Phpcs cleanup

build-plugin.sh

@@ -1,25 +1,39 @@
 #!/bin/bash
 
+DEFAULT_NAME="WordPress Plugin Template"
+DEFAULT_CLASS=${DEFAULT_NAME// /_}
+DEFAULT_TOKEN=$( tr '[A-Z]' '[a-z]' <<< $DEFAULT_CLASS)
+DEFAULT_SLUG=${DEFAULT_TOKEN//_/-}
+DEFAULT_OPT_PREFIX="wpt_"
+
 printf "Plugin name: "
 read NAME
 
+CLASS_NAME=${NAME// /_}
+
 printf "Destination folder: "
 read FOLDER
 
+printf "Class name \e[3m(Default is %s)\e[0m: " "$CLASS_NAME"
+read CLASS
+
+if [ $CLASS == "" ]; then
+	$CLASS = $CLASS_NAME
+fi
+
 printf "Include Grunt support (y/n): "
 read GRUNT
 
+printf "Options prefix: "
+read OPT_PREFIX
+
 printf "Initialise new git repo (y/n): "
 read NEWREPO
 
-DEFAULT_NAME="WordPress Plugin Template"
-DEFAULT_CLASS=${DEFAULT_NAME// /_}
-DEFAULT_TOKEN=$( tr '[A-Z]' '[a-z]' <<< $DEFAULT_CLASS)
-DEFAULT_SLUG=${DEFAULT_TOKEN//_/-}
 
-CLASS=${NAME// /_}
 TOKEN=$( tr '[A-Z]' '[a-z]' <<< $CLASS)
 SLUG=${TOKEN//_/-}
+OPT_PREFIX=${OPT_PREFIX}_
 
 git clone https://github.com/hlashbrooke/$DEFAULT_SLUG.git $FOLDER/$SLUG
 
@@ -62,6 +76,10 @@ cp readme.txt readme.tmp
 sed "s/$DEFAULT_NAME/$NAME/g" readme.tmp > readme.txt
 rm readme.tmp
 
+cp Gruntfile.js Gruntfile.tmp
+sed "s/$DEFAULT_SLUG/$SLUG/g" Gruntfile.tmp > Gruntfile.js
+rm Gruntfile.tmp
+
 
 cd lang
 mv $DEFAULT_SLUG.pot $SLUG.pot
@@ -113,6 +131,10 @@ cp class-$SLUG-settings.php class-$SLUG-settings.tmp
 sed "s/$DEFAULT_SLUG/$SLUG/g" class-$SLUG-settings.tmp > class-$SLUG-settings.php
 rm class-$SLUG-settings.tmp
 
+cp class-$SLUG-settings.php class-$SLUG-settings.tmp
+sed "s/$DEFAULT_OPT_PREFIX/$OPT_PREFIX/g" class-$SLUG-settings.tmp > class-$SLUG-settings.php
+rm class-$SLUG-settings.tmp
+
 
 cd lib
 mv class-$DEFAULT_SLUG-post-type.php class-$SLUG-post-type.php

includes/class-wordpress-plugin-template-settings.php

@@ -21,7 +21,7 @@ class WordPress_Plugin_Template_Settings {
 	 * @access  private
 	 * @since   1.0.0
 	 */
-	private static $_instance = null; //phpcs:ignore
+	private static $instance = null;
 
 	/**
 	 * The main plugin object.
@@ -389,7 +389,7 @@ public function register_settings() {
 	 */
 	public function settings_section( $section ) {
 		$html = '<p> ' . $this->settings[ $section['id'] ]['description'] . '</p>' . "\n";
-		echo $html; //phpcs:ignore
+		echo wp_kses( $html, $this->allowed_htmls );
 	}
 
 	/**
@@ -404,11 +404,19 @@ public function settings_page() {
 			$html .= '<h2>' . __( 'Plugin Settings', 'wordpress-plugin-template' ) . '</h2>' . "\n";
 
 			$tab = '';
-		//phpcs:disable
-		if ( isset( $_GET['tab'] ) && $_GET['tab'] ) {
-			$tab .= $_GET['tab'];
+
+			$nonce_name = 'WordPress_Plugin_Template_nonce';
+			$nonce      = sanitize_text_field( wp_create_nonce( $nonce_name ) );
+
+		if ( isset( $_POST['tab'] ) ) {
+			if ( wp_verify_nonce( $nonce, $nonce_name ) ) {
+				$current_section = sanitize_text_field( wp_unslash( $_POST['tab'] ) );
+			}
+		} else {
+			if ( isset( $_GET['tab'] ) && sanitize_text_field( wp_unslash( $_GET['tab'] ) ) ) {
+				$current_section = sanitize_text_field( wp_unslash( $_GET['tab'] ) );
+			}
 		}
-		//phpcs:enable
 
 		// Show page tabs.
 		if ( is_array( $this->settings ) && 1 < count( $this->settings ) ) {
@@ -420,19 +428,28 @@ public function settings_page() {
 
 				// Set tab class.
 				$class = 'nav-tab';
-				if ( ! isset( $_GET['tab'] ) ) { //phpcs:ignore
+				if ( ! isset( $_GET['tab'] ) ) {
 					if ( 0 === $c ) {
 						$class .= ' nav-tab-active';
 					}
 				} else {
-					if ( isset( $_GET['tab'] ) && $section == $_GET['tab'] ) { //phpcs:ignore
+					if ( isset( $_GET['tab'] ) && $section === $_GET['tab'] ) {
+						$tab    = sanitize_text_field( wp_unslash( $_GET['tab'] ) );
 						$class .= ' nav-tab-active';
 					}
 				}
 
 				// Set tab link.
-				$tab_link = add_query_arg( array( 'tab' => $section ) );
-				if ( isset( $_GET['settings-updated'] ) ) { //phpcs:ignore
+				$tab_link = add_query_arg(
+					array(
+						'tab'       => $section,
+						$nonce_name => $nonce,
+					)
+				);
+
+				if ( isset( $_GET['settings-updated'] ) ) {
+					$updated = sanitize_text_field( wp_unslash( $_GET['settings-updated'] ) );
+
 					$tab_link = remove_query_arg( 'settings-updated', $tab_link );
 				}
 
@@ -460,7 +477,7 @@ public function settings_page() {
 			$html         .= '</form>' . "\n";
 		$html             .= '</div>' . "\n";
 
-		echo $html; //phpcs:ignore
+		echo wp_kses( $html, $this->allowed_htmls );
 	}
 
 	/**
@@ -475,10 +492,10 @@ public function settings_page() {
 	 * @return object WordPress_Plugin_Template_Settings instance
 	 */
 	public static function instance( $parent ) {
-		if ( is_null( self::$_instance ) ) {
-			self::$_instance = new self( $parent );
+		if ( is_null( self::$instance ) ) {
+			self::$instance = new self( $parent );
 		}
-		return self::$_instance;
+		return self::$instance;
 	} // End instance()
 
 	/**
@@ -499,4 +516,126 @@ public function __wakeup() {
 		_doing_it_wrong( __FUNCTION__, esc_html( __( 'Unserializing instances of WordPress_Plugin_Template_API is forbidden.' ) ), esc_attr( $this->parent->_version ) );
 	} // End __wakeup()
 
+	/**
+	 * Allowed html for output.
+	 *
+	 * @var array
+	 */
+	public $allowed_htmls = [
+		'a'        => [
+			'href'  => [],
+			'title' => [],
+			'class' => [],
+		],
+		'h1'       => [
+			'href'  => [],
+			'title' => [],
+			'class' => [],
+		],
+		'h2'       => [
+			'href'  => [],
+			'title' => [],
+			'class' => [],
+		],
+		'h3'       => [
+			'href'  => [],
+			'title' => [],
+			'class' => [],
+		],
+		'h4'       => [
+			'href'  => [],
+			'title' => [],
+			'class' => [],
+		],
+		'input'    => [
+			'id'                  => [],
+			'type'                => [],
+			'name'                => [],
+			'placeholder'         => [],
+			'value'               => [],
+			'class'               => [],
+			'checked'             => [],
+			'style'               => [],
+			'data-uploader_title' => [],
+			'data-uploader_text'  => [],
+		],
+		'select'   => [
+			'id'          => [],
+			'type'        => [],
+			'name'        => [],
+			'placeholder' => [],
+			'value'       => [],
+			'multiple'    => [],
+			'style'       => [],
+		],
+		'option'   => [
+			'id'          => [],
+			'type'        => [],
+			'name'        => [],
+			'placeholder' => [],
+			'value'       => [],
+			'multiple'    => [],
+			'selected'    => [],
+		],
+		'label'    => [
+			'for'   => [],
+			'title' => [],
+		],
+		'span'     => [
+			'class' => [],
+			'title' => [],
+		],
+		'table'    => [
+			'scope' => [],
+			'title' => [],
+			'class' => [],
+			'role'  => [],
+		],
+		'tbody'    => [
+			'scope' => [],
+			'title' => [],
+			'class' => [],
+			'role'  => [],
+		],
+		'th'       => [
+			'scope' => [],
+			'title' => [],
+		],
+		'form'     => [
+			'method'      => [],
+			'type'        => [],
+			'name'        => [],
+			'placeholder' => [],
+			'value'       => [],
+			'multiple'    => [],
+			'selected'    => [],
+			'action'      => [],
+			'enctype'     => [],
+		],
+		'div'      => [
+			'class' => [],
+			'id'    => [],
+		],
+		'img'      => [
+			'class' => [],
+			'id'    => [],
+			'src'   => [],
+		],
+		'textarea' => [
+			'class'       => [],
+			'id'          => [],
+			'rows'        => [],
+			'cols'        => [],
+			'name'        => [],
+			'placeholder' => [],
+			'spellcheck'  => [],
+		],
+		'tr'       => [],
+		'td'       => [],
+		'p'        => [],
+		'br'       => [],
+		'em'       => [],
+		'strong'   => [],
+		'th'       => [],
+	];
 }

includes/class-wordpress-plugin-template.php

@@ -21,7 +21,7 @@ class WordPress_Plugin_Template {
 	 * @access  private
 	 * @since   1.0.0
 	 */
-	private static $_instance = null; //phpcs:ignore
+	private static $instance = null;
 
 	/**
 	 * Local instance of WordPress_Plugin_Template_Admin_API
@@ -51,7 +51,7 @@ class WordPress_Plugin_Template {
 	/**
 	 * The token.
 	 *
-	 * @var     string
+	 * @var     strings
 	 * @access  public
 	 * @since   1.0.0
 	 */
@@ -276,11 +276,11 @@ public function load_plugin_textdomain() {
 	 * @static
 	 */
 	public static function instance( $file = '', $version = '1.0.0' ) {
-		if ( is_null( self::$_instance ) ) {
-			self::$_instance = new self( $file, $version );
+		if ( is_null( self::$instance ) ) {
+			self::$instance = new self( $file, $version );
 		}
 
-		return self::$_instance;
+		return self::$instance;
 	} // End instance ()
 
 	/**
@@ -321,7 +321,7 @@ public function install() {
 	 * @since   1.0.0
 	 */
 	private function _log_version_number() { //phpcs:ignore
-		update_option( $this->_token . '_version', $this->_version );
+		update_option( $this->_token . '_version', $this->version );
 	} // End _log_version_number ()
 
 }

includes/lib/class-wordpress-plugin-template-admin-api.php

@@ -218,7 +218,8 @@ public function display_field( $data = array(), $post = null, $echo = true ) {
 			return $html;
 		}
 
-		echo $html; //phpcs:ignore
+		$sanitation = new WordPress_Plugin_Template_Settings( $this );
+		echo wp_kses( $field, $sanitation->allowed_htmls );
 
 	}
 
@@ -321,7 +322,8 @@ public function display_meta_box_field( $field = array(), $post = null ) {
 
 		$field = '<p class="form-field"><label for="' . $field['id'] . '">' . $field['label'] . '</label>' . $this->display_field( $field, $post, false ) . '</p>' . "\n";
 
-		echo $field; //phpcs:ignore
+		$sanitation = new WordPress_Plugin_Template_Settings( $this );
+		echo wp_kses( $field, $sanitation->allowed_htmls );
 	}
 
 	/**