unslash($_SERVER['REQUEST_URI']) ) );
		0 ignored issues – show Bug introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `wp_unslash($_SERVER['REQUEST_URI'])` targeting `wp_unslash()` can also be of type `array`; however, `remove_query_arg()` does only seem to accept `boolean\|string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history... Bug introduced 2016-08-19 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `remove_query_arg(array('...SERVER['REQUEST_URI']))` targeting `remove_query_arg()` can also be of type `boolean`; however, `wp_redirect()` does only seem to accept `string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
173		exit;
174		}
175
176		$wp_list_table->prepare_items();
177
178		wp_enqueue_script('inline-edit-post');
179		wp_enqueue_script('heartbeat');
180
181		$title = $post_type_object->labels->name;
182
183		if ( 'post' == $post_type ) {
184		get_current_screen()->add_help_tab( array(
185		'id' => 'overview',
186		'title' => __('Overview'),
187		'content' =>
188		'<p>' . __('This screen provides access to all of your posts. You can customize the display of this screen to suit your workflow.') . '</p>'
189		) );
190		get_current_screen()->add_help_tab( array(
191		'id' => 'screen-content',
192		'title' => __('Screen Content'),
193		'content' =>
194		'<p>' . __('You can customize the display of this screen’s contents in a number of ways:') . '</p>' .
195		'<ul>' .
196		'<li>' . __('You can hide/display columns based on your needs and decide how many posts to list per screen using the Screen Options tab.') . '</li>' .
197		'<li>' . __( 'You can filter the list of posts by post status using the text links above the posts list to only show posts with that status. The default view is to show all posts.' ) . '</li>' .
198		'<li>' . __('You can view posts in a simple title list or with an excerpt using the Screen Options tab.') . '</li>' .
199		'<li>' . __('You can refine the list to show only posts in a specific category or from a specific month by using the dropdown menus above the posts list. Click the Filter button after making your selection. You also can refine the list by clicking on the post author, category or tag in the posts list.') . '</li>' .
200		'</ul>'
201		) );
202		get_current_screen()->add_help_tab( array(
203		'id' => 'action-links',
204		'title' => __('Available Actions'),
205		'content' =>
206		'<p>' . __('Hovering over a row in the posts list will display action links that allow you to manage your post. You can perform the following actions:') . '</p>' .
207		'<ul>' .
208		'<li>' . __('<strong>Edit</strong> takes you to the editing screen for that post. You can also reach that screen by clicking on the post title.') . '</li>' .
209		'<li>' . __('<strong>Quick Edit</strong> provides inline access to the metadata of your post, allowing you to update post details without leaving this screen.') . '</li>' .
210		'<li>' . __('<strong>Trash</strong> removes your post from this list and places it in the trash, from which you can permanently delete it.') . '</li>' .
211		'<li>' . __('<strong>Preview</strong> will show you what your draft post will look like if you publish it. View will take you to your live site to view the post. Which link is available depends on your post’s status.') . '</li>' .
212		'</ul>'
213		) );
214		get_current_screen()->add_help_tab( array(
215		'id' => 'bulk-actions',
216		'title' => __('Bulk Actions'),
217		'content' =>
218		'<p>' . __('You can also edit or move multiple posts to the trash at once. Select the posts you want to act on using the checkboxes, then select the action you want to take from the Bulk Actions menu and click Apply.') . '</p>' .
219		'<p>' . __('When using Bulk Edit, you can change the metadata (categories, author, etc.) for all selected posts at once. To remove a post from the grouping, just click the x next to its name in the Bulk Edit area that appears.') . '</p>'
220		) );
221
222		get_current_screen()->set_help_sidebar(
223		'<p><strong>' . __('For more information:') . '</strong></p>' .
224		'<p>' . __('<a href="https://codex.wordpress.org/Posts_Screen" target="_blank">Documentation on Managing Posts</a>') . '</p>' .
225		'<p>' . __('<a href="https://wordpress.org/support/" target="_blank">Support Forums</a>') . '</p>'
226		);
227
228		} elseif ( 'page' == $post_type ) {
229		get_current_screen()->add_help_tab( array(
230		'id' => 'overview',
231		'title' => __('Overview'),
232		'content' =>
233		'<p>' . __('Pages are similar to posts in that they have a title, body text, and associated metadata, but they are different in that they are not part of the chronological blog stream, kind of like permanent posts. Pages are not categorized or tagged, but can have a hierarchy. You can nest pages under other pages by making one the “Parent” of the other, creating a group of pages.') . '</p>'
234		) );
235		get_current_screen()->add_help_tab( array(
236		'id' => 'managing-pages',
237		'title' => __('Managing Pages'),
238		'content' =>
239		'<p>' . __('Managing pages is very similar to managing posts, and the screens can be customized in the same way.') . '</p>' .
240		'<p>' . __('You can also perform the same types of actions, including narrowing the list by using the filters, acting on a page using the action links that appear when you hover over a row, or using the Bulk Actions menu to edit the metadata for multiple pages at once.') . '</p>'
241		) );
242
243		get_current_screen()->set_help_sidebar(
244		'<p><strong>' . __('For more information:') . '</strong></p>' .
245		'<p>' . __('<a href="https://codex.wordpress.org/Pages_Screen" target="_blank">Documentation on Managing Pages</a>') . '</p>' .
246		'<p>' . __('<a href="https://wordpress.org/support/" target="_blank">Support Forums</a>') . '</p>'
247		);
248
249		}
250
251		get_current_screen()->set_screen_reader_content( array(
252		'heading_views' => $post_type_object->labels->filter_items_list,
253		'heading_pagination' => $post_type_object->labels->items_list_navigation,
254		'heading_list' => $post_type_object->labels->items_list,
255		) );
256
257		add_screen_option( 'per_page', array( 'default' => 20, 'option' => 'edit_' . $post_type . '_per_page' ) );
258
259		$bulk_counts = array(
260		'updated' => isset( $_REQUEST['updated'] ) ? absint( $_REQUEST['updated'] ) : 0,
261		'locked' => isset( $_REQUEST['locked'] ) ? absint( $_REQUEST['locked'] ) : 0,
262		'deleted' => isset( $_REQUEST['deleted'] ) ? absint( $_REQUEST['deleted'] ) : 0,
263		'trashed' => isset( $_REQUEST['trashed'] ) ? absint( $_REQUEST['trashed'] ) : 0,
264		'untrashed' => isset( $_REQUEST['untrashed'] ) ? absint( $_REQUEST['untrashed'] ) : 0,
265		);
266
267		$bulk_messages = array();
268		$bulk_messages['post'] = array(
269		'updated' => _n( '%s post updated.', '%s posts updated.', $bulk_counts['updated'] ),
270		'locked' => ( 1 == $bulk_counts['locked'] ) ? __( '1 post not updated, somebody is editing it.' ) :
271		_n( '%s post not updated, somebody is editing it.', '%s posts not updated, somebody is editing them.', $bulk_counts['locked'] ),
272		'deleted' => _n( '%s post permanently deleted.', '%s posts permanently deleted.', $bulk_counts['deleted'] ),
273		'trashed' => _n( '%s post moved to the Trash.', '%s posts moved to the Trash.', $bulk_counts['trashed'] ),
274		'untrashed' => _n( '%s post restored from the Trash.', '%s posts restored from the Trash.', $bulk_counts['untrashed'] ),
275		);
276		$bulk_messages['page'] = array(
277		'updated' => _n( '%s page updated.', '%s pages updated.', $bulk_counts['updated'] ),
278		'locked' => ( 1 == $bulk_counts['locked'] ) ? __( '1 page not updated, somebody is editing it.' ) :
279		_n( '%s page not updated, somebody is editing it.', '%s pages not updated, somebody is editing them.', $bulk_counts['locked'] ),
280		'deleted' => _n( '%s page permanently deleted.', '%s pages permanently deleted.', $bulk_counts['deleted'] ),
281		'trashed' => _n( '%s page moved to the Trash.', '%s pages moved to the Trash.', $bulk_counts['trashed'] ),
282		'untrashed' => _n( '%s page restored from the Trash.', '%s pages restored from the Trash.', $bulk_counts['untrashed'] ),
283		);
284
285		/**
286		* Filters the bulk action updated messages.
287		*
288		* By default, custom post types use the messages for the 'post' post type.
289		*
290		* @since 3.7.0
291		*
292		* @param array $bulk_messages Arrays of messages, each keyed by the corresponding post type. Messages are
293		* keyed with 'updated', 'locked', 'deleted', 'trashed', and 'untrashed'.
294		* @param array $bulk_counts Array of item counts for each message, used to build internationalized strings.
295		*/
296		$bulk_messages = apply_filters( 'bulk_post_updated_messages', $bulk_messages, $bulk_counts );
297		$bulk_counts = array_filter( $bulk_counts );
298
299		require_once( ABSPATH . 'wp-admin/admin-header.php' );
300		?>
301		<div class="wrap">
302		<h1><?php
303		echo esc_html( $post_type_object->labels->name );
304	View Code Duplication	if ( current_user_can( $post_type_object->cap->create_posts ) )
305		echo ' <a href="' . esc_url( admin_url( $post_new_file ) ) . '" class="page-title-action">' . esc_html( $post_type_object->labels->add_new ) . '</a>';
306
307	View Code Duplication	if ( isset( $_REQUEST['s'] ) && strlen( $_REQUEST['s'] ) ) {
308		/* translators: %s: search keywords */
309		printf( ' <span class="subtitle">' . __( 'Search results for “%s”' ) . '</span>', get_search_query() );
310		}
311		?></h1>
312
313		<?php
314		// If we have a bulk message to issue:
315		$messages = array();
316		foreach ( $bulk_counts as $message => $count ) {
317		if ( isset( $bulk_messages[ $post_type ][ $message ] ) )
318		$messages[] = sprintf( $bulk_messages[ $post_type ][ $message ], number_format_i18n( $count ) );
319		elseif ( isset( $bulk_messages['post'][ $message ] ) )
320		$messages[] = sprintf( $bulk_messages['post'][ $message ], number_format_i18n( $count ) );
321
322	View Code Duplication	if ( $message == 'trashed' && isset( $_REQUEST['ids'] ) ) {
323		$ids = preg_replace( '/[^0-9,]/', '', $_REQUEST['ids'] );
324		$messages[] = '<a href="' . esc_url( wp_nonce_url( "edit.php?post_type=$post_type&doaction=undo&action=untrash&ids=$ids", "bulk-posts" ) ) . '">' . __('Undo') . '</a>';
325		}
326		}
327
328		if ( $messages )
329		echo '<div id="message" class="updated notice is-dismissible"><p>' . join( ' ', $messages ) . '</p></div>';
330		unset( $messages );
331
332		$_SERVER['REQUEST_URI'] = remove_query_arg( array( 'locked', 'skipped', 'updated', 'deleted', 'trashed', 'untrashed' ), $_SERVER['REQUEST_URI'] );
333		?>
334
335		<?php $wp_list_table->views(); ?>
336
337		<form id="posts-filter" method="get">
338
339		<?php $wp_list_table->search_box( $post_type_object->labels->search_items, 'post' ); ?>
340
341		<input type="hidden" name="post_status" class="post_status_page" value="<?php echo !empty($_REQUEST['post_status']) ? esc_attr($_REQUEST['post_status']) : 'all'; ?>" />
342		<input type="hidden" name="post_type" class="post_type_page" value="<?php echo $post_type; ?>" />
343		<?php if ( ! empty( $_REQUEST['show_sticky'] ) ) { ?>
344		<input type="hidden" name="show_sticky" value="1" />
345		<?php } ?>
346
347		<?php $wp_list_table->display(); ?>
348
349		</form>
350
351		<?php
352		if ( $wp_list_table->has_items() )
353		$wp_list_table->inline_edit();
354		?>
355
356		<div id="ajax-response"></div>
357		<br class="clear" />
358		</div>
359
360		<?php
361		include( ABSPATH . 'wp-admin/admin-footer.php' );
362

staylor / WordPress

Issues (2010)

Security Analysis not enabled

wp-admin/edit.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like