PHPCS Fixes and Collapsable section updates. #462
Conversation
|
WalkthroughThis update introduces responsive CSS adjustments for better mobile readability, JavaScript enhancements for collapsible sections, and security improvements through data sanitization in PHP. It also includes PHPCS fixes and removal of unused functions, while ignoring certain PHPCS checks where necessary. Changes
Uplevel your code reviews with CodeRabbit ProCodeRabbit ProIf you like this project, please support us by purchasing the Pro version. The Pro version has advanced context, superior noise reduction and several proprietary improvements compared to the open source version. Moreover, CodeRabbit Pro is free for open source projects. |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Files selected (22)
- assets/css/scss/_collapse.scss (1)
- assets/css/scss/_update-fixes.scss (1)
- assets/css/scss/layout/_single-sections.scss (1)
- assets/css/style.css (1)
- assets/css/style.scss (1)
- assets/js/blocks/query-loops.js (28)
- assets/js/blocks/tour.js (1)
- assets/js/src/custom.js (2)
- includes/classes/admin/class-settings.php (4)
- includes/classes/blocks/class-registration.php (1)
- includes/classes/legacy/class-admin.php (3)
- includes/classes/legacy/class-maps.php (1)
- includes/classes/legacy/class-tour-operator.php (2)
- includes/partials/navigation.php (1)
- includes/patterns/accommodation-card.php (1)
- includes/patterns/destination-card.php (1)
- includes/patterns/gallery.php (1)
- includes/patterns/itinerary-list.php (1)
- includes/patterns/room-card.php (1)
- includes/patterns/tour-card.php (1)
- includes/patterns/travel-information.php (1)
- includes/template-tags/helpers.php (2)
Files not summarized due to errors (2)
- assets/css/scss/layout/_single-sections.scss (diff tokens exceeds limit)
- assets/js/blocks/query-loops.js (diff tokens exceeds limit)
Files not reviewed due to errors (5)
- assets/css/scss/_collapse.scss (no response)
- assets/css/scss/layout/_single-sections.scss (no response)
- assets/js/blocks/query-loops.js (no response)
- includes/classes/admin/class-settings.php (no response)
- includes/partials/navigation.php (no response)
Files skipped from review due to trivial changes (7)
- includes/patterns/accommodation-card.php
- includes/patterns/destination-card.php
- includes/patterns/gallery.php
- includes/patterns/itinerary-list.php
- includes/patterns/room-card.php
- includes/patterns/tour-card.php
- includes/patterns/travel-information.php
Review comments generated (13)
- Review: 11
- LGTM: 2
Tips
Chat with 
CodeRabbit Bot (@coderabbitai)
- Reply on review comments left by this bot to ask follow-up questions. A review comment is a comment on a diff or a file.
- Invite the bot into a review comment chain by tagging
@coderabbitaiin a reply.
Code suggestions
- The bot may make code suggestions, but please review them carefully before committing since the line number ranges may be misaligned.
- You can edit the comment made by the bot and manually tweak the suggestion if it is slightly off.
Pausing incremental reviews
- Add
@coderabbitai: ignoreanywhere in the PR description to pause further reviews from the bot.
| @@ -5,6 +5,7 @@ | |||
| @import 'scss/icons'; | |||
| @import 'scss/additional'; | |||
| @import 'scss/slider'; | |||
| @import 'scss/collapse'; | |||
There was a problem hiding this comment.
The import statement for 'scss/collapse' has been added. Ensure that the file 'collapse.scss' exists in the 'scss' directory and it doesn't contain any syntax errors or undefined variables/mixins. If there are dependencies between SCSS files, make sure they are imported in the correct order.
+ @import 'scss/collapse';| @media (min-width: 800px) { | ||
| .single-tour-operator .toggle-button { | ||
| display: none; | ||
| } | ||
| } | ||
| /* Optional: Responsive adjustments for smaller screens */ | ||
| @media (max-width: 768px) { | ||
| .single-tour-operator { | ||
| /* Styling for the toggle button */ | ||
| /* Styling for the SVG icons */ | ||
| /* Collapsed state for the second wp-block-group */ | ||
| } | ||
| .single-tour-operator .toggle-button { | ||
| display: inline-flex; | ||
| align-items: center; | ||
| padding: 5px; | ||
| background: none; | ||
| border: none; | ||
| cursor: pointer; | ||
| font-size: 14px; | ||
| color: var(--wp--preset--color--contrast); | ||
| } | ||
| .single-tour-operator .toggle-icon { | ||
| width: 16px; | ||
| height: 16px; | ||
| fill: var(--wp--preset--color--contrast); | ||
| margin-left: 5px; | ||
| } | ||
| .single-tour-operator section.wp-block-group .wp-block-group.collapsed { | ||
| display: none; /* Hide the content */ | ||
| } | ||
| .fast-facts-wrapper > .wp-block-group { | ||
| flex-wrap: wrap; /* Allow wrapping for better readability */ | ||
| gap: 5px; | ||
| } | ||
| .fast-facts-wrapper > .wp-block-group .wp-block-group.is-layout-flex:last-child { | ||
| flex-wrap: wrap; /* Allow text to wrap on smaller screens */ | ||
| } | ||
| } |
There was a problem hiding this comment.
The CSS changes for responsive design look good. However, there are comments indicating that there should be styles applied to .single-tour-operator within the @media (max-width: 768px) query, but no styles are present. If these styles are not needed, consider removing the comments to avoid confusion.
- /* Styling for the toggle button */
- /* Styling for the SVG icons */
- /* Collapsed state for the second wp-block-group */If they are needed, please add the appropriate styles.
| @@ -396,7 +396,7 @@ if ( window.location.hash ) { | |||
| }); | |||
| } | |||
| }); | |||
| }); | |||
| });*/ | |||
There was a problem hiding this comment.
The commented-out code has been removed, which is a good practice for maintaining clean and readable code. However, please ensure that this removal does not affect any functionality or dependencies in the code.
- });*/
+ | @@ -444,6 +444,6 @@ | |||
| }); | |||
| } | |||
| }); | |||
| });*/ | |||
| }); | |||
There was a problem hiding this comment.
The closing brackets and parentheses have been uncommented. This seems to be a correction of the previous state where it was mistakenly commented out. Please ensure that this change aligns with the intended structure of your JavaScript code.
- });*/
+ });| @@ -102,6 +102,7 @@ public function enqueue_admin_stylescripts( $hook ) { | |||
| } | |||
|
|
|||
| //deregister scripts | |||
| // @phpcs:ignore WordPress.Security.NonceVerification.Recommended | |||
There was a problem hiding this comment.
The @phpcs:ignore directive is used to ignore the nonce verification check. However, it's important to note that ignoring this check can lead to potential security vulnerabilities as nonces are used in WordPress to prevent CSRF attacks. It would be better to verify the nonce before using the $_GET['post'] value.
- // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
- if ( isset( $_GET['post'] ) && in_array( get_post_type( $_GET['post'] ), array( 'team', 'special', 'review', 'destination', 'accommodation', 'tour' ) ) ) {
+ if ( isset( $_GET['post'] ) && wp_verify_nonce($_REQUEST['_wpnonce'], 'my-nonce-action') && in_array( get_post_type( $_GET['post'] ), array( 'team', 'special', 'review', 'destination', 'accommodation', 'tour' ) ) ) {| // @phpcs:ignore WordPress.Security.NonceVerification.Recommended | ||
| if ( isset( $_POST['tagline'] ) && ! empty( $_POST['tagline'] ) ) { | ||
| $meta = sanitize_text_field( $_POST['tagline'] ); | ||
| $meta = sanitize_text_field( wp_unslash( $_POST['tagline'] ) ); |
There was a problem hiding this comment.
Again, ignoring nonce verification checks can lead to potential security vulnerabilities. It's recommended to verify the nonce before using the $_POST['tagline'] value.
- // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
- if ( isset( $_POST['tagline'] ) && ! empty( $_POST['tagline'] ) ) {
+ if ( isset( $_POST['tagline'] ) && wp_verify_nonce($_REQUEST['_wpnonce'], 'my-nonce-action') && ! empty( $_POST['tagline'] ) ) {Please replace 'my-nonce-action' with the appropriate nonce action for your application.
| if ( isset( $_GET['debug_bot'] ) ) { | ||
| $user_agent = sanitize_text_field( $_GET['debug_bot'] ); | ||
| } else { | ||
| $user_agent = sanitize_text_field( $_SERVER['HTTP_USER_AGENT'] ); | ||
| // @phpcs:ignore WordPress.Security.NonceVerification.Recommended | ||
| $user_agent = sanitize_text_field( wp_unslash( $_GET['debug_bot'] ) ); | ||
| // @phpcs:ignore WordPress.Security.NonceVerification.Recommended | ||
| } else if ( isset( $_GET['HTTP_USER_AGENT'] ) ) { | ||
| // @phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated | ||
| $user_agent = sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ); |
There was a problem hiding this comment.
There seems to be a misunderstanding in the use of $_GET and $_SERVER superglobals. The HTTP_USER_AGENT is not typically found in the $_GET array, but rather in the $_SERVER array. Also, it's important to validate and sanitize all user inputs, including those from $_SERVER['HTTP_USER_AGENT']. Here's how you can correct this:
- if ( isset( $_GET['debug_bot'] ) ) {
- // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
- $user_agent = sanitize_text_field( wp_unslash( $_GET['debug_bot'] ) );
- // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
- } else if ( isset( $_GET['HTTP_USER_AGENT'] ) ) {
- // @phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated
- $user_agent = sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) );
+ if ( isset( $_GET['debug_bot'] ) ) {
+ $user_agent = sanitize_text_field( wp_unslash( $_GET['debug_bot'] ) );
+ } else if ( isset( $_SERVER['HTTP_USER_AGENT'] ) ) {
+ $user_agent = sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) );
}Please note that ignoring PHPCS warnings related to nonce verification and input sanitization might lead to security vulnerabilities. It would be better to address these issues directly instead of suppressing the warnings.
| // phpcs:disable WordPress.DB -- Start ignoring | ||
| $query = "SELECT COUNT(ID) | ||
| FROM $wpdb->posts | ||
| WHERE 1=1 | ||
| AND ID IN (%s) | ||
| AND post_status IN ('draft', 'publish')"; | ||
|
|
||
| // @phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared | ||
| return (int) $wpdb->get_var( $wpdb->prepare( $query, $ids ) ); | ||
| $result = (int) $wpdb->get_var( $wpdb->prepare( $query, $ids ) ); | ||
| // phpcs:enable -- Stop ignoring |
There was a problem hiding this comment.
The use of wpdb->prepare here is incorrect. The %s placeholder in the SQL query expects a string, but you're passing an array ($ids). This could lead to unexpected results or SQL errors. You should create a list of placeholders that matches the number of elements in $ids, and then use call_user_func_array to pass the parameters to wpdb->prepare.
Here's how you can do it:
- $ids = wp_unslash( sanitize_post_field( 'id', $ids, 0, 'db' ) );
+ $ids = array_map('intval', explode(',', wp_unslash( sanitize_text_field( $_POST['ids'] ) )));
- $query = "SELECT COUNT(ID)
- FROM $wpdb->posts
- WHERE 1=1
- AND ID IN (%s)
- AND post_status IN ('draft', 'publish')";
+ $placeholders = implode(', ', array_fill(0, count($ids), '%d'));
+ $query = $wpdb->prepare("SELECT COUNT(ID)
+ FROM $wpdb->posts
+ WHERE 1=1
+ AND ID IN ($placeholders)
+ AND post_status IN ('draft', 'publish')", ...$ids);This way, each ID will be properly escaped, and the query will work as expected.
| AND post_parent = %d | ||
| ORDER BY post_title ASC | ||
| LIMIT 100", | ||
| $post_type,$post_id | ||
| $post_type, | ||
| $post_id | ||
| ) | ||
| ); | ||
| // phpcs:enable -- Stop ignoring | ||
|
|
||
| if ( count( $children ) > 0 ) { | ||
| return $children; |
There was a problem hiding this comment.
Note: This review was outside of the patch, so it was mapped to the patch with the greatest overlap. Original lines [98-111]
While it's good that you've added PHPCS ignore comments around the direct database query, it would be better to use WordPress's built-in functions for querying the database. This will make your code more maintainable and less prone to SQL injection attacks. Here's how you could rewrite this using get_posts:
- // phpcs:disable WordPress.DB -- Start ignoring
- $children = $wpdb->get_results(
- $wpdb->prepare(
- "SELECT ID
- FROM $wpdb->posts
- WHERE post_type = %s
- AND post_status = 'publish'
- AND post_parent = %d
- ORDER BY post_title ASC
- LIMIT 100",
- $post_type,
- $post_id
- )
- );
- // phpcs:enable -- Stop ignoring
+ $args = array(
+ 'post_type' => $post_type,
+ 'post_status' => 'publish',
+ 'post_parent' => $post_id,
+ 'orderby' => 'title',
+ 'order' => 'ASC',
+ 'numberposts' => 100,
+ );
+ $children = get_posts($args);This way, you're leveraging WordPress's built-in functionality and reducing the risk of SQL injection.
| // @phpcs:ignore WordPress.Security.NonceVerification.Recommended | ||
| if ( ! is_network_admin() && ! isset( $_GET['activate-multi'] ) ) { | ||
| set_transient( '_tour_operators_flush_rewrite_rules', 1, 30 ); | ||
| } | ||
|
|
||
| // @phpcs:ignore WordPress.Security.NonceVerification.Recommended |
There was a problem hiding this comment.
The use of @phpcs:ignore is generally discouraged as it can lead to overlooking potential security issues. In this case, the $_GET['activate-multi'] parameter is not being sanitized before use which could lead to a potential security vulnerability. It would be better to sanitize the input using filter_input(INPUT_GET, 'activate-multi').
- // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
- if ( ! is_network_admin() && ! isset( $_GET['activate-multi'] ) ) {
+ if ( ! is_network_admin() && ! isset( filter_input(INPUT_GET, 'activate-multi') ) ) {
set_transient( '_tour_operators_flush_rewrite_rules', 1, 30 );
}
- // @phpcs:ignore WordPress.Security.NonceVerification.Recommended
- if ( ! is_network_admin() && ! isset( $_GET['activate-multi'] ) ) {
+ if ( ! is_network_admin() && ! isset( filter_input(INPUT_GET, 'activate-multi') ) ) {
set_transient( '_tour_operators_welcome_redirect', 1, 30 );
}
PHPCS Fixes and Collapsable section updates for the single tour, accommodation and destination
Summary by CodeRabbit
lsx-itinerary-wrapperclass and improved function closure.wp_unslashandsanitize_text_fieldfunctions. Improved redirection process withwp_safe_redirect.phpcs:ignoreFiledirectives to bypass PHPCS checks for non-enqueued image functions in several PHP files.// phpcs:disableand// phpcs:enablecomments to ignore WordPress.DB sniff for a database query in thelsx_to_item_has_childrenfunction.