"Escaping response messages and adding PHPCS exceptions"
In this commit, we have made several changes to ensure safe output and to follow proper PHP coding standards.
1. We now wrap the messages passed to `Request_Exception` in 'class-request.php' with `esc_html()`, so that API-supplied text in a message cannot inject markup if the message is later echoed into HTML.
2. We also added `phpcs:ignore` comments on lines that raised naming-convention warnings, specifically those reading the `nodeName` and `keyPath` properties. These do not follow WordPress's snake_case convention, but they are properties of the DOM node and the API response object, which we do not control, hence the per-line exceptions.
attackant committed Oct 31, 2023
1 parent 7818b1a commit a094bc2
Showing 2 changed files with 6 additions and 6 deletions.
2 changes: 1 addition & 1 deletion includes/apple-exporter/components/class-divider.php
Expand Up @@ -23,7 +23,7 @@ class Divider extends Component {
* @return \DOMElement|null The node on success, or null on no match.
*/
public static function node_matches( $node ) {
if ( 'hr' === $node->nodeName ) {
if ( 'hr' === $node->nodeName ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
return $node;
}

10 changes: 5 additions & 5 deletions includes/apple-push-api/request/class-request.php
Expand Up @@ -152,7 +152,7 @@ public function get( $url ) {
private function parse_response( $response, $json = true, $type = 'post', $meta = null, $bundles = null, $article = '', $debug_mime_request = '' ) {
// Ensure we have an expected response type.
if ( ( ! is_array( $response ) || ! isset( $response['body'] ) ) && ! is_wp_error( $response ) ) {
throw new Request_Exception( __( 'Invalid response:', 'apple-news' ) . $response );
throw new Request_Exception( esc_html( __( 'Invalid response:', 'apple-news' ) . $response ) );
}

// If debugging mode is enabled, send an email.
Expand Down Expand Up @@ -224,7 +224,7 @@ private function parse_response( $response, $json = true, $type = 'post', $meta
if ( is_array( $error_messages ) && ! empty( $error_messages ) ) {
$string_errors = implode( ', ', $error_messages );
}
throw new Request_Exception( __( 'There has been an error with your request:', 'apple-news' ) . " $string_errors" );
throw new Request_Exception( esc_html( __( 'There has been an error with your request:', 'apple-news' ) . " $string_errors" ) );
}

// Check for errors from the API.
Expand All @@ -235,8 +235,8 @@ private function parse_response( $response, $json = true, $type = 'post', $meta
foreach ( $response_decoded->errors as $error ) {
// If there is a keyPath, build it into a string.
$key_path = '';
if ( ! empty( $error->keyPath ) && is_array( $error->keyPath ) ) {
foreach ( $error->keyPath as $i => $path ) {
if ( ! empty( $error->keyPath ) && is_array( $error->keyPath ) ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
foreach ( $error->keyPath as $i => $path ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
if ( $i > 0 ) {
$key_path .= "->$path";
} else {
Expand Down Expand Up @@ -271,7 +271,7 @@ private function parse_response( $response, $json = true, $type = 'post', $meta
);
}

throw new Request_Exception( $message );
throw new Request_Exception( esc_html( $message ) );
}

// Return the response in the desired format.
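Review bot: In the first hunk, `esc_html( __( 'Invalid response:', 'apple-news' ) . $response )` still concatenates `$response` directly even though the guard on the line above admits an array that merely lacks a `body` key, so the message degrades to the literal `Array` (plus an "Array to string conversion" warning) and loses the diagnostic value; this predates the commit, but touching the throw site is the moment to fix it. I would serialise non-scalars first, `$detail = is_scalar( $response ) ? (string) $response : wp_json_encode( $response );` and then `throw new Request_Exception( esc_html( __( 'Invalid response:', 'apple-news' ) . ' ' . $detail ) );`. A second point that applies to all four `esc_html()` throw sites: escaping at throw time means any consumer that logs the message or emits it as JSON or CLI text will see HTML entities, so a comment such as `// Escaped for HTML at throw time; callers rendering outside HTML should html_entity_decode() first.` would make the contract explicit. parse_response continues outside the hunks shown, so I cannot confirm that `$string_errors` is initialised before the `if` at the top of the second hunk; if it is not, the `" $string_errors"` interpolation raises an undefined-variable notice when `$error_messages` is not a non-empty array.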
