Updated Coding Standards

Author: n7studios

includes/class-integrate-convertkit-wpforms.php

@@ -489,7 +489,7 @@ private function get_referrer_url( $form_data ) {
 
 		// If the request includes the page_url, return that URL.
 		if ( array_key_exists( 'page_url', $_REQUEST ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-			return esc_url( $_REQUEST['page_url'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+			return esc_url( sanitize_text_field( wp_unslash( $_REQUEST['page_url'] ) ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 		}
 
 		// Return the AJAX URL.
@@ -715,7 +715,7 @@ public function maybe_display_notice() {
 				sprintf(
 					'%s %s',
 					esc_html__( 'Kit: ', 'integrate-convertkit-wpforms' ),
-					sanitize_text_field( $_REQUEST['error_description'] ) // phpcs:ignore WordPress.Security.NonceVerification
+					sanitize_text_field( wp_unslash( $_REQUEST['error_description'] ) ) // phpcs:ignore WordPress.Security.NonceVerification
 				)
 			);
 		}
@@ -733,7 +733,7 @@ public function maybe_get_and_store_access_token() {
 		if ( ! array_key_exists( 'page', $_REQUEST ) ) { // phpcs:ignore WordPress.Security.NonceVerification
 			return;
 		}
-		if ( $_REQUEST['page'] !== 'wpforms-settings' ) { // phpcs:ignore WordPress.Security.NonceVerification
+		if ( sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ) !== 'wpforms-settings' ) { // phpcs:ignore WordPress.Security.NonceVerification
 			return;
 		}
 
@@ -750,7 +750,7 @@ public function maybe_get_and_store_access_token() {
 		}
 
 		// Sanitize token.
-		$authorization_code = sanitize_text_field( $_REQUEST['code'] ); // phpcs:ignore WordPress.Security.NonceVerification
+		$authorization_code = sanitize_text_field( wp_unslash( $_REQUEST['code'] ) ); // phpcs:ignore WordPress.Security.NonceVerification
 
 		// Exchange the authorization code and verifier for an access token.
 		$api    = new Integrate_ConvertKit_WPForms_API(
@@ -843,7 +843,7 @@ public function delete_resource_cache() {
 		}
 
 		// Sanitize data.
-		$account_id = sanitize_text_field( $_POST['key'] );
+		$account_id = sanitize_text_field( wp_unslash( $_POST['key'] ) );
 
 		// Get API instance.
 		$api = $this->get_api_instance( $account_id );

phpcs.xml

@@ -10,8 +10,8 @@
 	<!-- Exclude minified Javascript files. -->
 	<exclude-pattern>*.min.js</exclude-pattern>
 
-	<!-- Check that code meets WordPress-Extra standards. -->
-	<rule ref="WordPress-Extra">
+	<!-- Check that code meets WordPress standards - this includes core, docs and extra. -->
+	<rule ref="WordPress">
 		<!--
 		We may want a middle ground though. The best way to do this is add the
 		entire ruleset, then rule by rule, remove ones that don't suit a project.
@@ -29,13 +29,11 @@
 		<exclude name="WordPress.Security.EscapeOutput"/>
 		-->
 		<exclude name="WordPress.PHP.YodaConditions" />
+		<exclude name="WordPress.DB.SlowDBQuery.slow_db_query_meta_query" />
 		<exclude name="PSR2.Methods.FunctionClosingBrace.SpacingBeforeClose" />
 		<exclude name="PSR2.Classes.ClassDeclaration.CloseBraceAfterBody" />
 	</rule>
 
-	<!-- Check that code is documented to WordPress Standards. -->
-	<rule ref="WordPress-Docs"/>
-
 	<!-- Add in some extra rules from other standards. -->
 	<rule ref="Generic.CodeAnalysis.UnusedFunctionParameter"/>
 	<rule ref="Generic.Commenting.Todo"/>